Contents
• 1 AA1000 AccountAbility Commitment and Principles
• 2 AA1000 Assurance Standard Introduction
• 3 AA1000 Assurance Standard Requirements
• 4 AA1000 AS Guidance for Assurance Practitioners
• 5 AA1000 AS Guidance for Report Preparers Seeking Assurance
• 6 AA1000 AS Guidance for Stakeholders using Assurance Reports
• 7 Informative Annexes
• 8 Foreword
♦ 8.1 Evolution of the standard
♦ 8.2 Development process
♦ 8.3 Who this standard is for
• 9 Introduction
♦ 9.1 Aims and benefits of sustainability assurance
♦ 9.2 Structure of the standard
• 10 AA1000 AS Guidance
• 11 AccountAbility Principles
♦ 11.1 1.1. Inclusivity - Stakeholder Engagement
♦ 11.2 1.2. Materiality
♦ 11.3 1.3. Completeness
♦ 11.4 1.4. Responsiveness
♦ 11.5 2. Quality of information principles
♦ 11.6 2.1. Reliability
♦ 11.7 2.2. Clarity
♦ 11.8 2.3. Balance
♦ 11.9 2.4. Comparability
♦ 11.10 2.5. Accuracy
♦ 11.11 2.6. Timeliness
• 12 Methodology for Conducting Sustainability Assurance
♦ 12.1 Defining the scope of the engagement
◊ 12.1.1 Content
⋅ 12.1.1.1 Process for identifying Intended audience / user
⋅ 12.1.1.2 Process for identifying the material issues for the report
⋅ 12.1.1.3 Process for determining the report boundary
⋅ 12.1.1.4 Limitations
◊ 12.1.2 Quality of information
⋅ 12.1.2.1 Disclosures covered
⋅ 12.1.2.2 Level of assurance
⋅ 12.1.2.3 Limitations
♦ 12.2 Engagement acceptance
◊ 12.2.1 Independence and impartiality
◊ 12.2.2 Competence
◊ 12.2.3 Duty of care
◊ 12.2.4 Reporting criteria and evidence
Aa1000
Introduction
Informative Annexes
1. References
2. AccountAbility Standards Technical Committee
3. Keeping Standards up-to-date
4. Certification of sustainability assurance practitioners
5. Accreditation of sustainability assurance providers
6. Translating AA1000AS
7. The value of sustainability assurance
Foreword
The first edition of the AA1000 Assurance Standard was launched in 2003 as the world's first sustainability
assurance standard. It was developed to ensure the credibility and quality of sustainability performance and
reporting and was the result of an extensive, two-year, worldwide consultation involving hundreds of
organisations from the professions, the investment community, nongovernmental organisations (NGOs),
labour and business. AA1000AS 2003 superseded the information on sustainability assurance provided in the
AA1000 Framework standard published in 1999. The 2003 edition was supported by a guidance note on the
application of the principles; a user note: five case studies on the application of the principles during
assurance engagements; and a briefing note on assurance levels and assurance engagements. AA1000AS
2008 is the second edition of AccountAbility's assurance standard. It supersedes all previous versions and
related guidance on sustainability assurance published by AccountAbility. It draws on the growing body of
practice and experience in sustainability assurance.
Development process
AA1000AS 2008 was developed using a broad-based multi-stakeholder process. A period of initial research
which included a widely broadcast e-survey was followed by face-to-face consultations in 20 countries with a
comprehensive range of stakeholders and a series of workshops with specific stakeholder groups. All of the
input received was then considered by the drafting committee of the AccountAbility standards technical
committee who prepared a draft standard for public review. There were three periods of public review of
60-90 days each. All public review took the form of collaborative drafting with full transparency using a wiki
platform. Between each of these periods of public review and following the final one, the AccountAbility
standards technical committee reviewed and revised the draft. The final draft was prepared by the technical
committee and submitted to the AccountAbility Operating Board who approved it for publication.
This standard is primarily intended for use by sustainability assurance practitioners and providers. In addition,
this standard may be useful to those preparing for assurance in accordance with this standard, as well as for
users of sustainability assurance reports and statements, for other standards developers, and for professional
development and training practitioners.
The evolving nature of learning in the standards field means that the process of developing standards is
ongoing. By continually engaging with AA1000 Assurance Standard users and stakeholders, AccountAbility
is able to reflect learning in the form of additional guidance and revisions to the standard. AccountAbility
invites you to share your AA1000 Assurance Standard experiences with us so that we can continue to improve
the AA1000 Series.
Introduction
Sustainability reporting provides stakeholders with information about the social, economic and environmental
management and performance of an organisation. Sustainability reporting should be of a high quality and
communicated in a manner designed to provide stakeholders with sufficient information to be able to
understand the sustainability performance of an organisation.
Credibility is a pre-requisite for effective sustainability reporting. Credibility can be considerably enhanced
through assurance using accepted professional standards. Reporting organisations and their stakeholders
increasingly accept that robust independent external assurance is a key way of increasing the credibility and
effectiveness of their reporting and, ultimately, their performance.
