Managing Your ESG Data Toward Third-Party Assurance
This article covers key considerations for organizations embarking on environmental, social, and governance (ESG) assurance with an outside auditor. By now, if you have been following our insights series covering preparatory steps in the ESG assurance process, you have already learned about the following topics: why ESG assurance is an essential competitive differentiator; factors that help managers and board members understand their readiness for ESG assurance; how to decide on what level of assurance to seek; why and how companies should establish robust ESG data controls; and how to prepare your control environment for ESG reporting and assurance.
Third-party assurance is a rigorous and detailed process. Addressing the questions covered below will further help prepare your organization for the ESG assurance engagement and ensure that it runs as smoothly as possible.
Do you have sufficient company resources assigned?
When seeking ESG assurance, the auditor will list required information upfront and will make additional inquiries during the course of the engagement. These requests may be extensive, and the organization needs to be prepared to handle them. The proper level of preparation includes dedicating personnel with ample time and knowledge of the data who have deep experience in ESG and the rigors of assurance. Unlike a financial audit, where the data resides largely within a single function—finance, the ESG assurance process may entail data and source documents that reside in various groups including finance, human resources (HR), supply chain, property management, and legal.
Time is another resource your organization will need to allocate to the ESG assurance effort. Assurance generally requires significantly more lead time and resources in the first year, as the auditors familiarize themselves with the organization, and the organization familiarizes itself with the ESG assurance process. Once the knowledge and infrastructure are in place, the second year typically takes less time, and the third year runs even more efficiently.
Are the individuals supporting the assurance process sufficiently trained?
Given that ESG assurance is a relatively new practice, organizations typically support the engagement by teaming up professionals involved in ESG functional areas (e.g., legal, HR, and supply chain) with those in finance. For the engagement to run smoothly, ESG-focused team members should educate their finance colleagues on which ESG metrics to report and the sources of these metrics. In turn, the financial professionals train their sustainability colleagues on the assurance process given their experience from financial statement audits.
ESG-focused professionals may lack experience in assurance, so they may underestimate the work involved. Finance professionals can teach them how to prepare the required documents—vetted, approved, and with an audit trail—to meet the auditor’s requirements. ESG data is often collected manually and can be hard-coded to a spreadsheet, making this process more onerous. Team members in ESG functional areas can inform their finance colleagues of the drivers, collation process, and calculations. This training can be handled through ongoing cross-functional teamwork throughout the assurance project rather than a formal training program.
Should you supplement internal resources with external expertise?
Depending on your organization’s level of experience and the availability of personnel, you may consider retaining external resources to help prepare data and collate information required during the engagement. Some organizations hire an outside firm to work with them on an assurance readiness review to evaluate their information, processes, and controls and to identify any gaps that may make the assurance process more challenging. Outside expertise can fill gaps in skills and resources and help an organization identify potential blind spots.
Another recommended best practice is to work with an experienced external firm on a trial run audit before assurance is formally required. A trial run can prepare an organization to fulfill regulatory requirements and meet assurance deadlines without the pressure of a formal reporting deadline. Moreover, a trial run will lead to a more efficient process with fewer distractions for team members once assurance is required.
Do you have a thorough grasp on your source documentation?
Vetting source documents and having them readily available can reduce costs and improve the speed and efficiency of the assurance engagement. The auditor will evaluate data sources and calculations used to produce ESG metrics. For example, when verifying electricity consumption metrics, the auditor will likely need to review utility statements indicating how much electricity was used rather than simply reviewing the spreadsheets where the data was entered. For gender or diversity metrics, the auditor will examine the underlying human-resource records or surveys used to derive metrics.
Source information can be particularly challenging for large or geographically dispersed organizations with diverse documentation standards. For instance, verifying vehicle fuel data from multiple global locations can raise uncertainties because that data may be in varying units and located across a combination of company and third-party records. Therefore, it is critical to have well-organized and vetted source documents to ensure the assurance process runs smoothly.
Are you prepared to discuss estimates and third-party data with the auditor?
Auditors will pay special attention to estimates and third-party data. For example, calculating Scope 3 emissions based on dollars spent with a vendor would require an evaluation of the spending data and how it was used to derive an emissions estimate, including visibility into and validation of the emission factors utilized. Similarly, waste categories can be difficult to measure depending on available documentation from companies picking up your waste and the standards applied in different countries. Estimates and third-party provided data should be identified in advance of the engagement and discussed upfront with the auditors.
Are you prepared to discuss the software used to generate metrics?
All software involved in generating metrics should be brought to the auditor’s attention. These tools may range from software used to calculate sustainability data to human-resource systems that manage talent data or any other system from which the organization derives data. Depending on the level of assurance being sought, the auditors will need to understand the controls embedded in the tech stack and particularly the controls in place to manage access to data and the inputting of data into the software tool. The auditor will most likely need to perform tests to determine that the outputs provided by the tool are appropriate given the inputs.
Have you agreed on a project plan with the auditor?
Transparency about expectations will help the engagement run smoothly. Be sure to agree with the auditor on a clear, detailed project plan, including a timeline, inputs, and deliverables. Build in some flexibility, particularly in the first years. Allow time for the inevitable learning curve, and don’t anticipate that the project will be completed in weeks.
Have you confirmed planned timing for the information subject to assurance to be released?
Once you have decided to proceed with ESG assurance, ensure that the entire organization is aware so that the information is not released externally until the assurance process is complete. This will help you safeguard the integrity of what you report and avoid having to issue corrections later.
Managing the Evolution of ESG Reporting and Assurance
ESG assurance is an iterative process, involving continuous re-evaluation and refinement each year. ESG expectations and requirements are in flux, and they are expected to become more demanding in the years ahead. The metrics that are material to reporting are evolving, so items that were not considered material in the past may soon become material.
To keep up, organizations need to follow changes to reporting requirements and monitor how peers, partners, and competitors are handling ESG assurance. As ESG metrics rise in prominence, it is worth ensuring that business strategy and ESG requirements are aligned and employees are well-informed on the issues so they can contribute to strong performance and accurate reporting.
BDO will continue to produce a series of insights to help companies understand the ESG assurance process. We encourage executives to follow this series for value-added insight about the ESG landscape and how all organizations can optimize their ESG-related data and processes.
SHARE