How Sustainability Leaders Can Ensure Audit & Assurance Readiness

Nasdaq

ESG and sustainability data are increasingly used by investors, regulators, customers, employees, and other stakeholders to assess the sustainability and value of a company. This expanded use has prompted audit and assurance practices, as they help de-risk sustainability data by enhancing data credibility and reducing the risks of errors, omissions, and misstatements.

International Federation of Accountants (IFAC) research showed 69% of companies globally obtained assurance on some of their sustainability disclosures in 2022 and were expanding the scope of their assurance engagements year over year. Moreover, according to 2024 Nasdaq ESG Solutions research, 97% of companies report that audit and assurance of ESG and sustainability data is a challenge ^[1].

Because inaugural assurance engagements can be overwhelming, Nasdaq ESG Solutions outlines best practices to help sustainability leaders secure the right resources and engage the right people in pursuit of investor-grade sustainability and ESG data. We additionally highlight key examples of assurance expectations in regulatory and voluntary reporting.

Terminology Sustainability Leaders Should Know

Before digging into how audit and assurance are currently leveraged for sustainability data, it is helpful to take a step back to define key terms. Audit and verification are the processes of examining and verifying the accuracy, completeness, and reliability of data and information and assurance is the deliverable or outcome of the audit. There are different levels of assurance, and companies often begin with a lighter touch and work their way up to more in-depth verification.

• Attestation is a review of a sub-component of a disclosure, where a third party will attest to the processes and controls to which the company handles a set of data.
• Limited assurance primarily includes analytical procedures and inquiries. This is typically based on a limited data request.
• Reasonable assurance is more expansive, going beyond data requests to include site visits and more testing. Note that the transition from limited to reasonable assurance can be a significant lift for companies.

The literal outcome of this work is a written statement, which is often attached to the sustainability report. The statement will cite the values and protocols to which the data has been verified. In addition, the company will receive a report indicating errors and other learnings from the audit. This is an important tool for companies to continue improving their ESG and sustainability data management.

Where Assurance Fits into Sustainability Reporting

There are many examples of assurance requirements or recommendations in both regulatory and voluntary reporting. A few are outlined below and others can be found across many frameworks and standards supported in Nasdaq Metrio™, Nasdaq’s sustainability reporting and data management solution.

Regulatory requirements around the globe prescribe levels of assurance for climate and other ESG data. While these regulations do not apply to every company, examples include:

• U.S. Securities and Exchange Commission (SEC) Climate-Related Disclosure Rules. The SEC rules, adopted March 6, 2024, require large accelerated filers (over $700M float) and accelerated filers (between $75M and $700M float) to disclose Scope 1 (direct) and 2 (indirect) emissions if they are material and obtain a third-party attestation of any disclosed Scope 1 and 2 emissions. It further provides a phase-in period for large accelerated filers to achieve reasonable assurance and accelerated filers to achieve limited assurance. Even if your company does not need to disclose Scope 1 and 2, all companies will need to provide certain climate-related disclosures in their audited financial statements. The company’s CEO and CFO will need to certify the accuracy of all information and effectiveness of controls and procedures, so a company may want to obtain assurance to help ensure data accuracy.
• California’s Climate Corporate Data Accountability Act (SB-253). SB-253 requires public and private companies doing business in California with over $1 billion in total annual revenues to disclose Scope 1, 2, and 3 emissions and obtain assurance over those emissions. For Scopes 1 and 2, limited assurance will be required beginning in 2026, then reasonable assurance beginning in 2030. For Scope 3, limited assurance will be required beginning in 2030. The California Air Resources Board must provide more specific requirements around disclosure and assurance by January 1, 2025.
• EU Corporate Sustainability Reporting Directive (CSRD). The EU CSRD takes a progressive approach to enhancing the level of assurance required for sustainability information, beginning with limited assurance and expanding to reasonable assurance. The European Commission will adopt assurance standards for limited assurance no later than October 1, 2026 by means of delegated acts. For reasonable assurance, there will be standards in delegated acts by October 1, 2028, following an assessment to determine if reasonable assurance is feasible for auditors and undertakings. Considering the results of that assessment and, if appropriate, those delegated acts will also specify the date from which a requirement for reasonable assurance shall apply.

