(Illustration by James Heimer)
Sustainability has risen rapidly on the agenda of companies. An increasing number of stakeholders, including shareholders, agree that sustainability-related issues pose potentially serious risks to businesses and therefore require effective management. Global problems such as the climate crisis, pandemics, and geopolitical conflicts like the war in Ukraine further accelerate this agenda by exposing vulnerabilities in supply chains and highlighting the need for greater resilience.
But the rise of sustainability management has also driven growing concerns about the quality and trustworthiness of environmental, social, and governance (ESG) information that companies collect and report. Stakeholders want to know that businesses care enough about sustainability to ensure transparency and accuracy. In response, demand for independent assurance through external reviews to provide credibility to companies’ sustainability data has soared, opening up space for a large and lucrative market in auditing sustainability-related information.
While expectations are high, we know little about the effectiveness of current practices in sustainability auditing. To address this glaring paucity of knowledge, we came together to form a research stream within the Oxford Rethinking Performance Initiative (ORP). Founded in 2020 at Saïd Business School at the University of Oxford, the ORP is a research consortium focused on the advancement of more holistic performance measurement.
In early 2021, we initiated a large study of the sustainability assurance practices at Financial Times Stock Exchange (FTSE) 100 Index companies in 2020 and 2021. Our project commenced in early 2021, and we collected data from the most recent sustainability reports on each company’s website. All reports we analyzed for the FTSE 100 companies were produced during 2020 or 2021 and tended to coincide with the company’s fiscal-year end. Using these publicly available reports, we assembled and examined a comprehensive data set of audit and reporting information of the FTSE 100 companies. We have published the first results of the study in a working paper available on the Social Science Research Network, and a second study, which takes an internationally comparative view, is still ongoing.
Little did we know that our extensive data collection efforts during 2021 would reveal alarming deficiencies in measurement, reporting, audits, and assurances. Despite bold statements from companies about their ESG commitments and values, their practices fall short. While high-profile companies scramble to establish themselves as leaders in this space and engage in grandstanding and ambitious rhetoric, their reporting is often ambiguous or cryptic, and the corresponding assurance weak. Better incentives combined with stronger regulation are likely necessary for companies to back their ESG declarations with credible reporting and robust assurance.
The Benefit of the Doubt
Audit and assurance play a vital role in instilling corporate accountability and trust. Financial audits are intended to provide reasonable assurance that financial statements are free from material misstatement. Most jurisdictions legally require such assurance for financial reports. By contrast, auditing and assurance of nonfinancial information is typically not mandatory. But the sustainability assurance market has grown steadily over the past several years, to the point where it now serves more than half of companies globally, according to the International Federation of Accountants.1
This trend is not least due to increasing investor and regulatory pressure. In 2019, for example, a McKinsey survey reported that 97 percent of questioned investors opine that sustainability disclosure should be assured, and in January 2022, Aviva Investors told 1,500 companies in 30 countries that it now expects annual external audits on climate reporting from all of them. On the regulatory side, the new European Corporate Sustainability Reporting Directive (CSRD), which will come into effect in 2023, will explicitly require the limited assurance of sustainability information.
Who, then, reaps the benefits in this growing market? In the United Kingdom, about half of sustainability audits are done by the Big Four accounting firms (Deloitte, PricewaterhouseCoopers, KPMG, and Ernst & Young), while the rest are serviced through specialized environmental or sustainability consulting firms (e.g., Bureau Veritas, Corporate Citizenship, Carbon Trust). Globally, the Big Four serve more than 60 percent of the market.
LISTEN: Hear more from the authors about reforming sustainability reporting practices on Spring Impact’s Mission to Scale podcast.
When we began to delve into public information about sustainability assurance to collect detailed information on the 2020 and 2021 reports, we observed a narrative of ambitious promises. Big Four firms like KPMG avow that their services “help to instill confidence in the important decisions that management makes on behalf of an organization,” and PwC claims that it “add[s] credibility to published information.” Bureau Veritas, a French company that specializes in inspections and certifications, offers sustainability audits and promises that it can “safeguard [a] company’s reputation.”
What we found in our investigations belied these statements. Our excavation of corporate reports and websites in search of assurance statements uncovered little evidence of their bona fides. In fact, we found it exceedingly difficult simply to locate assurance statements, let alone grasp what they considered a sustainability report. For the 73 FTSE 100 Index companies that sought assurance in 2020 or 2021, we recorded 10 different synonyms for the concept of a sustainability report and found assurance statements for these to be placed in 16 different locations. Yet we were not satisfied with the assurance statement itself; we also wanted to examine the underlying data. In extreme cases, doing so required diving into as many as seven different data repositories, annexes, and reports to gather the information we needed.
