External assurance of signatories' reports

It is also used by service organisations to demonstrate to their clients the implementation of operational risk controls over outsourced financial services. For PRI signatories, external assurance of ESG information provides the highest form of confidence that the reported information is reliable and relevant. As such, signatories would obtain third-party assurance over their RI processes/ESG information to provide stakeholders, e.g. plan beneficiaries, with credible information, demonstrate leadership and differentiate themselves from their peers. In addition, investment managers and fund of funds would obtain third-party assurance to provide their clients with the confidence that submitted information can be used to make decisions, for example, as part of requests for proposals or due diligence questionnaires.

Key components 

In a standard definition, assurance should:

• be conducted by someone not involved in preparing the subject matter;
• have pre-defined criteria to evaluate the subject matter against;
• use an appropriate standard;
• result in a written conclusion, stating a level of confidence that the intended audience can have in the data or process.

Limited vs reasonable level of assurance

External assurance can be provided at either a reasonable or limited level. A reasonable level would provide a higher level of comfort over the reliability of the information, similar to a financial statement audit. This aims to result in a positive opinion that the information in the report is correct. A limited level of assurance engagement, which is less detailed, results in a negative statement by the assurance provider and could be adequate for the yearly assurance of ESG data-based information.

Although reasonable assurance is more resource intensive, it would allow for the review of the internal controls for which the assurer can then provide the following positive statement: “the processes are effective at meeting the desired outcome”. Finally, signatories can benefit from best practices external assurers can provide as identified from their line of work with many other clients.

Data vs process assurance

The PRI Reporting Framework consists of data and process-based questions. Data questions are specific to the reporting year, while processes will typically remain the same for several years. In the following sections, thirdparty independent assurance is split into data assurance and process assurance. As per the PRI’s 2016 paper on assurance, the relevance of process assurance should be substantiated by relating it to specific PRI framework indicators, as well as clearly defining “outcomes of the assurance as well as changes that have been implemented or will be implemented as a result”. Both can be conducted to either a limited or reasonable degree.

As with internal audit, external assurance of data-based information should be differentiated from process-based information. This is because process-based information plays a more important role thanks to their dominance among the indicators and the purpose of the Reporting Framework in evaluating signatories based on their processes.

Assurers asked by clients to assure their data and/or processes reported in their Transparency Report should use the definitions, examples and, where provided, criteria from the explanatory notes in the Reporting Framework when evaluating their clients’ responses. As the Reporting Framework does not form an RI standard, however, the explanatory notes for some indicators may not provide detailed criteria leaving some room for subjective interpretation by auditors. As and when RI standards evolve, these can facilitate the assurance process further.

Legally required external assurance

Some markets have regulatory requirements on nonfinancial data reporting (e.g. South Africa) and/or operational risk controls auditing of financial service firms. Future developments of current voluntary regulations and expansion of mandatory regulations are expected and could make this more relevant in the future. Signatories are encouraged to check what applies in their country through the PRI regulatory database for further information.

 

Key steps	Example of actions
Consider the value add	Outline the value add of external assurance for your organisation Ensure that the board or other form of highest governing body endorse the assurance engagement Internal audit function will require this every five years as part of IIA’s international standards used to provide assurance of internal controls
Develop an external assurance plan	Outline the period and milestones of the assurance engagement Outline assurance criteria which forms the basis of the scope to be undertaken by the assurer (key items, boundaries, definitions, references etc.)
Select an external assurer provider	Engage assurers through a competitive procurement process Ensure proper industry qualifications and experience relevant to your report
The provider executes the assurance engagement	Establish regular meetings with the assurance provider to monitor progress against project timeline and budget
Communication	Discuss the assurance conclusion with your provider - go through feedback to identify future improvements Communicate the outcome of the assurance engagement across the organisation and other stakeholders Develop plan on how to make improvements in the organisation based on the risks found in the assurance outcome

External assurance of responses to ESG reports

A detailed review of existing non-financial assurance standards is covered by the Audit and Assurance Faculty in 2008. This expands on different type of non-financial reports such as what is found in annual reports or corporate responsibility reports. Assurance standards specific to investors’ RI reports fell within the “other types of reports” and focused on ISAE 3000. Another applicable assurance standard of ESG reporting is the Accountability AA 1000 assurance standard.

As metrics-based information is specific to the reporting year, assurance of some of the data would be yearly. The data capturing system would also be audited at an interval of every three-five years or as and when there are significant changes to the standard or the system itself.

Reporting and management standards

While assurers use assurance standards to conduct a thirdparty independent assurance, signatories can facilitate this process by using ESG reporting standards to produce their ESG reports, and relevant management standards that cover their RI processes. The table below provides ESG reporting and management standards that may be of interest to signatories.

