Review of sustainability reports

International Standard on Sustainability Assurance (ISSA) 5000

"As of fiscal year 2025, private companies will be required to report sustainability information in their financial statements in accordance with the Sustainability Information Standards (SIS) in Mexico...". Entities that carry out sustainability actions (sustainable entities) are usually perceived by investors, third parties with financial interests in the Company and the Company, as entities that have a better performance and are more resilient, consequently, they could be more profitable. This is because they make more efficient use of their resources and are able to identify risks related to the socio-environmental environment. Governance with a focus on sustainability generates confidence among stakeholders in the entity itself to be subject to investment, financing and to establish business relationships. Therefore, promoting sustainability actions usually generates more value to the entities and, therefore, to their owners.

For more detail and an in-depth analysis of the highlights, see the articles on the Pérez Góngora y Asociados, S.C. website on Sustainability Reporting Standards (SIS) in Mexico (Publication 1, Publication 2 and Publication 3).

On the other hand, on Tuesday, January 28, 2025, an amendment to the General Provisions applicable to issuers of securities and other participants in the securities market was published in the Official Gazette of the Federation. Through transitory provisions, it requires that the Sustainability Information added by this Resolution (the report containing the sustainability information, prepared in accordance with the IFRS Sustainability Disclosure Standard) be submitted as of 2026, with respect to the annual information corresponding to 2025.

The aforementioned Provisions also state that the report must have reasonable assurance of the information by an external auditor. However, also under a transitory provision, the report containing the sustainability information that Issuers present in 2026, with the annual information corresponding to 2025, may be presented without the assurance of an external auditor, but the report to be presented in 2027, with the annual information of 2026, must have at least limited assurance, and for subsequent years the report must have a reasonable level of assurance.

But how will this review be carried out? How should the information produced by the Entity that will be subject to assurance procedures be documented? What do limited and reasonable levels of assurance represent? And if my Company is not an Issuer, why should I have an assurance report from an Auditing Firm such as Pérez Góngora y Asociados?

In response to the above questions, and by way of context, the International Standard on Sustainability Assurance (ISSA) 5000 was issued by the International Auditing and Assurance Standards Board (IAASB) for this type of service. This standard is the appropriate framework for professionals to carry out assurance work on sustainability information. Its objective is to improve the confidence that investors, regulators and other stakeholders have in the information incorporated in companies' sustainability reports.

This standard establishes the requirements for professionals performing assurance engagements on an entity's sustainability information, covering topics such as the scope, objectives and procedures to be performed by audit firms. In addition, it specifies detailed guidelines on planning the engagement, obtaining evidence, evaluating the applicable criteria, using the work of other professionals and experts, and the requirements for issuing the assurance report, including responding to scope limitations and written representations from management.

Fundamental principles and concepts

In today's corporate ecosystem, sustainability reporting is no longer an add-on but a core component of corporate reporting. ISSA 5000 is a high-quality global standard, designed from the ground up to establish a rigorous and consistent benchmark for all work of this nature. The purpose of this article is to provide a detailed and structured analysis of ISSA 5000, in order to facilitate its understanding.

ISSA 5000 is a stand-alone standard that does not require reference to International Standards on Auditing (ISAs). However, it explicitly requires the engagement leader to belong to a firm that applies International Standard on Quality Management 1 (ISQM 1).

This standard will apply to all assurance work on sustainability information. This means that it will replace the use of ISAE 3000 (Revised) and ISAE 3410 for this type of work, unifying practice under a single global standard.

Types of assurance

ISSA 5000 formalizes and clarifies the differences in the work effort required between the two levels of assurance. Although both seek to reduce engagement risk, they do so to different degrees, which has a direct impact on the nature of the procedures and the level of confidence that can be offered to users.

Limited assurance and reasonable assurance represent the two levels of confidence that a practitioner can obtain when performing an assurance engagement on sustainability information under ISSA 5000.

The objective of any sustainability assurance engagement shall be to obtain sufficient and appropriate evidence to express a conclusion designed to improve the degree of confidence of the intended users of sustainability information.

The difference in the level of acceptable risk drives key variations in the nature, timing and extent of the procedures performed in each type of assurance.

Limited assurance

In a limited assurance engagement, the risk of the practitioner expressing an inappropriate conclusion is reduced to a level that is acceptable in the circumstances of the engagement. However, this risk is greater than the risk resulting from reasonable assurance. Despite having a higher risk, limited assurance still provides a significant level of assurance.

Reasonable assurance

In a reasonable assurance review, the risk of the practitioner expressing an inappropriate conclusion when the information is materially misstated is reduced to an acceptably low level in the circumstances of the engagement. This level of assurance is high, but not absolute.