Voluntary ESG and sustainability reporting frameworks also address assurance. For example, the Task Force on Climate-related Financial Disclosures (TCFD) states that “disclosures should be subject to internal governance processes that are the same or substantially similar to those used for financial reporting.” Some entities that score or rank companies’ sustainability disclosures reward or allocate points for assurance practices, such as:

• The Carbon Disclosure Project (CDP) supports verification and assurance as good practice in environmental reporting because it offers data users further confidence in the accuracy of the data reported. It asks respondents to indicate the type of verification or assurance (from limited to high assurance), assurance cycle, and completion status for the current reporting year.
• The S&P Global Corporate Sustainability Assessment (CSA) for the Dow Jones Sustainability Indices (DJSI) asks if the company has received any external assurance in relation to its sustainability reporting. If so, it requests evidence indicating where the assurance statement is available in the public domain.

Building the Right Team

Audit and assurance of ESG and sustainability data involve internal and external parties. If ESG and sustainability responsibilities sit within the finance function, the company may already have created these cross-team connections given familiarity with existing financial auditing practices. For ESG and sustainability leaders assembling their teams for the first time, consider including the following:

• The corporate controller is responsible for the company’s accounting, reporting, and financial management, including the preparation and presentation of ESG and sustainability data.
• Data owners contribute data ranging from environmental inputs to workforce statistics and corporate policies. These individuals are typically the first line of defense in generating good data, given they own the program or project related to the data.
• Data approvers sign off on information provided by data owners ahead of assurance and public release of the data.
• The legal, compliance, and risk team is typically the second line of defense, helping ensure that data owners and approvers are following the defined processes and policies set forth by the company.
• The internal audit team is viewed as the third line of defense, providing independent and objective review of the effectiveness and efficiency of the company’s governance, risk management, and control processes, including those related to ESG and sustainability data. Internal audit departments typically report directly to the board or audit committee.
• The external auditor or assurance provider is an independent professional firm that provides assurance and attestation services on the fairness and reliability of the company’s financial and non-financial information, including the ESG and sustainability data.

Audit Trail and Traceability

In addition to proactively assembling a cross-functional team, the following practices may help companies prepare for assurance:

• Define clear roles and responsibilities. Identify data owners and establish sign off requirements by subject matter experts. Leverage workflow management tools, such as those in Nasdaq Metrio to assign team members to the appropriate roles and define or limit access to the data to avoid unintentional corruption of information. Defined roles are particularly important, as the individuals providing the data are often different from those providing the final quality assurance.
• Set expectations for timing. Because additional time is needed to complete external audits after ESG and sustainability data is gathered and calculated, existing reporting timelines may need to be adjusted.
• Employ a centralized repository for information. Input and store data in one shared location, rather than various static documents and folders. Collecting data in one digitized location enables audit trails with detailed date and time stamps and user logs.
• Formalize the process for data collection. Automate data collection through APIs and bulk uploads. The fewer times that individuals touch the data, the less likely it is to be compromised. Lock data at the end of data collection periods to prevent unintended changes.
• Request source documentation. When requesting data, ask for supporting documentation such as a copy of the output from a technology solution or the link to a publicly available policy. Attaching supporting documents to data entries helps avoid tracking down sources in the future.
• Address data anomalies and outliers. If there are abnormalities in the data, document reasoning for the auditor. Save time during an audit by attaching notes about the data changes, such as variances due to mergers and acquisitions.

How Sustainability Leaders Can Get Started with Audit & Assurance

Whether your company will be required to meet regulatory requirements for assurance of sustainability and ESG data, now is the time to plan for audit-readiness to ensure investor-grade data for all stakeholders. Sustainability leaders have long been responsible for delivering and communicating ESG and sustainability strategy and are now layering in assurance of their data to meet evolving stakeholder and regulatory expectations.

Nasdaq Metrio is designed to help increase efficiency and effectiveness by facilitating audit-readiness for ESG and sustainability data. Nasdaq’s platform enables cross-team collaboration, data centralization and documentation, workflow automation, and clear audit trails, while keeping the needs of sustainability strategy and KPI achievement in focus.

To learn more or inquire about how Nasdaq Metrio can help future-proof your sustainability data and reporting, get in touch with our team here.

^{[1] Nasdaq ESG Solutions (2024). 2024 ESG & Sustainability Software Strategy Report. [Publication in preparation].}

^{This communication and the content found by following any link herein does not, and is not intended to, constitute legal advice; instead, all information, content, and materials are for general informational purposes only and do not establish an attorney-client or other fiduciary or principal-agent relationship. Information in these materials may not constitute the most up-to-date information. Please contact your attorney to obtain advice with respect to any particular legal matter. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Nasdaq accepts no liability for any actions taken by you or any third party based on Nasdaq services, nor for any penalties, fines, or legal consequences faced by you as a result of non-compliance with laws or regulations.}