 

Download the full report

• 

  Introducing confidence-building measures to PRI signatories

  April 2018

Prioritised indicators for third-party assurance

Below, the PRI has identified the most important databased indicators from the 2018 Reporting Framework that signatories who seek external assurance should focus on. They include metrics-based ones that change on a yearly basis, and descriptive ones that provide details on a signatory’s strategy and approach to RI. The AWG recommends the frequency of assurance should generally reflect how frequently the information changes. As such, descriptive indicators can be assured every two-three years instead of every year.

Organisational overview

• asset volume (OO 4.2)

• asset class allocation (OO 5.1, 5.2, 7.1, 7.2)

• breakdown of externally managed assets in segregated mandates and pooled funds (OO 8.1)

• implementation of active ownership activities in listed assets (OO 10.1)

• implementation of ESG incorporation activities in all assets (OO 11.1 and OO 11.2)

• breakdown of listed assets in active and passive investments (OO LEI 1.1, OO FI 1.1, OO SAM 1.1)

• asset-class characteristics (e.g. OO PR 1.1, OO PE 1.1)

Strategy and governance

• existence of RI approach/policy and if publicly available (SG 1.1, 2.1 and 2.3)

• disclosure of asset class specific RI information to clients and public (SG 19.1)

• objective setting (SG 5.1, 5.2, 6.1)

• ESG trends inclusion in scenario analysis (SG 13.1)

• asset allocation to environmental and social themed areas (SG 15.2, 15.3)

ESG incorporation and active ownershp of listed and non-listed assets

• AUM covered by different ESG incorporation strategies (FI 1.1, LEI 1.1, PE 1.1, PR 2.1, INF 2.1)

• ESG incorporation in passively managed listed equities (LEI 11.2)

• policies for each ESG incorporation strategy per specific asset

• engagement policy and data (LEA: 1.1, 11.1)

• voting policy and data (LEA 15.1, LEA 21.1, 23.1-23.4, SAM 7.1)

 

ESG portfolio characteristics of listed and non-listed assets

 

• thematic bonds (FI 8.1)

• private equity assets (PE 2.1, 3.1, 3.2, 5.1, 6.1, 8.1. 8.2, 9.1,

  9.2, 13.1, 16.1,17.1)

• property assets (PR 9.1, 10.1, 11.1, 12.1, 13.1)

• infrastructure assets (e.g. INF 3.1, 8.1, 10.1, 12.1, 15.1, 16.1)

External assurance of controls related to ESG processes

Standards available

There are a limited number of assurance standards for the review of ESG processes. Most of the standards reported are used for assuring either financial or non-financial data which investors would include either in the PRI reports, annual report or other sustainability reports (e.g. SASB or GRI report). At the time of writing, the most widely used standard applicable to ESG processes is ISAE 3402 (which overlaps with SSAE 18) for service organisations. Asset owners can request this from their managers or service providers.

Other theme-specific assurance standards are starting to emerge, such as ISAE 3410 on climate change. Along with developments in assurance standards, progress in responsible investment management standards adapted from ISO 9001 can help signatories structure their RI processes as part of their core management systems and facilitate third-party independent assurance.

In 2019, the IIASB is also planning to release a guide for assurers on applying the ISAE 3000 standard, mentioned in the previous section as the main standard applicable for data-based information. This guide will address key challenges, including some particularly pertinent to the PRI Transparency Report:

• assertion of subject matter information;
• assurance of qualitative information;
• evaluation the maturing of controls and reporting systems;
• competence expected of accountants.

Assurance standard type	Examples of standards
Internal controls of service organisations	ISAE 3402, SSAE 18, AT 101, AAF 01/06 (ICAEW), IIA’s international standards and IPPF
Climate-specific	ISAE 3410 or national equivalent (assurance engagements on greenhouse gas statements)

Prioritised process-based indicators for internal audit/external assurance

As good practice, the AWG recommends that signatories should assure RI processes every three-five years or sooner if these have changed to demonstrate that these are implemented as described. However, the AWG recognises that it is not practical or effective to assure all processes. Instead, the AWG recommends that signatories start with fundamental processes the PRI identifies as the most important to provide confidence that the signatory implements the Principles along with the processes most material to the signatory. In many ways, this should mirror the logical structure of the Reporting Framework. This is split into modules pertinent to all signatories (organisational overview, strategy and governance) and modules that are driven by asset allocation, management style and ESG incorporation/active ownership practices. The PRI has identified key processes and their corresponding indicators for internal audit/external assurance in the tables below.

These are grouped into:

• overarching strategy and governance (applicable to all assets)
• active ownership processes in directly managed assets
• ESG incorporation in directly managed assets
• ESG processes in directly non-listed assets
• ESG processes for indirectly managed assets