The AA1000 Assurance Standard, AA1000AS (2008), is a standard in the AA1000 Series and as such is
based on the general commitment and principles found in the AA1000 AccountAbility Commitment and
Principles, AA1000ACP (2008).
• Foreword
• Introduction
• Glossary
There are also three guidance sections providing additional guidance for assurance practitioners, reporting
organisations seeking assurance and stakeholders using assurance reports.
AA1000 AS Guidance
A. Guidance for Assurance Practitioners
AccountAbility Principles
1.1.1. Can the organization describe the stakeholders to whom it considers itself accountable?
1.1.2. Does the report content draw upon the outcomes of stakeholder engagement processes used by the
organization in its ongoing activities, and as required by the legal and institutional framework in which it
operates?
1.1.3. Does the report content draw upon the outcomes of any stakeholder engagement processes undertaken
specifically for the report?
1.1.4. Are the stakeholder engagement processes that inform decisions about the report consistent with the
scope and boundary of the report?
Advanced level
1.1.5. Does the reporting organisation have in place a stakeholder strategy and adequate processes sufficient to
deliver this strategy?
1.1.6. The AA1000 Stakeholder Engagement Standard (AA1000SES) establishes requirements for effective,
quality stakeholder engagement. The following steps are included in the AA1000SES and any evaluation of
adequate stakeholder engagement processes needs to consider the following (refer to the AA1000SES for
further guidance):
1.1.13. Engage with stakeholders in ways that facilitate understanding, learning and improvement
1.1.18. Is there a process for resolving conflicts or dilemmas between different stakeholder expectations
regarding materiality?
1.2. Materiality
The concept of materiality comes from financial auditing and reporting. Materiality for financial reporting is
defined as follows: "Information is material if its omission or misstatement could influence the economic
decisions of users taken on the basis of the financial statements. Materiality depends on the size of the item or
error judged in the particular circumstances of its omission or misstatement. Thus, materiality provides a
threshold or cut-off point rather than being a primary qualitative characteristic which information must have if
it is to be useful."
In practice, financial impact thresholds are established that define the "magnitudes" that are deemed material.
The European Federation of Accountants (FEE) guidance on materiality during audit engagements indicates
that it is important to consider materiality when determining evidence gathering requirements; and that when
considering materiality the practitioner should understand what factors will influence the decisions of
intended users. The relative importance of qualitative and quantitative factors in determining materiality is a
matter of professional judgment.
The AA1000 Assurance Standard builds on this and requires that an Assurance Provider assess an
organisation's determination of materiality in relation to a range of criteria and not just in relation to financial
thresholds. As in the case of financial auditing and reporting, an issue, concern or impact is material if it could
influence the decisions and behaviour of Stakeholders or the organisation itself.
The AA1000 Assurance Standard, by recognising Stakeholders as users and by requiring that Stakeholders
participate in the determination of materiality makes it clear that they are an important source of evidence and
that their views count in the determination of materiality.
An Assurance Provider should evaluate an organisation's determination of the issues, concerns and impacts
material to the organisation and its Stakeholders, and whether there are any material misrepresentations or
omissions in its reporting of the results of this process.
A material misrepresentation or omission occurs when information is not disclosed or, if disclosed, is in some
way distorted such that in either case it is likely to change the decisions, actions and behaviour of Stakeholders
or the organisation itself.
Scope should take into consideration physical, organizational and time boundaries. The Assurance Provider
should clearly state the boundaries of enquiry in the assurance statement.
The reporting organisation is responsible for determining what it considers to be material. It should be made
clear in the assurance statement and/or final report where the final responsibility for determining materiality
lies.
The determination of materiality should be systematic and defensible. An Assurance Provider should analyse
the process used to determine materiality, as well as its systematic application.
An assurance provider should assess whether there has been an evaluation of relevance and importance based
on clearly identified criteria, taking into account whether there has been a process for establishing and
justifying the basis for determining the past, present or likely future occurrence and the severity of the
(predicted) impact.
An assurance provider should evaluate the process through which stakeholders have been involved. The
following tests provide guidance for evaluating adherence to the Principle. An Assurance Provider will need
to establish what is required to determine that these criteria are met and what evidence is necessary. Different
levels of assurance may require different levels of evidence testing.
Basic Level
1.2.1. Did the reporting organisation, in defining material issues, take into account external factors, including:
1.2.1.2. The main topics and future challenges for the sector reported by peers and competitors.
1.2.1.3. Relevant laws, regulations, international agreements, or voluntary agreements with strategic
significance to the organization and its stakeholders.
1.2.1.4. Reasonably estimable sustainability impacts, risks, or opportunities (e.g., global warming, HIV-AIDS,
poverty) identified through sound investigation by people with recognized expertise, or by expert bodies with
recognized credentials in the field.
1.2.1.5. Did the reporting organisation, in defining material topics, take into account internal factors,
including:
1.2.1.6. Key organizational values, policies, strategies, operational management systems, goals, and targets.
1.2.1.7. The interests/expectations of stakeholders specifically invested in the success of the organization (e.g.,
employees, shareholders, and suppliers).
