Applying AICPA Attestation Concepts to ESG Assurance Engagements

How AICPA attestation concepts apply to ESG reviews and examinations, including criteria, evidence, responsibility, and report wording.

ESG assurance engagements can be performed using attestation concepts that CPA candidates already study in AUD: suitable criteria, identifiable subject matter, management responsibility, practitioner independence, evidence, materiality, and a written conclusion.

The subject matter may be a full sustainability report, selected greenhouse gas metrics, workforce statistics, governance disclosures, or another defined ESG measure. The practitioner does not assure “sustainability” in the abstract; the practitioner reports on the specific subject matter measured against specified criteria.

    flowchart LR
        A["Define subject matter"] --> B["Evaluate criteria"]
        B --> C["Determine review or examination"]
        C --> D["Plan evidence procedures"]
        D --> E["Evaluate misstatements and limitations"]
        E --> F["Issue attestation report"]

Attestation Building Blocks

An ESG attestation engagement needs the same structural elements as other attestation engagements.

| Element | ESG application |
|---|---|
| Subject matter | The specific ESG information covered, such as Scope 1 emissions or employee turnover |
| Criteria | The framework, protocol, or management-developed criteria used to measure the subject matter |
| Responsible party | Management, which prepares and presents the ESG information |
| Practitioner | The CPA or firm providing the attestation conclusion |
| Intended users | Parties expected to use the report, such as investors, lenders, regulators, or management |
| Evidence | Records, calculations, controls, confirmations, observations, inquiries, and analytics supporting the conclusion |

If any element is unclear, the engagement becomes risky. For example, an engagement over “social impact” without specific metrics and criteria is too vague to support a meaningful assurance conclusion.

Review Versus Examination

A review provides limited assurance. An examination provides reasonable assurance. Both require planning, evidence, professional skepticism, documentation, and a written report, but the extent of procedures and the conclusion wording differ.

| Engagement | Assurance level | Typical procedures | Report wording |
|---|---|---|---|
| Review | Limited assurance | Inquiry, analytical procedures, and limited testing targeted to risk | Negative-form conclusion |
| Examination | Reasonable assurance | More extensive testing, recalculation, inspection, observation, control testing, and evidence evaluation | Positive-form opinion |

Limited assurance is lower than reasonable assurance, but it is not a casual review. Reasonable assurance is higher, but it is not absolute assurance.

Suitable Criteria

Suitable criteria are central to ESG attestation. Criteria should allow the subject matter to be measured or evaluated in a way that is relevant, objective, measurable, complete, and understandable to users.

The practitioner should consider:

  • whether the criteria fit the subject matter
  • whether the criteria are available to intended users
  • whether definitions and boundaries are clear
  • whether management applied the criteria consistently
  • whether estimates, assumptions, and measurement methods are disclosed
  • whether internally developed criteria are sufficiently objective

If criteria are unsuitable, the practitioner may need to modify the engagement, request clearer disclosure, restrict report use, or decline the engagement.

Planning and Evidence

Planning begins by understanding the subject matter, criteria, reporting boundary, processes, data systems, controls, risks of material misstatement, and expected users. ESG engagements often require cross-functional understanding because data may originate in operations, HR, legal, procurement, IT, or third-party systems.

Evidence procedures may include:

  1. inquiries of management and metric owners
  2. inspection of source records and supporting schedules
  3. recalculation of reported metrics
  4. sampling of transactions, facilities, employees, or supplier data
  5. observation of site procedures or control activities
  6. analytical comparisons with prior periods, production volumes, or other expectations
  7. testing controls over data entry, review, formulas, and changes
  8. use of specialists for technical measurements or estimates

The chosen procedures should match the assurance level. A reasonable assurance examination generally needs more persuasive evidence than a limited assurance review.

Report Content

An ESG attestation report should communicate the engagement clearly enough that users understand what was and was not covered.

Important report elements include:

  • identification of the subject matter
  • criteria used
  • management’s responsibility
  • practitioner’s responsibility
  • level of assurance
  • nature of procedures
  • inherent limitations
  • conclusion or opinion
  • restrictions on use, if applicable

The practitioner should not imply assurance over unaudited narrative, forward-looking targets, excluded entities, or metrics outside the engagement scope.

