Regulatory updates

Globally, there has been an increased focus on sustainability reporting and investments in sustainable businesses. Accordingly, organizations are increasingly reporting on their broader performance and impact. However, with a view to deepen the investor’s trust on the reported information, there is a need to provide assurance on the information reported. In India, presently, there is no authoritative guidance with respect to assurance engagements on sustainability information. Practitioners in India currently refer to the International Standard on Assurance Engagements (ISAE) 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information.

In this regard, on 12 September 2022, the Institute of Chartered Accountants of India (ICAI) had released an Exposure Draft on the Standard on Sustainability Assurance Engagements (SSAE) 3000, Assurance Engagements on Sustainability Information (ED). Based on the comments and representations received from different stakeholders, ICAI, on 10 January 2023, has issued the final standard – SSAE 3000, Assurance Engagements on Sustainability Information. Following are some of the key aspects that have been discussed:

• Applicability and Effective Date: SSAE 3000 would apply to a sole proprietorship or partnership firm registered with the ICAI on:
  1. A voluntary basis for assurance reports covering periods ending on 31 March 2023, and
  2. Mandatory basis for assurance reports covering periods ending on or after 31 March 2024.
• Parties involved: All assurance engagements would have at least three parties - the responsible party, the practitioner and the intended users. However, depending upon the circumstances of an engagement, there may also be a separate role defined for a measurer/evaluator, or the engaging party, as the case may be. The responsible party is responsible for identifying the underlying subject matter¹. Subject matter refers to the phenomenon that is measured or evaluated by applying criteria The measurer/evaluator uses the criteria²Criteria are the benchmarks used to measure or evaluate the underlying subject matter, so identified to measure or evaluate the underlying subject matter, resulting in subject matter information³ Subject matter information refers to the outcome of the measurement or evaluation of the underlying subject matter against the criteria, i.e., the information that results from applying the criteria to the underlying subject matter . The engaging party agrees the terms of the engagement with the practitioner and the practitioner issues the assurance report for the intended users.
• Scope: There are two kinds of assurance engagements - attestation engagements⁴ An assurance engagement in which a party other than the practitioner measures or evaluates the underlying subject matter against the criteria. A party other than the practitioner also often presents the resulting subject matter information in a report or statement. In some cases, however, the subject matter information may be presented by the practitioner in the assurance report. In an attestation engagement, the practitioner’s conclusion addresses whether the subject matter information is free from material misstatement. The practitioner’s conclusion may be phrased in terms of:
  • The underlying subject matter and the applicable criteria,
  • The subject matter information and the applicable criteria, or
  • A statement made by the appropriate party.
  and direct reporting engagements⁵ An assurance engagement in which the practitioner measures or evaluates the underlying subject matter against the applicable criteria and the practitioner presents the resulting subject matter information as part of, or accompanying, the assurance report. In a direct engagement, the practitioner’s conclusion addresses the reported outcome of the measurement or evaluation of the underlying subject matter against the criteria. . SSAE 3000 would apply only to the attestation engagements (both limited as well as reasonable assurance engagements). SSAE 3000 is an umbrella standard which applies to all assurance engagements on sustainability information. However, in case there is a subject matter information to which a specific assurance standard applies, e.g., Green House Gases (GHG) emissions, SSAE 3000 would apply in addition to the subject matter specific standard. Also, SSAE 3000 should be read in conjunction with the “Framework for Assurance Engagements” issued by the ICAI⁶ In case of any conflicts between SSAE 3000 and the Framework for Assurance Engagements, SSAE 3000 would prevail .
• Understanding the underlying subject matter: The underlying subject matter, so identified by the entity should have the following two characteristics:
  1. It can be measured or evaluated against the relevant criteria, and
  2. It can be subject to procedures to gather information required for supporting the necessary assurance conclusion.
  In order to understand the underlying subject matter and other significant issues, if any, the practitioner should make inquiries of the relevant parties regarding their knowledge of an actual, suspected or alleged intentional misstatement affecting the subject matter information, main findings of the internal audit function (if there is such a function) regarding the subject matter information, and whether an expert has prepared the subject matter information.
• Materiality: The practitioner should consider the appropriate materiality threshold for planning and performing the assurance engagement, determining the nature, timing and extent of procedures, as well as in evaluating that the subject matter information is free from any material misstatement. Various quantitative and qualitative factors which may be considered for determining materiality threshold include, the number of persons or entities affected by the underlying subject matter, the characteristics of the presentation adopted for the subject matter information when the applicable criteria allows for variations in that presentation, and so on.
• Using the work of subject matter experts/another practitioner/internal auditor⁷ If the practitioner plans to use the work of the internal audit function, he/she should also evaluate the extent to which the internal audit function’s organisational status and relevant policies and procedures support the objectivity of the internal auditors and whether it applies a systematic and disciplined approach, including quality control : The practitioner, while using the work of any subject matter expert, another practitioner or the internal auditor should evaluate the necessary competence, capabilities and objectivity level and perform relevant procedures to determine the adequacy of the work so performed for the engagement purpose.
• Documentation: The practitioner must prepare on a timely basis, the engagement documentation which provides a record of the basis for the assurance report, the nature, timing and extent of the procedures performed, evidence obtained, significant matters arising during the engagement, if any, conclusions reached, and the significant professional judgements made in reaching those conclusions. Engagement documentation should be assembled in an engagement file on a timely basis after the date of the assurance report and should be retained for a period of not less than five years from the date of the assurance report.
• Reporting: The practitioner, based on the evaluation of the evidence obtained and conclusions reached, should issue an assurance report⁸ The assurance report should not be dated earlier than the date on which the practitioner has obtained the evidence on which his/her conclusion is based in writing. The report so issued should clearly express the practitioner’s conclusion about the subject matter information. In this regard, SSAE 3000 has specified a list of basic elements that must be included in an assurance report and has also provided the illustrative formats of the assurance reports for reference purpose.