1.2.2. The core competencies of the organization and the manner in which they can or could contribute to
sustainable development.
Advanced Level
1.2.7. Does the process fairly represent the views and significant of stakeholders?
1.2.11. In your professional judgment, are there any material omissions or misrepresentations?
1.2.12. In your professional judgment, does the report address all material performance issues?
1.2.13. Is the relative significance of material issues and related performance put into context?
1.3. Completeness
Fairness and Balance
An assurance practitioner should evaluate whether all information that is material to users, both favourable
and unfavourable, for assessing the reporting organisation's economic, environmental, and social performance
appears in a manner consistent with the declared scope.
An Assurance Provider should analyse the way in which the reporting organisation has established boundaries
for:
There is a growing trend towards reporting on specific issues and to specific stakeholders or users, and to
providing assurance appropriate to those users. An Assurance Provider may therefore be asked to provide
assurance where there is no single report but rather a range of communications, for example, summary and
full reports, on-line versions, presentations, podcasts etc.
In such a case assurance should consider individual communications in relation to their intended users and
within the context of the underlying data, systems, processes, organisational conduct and competencies that
the individual communications draw on. The same tests for fairness and balance should be used.
Any assurance statement attached to a specific report or communication should clearly acknowledge the
difference in scope between an assurance engagement and the scope of the report or communication, and
make it clear what the assurance statement refers to. This also applies when providing an assurance statement
for the summary version of a full sustainability report. The statement should apply only to the information
within that particular report, or make it clear that it is referring to content in the full report to avoid confusing
readers. The following tests provide guidance for evaluating adherence to the principle. An Assurance
Provider will need to establish what is required to determine that these criteria are met and what evidence is
necessary. Different levels of assurance may require different levels of evidence testing.
Basic Level
1.3.1 Does the report cover and prioritise all information that should reasonably be considered material?
1.3.2 Does the report include all entities that meet the criteria of being subject to control or significant
influence of the reporting organization unless otherwise declared?
1.3.3 Does the information in the report include all significant actions or events in the reporting period, and
reasonable estimates of significant future impacts of past events when those impacts are reasonably
foreseeable and may become unavoidable or irreversible?
1.3.4 Does the report omit relevant information that would influence or inform stakeholder assessments or
decisions, or that would reflect significant economic, environmental, and social impacts?
Advanced Level
1.3.5 Is there a process in place to determine boundaries (e.g. of the organisation's influence or control, of the
report, of the assurance engagement)?
1.3.6 Is there a process in place to fully research and understand the range of issues and concerns material to the
organization and its stakeholders?
1.3.7 Is there a process in place to address the range of issues and concerns raised by stakeholders?
1.3.8 Does the organisation have a process for deciding what is fair and balanced for any specific report?
1.3.10 Are the specific reports and communications being assured fair and balanced?
1.4. Responsiveness
Prioritising Response
An assurance practitioner should evaluate whether a reporting organisation has in place a process to respond
to material issues and how an organisation has prioritised response.
An assurance provider should evaluate whether the reporting organisation has allocated adequate resources.
Resources are adequate when they allow the reporting organisation to achieve within the stated time frame its
stated commitments and to communicate its response in a way that is consistent with stakeholder interests.
Timeliness of Response
An assurance provider should evaluate whether the reporting organisation has responded in a timely fashion.
Communicating the Response
An assurance provider should evaluate responsiveness in relation to the intended users and within the
context of the overall response to material issues and concerns.
A reporting organisation's processes and mechanisms for providing access should reflect the different needs
and capacities of its stakeholders and should not require unreasonable effort. Information should be clear and
understandable.
The following tests provide guidance for evaluating adherence to the principle. An Assurance Provider will
need to establish what is required to determine that these criteria are met and what evidence is necessary.
Basic Level
1.4.1. Does the organisation have in place a process to decide what issues to respond to?
1.4.2. Is the information on the organisation's response available and accessible to stakeholders?
Advanced Level
1.4.3. Does the organisation have a process in place to integrate its responses into its management, governance
and change processes?
1.4.5. Does the organisation allocate adequate resources to enable the implementation of commitments?
1.4.7. Does the organisation have processes in place to prevent material misstatements when communicating
its response to stakeholders?
1.4.8. Does the organisation identify any shortfalls and implement corrective action in relation to its
responsiveness?
2.1. Reliability
Assurance providers should evaluate whether the information and data included in a report about the
organisation's performance is supported by internal systems, controls and documentation.
The following tests provide guidance for evaluating adherence to the criteria. An Assurance Provider will
need to establish what is required to determine that these criteria are met and what evidence is necessary.
Different levels of assurance may require different levels of evidence testing.
2.1.2 Can the original source of the information in the report be identified?
2.2. Clarity
An assurance provider should evaluate whether the report presents information in a way that is
understandable, accessible, and usable by the organization's range of stakeholders (whether in print form or
through other channels).
The following tests provide guidance for evaluating adherence to the criteria. An Assurance Provider will
need to establish what is required to determine that these criteria are met and what evidence is necessary.
