Guidance On The AA1000 Assurance Standard 2008
From AccountAbility AA1000 Wiki
A. Guidance for Assurance Practitioners
Introduction
This guidance for AA1000AS (2008) is non-binding. It is intended to provide guidance on good practice and to provide a more detailed understanding of sustainability assurance.
A.1 Conducting Sustainability Assurance
A.1.1 Scope of the Engagement
The two types of sustainability assurance deemed to be in accordance with the AA1000AS (2008) are:
Type 1. Evaluation of adherence to the AA1000 AccountAbility Principles
Type 2. Evaluation of adherence to the AA1000 AccountAbility Principles plus evaluation of performance information
AA1000AS (2008) should not be used only to provide verification of sustainability performance information and data. It must include an evaluation of adherence to the AA1000 AccountAbility Principles.
The Type 1 scope makes it possible for innovative assurance practices, such as the use of expert panels, to claim accordance with AA1000AS (2008).
A.1.2 Intended audience
Stating the intended audience is helpful in understanding the balance, clarity and timeliness of the disclosure. It is also useful when an assurance engagement includes a number of disclosures and not a single report. Identifying the intended audience can help an assurance provider understand and evaluate the inclusion or exclusion of information in certain disclosures. For example, a Type 2 assurance engagement includes in its scope ‘specified’ performance information. Understanding the audience provides an argument for why certain performance information has been specified.
A.1.3 Report Boundary
The agreement on the boundaries of the report should refer to a set of criteria for defining boundaries that ensure inclusion of all material economic, social and environmental impacts of the organisation, including where relevant those not directly under its control such as joint ventures, suppliers, contractors and products.
Suitable criteria for evaluating report boundaries are those that
• have been developed by an independent peer reviewed or multi-stakeholder process,
• are supported by sound argument and evidence, and
• are publicly available.
This includes the GRI Boundary Protocol, which states that "a sustainability report should include all entities in its boundary that generate significant sustainability impacts (actual and potential) and/or over which the reporting organisation exercises control or significant influence over financial and operating policies and practices".
A.1.4 Disclosures covered
It is acceptable to include in an assurance engagement more than one source of disclosure (e.g. a group level report, a single issue report, web based information). In doing so the assurance provider must ensure that any assurance statement attached to any single disclosure is clear about the disclosure the statement refers to.
A.1.5 Level of Assurance
For those required to use ISAE 3000 a high level of assurance relates to reasonable assurance and a moderate level of assurance relates to limited assurance.
The ISAE 3000 terms may be used where required as long as the basic requirements of AA1000 Assurance Standard (2008) are met and the reference to use of ISAE 3000 is explicit.
The intent is for AA1000AS (2008) to provide a frame that can accommodate and not contradict other practices.
A.1.6 Limitations
It is important to be explicit about limitations. Not to do so may increase assurance engagement risk.
A.1.7 Engagement Acceptance
A.1.7.1 Independence
AA1000AS (2008) sets out minimum requirements for independence to provide a frame within which claims of independence can be made and defended. Some professions and organisations may have higher tests of independence. These should be applied as long as they encompass the requirements of AA1000AS (2008). Some organisations may choose to use higher tests for independence as a basis for competitive advantage.
A.1.7.2 Competence
It is important to professionalise the discipline of sustainability assurance. To do this will require standardisation and independent evaluation of the competencies of individual practitioners and assurance provider organisations.
A.1.7.2.1 Individual Practitioner's Competence
The standardisation and evaluation of practitioner competence will draw on the qualifications and competencies developed by a number of existing disciplines. However, sustainability assurance is a distinct discipline and must therefore be served by a distinct set of competencies (acknowledging that it draws on a number of other disciplines).
Sustainability Assurance Practitioner competence is currently codified in the Certified Sustainability Assurance Practitioner (CSAP) program administered by IRCA.
A.1.7.2.2 Organisational Provider Competence
Organisational provider accreditation does not currently exist for sustainability assurance providers.
Organisational provider accreditation is a well understood practice that exists in a wide range of related areas. If organisational provider accreditation is developed for sustainability assurance it must take into consideration the size and range of provider organisations.
A.1.7.3 Due Care
The requirement for due care is based on existing requirements in other professions. Higher tests for due care should be used when required as long as the AA1000AS (2008) requirements are met.
A.1.7.4 Reporting Criteria and Evidence
The credibility and usefulness of the report and associated assurance will depend on how useful the information is. Is it rigorous? Is it comparable? Etc. The choice of criteria is very important. It is therefore important for the assurance provider to not only evaluate the evidence but also the criteria it is based on.
A.1.7.5 Requirements of AA1000AS (2008)
The assurance provider has to decide whether to accept an engagement and whether, having accepted the engagement, it is possible to use the AA1000AS (2008).
In making this decision it should be recognised that the assurance process is iterative and that the report preparer should make changes in response to the preliminary findings of the assurance provider.
It is therefore important to evaluate the report preparer's capacity and willingness to respond to these findings during the assurance process.
It is also important to understand that the sustainability assurance process is not an end-of-pipe process - that is, it does not happen after the report has been written. Assurance should be an ongoing process during the period of information gathering and report preparation.
A.1.8 Engagement Letter
The minimum criteria for an engagement letter are set out in the AA1000AS (2008).
A best practice engagement letter may include
• objectives,
• responsibilities of reporter and assurance provider,
• applicable code of conduct,
• scope,
• standards to be used,
• assumptions regarding reporting criteria and evidence,
• requirements for evidence,
• summary of activities, including milestones, timeframes and progress reporting requirements,
• assurance report and assurance statement requirements,
• confidentiality requirements,
• a declaration of independence by the assurance provider,
• level of assurance anticipated,
• risks and constraints,
• liability,
• fees and costs, and
• any special requirements relating to web-site reporting or translations.
A.1.9 Performing the Engagement
A best practice assurance plan would contain details of:
• identification of key reporting organisation and assurance provider contacts,
• risk assessment and planning,
• review of reporting criteria,
• evidence gathering plan for evaluations against both the AA1000 AccountAbility Principles and the quality of information (as relevant for the scope), including,
• depth, breadth, type and sources of evidence gathering (to demonstrate how the anticipated level of assurance will be achieved),
• activities schedule including dates and durations,
• resource requirements (human, financial, technological),
• sampling plans to be used and rationale,
• assurance procedures to be used, and
• reference documents, protocols, checklists and other working documents to be used.