Misstatements, Scope Limits, and Modifications

ESG attestation issues may involve calculation errors, omitted locations, unsupported estimates, unsuitable criteria, inconsistent boundaries, or management refusal to correct a material misstatement.

The practitioner should evaluate:

  • whether identified misstatements are material
  • whether limitations prevent sufficient appropriate evidence
  • whether criteria are suitable and properly disclosed
  • whether the report needs modification
  • whether withdrawal or refusal is necessary

The correct answer in an exam scenario often turns on whether the practitioner can obtain enough evidence for the conclusion being issued.

Common Pitfalls

  • Providing a reasonable assurance-style conclusion after limited procedures.
  • Failing to identify the criteria in the report.
  • Letting management’s sustainability narrative expand the perceived assurance scope.
  • Accepting internally developed criteria without evaluating objectivity and availability.
  • Overlooking independence or self-review threats if the practitioner helped design the ESG reporting process.
  • Treating ESG data as lower quality evidence simply because it is nonfinancial.

Quick Review

AICPA attestation concepts apply naturally to ESG assurance. Define the subject matter, evaluate suitable criteria, understand management and practitioner responsibilities, choose review or examination, gather evidence consistent with the assurance level, and issue a report that clearly states scope, criteria, limitations, and conclusion.

Review Questions

### What is the subject matter in an ESG attestation engagement?

- [ ] Sustainability in general with no defined scope.
- [x] The specific ESG information covered by the engagement.
- [ ] The practitioner's preferred environmental policy.
- [ ] The audit firm's marketing statement.

> **Explanation:** Subject matter must be identifiable, such as selected ESG metrics or a defined sustainability report.

### What is the role of suitable criteria?

- [x] They provide the benchmark for measuring or evaluating the ESG subject matter.
- [ ] They replace evidence gathering.
- [ ] They eliminate management responsibility.
- [ ] They guarantee absolute assurance.

> **Explanation:** Criteria allow the practitioner to evaluate the subject matter and report a conclusion.

### Which engagement provides reasonable assurance?

- [ ] Review.
- [x] Examination.
- [ ] Compilation.
- [ ] Consulting engagement with no report.

> **Explanation:** An examination provides reasonable assurance and generally uses positive-form opinion wording.

### Which conclusion style is typical for a review engagement?

- [ ] Positive opinion wording.
- [x] Negative-form limited assurance wording.
- [ ] A guarantee of all ESG information.
- [ ] No written conclusion.

> **Explanation:** A review provides limited assurance and commonly states that nothing came to the practitioner's attention.

### Which procedure is more consistent with an examination than a limited review?

- [ ] Inquiry only.
- [ ] Reading the report for presentation.
- [x] More extensive testing, recalculation, inspection, and control evaluation.
- [ ] No evidence procedures.

> **Explanation:** Examinations require more extensive and persuasive evidence.

### Who is ordinarily the responsible party for ESG information?

- [x] Management.
- [ ] The practitioner.
- [ ] The intended users.
- [ ] The sustainability report designer.

> **Explanation:** Management prepares and presents the ESG information.

### What should the practitioner do if criteria are vague and not available to intended users?

- [ ] Ignore the issue if management approves the report.
- [x] Evaluate whether the criteria are unsuitable and whether the engagement must be modified or declined.
- [ ] Issue reasonable assurance automatically.
- [ ] Remove all criteria references from the report.

> **Explanation:** Unsuitable criteria can prevent a meaningful attestation conclusion.

### What is a self-review threat in an ESG assurance setting?

- [ ] The practitioner reads prior-year workpapers.
- [x] The practitioner helps design the ESG reporting process and later assures the same information.
- [ ] Management provides source records.
- [ ] Users request a copy of the report.

> **Explanation:** Assuring work the practitioner helped create may impair objectivity or independence.

### Which report element helps prevent users from assuming all ESG narrative was assured?

- [ ] A broad marketing statement.
- [ ] Silence about subject matter.
- [x] Clear identification of scope, criteria, and covered metrics.
- [ ] Omission of inherent limitations.

> **Explanation:** Clear scope and criteria show users what was and was not covered.

### Reasonable assurance is high assurance, but not absolute assurance.

- [x] True.
- [ ] False.

> **Explanation:** Reasonable assurance reduces risk to an acceptably low level but does not guarantee perfection.

Revised on Monday, June 15, 2026