FAQs: Review or audit of sustainability reports

1. If an entity is required to prepare a sustainability report, what are its obligations in relation to obtaining a review or audit?

An entity that is required to prepare a sustainability report under the Corporations Act for a financial year (reporting entity) must:

• have the sustainability report reviewed (limited assurance) or audited (reasonable assurance) in accordance with the Corporations Act, and
• obtain an auditor’s report on the sustainability report: see s301A, s1707E and s1707F of the Corporations Act.

For financial years commencing before 1 July 2030, the sustainability report will be required to be reviewed or audited to the extent required by the Auditing and Assurance Standards Board (AUASB): see s1707E(1)–(2) of the Corporations Act and FAQ 2. From 1 July 2030, the sustainability report will be required to be audited: see s301A, s1707E and s1707F of the Corporations Act.

The auditor’s report on the sustainability report is the fifth report required as part of a reporting entity’s annual reporting, alongside the annual financial report, directors’ report, auditor’s report on the annual financial report, and the sustainability report.

2. What auditing standards apply to a review or audit of the sustainability report?

The review or audit of the sustainability report must be conducted in accordance with the auditing standards made under s336(1) of the Corporations Act: see s307AB of the Corporations Act. These are:

• ASSA 5000 General Requirements for Sustainability Assurance Engagements (ASSA 5000). This standard applies to both audits and reviews, and
• ASSA 5010 Timeline for Audits and Reviews of Information in Sustainability Reports under the Corporations Act 2001 (ASSA 5010). This standard outlines the timetable for phasing in these review or audit requirements between 1 January 2025 and 30 June 2030.

3. Who can conduct the review or audit of the sustainability report?

The auditor of a sustainability report must either be an individual auditor, audit company or audit firm. Under the Corporations Act, the auditor of the sustainability report must either be:

• an individual auditor that is an individual who consents to be appointed, or is appointed, as auditor of a company, registered scheme, registrable superannuation entity (RSE) or retail CCIV
• an audit company that is a company that consents to be appointed, or is appointed, as auditor of a company, registered scheme, RSE or retail CCIV, or
• an audit firm that is a firm that consents to be appointed, or is appointed, as auditor of a company, registered scheme, RSE or retail CCIV: see s9 (for the definitions of individual auditor, audit company or audit firm), s324AA and s1232(1) of the Corporations Act.

Where the auditor of the sustainability report is an audit company or audit firm:

• the person primarily responsible for the conduct of the audit (lead auditor) must be a registered company auditor, and
• the person responsible for the review of the audit (if any) (review auditor) must be a registered company auditor: see s9 (for the definitions of lead auditor and review auditor), s324AF and s1232(1) of the Corporations Act.

Where the auditor of the sustainability report is an individual auditor:

• the individual auditor must be a registered company auditor: see s324BA of the Corporations Act, and
• the person responsible for the review of the audit (if any) (also a review auditor) must be a registered company auditor: see s324AF(2) of the Corporations Act.

4. In what circumstances can ASIC register an applicant as a registered company auditor under the Corporations Act?

ASIC can only register an applicant as a registered company auditor if the applicant has the qualifications and practical experience in auditing required under s1280 of the Corporations Act and Part 9.2 of the Corporations Regulations 2001 (the Corporations Regulations). For further information see RG 180: Auditor registration (RG 180).

Only experience in conducting audits of financial reports is recognised as practical experience under s1280(2)(b)(ii) of the Corporations Act and reg 9.2.01 of the Corporations Regulations.

Auditing or reviewing sustainability-related disclosures does not meet the practical financial auditing experience requirements.

5. Does the same auditor need to be appointed for the financial reporting audit and sustainability reporting audit?

An RSE may only have one auditor: see s324AA(2) of the Corporations Act. If the RSE is a reporting entity, that auditor must be the auditor of both the sustainability report and the annual financial report.

A company, registered scheme or retail CCIV may have more than one auditor: see s324AA(1) and s1232(1) of the Corporations Act. If the company, registered scheme or retail CCIV is a reporting entity, the auditor of the sustainability report (whether an individual auditor, audit company or audit firm) is not required under the Corporations Act to be the same as the auditor of the annual financial report (whether an individual auditor, audit company or audit firm).

