Home 442The Assurance of Corporate Sustainability Reports and the Renewed Role of Certified Auditors
Article Open Access

442The Assurance of Corporate Sustainability Reports and the Renewed Role of Certified Auditors

  • Janne Ruohonen ORCID logo EMAIL logo and Helmi Kullas
Published/Copyright: November 29, 2024
Download Article (PDF)
Become an author with De Gruyter Brill
Author Information Explore this Subject
European Company and Financial Law Review
From the journal European Company and Financial Law Review Volume 21 Issue 3-4

Abstract

The corporate sustainability reporting directive (2022/2464, CSRD) is expected to broaden its scope to include almost 50 000 companies in Europe. The directive sets two key obligations: (1) The annual management report must include information about certain sustainability subjects according to uniform standards; and (2) Sustainability reports must be controlled by an auditor or other authorized controller. This article focuses on examining the topic from an auditor’s perspective. Assuring the reliability of sustainability reports is essential to meet the objective of stakeholders getting reliable and comparable information. The aim of the article is to examine the renewed obligation to assure sustainability reporting, especially the key differences between the limited assurance level of sustainability reporting and the reasonable assurance level of statutory auditing. In addition, the article examines the narrowing of the expectation gap between the stakeholders and the actual content of assurance. If, in the future, sustainability information at the EU level is genuinely intended to be placed in the same category as the audit of financial information, then it is necessary to move from limited assurance engagements to reasonable assurance engagements. However, the issue must be carefully evaluated from the perspective of the administrative burden incurred by the companies, because it significantly increases the costs associated with the assurance of sustainability reporting for the companies. Finally, the goal is to evaluate how the assurance of sustainability reporting is regulated in Finland.443

1. Introduction

Over the past decade, voluntary sustainability information reporting has been growing rapidly, with about 77 percent of the largest European companies issuing sustainability reports.[1] The valuation of companies has shifted to a more comprehensive view, taking into account factors influencing longevity in addition to financial factors.[2] As a result, sustainability matters have become a focal point for investors, creditors, legislators, customers and other stakeholders.[3] The new sustainability reporting requirements are not only going to affect large corporations, but reporting duties have also been set for listed small and medium-sized enterprises (SMEs) (excluding microenterprises). The auditing industry has undergone many changes in the 21st century. With new requirements on reporting and assuring sustainability information, auditors must understand not only the financials of a company, but also the impact of its opera444tions on sustainability issues as well as the impacts of sustainability issues on the company. Auditors can also utilize financial data when assuring sustainability reporting and vice versa.[4] International standards for auditing (ISA) have already been established in the auditing industry, and certified auditors have adequate prerequisites for adopting the statutory role of a sustainability reporting auditor based on international standards.

Until now, one key problem in sustainability reporting in the EU has been the use of confusing reporting practices. The new sustainability reporting directive (2022/2464, CSRD) was published in the official journal of the EU in December 2022, and it came into force on 5 Feb 2023.[5] The directive requirements stem from the European Commission’s communication regarding the Green Development Program (2019).[6] The goal is to ensure that financial markets have reliable and comparable information for large and listed SMEs about the environment, society, and governance.[7] The directive sets two key obligations to said companies:

  1. The annual management report must include information about certain sustainability subjects according to the European standards.

  2. Sustainability reports must be controlled by an auditor or another authorized controller.

The essential novelty of the CSRD is the creation of European sustainability standards that require companies to report on sustainability as part of their annual report.[8] Increasing awareness of sustainability issues has changed the way business is conducted.[9] Corporate social responsibility (CSR) in general has been taken over by corporations as a tool to manage risks and further marketing goals, as opposed to incorporating sustainable development into com445pany values and operations.[10] If the reported information is not specific enough, companies can choose to publish information that is advantageous in order to influence investors and other stakeholders.[11] It is therefore essential that sustainability information is carefully verified since the publication of sustainability information always includes the risk of greenwashing. Assuring the reliability of sustainability reports is essential for the objective of investors and other stakeholders getting comparable information.[12] Certified auditors as assurance professionals are well qualified with relevant expertise to also perform sustainability reporting audits.

Implementing the CSRD into governmental legislation has required numerous regulatory changes across Europe, and in many countries, an auditor’s job description is expanding from financial reporting to sustainability reports.[13] The aim of the article is to examine the assurance requirements of the CSRD from the auditor’s point of view, and the assurance made by non-auditors is outside the scope of the article. The key differences between the limited assurance level of sustainability reporting and the reasonable assurance level of statutory auditing are examined. In this context, the article explains how the expectation gap between the stakeholders and the actual content of assurance could be narrowed. Finally, the goal is to evaluate how the new assurance of sustainability reporting is regulated in Finland from the auditor’s perspective. This review focuses on some main regulatory changes concerning, for example, the executor of sustainability reporting auditor and the assurance report. In Finland, the 446new regulation entered into force on 1 January 2024.[14] The research method is legal dogmatics, which is used to systematize and interpret regulations regarding the certification of sustainability reporting.

