In This Guide
- The sustainability assurance process follows five sequential phases: pre-engagement acceptance, planning, evidence gathering, testing, and conclusion/reporting.
- The planning phase — including scope definition, criteria selection, materiality determination, and risk assessment — sets the foundation for the entire engagement.
- Two key deliverables are produced: the independent assurance statement (published) and the management letter (confidential, with recommendations).
- ISO/IEC 17029 and ISO 14065 provide the accreditation framework that ensures assurance providers are competent, impartial, and quality-managed.
- A typical limited assurance engagement takes 4–8 weeks; reasonable assurance takes 8–14 weeks from engagement letter to final statement.
How Does the Sustainability Assurance Process Work?
The sustainability assurance process is a structured, phased engagement through which an independent assurance provider examines an organization's sustainability-related disclosures and issues a formal conclusion on their reliability. While the specific procedures vary based on the assurance level (limited or reasonable) and the standard used (ISAE 3000, ISSA 5000, or AA1000AS), the overall process follows a consistent structure.
Understanding this process helps organizations prepare effectively, set realistic timelines, allocate appropriate resources, and maximize the value of the engagement beyond just the assurance conclusion. This guide walks through each phase, the deliverables produced, and the roles and responsibilities of all parties involved.
Phase 1: Planning — Setting the Foundation
The planning phase is the most critical — it shapes the entire engagement. Thorough planning ensures the assurance provider focuses on the right areas, applies appropriate procedures, and manages risks effectively.
Step 1: Engagement Acceptance and Preconditions
Before accepting the engagement, the assurance provider evaluates whether the preconditions for assurance are met:
- Suitable subject matter: Is the sustainability information identifiable and capable of being evaluated consistently?
- Appropriate criteria: Is there a recognized reporting framework (GRI, ESRS, ISSB, GHG Protocol) against which the information can be assessed?
- Sufficient evidence: Can the provider reasonably expect to obtain enough evidence to support a conclusion?
- Meaningful purpose: Is there a rational purpose for the engagement and identifiable intended users?
- Independence: Is the provider free from conflicts of interest that could impair objectivity?
- Competence: Does the engagement team have the necessary expertise in both assurance methodology and the relevant sustainability subject matter?
Step 2: Engagement Letter
The engagement letter is a formal agreement between the assurance provider and the organization that documents:
- The scope of the engagement (which report, data, or disclosures will be examined).
- The applicable criteria (reporting framework).
- The assurance level (limited or reasonable).
- The assurance standard to be applied (ISAE 3000, ISSA 5000).
- Respective responsibilities of the organization and the assurance provider.
- The timeline, fees, and access requirements.
- Restrictions on use and distribution of the assurance statement.
Step 3: Scope Definition and Criteria Selection
Scope definition determines exactly what will be examined. This includes:
- Reporting entity: Which legal entities, operations, or sites are included?
- Reporting period: What time period does the information cover?
- Subject matter: The full sustainability report, specific sections (environmental only), or specific KPIs (GHG emissions, water usage)?
- Criteria: The reporting framework against which the information will be assessed — GRI Standards, ESRS, ISSB, GHG Protocol, or entity-developed criteria.
Step 4: Materiality and Risk Assessment
The assurance provider determines materiality — the threshold above which misstatements are considered significant — and performs a risk assessment to identify areas where material misstatement is most likely. This risk assessment drives the allocation of assurance procedures, focusing effort on the areas of highest risk.
Key risk factors include:
- Data areas with high estimation uncertainty (e.g., Scope 3 emissions, biodiversity metrics).
- New or changed reporting methodologies.
- Areas with limited internal controls or manual processes.
- Data collected from third parties outside the organization's direct control.
- Qualitative disclosures involving significant management judgment.
Phase 2: Evidence Gathering — Building the Evidence Base
The evidence-gathering phase is where the assurance provider obtains the information needed to form their conclusion. The nature and extent of procedures depend on the assurance level.
Site Visits and Physical Observation
For organizations with multiple operational sites, the assurance provider may visit selected locations to:
- Observe data collection processes at source (e.g., meter readings, waste measurement, safety incident recording).
