AA1000 AS Guidance for Assurance Practitioners

From AccountAbility AA1000 Wiki

AA1000 AS Guidance


A. Guidance for Assurance Practitioners

A.1 Conducting Sustainability Assurance

A.1.1. Scope of the engagement

Two types of sustainability assurance shall be deemed to be in accordance with the AA1000 Assurance Standard (2008).


Type 1. Evaluation of Adherence to the AccountAbility Principles.


Type 2. Evaluation of Adherence to the AccountAbility Principles plus Evaluation of Adherence to the Quality of Information Principles.


Interrelationship between Type 1. and Type 2



[What additional guidance is needed?]

A.1.2. Intended audience

[What additional guidance is needed?]

A.1.3. Report boundary

[What additional guidance is needed?]

A.1.4. Disclosures covered

The assurance engagement shall identify all disclosures (e.g. reports and other forms of communication) covered by the engagement.


[What additional guidance is needed?]

A.1.5. Level of assurance

The assurance engagement agreement shall define the anticipated level of assurance.


There shall be two levels of assurance: moderate and high.

A high level of assurance requires:


A moderate level of assurance requires:


For those required to use ISAE 3000 a high level of assurance relates to reasonable assurance and a moderate level of assurance relates to limited assurance.

The ISAE 3000 terms may be used where required as long as the basic requirements of AA1000 Assurance Standard (2008) are met and the reference to use of ISAE 3000 is explicit.

[What additional guidance is needed?]

A.1.6. Limitations

[What additional guidance is needed?]

A.1.7. Engagement acceptance

A.1.7.1. Independence

The Assurance Provider shall be demonstrably independent from the Reporting Organisation and its stakeholders. The assurance approach and the contract shall not dilute or unduly influence the ability of the assurance provider to fulfill its duties to the reporting organisation and its stakeholders. The assurance provider shall make a public statement of independence. Independence requires:

• Freedom from conflict of interest

• Disclosure of recent, ongoing or potential financial or commercial relationships between the assurance provider (including all individual practitioners on the assurance team) and the reporting organisation and its stakeholders.

• Governance arrangements or ownership

• Citation of any mechanisms or professional codes of practice designed to ensure independence to which the provider and practitioners are signatory.

A.1.7.2. Competence

Assurance practitioners, providers and the reporting organisation shall ensure that the individuals and organisations involved in an assurance engagement are demonstrably competent. The assurance provider shall be prepared, upon request by the reporting organisation, to make information available to interested stakeholders about the competencies of the individuals involved in the assurance engagement.

A.1.7.2.1. Individual practitioner competence

The assurance provider shall ensure that the individual assurance practitioners involved in the assurance engagement are demonstrably competent. Competencies shall be demonstrated in the following areas:

• Stakeholder engagement

• Assurance and audit practices

• Sustainability subject matter

A.1.7.2.2. Organisational provider competence

The assurance providers shall be able to demonstrate adequate institutional competencies. Competencies shall include:

• Assurance oversight mechanism

• Understanding of the legal aspects of the assurance process

• Infrastructure and systems to ensure quality delivery of assurance

Assurance providers shall be able to demonstrate that they have adequate indemnity insurance in place.

A.1.7.3. Due care

Assurance providers shall exercise care in accordance with the importance of the task, the competencies required and the confidence placed in them by the users of their assurance statement.


A.1.7.4. Reporting criteria and evidence

Before accepting an engagement, the assurance provider shall be satisfied that it is reasonable to assume that the reporting criteria used by the reporting organisation are suitable (fit for purpose) and that sufficient evidence is available. Suitable criteria are those that

• Have been developed by an independent peer reviewed or multi-stakeholder process

• Are supported by sound argument and evidence

• Are publicly available

A.1.7.5. Requirements of AA1000AS (2008)

Before accepting an engagement the assurance provider shall be satisfied that the requirements of AA1000AS (2008) can be met during the course of the engagement and that the reporting organisation is acting in good faith.

