
ESG Assurance Engagements Under AICPA Standards

Explore how CPAs deliver ESG attestation services under AICPA’s SSAE standards, differentiating between examinations and reviews, understanding report language, and ensuring high-integrity ESG disclosures.

22.6 ESG Assurance Engagements Under AICPA Standards

As Environmental, Social, and Governance (ESG) reporting rapidly gains traction in the marketplace, stakeholders increasingly demand credible, accurate, and transparent nonfinancial data. In response, the accounting profession, under the American Institute of Certified Public Accountants (AICPA) guidelines, has developed attestation standards to govern how practitioners can provide assurance on complex ESG metrics. This section explores the application of Statements on Standards for Attestation Engagements (SSAE) in providing both reasonable and limited assurance on ESG data, offering a comprehensive review of the service options, scope, reporting language, and best practices.


Overview of Attestation Standards (SSAE)

Under SSAE, CPAs can perform specific types of engagements—namely, examinations or reviews—on ESG information. This includes full sustainability reports or standalone metrics such as carbon emissions, water usage, or diversity metrics. Whether providing a higher or a limited level of assurance, the ultimate objective is to enhance the reliability of the reported ESG information. By performing these attestation services, external accountants can help organizations build trust with investors, customers, and the broader market.

Key Considerations in ESG Attestation

  1. Criteria Selection:
    • Organizations must select appropriate frameworks or criteria (e.g., Global Reporting Initiative (GRI), Sustainability Accounting Standards Board (SASB), or other recognized protocols) to benchmark their ESG performance.
    • CPAs should evaluate whether the chosen standards or frameworks are relevant, complete, and objective.

  2. Subject Matter:
    • The practitioner may evaluate qualitative or quantitative ESG data—ranging from an entity’s carbon footprint to human capital metrics—depending on the client’s reporting objectives.
    • Assurance is tied to the disclosed subject matter, and any limitations in scope should be documented.

  3. Reporting Framework Alignment:
    • The sustainability/ESG framework used must be consistently applied by the organization and is the basis for the CPA’s attestation report.
    • CPAs must verify that the organization’s processes align with these chosen frameworks to produce reliable information.


Examination vs. Review Engagements

SSAE outlines two primary levels of assurance that CPAs can provide on ESG reporting.

1. Examination Engagements (Reasonable Assurance)

An examination engagement is the highest form of ESG attestation, analogous to a financial statement audit’s “positive” assurance. The CPA conducts rigorous procedures to conclude that the subject matter is presented in conformity with the applicable ESG reporting framework, free from material misstatement.

• Depth of Procedures:
– Substantive testing, detailed analysis of data sources, confirmation with third parties (if necessary), and re-performance of certain ESG calculations.
– Observation of internal control processes related to data gathering, ensuring comprehensive coverage and reliability.

• Report Language:
– The CPA offers a positive statement, such as:
“In our opinion, the ESG metrics, in all material respects, are presented fairly based on [Applicable ESG Framework].”

2. Review Engagements (Limited Assurance)

A review, by contrast, provides a limited level of assurance. This engagement relies heavily on inquiry and analytical procedures rather than extensive detailed testing.

• Scope of Procedures:
– Inquiries of personnel responsible for data collection and oversight.
– High-level analytical assessments to detect anomalies in reported ESG metrics.

• Report Language:
– The CPA expresses “negative” or limited assurance:
“We are not aware of any material modifications that should be made for the ESG metrics to be in accordance with [Applicable ESG Framework].”


Report Language and Scope

When drafting the report, practitioners must communicate:

  1. The Applicable Criteria:
    • Clearly identify the specific framework or set of metrics used, e.g., “Carbon Disclosure Project guidelines” or “Global Reporting Initiative Standards.”

  2. Type of Assurance:
    • Indicate if the engagement is a review (limited assurance) or an examination (reasonable assurance).

  3. Procedures Performed:
    • Clarify the nature, extent, and timing of work done (e.g., site visits, sample testing, analytical reviews).

  4. Departures from Criteria:
    • Document any material misstatements or deviations from the chosen framework.
    • If the engagement scope was limited to certain metrics, explicitly note those metrics to avoid confusion about broader assurances.

