Obtaining third-party assurance over financial disclosures is common practice among investors, as it is a regulatory requirement in most markets.

It is also used by service organisations to demonstrate to their clients the implementation of operational risk controls over outsourced financial services. For PRI signatories, external assurance of ESG information provides the highest form of confidence that the reported information is reliable and relevant. As such, signatories would obtain third-party assurance over their RI processes/ESG information to provide stakeholders, e.g. plan beneficiaries, with credible information, demonstrate leadership and differentiate themselves from their peers. In addition, investment managers and fund of funds would obtain third-party assurance to provide their clients with the confidence that submitted information can be used to make decisions, for example, as part of requests for proposals or due diligence questionnaires.

Key components 

In a standard definition, assurance should:

  • be conducted by someone not involved in preparing the subject matter;
  • have pre-defined criteria to evaluate the subject matter against;
  • use an appropriate standard;
  • result in a written conclusion, stating a level of confidence that the intended audience can have in the data or process.

Limited vs reasonable level of assurance

External assurance can be provided at either a reasonable or limited level. A reasonable level would provide a higher level of comfort over the reliability of the information, similar to a financial statement audit. This aims to result in a positive opinion that the information in the report is correct. A limited level of assurance engagement, which is less detailed, results in a negative statement by the assurance provider and could be adequate for the yearly assurance of ESG data-based information.

Although reasonable assurance is more resource intensive, it would allow for the review of the internal controls for which the assurer can then provide the following positive statement: “the processes are effective at meeting the desired outcome”. Finally, signatories can benefit from best practices external assurers can provide as identified from their line of work with many other clients.

Data vs process assurance

The PRI Reporting Framework consists of data and process-based questions. Data questions are specific to the reporting year, while processes will typically remain the same for several years. In the following sections, thirdparty independent assurance is split into data assurance and process assurance. As per the PRI’s 2016 paper on assurance, the relevance of process assurance should be substantiated by relating it to specific PRI framework indicators, as well as clearly defining “outcomes of the assurance as well as changes that have been implemented or will be implemented as a result”. Both can be conducted to either a limited or reasonable degree.

As with internal audit, external assurance of data-based information should be differentiated from process-based information. This is because process-based information plays a more important role thanks to their dominance among the indicators and the purpose of the Reporting Framework in evaluating signatories based on their processes.

Assurers asked by clients to assure their data and/or processes reported in their Transparency Report should use the definitions, examples and, where provided, criteria from the explanatory notes in the Reporting Framework when evaluating their clients’ responses. As the Reporting Framework does not form an RI standard, however, the explanatory notes for some indicators may not provide detailed criteria leaving some room for subjective interpretation by auditors. As and when RI standards evolve, these can facilitate the assurance process further.

Legally required external assurance

Some markets have regulatory requirements on nonfinancial data reporting (e.g. South Africa) and/or operational risk controls auditing of financial service firms. Future developments of current voluntary regulations and expansion of mandatory regulations are expected and could make this more relevant in the future. Signatories are encouraged to check what applies in their country through the PRI regulatory database for further information.

 

Key steps Example of actions 
Consider the value add 
  • Outline the value add of external assurance for your organisation
  • Ensure that the board or other form of highest governing body endorse the assurance engagement
  • Internal audit function will require this every five years as part of IIA’s international standards used to provide assurance of internal controls 
Develop an external assurance plan 
  • Outline the period and milestones of the assurance engagement
  • Outline assurance criteria which forms the basis of the scope to be undertaken by the assurer (key items, boundaries, definitions, references etc.)
Select an external assurer provider 
  • Engage assurers through a competitive procurement process
  • Ensure proper industry qualifications and experience relevant to your report 
The provider executes the assurance engagement 
  • Establish regular meetings with the assurance provider to monitor progress against project timeline and budget
Communication 
  • Discuss the assurance conclusion with your provider - go through feedback to identify future improvements
  • Communicate the outcome of the assurance engagement across the organisation and other stakeholders
  • Develop plan on how to make improvements in the organisation based on the risks found in the assurance outcome 

External assurance of responses to ESG reports

At a glance

  • Prerequisite: internal verification of responses to PRI report
  • Scope: data-based indicators that are key to the organisation, prioritised by the PRI and/or reported to other users such as a regulator. Such information can be assured against PRI criteria as defined in explanatory notes of the Reporting Framework or, if applicable, as per regulatory requirements
  • Benefits: can provide comfort that processes and policies described exist, as well as confirming simpler type of information such as existence of policy documents, disclosure of policies, percentage of votes that were co-filed on a resolution
  • Limitations: only provides assurance that information reported is correct, not that the investor is responsible
  • Assurance level: limited level at first which gradually increases to reasonable assurance for most significant items.
  • Applicable assurance standards: ISAE 3000, AA1000 AS
  • Frequency: yearly: for data that affect whether a signatory will trigger some other indicators . two-three years: e.g. policies, disclosure of policies and results of engagements

A detailed review of existing non-financial assurance standards is covered by the Audit and Assurance Faculty in 2008. This expands on different type of non-financial reports such as what is found in annual reports or corporate responsibility reports. Assurance standards specific to investors’ RI reports fell within the “other types of reports” and focused on ISAE 3000. Another applicable assurance standard of ESG reporting is the Accountability AA 1000 assurance standard.

