Quick Read
Independence in non-financial assurance remains compromised by the same conflicts that financial audit resolved through regulation: firms that advise on sustainability programme design are subsequently appointed to assure those same programmes, creating an undisclosed financial incentive to validate their own prior work. The IESBA ethics standards and ISSA 5000 now require independence safeguards from 15 December 2026, yet procurement practices have not evolved to enforce them, leaving audit committees unable to distinguish between genuine independence and the false efficiency of using an adviser-turned-assurer. The paper argues that independence in non-financial assurance must be treated as a structural requirement, not an organogram, and that boards must ask whether the assurance firm would lose revenue if it concluded the advisory team's work was deficient.
IN BRIEF
Independence in assurance is a structural property, not a contractual assertion. The operative test is whether the assurance provider can reach an adverse conclusion without commercial consequence to itself.
The IESBA's International Ethics Standards for Sustainability Assurance, including International Independence Standards, were issued in January 2025 and are generally effective for periods beginning on or after 15 December 2026 — the same date as ISSA 5000.
ISO/IEC 17021-1 requires impartiality of management system certification bodies and constrains the provision of management system consultancy to certification clients.
The standard market practice in non-financial assurance is for one provider to deliver both advisory services and the assurance over the work those services produced. This arrangement was prohibited in financial reporting by section 201 of the Sarbanes-Oxley Act in 2002.
Advisory and assurance are frequently purchased through different procurement channels — strategy buys the advice, finance buys the assurance — so no single person in the organisation observes the conflict.
Executive summary
An audit committee that would refuse, without discussion, to appoint its tax adviser as its statutory auditor will approve a sustainability assurance provider that spent the previous two years building the sustainability programme it is now examining. The same directors. The same meeting. Frequently the same afternoon.
This is not hypocrisy and it is not incompetence. It is a failure of pattern recognition. Independence in financial audit is recognised because it has a hundred years of scandal attached to it, and because its absence has a name. Independence in non-financial assurance has neither, so the conflict presents as efficiency: the provider already knows the data, the systems and the people, and the engagement is therefore quicker and cheaper.
It is quicker and cheaper for exactly the reason it is worthless.
THE TEST THAT WORKS
Not: is there a separate legal entity, a separate team, a Chinese wall, an engagement letter asserting independence? Every one of those can be answered yes by a firm structurally incapable of an adverse conclusion. The test is: if the assurance team concluded that the advisory team's work was wrong, would the firm lose money? If yes, it is not independent, whatever its organogram.
This paper sets out why independence exists, the five threats applied to non-financial assurance, why boards do not see the conflict, what the standards now require from 15 December 2026, and the questions to ask before appointment rather than after.
1. Why independence exists
The independence requirements governing financial audit were not derived from ethical theory. They were derived from failures, each of which cost somebody a great deal of money, and each of which followed the same structure: a firm that had advised on the construction of an accounting position was subsequently asked to opine on whether the position was correct.
The regulatory response — section 201 of the Sarbanes-Oxley Act in the United States, the EU Statutory Audit Directive and Regulation, the IESBA Code of Ethics internationally — converged on a single principle. A firm may not audit its own work. Not because auditors are dishonest, but because no professional judgement survives the requirement to declare that the professional exercising it was previously mistaken, and the firm's fee depended on the earlier judgement.
Independence is not a statement about the integrity of individuals. It is a statement about what an organisation is capable of concluding, given what concluding it would cost.
The non-financial assurance market has not yet had its Enron. It has instead had a decade of arrangements that a financial audit committee would recognise instantly and reject without debate.
2. The five threats, applied

Figure 1 — The five threats from the ethics framework, translated into the non-financial estate.
Self-review
The firm assures the materiality assessment it performed. It verifies the GHG inventory it built. It certifies the management system it designed. This is the most common arrangement in the market and the only one that cannot be mitigated by any safeguard, because the safeguard would have to consist of the firm being willing to declare its own prior work defective.
Board members occasionally suggest that a firewall between the advisory and assurance teams addresses this. It does not. The firewall is between two teams inside a single partnership whose profits are shared, and the assurance partner's finding that the advisory partner's methodology was wrong is a finding about the firm.
Self-interest
The assurance fee is small. The advisory relationship it sits beside is not. A sustainability assurance engagement might be worth a few hundred thousand; the transformation programme, the data platform implementation, and the ESG strategy work alongside it might be worth ten times that.
The question the audit committee should ask, and almost never does, is for the ratio: total fees paid to this provider for advisory work, over total fees paid for assurance work, across the group, for the last three years. It is a single number, it is readily obtainable, and it is rarely volunteered.
Advocacy
The firm helped design the net-zero target. It now assures progress against it. It has, in the ordinary course of the advisory engagement, publicly and privately defended the methodology, the baseline and the pathway. It holds a position.
A position is not an opinion. An opinion can change when the evidence does.