A.1.10 Assurance Reporting
A.1.10.1 Assurance Statement
A best practice assurance statement would include the following information:
• title,
• intended audience,
• note on roles and responsibilities (assurance provider, reporting organisation),
• description of the scope of the assurance engagement and its type,
• assurance standard used,
• description of disclosures covered,
• note on criteria used,
• limitations (in the sustainability report, the engagement scope or evidence gathering),
• description of methodology,
• conclusions concerning the adherence to the AA1000 AccountAbility Principles,
• conclusions concerning the quality of information (only in a Type 2 assurance engagement),
• statement on level of assurance obtained,
• findings, commentary and recommendations including, where appropriate, whether previous years' recommendations have been implemented,
• note on competencies and independence,
• name of the assurance provider and date.
A.1.10.2 Report to Management
The report to management may provide additional information including further detail on:
• the conduct of the engagement,
• the findings, and
• the recommendations.
A.2 The Assurance Process
A.2.1 Subject Matter
The scope of the engagement defines what subject matter to include.
When evaluating adherence to the AA1000 AccountAbility Principles the assurance provider will focus on the profile of the organisation and the management approach. In other words: who are they, what do they do and how do they understand and manage their sustainability issues. This information may be, but does not have to be, assertion based. The assurance provider may evaluate adherence without having to evaluate against a management claim.
When evaluating performance information the assurance provider will focus on the quality of the information. The evaluation will be assertion based. In other words: what information have they provided on their performance and is it credible.
A.2.2 Criteria
The assurance provider will need to establish what criteria to use. This guidance document provides information on recommended criteria. However other criteria may be used if they meet the requirements of AA1000AS (2008) for quality criteria.
A.2.2.1 AA1000 AccountAbility Principles
The assurance provider should bring agreed criteria to the engagement for the evaluation of adherence to the AA1000 AccountAbility Principles. These criteria must meet the requirements of AA1000AS (2008) and may be based on the recommendations in this guidance document.
AA1000 AccountAbility Principle of Inclusivity
The following questions provide guidance for evaluating adherence to the foundation AA1000 AccountAbility Principle of Inclusivity. The assurance provider needs to establish what evidence is required to determine that these criteria are met.
The AA1000 Stakeholder Engagement Standard (AA1000SES) establishes requirements for effective, quality stakeholder engagement and should be considered a source of acceptable criteria for evaluating adherence to the principle of inclusivity.
Tests
The following criteria may be used to evaluate adherence to the principle:
• Does the organisation have in place a process to identify and prioritise stakeholders? What is the quality and extent of this process?
• Does the reporting organisation have in place a stakeholder strategy and adequate processes sufficient to deliver this strategy? What is the quality and extent of the strategy and processes?
• Does the organisation have in place a process to determine and define engagement strategy, objective and scope? What is the quality and extent of this process?
• Does the organisation have in place a process to establish engagement plans and implementation schedules? What is the quality and extent of this process?
• Does the organisation have in place a process to identify effective modes of engaging that work? What is the quality and extent of this process?
• Does the organisation have in place a process to build and strengthen capacity to engage? What is the quality and extent of this process?
• Does the organisation have in place a process to engage with stakeholders in ways that facilitate understanding, learning and improvement? What is the quality and extent of this process?
• Does the organisation have in place a process to achieve, internalise and communicate learning? What is the quality and extent of this process?
• Does the organisation have in place a process to measure and assess engagement performance? What is the quality and extent of this process?
• Does the organisation have in place a process to assess, re-map and re-define engagement strategies and processes? What is the quality and extent of this process?
• Have stakeholders been involved in the determination of material issues? What is the quality and extent of this involvement?
• Is there a process for resolving conflicts or dilemmas between different stakeholder expectations regarding materiality? What is the quality and extent of this process?
• Are stakeholder strategies, processes and results reflected in public sustainability disclosures? What is the quality and extent of this?
AA1000 AccountAbility Principle of Materiality
The concept of materiality comes from financial reporting and auditing. Materiality for financial reporting is defined as follows:
‘Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements’.
A material misrepresentation or omission occurs when information is not disclosed or, if disclosed, is in some way distorted such that in either case it is likely to change the decisions, actions and behaviour of stakeholders or the organisation itself.
Materiality depends on the size of the item or error judged in the particular circumstances of its omission or misstatement. Thus, materiality provides a threshold or cut-off point rather than being a primary qualitative characteristic which information must have if it is to be useful.
In practice, financial impact thresholds are established that define the ‘magnitudes’ that are deemed material. The European Federation of Accountants (FEE) guidance on materiality during audit engagements indicates that it is important to consider materiality when determining evidence gathering requirements; and that when considering materiality the practitioner should understand what factors will influence the decisions of intended users. The relative importance of qualitative and quantitative factors in determining materiality is a matter of professional judgement.
In the sustainability context, materiality refers not only to a material misstatement or omission in reporting but also to the relevance and importance of an issue to an organisation’s ability to create value. Material issues are the issues that must be taken into consideration when making decisions about what the organisation is going to do and how it is going to do it.
The reporting organisation is responsible for determining what it considers to be material. In making this determination, it must understand and respond to what is material to its stakeholders. While stakeholders participate in and influence the reporting organisation’s determination of what it will treat as material, they do not, unless explicitly assigned, have responsibility for final decision and sign off. This then becomes a governance issue for the reporting organisation. The determination should be made in a robust and transparent manner and governance should reflect this.
The AA1000AS (2008) requires that an assurance provider assess an organisation’s determination of material issues in relation to a range of criteria and not just in relation to financial thresholds. As in the case of financial reporting and auditing, an issue, concern or impact is material if it could influence the decisions and behaviour of stakeholders or the organisation itself.
Process for Determining Materiality
The determination of materiality should be systematic and defensible.
A reporting organisation, with its stakeholders, should determine what is material to whom, why and at what point. To determine materiality it should analyse the relevance of these issues and concerns to the organisation and its stakeholders, and their importance in relation to the organisation’s ability to create and maintain public and private value. "Relevance" is about what matters and "importance" is about how much it matters. Material issues are the most important issues of those that have been deemed relevant.