Different levels of assurance may require different levels of evidence testing.
2.2.1 Does the report contain the level of information required by stakeholders, but avoid excessive and
unnecessary detail?
2.2.2 Could stakeholders find the specific information they want without unreasonable effort through tables of
contents, maps, links, or other aids?
2.2.3 Does the report avoid (where practical) technical terms, acronyms, jargon, or other content likely to be
unfamiliar to stakeholders, and does it include explanations (where necessary) in the relevant section or in a
glossary?
2.2.4 Is the data and information in the report available to stakeholders, including those with particular
accessibility needs (e.g., differing abilities, language, or technology)?
2.3. Balance
An assurance provider should evaluate whether the overall presentation of the report's content provides an
unbiased picture of the reporting organization's performance and avoids selections, omissions, or presentation
formats that are reasonably likely to unduly or inappropriately influence a decision or judgment by the report
reader.
The following tests provide guidance for evaluating adherence to the criteria. An Assurance Provider will
need to establish what is required to determine that these criteria are met and what evidence is necessary.
Different levels of assurance may require different levels of evidence testing.
2.3.1 Does the report disclose both favorable and unfavorable results and topics?
2.3.2 Is the information in the report presented in a format that allows users to see positive and negative trends
in performance on a year-to-year basis (including both the quantitative data and commentary on observed
trends)?
2.3.3 Is the emphasis on the various topics in the report proportionate to their relative materiality?
2.4. Comparability
Comparability is necessary for evaluating performance. Assurance practitioners should evaluate whether
stakeholders using the report are able to compare information reported on
economic, environmental, and social performance against the organization's past performance, its objectives,
and, to the degree possible, against the performance of other organizations.
The following tests provide guidance for evaluating adherence to the principle. An Assurance Provider will
need to establish what is required to determine that these criteria are met and what evidence is necessary.
Different levels of assurance may require different levels of evidence testing.
2.4.1 Can the report and the information contained within it be compared on a year-to-year basis?
2.4.2 Can the report and the information within it be compared on a year to year basis to that of industry
peers?
2.4.4 Can any significant variation between reporting periods in the boundary, scope, length of reporting
period, or information covered in the report be identified and explained?
2.4.5 Where they are available, does the report utilize generally accepted protocols for compiling, measuring,
and presenting information, including the GRI Technical Protocols for Indicators contained in the Guidelines?
2.4.6 Does the report use GRI Sector Supplements, where available?
2.5. Accuracy
An assurance provider should evaluate the accuracy of quantitative and qualitative information in the report.
The specific threshold of accuracy that is necessary will depend partly on the intended use of the information.
Certain decisions will require higher levels of accuracy in reported information than others.
Tests
The following tests provide guidance for evaluating adherence to the criteria. An Assurance Provider will
need to establish what is required to determine that these criteria are met and what evidence is necessary.
Different levels of assurance may require different levels of evidence testing.
2.5.1 Does the report indicate the data that has been measured?
2.5.2 Are data measurement techniques and bases for calculations adequately described, and can they be
replicated with similar results?
2.5.3 The margin of error for quantitative data is not sufficient to substantially influence the ability of
stakeholders to reach appropriate and informed conclusions on performance.
2.5.4 The report indicates which data has been estimated and the underlying assumptions and techniques used
to produce the estimates, or where that information can be found.
2.5.5 The qualitative statements in the report are valid on the basis of other reported information and other
evidence reviewed.
2.6. Timeliness
The usefulness of information is closely tied to whether the timing of its disclosure to stakeholders enables
them to effectively integrate it into their decision-making and assurance practitioners should evaluate whether
this is possible with the report they are considering. The following tests provide guidance for evaluating
adherence to the criteria. An Assurance Provider will need to establish what is required to determine that these
criteria are met and what evidence is necessary. Different levels of assurance may require different levels of
evidence testing.
2.6.1 Has information in the report been disclosed while it is recent relative to the reporting period?
2.6.2 Is the collection and publication of key performance information aligned with the sustainability
reporting schedule?
2.6.3 Does the information in the report (including web based reports) clearly indicate the time period to
which it relates, when it will be updated, and when the last updates were made?
The scope of the assurance engagement will determine the level of assurance being sought, and shall be
agreed between the reporting organisation and the assurance provider before the assurance engagement
begins. The agreement on scope shall take into consideration the effect on engagement scope that may result
from the application of the content principles. The assurance statement should declare the scope of the
assurance engagement.
Guidance
The AA1000 Assurance Standard advocates an open scope. This means applying the principles within the
context of stakeholder engagement to an organisation's issues and concerns. This includes issues that the
organization can influence as well as those over which it has management control. It encompasses both direct
and indirect impacts. An Assurance Provider should analyse the way in which the organisation has established
boundaries for the identification of issues and concerns. Assurance Providers should consider organisational,
physical and time boundaries. Assurance Providers can refer to the GRI guidance on boundary definition.