A.1.8. Engagement Letter

The minimum criteria for an engagement letter are set out in the AA1000 Assurance Standard (2008). A good practice engagement letter may include

• Objectives

• Responsibilities of reporter and assurance provider

• Applicable Code of Conduct

• Scope

• Standards to be used

• Assumptions regarding reporting criteria and evidence

• Requirements for evidence

• Summary of activities, including milestones, timeframes and progress reporting requirements

• Assurance Report and Assurance Statement requirements

• Confidentiality requirements

• A declaration of independence by the assurance provider

• Level of assurance anticipated

• Risks and constraints

• Liability

• Fees and costs

• Any special requirements relating to web-site reporting or translations

A.1.9. Performing the Engagement

The Assurance provider shall prepare a documented engagement plan for conducting the assurance engagement. In addition to addressing the items in the engagement letter, the assurance plan may contain details of:

• Identification of key reporting organisation and assurance provider contacts

• Risk assessment and planning

• Review of reporting criteria

• Evidence gathering plan for evaluations against both the content principles and the quality of information principles (as relevant for the scope), including,

• Depth, breadth, type and sources of evidence gathering (to demonstrate how the anticipated level of assurance will be achieved)

• Activities schedule including dates and durations

• Resource requirements (human, financial, technological)

• Sampling plans to be used and rationale

• Assurance procedures to be used

• Reference documents, protocols, checklists and other working documents to be used

A.1.10. Assurance Reporting

A.1.10.1. Assurance statement

An assurance statement may include the following information:

• Title

• Intended Audience

• Note on roles and responsibilities (assurance provider, reporting organisation)

• Description of the scope of the assurance engagement and its type

• Assurance standard used

• Description of disclosures covered

• Note on criteria used

• Limitations (in the sustainability report, the engagement scope or evidence gathering)

• Description of methodology

• Conclusions concerning adherence to the AccountAbility Principles

• Conclusions concerning the Quality of Information (only in a Type 2. assurance engagement)

• Statement on level of assurance obtained

• Findings, commentary and recommendations including, where appropriate, whether previous years' recommendations have been implemented

• Note on competencies and independence

• Name and date


A.1.10.2. Report to management

The report to management may provide additional information including further detail on:

• the conduct of the engagement,

• the findings, and

• the recommendations.

A.1 AccountAbility Principles

A.1.1 Inclusivity

The following questions provide guidance for evaluating adherence to the foundation principle of Inclusivity. The assurance provider needs to establish what evidence is required for the relevant level of assurance to determine that these criteria are met.


A.1.1.1 Report disclosures

A.1.1.1.1. Does the report describe the stakeholders to whom the organisation considers itself accountable?

A.1.1.1.2. Does the report content draw upon the outcomes of stakeholder engagement processes used by the organisation in its ongoing activities?

A.1.1.1.3. Does the report content draw upon the outcomes of any stakeholder engagement processes undertaken specifically for the report?

A.1.1.1.4. Are the stakeholder engagement processes that inform decisions about the report consistent with the scope and boundary of the report?


A.1.1.2 Systems and processes

A.1.1.2.1 Does the reporting organisation have in place a stakeholder strategy and adequate processes sufficient to deliver this strategy?

A.1.1.2.2 The AA1000 Stakeholder Engagement Standard (AA1000SES) establishes requirements for effective, quality stakeholder engagement. The following steps are included in the AA1000SES and any evaluation of adequate stakeholder engagement processes needs to consider the following, (refer to the AA1000SES for further guidance):

A.1.1.2.2.1 Identify stakeholders

A.1.1.2.2.2 Initial identification of material issues

A.1.1.2.2.3 Determine and define engagement strategy, objective and scope

A.1.1.2.2.4 Establish engagement plan and implementation schedule

A.1.1.2.2.5 Identify effective ways of engaging that work

A.1.1.2.2.6 Build and strengthen capacity

A.1.1.2.2.7 Engage with stakeholders in ways that facilitate understanding, learning and improvement

A.1.1.2.2.8 Operationalise, internalise and communicate learning

A.1.1.2.2.9 Measure and assess performance

A.1.1.2.2.10 Assess, re-map and re-define

A.1.1.2.2.11 Have stakeholders been involved in the determination of material issues?

A.1.1.2.2.12 Is there a process for resolving conflicts or dilemmas between different stakeholder expectations regarding materiality?

A.1.2 Materiality

The concept of materiality comes from financial auditing and reporting. Materiality for financial reporting is defined as follows: ‘Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements.’

The AA1000 Assurance Standard (2008), by recognising Stakeholders as users and by requiring that stakeholders participate in the determination of materiality, makes it clear that they are an important source of evidence and that their views count in the determination of materiality.

An assurance provider should evaluate an organisation’s determination of the issues, concerns and impacts material to the organisation and its Stakeholders, and whether there are any material misrepresentations or omissions in its reporting of the results of this process.

A material misrepresentation or omission occurs when information is not disclosed or, if disclosed, is in some way distorted such that in either case it is likely to change the decisions, actions and behaviour of Stakeholders or the organisation itself.