Relevance of an issue is determined in relation to objective sustainability criteria. AccountAbility has developed the 5-part Materiality Test, which is explained in detail in Redefining Materiality. Whilst this process intends to provide a benchmark for analysing relevance, it is not a requirement. The process identifies and tests issues in relation to:
• direct financial impacts,
• policy-related performance,
• organisational peer-based norms,
• stakeholder behaviour and concerns, and
• societal norms.
Importance is determined by prioritising relevant issues. This prioritisation should be made based on suitable and identified thresholds.
Tests
The following criteria may be used to evaluate adherence to the principle:
• Is there a process in place to determine what is material?
• Does the process include an evaluation of relevance?
• Does the process include an evaluation of importance?
• Are the criteria for evaluating relevance and importance clear and understandable?
• Have the processes been systematically applied?
• Did the reporting organisation, in defining material issues, take into account external factors, including:
o the issues and concerns raised by stakeholders,
o the main topics and future challenges for the sector reported by peers and competitors,
o relevant laws, regulations, international agreements, or voluntary agreements with strategic significance to the organisation and its stakeholders,
o reasonably estimable sustainability impacts, risks, or opportunities (e.g., global warming, HIV-AIDS, poverty) identified through sound investigation by people with recognized expertise, or by expert bodies with recognized credentials in the field.
• Did the reporting organisation, in defining material topics, take into account internal factors, including:
o key organisational values, policies, strategies, operational management systems, goals, and targets.
o the interests/expectations of stakeholders specifically invested in the success of the organisation (e.g., employees, shareholders, and suppliers).
o significant risks to the organisation.
o critical factors for enabling organisational success.
o the core competencies of the organisation and the manner in which they can or could contribute to sustainable development.
• Has the reporting organisation determined material issues adequately?
• Does the report address all material performance issues?
• Are there any material omissions or misrepresentations in the report?
AA1000 AccountAbility Principle of Completeness
Completeness is about the comprehensive identification and understanding of material issues and the organisation’s response to them. The complete understanding of material issues and the response to them is aided by the sources of information and the expertise brought to bear on the issues. Understanding can be aided by such things as:
• commissioning or undertaking research
• building internal and external capacity and competencies
• engaging in discussions and debates on material concerns and opportunities
• adopting and applying appropriate standards, codes, frameworks or management systems
Completeness of identification and understanding also depends on the maturity of the issue. It will be more difficult to have a deep understanding of a new or emerging issue since relatively little will be known or agreed about the issue. On the other hand, for mature issues, there is a wealth of knowledge and agreement and therefore the expectation of a deeper understanding.
The maturity of the issue will also influence the nature of the response. The more well understood and mature an issue is, the more advanced should be the response expected from the organisation.
Tests
The following criteria may be used to evaluate adherence to the principle:
• Has the organisation completely identified its material issues?
• Does the organisation have a complete understanding of its material issues?
• Is there a process in place to fully research and understand the range of issues and concerns material to the organisation and its stakeholders? What is the quality and extent of the process?
• Is there a process in place to understand the associated impacts of material issues? What is the quality and extent of the process?
• To what extent does the organisation have in place, or have access to, the necessary competencies to ensure a complete understanding of its material issues and associated impacts?
• Does the organisation have a complete understanding of the stakeholders who are affected by and/or can affect its material issues?
• Is there a process in place to fully understand the maturity of issues and concerns material to the organisation and its stakeholders? What is the quality and extent of the process?
• Does the organisation have a process in place to understand the response to material issues expected by stakeholders?
• Have the above processes been systematically applied?
• To what extent does the understanding of material issues extend across the organisation?
AA1000 AccountAbility Principle of Responsiveness
A reporting organisation should have a process in place to respond to material issues, that is, to develop and implement policies, strategies and plans consistent with stakeholder and organisational interests.
Since the response must compete for available resources, the response to material issues needs to be prioritised. This prioritisation needs to be consistent with these other strategies and plans, as well as with stakeholder interests. A systematic process for determining the relevance and importance of material issues will provide the basis for decisions about priority.
If there are stakeholder concerns that have not been responded to, this needs to be communicated. An assurance provider should evaluate whether a reporting organisation has in place a process to respond to material issues and how an organisation has prioritised response.
Resources for response
An assurance provider should evaluate whether the reporting organisation has allocated adequate resources. Resources are adequate when they allow the reporting organisation to implement within the stated time frame its stated commitments and to communicate its response in a way that is consistent with stakeholder interests.
Timeliness of response
An assurance provider should evaluate whether the reporting organisation has responded in a timely fashion.
Communicating the response
An assurance provider should evaluate responsiveness in relation to the intended users and within the context of the overall response to material issues and concerns.
Participation in and access to response
An assurance provider should evaluate the access of stakeholders
• to the process for developing responses (policies, strategies, plans), and
• to information about responses.
Tests
The following criteria may be used to evaluate adherence to the principle:
• Does the organisation have in place a process to decide what issues to respond to and to prioritise them? What is the quality and extent of this process?
• Is communication of the response consistent with stakeholder needs and concerns?
• Is the information on the organisation’s response available and accessible to stakeholders?
• To what extent does the organisation involve stakeholders in the process for developing responses?
• Does the organisation have a process in place to integrate its responses into its management, governance and change processes? What is the quality and extent of this process?
• Does the organisation have processes in place to prevent material misstatements when communicating its response to stakeholders?
• Have the above processes been systematically applied?
• Does the organisation allocate adequate resources to enable the implementation of commitments?
• Does the organisation respond in a timely fashion?
• Do communications include an explanation of stakeholder concerns that are not being responded to?
• Does the organisation identify any shortfalls and implement corrective action in relation to its responsiveness?
A.2.2.2 Performance Information
The criteria for evaluating performance information may be based on the guidance in this document or may be from another acceptable source. The assurance provider must make it clear what criteria are being used.
A.2.3 Evidence
It is important that the assurance provider have a clear plan for the breadth, depth and quality of the evidence required. The assurance provider should use accepted sampling protocols and have in place internal procedures for determining what evidence they need and for evaluating when evidence is acceptable.
A.2.4 Conclusions
Conclusions should be clear and to the point. There should be a conclusion on each of the four AA1000 AccountAbility Principles and on performance information, where relevant.