The scope of an assurance engagement may be different from the scope of a report. The AA1000 Assurance
Standard requires that where the scope of an assurance engagement is limited, any limitations in scope are
clearly stated in the assurance statement.
Content
Requirement
The scope of the assurance engagement shall include an evaluation of the process used by the organisation to
determine the intended users of the report and the results of that determination. The intended users shall be
evaluated in the context of the organization's reporting policy and the material concerns of the intended users.
Guidance
Requirement
The scope of the assurance engagement shall include an evaluation of the process the organisation has used to
determine its material sustainability issues and the results of that process.
Guidance
The consideration of material issues must take place within the context of financial concerns and not just
social, environmental and economic issues. There are, for example, financial issues with social implications
such as incentive systems.
Requirement
The scope of the assurance engagement shall include an evaluation of the process the organisation has used to
determine the report boundaries and the results of that process, and shall evaluate those boundaries within the
context of the boundaries associated with the identification, understanding and response of the organisation to
its material sustainability issues.
Guidance
Organisations have to consider the financial statement boundary to determine the report boundaries. The
boundary of the sustainability report and of the financial report should be the same.
Limitations
Requirement
Any restrictions in the scope of the assurance engagement shall be addressed in the sustainability report and in
the assurance statement.
Guidance
Where the full list of material sustainability issues of the organisation is not included in the report because of
the defined material issues of interests to the intended audience, or where the boundaries covered in the report
are restricted because of the defined interest of the intended audience, the reporting organisation shall ensure
that this is made clear in the report and in the assurance statement.
Quality of information
Disclosures covered
Requirement
The scope of the assurance engagement shall identify all disclosures (i.e. reports and other forms of
communication) covered by the engagement. The assurance statement shall identify those disclosures covered
by the engagement.
Guidance
An organisation may produce in print or electronically a number of different reports on its sustainability
performance. It is important to make clear exactly which of these disclosures are covered by the assurance
statement. This may mean attaching an "assured" statement or notice to each individual web page that has
been assured and noting on pages that are not assured that "the information on this page has not been assured."
This may be the case where the assurance engagement covered all information produced before a given date
and then the organisation provides more recent, un-assured information on its website.
Level of assurance
Requirement
The scope of the engagement shall define the anticipated level of assurance. The assurance engagement plan
shall ensure that sufficient evidence is gathered to provide the level of assurance. If during the performance of
the engagement it becomes evident that information required to achieve the agreed level is not available the
Assurance Provider will highlight this in the Assurance Statement and may qualify their conclusions.
Guidance
Based on the current state of the debate of its technical committee and other stakeholders, AccountAbility
defines "level of assurance" as the level of confidence the Assurance Provider obtains concerning:
1. The scope of the subject matter (i.e. have you identified and are you addressing the right issues?)
During the assurance engagement, the Assurance Provider obtains a level of assurance about the organisation
and articulates this in the assurance statement, recognizing that in practice the level of assurance is usually
agreed between the organisation and Assurance Provider at the outset of the engagement and is related to
work effort; and that assurance is an iterative process during which weaknesses in the evidence and the
disclosure are resolved or explained in the Report and may result in qualified conclusions.
The question then becomes: how do you name or identify the levels? The technical committee has considered
options ranging from:
• not naming levels but instead requiring a high level of transparency on the methodology used to assess the
scope of the subject matter and the reliability of information (this would mean that the users of the assurance
statement would have to determine for themselves the level of assurance); to
• using the same names for levels as those used in ISAE 3000 - "limited" and "reasonable" (this would
provide a high level of consistency with existing usage and allow for greater alignment between AA1000AS
and the standards of the accounting profession).
There has, however, been hesitation to adopt either of these two options. It has been argued that to simply
provide greater transparency of methodology makes comparing statements more subjective and difficult. On
the other hand, others argue that the terms "limited" and "reasonable" do not adequately reflect the nature of
levels to the lay reader and that the definition of these terms is not precise. There is also concern with the
language required to express these levels: "limited" assurance must be expressed in negative language.
A middle road has been suggested. This would require more transparency of methodology alongside more
appropriately named levels. The named levels would allow for correspondence with "limited" and
"reasonable" where this is desired, but would use more accessible language. It has also been suggested that
the named levels be explained as reference points along a spectrum in order to allow for assurance providers
to further refine their description of levels should they wish.
These two "reference" levels have been referred to during technical committee discussions as the "highest
level obtainable" and "the level below which assurance is not possible." The level obtained would be
described in relation to the work needed to reduce the risk of misstatement. The highest level of assurance is
not a guarantee but an acknowledgement on the part of the Assurance Provider that any additional information
would not increase their level of confidence in the conclusions has reached. The level below which assurance
is not possible means that the type and quality of information available does not provide the Assurance
Provider with any level of confidence.
Any refinement to the statement of level obtained would explain why the highest level of confidence has not
been obtained, for example, something to do with:
It should be possible to come up with acceptable terms for these reference levels as well as with further
guidance on how to refine their description in an assurance statement.