2. CSRD as a Part of the EU’s Evolving Regulatory Field

Before the CSRD there were many different non-financial reporting standards[15] that led to sustainability information being hard to compare and unreliable.[16] The aim of the directive is to channel private capital to finance the green and social transition and lure more investment to sustainable economy targets.[17] The CSRD does not determine how companies and executives should advance sustainability in their operations because sustainability practices fall within the scope of the Corporate Sustainability Due Diligence Directive (CSDDD), which entered into force on 25 July 2024.[18] However, it might significantly affect the practices of promoting sustainability in companies.[19] The final form of the due diligence provisions of the CSDDD is significant for management responsibility, as well for sustainability reporting.[20] However, the 447due diligence requirements of the executives appear to be more lenient than in the original proposal.[21] The European Parliament passed the directive in April 2024.[22]

In addition, several other issues related to corporate sustainability have been regulated at the EU level in recent years, and some of the projects are still in the preparation phase. The directive on gender quotas for the boards of listed companies employing more than 250 people was approved after a long process in December 2022.[23] Diversity issues in corporate governance are also related to the CSRD, as diversity in corporate governance can affect corporate decision-making, and the directive sets demands for reporting on this.[24] In addition, the European Parliament and the Council regulate which investment and financial objects can be considered sustainable (taxonomy regulation), and how financial market participants and financial advisors must provide sustainability information to investors.[25] The EU Public Country-by-Country (CbC) reporting directive entered into force on 21 December 2021 and requires certain multinational groups operating in the EU to publish information on their tax affairs. The auditor has the role of verifying the existence of the report but not to provide assurance on the content of the report.[26]448

3. Standardization of Sustainability Reporting – Auditors’ Perspective

It is essential for auditors to get added clarification and guidance in order to make better materiality judgements on sustainability issues. The need for standardization of sustainability reporting has been recognized repeatedly in literature. Green and Oixin pointed out the need to clarify terminology and expectations of reporting on greenhouse gas emissions,[27] Desai and Gerard found the lack of standards as a reason for overly positive and therefore misleading sustainability reporting[28], and Fraser, Quail and Simkins saw generally accepted standards as a solution to confusion surrounding sustainability reporting.[29] The CSRD aims to solve this problem by doing just that: requiring standardization of sustainability reporting.[30] The report must be prepared in accordance with the approved reporting standards referred to in Article 29b of the Financial Statements Directive, and the certification of sustainability reporting must comply with the sustainability certification standards approved by the EU Commission in accordance with Article 26, Paragraph 3, of the Audit Directive.[31]

Creating a set of uniform reporting standards and keeping them up to date is not easy, as they must be suitable for the reporting obligations of different-sized companies operating in different evolving industries. For example, ISA have been criticized for being biased by creating a bigger burden for smaller entities than for big companies with more resources[32], and ISA have also been criticized for not being suitable for inspections of small audit targets.[33] In a 449Centre for European Policy Studies CEPS study on the Non-Financial Reporting Directive (NFRD), several external service providers highlighted the practical desirability of standardizing non-financial information. However, they cautioned against fully replicating the approach used in financial reporting, as this may compromise materiality due to nonfinancial information being intrinsically tied to a company’s unique business and sustainability goals.[34] Increasingly detailed reporting requirements can overburden SMEs and put them in a competitive disadvantage.[35] It becomes even more significant by the fact that many large and listed companies are already voluntarily gathering and reporting data on sustainability matters.[36]

European Financial Reporting Advisory Group (EFRAG) is responsible for drafting EU sustainability reporting standards. In July 2023, the European Commission adopted the Delegated Act on the first set of European Sustainability Reporting Standards (ESRS).[37] The first of many sets of standards, ESRS1 (General requirements), has been published in the Official Journal of the European Union in December 2023 and two exposure drafts of standards for SMEs were published for consultation and are currently being under deliberation and field testin, expected to finish in December 2024.[38]

In accordance with the CSRD, a two-way impact assessment (article 19a.1) must be prepared in the sustainability report, the purpose of which is to ensure that the company’s stakeholders receive all relevant sustainability informa450tion.[39] The sustainability report must include the information necessary to understand, on one hand, the company’s effects on sustainability matters, and on the other, the information necessary to understand how sustainability matters affect the company’s development, result and position.[40] Traditionally, sustainability-related financial reporting utilizes the exposure-materiality principle, which is an outside-in perspective, generally including information on environmental aspects influencing the finances of a company. So-called impact reporting utilizes impact materiality with an inside-out perspective, focusing on the effects the company has on environmental issues.[41] Companies falling under the scope of the CSRD must report on both two-way impact assessment aspects, according to the principle of double materiality.

Companies are obligated to take both aspects of materiality into account independently; that is, the scope of the disclosure obligation includes (1) information that is material from both points of view, and (2) information that is material from only one point of view. The double-materiality audit has many benefits for the company and allows the users of the report to gain a deeper understanding of the company’s operations and the effects on many different stakeholders.[42] By incorporating both financial and non-financial information, a more comprehensive view of the company’s financial state can be provided as the amount of reporting will increase significantly. Thus, auditors can gain a better and deeper understanding of the company’s operations and impacts on stakeholders but will face some difficulties and need more resources to complete the audit.[43] The main contents of a sustainability report are determined by the CSRD (Article 49-f). SMEs can present their sustainability report in an abbreviated form.[44]