Further, it has been clarified that the assurance report should be signed by the practitioner (i.e., the engagement partner) in his/her personal name. In case a firm has been appointed as the practitioner, the report should be signed in the personal name of the practitioner as well as in the name of the firm. The partner/proprietor signing the assurance report must mention his/her ICAI membership number and also include the registration number of the firm, wherever applicable.

---

To access the text of SSAE 3000, please click here

On 25 July 2022, the Securities and Exchange Board of India (SEBI) had introduced regulations pertaining to the Social Stock Exchange (SSE)⁹ An SSE means a separate segment of a recognised stock exchange having nationwide trading terminals, permitted to register Non-Profit Organisations (NPOs) and/or list the securities issued by NPOs in accordance with the provisions of the ICDR Regulations. by making amendments to the following regulations:

• The SEBI (Issue of Capital and Disclosure Requirements) Regulations, 2018 (ICDR Regulations)¹⁰ The amendments have been issued by the SEBI (Issue of Capital and Disclosure Requirements) (Third Amendment) Regulations, 2022 (ICDR Amendment Regulations) by inserting a chapter on ‘Social Stock Exchange’
• The SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (LODR Regulations)¹¹ The amendments have been issued by the SEBI LODR (Fifth Amendment) Regulations, 2022 (LODR Amendment Regulations) by adding a chapter on ‘Obligations of Social Enterprises’, and
• The SEBI (Alternative Investment Funds) Regulations, 2012 (AIF Regulations)¹²The amendments have been issued by the SEBI AIF (Third Amendment) Regulations, 2022 (AIF Amendment Regulations) by introducing changes in relation to social impact fund.

As per the amendments introduced, a Social Enterprise (SE)¹³ An NPO or a For Profit Social Enterprise (FPSE), in order to be identified as an SE, must establish primacy of its social intent. In this regard, SEBI has prescribed 16 thematic areas which would qualify as eligible activities that meet the eligibility criteria specified in the ICDR Amendment Regulations. Additionally, an SE should have at least 67 per cent of its activities, qualifying as eligible activities through one or more of the following:
‑   at least 67 per cent of the immediately preceding three-year average of revenues comes from providing eligible activities to members of the target population,
‑   at least 67 per cent of the immediately preceding three-year average of expenditure has been incurred for providing eligible activities to members of the target population, and
‑   members of the target population to whom the eligible activities have been provided constitute at least 67 per cent of the immediately preceding three-year average of the total customer base and/or total number of beneficiaries. , which is either registered with or has raised funds through an SSE, should submit an annual impact report to the SSE. The annual impact report must be audited by a social audit firm¹⁴Social audit firm means any entity which has employed social auditors and has a track record of minimum three years for conducting social impact assessment, employing social auditor(s)¹⁵ Social auditor refers to an individual registered with a self-regulatory organisation under ICAI or such other agency, as may be specified by SEBI, who has qualified a certification programme conducted by the National Institute of Securities Market (NISM) and holds a valid certificate in this regard .