For adherence to the AA1000 AccountAbility Principles, conclusions are not stated as a ‘yes’ or a ‘no’. The conclusion should articulate the quality and extent of adherence. So instead of saying in the statement that: ‘in our opinion the organisation adheres to the principle of materiality’, the assurance provider should say: ‘the organisation has in place a procedure to determine its material sustainability issues’.
It should then characterise the qualities and limitations of the procedure. It should also state a conclusion on the results of the procedure. For example: ‘It is our opinion that as a result of implementing the procedure no material issues have been omitted.’
Conclusions on disclosures on performance should address the quality of the information and should be based on the evaluation of evidence in relation to the agreed criteria. The conclusions should address the systems, processes and underlying data as well as the disclosed assertions.
A.2.5 Recommendations
Recommendations should address deficiencies in adherence to the AA1000 AccountAbility Principles and in the quality of performance information. In the context of addressing deficiencies in adherence to the AA1000 AccountAbility Principles, for example, when addressing the adequacy of adherence to the principle of responsiveness, it may be appropriate to provide recommendations on performance within the context of sustainable development.
A.3 Quality of Information
These criteria are consistent with the Quality of Information Principles from GRI G3 but other criteria that satisfy the requirements of the standard are acceptable.
A.3.1 Reliability
The assurance provider should evaluate the publicly disclosed information including the underlying systems and data, to assess whether the publicly disclosed information has been gathered, recorded, compiled, analyzed, and disclosed in a way that, when examined, establishes the quality and materiality of the information.
Tests
The following tests may be used to evaluate the reliability of information:
• Can the original source of information be identified?
• Is there reliable evidence to support assumptions or complex calculations?
• Is representation available from the original data or information owners, attesting to its accuracy within acceptable margins of error?
A.3.2 Clarity
The assurance provider should evaluate the publicly disclosed information and underlying systems and data to assess whether the publicly disclosed information is made available in a manner that is understandable and accessible to the intended audience of the report.
Tests
The following tests may be used to evaluate the clarity of information:
• Does the report contain the level of information required by stakeholders, but avoid excessive and unnecessary detail?
• Could stakeholders find the specific information they want without unreasonable effort through tables of contents, maps, links, or other aids?
• Does the report avoid (where practical) technical terms, acronyms, jargon, or other content likely to be unfamiliar to stakeholders, and does it include explanations (where necessary) in the relevant section or in a glossary?
• Is the data and information in the report available to stakeholders, including those with particular accessibility needs (e.g., differing abilities, language, or technology)?
A.3.3 Balance
An assurance provider should evaluate whether the overall presentation of the report’s content provides an unbiased picture of the reporting organisation’s performance and avoids selections, omissions, or presentation formats that are reasonably likely to unduly or inappropriately influence a decision or judgment by the report reader.
Tests
The following tests may be used to evaluate the balance of information:
• Does the report disclose both favourable and unfavourable results and topics?
• Is the information in the report presented in a format that allows users to see positive and negative trends in performance on a year-to-year basis (including both the quantitative data and commentary on observed trends)?
• Is the emphasis on the various topics in the report proportionate to their relative materiality?
A.3.4 Comparability
The assurance provider should evaluate the publicly disclosed information and underlying systems and data to assess whether issues and information have been selected, compiled, and reported consistently, and whether reported information has been presented in a manner that enables stakeholders to analyze changes in the organisation’s performance over time, and could support analysis relative to other organisations.
Tests
The following tests may be used to evaluate the comparability of information:
• Can information be compared on a year-to-year basis?
• Can information be compared on a year-to-year basis to that of industry peers?
• Can the organisation’s performance be compared with appropriate benchmarks?
• Can any significant variation between reporting periods in the boundary, scope, length of reporting period, or information covered in the report be identified and explained?
• Are generally accepted protocols for compiling, measuring, and presenting information used?
A.3.5 Accuracy
The assurance provider should evaluate the publicly disclosed information and underlying systems and data to assess whether the publicly disclosed information is sufficiently free from error and detailed for stakeholders to assess the reporting organisation’s performance.
Tests
The following tests may be used to evaluate the accuracy of information:
• Are data measurement techniques and bases for calculations adequately described, and can they be replicated with similar results?
• Is the margin of error for quantitative data not sufficient to substantially influence the ability of stakeholders to reach appropriate and informed conclusions on performance?
• Is there an indication of which data has been estimated and the underlying assumptions and techniques used to produce the estimates, or where that information can be found?
• Is qualitative information valid on the basis of other evidence reviewed?
A.3.6 Timeliness
The assurance provider should evaluate the publicly disclosed information and underlying systems and data to assess whether reporting occurs on a regular schedule and information is available in time for stakeholders to make informed decisions.
Tests
The following tests may be used to evaluate the timeliness of information:
• Is the collection and publication of information recent relative to the reporting period?
• Does information clearly indicate the time period to which it relates, when it will be updated, and when the last updates were made?
B. Guidance for Reporting Organisations Seeking Assurance
When choosing whether to obtain assurance based on AA1000AS (2008) or any other assurance standard it is useful to understand what assurance based on AA1000AS (2008) offers the reporting organisation, what the process involves and how to prepare for assurance. This guidance is aimed specifically at reporting organisations and provides some guidance on these common issues relating to assurance from a reporting organisation perspective.
B.1 Choosing AA1000AS (2008)
When deciding whether or not to choose AA1000AS (2008) assurance it is useful to understand what the process involves and the main benefits to a reporting organisation.
In applying the AA1000 Assurance Standard (2008) an external assurance provider evaluates a company’s public sustainability disclosure (usually the annual CSR/sustainability report), and assesses the underlying systems and processes that deliver the relevant information and underpin the organisation’s performance. The results of this process are communicated publicly in an assurance statement, typically in the sustainability report.
The value of the AA1000AS (2008) to an organisation is two-fold.
• External value - through using external, independent assurance an organisation can increase the credibility of its reporting. In addition, by allowing an assurance provider to reach conclusions about the quality of its disclosure and underlying systems, process and data in a balanced way, and providing recommendations for future management and performance, an organisation can find it much easier to prove that its sustainability efforts are genuine and in the process build trust with stakeholders.
• Internal value - although the external benefit is fundamental to the AA1000AS (2008), many organisations who use it suggest the internal benefit can provide an equally compelling business case, especially for those organisations whose reporting systems are not yet fully matured. Organisations highlight the value of having experienced sustainability experts review their process for determining material sustainability issues, commenting on the adequacy of their stakeholder engagement and providing an evaluation of where sustainability fits into the wider strategic aims of the business. Organisations gain significant value from the assurance process and many highlight that the learning that comes from the process is very valuable when trying to improve sustainability management and performance.