- Interview local personnel responsible for sustainability data.
- Verify that reported site-level data reconciles with on-the-ground reality.
- Assess the consistency of data collection practices across locations.
Data Sampling and Analysis
The assurance provider selects samples of data for detailed examination. Sampling approaches include:
- Judgmental sampling: Selecting items based on risk factors, materiality, and professional judgment (common in limited assurance).
- Statistical sampling: Using statistically determined sample sizes to draw conclusions about the population (more common in reasonable assurance).
- Key item testing: Testing the largest or most material individual items (e.g., the five largest emission sources that comprise 80% of total emissions).
System Walkthroughs
The assurance provider traces data from its point of origin through the organization's systems to the final reported figure. For example, tracing an electricity consumption figure from the utility bill, through the data entry process, emission factor application, aggregation, and final reporting. This identifies potential error points and control gaps.
Management Inquiry
The assurance provider conducts structured interviews with management and key personnel to understand:
- How sustainability data is collected, processed, and reviewed.
- What methodologies and assumptions underpin key calculations.
- How estimation uncertainty is identified and addressed.
- What internal controls exist over sustainability data.
- Whether there are any known issues, restatements, or changes in methodology.
Analytical Procedures
Analytical procedures involve evaluating sustainability information through analysis of plausible relationships:
- Year-over-year trend analysis (e.g., has emission intensity changed proportionally with production?).
- Ratio analysis (e.g., energy per unit of output, water per employee).
- Benchmarking against industry peers or sector averages.
- Expectation analysis (e.g., does reported consumption align with known operational changes?).
Phase 3: Testing — Verifying the Data
Substantive Testing
Substantive testing involves direct verification of reported data against source evidence. Examples include:
- Recalculating GHG emissions from source data (activity data × emission factor) and comparing to reported figures.
- Tracing reported water consumption to utility invoices or meter readings.
- Verifying employee headcount and diversity data against HR system records.
- Confirming waste tonnage figures with waste management contractor reports.
- Checking that emission factors and conversion ratios match recognized sources (e.g., DEFRA, EPA, IEA).
Controls Testing (Reasonable Assurance)
For reasonable assurance engagements, the assurance provider evaluates internal controls over sustainability reporting:
- Design evaluation: Are the controls designed effectively to prevent or detect material misstatement? For example, does segregation of duties exist between data collection and data review?
- Operating effectiveness testing: Have the controls operated consistently as designed throughout the reporting period? This involves testing a sample of control instances — e.g., reviewing evidence that monthly data reviews were performed, approval sign-offs obtained, and reconciliations completed.
Recalculation and Re-performance
The assurance provider independently recalculates key figures using the organization's source data and stated methodology. This is particularly important for:
- GHG emissions calculations (checking activity data × emission factor × GWP).
- Intensity metrics (checking numerator and denominator sources and calculations).
- Aggregation from site-level to group-level figures.
- Currency conversions, unit conversions, and normalization calculations.
Phase 4: Forming the Conclusion
After completing all procedures, the assurance provider evaluates the totality of evidence obtained:
- Evaluate identified misstatements: Assess whether any errors, omissions, or misrepresentations identified are, individually or in aggregate, material.
- Consider uncorrected misstatements: If management declines to correct identified errors, assess whether the remaining misstatements are material to the conclusion.
- Assess overall presentation: Evaluate whether the sustainability information as a whole is consistent with the assurance provider's understanding of the organization and its sustainability performance.
- Form the conclusion: Based on all evidence, form either an unmodified (clean) conclusion or a modified conclusion (qualified, adverse, or disclaimer).
| Conclusion Type | Meaning | When Issued |
|---|---|---|
| Unmodified (clean) | Information is fairly presented / nothing has come to attention causing belief of material misstatement | No material misstatements identified |
| Qualified ("except for") | Information is fairly presented except for a specific identified matter | Material but not pervasive misstatement or scope limitation |
| Adverse | Information is materially and pervasively misstated | Pervasive material misstatement |
| Disclaimer | Unable to obtain sufficient evidence to form a conclusion | Pervasive scope limitation |
What Are the Key Deliverables of a Sustainability Assurance Engagement?