Summary of differences

We present a summary of the most significant differences that companies should be aware of, as shown below:

| Feature | Limited assurance | Reasonable assurance |
| --- | --- | --- |
| Engagement risk objective | Reduce the risk to a level acceptable in the circumstances, which is higher than for reasonable assurance. | Reduce risk to an acceptably low level in the circumstances of the engagement. |
| Risk assessment level | The risk of material misstatement (RoMM) is identified and assessed at the disclosure level. | RoMM is identified and assessed at the assertion level for disclosures. |
| Scope of procedures | The procedures are less extensive. | The procedures are more extensive. |
| Understanding controls | An understanding is obtained by inquiring into fewer internal control components. Understanding the results of the internal control system monitoring process is an additional requirement in ISSA 5000 compared to ISAE 3410. | An understanding is obtained through inquiry and other procedures of all components of the internal control system. |
| Testing of controls | Evaluation of the design and implementation is only performed if the practitioner plans to obtain evidence proving its operational effectiveness. | The design and implementation of controls is evaluated; testing of controls is required if substantive procedures alone do not provide sufficient and appropriate evidence. |
| Nature and extent of procedures | The procedures vary in nature and are minor in extent. It includes the concept of "deep dive", if something catches the practitioner's attention. | Procedures are more extensive. Requires substantive procedures for higher risks and consideration of substantive procedures for all material disclosures. |
| Additional procedures | If the practitioner becomes aware of an issue that causes him/her to believe that the sustainability information may be materially misstated, additional procedures are required to be designed and performed to obtain further evidence until he/she can conclude that the material misstatement is not probable or determine that the material misstatement does exist. | If the practitioner obtains new information that is inconsistent with the evidence on which the risk assessment was originally based (contradictory evidence), it is required to revise the risk assessment and perform additional procedures to obtain further evidence to support the conclusion of Reasonable Assurance. |
| Conclusion and report | The conclusion is expressed in the negative. "Based on the procedures performed and the evidence obtained, nothing has come to our attention that would lead us to believe that the sustainability information is not prepared, in all material respects, in accordance with the NIS." | The conclusion is expressed positively. "In our opinion, the sustainability information is prepared, in all material respects, in accordance with the NIS." |

The limited assurance approach in ISSA 5000, aligned with ISAE 3410 for GHG (Greenhouse Gas) declarations, seeks to reduce the range of assurance at the disclosure level (only looking for signs that something is wrong). This risk-based approach at the disclosure level was considered more appropriate for designing and performing procedures. It also facilitates the transition from limited assurance reviews to reasonable assurance, providing a more natural basis for scaling up procedures and evidence gathering, rather than having to completely redesign the engagement.

The limited assurance report has mandatory elements that emphasize the limited nature of the work:

Statement of Limitation: The report should explicitly state in the "Basis for Conclusion" section that the procedures in a limited assurance engagement vary in nature and timing and are less in scope than for a reasonable assurance engagement, and, consequently, the level of assurance obtained is substantially less.

Summary of Work Performed: The limited assurance report should include a section entitled "Summary of Work Performed" containing an informative summary of the work performed as a basis for the practitioner's conclusion. This summary is generally more detailed than the procedures described in a reasonable assurance report. This is essential for users to understand the level of limited assurance obtained.

Planning and Materiality

Unlike financial auditing, materiality in sustainability is a concept driven by the diverse information needs of users. This generally involves the use of multiple materialities, both quantitative and qualitative, for different disclosures.

When required by the applicable reporting framework, the practitioner should consider the concept of dual materiality. This approach recognizes two perspectives:

- Financial materiality: The impact of sustainability issues on the value of the entity.

- Impact materiality: The impact of the entity's activities on the environment, society or the economy.

Risk Response and Estimation Management

One area of particular focus in sustainability is the assessment of information involving estimates and forward-looking information. ISSA 5000 requires a robust approach to these areas.

Since the effective date of ISSA 5000 is for periods beginning on December 15, 2026 (which is why the Provisions do not require the 2025 sustainability report, issued in the first months of 2026, to have some degree of assurance), we encourage management to evaluate an external review process of their first sustainability report and the documentation supporting that report. The purpose is to correct any deficiencies identified, or to improve the documentation and assess the reasonableness of the judgments behind the estimates of the sustainability performance metrics, and to maintain consistency across both periods in the 2026 report, which includes information from the previous year for comparability purposes.

At PGA we have highly trained and specialized professionals who provide review services for the Sustainability Report prepared by Companies in accordance with the Sustainability Reporting Standards applicable as of January 1, 2025. Our financial and sustainability compliance teams can also accompany management to ensure correct disclosure and documentation, so that organizations and their management can focus on their business and maximize operating results.

Written by Juan Carlos Arroyo Guevara.