ISAE 3000 provides guidance on the approach and procedures that enable an assurance engagement to be
undertaken in a systematic and consistent manner and in line with professional auditing standards and codes
of conduct. AA1000AS is a principles-based assurance standard that defines the necessary processes required
to apply these principles during an assurance engagement. The two standards differ in their approach to the
scope of the subject matter. ISAE 3000 requires the Assurance Provider to agree on the scope of the subject
matter of the assurance engagement with the reporting organisation at the outset, and to apply considerations
of materiality in relation to this predetermined scope. The AA1000AS takes an open-scope approach
determined by stakeholder-based materiality. It defines stakeholders as individuals and groups that affect
and/or are affected by the organisation and requires that Assurance Providers assess the quality of the
organisation's engagement with these stakeholders and the robustness of its decision-making processes
regarding "stakeholder-based" materiality.
Both standards require an evaluation of the reliability of the underlying systems, data and information. ISAE
3000 reduces the risk of errors or omissions in the assured information to an acceptable level by choosing
between a "reasonable assurance engagement" (risk reduced to a low level) and a "limited assurance
engagement" (risk reduced to a moderate level) or a combination of these for different information. The
choice determines the amount/depth of work which the Assurance Provider undertakes. The AA1000AS
defines level of assurance as the level of confidence the assurance provider obtains concerning the reliability
of information and the scope of the subject matter, and does not define specific levels of assurance.
Limitations
Requirement
Any restrictions in the scope of the assurance engagement shall be addressed in the sustainability report and in
the assurance statement.
Guidance
Engagement acceptance
The Assurance Provider shall be demonstrably independent from the Reporting Organisation.
The Assurance Provider shall be impartial in its dealings with the Reporting Organisation and its
Stakeholders.
Guidance
The Assurance approach and associated contractual framework agreed between the Assurance Provider and
the Reporting Organisation must not dilute or unduly influence the ability of the Assurance Provider to fulfil
its responsibility to the Reporting entity's Stakeholders.
Many codes and mechanisms exist that might usefully guide Assurance Providers in ensuring independence,
depending for example on their professional base, and their institutional and geographic location. Given the
diversity of possible Assurance Providers and contexts, the Provider is required to make a public Statement of
Independence covering each Assurance assignment that would include:
• Conflict-of-interest policies that it adheres to, concerning employment relationships, for example, including
any professional codes that it adheres to on a voluntary or mandatory basis.
• An account of any recent, ongoing or potential financial or commercial relationships between the Assurance
Provider and the Reporting Organisation, for example, fee-for-service (e.g. consultancy, research, other forms
of accounting, Assurance, or advice), governance arrangements and/or ownership (e.g. directorships or
shareholdings). This should apply to both the organizations concerned and the individuals involved in the
Assurance assignment. Good practice would require that the fee for the current assurance engagement should
be disclosed within the statement.
Impartiality concerns the ability and willingness of the Assurance Provider to fulfil the agreed Assurance
assignment without its understanding, judgement or statements being unduly influenced by the nature of its
relationships with the Reporting Organisation's Stakeholders (including shareholders).
Given the diversity of possible Assurance Providers and contexts, the Assurance Provider is required to make
public a Statement of Impartiality covering each Assurance assignment that would include:
• Recent, ongoing or potential financial or commercial relationships between the Assurance Provider and the
Reporting Organisation's Stakeholders involving fee-for-service (e.g. consultancy, research, other forms of
accounting, Assurance, or advice), governance arrangements and/or ownership (e.g. directorships or
shareholdings) or membership. This should apply to both the organisations concerned
Competence
Requirement
Assurance Practitioners, Providers and the Reporting Organisation shall ensure that the individuals and
organisations involved in an Assurance Engagement are demonstrably competent. The Reporting Organisation
shall require the Assurance Provider to be prepared to make information available to interested Stakeholders
about the competencies of the individuals involved in the Assurance Engagement.
The Assurance Providers, that is, the organisations through which individuals provide Assurance, shall be able
to demonstrate adequate institutional competencies.
Guidance
The credibility of a Report's Assurance relies on the Assurance Provider's competencies as well as the use of
appropriate standards, including the AA1000 Assurance Standard.
• An understanding of Sustainability Assurance, including accounting and data review procedures and
auditing practice
• An understanding of and ability to apply and to embed techniques and processes of stakeholder engagement
and to assess and assure against these principles
The CSAP qualification demonstrates the required competence (see the Annex below).
The competencies of the Assurance Providers, that is, the organizations through which Assurance practitioners
provide assurance, should include:
• Adequate Assurance oversight to ensure that the organisation is undertaking Assurance to the highest
possible standards and is not compromised by commercial interests or inadequate competencies. Oversight of
Assurance work is required by one or more mechanisms or processes, such as an Assurance Committee,
involving people neither undertaking nor benefiting from the Assurance work in question.
• Adequate understanding of the legal aspects of the Assurance process, and adequate professional indemnity
insurance.
• Infrastructure to ensure the above as well as the secure, long-term storage of Assurance-related material.
Individual Assurance Providers (i.e. not part of any organisation) must ensure that they have equivalent
arrangements in place.