A sustainability assurance engagement produces two primary deliverables: the independent assurance statement and the management letter.
The Independent Assurance Statement
The assurance statement is the primary public deliverable — the formal document that communicates the assurance provider's conclusion to stakeholders. It is typically published alongside the sustainability report.
Structure of the Assurance Statement
- Title: "Independent Assurance Statement" or "Independent Limited/Reasonable Assurance Report."
- Addressee: Typically addressed to the board of directors, shareholders, or management of the reporting entity.
- Scope: Precisely identifies the subject matter examined — which report, which sections, which data points, which period, and which entities.
- Criteria: Identifies the reporting framework or criteria used (e.g., "GRI Standards 2021," "ESRS," "GHG Protocol Corporate Standard").
- Respective responsibilities: Distinguishes the organization's responsibility (preparing the information) from the assurance provider's responsibility (examining and concluding).
- Assurance standard: States the standard under which the engagement was conducted (e.g., ISAE 3000 (Revised)).
- Summary of procedures: Describes the nature and extent of procedures performed at a high level.
- Inherent limitations: Notes that assurance is not absolute and that sustainability data involves inherent measurement uncertainties.
- Conclusion: The formal assurance conclusion in either negative form (limited) or positive form (reasonable).
- Observations (optional): Some statements include a section with non-qualifying observations or emphasis of matter paragraphs.
- Signature, date, and provider identification: The name and credentials of the assurance provider, the engagement partner, the date, and the location.
The Management Letter
The management letter is a confidential document issued to the organization's management and/or audit committee. Unlike the assurance statement, it is not published externally.
What the Management Letter Contains
- Observations: Non-material findings identified during the engagement — data quality issues, minor errors, methodology inconsistencies, or documentation gaps that do not individually or collectively constitute material misstatement.
- Control weaknesses: Identified weaknesses in internal controls over sustainability reporting that, if not addressed, could lead to future material misstatements.
- Recommendations: Specific, actionable recommendations for improving data quality, strengthening controls, enhancing governance, and progressing toward reasonable assurance readiness.
- Good practices observed: Recognition of areas where the organization demonstrates strong data management, effective controls, or best practice approaches.
- Year-over-year progress: For recurring engagements, tracking whether prior-year recommendations have been implemented and noting progress.
Many organizations undervalue the management letter, but it is arguably the most operationally useful output of the assurance engagement. While the assurance statement provides the external credibility, the management letter provides the roadmap for continuous improvement. Organizations that systematically track and address management letter recommendations consistently achieve smoother engagements, fewer findings, and faster progression toward reasonable assurance.
How Conformity Assessment Standards Ensure Provider Credibility
The credibility of a sustainability assurance engagement depends not only on the assurance standard applied but also on the credentials and competence of the provider. Two conformity assessment standards play a critical role in establishing provider credibility, particularly for GHG and environmental assurance: ISO/IEC 17029 and ISO 14065.
ISO/IEC 17029: Requirements for Validation and Verification Bodies
ISO/IEC 17029:2019 specifies general requirements for bodies performing validation and verification as conformity assessment activities. It ensures that providers:
- Maintain impartiality: The body must identify and manage threats to impartiality, ensuring that no relationship, financial interest, or pressure compromises its objectivity.
- Demonstrate competence: Personnel must possess relevant technical knowledge, sector expertise, and validation/verification methodology skills. Competence must be assessed and maintained through ongoing training.
- Operate quality management: The body must implement and maintain a quality management system that ensures consistent, reliable, and defensible validation/verification outcomes.
- Accept accreditation oversight: Bodies accredited under ISO/IEC 17029 are subject to periodic assessment by their national accreditation body, providing external oversight of their operations.
ISO 14065: Requirements for Environmental Information Verification Bodies
ISO 14065:2020 builds on ISO/IEC 17029 with additional requirements specific to environmental information validation and verification, particularly GHG statements. Bodies accredited under ISO 14065:
- Demonstrate competence in GHG quantification methodologies, emission factors, and environmental measurement.