451The scope of the sustainability report will be extensive due in no small part to the double-materiality principle, and the amount of information included in the sustainability report will most likely be much greater and more qualitative than in a typical financial report. This scope increase can cause disclosure overload.[45] Disclosure overload is known in financial auditing as the problem of accounting standards and regulations being too complex, broad, and burdensome for companies.[46] In the age of big data, the risk of information overload is ever increasing on all aspects of reporting.[47] Materiality judgement is key for preventing disclosure overload and its negative effects that can lead to less transparency.[48] In a study by CEPS, it was found that stakeholders, business organizations and even external reporting advising service providers did not fully understand the concept of double materiality.[49] The external service providers advising reporting companies indicated that the reason for limited understanding was that the concept was fairly new and only discussed in relation to environmental and climate matters.[50] Baumüller and Grbenic criticize the CSRD for not clarifying the principle of double materiality while adding even more requirements under the reporting scope.[51] Mosca and Picciau suggest developing the known benchmark of materiality, the reasonable investor, that pays attention to the effects of social and environmental issues and long-term risks and opportunities.[52]

452The CSRD also states that standards should cover all information that is material to users of that information.[53] In order for the reporting to be what the legislation aims for it to be—complete, comparable and reliable—the reporting should be uniform to a certain degree. This goal is unlikely to be reached if too much room is left for subjective materiality consideration. Auditors and audit users need added clarification and guidance in order to make better materiality judgements. Baumüller and Sopp state that the CSRD gives some clarification by defining the concept of double materiality but gives final responsibility to EFRAG on providing guidelines for its practical application.[54] The standards should not create an excessive administrative burden for companies in relation to the benefits stakeholders get from sustainability information.

4. Improving Stakeholders’ Access to Assured Information

4.1 Increasing Transparency of Companies

From the perspective of the transparency of companies’ value chains, it has been considered essential that sustainability reporting obligations do not extend to only a few large companies.[55] The previous Non-Financial Reporting Directive (NFRD) covered approximately 11 000 companies in the EU. The CSRD is expected to broaden its scope to include about 48 000 companies.[56]453The directive will also affect non-EU companies with operations in the EU.[57] The term “non-financial information” has been considered imprecise, as it may give the impression that the information in question has no financial significance. The directive instructs on sustainability information, which increasingly also has economic significance.[58] The CSRD will be gradually applied in four stages in the years 2025–2029.

Even though the requirements of the CSRD do not apply to listed microenterprises[59] or unlisted SMEs, the sustainability requirements, through the requirements applied to value and supply chains, will also affect these companies, as companies with reporting obligations must be aware of the sustainability aspects of their supply chains.[60] Large, unlisted companies must also disclose information on sustainability issues. In addition, players in the financial sector need to receive information from unlisted large companies as well. The reporting obligation of listed SMEs, on the other hand, was considered essential for the realization of investor protection, as a significant part of the listed companies in the EU region belong to this group. The reporting obligation of SMEs ensures that financial sector operators can fulfill their obligations regarding the provision of sustainability information and can also include in their investment portfolios small companies that have been certified to properly manage their sustainability obligations.[61]454

4.2 Principal-Agent Relationships and Key Stakeholders of Sustainability Reporting

Investors and other stakeholders increasingly demand that companies publish more sustainability-related information.[62] Investors recognize the financial consequences of sustainability risks better than before and demand more sustainability information due to the increase in sustainability requirements in investment product offerings.[63] Sustainability-driven investment is both a regulatory change and a trend in the financial markets.[64] In order for these stakeholders to benefit from increased reporting information, they must be able to trust the information to be correct. Auditing has an important role in creating this trust and giving value to the reports. Research shows that the assurance of sustainability reporting increases the willingness of non-professional investors to invest in the company, especially if the sustainability report is assured by an accounting firm.[65]

Figure 1 Stakeholder groups recognized in the CSRD (Recitals 3–14).
Figure 1

Stakeholder groups recognized in the CSRD (Recitals 3–14).

The need for reporting assurance is based on improving the principal-agent relationship of the shareholder and the management, and the goal of reducing 455costs related to it.[66] Various legal strategies to combat the problems in principle-agent relationships have been suggested.[67]Regulating and standardizing the work of the agent is one of the strategies presented.[68] Regulations provide more information to the principal about the agent’s work and constrains agents by ordering them to not follow procedures that would harm the interests of the principal, therefore building trust and reducing costs. Assurance of the standardized statutory reporting can reduce the asymmetry even further.

In a complicated and somewhat new element of business such as sustainability, management is most likely better informed about the effects that the company’s actions have on sustainability matters as well as the effects actions have on the company. A key function of corporate governance structures is reducing information asymmetries and aligning the interests of agents with those of the stakeholders on whose behalf they act, therefore managing many types of agency conflicts. Sustainability reporting can be one of the corporate governance devices reducing information asymmetry between managers and stakeholders.[69] The CSRD addresses both internal and external governance which affect companies’ sustainability reporting systems.[70] Sustainability reporting is a way for management to inform shareholders on sustainability matters and their effects, but it also gives management an opportunity to misuse this information asymmetry. Managers may have incentives to dismiss environmental 456impacts in order to create short-term value while harming the company’s and stakeholders’ interests in the long run.[71]

Sustainability assurance helps solve this problem. In a way, this function of assuring the reporting also forms a principal-agent relationship between the stakeholders and the auditor or sustainability reporting auditor. In this relationship, the principal (shareholder) enters into an agreement with an independent agent (auditor) to perform the audit task.[72] The auditor works for the benefit of the stakeholder to help make better informed decisions regarding the company. Sustainability reporting auditors have an independent role and follow procedures to ensure that they report any deficiencies they observe in the assurance report.[73] The actual performance of the work and methods of implementation remain the auditor’s responsibility.