The AA1000AS (2008) is a principles-based standard that provides a rigorous framework for assurance while at the same time providing enough flexibility to adapt to the context of the individual organisation. It is not a tick box, certification standard based on yes/no answers to fixed criteria. It provides conclusions based on evidence that reflect the status of an organisation at a particular point in time and provides recommendations to encourage continuous improvement.
All assurance engagements based on AA1000AS (2008) must evaluate the quality and extent of adherence to the AA1000 AccountAbility Principles. This is Type 1 assurance. In addition the Type 2 scope allows an assurance provider to evaluate specific selected sustainability performance information. This allows more of a verification style assurance on selected issues. This evaluation of selected performance information cannot be done without the evaluation of adherence to the AA1000 AccountAbility Principles if the engagement is to be deemed in accordance with AA1000AS (2008). It is up to the reporting organisation to agree with the assurance provider the type of assurance they wish.
B.2 How to prepare for AA1000AS (2008) Assurance
In preparing for an AA1000AS (2008) assurance engagement it is useful to understand what an assurance provider will be doing, what they will evaluate, what criteria they will use and what evidence they will be looking for.
In applying AA1000AS (2008) an assurance provider must evaluate the quality and extent of a reporting organisation’s adherence to the AA1000 AccountAbility Principles and provide conclusions and recommendations. The assurance provider may also evaluate and provide conclusions and recommendations on specified performance information.
The assurance provider will evaluate adherence to the AA1000 AccountAbility Principles based on the criteria in the AA1000AS (2008) and with support from additional guidance in Section A of this document. In preparing for assurance it is important to understand both the principles and the evaluation criteria.
When preparing for assurance it is also useful to understand the types of evidence that an assurance provider will be looking for. In general there is a clear difference between the evidence that an assurance provider will look for when evaluating adherence to the AA1000 AccountAbility Principles and when evaluating performance information.
When evaluating adherence to the AA1000 AccountAbility Principles an assurance provider will firstly look for evidence that systems and processes are in place that demonstrate adherence to each principle. For example:
• What systems do you have in place for engaging stakeholders and developing an engagement strategy?
• What systems do you have in place for determining material issues?
• Do you understand your material issues in a systematic way?
• Are your systems and processes for responding and communicating your response adequate?
In addition to this an assurance provider will be looking for evidence that your systems are being implemented in a way that results in quality outputs and outcomes.
When evaluating sustainability performance information an assurance provider will start by looking at data and information disclosed. The assurance provider will then want to know how that data/information is collected, aggregated, and what is included or excluded and why.
All of the information in relation to assurance will be considered in terms of the quality of the information, based on the criteria in the AA1000AS (2008) and Section A of this document.
To prepare for AA1000AS (2008) assurance it is helpful to understand the types of systems and processes that can help an assurance provider evaluate adherence to the principles.
For further information on the criteria that will be used by the assurance providers see the AA1000AS (2008) and Section A of this document. These criteria are for use by assurance providers but will be useful for organisations when seeking and preparing for assurance.
B.3 How to Select an Assurance Provider
When selecting an assurance provider there are a number of considerations which a reporting organisation may wish to take into account. Considering your objectives in relation to the assurance provider’s competencies and approach is likely to result in an assurance process that provides increased value for your organisation and your stakeholders. The list below provides a simple introduction to some of the considerations you may wish to take into account when selecting a provider.
B.3.1 Administrative Requirements
• Will the assurance provider deliver proactive and timely updates?
• Does the proposed account manager have experience of managing similar accounts?
• Will the approach to assurance delivery achieve the required levels of service?
B.3.2 Organisational Profile
• Does the provider have sufficient relevant experience in similar organisations?
• How many similar assurance engagements has the organisation conducted recently?
• Is the organisation financially fit?
B.3.3 Technical Proposal
• Can the provider demonstrate a clear and detailed understanding of priority issues?
• Can the provider demonstrate a clear understanding of the core activities required for an AA1000AS (2008) assurance engagement?
• Can the provider demonstrate a clear and detailed understanding of the scope?
• Can the provider outline a clear and detailed work plan?
• Can the provider give a clear and detailed presentation of the proposed deliverables?
• Can the provider give a clear and detailed demonstration of competencies and capacities to deliver? Do team members have the right qualifications?
• Can the provider give a clear and detailed presentation of the organisation and structure for delivery of assurance?
B.3.4 Cost Proposal
• Does the proposal include all costs and prices?
• Are all assumptions and cost components declared?
• Is the supplier willing to underwrite all and any start up costs?
• Does it provide value for money?
By weighting and evaluating considerations such as those above a reporting organisation is able to evaluate which assurance provider is best positioned to deliver the type and style of assurance they require.
B.4 During the Assurance Engagement
During the assurance engagement you will interact frequently with the assurance provider. Understanding your role and that of the assurance provider will make the assurance process more productive for both and ultimately lead to a better assurance outcome.
The role of the reporting organisation is to support the assurance provider. It is important to be open and to facilitate access to people, sites and documentary evidence. But it is also important to continually question and seek to better understand what the assurance provider is doing and why.
The assurance process is an iterative process. It requires assurance providers to gather evidence in order to generate conclusions and recommendations. Preliminary findings may lead the assurance provider to challenge you on certain points. It is the role of the assurance provider to challenge you on issues where they feel that what you are disclosing does not match the evidence they have collected. This is their role and understanding this dynamic is crucial to developing a good assurance process.
Being challenged may result in an assurance provider asking for revisions to be made to the report to avoid unnecessary negative conclusions in the public statement. It is through this iterative process that assurance can lead to a better quality, more reliable report as well as a more meaningful assurance statement.
An iterative process that takes place over the course of the reporting period, rather than at the end of the reporting period, gives the assurance provider a better opportunity to understand and observe the systems and processes. It makes the assurance process more valuable to the reporting organisation and readers of the assurance statement. An ‘end of pipe’ approach rarely produces the same depth of understanding and therefore the conclusions are often less meaningful.
