Communicating ESG Results and Impact on External Reporting

An in-depth exploration of how auditors communicate ESG results, including reporting formats, assurance levels, and the impact on corporate disclosures.

22.3 Communicating ESG Results and Impact on External Reporting

Communicating Environmental, Social, and Governance (ESG) metrics and insights is increasingly important in today’s business landscape. Investors, regulators, and other stakeholders seek greater transparency and reliability in both financial and nonfinancial disclosures. As sustainability reporting evolves alongside regulatory expectations, external auditors play a key role in reassuring the markets about ESG disclosures’ accuracy and consistency. This section explores how these disclosures are made, the differing levels of assurance provided, and the auditor’s responsibilities when presenting ESG results.


1. Management vs. Auditor Responsibilities

ESG reporting is a collaborative effort between an entity’s management and the external auditor, albeit with distinct responsibilities:

  1. Management Responsibilities

    • Preparation and Presentation of ESG Data: Management gathers operational and sustainability data, selects an appropriate ESG reporting framework (e.g., GRI, SASB, IFRS S1 and S2 for sustainability disclosure), and compiles the results into a cohesive report.
    • Alignment with Chosen Frameworks and Standards: Management is accountable for ensuring that the ESG metrics align with the chosen external reporting framework. This includes delineating data boundaries, deciding on material metrics, and defining any relevant narrative.
    • Internally Ensuring Data Reliability: Management must implement internal controls over ESG data—processes that check for completeness, accuracy, and compliance with relevant criteria.
  2. Auditor Responsibilities

    • Assurance on ESG Metrics: The auditor’s primary role is to provide independent assurance (limited or reasonable) on the data presented by management. They assess whether metrics are free from material misstatement and consistent with stated frameworks.
    • Testing the Process: Beyond merely reviewing numbers, auditors examine the systems and processes management uses to generate and report ESG information, including data quality controls and record maintenance.
    • Identifying and Addressing Potential Inconsistencies: The auditor must identify any disparities between ESG disclosures and the financial statements or other parts of an entity’s annual report.

The distinction between management and auditor responsibilities is critical. While management creates and owns the information, the auditor validates the reliability of this data, providing confidence to external users.


2. Report Formats

ESG results can appear in various channels, each meeting different stakeholder needs and regulatory directives. Common approaches for communicating ESG performance include:

  1. Standalone Sustainability Reports

    • Often published annually or biennially.
    • Can include case studies on environmental initiatives, graphs of social impacts, and discussions of governance structures.
    • Many such reports include a dedicated “Assurance Statement” or “Independent Assurance Report,” summarizing the CPA’s or consultant’s findings.
  2. Integrated Reporting

    • Combines financial and nonfinancial data in a single, cohesive report, emphasizing the interconnectivity of business strategy and sustainability.
    • Promoted by the International Integrated Reporting Council (IIRC), now consolidated under the IFRS Foundation and sometimes referred to more broadly as “Integrated Reporting ().”
    • Auditors offering an integrated assurance approach may perform procedures on both the financial statements and ESG metrics, enhancing stakeholder understanding of an entity’s overall performance.
  3. Disclosures in Annual Filings

    • ESG data might be included in Management Discussion & Analysis (MD&A) sections or risk factor disclosures within statutory filings (e.g., Form 10-K in the U.S.).
    • External auditors must cross-check ESG data with the financial statements to avoid material inconsistencies.
    • In some jurisdictions, ESG disclosures may be mandated in annual filings, thus raising the profile of these disclosures with regulators and investors.

Each reporting format brings different challenges for the auditor. A standalone sustainability report or integrated report typically entails more direct ESG-related testing, while annual filings require thorough cross-referencing of ESG statements with financial data.


3. Levels of Assurance

Auditors can provide varying levels of assurance on ESG disclosures, ranging from a limited review to a comprehensive examination:

  1. Limited Assurance (Review)

    • Provides negative assurance, i.e., the auditor states that “nothing came to our attention” to suggest the ESG metrics are not fairly stated.
    • Generally involves fewer procedures, such as inquiries of responsible personnel and analytical review.
    • Sufficient if stakeholders primarily seek a basic level of comfort regarding the reliability of disclosed information.
  2. Reasonable Assurance (Examination)

    • Offers positive assurance, akin to an audit opinion.
    • The auditor explicitly concludes whether, in their opinion, the ESG information is fairly presented in accordance with the relevant criteria.
    • Demands more rigorous testing of processes and data, often involving site visits, re-performance of calculations, and more extensive sampling.