A.1.2.1 Relevance and Importance

Scope should take into consideration physical, organisational and time boundaries. The Assurance Provider should clearly state the boundaries of enquiry in the assurance statement.

A.1.2.2 Determining what is Material

The reporting organisation is responsible for determining what it considers to be material. It should be made clear in the assurance statement and/or final report where the final responsibility for determining materiality lies.

A.1.2.3 Process for determining Materiality

The determination of materiality should be systematic and defensible. An Assurance Provider should analyse the process used to determine materiality, as well as its systematic application.

An assurance provider should assess whether there has been an evaluation of relevance and importance based on clearly identified criteria, taking into account whether there has been a process for establishing and justifying the basis for determining the past, present or likely future occurrence and the severity of the (predicted) impact.

An assurance provider should evaluate the process through which stakeholders have been involved.

The following questions provide guidance for evaluating adherence to the principle. The assurance provider needs to establish what evidence is required for the relevant level of assurance to determine that these criteria are met.


A.1.2.1.4 Reporting Disclosures

A.1.2.1.4.1 Did the reporting organisation, in defining material issues, take into account external factors, including:

A.1.2.1.4.1.1 Main sustainability interests/topics and Indicators raised by stakeholders.

A.1.2.1.4.1.2 The main topics and future challenges for the sector reported by peers and competitors.

A.1.2.1.4.1.3 Relevant laws, regulations, international agreements, or voluntary agreements with strategic significance to the organisation and its stakeholders.

A.1.2.1.4.1.4 Reasonably estimable sustainability impacts, risks, or opportunities (e.g., global warming, HIV-AIDS, poverty) identified through sound investigation by people with recognized expertise, or by expert bodies with recognized credentials in the field.

A.1.2.1.4.1.5 Did the reporting organisation, in defining material topics, take into account internal factors, including:

A.1.2.1.4.1.6 Key organisational values, policies, strategies, operational management systems, goals, and targets.

A.1.2.1.4.1.7 The interests/expectations of stakeholders specifically invested in the success of the organisation (e.g., employees, shareholders, and suppliers).

A.1.2.1.4.1.8 Significant risks to the organisation.

A.1.2.1.4.1.9 Critical factors for enabling organisational success.

A.1.2.1.4.2 The core competencies of the organisation and the manner in which they can or could contribute to sustainable development.

A.1.2.1.4.3 Has the reporting organisation prioritised material issues adequately?

A.1.2.1.4.4 Is the relative significance of material issues and related performance put into context?

A.1.2.1.4.5 In your professional judgment, does the report address all material performance issues?

A.1.2.1.4.6 In your professional judgment, are there any material omissions or misrepresentations?


A.1.2.1.5. Systems and Processes

A.1.2.1.5.1 Is there a process in place to determine what is material?

A.1.2.1.5.2 Does the process include an evaluation of relevance?

A.1.2.1.5.3 Does the process include an evaluation of importance?

A.1.2.1.5.4 Does the process fairly represent the views and significant of stakeholders?

A.1.2.1.5.5 Are the criteria for evaluation clear and understandable?

A.1.2.1.5.6 Have the processes been systematically applied?

A.1.2.1.5.7 Is the determination of materiality consistent with stakeholder views?

A.1.3 Completeness

A.1.3.1 Fairness and Balance

An organisation’s understanding of its performance should be comprehensive, fair and balanced. An assurance practitioner should evaluate whether reported information is detailed for stakeholders using the report to make decisions with a high degree of confidence. An assurance practitioner should evaluate whether all information that is material to users, both favourable and unfavourable, for assessing the reporting organisation’s economic, environmental, and social performance appears in a manner consistent with the declared scope.

A.1.3.2. Determining the Extent of Completeness

An Assurance Provider should analyse the way in which the reporting organisation has established boundaries for:

• the discussion of the organisation’s performance,

• the discussion of stakeholders’ concerns, and

• the scope of the assurance engagement.

Completeness and Communications

There is a growing trend towards reporting on specific issues and to specific stakeholders or users, and to providing assurance appropriate to those users. An Assurance Provider may therefore be asked to provide assurance where there is no single report but rather a range of communications, for example, summary and full reports, on-line versions, presentations, podcasts etc.

In such a case assurance should consider individual communications in relation to their intended users and within the context of the underlying data, systems, processes, organisational conduct and competencies that the individual communications draw on. The same tests for fairness and balance should be used.

Any assurance statement attached to a specific report or communication should clearly acknowledge the difference in scope between an assurance engagement and the scope of the report or communication, and make it clear what the assurance statement refers to. This also applies when providing an assurance statement for the summary version of a full sustainability report. The statement should apply only to the information within that particular report, or make it clear that it is referring to content in the full report to avoid confusing readers.