Duty of care
Requirement
Assurance providers shall exercise care in accordance with the importance of the task and the confidence
placed in them by the users of their assurance statement. Possessing the necessary competence is a necessary
prerequisite.
Guidance
Before accepting an engagement, the Assurance Provider shall satisfy himself that it is reasonable to assume
that the reporting criteria used by the reporting organisation are suitable (fit for purpose) and that sufficient
evidence is available.
Guidance
Before accepting an engagement the Assurance Provider shall satisfy himself that it is reasonable to assume
that the requirements of AA1000AS (2008) can be met during the course of the engagement and that the
Reporting Organisation is acting in good faith.
Guidance
Engagement Letter
Requirement
The terms and conditions shall be set out in an engagement letter which shall cover:
• Objectives
• Scope
• Standards to be used
• Confidentiality requirements
Guidance
• Objectives
• Scope
• Standards to be used
• Confidentiality requirements
The Assurance provider shall prepare a documented plan for conducting the assurance engagement. In
addition to addressing the items in the engagement letter, the Assurance provider shall provide detail on:
• Evidence gathering plan for evaluations against both the content principles and the quality of information
principles, including,
• Depth and breadth of evidence gathering (to demonstrate how the anticipated level of assurance will be
achieved)
• Types of evidence
• Sources of evidence
Guidance
There shall be a system in place that articulates the reporting process and structure - for example GRI - and it
shall be publicly available. There shall be information systems in place for reporting indicators including
indicator protocols (either GRI or own) that are publicly available.
• Evidence gathering plan for evaluations against both the content principles and the quality of information
principles, including,
• Depth and breadth of evidence gathering (to demonstrate how the anticipated level of assurance will be
achieved)
• Types of evidence
• Sources of evidence
Reporting
Assurance statement
Requirement
An assurance statement shall be issued. Any restrictions to the scope of the sustainability report or assurance
engagement shall be addressed in the assurance statement. Any Claim of accordance with AA1000AS (2008)
shall meet all requirements of the standard. An assurance Statement shall include the following information:
• Title
• Note on audience
• Note on criteria
• Disclosure of methodology
• Findings, commentary and recommendations - including whether previous years' recommendations have
been implemented (where appropriate)
• Signature
Guidance
An introduction to the Assurance Statement by the Reporting Organisation, though not mandatory, can be
useful. It could explain the organisation's current and future approach to assurance, including:
• why assurance was used, including expectations and perceived benefits (and actual benefits if assurance has
been carried out in previous years);
• which standards and frameworks were chosen for the engagement and why.
Title
A simple and clear title should be used, for example: Independent Assurance Statement
Note on audience
If there is no list of intended users provided in the Report, the organisation leading the assurance engagement
should consider identifying the agreed audience of the Report in the Assurance Statement, where practical.
Otherwise, a reference to the location of the list in the Report can be useful to readers.
The roles and responsibilities of the assurance provider and reporting organization should be clearly stated.
The lead provider as well as the other experts on the team should be identified. The organisation should
identify who within the organization commissioned the engagement.
The statement should state which sections of the report are the subject of the assurance engagement. Any
exclusions and limitations should be explained.
Note on criteria
The statement should identify the criteria used for the engagement, their suitability and their source.
Disclosure of methodology
The statement should provide a description of the methodology used during the engagement. This should
include:
• the identification of the standards and principles used and how they were used (e.g. for reference or as the
basis for determining compliance) including any limitations to use;
• a description of the evidence gathering methods, including the depth of investigation; and
• the robustness of the process and systems used by the organisation to determine material issues;
• the robustness of the process and systems used to understand as completely as possible the impacts and
opportunities associated with material issues;
• findings concerning assertions relating to compliance to agreed standards, codes, regulations and policies;
This should be provided for all Assurance Providers and experts involved in the assurance process.
Signature
Report to management
Requirement
If agreed in the letter of engagement, the Assurance provider shall provide a report to management. The report
to management shall provide a greater level of detail on the conduct of the engagement and the findings. The
report to management shall not communicate different or additional conclusions than those found in the
assurance statement except in those cases where there is an agreed and justified need for confidentiality.
Guidance
The content and style of the report should be discussed with the Reporting organisation as part of the design
of the engagement.
The report will typically follow the structure of the assurance statement. In addition to further detail on the
conduct and findings of the engagement, the report may also include information that benchmarks the
reporting organisation with peer organisations.
Additional detail on the conduct of the engagement should address in detail any constraints encountered
during the engagement and should outline the relative strengths and limitations of the process used in the
collection and analysis of information.
Informative Annexes
Only assurance engagements that meet the requirements of the standard shall claim that assurance has been
provided in accordance with AA1000AS (2008) and be eligible for inclusion on the Corporate Register list of
AA1000AS assured reports. Users of the standard should notify Corporate Register that they have used the
standard.
Detailed information on The AA1000 Series of standards can be found on the AccountAbility web site:
http://www.accountability21.net
We welcome suggestions for improvement of our standards and encourage readers to notify us immediately of
any apparent inaccuracies or ambiguities. Please address your comments to the Head of Standards at
AccountAbility.