5. Identifying and Mitigating the Expectation Gap

The sustainability reporting audit can be considered a management tool to gain the trust of owners, creditors, and other stakeholders. Many stakeholders are interested in the assurance of the reported information about the company.[74] The main duty of the auditor is to respond to the information needs of shareholders and creditors. In the evaluation of sustainability issues, on the other hand, the information needs of potential investors and financiers are highlighted, as directing the flow of capital in the EU to a more sustainable approach is one of the main goals of this new legislation.[75] The asymmetric distribution of information between the principal and the agent can be rectified 457with the new sustainability reporting regulation. Essentially, the CSRD creates a reporting obligation that binds companies based on mandatory and commensurate standards – and the reliable assurance of the sustainability data reported by these standards. According to a study, assuring sustainability reports increased the willingness to invest for non-professional investors.[76] However, there is a risk that interested parties might expect more from the sustainability reporting audit than what the assurance is supposed to provide.

Sometimes stakeholders expect more from the auditor than what is actually part of the auditor’s statutory duties.[77] The existence of an expectation gap is widely recognized in financial reporting[78], and it is expected to be an issue in sustainability reporting as well.[79] A gap in expectations of the producer and users of assurance results in lower credibility and loss of stakeholder confidence.[80] Research shows that even in financial auditing, auditors often disagree with shareholders on what is material, and different parties tend to view sustainability information as more material than others, suggesting that the expectation gap is larger in sustainability reporting assurance.[81] Furthermore, research shows that the expectation gap is especially related to the auditor’s 458duties as a public watchdog regarding the company’s creditors and investors.[82]

As stated before, reporting on sustainability matters is a new, confusing and complicated subject. The nature of the subject and the fact that sustainability reporting on this level is uncharted territory for nearly every party makes it so that the expectations for the reporting and the assurance will most likely exceed its realistic capability. Reza and Karim discuss the increasing challenges in the audit profession, stating that increasing regulation encourages and requires auditors to expand efforts in detecting fraud, but at the same time vague terminology in said legislation creates problems in the industry.[83] Terms such as reasonable and material can have a different meaning to an auditor than it does to a shareholder, therefore increasing the expectation gap. Along with the many positive effects of the new directive on the expectation gap of sustainability reporting, it is also important to note some possible downsides. According to research by Doxey and Sealy, mandatory sustainability reporting and assurance may exacerbate the expectation gap between the auditor and the users of the report.[84] The research also shows that the gap is bigger when it comes to negative and quantitative information, which will increase with sustainability reporting.

The expectation gap can be divided into three categories:[85]

  1. knowledge gap – what auditors do versus what the public thinks they do

  2. performance gap – what auditors do versus what they are supposed to do

  3. evolution gap – what auditors do now versus what the public wants them to do in the future.

The sustainability assurance will certainly face all of these gaps. To solve the first two points, the most important step is the creation of functional and explicit sustainability reporting and assurance standards. Another way to narrow 459the gap is to ensure that the auditors possess adequate sustainability reporting skills. In addition, increasing stakeholders’ understanding of sustainability reporting assurance and its later discussed level is crucial. This step includes enhancing the understanding of the auditor’s actual role in certifying sustainability reporting. Effective communication between the auditor and stakeholders is an important part of narrowing the gap.[86] It is more feasible to educate users of sustainability information rather than members of the general public. This goal could be facilitated through shareholder meetings that review the sustainability assurance report.[87] We believe that these are especially related to the knowledge gap in the early stages of sustainability reporting assurance, as the auditors have not yet developed experience based on professional skepticism in identifying essential sustainability-related issues compared to well-established practices of statutory auditing in auditing financial statements.[88] The performance gap, on the other hand, is particularly related to how auditors actually react to the observations they make in assuring sustainability information.[89] Sustainability reporting can be one of the corporate governance devices reducing information asymmetry between managers and stakeholders.

The evolution gap is related to the future of sustainability data verification—that is, what the stakeholders actually expect from verification. Narrowing this gap requires the joint contribution of sufficient expertise of auditors, readiness for regulatory change, working practices of auditing, sufficient information of stakeholders and clarification of standards. With new technology and analysis tools, the accuracy of both financial and environmental, social and governance (ESG) auditing processes can be improved, minimizing the risk of errors and providing more reliable information to stakeholders. In addition, one way to reduce the evolution gap is to expand the auditor’s responsibilities.[90] As we can 460see, this category also includes tightening the assurance level of sustainability reporting.