Familiarity
Statutory audit imposes partner rotation and, in the EU, firm rotation, because a nine-year relationship between an engagement partner and a finance director changes what gets raised. No equivalent requirement exists across most of the non-financial estate. Certification bodies rotate audit teams under accreditation requirements; assurance providers frequently do not.
An organisation can impose rotation on itself, and a small number do. It costs a learning curve and buys back a capacity for surprise.
Intimidation
A certification body knows that raising a major non-conformity may lose the client to a body that would not have raised it. This threat is structural to the certification market and is the reason accreditation, rather than contract, is the control: the accreditation body examines the certification body's decisions, and a certification body that never raises major non-conformities is a certification body with an accreditation problem.
THE ASYMMETRY BETWEEN CERTIFICATION AND ASSURANCE
Certification bodies operate under ISO/IEC 17021-1, which requires impartiality and constrains management system consultancy, and are themselves audited by an accreditation body. Sustainability assurance providers come under the IESBA's ethics standards from 15 December 2026. Consultancies delivering ESG advisory services and calling the output assurance are subject to neither.
3. Why boards do not see it
The framework is unfamiliar. An audit committee knows the financial independence rules to the article number. It does not know that IESBA issued ethics standards for sustainability assurance in January 2025, effective from 15 December 2026, or that ISO/IEC 17021-1 constrains consultancy by certification bodies. The rules exist; the committee has not been told they exist.
The purchases are made through different channels. The strategy team engages the ESG advisory firm. Finance engages the assurance provider. Procurement processes them separately. Neither budget holder sees the other's contract, and the audit committee sees only the assurance appointment on its agenda.
The conflict is presented as domain expertise. "They already understand our data" is offered as a reason to appoint, and it is the precise fact that disqualifies. Knowing the data because you built it is not the same as knowing the data because you tested it.
The provider has a commercial interest in the arrangement persisting. It is not in the interests of a firm earning both fees to explain that earning both fees is the problem. Nobody is lying. Nobody is volunteering, either.
The advisory-assurance conflict in non-financial assurance is not an aberration in the market. It is the market.
4. What the standards now require
Term | Definition |
|---|---|
IESSA | The IESBA's International Ethics Standards for Sustainability Assurance, including International Independence Standards. Issued January 2025. Generally effective for assurance engagements on sustainability information reported for periods beginning on or after 15 December 2026 — the same date as ISSA 5000. Applies profession-agnostically, to all sustainability assurance practitioners. |
ISSA 5000 | The IAASB's standard for sustainability assurance engagements. Requires the practitioner to comply with relevant ethical requirements, including those relating to independence. |
ISO/IEC 17021-1 | The accreditation standard for management system certification bodies. Requires impartiality, requires that threats to impartiality be identified and managed, and constrains the provision of management system consultancy to certification clients. |
ISO/IEC 17029 | The accreditation standard for validation and verification bodies. Contains equivalent impartiality requirements for verification engagements. |
Sarbanes-Oxley section 201 | The United States statutory prohibition on an auditor providing specified non-audit services to an audit client. The structural precedent, enacted in 2002 after the profession concluded that a firm cannot objectively test its own recommendations. |
What changes on 15 December 2026
Independence in sustainability assurance ceases to be a matter of provider policy and becomes a matter of professional standard.
A provider offering both advisory services and assurance over the resulting work will be operating against an ethics framework that addresses the arrangement directly.
Nothing in the standards obliges an audit committee to ask. The standards constrain the practitioner. The appointment is still made by the board.
5. Six questions before appointment
Asked at plan approval, before the engagement letter is signed. Asked of the provider, in writing, and minuted.
What services, of any kind, has your firm or any affiliate provided to this entity or its subsidiaries in the current and three preceding financial years? Provide fees by category.
What is the ratio of total advisory fees to total assurance fees paid to your firm by this group over that period?
Did your firm participate, in any capacity, in designing, implementing or advising upon the management system, the materiality assessment, the data collection process, or the targets that are within the scope of this engagement?
Under what accreditation, and against what ethics or independence standard, will this engagement be performed? Name the accreditation body and the standard.
What is your firm's partner rotation policy for this engagement, and how long has the proposed engagement leader served this client?
In the last twenty-four months, across your practice, how many times has your firm issued a qualified conclusion, a major non-conformity, or a withheld certificate? Provide the number.
THE SIXTH QUESTION IS THE WHOLE OF IT
A provider that has never issued an adverse outcome has not been performing assurance. It has been performing something else, competently, under the same name. The number is a matter of record, and a provider that will not supply it has answered the question.
6. What independence costs
It is worth being honest about the price, because papers of this kind usually are not.
An independent provider does not already know your data. The engagement takes longer. The first cycle produces findings that a familiar provider would have resolved quietly. The relationship is less comfortable, because the provider is not managing a relationship, and there is no partner who will call the CFO before writing something difficult.
An organisation buying independence is buying the possibility of an unwelcome answer, and it will occasionally receive one. That is the product. Every other feature of the engagement is packaging.