  5. Responsibility:
    • Emphasize management’s responsibility for preparing the ESG disclosures and the CPA’s responsibility for expressing an opinion or conclusion on those disclosures.


Practical ESG Attestation Process

Below is a simplified diagram illustrating how an ESG attestation engagement may unfold. The process applies to both reviews and examinations, though the level of depth may vary depending on engagement type:

    flowchart LR
        A["Define ESG Scope and Criteria"] --> B["Plan Engagement<br>(Risk Assessment)"]
        B --> C["Perform Procedures<br>(Inquiries, Testing, Analytics)"]
        C --> D["Evaluate the Evidence<br>(Comparisons, Validations)"]
        D --> E["Draft Report<br>(Conclusions)"]
        E --> F["Issue Final Attestation<br>Report to Stakeholders"]

  1. Define ESG Scope and Criteria: Management selects relevant frameworks and determines which data to subject to assurance.
  2. Plan Engagement (Risk Assessment): The CPA identifies areas prone to error or high subjectivity, shaping detailed or analytical procedures.
  3. Perform Procedures: Depending on whether it’s an examination (reasonable assurance) or review (limited assurance), the practitioner completes various testing steps.
  4. Evaluate the Evidence: The CPA compares results with expectations, industry benchmarks, or historical data for consistency.
  5. Draft and Issue Report: Findings are formalized in a written conclusion, stating whether the ESG data meets the specified criteria.

Glossary of Key Terms

• Attestation Engagement: A service delivered under SSAE wherein a CPA provides a conclusion about a particular subject matter—here, ESG metrics—based on suitable criteria.
• Limited Assurance (Review): An assurance concept where the CPA states that no evidence was found suggesting that the subject matter is materially misstated.
• Reasonable Assurance (Examination): A higher level of assurance, akin to an audit opinion, offering positive assurance that the subject matter is free from material misstatement.
• ESG Metrics: Nonfinancial disclosures covering environmental (e.g., emissions, water usage), social (e.g., diversity, human rights), and governance (e.g., Board composition, ethical business practices) performance.


Best Practices and Common Pitfalls

  1. Selecting the Right ESG Framework
    • Best Practice: Align metrics with widely recognized frameworks such as GRI or SASB to bolster credibility.
    • Pitfall: Using internal, undocumented methods can lead to confusion or pushback from stakeholders who question the validity of the data.

  2. Thorough Planning
    • Best Practice: Conduct a robust risk assessment to focus on areas with high likelihood of misstatement (e.g., complex supply chain data).
    • Pitfall: Insufficient planning can lead to scope creep, unexpected timing issues, and cost overruns.

  3. Clear Communication of Scope
    • Best Practice: Specify exactly which ESG metrics are covered (e.g., carbon footprint) and exclude any data outside that scope to avoid misinterpretation.
    • Pitfall: Ambiguous boundaries can erode user confidence or create legal or reputational risks.

  4. Documentation and Evidence Retention
    • Best Practice: Maintain a thorough audit trail of testing, inquiries, and conclusions drawn.
    • Pitfall: Lack of proper documentation reduces the defensibility of your conclusions, risking potential litigation or regulatory action.

  5. Consistent Application of Criteria
    • Best Practice: Strive for consistency in measurement, reporting, and assurance scopes over time to allow comparability.
    • Pitfall: Shifting methods or criteria year-over-year without transparent explanation diminishes the value of trend analysis.


References and Additional Resources

• AICPA Attestation Standards:
https://www.aicpa.org/research/standards/auditattest/attestationstandards.html

• AICPA Whitepapers and Guidance:
“Attestation Engagements on Sustainability Information” provides a thorough overview of key considerations, reporting frameworks, and best practices.

• “Sustainability Assurance 101”:
A collection of AICPA guidance documents and conference materials focusing on the fundamentals of sustainability reporting and assurance.

• Global Reporting Initiative (GRI) and Sustainability Accounting Standards Board (SASB):
Common frameworks that provide well-structured criteria for ESG disclosures.


Quiz: ESG Attestation Essentials for CPAs

### Which of the following terms refers to a higher level of assurance, similar to that provided in a financial statement audit?

