This article is the fourth in a five-part series on Scope 3 by Responsible Investor. The first article looked into how asset owners are grappling with the topic, the second covered corporate efforts and the third delved into data challenges. Look out for our upcoming focus on the push by regulators to address indirect emissions across value chains.

Amid the wave of incoming sustainability reporting rules, auditors are finding themselves in a somewhat peculiar situation.

In the near future, they are likely to see a raft of companies asking them to provide reasonable assurance – the highest level of assurance – on their Scope 3 disclosures, which are notoriously difficult to collect and often based on third-party data and estimates.

Limited assurance requirements are already in place from this year under the EU’s Corporate Sustainability Reporting Directive (CSRD), which mandates it for any material information. From 2028, the requirements will shift to reasonable assurance.

This is a huge and complex ask. Just over a decade ago – which is, in many ways, a lifetime in sustainability reporting – it was seen as impossible.

A 2010 response by the Association of Chartered Certified Accountants to a consultation paper on GHG statement assurance said: “We believe that reasonable assurance on disclosed Scope 3 emissions is not generally possible; moreover, assuring completeness presents often insurmountable problems.”

Now, regulators are demanding it and auditors are gearing up to meet assurance expectations. Yet the industry is a long way off being able to provide reasonable assurance for Scope 3 emissions reporting, auditors have told Responsible Investor.

Limited assurance

Limited assurance is a form of non-financial assurance in which a practitioner looks at processes and procedures in order to determine whether there are any issues. It is often expressed in negative form, for example: “Nothing has come to our attention…”

Reasonable assurance

Reasonable assurance – or positive assurance – is a more extensive form of non-financial assurance in which a practitioner takes steps using “identified suitable criteria” to determine whether the required procedures and process have been followed.

For Douglas Johnston, climate change and sustainability partner at EY, Scope 3 emissions represent “the most material” sustainability-related exposure for companies. It is the topic “everyone is anxious about”, he tells Responsible Investor.

“Everyone is setting targets, but the data is just not there,” he says.

Deloitte’s head of ESG assurance, Steve Farrell, says data challenges for Scope 3 should “not be underestimated” and introduce increased complexities from an assurance perspective.

“Scope 3 reporting has only become more commonplace in recent years. More companies are choosing to report on all material categories – either as part of their net zero commitments, or due to voluntary or mandatory reporting,” he adds.

Assurance challenges

Assurance on GHG statements more broadly was first in demand in the early 2000s, when carbon emissions reporting started to come under closer scrutiny.

Policymakers began to call for assurance in order to provide more confidence in the information being reported in GHG statements, explains Willie Botha, technical director at the IAASB.

The standard setter was called on to develop an international assurance standard on greenhouse gas statements (ISAE 3410) in 2013, as it already had in place a widely used global non-financial assurance standard, ISAE 3000.

“We have gone from little or no reporting – never mind assurance – to mandatory disclosure and assurance on all metrics”

Steve Farrell, Deloitte

But the market for assuring GHG statements is still relatively young, and until now corporates and auditors have mostly been confident with Scope 1 and 2 data.

Global head of sustainability reporting and assurance at PwC, Alan McGill, says the data that companies have for their Scope 3 carbon footprint is “pretty much non-existent”.

“Most organisations have a pretty good handle on Scope 1 and 2. But Scope 3 typically represents around 95 percent of total emissions, and very few companies have oversight of it,” he says.

Often, corporates have only reported Scope 3 emissions which pertain to business travel. As McGill notes, however, that would only represent “a tiny part of your actual footprint”.

A significant element of the assurance process is to provide confidence on the methodologies used to calculate the data. But given the absence of primary Scope 3 data, it is often provided by third parties.

Auditors are therefore not always able to access their models, and “your ability to assure the information is compromised”, adds McGill.

Farrell agrees that there is a big obstacle on the underlying data and control environment, which is often “very immature, relative to financial information, so requires a lot more governance”.

As well as ISAE 3410, companies and auditors also use the GHG Protocol’s technical guidance, which breaks down Scope 3 emissions into 15 different categories. Companies can choose which categories are most relevant and material for them, and report against those specific metrics.