Most companies begin by obtaining limited assurance as they mature their sustainability reporting processes. Some progress to reasonable assurance in response to shareholder demands, emerging regulations, or as confidence in the reliability of their ESG data grows.


4. Communicating ESG Results in Practice

When communicating ESG results, auditors must ensure that both the final assurance statement and any narrative they produce are transparent and aligned with the appropriate frameworks:

  • Scope of the Engagement: Clearly define which metrics are covered, the period under review, and the level of assurance (limited or reasonable).
  • Criteria Used: Note explicitly the ESG framework or standard management employed (e.g., GRI Standards, SASB Standards, IFRS S1/S2).
  • Limitations and Constraints: Disclose any constraints encountered during the engagement, such as data limitations for certain metrics.
  • Conclusions and Opinions: Provide a concise conclusion (negative or positive assurance). For integrated audits, a combined opinion may detail both financial and nonfinancial assurance findings.
  • Recommendations: Often, auditors may offer suggestions to strengthen internal controls over ESG data—though these usually remain within management letters or separate communication channels outside the published assurance statement.

5. Visualizing the ESG Communication Process

Below is a Mermaid diagram illustrating how ESG data flows from management’s system to the final reporting stages, showing the auditor’s involvement in validating accuracy.

    flowchart TB
        A[Management Collects ESG Data] --> B[Data Verification & Internal Controls]
        B --> C(ESG Report Draft)
        C --> D{External Auditor}
        D --> E["Auditor Procedures<br/>(Limited or Reasonable Assurance)"]
        E --> F(ESG Assurance Conclusion)
        F --> G["Final External Report<br/>(Standalone or Integrated)"]

Explanation:
• Management gathers ESG data (A) and reviews it via internal controls (B).
• The ESG report is created (C), after which the external auditor (D) tests the reliability of information (E).
• The auditor then issues an assurance conclusion (F), and the company publishes final disclosures or reports (G).


6. Best Practices and Common Pitfalls

  1. Best Practices

    • Alignment with Global Standards: Where possible, adopt widely recognized ESG frameworks to facilitate comparability and enhance stakeholder trust.
    • Robust Internal Controls: Strengthen data-gathering and documentation processes to reduce the risk of material misstatements.
    • Cross-Functional Collaboration: Use input from sustainability experts, finance teams, operations management, and external consultants to generate a consistent, high-quality ESG report.
  2. Common Pitfalls

    • Overlooking Data Completeness: Omitting relevant scope (e.g., upstream and downstream emissions) can distort the impact presented to stakeholders.
    • Unclear Materiality: Failing to define what is “material” from an ESG perspective can produce overly broad or shallow disclosures.
    • Misalignment between Financial and Nonfinancial Disclosures: Inconsistencies lead to stakeholder confusion and potential credibility issues.

7. Glossary

  • Integrated Reporting: A holistic format that merges financial statements and sustainability factors, advocating a clear narrative of overall performance.
  • Limited Assurance (Negative Assurance): Auditor attests that no misconduct or material misstatement came to their attention, relying primarily on inquiry and analytical procedures.
  • Reasonable Assurance (Positive Assurance): Auditor provides an opinion specifying that ESG data is free of material misstatements, following procedures analogous to a detailed financial audit.

8. Further References and Resources

Below are some resources valuable for auditors, financial professionals, and corporate management aiming to deepen their knowledge of ESG reporting:

  • International Federation of Accountants (IFAC):
    “Key Considerations for Assurance on Sustainability Reports” – In-depth guidelines for CPA firms conducting ESG assurance.
  • IFRS Foundation (home to the ISSB for Sustainability Reporting):
    Guidance on emerging sustainability disclosure standards.
  • IIRC Case Studies:
    “Integrated Reporting in Practice” – Real-world examples provided through the Business Network.
  • Sustainability Accounting Standards Board (SASB):
    Offers industry-specific metrics and frameworks for ESG reporting.

