Chapter 5

External Assurances

External assurances can be provided for environmental management systems (EMS) and sustainability reports. These assurances provide a measure of credibility from an independent third party. An EMS can be certified to provide assurance that it meets international standards (e.g., ISO 14001) for identifying environmental impacts, improving environmental performance, and implementing a systematic approach to environmental management. Third-party certification bodies are usually involved in this assurance process. Sustainability reports can be examined for quality of performance and content of the reports.

It is no surprise that the accounting profession is involved in providing assurance for sustainability reports. The profession offers a variety of attestation services. These attestation engagements include agreed-upon procedures, examinations of nonfinancial information, and reviews and audits of financial reports. Users of financial reports (interim and annual) are familiar with assurances provided by a review or audit opinion issued by certified public accountants. A review is performed when limited assurance is needed and is much narrower in scope than an audit. The purpose of an audit of financial statements is to examine management’s assertions that the financial statements are fairly presented in accordance with Generally Accepted Accounting Principles (GAAP). In the audit process, the financial statements are tested for compliance with GAAP, an established set of criteria. To test these assertions, auditors conduct their examination in accordance with the accounting profession’s Generally Accepted Auditing Standards (GAAS). Audits provide the highest level of assurance for financial statements. The final product is an opinion on the fair presentation of the financial statements. The audit report describes the scope of the work done and the conclusion. The auditing process for financial statements is well established and consistently applied across companies.

Assurances for Sustainability Reports

Assurances for sustainability reports have not reached the same level of consistency across all organizations as that for financial statements of publicly traded companies. The Global Reporting Initiative (GRI) supports the use of internal and external approaches to bolster the credibility of sustainability reports. Internal auditing and controls can provide some degree of assurance about the quality of the information being produced. Because internal methods are not sufficient, external assurance can be obtained from professional assurance providers, stakeholder panels, and other external parties. Professional firms include major accountancy firms (e.g., Deloitte, PricewaterhouseCoopers, KPMG), certification bodies (e.g., ABS Quality Evaluations Inc., Bureau Veritas Certification), and technical expert firms. In 2008, 80% of the 250 largest global companies (Global 250 [G250]) issued a sustainability report, and 70% of these companies engaged major accountancy firms to provide external assurance of their reports.1 Regardless of whether internal or external methods are used, the GRI recommends that competent individuals or groups perform the evaluation. Professional standards or other systematic methods that provide evidence can be used. The GRI defines external assurance as a report on the quality of the sustainability report being reviewed and information in the report. The expectation is that the conclusions of an assurance evaluation are to be published. The GRI makes a distinction between external assurance and compliance assessments (or performance certifications). The latter is an assessment of the level of performance.

The GRI specifies important attributes for external assurance of reports that are constructed under the GRI Reporting Framework. First, external groups or individuals conducting the assurance should be properly trained in assurance procedures and knowledgeable of the matter being assessed. Second, the assurance procedures should be defined, documented, and based on evidence. Third, the report should consider the reasonableness and fairness of the organization’s performance. This includes correctness of the data as well as an overall evaluation of the content. Fourth, assurance providers should be in a position of independence from the organization. Relationships with the organization should be ones that do not preclude the assurance providers from rendering an independent and impartial conclusion. Fifth, the report should state the degree to which the report has applied the GRI Reporting Framework with regard to the conclusions of the report. The final attribute is that a written opinion or conclusion be available to the public with an assertion about the organization’s relationship to the assurance provider.

Assurance Standards

The assurance of sustainability reports is still evolving. There are several standards available with which to conduct examinations. AA1000 Assurance Standard (AA1000AS; 2008) and International Standards on Assurance Engagements (ISAE) 3000 are two that can be used. AA1000AS (2008) is an international standard that addresses the requirements for performing sustainability assurance with a focus on the organization’s responsiveness and future performance. The standard covers using the standard, accepting an assurance engagement, and performing the assurance engagement in accordance with the standard. Its key feature is that it requires the assurance provider to give assurance on the extent and type of adherence to the three AA1000 AccountAbility Principles Standard (AA1000APS) 2008.2 These principles are the Foundation Principle of Inclusivity, the Principle of Materiality, and the Principle of Responsiveness. The Foundation Principle of Inclusivity involves including stakeholders in developing a strategy for sustainable development. The Principle of Materiality is for determining the important issues for an organization and its stakeholders. The Principle of Responsiveness is how the organization responds to the important issues that pertain to sustainability performance. AA1000AS (2008) focuses on the significant interests of the stakeholders. A key factor in providing assurance is finding omissions or misrepresentations in the report as a whole that could affect the behavior of intended users of the report.

ISAE 3000 provides principles and procedures for all assurance engagements other than audits or reviews of historical financial information covered by the International Standard on Auditing (ISA) and International Standard on Review Engagements (ISRE). The International Auditing and Assurance Standards Board (IAASB) issued ISAE 3000. IAASB is an independent standard-setting body that operates under the auspices of the International Federation of Accountants (IFAC). ISAE 3000 provides an assurance approach and procedures such that the engagement can be conducted in compliance with professional assurance standards and codes of conduct. Under the ISAE 3000 standard, assurance engagements can be conducted for (a) environmental, social, and sustainability reports; (b) information systems, internal control, and corporate governance processes; and (c) compliance with grant conditions, contracts, and regulations. ISAE 3000 provides guidance on evaluating ethical requirements, quality control, engagement acceptance, planning, work of an expert, obtaining evidence, documentation, and preparing the assurance report.