In deciding whether to appoint the same auditor or different auditors for the sustainability report and annual financial report, reporting entities that are companies, registered schemes or retail CCIVs should consider the following:

• a reporting entity is required to disclose connected information between the sustainability report and the annual financial report: see paragraph 21(b)(ii) of Appendix D of AASB S2 Climate-related Disclosures (AASB S2) and paragraphs B39–B44 of AASB S2. For example, AASB S2 requires a reporting entity to disclose material information about current and anticipated effects of climate-related risks and opportunities, which would directly incorporate elements from the annual financial report: see paragraphs 13–21 of AASB S2
• the auditor of the sustainability report is required to consider whether there are any material inconsistencies between other information (including in an annual financial report) and the information in the sustainability report: see paragraphs 13, 172 and 175 of ASSA 5000
• the auditor of the annual financial report is required to consider whether there are any material inconsistencies between other information (including in the sustainability report) and the information in the annual financial report: see paragraphs 12(c), 14–15 and 17 of ASA 720 The Auditor’s Responsibilities Relating to Other Information (ASA 720), and
• if the evidence that the auditor of the sustainability report obtains from the auditor of the annual financial report is not adequate, and sufficient appropriate evidence cannot be obtained from alternative procedures, the opinion on the sustainability report may be subject to a limitation on scope: see paragraph 55 of ASSA 5000.

These matters are also relevant in deciding whether the lead auditor or review auditor for the annual financial report should be the same as, or different to, the lead auditor or review auditor for the sustainability report: see FAQ 6.

6. Where the auditor of a reporting entity’s annual financial report and sustainability report is the same, and is an audit company or audit firm, can there be a different lead auditor or review auditor for each report?

Yes.

7. What opinion must the auditor of the sustainability report form under the Corporations Act?

An auditor of the sustainability report for a financial year commencing before 1 July 2030, must form an opinion about:

• whether the sustainability report, to the extent required to be audited by the auditing standards, is in accordance with the Corporations Act, including s296A(2) or s296B(1) (contents of climate statements), s296C (compliance with AASB S2) and s296D (climate statement disclosures)
• whether the auditor has been given all information, explanation and assistance for the conduct of the audit, and
• whether the reporting entity has kept sustainability records sufficient to enable the sustainability report to be prepared and audited to the extent required by the auditing standards: see s307AA, s309A(1), and s1707E(5)–(6) of the Corporations Act. See also ASSA 5010 and paragraphs 49 to 53 of ASIC Regulatory Guide 280: Sustainability reporting (RG 280).

 An auditor of the sustainability report for a financial year commencing on or after 1 July 2030 must form an opinion about:

• whether the sustainability report is in accordance with the Corporations Act, including s296A(2) or s296B(1), s296C and s296D
• whether the auditor has been given all information, explanation and assistance necessary for the conduct of the audit, and
• whether the reporting entity has kept sustainability records sufficient to enable the sustainability report to be prepared and audited: see s307AA and s309A(1) of the Corporations Act. See also paragraphs 49 to 53 of RG 280.

8. What must the auditor’s report on the sustainability report contain (other than the auditor’s opinion to the extent required under the Corporations Act)?

If the sustainability report is required to be reviewed, the auditor’s report on the sustainability report must:

• describe any matter that the auditor becomes aware of in the course of the review of the sustainability report that makes the auditor believe that the sustainability report, to the extent it is required to be reviewed by the auditing standards, does not comply with Division 1 of Part 2M.3 of the Corporations Act
• explain why any such matter makes the auditor believe that the sustainability report, to the extent it is required to be reviewed by the auditing standards, does not comply with Division 1 of Part 2M.3 of the Corporations Act
• include any statements or disclosures required by the auditing standards for the purposes of s1707F of the Corporations Act, and
• specify the date on which the auditor’s report on the sustainability report is made: see s1707E(2) and s1707F of the Corporations Act.

If the sustainability report is required to be audited, the auditor’s report on the sustainability report must:

• explain why, if the auditor is not of the opinion that the sustainability report is in accordance with the Corporations Act
• describe any defect or irregularity in the sustainability report
• describe any deficiency, failure or shortcoming in respect of whether the auditor has been given all information, explanation and assistance necessary for the conduct of the audit of the sustainability report
• include any statements or disclosures required by the auditing standards. For example, ASSA 5000 includes additional content requirements for the sustainability report: see paragraphs 191 to 196 of ASSA 5000
• include a statement of the auditor’s opinion on whether the inclusion of any additional information under s296A(3)(c) of the Corporations Act in the notes to the climate statements, was necessary to make the disclosures required by s296D of the Corporations Act: see s309A(4) of the Corporations Act. However, ASIC does not expect that reporting entities will need to include notes to the climate statements in a sustainability report. For further information, see paragraphs 96 to 97 of RG 280, and
• specify the date on which the auditor’s report on the sustainability report is made: see s309A of the Corporations Act.

For further information about when the sustainability report is required to be reviewed and audited, see ASSA 5010 and FAQ 2.