The assurance level of a sustainability or financial report is closely related to the expectation gap. In society, the expectations of stakeholders are likely to increase in the future, which may further increase the expectation gap.[91] The gap is strongly related to regulation, as the duties of auditors and sustainability reporting auditors are defined by legislation. In connection with regulatory changes, it is necessary to assess what stakeholders can reasonably expect from an auditor, and whether the model can be implemented cost-effectively.[92] The cost of sustainability reporting assurance will be lower than the costs of assuring financial statements due to the lower level of assurance and less extensive procedures required.[93] From a legal standpoint, it is about what the auditor must inspect (target) and how the auditor must perform the inspection (inspection procedures). From a practical standpoint, it is about the general beliefs of interested parties regarding the scope of the auditor’s duties.[94] The audit of sustainability reporting is not as specific as the audit of the financial statements, but on the other hand, the limited assurance audit does not require the same detailed audit activities as a financial statement audit. However, stakeholders do not necessarily recognize the difference in assurance levels between statutory auditing and sustainability reporting assurance, which tends to further increase the expectation gap between the work actually performed by auditors and stakeholders’ expectations.

6. Is the Limited Assurance Level Sufficient?

A factor affecting the expectation gap and the reliability and impact of assurance is the level of assurance applied. In statutory auditing, the central principle is the principle of reasonable assurance. According to ISA 200.5, it means a 461high level of assurance which the auditor achieves by acquiring enough suitable audit evidence. However, getting reasonable assurance is different from getting absolute assurance. The auditor must also approach the audit with professional skepticism; that is, examine the acquired audit evidence critically. A lack of a clear definition of a reasonable level of assurance can increase the expectation gap between the auditor and the users of the audit report.[95] For example, in connection with corporate bankruptcies, stakeholders often raise the question of why the auditor did not warn about problems with the continuity of operations or detect abuses committed in the company.

Regarding the assurance of sustainability data, it has been concluded that, at least in the initial phase, a limited assurance level is sufficient.[96] As discussed, according to research by Doxey and Sealy, the expectation gap is bigger when it comes to sustainability reporting.[97] The study also finds that disclosures that receive limited assurance are viewed by auditors as less material than those that receive a higher level of assurance. This finding broadens the expectation gap even further when it comes to sustainability reporting that requires limited assurance as the CSRD will require during at least the first few years of implementation.[98]

The difference between the assurance levels can be considered considerable from the perspective of the auditors’ workload. The EU has not yet adopted harmonised assurance standards for sustainability reporting. The Committee of European Auditing Oversight Bodies (CEAOB) has only issued general guidelines on limited assurance on sustainability reporting. According to these guidelines in a limited assurance engagement the amount of work is expected to be less than for a reasonable assurance engagement that would be performed in the same circumstances.[99] The most widespread definition and guidance on limited assurance is on the International Standard on Assurance Engagements 462(ISAE) 3000 on Assurance Engagements Other than Audits or Reviews of Historical Financial Information.[100] The level of limited assurance can be defined by three main characteristics. First, the level of assurance is significantly lower than the assurance that is achieved by measures required for reasonable assurance.[101] This difference between limited and reasonable assurance has been explicitly emphasized in the CSRD.[102] Procedurally, for limited assurance, the auditor collects less evidence and conducts fewer analytical procedures compared to reasonable assurance. This difference can be seen in how risk is considered in both levels of assurance. In reasonable assurance, risk is reduced to an acceptably low level in the circumstances, and in limited assurance, risk is reduced to an acceptable level, but the risk is greater than for reasonable assurance.[103] Therefore, a comprehensive risk assessment is not required in limited assurance.[104]

The second defining requirement of limited assurance is that while the level of assurance is low, it must still be meaningful. In ISAE 3000, the auditor is tasked with the assessment of meaningfulness and the requirement that the assurance is likely to enhance the intended users’ confidence about the information.[105] The third defining characteristic is that the practitioner’s conclusion is expressed 463differently depending on the level of assurance. The sustainability reporting auditor must perform their assignment in such a way that the conclusion of limited assurance is presented as a statement that provides at least limited assurance that no circumstance has been observed in which it could be concluded that the reporting is substantially incorrect.[106] In limited assurance, the auditor’s workload is lighter, and the final result is presented with a negative statement that the auditor has not detected any material misstatements. In reasonable assurance, the conclusion is stated in a positive manner.[107] According to a recent study, non-financial reporting, such as sustainability reporting, does not typically have high consistency and comparability, making it very difficult, if not impossible, to reach a reasonable level of assurance.[108] Combining the reporting with a standard is a step toward more reliability in sustainability assurance. Regarding the CSRD, a reasonable assurance level was not considered possible because the lack of a uniform standard causes different perceptions and expectations regarding assurance, and a reasonable assurance level could be adopted at the latest on 1 January 2028, and only after it has been assessed whether reasonable assurance is achievable by auditors and companies.[109] The ISSA 5000 standard on general requirements for the assurance of sustainability reporting was recently approved. The standard aptly describes the relation between limited assurance and reasonable assurance: “The procedures in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement; and Consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed”.[110]464

7. Auditors’ Pivotal Role in Assuring Sustainability Reports – Observations from Finland

7.1 Legislative Changes

According to Finnish regulations, auditors play a key role as assurers of sustainability information. The task of statutory auditors in Finland differs somewhat from auditors in other EU countries because in Finland the company’s administration is also subject to audit (FAA 3:1), which in part emphasizes the expectations of the interest groups regarding the content of the audit.[111] In Finland, the CSRD extends to approximately 1300 companies.[112] Only 10 percent of these companies are listed companies, and most have never reported their sustainability information.[113] Implementing the directive to governmental legislation has required numerous regulatory changes. In September 2023, the Ministry of Economic Affairs and Employment of Finland published the proposal (the government’s proposal 20/2023, later the proposal or GP 20/2023) on amendments to the Finnish Accounting Act (1336/1997, later FAcA) and to the Finnish Auditing Act (1141/2015, later FAA) required for bringing the CSRD into force. The legislative changes have now been approved and have been applied since the beginning of 2024.