Our data collection often raised more questions than it answered. At first, we assumed that obvious gaps or misstatements must be errors in the reports. We presumed, perhaps somewhat naively, that large companies had vast resources dedicated to the process of collecting, reporting, and assuring sustainability-related information. We wrote to various companies seeking clarification and correction. In our efforts to clarify and give these firms the benefit of the doubt, some of them engaged with us, while others never replied. The responses we did receive were staggering in their lack of responsiveness, exposing inconsistencies and errors, fractured reporting processes, and ignorance of procedure.
The examples we discuss below reflect the practices of a wide range of companies. Some have been founded in the past 20 years, while others range up to 166 years old. They are headquartered in various parts of the United Kingdom and Europe and represent a wide variety of industries. But they have two things in common: They are all large, FTSE 100 Index-listed companies that provide some form of ESG or sustainability report, and their assurance of these reports raised red flags.
Three Ways Companies Greenwash
Auditing and assurance can and should facilitate better sustainability-related disclosure. In its current form, however, the practice instead often creates doubt and confusion in an already highly disorganized space. Reporting that claims to verify sustainability practices but undermines, rather than affirms, those practices is ultimately just a form of greenwashing.
The three common greenwashing strategies our investigations revealed were misleading statements, obfuscation, and diversion.
Misleading Statements | What should one reasonably expect from reading an assurance statement? Truth be told, these reports—even in financial auditing—do not necessarily reflect the whole effort that goes into the external review of data, methodologies, and more. One would want to understand, at a minimum, what was reviewed in the assurance engagement, how this review was performed, what standards were applied, which frameworks were used, what the assurance process found, and, ideally, how the firm could improve in response to the reviewed information.
The sustainability assurance statements that we examined were underwhelming. Depending on the complexity of the organization, financial audit reports can run from 5 to 20 pages. However, we found very few cases in which sustainability assurance reports were more than two pages in length. We often discovered that all relevant information about the independent verification of sustainability metrics fit on one page. More important, auditors frequently reported that their assurance of sustainability-related information was of “limited” scope—meaning they did not find blatant evidence of fraud. In contrast with financial auditors, the sustainability auditors did not assure that such information was true and fair to a reasonable extent. Reasonable assurance requires the assurance firm to obtain sufficient data to form a positive opinion, in a manner similar to that of a financial statement audit. More extensive testing of the data and the processes that generate the data is required for reasonable assurance. And rather than providing a negative statement, as in limited assurance engagements, the assurer expresses an opinion about whether the sustainability metrics are complete and accurate based on the specified criteria. Limited assurance engagements cost much less than reasonable assurance. Such a limited level of assurance cannot ground the credibility of current sustainability assurance practices. Reasonable assurance is not the default, although arguably it should be.
This trend did, however, admit exceptions. Imagine our delight when we found that some companies asked their auditors to engage on a higher, “reasonable” level of assurance. Only a handful of the companies listed on the FTSE 100 Index—including Australian mining company BHP, the British multinational Hikma Pharmaceuticals, and British specialty-chemicals company Croda International—expended the extra effort and money to seek reasonable assurance for (some) of their sustainability-related information.
An example comes from the 3i Group, a multinational private equity and venture capital company based in London. It states in its 2020 sustainability report that “emissions have been verified to a reasonable level of assurance by Carbon Intelligence according to the ISO 14064-3 standard.” That is, the report satisfied the globally recognized greenhouse-gas (GHG) reporting standard established by the International Organization for Standardization (ISO) in Switzerland. But we cross-checked this information with Carbon Intelligence’s 2020 assurance letter, which stated that “the independent third-party verification of direct and indirect carbon dioxide equivalent emissions (CO2e) [was] … to a limited level of assurance.” We don’t know what led to this discrepancy—whether it happened as an error of inconsistency or as blatant misinformation on the part of the company. It is telling, however, that the error was repeated in the 2021 report. Ultimately, 3i was either trying to get undeserved credit for reasonable assurance or making a copy-and-paste error from the 2021 report. Given the nature of this mistake, we decided to check 3i’s recently released 2022 reports to see if this same error was reported yet again. Lo and behold, the inconsistency had been corrected, and the 2022 sustainability report now states that limited assurance was obtained.