9. When do modified liability settings apply to statements in an auditor’s report?

Temporary modified liability settings apply in specific circumstances to certain types of statements (protected statements), including in:

• an auditor’s report on the sustainability report: see s1707 and s1707D of the Corporations Act;
• an auditor’s report on a document that would be a sustainability report if the entity were required to prepare a sustainability report for the year and where the document contains a declaration that the directors intend that s1707DA apply to the document: (voluntary sustainability report prepared under the Corporations Act); see s1707DA(1) of the Corporations Act, and
• an auditor’s report on a report that is treated as a sustainability report for specific purposes pursuant to an ASIC order under s340(1) or s341(1) of the Corporations Act (relief condition reports): see s342C and s1707DB of the Corporations Act.

The modified liability settings apply to protected statements in the type of auditor’s reports described above if they are made for the purposes of complying with the Corporations Act or the auditing standards: see s1707DA(5) and s1707DB(5).

The modified liability settings also apply to statements (regardless of where they are made) that are required to be made under a Commonwealth law, that are the same as a protected statement, or update or correct a protected statement.

However, these settings do not apply in relation to statements in an auditor’s report that are not prepared for the purposes of complying with the Corporations Act or the auditing standards. For example, these settings would not apply to statements that are made in the part of an auditor’s report that is not yet required under the ASSA 5010 timeline for phasing in the review and audit requirements: see also FAQ 2.

For further information, see paragraphs 61 to 69 of RG 280.

10. Do the appointment, removal and resignation requirements apply separately where there is more than one auditor?

Yes. The appointment, removal and resignation requirements under Divisions 6, 7 and 8 of Part 2M.4 of the Corporations Act generally apply (as appropriate) to each auditor: see also s1232R(2) of the Corporations Act.

For example, if a company, registered scheme or retail CCIV is a reporting entity, and has appointed one auditor for the sustainability report and another auditor for the annual financial report, the appointment, removal and resignation requirements would apply separately to each of these auditors. This is because the appointment, removal and resignation requirements generally refer to ‘an auditor’ (see for example, s327A of the Corporations Act).

An RSE may only have one auditor: see s324AA(2) of the Corporations Act and FAQ 5. If the RSE is a reporting entity, that auditor must be the auditor of both the sustainability report and the annual financial report. Accordingly, the appointment, removal and resignation requirements will apply to the auditor in their capacity as auditor of all the RSE’s reports prepared under Ch 2M of the Corporations Act.

Specific company auditor appointment requirements apply differently to auditors of annual financial reports where the reporting entity is a company limited by guarantee or proprietary company: see s327A(1A)(a), s327B(1A)(b), s325(2)(b) and s324BD(1)(c) of the Corporations Act.

For further information, see ASIC Regulatory Guide 26: Resignation, removal and replacement of auditors (RG 26).

11. If an existing auditor’s assurance engagement is extended to cover assurance over another report under Chapter 2M, would this require a new appointment?

No. If a reporting entity has already appointed an auditor of the annual financial report and wishes to extend the scope of the assurance engagement to cover assurance over the sustainability report (or vice versa), this would not be a new appointment for the purposes of the Corporations Act.

In this circumstance, we consider that the original consent to act as auditor under the Corporations Act continues to apply and no further consent is required under the Corporations Act: for further information see s328A(1) and s1232R(2) of the Corporations Act. However, the scope of the assurance engagement (i.e. which reports are covered) will be determined by the terms of engagement.

12. If the existing auditor of a reporting entity’s annual financial report does not have their terms of engagement extended to include the review or audit of the reporting entity’s sustainability report, does a vacancy in the office of auditor occur?

Yes, a vacancy in the office of the auditor would occur in this circumstance.

The vacancy must generally be filled within 1 month of the vacancy: see s327C(1), s327D, s331AAB, s331AC(1), s331AG(1) and s1232R(2) of the Corporations Act. The auditor appointment processes, which depends on the type of reporting entity, will apply.

13. If an existing auditor’s terms of engagement are altered, so that they are no longer reviewing or auditing both the annual financial report and sustainability report, but only one of those reports, does a vacancy in the office of auditor occur?

Yes, a vacancy in the office of the auditor would occur in this circumstance.

The vacancy must generally be filled within 1 month of the vacancy: see s327C(1), s327D, s331AAB, s331AC(1), s331AG(1) and s1232R(2) of the Corporations Act. The auditor appointment processes, which depends on the type of reporting entity, will apply.

14. How do the removal and resignation requirements apply to an auditor who is responsible for reviewing or auditing both the annual financial report and the sustainability report?

The removal and resignation requirements apply where the auditor is being removed from or is resigning from office and will no longer be performing any of the responsibilities of auditor of the entity: see s329, s331AC, s331AK and s1232R(2) of the Corporations Act.

The removal and resignation requirements would not apply, if the scope of an existing auditor’s assurance engagement is being reduced, so that it no longer covers both the reporting entity’s sustainability report or annual financial report but only one of those reports. This is because the auditor would still be performing some responsibilities of auditor of the entity.