7.2 Executor of Sustainability Reporting Audit and Required Qualifications

In Finland, companies within the scope of CSRD must choose an authorized sustainability auditor[114] to audit its sustainability report. According to the FAA 2:2, a sustainability reporting auditor must be a certified auditor[115] who is also approved to perform the assurance of sustainability reporting, and a sustainability reporting audit committee is an audit firm that is also approved to perform a sustainability reporting audit. The statutory auditor of the company 465and the authorized sustainability auditor can be the same person, or different auditors can be selected for the tasks. If the authorized sustainability auditor is the same person as the financial information auditor, the sustainability assurance report can be included as a section of the audit report. The same guideline applies to the situation where the audit firm also performs the sustainability reporting assurance. It is likely that in practice in many Finnish companies’ current statutory auditors (audit firms) will be selected to audit sustainability reporting as well. According to Amendment to the FAA 6:6, the certified title of an authorized sustainability auditor or its abbreviation (“KRT”) can only be used by a person or auditing committee approved as such.[116]

EU member states are allowed to accredit independent assurance services providers to provide an assurance opinion on sustainability reporting.[117] Member states also had the option to provide companies with the possibility of choosing a sustainability assurance company registered in another country outside the EEA. Providing this option is not mandatory according to the CSRD, and Finland did not use this option. The auditors in Finland are subject to strict supervision by the public authorities, and they already have significant expertise in auditing financial information and knowledge of local companies. The directive requires the reporting of sustainability information as part of the management report, which the statutory auditor must review in connection with the statutory audit, and it is likely that in practice companies’ statutory auditors (audit firms) will most likely be selected to audit sustainability reporting as well.

According to the FAA 6:3 a §, applicants must be approved as an authorized sustainability auditor if they meet the approval conditions: (1) fulfill the qualifications of a certified auditor set in the FAA 6:2; (2) have completed sufficient university level studies covering topics relevant for sustainability reporting assurance and information on applying this knowledge in practice; and (3) have completed an authorized sustainability auditor’s specialization degree. The approval also requires practical experience of at least eight months of sustainability reporting or consolidated sustainability reporting assurance services or other services related to sustainability issues. The eight-month minimum experience is a requirement in the CSRD (Article 10(1)). The demand for certified sustainability auditors can be expected to increase dramatically; Finland could need hundreds of new experts.[118] Due to this need, the amendment to 466the Auditing Act includes a transitional provision that gives certified auditors (those approved as auditors before 1 January 2024) the opportunity to be certified as authorized sustainability auditors by completing studies of at least 30 hours on sustainability reporting and assurance in the first two years of the new legislation being in effect. Registering as an authorized sustainability auditor during this transitional period will not require the eight months of experience or an examination on the required studies.[119]

Authorized sustainability auditors’ special proficiency. Only a certified auditor can act as an auditor, which is why auditors are required to have the expertise of a professional in the field. For a statutory auditor to perform the assurance of sustainability reporting, the vocational qualification must guarantee sufficient theoretical knowledge of the topics relevant to the assurance of sustainability reporting, as well as the ability to apply the information in practice (CSRD 7.2). The CSRD requires that “statutory auditors or audit firms that carry out sustainability reporting assurance should have a high level of technical and specialized expertise in the field of sustainability.”[120] Expertise can be a combination of education and the required practical experience of sustainability issues.

The authorized sustainability auditor is required to have a sufficient amount of university studies and practical experience of sustainability issues; in Finland the requirement is at least 10 European Credit Transfer System (ECTS) units. Companies within the scope of the CSRD are demanding audit targets, that is, large companies and listed SMEs (excluding listed microenterprises), which is why their sustainability reporting auditor can be required to have an adequate expertise.

7.3 Management Report and Assurance Report

Sustainability information should be included as part of the management report.[121] The management report is a separate document connected to the financial statement. The limited liability company’s board of directors and CEO are responsible for preparing and signing the financial statements (the Finnish Companies act 6:2.1, 6:17.1, and 3:7.1). Until now, many of the EU member countries have published non-financial information as a separate document. In 467Finland, the statutory auditor must still take the management report into account while conducting the audit. For example, according to the FAA, the audit report shall contain an opinion on whether the information included in the management report for the financial year is consistent with the information included in the financial statements (FAA 3:5.2 section 4). The sustainability reporting part of the activity report is not intended, at least in its entirety, to be audited by a statutory auditor of a company.[122] In CSRD article 34(b), the auditor has a duty to give a statement about the financial statements’ material inaccuracies, and sustainability reporting is not excluded. This requirement matters especially when someone other than the statutory auditor is acting as sustainability reporting auditor.