B.5 Responding to the Assurance Statement
An assurance provider will publicly state their conclusions and recommendations in an assurance statement. As this statement is independent and externally provided you may not agree with everything that is said in it. While you are unable to alter the content of the assurance statement you are at liberty to provide an assurance statement response.
The response allows a reporting organisation to provide their point of view in relation to parts of the assurance statement they may wish to take issue with or elaborate on. It also enables the reporting organisation to outline planned improvements in response to items addressed in the assurance statement.
C. Guidance for Stakeholders using the Assurance Statement
This guidance is for stakeholders who use assurance statements based on AA1000AS (2008). It provides guidance on what the assurance process involves as well as guidance on how to read and understand the various sections of an AA1000AS (2008) assurance statement.
C.1 The Purpose of AA1000AS (2008) Assurance
AA1000AS (2008) is used to provide assurance related to an organisation’s public disclosures on its sustainability management and performance.
Sustainability assurance in accordance with the AA1000AS (2008) evaluates and provides conclusions on
• adherence to the AA1000 AccountAbility Principles through evaluating sustainability disclosures, management systems and processes (Type 1, required in all cases)
• disclosures on performance through evaluating information and the underlying systems that generate this information (required for a type 2 assurance only)
C.2 The Assurance Process
At its most basic, an assurance engagement is about
• evaluating evidence
• about the subject matter
• against criteria
• to develop conclusions and
• recommendations
So it is important to know what the subject matter is (and therefore the scope of the assurance engagement), what the criteria used to evaluate the subject matter are, and what and how evidence has been gathered and evaluated. Knowing this allows the reader of the statement to make a judgement about the quality of the assurance provider’s conclusions and recommendations.
Before the assurance engagement begins, the assurance provider and reporting organisation agree on what will be covered during the assurance process. At a minimum the assurance provider will evaluate an organisation’s adherence to the AA1000 AccountAbility Principles but may also evaluate specific performance information.
When performing sustainability assurance the assurance provider gathers evidence about the subject matter they are providing assurance on. This evidence usually includes documents, interviews, site visits and other analysis. The evidence is then evaluated against agreed criteria, including criteria in the AA1000AS (2008) and in Section A of this document.
The evaluation of this evidence enables an assurance provider to develop conclusions and recommendations on adherence to the AA1000 AccountAbility Principles as well as the reporting organisation’s sustainability disclosures and the systems and processes used to gather, manage and communicate this information. These conclusions and recommendations are publicly communicated in an assurance statement. The statement also outlines the work done to arrive at those conclusions. The reporting organisation does not have the right to revise or edit the assurance statement.
C.3 Understanding an Assurance Statement
An AA1000AS (2008) assurance statement will include the following information. Some statements may include additional information.
C.3.1 Who is the Audience
At its broadest the assurance provider will identify all stakeholders as the audience. Other providers will limit the audience to the management of the company. This allows them to limit their potential liability. Irrespective of the audience, the statement adds credibility for all readers.
C.3.2 Roles and Responsibilities
An assurance statement should explain what the reporting organisation is responsible for (i.e. preparing the report) and what the assurance provider is responsible for (i.e. assuring the disclosure in the report).
C.3.3 Criteria used by the Assurance Provider
This should refer to what criteria and standards the assurance provider used to conduct the assurance engagement. When AA1000AS (2008) is mentioned the assurance provider is stating that the standard has been followed to the extent necessary to support a claim of accordance with the standard.
C.3.4 Description of the Scope of the Assurance Engagement
The description of the scope of the assurance engagement should describe the subject matter covered by the assurance provider on which the conclusions in the assurance statement are based.
There are two types of scope in AA1000AS (2008). The assurance statement must state the type of assurance.
C.3.5 Levels of Assurance
Levels only apply to the evaluation of performance information in a Type 2 engagement.
There are two levels of assurance, high and moderate.
Levels of assurance relate to the depth of investigation and therefore the type and breadth of evidence evaluated by the assurance provider.
C.3.6 Limitations
An assurance statement should mention any limitations in the sustainability report, the engagement scope and the evidence gathering.
C.3.7 Description of the Work done
An assurance statement should provide a description of work done during the engagement. This helps readers understand what an assurance provider has done in order to develop their conclusions.
A description of the work done will include a description of the evidence gathering methods. Typically evidence gathering may include site visits, document analysis, interviews. For example, an assurance provider may state the number of interviews held and sites visited.
C.3.8 Conclusions concerning the AA1000 AccountAbility Principles
An assurance statement must provide conclusions concerning the AA1000 AccountAbility Principles. These conclusions should provide information on how an organisation’s systems, processes, policies and commitments allow them to adhere to the AA1000 AccountAbility Principles.
The guidance in Section A of this document provides useful information on how conclusions are developed and what issues they should cover.
C.3.9 Conclusions concerning Performance Information
An assurance statement for a Type 2 assurance engagement must provide conclusions concerning performance information. These conclusions should address the quality and credibility of the information. The conclusions should also address the quality and credibility of the systems and processes used to gather, manage and communicate this information.
Conclusions should also highlight any material omissions or misstatements.
C.3.10 Recommendations
An assurance statement must include recommendations related to adherence to the AA1000 AccountAbility Principles and, for Type 2 assurance, performance information.
These recommendations may address the robustness of the process and systems used by the organisation, for example the systems in place to determine material issues. The recommendations may cover past performance and future objectives.
C.3.11 Competence and Independence
An assurance statement must state the competencies of the assurance provider.
The statement should also include a confirmation of independence.
D. Informative Annexes
The AA1000AS (2008) is designed to complement and enhance the use of guidelines for sustainability reporting and to be applicable within the context of other relevant performance, systems and process standards, guidelines and assurance frameworks.
Given that this is an overarching standard it is to be expected that during an assurance engagement a range of other standards will be cited. Assurance providers will look for standards and guidelines that provide suitable criteria against which assertions found in public disclosure can be evaluated. They will look for
• the use of indicators supported by appropriate protocols,
• systems and process standards that have been used to design and implement underlying systems,
• product and labeling standards and certifications that can be used to substantiate assertions,
• procedural standards that supplement the requirements and guidance in this standard,
• guidance and benchmark frameworks that can be used to evaluate adherence to the principles,
• evidence of standards used to guide the development of appropriate strategies and practices for stakeholder engagement.