The following questions provide guidance for evaluating adherence to the principle. The Assurance Provider needs to establish what evidence is required for the relevant level of assurance to determine that these criteria are met.

A.1.3.3. Reporting Disclosures

A.1.3.3.1 Does the report cover and prioritise all information that should reasonably be considered material?

A.1.3.3.2 Does the report include all entities that meet the criteria of being subject to control or significant influence of the reporting organisation unless otherwise declared?

A.1.3.3.3 Does the information in the report include all significant actions or events in the reporting period, and reasonable estimates of significant future impacts of past events when those impacts are reasonably foreseeable and may become unavoidable or irreversible?

A.1.3.3.4 Does the report omit relevant information that would influence or inform stakeholder assessments or decisions, or that would reflect significant economic, environmental, and social impacts?

A.1.3.3.5 Are the specific reports and communications being assured fair and balanced?


A.1.3.4. Systems and Processes

A.1.3.4.1 Is there a process in place to determine boundaries (e.g. of the organisation’s influence or control, of the report, of the assurance engagement)?

A.1.3.4.2 Is there a process in place to fully research and understand the range of issues and concerns material to the organisation and its stakeholders?

A.1.3.4.3 Is there a process in place to address the range of issues and concerns raised by stakeholders?

A.1.3.4.4 Does the organisation have a process for deciding what is fair and balanced for any specific report?

A.1.3.4.5 Have the above processes been systematically applied?

A.1.4. Responsiveness

A.1.4.1. Prioritising Response

An assurance practitioner should evaluate whether a reporting organisation has in place a process to respond to material issues and how an organisation has prioritised response.

A.1.4.2. Resources for Response

An assurance provider should evaluate whether the reporting organisation has allocated adequate resources. Resources are adequate when they allow the reporting organisation to achieve within the stated time frame its stated commitments and to communicate its response in a way that is consistent with stakeholder interests.

A.1.4.3. Timeliness of Response

An assurance provider should evaluate whether the reporting organisation has responded in a timely fashion.

A.1.4.4. Communicating the Response

An assurance provider should evaluate Responsiveness in relation to the intended users and within the context of the overall response to material issues and concerns.

A.1.4.5. Participation in and Access to Response

An Assurance Provider should evaluate the access of stakeholders

• to the process for developing responses (policies, strategies, plans), and

• to information about responses.

A reporting organisation’s processes and mechanisms for providing access should reflect the different needs and capacities of its stakeholders and should not require unreasonable effort. Information should be clear and understandable.

The following questions provide guidance for evaluating adherence to the principle. The Assurance Provider needs to establish what evidence is required for the relevant level of assurance to determine that these criteria are met.

A.1.4.6. Reporting Disclosures

A.1.4.6.1 Is communication of the response consistent with stakeholder views?

A.1.4.6.2 Is the information on the organisation’s response available and accessible to stakeholders?


A.1.4.7. Systems and Processes

A.1.4.7.1. Does the organisation have in place a process to decide what issues to respond to?

A.1.4.7.2. Does the organisation have a process in place to integrate its responses into its management, governance and change processes?

A.1.4.7.3. Have the above processes been systematically applied?

A.1.4.7.4. Does the organisation allocate adequate resources to enable the implementation of commitments?

A.1.4.7.5. Does the organisation have processes in place to prevent material misstatements when communicating its response to stakeholders?

A.1.4.7.6. Does the organisation identify any shortfalls and implement corrective action in relation to its responsiveness?

A.2. Evaluating the Quality of Information

This guidance supports an assurance provider when evaluating the quality of information.

Note: These criteria are consistent with the Quality of Information Principles from GRI G3.

A.2.1. Reliability

The assurance provider shall evaluate the publicly disclosed information including the underlying systems and data, to assess whether the publicly disclosed information has been gathered, recorded, compiled, analyzed, and disclosed in a way that, when examined, establishes the quality and materiality of the information.

The following tests provide guidance for evaluating adherence to the criteria. An Assurance Provider will need to establish what is required to determine that these criteria are met and what evidence is necessary. Different levels of assurance may require different levels of evidence testing.

A.2.1.1 Is the scope and extent of external assurance identified?

A.2.1.2 Can the original source of the information in the report be identified?

A.2.1.3 Is there reliable evidence to support assumptions or complex calculations?

A.2.1.4 Is representation available from the original data or information owners, attesting to its accuracy within acceptable margins of error?