According to the Amendment to the FAA 3:1 a §, the subject of sustainability reporting assurance is the information presented by the entity as its sustainability report. A dated and signed assurance report must be provided for each accounting period. The report must specify the entity subject to inspection and a description of the scope of the assurance, specifying the sustainability assurance standards that were followed. According to the Accounting act 3:5 a §, in the assurance report the auditor gives statements on:

  1. the process conducted by the entity to specify information for the reporting compliant with reporting standards

  2. whether the information in the sustainability report is marked with identifiers as instructed in the chapter

  3. whether the reporting is compliant with reporting standards and legislation

  4. whether regulation set by Article 8 in regulation (EU) 2020/852 by the European Parliament and Council is followed.

If the same statutory auditor performs both financial audit and sustainability reporting assurance, EU member states may require that the assurance report on sustainability reporting be included as a separate section in the audit report.[123] Finland has utilized this option and regulated it as described in FAA 3:5 a.468

7.4 Effects on Companies and Management Responsibilities

The costs arising from sustainability reporting are more tangible and measurable in the short term compared to the potential benefits, which are currently unmeasurable due to their intangible value and will materialize only in the long term. The effects will also vary between countries and cultures, therefore making a comparison of tangible and intangible effects ambiguous. EFRAG and CEPS have conducted a cost-benefit analysis of the first set of ESRS in November 2022, which excludes the direct costs for SMEs, since the standards published now do not apply to them.[124] It is undeniable that the directive brings on significant challenges in resourcing and new ways of collecting and managing data.

For companies, there will be two kinds of direct costs: a one-time cost burden for investments required to begin reporting and additional recurring costs for each reporting period.[125] The starting costs include new information systems required for the new kind of data and implementation of new procedures, while the recurring costs depend on the human resources permanently committed to reporting in the company, as well as on the assurance of reporting by an outside entity. According to the report published in November 2022, the estimated one-time cost for a large, NFRD-listed company will be on average 287 000 euros, with an additional one-time compliance cost of 320 000 euros annually for ensuring the fulfillment of the reporting requirements and introduction of new systems. For non-listed undertakings not under the NFRD scope, the one-time cost is estimated at 36 000 euros and the recurring annual cost at 40 000 euros.[126]

The costs of sustainability reporting assurance were identified during the legal preparation phase in Finland. These costs are significant and will vary a lot depending on the industry, size and previous conduct of a company. The costs may be overwhelming for smaller companies that are not directly under the scope of the directive but will need to report as part of another company’s supply chain, since the cost of collecting data from the supply chain companies is proportionally greater the smaller the company is.[127] The Finnish Ministry of Economic Affairs and Employment has evaluated that for a typical SME subcontractor the one-time cost will be around 8000 euros in initial purchasing costs, with an annual recurring cost of around 2000 euros.[128] The cost to sup469ply chain companies will also vary depending on how much the reporting-obligated company will support its supply chain in the process of sustainability reporting. Due to the required limited assurance level, the costs from sustainability reporting assurance will be lower than the costs from the assurance of financial statements that require a reasonable level of assurance.[129]

The extent of collaboration with supply chain companies will be one of the many new strategic decisions for the management of large companies affected by the CSRD. Based on the directive, each member state must stipulate that the company’s administrative, management and supervisory bodies are collectively responsible for sustainability reporting. In Finland, these bodies are the board and the CEO. The liability for sustainability reporting is similar to that of financial statement information.[130]

Another key factor to ensure credible sustainability reporting is the auditing committee.[131] In Finland, the audit committee is responsible for assisting the company’s board by doing preparatory work for board decisions. In implementing the directive, the responsibilities of the audit committee have been expanded to include observing the reporting procedures and presenting the sustainability report to the board.[132] There will be many ways to carry out sustainability reporting that will present many challenges ahead for company management and leadership. The roles of the board and management, as well as incentives regarding sustainability reporting, must also be disclosed.[133]

8. Conclusions

The auditors play a key role in assuring the accuracy of sustainability. The sustainability reporting requirements set by the CSRD are not only going to affect large corporations but reporting duties have also been set for listed SMEs. The CSRD is expected to broaden its scope to include almost 50 000 companies in Europe. In addition, the reporting standards require obtaining the necessary information from small, non-listed companies, if it is essential in terms of its sustainability effects in the sustainability reporting company’s value chain. The sustainability reporting audit can also be considered a management tool to gain the trust of the shareholders, creditors and other stakeholders.

470In order for stakeholders to benefit from increased reporting information, they must be able to trust the information to be correct. Investors and other stakeholders increasingly demand that companies publish more sustainability-related information, and assuring sustainability reports seems to encourage non-professional investors to invest.

It is necessary to be prepared for an increasing expectation gap, as expectations increase with mandatory sustainability reporting and assurance. The existence of an expectation gap is widely recognized in financial reporting, and it is also probably an issue in sustainability reporting. The research has identified several ways to mitigate various audit expectation gaps, such as the creation of functional sustainability reporting and assurance standards, improving auditors’ skills, stakeholders’ understanding of sustainability reporting assurance and its level and effective communication between auditor and stakeholders. Several ways to narrow the evolution gap are to prepare for regulatory changes, clarify standards,– and possibly tighten the level of assurance.