We found other examples of inconsistencies and misconceptions regarding what companies mean by external assurance. United Utilities, one of the largest FTSE 100 Index-listed water companies in the United Kingdom, stated that it had assured its Task Force on Climate-Related Financial Disclosures (TCFD) report against the Principles of Effective Disclosure. The Financial Stability Board, an international body that monitors the global financial system, formed the task force in 2015 to help its work in strengthening and protecting global financial markets from systemic risks such as climate change. When we examined the data underlying United Utilities’ TCFD report it was unclear what was actually covered by that assurance. When we inquired about this, a firm spokesperson responded, “It comes down to what we mean by assurance.” The response went on to explain that this assurance was “of effective disclosure rather than assurance of data.” How exactly the former can be assured without the latter is unclear to us. Interestingly, the GHG reporting section was assured, but by another party. In our view, the information, as presented, could lead readers to assume that the entire TCFD contents were assured. In response to our conclusion, United Utilities state that its reporting makes clear whether the assurance or verification relates to disclosures or to data, and that it has complied with its relevant reporting obligations.
We found another example of misleading assurance reporting from Avast, a Czech multinational cybersecurity software company. The firm stated in its 2020 annual report that it sought out Enviros, a UK-based consultancy that specializes in geosciences and serves energy companies, to verify its emissions: “Avast commissioned an external audit to review our prior emissions calculations, investigate whether the main drivers of our environmental impact are accurately captured, and provide additional recommendations for reducing our emissions.” But we looked into this claim and found that Avast did not include the actual Enviros assurance letter. This document normally accompanies the GHG metrics disclosed in company reports and helps instill confidence that these metrics have been independently verified. When we wrote to the company to ask for further details, a member of its team informed us that the assurance letter was confidential. On further probing, this representative responded via email: “I’m sorry we can’t support you more on this occasion. As you know, the purpose of our work with Enviros was to audit our findings, but at the moment it is not our intention to publish further details.”
Obfuscation | We laboriously collected a massive amount of data to extract the indicators purportedly audited in each assurance. To do so, we had to identify what companies call the “selected information” that defines these indicators and that serves as the focus for sustainability assurance. The concept of selected information raises serious questions about bias, since management freely chooses which metrics are and are not subjected to independent assurance, often without obvious links to the materiality of the disclosed metrics. But, setting this problem aside, we found it frequently impossible even to identify what this selected information included. Instead, many companies engaged in obfuscation, displaying a determined commitment to make data interpretation as difficult as possible.
Many companies undertake external assurance and disclose only those metrics cherrypicked by management, rather than those that are relevant to the company’s operations.
Take Experian, for instance. The American-Irish multinational consumer credit reporting company provides a lesson in how not to report sustainability information. Experian hired PwC to undertake limited assurance of its reported metrics and presented what appears to be a detailed and useful list of its sustainable business performance measures in the section before the assurance letter. Experian provides this list in its 2021 Sustainable Business Report. However, we sought to understand the external assurance of these measures and found in very small print that only those metrics reported with a small superscript “A” were verified by PwC. Out of numerous reported metrics spread over 11 pages and covering topics such as board composition, employee information, social measures, carbon emissions, and energy usage, only four measures were independently assured. The presentation made it difficult to gain clarity about which measures were ultimately within the scope of the assurance engagement.
Taylor Wimpey, a UK-based home construction firm, engaged in similar obfuscation. The company’s 2020 sustainability report contained a very long list of metrics, as well as the external assurance document from The Carbon Trust, a British consultancy dedicated to helping companies achieve net zero emissions. Although Taylor Wimpey reported nearly 100 nonfinancial performance metrics, only three were externally assured: Scope 1 and Scope 2 GHG emissions, and energy data. We sent emails to the company secretary, who is listed as its sustainability contact, in December 2021 and January 2022 but did not receive any response. We then sent an email to the company’s head of investor relations in late January 2022. Again, nothing.
Other companies also made our search for information difficult. Admiral Group, a financial services company headquartered in Wales, stated in its 2019 reports that in 2020 it would seek independent assurance. To the firm’s credit, in 2020 it did obtain independent assurance from The Carbon Trust, according to Admiral Group’s public disclosure. For casual readers among the public, this assurance may have satisfied their interest. But our desire to understand exactly what information was assured led us yet again down a winding path. Despite close examination, we could not find the actual assurance statement on the company’s website, in annual reports or related documents, or on The Carbon Trust’s website either. Further online searches yielded no results, so we decided to contact the firm directly. But no contact details for investor queries appeared on the company’s website—all such information was listed only for customers with insurance-related queries. The only name we could find on the reporting-related website pages was the investor relations manager’s, but no email address was provided. We searched for the manager’s contact details on LinkedIn, with no luck. We finally resorted to direct-messaging the company’s social media team on Twitter and Instagram.