• Enable practitioners to develop, validate and communicate their competence in a systematic manner.
• Develop a more systematic understanding of key competency requirements for providing effective
assurance, and so establish a basis for informing this and other standards in future.
• those who work in CSR departments involved in the development of corporate accountability programs;
• Sustainability Assurance Practitioner: an active practitioner with demonstrable experience over a number of
assignments with different clients or, for internal practitioners, over several assurance cycles covering a range
of sustainability issues
• Lead Sustainability Assurance Practitioner: active in the provision of sustainability assurance and you have
led a significant number of sustainability assurance assignments either internally or as part of external
assurance assignments. Experience in stakeholder engagement as part of assurance assignments is essential, as
is the lead role in forming assurance judgements and the preparation of external or internal assurance
statements
The revision consultations have illustrated that there is significant interest in organisational accreditation to
address the experience gap and to ensure the quality of assurance. This is something that will have to be
considered and developed over time with those in the field.
A reporting organisation needs to take into account a number of considerations when engaging a sustainability
assurance provider. Listed below is a selection of some (but not all) of the factors a reporting organisation
should consider when engaging a sustainability assurance provider.
Administrative Requirements
• Has current engagement with the assurance provider given confidence that they will be able to provide
adequate account management and timely communications?
Organisational Profile
• Is the summary of the provider's services and the markets in which it operates suitably relevant?
• Is the experience in providing similar services to other organisations relevant to your organisation?
• How many similar assurance engagements has the organisation done in the last three years?
Assurance Team
• Can team members demonstrate the necessary qualifications and competencies? Are they CSAP certified?
• Does the lead assurance practitioner have the necessary qualifications and competencies? Is he CSAP
certified?
Technical Proposal
• Does the assurance provider have a clear and detailed understanding of:
o Product issues
o Market issues
• Does the assurance provider have a clear and detailed understanding of:
o GRI criteria
• Does the provider illustrate a clear understanding of the scope of work required in the assurance engagement
(assurance, issues, organisation, time)?
• Is a clear and detailed work plan proposed that understands stakeholder concerns and will lead to a fit for
purpose assurance statement?
• Is there a clear and detailed presentation of the organisation and structure for delivery of assurance services?
Translating AA1000AS
The AA1000AS 2003 edition has been translated into a number of languages. Translating the standard into
multiple languages enables wider international use of the standard, a greater depth of understanding at the
local level and increased consistency in the quality of assurance engagements worldwide.
It is our intention to translate AA1000 2008 into a number of languages. AccountAbility is always looking for
partners to work with to translate the standard into new languages. If you are interested in partnering on this,
please contact the Head of Standards at AccountAbility.
Although limited in sustainability reporting, regulation is the clear driver for independent assurance in the
financial world. Similarly the ability to illustrate compliance to various codes and standards is an important
element of the value of assurance. This is particularly true in countries such as France where elements of
non-financial reporting are mandatory. Voluntary reporting and assurance on sustainability issues is often seen
as a way of avoiding regulation on certain issues, which many companies value.
Convincing:
Independent sustainability assurance can help to convince stakeholders of a company's claims and
performance in a number of areas. It can help a company illustrate that it is meeting organisational
commitments or that it is improving performance on a previously weak area.
More positively, independent assurance can reaffirm where a company is going beyond best practice and
developing clear brand differentiations. Independent assurance can help embed a company's reputation for
strong sustainability performance.
Assurance which accurately considers materiality and stakeholder engagement can give confidence to
stakeholders that the organisation is reporting on the issues it should be and is not ignoring anything relevant
and important.
Decision Making:
Assurance of timely and appropriate data and underlying systems is essential to enable stakeholder
decision-making. As much of a company's value is bound up in intangible non-financial assets there is
increasing stakeholder pressure for many of these issues to be assured independently to give those who make
decisions on the company greater confidence.
Decision-makers informed by assurance can range from those in the investment community, to NGOs
deciding where to focus their campaigns, to consumers deciding which products to buy. Assurance on a single
report can provide a central place for decision-makers to go to, improving access and reducing the need for
organisations to respond to endless questionnaires.
Assurance can help as much internally as externally. Independent verification of policies, strategies, systems,
understanding and data can help an organisation enhance and improve international management systems
and/or strategies. It can help a company identify what more is needed to be done in order to satisfy certain
organisational commitments (e.g. UNGC) or more generically can identify where a company's sustainability
performance is strong and where it can be improved.
Assurance that incorporates stakeholder engagement will go further in capturing controversial and contested
areas of responsibility and driving necessary learning and innovation.
What is clear is that the value of assurance is not restricted to the reporting organisation, but is appreciated by
all of its stakeholders. Indoor stakeholders (management) gain a greater understanding of areas of risk and
value creation. Back-door stakeholders (investors and regulators) are able to analyse risks, opportunities and
compliance more easily. Although front-door stakeholders (media, NGOs, Customers) remain cynical about
assurance they are generally responsive to ideas of independent verification of company activities.