We recognize that the difference between assurance levels is significant. The sustainability reporting auditors issue the assurance report based on a limited assurance engagement, which is associated with three characteristics: (1) The level of assurance is significantly lower than the reasonable assurance level; (2) Despite the low level of assurance, it must be likely to enhance the intended users’ confidence about the information; and (3) The auditor’s workload is lighter, and the final result presents a negative statement that the auditor has not detected any material misstatement. It is obvious that limited assurance is not nearly as comprehensive as reasonable assurance. Stakeholders do not necessarily recognize the difference in assurance levels between statutory auditing and sustainability reporting assurance, which might actually increase the gap. If, in the future, sustainability information is genuinely intended to be placed in the same category as the audit of financial information, it is necessary to increase the assurance level. According to the transitional provision or the CSRD, the EU commission is responsible for making an assessment whether reasonable assurance is feasible for auditors and companies by October 1, 2028. If appropriate based on the results of the assessment, those delegated acts shall specify the date from which the auditor’s opinion shall be based on a reasonable assurance engagement.[134]

From the perspective of consistency between statutory audit and assurance on sustainability reporting, it might be appropriate to move to a reasonable level of assurance on sustainability reporting. In our view, the reasonable assurance level can cause practical difficulties, as sustainability issues are more ambiguous and less measurable than financial information. Unified standards, however, 471will likely alleviate the confusion surrounding sustainability reporting. Only after auditors gain experience from the application of the new standards will we see whether the increase of the assurance level is possible and on what schedule. Increasingly detailed reporting requirements can overburden especially SMEs and put them at a competitive disadvantage. Disclosure overload is known in financial auditing as the result of accounting standards and regulations being too complex, broad and burdensome to companies. Moving to a reasonable level will no doubt increase the costs. According to a recent study, the limited assurance of sustainability reporting is estimated to cost an incremental amount between 2.6 and 3.9 billion euros per year, while the reasonable assurance is estimated to cost between 6.0 and 9.7 billion euros per year.[135] As far as the costs incurred by the companies are concerned, the difference is considerable. The EU legislators should weigh the costs of tightening the assurance level in relation to the benefits. In our view, this is particularly important if the goal is to expand the sustainability reporting obligation to even smaller companies in the future. For small companies, additional administrative costs are relatively more significant than for large companies.[136] The versatility and complexity of the data to be collected and processed require new skills. Of course, with the development of information technology systems and artificial intelligence, it is possible to increase the efficiency of data collection and processing, at least in the long-term.

Implementing the CSRD has required numerous regulatory changes in European countries. In Finland the legislation has been implemented since the beginning of 2024. EU member states were allowed to accredit independent assurance service providers to provide an assurance opinion on sustainability reporting, but Finland did not use this option. A sustainability reporting auditor must always be a certified auditor that fulfills the qualifications, has sufficient university studies covering topics relevant for sustainability reporting assurance and has completed a sustainability reporting auditor’s specialization degree. The auditor’s professional judgement will play a key role in assuring sustainability reporting. Therefore, the expertise of sustainability reporting auditors is important to offer stakeholders more versatile, reliable and verified information about the sustainability of companies’ operations than before.

Published Online: 2024-11-29
Published in Print: 2024-11-11

© 2024 the author(s), published by Walter de Gruyter GmbH, Berlin/Boston

This work is licensed under the Creative Commons Attribution 4.0 International License.

Articles in the same Issue

  1. Frontmatter
  2. Frontmatter
  3. 269Redefining the Conceptual Ground of Corporate Governance Regulation
  4. 307Legal Transplants of Shareholder Voting Rights in the European Union – Evidence from the Past, Consequences for the Future
  5. 345Determining Economic Loss Due to Misrepresentations on the Stock Market Using Forward Casting
  6. 367Delisting Costs and Corporate Mobility in Europe
  7. 398Regulation of Takeover Bids in a Global Context
  8. 417Cross-border Mobility of Insolvent Companies Within the European Union
  9. 442The Assurance of Corporate Sustainability Reports and the Renewed Role of Certified Auditors
  10. 472The Sanctions Principles-Based Regulation: A Blueprint for a New Approach for the EU Sanctions Policy (Part II)
https://doi.org/10.1515/ecfr-2024-0013
Creative Commons
BY 4.0

Articles in the same Issue

  1. Frontmatter
  2. Frontmatter
  3. 269Redefining the Conceptual Ground of Corporate Governance Regulation
  4. 307Legal Transplants of Shareholder Voting Rights in the European Union – Evidence from the Past, Consequences for the Future
  5. 345Determining Economic Loss Due to Misrepresentations on the Stock Market Using Forward Casting
  6. 367Delisting Costs and Corporate Mobility in Europe
  7. 398Regulation of Takeover Bids in a Global Context
  8. 417Cross-border Mobility of Insolvent Companies Within the European Union
  9. 442The Assurance of Corporate Sustainability Reports and the Renewed Role of Certified Auditors
  10. 472The Sanctions Principles-Based Regulation: A Blueprint for a New Approach for the EU Sanctions Policy (Part II)
Sign up now to receive a 20% welcome discount
Institutional Access
How does access work?
Have an idea on how to improve our website?
Please write us.
© 2025 De Gruyter Brill
Downloaded on 11.9.2025 from https://www.degruyterbrill.com/document/doi/10.1515/ecfr-2024-0013/html
Scroll to top button