As metrics-based information is specific to the reporting year, assurance of some of the data would be yearly. The data capturing system would also be audited at an interval of every three-five years or as and when there are significant changes to the standard or the system itself.

Reporting and management standards

While assurers use assurance standards to conduct a thirdparty independent assurance, signatories can facilitate this process by using ESG reporting standards to produce their ESG reports, and relevant management standards that cover their RI processes. The table below provides ESG reporting and management standards that may be of interest to signatories.

Examples of reporting and management standards for ESG information

Standards used for third-party assurance of Transparency Reports

Findings: external assurance among signatories

11% of signatories reported that they conducted third-party assurance or internal audit of their 2016 and/or 2017 Transparency Report, or would do so for their 2017 responses. In most cases this applied to selected responses rather than the whole report. To a degree, this is expected as PRI reports include financial data, which are assured in most countries as part of regulation to publish annual accounts. Signatories assured at different levels (limited and reasonable) and used a variety of standards, with ISAE 3000 being the most widely-used non-financial one.

Variations in uptake of this practice due to the different organisation sizes were small Among both asset owners and investment managers, this ranged from 6% to 15%, with the highest uptake observed among the largest ones. Regional variations were more notable. European and African asset owners were more likely to report doing so (15% and 25% respectively) than Oceanian and Latin American ones (<5%). Among managers, this ranged from 12% for Europeans to 6% and 7% for American and Oceanian ones respectively. Uptake among Latin American managers was particularly high (20%). This could be driven by increased scrutiny from clients due to lower level of trusts. Alternatively, it could reflect the advanced practices of the small number of PRI signatories in that region compared to the more diverse base in Europe and North America.

 

Third-party assurance among PRI signatories

Download the full report

  • Download report

    Introducing confidence-building measures to PRI signatories

    April 2018

Prioritised indicators for third-party assurance

Below, the PRI has identified the most important databased indicators from the 2018 Reporting Framework that signatories who seek external assurance should focus on. They include metrics-based ones that change on a yearly basis, and descriptive ones that provide details on a signatory’s strategy and approach to RI. The AWG recommends the frequency of assurance should generally reflect how frequently the information changes. As such, descriptive indicators can be assured every two-three years instead of every year.

Organisational overview

  • asset volume (OO 4.2)

  • asset class allocation (OO 5.1, 5.2, 7.1, 7.2)

  • breakdown of externally managed assets in segregated mandates and pooled funds (OO 8.1)

  • implementation of active ownership activities in listed assets (OO 10.1)

  • implementation of ESG incorporation activities in all assets (OO 11.1 and OO 11.2)

  • breakdown of listed assets in active and passive investments (OO LEI 1.1, OO FI 1.1, OO SAM 1.1)

  • asset-class characteristics (e.g. OO PR 1.1, OO PE 1.1)

Strategy and governance

  • existence of RI approach/policy and if publicly available (SG 1.1, 2.1 and 2.3)

  • disclosure of asset class specific RI information to clients and public (SG 19.1)

  • objective setting (SG 5.1, 5.2, 6.1)

  • ESG trends inclusion in scenario analysis (SG 13.1)

  • asset allocation to environmental and social themed areas (SG 15.2, 15.3)

ESG incorporation and active ownershp of listed and non-listed assets

  • AUM covered by different ESG incorporation strategies (FI 1.1, LEI 1.1, PE 1.1, PR 2.1, INF 2.1)

  • ESG incorporation in passively managed listed equities (LEI 11.2)

  • policies for each ESG incorporation strategy per specific asset

  • engagement policy and data (LEA: 1.1, 11.1)

  • voting policy and data (LEA 15.1, LEA 21.1, 23.1-23.4, SAM 7.1)

 

ESG portfolio characteristics of listed and non-listed assets

 

  • thematic bonds (FI 8.1)

  • private equity assets (PE 2.1, 3.1, 3.2, 5.1, 6.1, 8.1. 8.2, 9.1,

    9.2, 13.1, 16.1,17.1)

  • property assets (PR 9.1, 10.1, 11.1, 12.1, 13.1)

  • infrastructure assets (e.g. INF 3.1, 8.1, 10.1, 12.1, 15.1, 16.1)