D.1 References
D.1.2 Stakeholder Engagement
The Stakeholder Engagement Standard, AA1000SES
Stakeholder Engagement Manual, Volume 2 http://www.accountability21.net/publications.aspx?id=904
Critical Friends - Stakeholder Panels Report http://www.stakeholderpanels.net http://www.accountability21.net/publications.aspx?id=1088
D.1.3 Reporting
GRI G3 Guidelines http://www.globalreporting.org/ReportingFramework/G3Guidelines/
Accounting for Good: the Global Stakeholder Report 2005 (The Second World-wide Survey on Stakeholder Attitudes to CSR Reporting) Pleon Kohtes Klewes GmbH / Pleon b.v., 2005
ACCA (2004) The Future of Sustainability Assurance http://www.accaglobal.com/publicinterest/activities/research/reports/sustainable_and_transparent/rr-086
Canadian Reporting guidance http://www.sustainabilityreporting.ca
Context (2006) Reporting in Context 2006: Global Corporate Responsibility Reporting Trends http://www.econtext.co.uk/cover_scans/InContext2006.pdf
Corporate Register http://www.corporateregister.com (Library of Reports)
DEFRA Environmental Reporting Guidelines http://www.defra.gov.uk/environment/business/envrp/guidelines.htm
FORGE - Guidelines on Environmental Management and Reporting for the Financial Services Sector http://www.abi.org.uk/forge/
Friends of the Earth et al (2004) Lessons Not Learned: The Other Shell Report http://www.foe.co.uk/resource/reports/lessons_not_learned.pdf
KPMG (2005) KPMG International Survey of Corporate Responsibility Reporting
KPMG/ UNEP (2006) Carrots and Sticks for Starters: Current trends and approaches in Voluntary and Mandatory Standards for Sustainability Reporting http://www.unep.fr/outreach/reporting/docs/Public-UNEPKPMG-Report-FIN.pdf
UNEP/Sustainability (2004) ‘Risk and Opportunity’: Global Reporters 2004 Survey of Corporate Sustainability Reporting http://www.sustainability.com
UNEP/Sustainability (2006) ‘Tomorrow’s Value’ Global Reporters 2006 Survey of Corporate Sustainability Reporting http://www.sustainability.com
WBCSD http://www.wbcsd.org/
GEMI (2004) Transparency: A Path to Public Trust www.gemi.org/Transparency-PathtoPublicTrust.pdf
WBCSD (2002) Sustainable Development Reporting: Striking the Balance
Eurobarometer 217: The attitudes of European citizens towards environment (research Nov 2004, Published April 2005)
UN Global Compact http://www.globalcompact.org (also document - A practical guide to Communication on Progress (United Nations Global Compact and Making the Connection: Using the GRI’s G3 Reporting Guidelines for the UN Global Compact’s Communication on Progress)
Environmental, Social and Sustainability Reporting on the World Wide Web: a guide to best practice (ACCA/Corporateregister.com)
Materiality: Redefining Materiality http://www.accountability21.net/publications.aspx?id=1168
Accountability (2006) The Materiality Report: Aligning Strategy, Performance and Reporting http://www.accountability21.net/publications.aspx?id=560
Assurance: Certification as a sustainability assurance practitioner http://www.accountability21.net/publications.aspx?id=368
AA1000AS (2003): http://www.accountability21.net/publications.aspx?id=288
AA1000AS (2003) Guidance note on Principles: http://www.accountability21.net/publications.aspx?id=380
Assurance Standards Briefing AA1000AS (2003) and ISAE3000: http://www.accountability21.net/publications.aspx?id=390
User Note on the Application of the Principles of Materiality, Completeness and Responsiveness as they Relate to the AA1000 Assurance Standard http://www.accountability21.net/publications.aspx?id=1242
The Future of Assurance http://www.accountability21.net/publications.aspx?id=456
The Materiality Report
Better Assurance through Better understanding
IFAC Framework
IAASB ISAE 3000
COS 3410N
D.1.4 References to the use of AA1000AS (2008)
Only assurance engagements that meet the requirements of the standard shall claim that assurance has been provided in accordance with AA1000AS (2008) and be eligible for inclusion on the Corporate Register list of AA1000AS assured reports. Users of the standard should notify Corporate Register that they have used the standard.
D.2 AccountAbility Standards Technical Committee
Jennifer Iansen Rogers, KPMG – Chair
Glenn Howard Frommer, MTR
Dominique Gangneux, ERM
Chuck Gatchell, Nike, Inc.
Sean Gilbert, GRI
Adrian Henriques, Middlesex University
Vernon Jennings, Independent Consultant
Eileen Kohl Kaufman, SAI
Dave Lucas, Eskom
Paul Monaghan, Cooperative Financial Services
Johan Piet, Transparability
Preben J. Soerensen, Deloitte
Chris Tuppen, BT (to 4 February 2008)
David York, ACCA
D.3 Keeping Standards up-to-date
Standards are living documents that reflect progress in principles, practice, methods and science. To maintain their currency, all standards are periodically reviewed (at a minimum every five years) and where warranted new editions are published. Between editions, amendments may be issued. Standards may also be withdrawn. It is important that readers assure themselves they are using the current standard, which should include any amendments which may have been published since the standard first appeared.
Detailed information on The AA1000 Series of standards can be found on the AccountAbility web site: http://www.accountability21.net
We welcome suggestions for improvement of our standards and encourage readers to notify us immediately of any apparent inaccuracies or ambiguities. Please address your comments to the Head of Standards at AccountAbility.
D.4 Certification of sustainability assurance practitioners
IRCA and AccountAbility have established a partnership to provide a professional qualification in sustainability assurance.
D.4.1 The Certified Sustainability Assurance Practitioner Program (CSAP) aims to
• Enable practitioners to develop, validate and communicate their competence in a systematic manner.
• Make it easier for organisations to identify credible assurance expertise.
• Improve stakeholder confidence in the expertise of sustainability assurance professionals engaged by organisations.
• Develop a more systematic understanding of key competency requirements for providing effective assurance, and so establish a basis for informing this and other standards in future.
D.4.2 This Program is intended for all practitioners worldwide including
• those who work in CSR departments involved in the development of corporate accountability programs;
• those who work in departments involved in internal (assurance) audit processes;
• those who provide consultancy services for organisations on sustainability assurance;
• independent assurance providers who undertake assurance processes; and
• those just starting out in the area of sustainability assurance.