If the assurance engagement has never once told you something you did not want to hear, you have been buying a document, and paying assurance prices for it.
7. Speeki's position
Speeki is an accredited certification and assurance body. It does not provide consulting services. It does not design sustainability programmes, build management systems, prepare materiality assessments, or advise on targets — and it therefore never examines its own work.
This is a structural choice with a commercial cost, and it is worth stating what the cost is. Advisory revenue is larger, faster and stickier than assurance revenue. A firm that forgoes it is choosing a smaller business in exchange for the capacity to reach an adverse conclusion without consequence to itself.
That capacity is the only thing an assurance provider actually sells. Details of Speeki's accreditations and their scope are published at speeki.com and should be treated as the authoritative source.
Questions this paper answers
What is the correct test of an assurance provider's independence?
Whether the provider can reach an adverse conclusion without commercial consequence to itself. Concretely: if the assurance team concluded that the advisory team's work was wrong, would the firm lose money? Structural indicators — separate legal entities, separate teams, information barriers, contractual assertions of independence — can all be satisfied by a firm that is structurally incapable of the adverse conclusion. Independence is an incentive, not an organogram.
Can the firm that built our sustainability programme also assure it?
It can, and across the market it commonly does, but the arrangement is self-review: the firm would have to declare its own prior work defective in order to reach an adverse conclusion. This is the arrangement financial reporting prohibited in section 201 of the Sarbanes-Oxley Act in 2002, after the profession concluded that a firm cannot objectively test its own recommendations. An information barrier does not address it, because the barrier separates two teams within a single partnership whose profits are shared.
What independence standards apply to sustainability assurance?
The IESBA's International Ethics Standards for Sustainability Assurance, including International Independence Standards, were issued in January 2025 and are generally effective for assurance engagements on sustainability information reported for periods beginning on or after 15 December 2026 — the same date as ISSA 5000. They apply profession-agnostically to all sustainability assurance practitioners. ISSA 5000 itself requires the practitioner to comply with relevant ethical requirements including independence.
What independence rules apply to certification bodies?
ISO/IEC 17021-1, the accreditation standard for management system certification bodies, requires impartiality, requires that threats to impartiality be identified and managed, and constrains the provision of management system consultancy to certification clients. ISO/IEC 17029 imposes equivalent requirements on validation and verification bodies. Both are enforced by the accreditation body, which audits the certification body's decisions — which is why accreditation rather than contract is the operative control.
Why do audit committees miss the advisory-assurance conflict?
Four reasons. The independence framework for sustainability assurance is unfamiliar, and most committees have not been told it exists. Advisory and assurance are purchased through different procurement channels — strategy buys the advice, finance buys the assurance — so no one person observes both contracts. The conflict is presented as domain expertise, when knowing the data because you built it is precisely what disqualifies you from testing it. And the provider earning both fees has no commercial interest in explaining that earning both fees is the problem.
What single question best exposes a lack of independence?
In the last twenty-four months, how many times has your firm issued a qualified conclusion, raised a major non-conformity, or withheld a certificate? A provider that has never issued an adverse outcome has not been performing assurance. The number is a matter of record, and a provider unwilling to supply it has answered the question.
What does independence cost the client?
An independent provider does not already know your data, so the engagement takes longer and the first cycle produces findings a familiar provider would have resolved quietly. The relationship is less comfortable, because there is no partner who will call the CFO before writing something difficult. What the organisation is buying is the possibility of an unwelcome answer, and it will occasionally receive one. That possibility is the product; every other feature of the engagement is packaging.
References and sources
IESBA, International Ethics Standards for Sustainability Assurance (including International Independence Standards), issued January 2025; generally effective for assurance engagements on sustainability information reported for periods beginning on or after 15 December 2026.
IAASB, ISSA 5000, General Requirements for Sustainability Assurance Engagements, issued November 2024; effective for periods beginning on or after 15 December 2026. Requires compliance with relevant ethical requirements, including independence.
Sarbanes-Oxley Act of 2002, section 201 — prohibited non-audit services.
Directive 2006/43/EC on statutory audits, as amended, and Regulation (EU) No 537/2014 on statutory audit of public-interest entities, including audit firm rotation.
ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems: impartiality requirements and constraints on management system consultancy.
ISO/IEC 17029:2019, Conformity assessment — General principles and requirements for validation and verification bodies.
Speeki, The Non-Financial Audit Function (Series 1, Paper 01) and The Plan That Survives the Deadline (Series 1, Paper 02), July 2026.
About Speeki
Speeki is an accredited ESG assurance and certification body operating in more than 100 countries. Speeki provides management system certification, verification and validation, and sustainability assurance. Speeki does not provide consulting services. Its independence is structural.
For current details of Speeki's accreditations and their scope, please refer to speeki.com.
© 2026 Speeki. This paper is provided for general information and does not constitute legal, accounting or assurance advice.