For further information about the auditor removal and resignation requirements, see RG 26 and ASIC Information Sheet 65 Resignation of an auditor of a public company (INFO 65).

15. What audits or reviews do the individual auditor rotation requirements under the Corporations Act cover?

Auditor rotation requirements apply to individuals that play a significant role in the audit (and in some cases a review) of a listed company, listed registered scheme, RSE and retail CCIV: see Division 5 of Part 2M.4 and s1232(1) of the Corporations Act. These apply to:

• audits of financial reports (both annual financial reports and half-yearly financial reports);
• audits and reviews of sustainability reports;
• audits and reviews of relief condition reports: for further information about these reports, see FAQ 9 and s342C(6)(b) of the Corporations Act, and
• audits and reviews of voluntary sustainability reports under the Corporations Act: for further information about these reports, see FAQ 9 and s1707DA(4)(b) of the Corporations Act. See also s1707E(3)–(4).

16. How do the auditor independence requirements apply where there is more than one auditor or lead auditor?

Auditor independence requirements apply to individuals that play a significant role in an audit under Ch 2M: see s307C, Divisions 3, 4 and 5 of Part 2M.4, s1232(1), s1232N and s1232P–s1232Q of the Corporations Act.

These include individual auditors, lead auditors and review auditors.

Auditor independence requirements also apply under APES 110 Code of Ethics for Professional Accountants (including Independence Standards).

If a company, registered scheme or retail CCIV is a reporting entity, and the lead auditor for its sustainability report is not the same as the lead auditor for its annual financial report, each lead auditor must:

• be aware of, and implement appropriate responses in relation to, conflict of interest situations: see ss324CA–324CH, s1232(1), ss1232P–1232Q of the Corporations Act
• comply with their auditor rotation obligations under Division 5 of Part 2M.4 and s1232(1) of the Corporations Act: for further information, see FAQ 15. For example, if an auditor has been the auditor of a listed entity’s annual financial report for three years and subsequently has also been the auditor of that listed entity’s sustainability report for a further two years, the lead auditor would have played a significant role in the audit of that reporting entity for a successive period of 5 years under s324DA of the Corporations Act. For further information, see ASIC Regulatory Guide 187: Auditor rotation (RG 187), and
• give a written declaration to the directors of the reporting entity that to the best of the lead auditor’s knowledge and belief, there have been no contraventions of the auditor independence requirements under the Corporations Act or applicable code of professional conduct in relation to the review or audit (written independence declaration): see s307C and s1232(1) of the Corporations Act.

Individual auditors have obligations in relation to conflict of interest situations, auditor rotation and providing a written independence declaration. They apply to the auditor of the sustainability report (i.e. an individual auditor) whether or not they are the same as the auditor of the annual financial report.

Review auditors must comply with their auditor rotation obligations. They apply to the review auditor for the sustainability report whether or not they are the same as the review auditor for the annual financial report.

17. Should an auditor's written auditor independence declaration to the directors of the reporting entity identify the report to which it relates?

Yes.

18. How does the obligation to report to ASIC apply where there is more than one auditor or lead auditor?

The reporting obligations under s311 of the Corporations Act apply (as appropriate) to each individual auditor, audit company or member of an audit firm: see also s1232(1) of the Corporations Act. For further information see Regulatory Guide 34: Auditor’s obligations: Reporting to ASIC (RG 34).

For example:

• if a company, registered scheme or retail CCIV is a reporting entity, and the lead auditor for its sustainability report is not the same as the lead auditor for its annual financial report, the reporting obligations under s311 of the Corporations Act would apply independently to each lead auditor, and
• each lead auditor would only be required to report under s311 of the Corporations Act if they are aware of a suspected contravention. In some cases, they might both need to report the same suspected contravention if they are each aware of it, such as when reviewing for any material inconsistencies between the information contained in the annual financial report and sustainability report: see also Table 1 of RG 34.

19. Do annual transparency reporting obligations apply where sustainability reporting audits or reviews are conducted?

Auditors are required to publish annual transparency reports if they conduct an audit under Division 3 of Part 2M.3 of the Corporations Act of 10 or more bodies of the kinds described in s332A(1) of the Corporations Act.

For the purposes of determining whether this threshold has been met, sustainability reporting audits or reviews of the kinds of bodies described in s332A(1) of the Corporations Act are counted. This is because:

• sustainability reporting audits are audits under Division 3 of Part 2M.3 of the Corporations Act, and
• while the sustainability reporting requirements are being phased in, references to an audit of the sustainability report generally include a reference to a review of a sustainability report: see s1707E(4) of the Corporations Act.

If an auditor conducts an audit of an annual financial report and a sustainability report for the same body, this is counted as one body for the purposes of applying s332A(1) of the Corporations Act.