D.4.3 The Program offers Certification at three grades
• Associate Sustainability Assurance Practitioner: an understanding of the field of sustainability assurance gained by attending relevant training. This grade is most relevant to those beginning their career in sustainability assurance, and those involved in related topics
• Sustainability Assurance Practitioner: an active practitioner with demonstrable experience over a number of assignments with different clients or, for internal practitioners, over several assurance cycles covering a range of sustainability issues
• Lead Sustainability Assurance Practitioner: a practitioner who is active in the provision of sustainability assurance and has led a significant number of sustainability assurance assignments, either internally or as part of external assurance assignments. Experience in stakeholder engagement as part of assurance assignments is essential, as is the lead role in forming assurance judgements and the preparation of external or internal assurance statements
D.5 Accreditation of Sustainability Assurance Providers
There is currently no requirement for the accreditation of sustainability assurance providers in order to perform assurance engagements using AA1000 Assurance Standards. Furthermore there is no formal scheme at present which attempts to accredit providers in the same way as the CSAP programme accredits individual practitioners.
The revision consultations have illustrated that there is significant interest in organisational accreditation to address the experience gap and to ensure the quality of assurance. This is something that will have to be considered and developed over time with those in the field.
D.5.1 Engaging a Sustainability Assurance Provider
A reporting organisation needs to take into account a number of considerations when engaging a sustainability assurance provider. Listed below is a selection of some (but not all) of the factors a reporting organisation should consider when engaging a sustainability assurance provider.
D.5.2 Administrative Requirements
• Has current engagement with the assurance provider given confidence that they will be able to provide adequate account management and timely communications?
D.5.3 Organisational Profile
• Is the summary of the provider’s services and the markets in which it operates suitably relevant?
• Is the experience in providing similar services to other organisations relevant to your organisation?
• How many similar assurance engagements has the organisation done in the last three years?
• Are the organisational structure and ownership relationships clear and suitable?
• Is the organisation financially sound?
D.5.4 Assurance Team
• Are the necessary skills represented on the team?
• Can team members demonstrate the necessary qualifications and competencies? Are they CSAP certified?
• Does the lead assurance practitioner have the necessary qualifications and competencies? Is he CSAP certified?
D.5.5 Technical Proposal
• Does the assurance provider have a clear and detailed understanding of:
  • Product issues
  • Market issues
  • Supply chain issues
• Does the assurance provider have a clear and detailed understanding of:
  • Conducting assurance in accordance with AA1000 AS principles
  • How to evaluate materiality
  • How to conduct stakeholder engagement
  • GRI criteria
  • Data verification techniques
• Does the provider illustrate a clear understanding of the scope of work required in the assurance engagement (assurance, issues, organisation, time)?
• Is a clear and detailed work plan proposed that understands stakeholder concerns and will lead to a fit for purpose assurance statement?
• Is there a clear plan on the proposed deliverables?
• Is there a clear illustration of the competencies and capacity to deliver?
• Is there a clear and detailed presentation of the organisation and structure for delivery of assurance services?
• Is the cost proposal satisfactory?
D.6 Translating AA1000AS
The AA1000AS (2003) has been translated into a number of languages. Translating the standard into multiple languages enables wider international use of the standard, a greater depth of understanding at the local level and increased consistency in the quality of assurance engagements worldwide.
It is our intention to translate AA1000AS (2008) into a number of languages. AccountAbility is always looking for partners to work with to translate the standard into new languages. If you are interested in partnering on this, please contact the Head of Standards at AccountAbility.
D.7 The Value of Sustainability Assurance
There are a number of drivers which lead companies to seek independent assurance for their sustainability report and these provide a useful framework for assessing the value of sustainability assurance.
D.7.1 Compliance (Regulation/Threat of Regulation)
Although limited in sustainability reporting, regulation is the clear driver for independent assurance in the financial world. Similarly the ability to illustrate compliance with various codes and standards is an important element of the value of assurance. This is particularly true in countries such as France where elements of non-financial reporting are mandatory. Voluntary reporting and assurance on sustainability issues is often seen as a way of avoiding regulation on certain issues, which many companies value.
D.7.2 Convincing
Independent sustainability assurance can help to convince stakeholders of a company’s claims and performance in a number of areas. It can help a company illustrate that it is meeting organisational commitments or that it is improving performance on a previously weak area.
More positively, independent assurance can reaffirm where a company is going beyond best practice and developing clear brand differentiations. Independent assurance can help embed a company’s reputation for strong sustainability performance.
Assurance which accurately considers materiality and stakeholder engagement can give confidence to stakeholders that the organisation is reporting on the issues it should be and is not ignoring anything relevant and important.
D.7.3 Decision Making
Assurance of timely and appropriate data and underlying systems is essential to enable stakeholder decision-making. As much of a company’s value is bound up in intangible non-financial assets, there is increasing stakeholder pressure for many of these issues to be assured independently to give those who make decisions on the company greater confidence.
Decision-makers informed by assurance can range from those in the investment community, to NGOs deciding where to focus their campaigns, to consumers deciding which products to buy. Assurance on a single report can provide a central place for decision-makers to go to, improving access and reducing the need for organisations to respond to endless questionnaires.
D.7.4 Learning and Performance Improvement
Assurance can help as much internally as externally. Independent verification of policies, strategies, systems, understanding and data can help an organisation enhance and improve international management systems and/or strategies. It can help a company identify what more needs to be done in order to satisfy certain organisational commitments (e.g. UNGC) or, more generically, can identify where a company’s sustainability performance is strong and where it can be improved.
Assurance is able to provide an evaluation of an organisation’s overall performance and forward-looking indications of its abilities. This is not only a matter of aggregating information flows from within the company and from specific assurance processes but also of ensuring the quality of these systems, which underpin performance.
Assurance that incorporates stakeholder engagement will go further in capturing controversial and contested areas of responsibility and driving necessary learning and innovation.
What is clear is that the value of assurance is not restricted to the reporting organisation, but is appreciated by all of its stakeholders. Indoor stakeholders (management) gain a greater understanding of areas of risk and value creation. Back-door stakeholders (investors and regulators) are able to analyse risks, opportunities and compliance more easily. Although front-door stakeholders (media, NGOs, customers) remain cynical about assurance, they are generally responsive to ideas of independent verification of company activities.