- [x] Reasonable Assurance (Examination)
- [ ] Limited Assurance (Review)
- [ ] Negative Assurance
- [ ] Transitional Assurance

> **Explanation:** When conducting an examination engagement under SSAE, a CPA provides “reasonable assurance” or a positive opinion, analogous to the assurance level in a standard financial statement audit.

### In an ESG review engagement, the CPA’s conclusion can best be described as:

- [ ] A guarantee of accuracy
- [ ] An assertion of perfect compliance
- [x] A statement that no material misstatements have been identified
- [ ] An explicit declaration awarding sustainability certification

> **Explanation:** A review provides limited assurance through a negative assurance statement, typically indicating that no material modifications are required for the subject matter to be in conformity with the chosen framework.

### Which of the following is generally performed as part of an ESG examination but not typically emphasized in a limited assurance review?

- [x] Comprehensive test of controls and detailed testing of data sources
- [ ] High-level analytical reviews only
- [ ] Inquiries to management personnel
- [ ] Public opinion surveys

> **Explanation:** In an examination, the CPA conducts detailed procedures and more extensive testing. A limited assurance review emphasizes inquiry and analytical procedures rather than comprehensive testing.

### The purpose of selecting a recognized ESG framework (e.g., GRI, SASB) in an attestation engagement is to:

- [ ] Provide creative flexibility in defining metrics
- [ ] Ensure the engagement remains confidential
- [x] Offer objective, publicly available criteria for evaluating performance
- [ ] Eliminate the need to discuss scope restrictions

> **Explanation:** Using a well-established ESG framework ensures that both management and the CPA rely on transparent, standardized metrics and guidelines.

### In the final ESG attestation report, which of the following must be disclosed for clarity?

- [x] The applicable criteria or framework used for the engagement
- [x] The type of assurance provided (review vs. examination)
- [ ] The strategic leadership team’s financial compensation details
- [ ] The organization’s plan for philanthropic outreach

> **Explanation:** The CPA’s report should identify the specific ESG framework and specify whether the engagement was a review or an examination, thus clarifying the scope and nature of the assurance provided.

### One of the primary differences between an examination and a review of ESG metrics is:

- [x] The depth and extent of the procedures performed
- [ ] The relevant AICPA standards applied
- [ ] The reporting framework selected
- [ ] The time period covered by the report

> **Explanation:** Both examinations and reviews follow SSAE standards, but examinations dig deeper and provide a higher level of assurance.

### Which statement correctly describes a common pitfall in ESG assurance engagements?

- [x] Using unknown or proprietary frameworks without adequate transparency
- [ ] Relying on well-known frameworks like GRI or SASB
- [x] Failing to clearly define the engagement scope
- [ ] Documenting all evidence and supporting materials thoroughly

> **Explanation:** Practitioners can undermine stakeholder confidence by using frameworks that are unclear or by failing to define their scope. Transparent use of recognized standards and finite engagement boundaries mitigate this risk.

### If an organization only wants limited assurance over their carbon emissions data, the CPA would likely perform:

- [ ] An integrated financial statement audit with ESG metrics
- [x] A review engagement focusing on emissions data
- [ ] A comprehensive examination of all ESG metrics
- [ ] No procedures, as carbon emissions are nonfinancial

> **Explanation:** Under SSAE standards, a review engagement (limited assurance) for the specified metric (carbon emissions) meets the organization’s goal.

### Which step typically occurs at the conclusion of both a review and an examination engagement?

- [x] Issuing a written report with either limited or reasonable assurance
- [ ] Preparing a press release summarizing findings
- [ ] Preparing journal entries for management
- [ ] Submitting data to the SEC for immediate disclosure

> **Explanation:** Both types of engagements culminate in a formal report to the client or stakeholders. The level of assurance differs, but the reporting step is consistent.

### True or False: When performing an ESG examination engagement, CPAs express “negative assurance” in their final report.

- [ ] True
- [x] False

> **Explanation:** In an examination, the CPA expresses a positive assurance (e.g., “In our opinion…”). Negative or limited assurance (“We are not aware of any material modifications…”) applies to review engagements.


Disclaimer: This course is not endorsed by or affiliated with the AICPA, NASBA, or any official CPA Examination authority. All content is created solely for educational and preparatory purposes.