A.2.2 Clarity

The assurance provider shall evaluate the publicly disclosed information and underlying systems and data to assess whether the publicly disclosed information is made available in a manner that is understandable and accessible to the intended audience of the report.

The following tests provide guidance for evaluating adherence to the criteria. An assurance provider will need to establish what is required to determine that these criteria are met and what evidence is necessary. Different levels of assurance may require different levels of evidence testing.

A.2.2.1 Does the report contain the level of information required by stakeholders, but avoid excessive and unnecessary detail?

A.2.2.2 Could stakeholders find the specific information they want without unreasonable effort through tables of contents, maps, links, or other aids?

A.2.2.3 Does the report avoid (where practical) technical terms, acronyms, jargon, or other content likely to be unfamiliar to stakeholders, and does it include explanations (where necessary) in the relevant section or in a glossary?

A.2.2.4 Is the data and information in the report available to stakeholders, including those with particular accessibility needs (e.g., differing abilities, language, or technology)?

A.2.3. Balance

An assurance provider should evaluate whether the overall presentation of the report’s content provides an unbiased picture of the reporting organisation’s performance and avoids selections, omissions, or presentation formats that are reasonably likely to unduly or inappropriately influence a decision or judgment by the report reader.

The following tests provide guidance for evaluating adherence to the criteria. An assurance provider will need to establish what is required to determine that these criteria are met and what evidence is necessary. Different levels of assurance may require different levels of evidence testing.

A.2.3.1 Does the report disclose both favourable and unfavourable results and topics?

A.2.3.2 Is the information in the report presented in a format that allows users to see positive and negative trends in performance on a year-to-year basis (including both the quantitative data and commentary on observed trends)?

A.2.3.3 Is the emphasis on the various topics in the report proportionate to their relative materiality?

A.2.4. Comparability

The assurance provider shall evaluate the publicly disclosed information and underlying systems and data to assess whether issues and information have been selected, compiled, and reported consistently, and whether reported information has been presented in a manner that enables stakeholders to analyze changes in the organization’s performance over time, and could support analysis relative to other organizations.

The following tests provide guidance for evaluating adherence to the criteria. An assurance provider will need to establish what is required to determine that these criteria are met and what evidence is necessary. Different levels of assurance may require different levels of evidence testing.

A.2.4.1 Can the report and the information contained within it be compared on a year-to-year basis?

A.2.4.2 Can the report and the information within it be compared on a year-to-year basis to that of industry peers?

A.2.4.3 Can the organisation’s performance be compared with appropriate benchmarks?

A.2.4.4 Can any significant variation between reporting periods in the boundary, scope, length of reporting period, or information covered in the report be identified and explained?

A.2.4.5 Where they are available, does the report utilize generally accepted protocols for compiling, measuring, and presenting information, including the GRI Technical Protocols for Indicators contained in the Guidelines?

A.2.4.6 Does the report use GRI Sector Supplements, where available?

A.2.5. Accuracy

The assurance provider shall evaluate the publicly disclosed information and underlying systems and data to assess whether the publicly disclosed information is sufficiently free from error and detailed for stakeholders to assess the reporting organization’s performance.

Tests

The following tests provide guidance for evaluating adherence to the criteria. An Assurance Provider will need to establish what is required to determine that these criteria are met and what evidence is necessary. Different levels of assurance may require different levels of evidence testing.

A.2.5.1 Does the report indicate the data that has been measured?

A.2.5.2 Are data measurement techniques and bases for calculations adequately described, and can they be replicated with similar results?

A.2.5.3 The margin of error for quantitative data is not sufficient to substantially influence the ability of stakeholders to reach appropriate and informed conclusions on performance.

A.2.5.4 The report indicates which data has been estimated and the underlying assumptions and techniques used to produce the estimates, or where that information can be found.

A.2.5.5 The qualitative statements in the report are valid on the basis of other reported information and other evidence reviewed.

A.2.6. Timeliness

The assurance provider shall evaluate the publicly disclosed information and underlying systems and data to assess whether reporting occurs on a regular schedule and information is available in time for stakeholders to make informed decisions.

The following tests provide guidance for evaluating adherence to the criteria. An assurance provider will need to establish what is required to determine that these criteria are met and what evidence is necessary. Different levels of assurance may require different levels of evidence testing.

A.2.6.1 Has information in the report been disclosed while it is recent relative to the reporting period?

A.2.6.2 Is the collection and publication of key performance information aligned with the sustainability reporting schedule?

A.2.6.3 Does the information in the report (including web based reports) clearly indicate the time period to which it relates, when it will be updated, and when the last updates were made?