Readiness is useful in advance of assurance of Sustainability reporting or disclosures to SEC or capital markets, in advance of other reporting required by regulations, or other public reporting or disclosures of Sustainability information.
Yes, assurance/audit readiness helps companies achieve greater success if their greenhouse gas (GHG) emissions inventories will be audited. This is the “metrics” piece of the familiar “Governance/Strategy/Risk/Metrics and Targets” that is common for climate-related regulations and disclosures. These headings appear in the SEC final climate disclosure rule, as well as California’s climate disclosure laws. This grouping of disclosure topics really took off with publication of TCFD (Task Force on Climate-related Financial Disclosures) guidelines in 2017.
Yes, readiness can help organizations feel more confident about their qualitative disclosures. In general, Sustainability reporting includes more qualitative content than financial reporting – as well as retrospective and prospective content. [These are two of the three aspects described in DHC’s “Three Attributes of Sustainability Reporting …” white paper, which was referenced in COSO’s ICSR supplemental guidance.] Users must be able to trust descriptions, claims and assertions in narrative disclosures.
I’m not a CPA, and there are many answers on the internet. There are distinctions between data and narrative, backwards-looking and comfort for forward-looking. From where I sit, accounting firms and Internal Audit tend to use “assurance”. Technical and management auditors (ISO, environmental compliance, etc.) do not. If you are entertaining proposals for firms to review your Sustainability reporting, ask them to explain the difference. In plain English, and in five sentences or less. Let me know how that goes.
DHC is not an accounting firm. Mr. Hileman worked at a Big 4 firm for six years, beginning just at the outset of Sarbanes-Oxley. He supported [CPA] audit partners and teams for financial audits, internal audits, agreed-upon procedures, and other reviews. Mr. Hileman led audits pursuant to an SEC consent decree, and a readiness exercise for a client seeking to exit another consent decree.
Yes. Mr. Hileman supported dozens of financial audit procedures, reviewing processes, systems, and internal controls for estimating contingent environmental liabilities. He also evaluated the reasonableness of the estimates themselves, and whether the amount in reserves was sufficient. This effort involved planning, risk assessment, detailed procedures, applying both technical and business knowledge – and always some degree of judgment. This experience from six annual audit cycles helps me hold my own with accounting firms.
Again – yes. DHC has experience in ISO management systems, including readiness for one high-profile certification audit mandated by a consent decree. The VW Monitorship effort involved oversight of another ISO 14001 audit as a provision of settlement with the U.S. Department of Justice. ISO systems are processes. DHC also has experience with garden-variety compliance audits for environmental, safety, contractor management, insurance reviews, and others. What are the criteria, and can you demonstrate that you meet them?
You’ll see “limited assurance” and “reasonable assurance.” The accounting firms (and Google) can explain; my “lay” (non-CPA) oversimplification: With limited assurance (sometimes referred to as “negative assurance”), you end up with something like this: “Nothing came to our attention that was materially deficient.” In other words, we looked, we didn’t find anything massively wrong. With reasonable assurance: “We performed procedures and have comfort that things conform in all material respects ….” In other words, we looked, we may have found some gaps – but we didn’t determine that any of them were ‘material’. If they did identify material weaknesses, these may be called out in the assurance report. Note: Internal Audit also uses “assurance.” The IIA published new Global Internal Audit Standards, effective January 1, 2024. Definitions may not be identical. These insights may be a good starting point, but don’t take it from DHC: as you consider Sustainability assurance providers, ask them to explain it. In plain English, please.
No. There are too many variables to write a recipe. The drivers of assurance vary, as does the level of desired assurance, scope, criteria, method for performing the audit, and the output. Auditors call many of the shots, and are free to use professional judgment to gain comfort that they have sufficient data and information to reach conclusions. None of this is predictable in advance, but with a sense of how it works, auditees can rise to the challenge.
COSO is the most important organization you’ve never heard of. Perhaps you (or parents?) remember Lincoln Savings & Loan, Charles Keating, and the collapse of this segment of the economy in 1988-89. Taxpayers shelled out $3.4 billion. Many parties were astonished that there was no common framework for what would constitute a well-run organization. COSO stands for “Committee of Sponsoring Organizations”. They released the Internal Controls Integrated Framework (ICIF) in 1992 as [optional] principles-based guidance. Only a decade later, Enron and WorldCom outraged the government (and capital markets) again. Congress passed Sarbanes-Oxley, which required internal controls over financial reporting (ICFR), and that these be subject to the financial audit. What does ICFR look like? COSO’s ICIF had been there for the taking all along. Although not required by statute, the COSO ICIF became the de facto model for all ICFR. There’s much more at www.coso.org.
COSO’s ICIF provided a principles-based model for compliance, reporting and operations. The ICIF was always “reporting agnostic” – it didn’t matter whether financial or non-financial, external or internal, or whatever. If you wanted to control “reporting”, here is your framework. There has been a groundswell in Sustainability reporting. There has been a concurrent chorus demanding that the information in the reports is accurate, and decision-useful. Gee, what would that look like? COSO’s ICIF was there for the taking, but stakeholders didn’t know how to apply it. In 2002, the COSO Board authorized supplemental guidance. COSO’s “Achieving Effective Internal Controls over Sustainability Reporting (ICSR)” was released to wide acclaim in 2023. Douglas Hileman is an author – one of only six, and the only non-CPA on the author team.
They both require assurance. The requirements begin with limited assurance and graduate to reasonable assurance over time. Yes, assurance readiness can help you here.
Some people can get a 1600 on the SAT, an 850 FICO score, or a perfect 10 at the Olympics. Nothing is guaranteed. Assurance doesn’t usually result in “pass” or “fail”. The assurance provider may identify “material weaknesses”. They may identify other weaknesses, gaps, and opportunities for improvement. With effort on readiness, an auditee can reduce the likelihood of a material weakness. The auditee can steer the assurance provider away from topics that are out of scope.
As much as you’ve got. A COSO ICSR workshop can pay significant dividends if taken early. Pilot walkthroughs can help companies re-think their processes and controls, and apply these to priority topics.
Designate a primary point of contact for all aspects of the assurance engagement for Sustainability reporting. Then engage a resource to get ready.