Are You Ready for a Sustainability Assurance Review?

by | Jan 16, 2024 | GLYNTBlog

This is the year, and this is the season, when everyone has the same question: Will We Pass Our Sustainability Assurance Review? It is indeed a new challenge, and a bit intimidating.

GLYNT is a SOX-level certified sustainability data preparation system that produces audit-ready data. We got an intense audit done on our systems so you don’t have to. Just use GLYNT. Not only are we audit-ready, we deliver 70–80% savings over current systems.

But, we’re also happy to share what we’ve learned. Here’s a 12-step checklist that will get the wheels spinning on audit-readiness. We suggest doing a round of preparation using the list, and then check in with your internal audit team. They’ll have some practical tips on how to take your work further.

12 Steps to Prepare for Sustainability Assurance

The auditors will be focusing on your method of data preparation, which starts long before you touch any data. They will be looking broadly, across your entire system of data prep. Your assurance review or audit is not about whether you added 2 + 2 accurately. It is about whether the methods you use can produce great data, over and over again.

There will also be a phrase, “decision-useful:” Is your data ready to be reliably used to make decisions? This is the key audit criteria. The auditor gets a close look on behalf of others. They don’t want to be embarrassed later, so they’ll ask the tough questions now.

1. Establish Defensible Boundaries

What assets are in your reported data set? (Assets are buildings, vehicles and equipment). What is excluded? Do you have a method for answering this question? Would a user of your data think that you had made a reasonable decision about what to include? And, is your data complete? Do you have data for all types of energy use for each? Document how you checked your boundaries two or three different ways.

2. Remove Duplicate Data

Often, the original source data (e.g. Primary Data) for sustainability reporting are invoices – energy bills, utility bills, landlord bills and so on. Accounting systems can create a lot of duplicates. Remove duplicate data from your systems. Use a method and a set of tests to scrub it out. Document this method for the auditors.

3. Know Your Data Dictionary

Your data will be used in a software system or report. Suppose you report Energy Cost. What does that mean in that context? Is that what you intended? Build a data dictionary for every report or software application that will be using your data, and document how your system produces data that matches the definitions, field by field. You’d be surprised at the range of definitions out there for Energy Cost!

4. Check for Consistency Over Time

Suppose Mary Lou is in charge of data prep one year and Sally Ann is in charge the next year. They may have different methods for handling data, leading to a 10% year over year change in the level of reported emissions. This is exactly what users of your data don’t want to see, and what the auditors will check for. They want to see an investment in a repeatable method that reliably produces data. Your data should enable apples-to-apples comparisons over time.

5. Document Your Data Sources

Many reporting frameworks (such as the CSRD, CBAM or Catena-X) require you to report your use of estimated data. And there are caps on the amount of estimated data that can be used. So get ready for your auditors to ask the same question. Document your use of Primary Data, source by source. This level of granularity is needed.

6. Document Data Assembly

The question that prompted this blog post was, “How do I document our data entry for assurance reviews?” Data entry happens at this step, Step 6 out of 12. There is a lot to do in an audit-ready data system and it goes well beyond the moment of data entry. (Note: GLYNT has been hearing from many companies that their auditors are concerned about the continued use of manual data entry). Regardless of how you bring the data together, document how you took a pile of PDFs, or a bunch of spreadsheet submissions and turned it into a master data set. What were the steps? Who touched the data? When? What changes were made from the original source? If you simply entered data to a software application, you’ll need to include all the steps that preceded that moment.

7. Document Judgements

As you move data through the system described above, there will be gray areas. For example, you might be reporting Energy Cost and using Current Charges as the key input. But one of your data sources does not provide Current Charges. So you filled that in, using your best efforts. That judgment call needs documentation. The documentation is not just for your auditors, it is quite helpful for your team as it improves data consistency year over year.

8. Check On Use of Estimates, and Fill in Data Gaps

Many sustainability software applications will fill in missing data for you. This seems like a feature, but can be a problem too, as it quietly raises your use of estimated data. Everyone struggles to round up complete data sets for sustainability reporting. It’s hard! But take a week or two before finalizing your data set or report. Check your data holes, go back to the teams and get the original source data. This comprehensive check shows you are using a systematic approach to sustainability data reporting, and is appreciated by the readers of your report, and your auditors.

9. Validate Your Data

Before you send the master data set to your software application or share with any team, validate your data. Validation is a series of tests that check the data for reasonableness. One frequent validation test, for example, is to ensure that the service periods reported from a data source are consistent and don’t have gaps or overlap. If you have prepared data from Source X and are showing one service period from May 5, 2023 to June 4, 2023 and another from June 1, 2023 to July 1, 2023, you have a problem! While you may be showing others only aggregated data, you are reporting out of your source of truth. A source of truth with errors is problematic. Best practice is to build a script that executes a series of tests on your data. Validation is about the details. (Note: You can run through your script by hand. Of course, we all prefer automation, but that is not the issue. The issue is whether you have a validation script).

10. Upload and Validate Again

It may seem strange to validate on Step 9 and then do it again on Step 10, but actually, this is a great way to eliminate errors. If your Energy Cost data is $10,322.45 before you upload and is $103,224.50 in the application, something went wrong. Or, if you reported Energy Cost and it shows up as Site Cost, you’ll have to review that data mapping. It could be correct. Just as you ran a validation script before the upload, develop a script for after the upload. It will be a different script because the validation is being done in a different context. Validation helps you achieve the goal of accurate and complete data, in context, ready to use.

11. Trial Review (Test Like an Auditor)

To get ready for an assurance review or an audit, go through each step above and do three things: First, read your documentation. Is it clear to someone else? Second, look at your testing. Do you detect errors with your tests? Or could an error slip through? And three, are the data files, documentation and original source data ready for the reviewer? You’ll save time and money with an organized approach.

12. Governance

There is a phrase in the security and privacy world that applies here too: “It’s about the people, processes and technology.” It takes all three components to deliver great outcomes. Governance is part of the people angle. Having multiple layers of review (program managers, senior managers, executive teams, board committees) allows the data and the data methods to be looked at from all angles. When every layer of governance is empowered to dig in and ask the tough questions, the reported data is better.

Note: Limited assurance reviews are negotiated between the reporting company and the auditor. You may be able to negotiate out some of the above, but most companies we talk to find preparing for limited assurance a huge level of effort. A reasonable assurance review is similar to a financial audit.

ABOUT GLYNT

“We got audited, so you don’t have to.”

GLYNT is The Sustainability Data Company, producing investor-grade data for businesses around the world. Our audit-ready sustainability data enables accurate reporting, operational efficiencies and access to financial capital. With a purpose-built machine learning system, GLYNT is the automated solution for all types of water, waste, energy and emissions data. Speed work, lower costs, and power ESG, carbon accounting and other business systems with accurate, actual data from GLYNT.

Most Recent Posts