Findings: data assured among signatories

  • Organisational overview: most of it, e.g. all financial data (assets under management) and other operational data (e.g. staff numbers)
  • Strategy and governance: most of it e.g. policy and governance processes
  • Active ownership: engagement and voting figures and policies.
  • Incorporation strategies: processes and for screening exclusion list
  • Externally-managed assets: appointment, monitoring

External assurance of controls related to ESG processes

At a glance

  • Prerequisite: system of internal controls established and audited by internal audit function
  • Scope: RI specific processes should be assured at high/reasonable level when conducted for providing confidence to external stakeholders such as the PRI, limited level acceptable for internal purpose
  • Benefits: highest form of impartial assurance, guidance on best practices
  • Challenges: time and financial resources, limited to very specific processes
  • Frequency: every two-three years for ESG processes considered the most material based on internal audit function own fs risk assessment and PRI recommendations.
  • Examples of standards: ISAE 3402/SSAE 18/ AF01/06 (country dependent)

Standards available

There are a limited number of assurance standards for the review of ESG processes. Most of the standards reported are used for assuring either financial or non-financial data which investors would include either in the PRI reports, annual report or other sustainability reports (e.g. SASB or GRI report). At the time of writing, the most widely used standard applicable to ESG processes is ISAE 3402 (which overlaps with SSAE 18) for service organisations. Asset owners can request this from their managers or service providers.

Other theme-specific assurance standards are starting to emerge, such as ISAE 3410 on climate change. Along with developments in assurance standards, progress in responsible investment management standards adapted from ISO 9001 can help signatories structure their RI processes as part of their core management systems and facilitate third-party independent assurance.

In 2019, the IIASB is also planning to release a guide for assurers on applying the ISAE 3000 standard, mentioned in the previous section as the main standard applicable for data-based information. This guide will address key challenges, including some particularly pertinent to the PRI Transparency Report:

  • assertion of subject matter information;
  • assurance of qualitative information;
  • evaluation the maturing of controls and reporting systems;
  • competence expected of accountants.
Assurance standard type Examples of standards 
Internal controls of service organisations  ISAE 3402, SSAE 18, AT 101, AAF 01/06 (ICAEW), IIA’s international standards and IPPF
Climate-specific  

ISAE 3410 or national equivalent (assurance engagements on greenhouse gas statements)

Findings: assurance standards used among signatories

Among the wide range of standards listed by signatories, ISAE 3000 was the most common one specific to non-financial information. (Inter)national accounting standards were common too as they are used to assure annual reports. Few reported assurance standards specific to internal controls for service organisations. Many signatories understood this question to refer to management standards such as ISO 14001 and ISO 9001 against which they had received certification.

Prioritised process-based indicators for internal audit/external assurance

As good practice, the AWG recommends that signatories should assure RI processes every three-five years or sooner if these have changed to demonstrate that these are implemented as described. However, the AWG recognises that it is not practical or effective to assure all processes. Instead, the AWG recommends that signatories start with fundamental processes the PRI identifies as the most important to provide confidence that the signatory implements the Principles along with the processes most material to the signatory. In many ways, this should mirror the logical structure of the Reporting Framework. This is split into modules pertinent to all signatories (organisational overview, strategy and governance) and modules that are driven by asset allocation, management style and ESG incorporation/active ownership practices. The PRI has identified key processes and their corresponding indicators for internal audit/external assurance in the tables below.

These are grouped into:

  • overarching strategy and governance (applicable to all assets)
  • active ownership processes in directly managed assets
  • ESG incorporation in directly managed assets
  • ESG processes in directly non-listed assets
  • ESG processes for indirectly managed assets 

Prioritised strategy and governance processes for internal audit external assurance of related internal controls

Prioritised strategy and governance processes for internal audit/external assurance of related internal controls and corresponding indicators

Prioritised active ownership processes for internal audit/external assurance of related internal controls for directly managed assets

Prioritised active ownership processes for internal audit/external assurance of related internal controls for directly managed listed assets and corresponding indicators

Prioritised ESG incorporation processes for internal audit/external assurance of related internal controls for directly managed listed assets and corresponding module indicators

Prioritised ESG incorporation processes for internal audit/external assurance of related internal controls for directly managed listed assets and corresponding module indicators

Prioritised RI processes for internal audit/external assurance of related internal controls for directly managed non-listed assets and corresponding module indicators

Prioritised RI processes for internal audit/external assurance of related internal controls for directly managed non-listed assets and corresponding module indicators

Prioritised RI processes for internal audit/external assurance of related internal controls for indirectly managed assets and corresponding module indicators

Prioritised RI processes for internal audit/external assurance of related internal controls for indirectly managed assets and corresponding module indicators

Providing assurance of internal controls of an asset owner or manager through their manager's or service provider's ISAE 3402 assurance reports

Providing assurance of internal controls of an asset owner or manager through their manager’s or service provider’s ISAE 3402 assurance reports