- Apply ISO 14064-3 as the methodological standard for verification/validation of GHG statements.
- Meet requirements for environmental sector-specific technical knowledge.
- Maintain independence from GHG program operators and reporting entities.
For organizations seeking assurance on GHG inventories, carbon neutrality claims, or environmental disclosures, engaging an ISO 14065-accredited provider offers the highest level of credibility. The accreditation framework ensures that the provider's competence and impartiality have been independently assessed by a national accreditation body — a level of oversight that goes beyond simply performing the engagement under an assurance standard.
Accreditation under ISO/IEC 17029 or ISO 14065 is not the same as simply claiming to follow the standard. Accreditation involves an independent assessment by a national accreditation body (e.g., UKAS, ANAB, JAS-ANZ) that confirms the provider meets all requirements. Glocert International operates under rigorous quality management and accreditation frameworks to ensure every assurance engagement meets the highest standards of competence and impartiality.
Typical Timeline and Milestones
| Phase | Limited Assurance | Reasonable Assurance | Key Milestones |
|---|---|---|---|
| Pre-engagement | 1–2 weeks | 2–3 weeks | Proposal, engagement letter, kick-off meeting |
| Planning | 1–2 weeks | 2–3 weeks | Scope finalization, risk assessment, evidence request |
| Evidence gathering | 1–2 weeks | 2–4 weeks | Site visits, data receipt, system walkthroughs |
| Testing | 1–2 weeks | 2–4 weeks | Substantive testing, controls testing (reasonable) |
| Conclusion & reporting | 1 week | 1–2 weeks | Draft statement review, management letter, final issuance |
| Total | 4–8 weeks | 8–14 weeks | |
Note: Timelines are indicative and depend on scope complexity, data readiness, number of locations, and whether this is a first-time or recurring engagement.
Roles and Responsibilities
Organization's Responsibilities
- Preparing the sustainability information in accordance with the applicable criteria.
- Designing and implementing internal controls over sustainability data.
- Providing the assurance provider with access to all necessary information, records, and personnel.
- Providing written representations on the completeness and accuracy of information.
- Responding to assurance provider queries in a timely manner.
- Correcting identified errors before the assurance statement is finalized.
Assurance Provider's Responsibilities
- Conducting the engagement in accordance with the applicable assurance standard.
- Maintaining independence and exercising professional skepticism throughout.
- Performing sufficient procedures to obtain a reasonable or limited level of assurance.
- Communicating findings to management in a timely manner.
- Issuing the assurance statement and management letter.
- Maintaining engagement documentation and quality management.
Audit Committee / Board's Role
- Overseeing the assurance process and provider selection.
- Reviewing the assurance statement and management letter.
- Ensuring management addresses recommendations from the management letter.
- Approving the sustainability report for publication with the assurance statement.
Frequently Asked Questions
How long does a sustainability assurance engagement typically take?
A limited assurance engagement typically takes 4–8 weeks from engagement letter signing to issuance of the assurance statement. Reasonable assurance engagements take 8–14 weeks due to more extensive procedures. Timelines depend on scope, data readiness, organization size, and number of locations.
What is included in a sustainability assurance statement?
A sustainability assurance statement typically includes the scope, criteria, respective responsibilities, summary of procedures, inherent limitations, the assurance conclusion, and the provider's signature and date. It is published alongside the sustainability report.
What is a management letter and why is it important?
A management letter is a confidential document containing observations, findings, and recommendations identified during the engagement. These include data quality issues, control weaknesses, and improvement areas. It drives year-over-year improvement in sustainability reporting maturity.
What evidence does the assurance provider need from my organization?
The evidence pack includes source data (utility bills, invoices, meter readings), calculation workbooks, emission factor sources, methodology documentation, internal review records, organizational charts, reporting boundary documentation, and management representations.
How does ISO/IEC 17029 accreditation ensure provider credibility?
ISO/IEC 17029 establishes requirements for competence, impartiality, and quality management for validation and verification bodies. Accreditation under this standard ensures the provider has been independently assessed by a national accreditation body, giving stakeholders confidence in the provider's capability and objectivity.