Amazingly enough, we received a response. The team helpfully shared a copy of the assurance statement. However, upon closer reading, we learned from the assurance letter that “this Assurance Statement should be read in connection with the footprint document.” But the footprint document was not included in the company’s communication with us and not provided on its website. When we followed up and requested the document, we were informed that the company would “not share the footprint document publicly, as it contains internal data.” The Admiral Group did offer to answer any questions that we had about the footprint document, but how could we ask questions about something that we hadn’t seen? This experience raises the question of how much transparency these assurances really guarantee and what investors should expect from them.
Diversion | The third form of greenwashing we encountered in our investigation of assurance statements is diversion. While this tactic is technically not miscommunication, we all know that what is not said is often more important than what is said. Our data collection efforts revealed disclosure practices that left out relevant information, and we suspect that, at least in some cases, the omissions were intended to distract from an unwanted story line. We also experienced a significant amount of unresponsiveness and ghosting to various inquiries we made.
Severn Trent, a Coventry, UK-based water services company, gave us the silent treatment. On page 196 of its 2021 Annual Performance Report, the company provided its GHG emissions metrics and stated that a firm called Jacobs had undertaken external assurance of the GHG data and processes. Indeed, on page 35 of the report, Severn Trent included the assurance letter from Jacobs. Yet this letter’s content and coverage were not comprehensive. First, it contained no information about which metrics Jacobs had independently assured. We also couldn’t find information about whether the assurance was completed on a limited or reasonable basis. We could pinpoint no information on the frameworks, criteria, or public benchmarks used in the assurance process.
As a result, we contacted the company for confirmation that Jacobs had independently assured all metrics on page 196. We included specific questions in our email inquiry, as we thought this would be standard assurance information that a company should be able to share. We sent emails to a variety of departments and people in the company, including the corporate social responsibility (CSR) team contact and the investor relations point person. As of October 2022, we have not received a response.
In other instances, we were denied simple information about rationale and reasoning. For example, when reviewing Smith & Nephew plc, a medical-equipment manufacturing company headquartered in the United Kingdom, we noted that it had not undertaken external assurance since 2017. We wrote to Smith & Nephew and inquired whether our impression was accurate and, if so, why this was the case. We also asked whether the company was likely to resume external verification of sustainability metrics in the future. A spokesperson confirmed that the last external verification had indeed been in 2017, yet showed no interest in engaging further on this topic with us, responding only, “You are correct. We don’t comment on specific decisions like this, but we do ensure the accuracy and messaging in our sustainability report carefully. I’m sure that we will consider independent verification again in the near future.”
All Is Not Lost
We could include many more confusing, and sometimes infuriating, anecdotes about our FTSE 100 Index data collection experiences, but we would not want to give the impression that sustainability assurance is hopeless. As mystifying and discouraging as the negative examples were, we also found some positive and encouraging ones. Some assurance letters were genuinely informative, and some companies responded to our inquiries swiftly and completely. British chemicals and sustainable technologies multinational Johnson Matthey, for example, provided an integrated annual report that included both financial and sustainability data in a single document—a refreshing and helpful change from the profusion of documents we typically encountered in our research. The report was well organized and easy to navigate. Avieco, a UK-based sustainability consultancy that is part of Accenture, undertook the external assurance, and its letter included a detailed listing of assurance activities, a clear statement of materiality, key metrics presented in easy-to-read tables, and comprehensive recommendations for improvement.
As we noted earlier, reporting companies and their nonfinancial assurance firms often ignore or minimize the detailed sustainability metrics required to guarantee public trust. Many companies undertake external assurance and disclose only those metrics cherry-picked by management, rather than those that are relevant to the company’s operations and, more important, to stakeholders. To its credit, Johnson Matthey hired an external sustainability consultant to undertake a rigorous independent assessment to identify the metrics that would be relevant to a variety of both internal and external stakeholders, including employees, customers, investors, NGOs, and others. This effort produced a robust ESG map based on the priority sustainability themes and metrics these stakeholder groups expressed. Although not a simple or risk-free undertaking, this process exemplifies the broad stakeholder engagement that is crucial to the development of relevant and material sustainability goals and targets unconstrained by the whims of management.