Quiz: Communicating ESG Results and External Reporting

### Which of the following is a key responsibility of management concerning ESG reporting?

- [x] Ensuring the completeness and accuracy of ESG data
- [ ] Expressing a negative assurance on ESG data
- [ ] Providing external validation of ESG metrics
- [ ] Publishing external auditors’ opinions

> **Explanation:** Management is responsible for preparing and presenting ESG data, guaranteeing its completeness, accuracy, and alignment with chosen frameworks.

### Where might ESG data commonly appear in a company’s annual statutory filings?

- [x] In the MD&A or in risk factor disclosures
- [ ] Only on the auditor’s website
- [ ] Solely in footnotes of the financial statements
- [ ] Exclusively in the board of directors’ meeting minutes

> **Explanation:** Companies often include ESG data in the MD&A or risk factors section to comply with stakeholder and regulatory demands for transparency.

### Which statement best describes “Integrated Reporting”?

- [x] A holistic combination of financial and nonfinancial performance in one report
- [ ] A short memo dedicated only to board members
- [ ] A format that excludes financial performance metrics
- [ ] A required standard for all U.S. public companies

> **Explanation:** Integrated reporting merges financial and sustainability data into a single report for a comprehensive view of corporate performance.

### In a “Limited Assurance” engagement, the auditor:

- [ ] Provides a conclusive opinion on ESG data akin to a financial statement audit
- [x] Issues a negative assurance stating no evidence suggests material misstatement
- [ ] Assumes management’s role in preparing the ESG data
- [ ] Conducts procedures identical to an integrated audit approach

> **Explanation:** Limited assurance typically involves fewer procedures than a full examination and concludes with a statement that nothing came to the auditor’s attention indicating material errors.

### Which of the following best explains a “reasonable assurance” opinion on ESG data?

- [x] The auditor expresses a positive assurance that the ESG data follows the framework
- [ ] The auditor only reviews ESG disclosures for grammar and style
- [x] The auditor obtains thorough evidence, similar to an audit-level engagement
- [ ] The auditor conclusively states that ESG data is out of scope

> **Explanation:** Reasonable assurance is akin to a more rigorous audit, where the auditor obtains sufficient evidence to confidently express that ESG metrics are fairly reported.

### A common pitfall in ESG reporting is:

- [x] Omitting upstream or downstream environmental impacts, resulting in incomplete disclosures
- [ ] Providing references to recognized standards
- [ ] Including a negative assurance statement
- [ ] Engaging specialist consultants for data verification

> **Explanation:** Incomplete boundary definitions can lead to omitting material aspects, reducing the reliability of communicated ESG performance.

### To maintain consistency, which strategy should an auditor adopt across both financial statements and ESG reports?

- [x] Cross-check any potential inconsistencies in reported figures and narratives
- [ ] Only rely on the preparer’s word regarding material consistency
- [x] Ignore sections in the ESG report referencing operational aspects
- [ ] Provide a separate management representation letter exclusively for ESG data

> **Explanation:** The auditor must ensure consistency across all corporate disclosures, flagging any material inconsistencies with financial or regulatory statements.

### Which organization champions the integration of financial and nonfinancial data and is now a part of the IFRS Foundation?

- [x] The International Integrated Reporting Council (IIRC)
- [ ] The Internal Revenue Service (IRS)
- [ ] The World Economic Forum (WEF)
- [ ] The Public Company Accounting Oversight Board (PCAOB)

> **Explanation:** The IIRC, now consolidated under the IFRS Foundation, has led the movement toward integrated reporting for holistic corporate disclosures.

### Which statement correctly describes the contrast between the auditor’s and management’s responsibilities?

- [x] Management prepares and owns the ESG data, while the auditor’s role is to validate the reliability of this data
- [ ] The auditor is responsible for setting corporate sustainability goals
- [ ] Management provides site visit confirmations to the auditor
- [ ] The auditor designs internal control practices over sustainability

> **Explanation:** The separation of duties is clear: while management generates and manages the data, the auditor evaluates its reliability and alignment with the chosen framework.

### For a company just beginning ESG reporting, the typical initial form of assurance is:

- [x] Limited assurance
- [ ] Reasonable assurance
- [ ] No assurance required
- [ ] A combined and integrated audit

> **Explanation:** Many organizations opt for limited assurance when they first begin reporting ESG metrics, progressively moving toward reasonable assurance in subsequent periods.

Disclaimer: This course is not endorsed by or affiliated with the AICPA, NASBA, or any official CPA Examination authority. All content is created solely for educational and preparatory purposes.