The ICAI has been entrusted with the responsibility of being the self-regulatory organization for regulating the profession of social auditors. Consequently, on 5 August 2022, ICAI had released an Exposure Draft (ED) on Compendium of Social Audit Standards (SAS).

Based on the comments and feedback received from various stakeholders, ICAI, on 14 January 2023 released the final version of the SAS (the standards). ICAI has prescribed total 16 standards, each corresponding to a specific thematic area (as suggested by SEBI) which would qualify as eligible activities for the purpose of establishing primacy of social intent. Subsequently on 4 February 2023, ICAI has issued the Framework for SAS (framework) which provides basic principles for social audit of projects/programs/project-based activities and provides guidance on matters relating to preparation of social audit report. The key requirements prescribed by the framework and the SAS issued by ICAI are as follows:

Applicability: The framework is applicable to engagements conducted by the social auditor, such as social audit (i.e., social impact assessment of a project/program of SEs), impact assessment (under the Companies (Corporate Social Responsibility Policy) Amendment Rules, 2021 and other similar assignments¹⁶Any other engagement(s) conducted by other auditor of an organisation e.g., statutory audit, internal audit, tax audit will not be under the scope of this Framework.

Elements of social audit engagement: The five elements of a social audit engagement are:

• A three-party relationship involving a social auditor, a responsible party (generally SE), and the intended user
• Project/programme/intervention to be covered
• Project monitoring framework
• Evidence
• A written report.

Planning, conducting and documenting social audit engagements: The framework lists down the considerations for a social auditor while planning the audit, including understanding the entity and its environment, the responsibility of the social auditor when it uses the work of a field level research agency and/or subject matter expert and other matters. It also prescribes the steps for fieldwork process, which includes data collection and sampling and documentation of the work done.

A system of quality control: A social auditor/audit firm should establish a system of quality control which must include policies and procedures addressing each of the following elements:

1. Leadership responsibilities for quality within the firm,
2. Ethical requirements,
3. Acceptance and continuance of client relationships and specific engagements,
4. Human resources,
5. Engagement performance, and
6. Monitoring.

The quality control policies and procedures should be documented and communicated to the firm’s personnel on a timely basis.

Communication with TCWG: The social auditor should communicate with Those Charged With Governance (TCWG) in a timely manner on matters such as the following:

• The roles and responsibilities of the social auditor with respect to the social audit
• An overview of the planned scope, timing of the social audit
• Communicate timely observations arising from the social audit that are significant/relevant to the project/programme
• Deficiencies in internal control for programme implementation/management that the auditor has identified and in the social auditor’s judgement are of sufficient importance to merit their respective attentions.

Materiality: A social auditor should consider materiality while assessing the overall impact of the project. Materiality should be considered in the context of various quantitative and qualitative factors, such as relative magnitude, the nature and extent of the effect of these factors on the evaluation or measurement of the subject matter, the interests of different stakeholders involved, and so on.

Use of technology: A social auditor should determine the usage and acceptability of technology for meeting the objectives, collecting and verifying evidence as well as validating impact measurements and assessments in case of social audit engagements.

Reporting – Social audit report: A social auditor needs to issue a written social audit report containing the findings from the assessment in terms of the impact created, gaps, if any, along with the recommendations for improvement. It should address the social impact assessment covered by the project that the intended users might be interested in. While the framework does not require a standardised format for reporting on all social audit engagements (i.e., social audit reports may be tailored to the area specific circumstances), it identifies certain basic elements which the social audit report should include.

Social audit standards: The amended ICDR Regulations prescribe 16 thematic areas which would qualify as eligible activities for the purpose of establishing primacy of social intent. Consequently, ICAI issued 16 SAS, each corresponding to a specific area. These are as follows:

The standards provide guidance on three key aspects:

1. Objective and scope
2. Process of social audit, including parameters related to collection of data, audit evidence and metrics for evaluation of a project/programme
3. Assessment of challenges and limitations.

Effective date: The standards and framework are effective from the date of their hosting on the ICAI website, i.e., standards are effective from 14 January 2023, and the framework is effective from 4 February 2023.

---

To access the text of the framework, please click here

To access the text of the standards, please click here