ISAE 3000 and AA1000AS (2008) have been developed through consultation processes but are different in their approaches. ISAE 3000 is based on standards similar to those for audits of financial statements, while AA1000AS (2008) is based on consultation with a broader group—professions, the business community, and stakeholders. These two standards provide different assurance approaches and may have left assurance providers confused about the ultimate impact of each approach on the users of the reports. A recent study concluded that both standards could be applied together in an assurance process because they are technically complementary and have no major methodological conflicts.3

International Organization for Standardization (ISO) Standard 14001—Environmental Management Systems

In addition to having its sustainability report evaluated, an organization can have the environmental dimension of its operations assessed for performance quality. For example, environmental management systems can be certified in accordance with international standards by certification bodies. ISO 14001, the international standard for environmental management systems (EMS), is becoming increasingly popular among organizations that want to exert more control over their environmental impacts. ISO 14001 was designed to help an organization identify, evaluate, and continually improve its products, services, and activities that affect the environment. In effect, it helps with the implementation of an EMS and allows for an EMS to be certified by an outside party. The standard was initially issued in 1996, and it was revised in 2004. There are other standards in the environmental series that are guidelines to address the development and implementation of environmental management systems, audit program review and assessment material, labeling issues, performance targets and monitoring, and life cycle issues. ISO 14001 is the only one in the series that can be certified.

The Benefits of ISO 14001

The ISO 14001 certification demonstrates that an organization has met an international standard for establishing and maintaining its EMS. This provides an organization with a systematic approach to monitor its resource and energy usage so it can reduce its waste. A reduction in waste can reduce costs. Another benefit is a systemized approach to legal compliance. Such an approach can prevent legal costs and fines if environmental damage is averted. In addition, a certified EMS enables an organization to be equipped to address stakeholders’ demands for better environmental performance. It allows the organization to demonstrate its efforts to lessen its impact on the environment and to publicly advertise its certification.

ISO 14001 is intended to be flexible so that many organizations can use the standard. For example, an organization sets its own goals. This allows organizations of all sizes and types to use the standard. ISO 14001 also allows that different organizations will have different purposes. The standard requires an organization’s environmental policy to comply with legal requirements and to be committed to pollution prevention and continual improvement. In addition, the standard facilitates the creation of an EMS that can be subjected to an objective audit.

The Components of an EMS Under ISO 14001

There are six components to an EMS under ISO 14001.4 These are general requirements, environmental policy, planning, implementation and operation, checking and corrective action, and management review. The general requirements involve establishing and maintaining the system in accordance with the standard. This encompasses implementation, documentation, and continual improvement of the system.

Policy

In setting its environmental policy, top management should be directly involved by committing to compliance with environmental laws and to continual improvement. The policy should be the foundation for objectives and goals. A written policy is necessary so that both external and internal groups can review it. To keep the policy current with the organization’s environmental status, it should be reviewed periodically. In order for the policy to be beneficial to the organization, it should be distributed to employees and contractors along with being made available to the public.

Planning

Planning needs to be done for all the environmental aspects of an organization’s activities (past, current, and future). An examination of inputs and outputs of proposed, current, and past products and services is relevant to determining how an organization interacts with the environment. Examples of interactions are air emission, waste and by-products, and use of raw materials. The effects of packaging and transportation of products also should be considered. The planning component involves setting up a system that identifies and updates environmental laws that are applicable to the organization. Environmental goals and targets should be set in the environmental policy and need to be documented. Methods, timeframes, and levels of responsibility for these goals need to be specified.

Implementation and Operation

The implementation of an EMS involves many aspects. Typically, financial, human, and organizational infrastructure are the resources needed for a successful system. Top management’s support is important here because it is responsible for providing the resources to establish and maintain the EMS. In addition to resources, it is essential to communicate to employees what their roles, responsibilities, and levels of authority will be. To provide for a consistent implementation, this information should be documented. Responsibility for the system should be given to a key employee, but top management should stay involved with the system by reviewing it regularly. Implementation should involve identifying employees who could cause material environmental impact in the course of their work. Training these employees to handle their work carefully is a crucial step. In addition, all employees need to be apprised of the consequences of not conforming to the policy.

The successful operation of an EMS is dependent on many things. Internal and external communications are important aspects of the EMS. Internal communications need to be formalized so that information can be communicated across various levels of the organization. In addition, a policy for communications from and to external parties should be determined and documented. Public relations can be critical to safe handling of environmental problems.

ISO 14001 requires that the organization document many aspects of its EMS. This includes documenting its environmental policy, goals, and targets; boundaries of the EMS; main components of the EMS; and interactions of the system. The organization must take control of EMS documents. This relates to how specific documents are approved, changed, and stored. As part of its operational controls, an organization should connect its environmental policy to its activities that have significant environmental impacts. Plans and procedures for controlling operations that deviate from policy should be established along with plans and procedures for emergencies. Emergency preparedness and response should be adapted to what could happen at the organization’s facilities. Testing for emergency preparedness should be done periodically.

Checking

How well an organization is managing its environmental impacts can be evaluated by collecting data. This data can be compared to standards or targets. Not only should the organization meet its targets, but it should also demonstrate that it has complied with legal requirements. The organization should have procedures that deal with nonconformity. In addition, procedures for access to these records and identification of users should be created. Procedures for internal audits should be created.

Management Review

Management review is a necessary component of the ISO 14001 standard. Top management should review the environmental management system at specific intervals. This review should include an examination of audit results, external communications, environmental performance, performance reports, corrective and preventive actions, and recommendations.

How Many Organizations Are ISO 14001 Certified?

ISO 14001 was published in 1996, and since then the number of companies acquiring third-party certification has increased steadily. By the end of 2007, there were approximately 154,572 certifications from 148 countries.5 The 10 countries with the most certifications at the end of 2007 are shown in Table 5.1.