While the additional categories may be helpful to companies, they introduce fresh assurance challenges.

“The calculation methodologies across the 15 categories vary widely,” says Farrell. “Some are relatively simple, such as transmission and distribution losses, and some more complex, such as financed emissions.”

The independent assurance complexity can thus vary “significantly” depending on the categories included, he adds.

Regulatory shift

Despite these challenges, the market is rapidly shifting to mandatory Scope 3 disclosure and assurance requirements.

“We have gone from little or no reporting – never mind assurance – to mandatory disclosure and assurance on all metrics,” says Farrell.

Global regulatory developments such as the CSRD, the SEC’s upcoming climate rule in the US, and widespread adoption of the International Sustainability Standards Board’s (ISSB) global sustainability standards are rapidly forcing markets to shift away from voluntary disclosure to mandatory.

All three currently include a requirement for Scope 3 reporting. While the EU requires limited assurance on any material metrics, the SEC’s draft rule only asks for limited assurance on Scope 1 and 2 data.

For ISSB rules, it will be up to the jurisdictions introducing the standards to decide on assurance requirements.

While many countries are still only in the early stages of adoption, Australia is consulting on legislation to phase in assurance requirements for its mandatory climate reporting, with a view to introducing reasonable assurance across all climate disclosures – including Scope 3 – from year four of reporting.

McGill predicts that Scope 3 restatements – where a revision is made by the company to its disclosure – will be “relatively commonplace” in the short to medium-term due to the speed at which companies will have to adjust, and the inaccuracies and estimations which will follow.

He adds that restatements for financial reporting are rare, so “it will be interesting to see how investors and regulators cope with this”.

This may not be a problem for investors. A number of investors told RI in November that they were not concerned with CSRD reporting quality, despite auditors warning that stakeholders are likely underprepared for the assurance outcomes in the first few reporting cycles.

“If investors think something counts as a material metric, they will judge reasonable assurance as appropriate, because it will impact the company and it should be akin to a financial audit”

Alan McGill, PwC

Nonetheless, if restatements happen, McGill says there will be concerns over whether to engage with  and trust the data, and how to use it for decision-making purposes.

For SBTi’s head of validation, McKenna Smith, there is a risk that mandated reporting will put companies under too much pressure.

“We need to not reprimand companies which discover errors and then make changes,” she says.

Limited vs reasonable assurance

Restatements will also call into question the quality of assurance carried out.

As Johnston notes, part of the assurance provider’s role is to advise a client on whether or not they should assure data in the first place. But incoming regulatory requirements with time-restrictive deadlines may no longer allow for leeway on this.

Some regulation already envisages a step up in the level of assurance required following the first few years of reporting.

“Limited assurance is the current market standard in terms of what firms are seeking,” says Farrell. “The current trajectory – as we can see in the CSRD – is to eventually transition to reasonable assurance.”

But auditors are concerned that companies and stakeholders are not prepared for this level of assurance to be carried out on such immature data.

Given the “complexity and immaturity” of both the control environment and the underlying data environment, as well as the general immaturity of Scope 3 as a concept, Farrell says companies are “some way off” being able to obtain reasonable assurance on complete Scope 3 disclosures.

McGill agrees: “Limited assurance works okay, but as you move to reasonable assurance, the bar for data quality and availability is higher, which will make it much more challenging.”

For EY’s Johnston, there is also a problem with how investors and stakeholders understand assurance.

“There will be more demand for assurance in the context of CSRD. But to be honest, I don’t think most stakeholders understand the difference between limited and reasonable assurance,” he says.

He adds that EY has not seen much demand from investors for reasonable assurance.

On this point, McGill disagrees. “If investors think something counts as a material metric, they will judge reasonable assurance as appropriate, because it will impact the company and it should be akin to a financial audit.”

Johnston says he has also seen demand to move from limited to reasonable assurance from audit committees, who are now often taking full responsibility for the annual report and accounts, including non-financial disclosures.

“They are asking why we aren’t subjecting these material, non-financial data to the same level of rigour as the financial data, given investors are using it to form views about the company,” he says.