We found another top-notch example in Mondi, a multinational packaging-and-paper manufacturer, and its well-structured, understandable, and integrated annual report. Mondi’s sustainability assurance report, completed by independent assurance firm ERM CVS, included a clear statement of engagement scope, reporting criteria, and standards. Although most of Mondi’s sustainability KPIs were assured to a limited level, ERM CVS did undertake reasonable assurance for some important environmental metrics, including Scope 1 and Scope 2 GHG emissions and energy usage. Like Johnson Matthey, Mondi takes multistakeholder engagement seriously in its sustainability governance and disclosure. The company’s 2020 sustainable development report defines its stakeholders broadly as “internal and external individuals, groups, organizations, and partners that are interested in, have influence over, or are affected by (positively or negatively) our business decisions, policies, and objectives.” As part of its sustainability governance model, Mondi has implemented a hotline, providing an anonymous whistleblowing and grievance capability for its stakeholder communities, including employees, customers, partners, and investors. This process allows stakeholders to report any concerns related to their business operations, including environmental pollution, HR-related issues, health and safety violations, fraud and corruption, and so on. All such reports are investigated by Mondi’s internal audit department and reviewed with the board. This undertaking is not risk-free, but it engenders greater trust by offering transparency into Mondi’s business operations and impacts.
Kudos to both of these companies and their sustainability assurance firms for delivering clear and material information to a broad community of stakeholders, including investors and the general public.
Doing Better
In all fairness, our insights may not always tell the full story. Separating out practice from disclosure is not always straightforward, and companies might be using robust measurement methods internally but weak reporting mechanisms that aren’t informative to the reader. Good assurance is not solely the responsibility of the company that seeks it—robust processes and practices and enlightened assurers and auditors are necessary ingredients.
This experience has led us to several conclusions. First, information providers and auditors/assurers apply a fair amount of arcane language and terminology from financial auditing (such as the terms “reasonable” or “limited assurance”) but often without adequate explanations. They must better outline how sustainability assurance is different from financial auditing, and how this discrepancy may require alternative processes, skills, language, and detailing of information. Assurers need to create much more stringent, standardized, and rigorous processes around these requirements to achieve a credible audit practice for sustainability information.
Second, companies can aid the credibility of sustainability assurance by providing more complete and consistent information. At minimum, each company that undergoes assurance should disclose four things: 1) what framework and methodology are being used to prepare and disclose the information, 2) what specific information and metrics are independently assured, and by whom, 3) whether the assurance is limited or reasonable, and 4) any supplementary information that will help to place the above information in context. Referring to missing information or stating what is important without sharing it significantly undermines the credibility of reporting and auditing.
Despite the greenwashing efforts we’ve encountered, we maintain that external assurance remains an essential tool for increasing the quality and credibility of sustainability-related information and ensuring that companies achieve genuine sustainability goals.
The Maturation of Sustainability Reporting
“Everything we hear is an opinion, not a fact,” the stoic Roman emperor Marcus Aurelius wrote. “Everything we see is a perspective, not the truth.” This lesson from managing an empire applies to sustainability reporting. While room for improvement exists in the creation of global sustainability audit standards, the inclusion of social impact data, the expanded adoption of reasonable (versus limited) assurance practices, and more, we do have reason for optimism. National and international efforts to improve and harmonize reporting and measurement, such as in the United Kingdom by the Financial Reporting Council and internationally by the International Financial Reporting Standards Foundation’s International Sustainability Standards Board (ISSB), will prove helpful in driving a more consistent reporting practice. The European Union’s Corporate Sustainability Reporting Directive mandates sustainability audits, which will improve auditors’ experience and processes—even if only for limited assurance engagements. Having a clear mandate and standards will help reporting companies and auditors to formalize their practices and increase their quality. The CSRD will also likely lead to more regulatory scrutiny of audits from competition and market authorities, which, in the best of cases, will dissuade companies from greenwashing.
Ultimately, investors and the general public need to feel confident that the information provided by companies—both financial and sustainability data—is accurate and trustworthy. External assurance is a requirement for financial reporting by listed companies. We believe the same rigorous verification process should be applied to sustainability reporting. Many companies have taken baby steps, but they have a long way to go to reach maturity.
Read more stories by Donna Carmichael, Kazbi Soonawalla & Judith C. Stroehle.