The Request the Company Was Not Prepared For

The investor relations manager of a Caribbean conglomerate listed on a regional stock exchange received an email from the portfolio manager of an institutional investor that held approximately six per cent of the company’s outstanding shares. The portfolio manager’s fund had recently adopted an enhanced due diligence framework for its Caribbean holdings, and the email contained three requests that the investor relations manager had never received before.

First, the portfolio manager requested a copy of the company’s most recent ESG report, with specific attention to the company’s climate risk disclosures, its carbon footprint measurement, its workforce diversity data, and its community impact assessment. Second, the portfolio manager requested evidence that the company’s cybersecurity posture had been independently assessed, including the scope and findings of any penetration testing, the status of the company’s incident response plan, and the board’s oversight arrangements for technology risk. Third, the portfolio manager requested independent assurance over the company’s non-financial disclosures — specifically, a report from a qualified assurance provider confirming that the ESG data the company published was reliable, that the measurement methodologies were appropriate, and that the disclosures were consistent with an established reporting framework.

The investor relations manager forwarded the email to the CFO. The CFO’s assessment was swift: the company could not respond to any of the three requests in a manner that would satisfy the institutional investor. The company had no ESG report. Its annual report contained a two-paragraph corporate social responsibility statement that described a scholarship programme and a beach cleanup initiative, but no quantitative data on emissions, water usage, waste, workforce composition, or community investment. The company had never obtained an independent cybersecurity assessment. Its IT function managed security operationally, but no external evaluation of the company’s cybersecurity posture had ever been conducted, and the board received no reporting on technology risk. And the company had never engaged an assurance provider to provide independent assurance over any non-financial information.

The institutional investor’s follow-up was measured but consequential: “We appreciate the company’s operational performance. However, in the absence of independently assured non-financial disclosures, we are unable to assess the sustainability of that performance. Our enhanced due diligence framework requires visibility into the non-financial risks and opportunities that increasingly determine long-term enterprise value. We will revisit our position when the company is able to provide the information our framework requires.”

The portfolio manager did not sell the existing position. But the fund’s planned increase in its holding — an additional investment of approximately US$3.2 million — was deferred indefinitely. The company’s inability to provide non-financial assurance had a quantifiable cost in capital that was not deployed.

This fictional scenario, while not attributable to any specific Caribbean listed company, reflects a rapidly emerging reality across the region. The scope of what stakeholders — investors, regulators, lenders, rating agencies, and business partners — expect to be independently assured is expanding beyond the traditional financial statements. ESG performance, cybersecurity posture, regulatory compliance, supply chain sustainability, and data governance are all entering the domain of independent assurance, and Caribbean enterprises that cannot provide this assurance are beginning to experience tangible commercial consequences.

The Expanding Scope of Assurance

For most of the history of the audit profession, independent assurance meant one thing: the financial statement audit. The auditor examined the financial statements and provided an opinion on whether they presented a true and fair view. Every other dimension of the enterprise’s operations, performance, and risk was outside the scope of independent assurance.

That paradigm is changing. Stakeholders are demanding independent assurance over information that extends far beyond the financial statements, driven by the recognition that financial performance alone does not provide a complete picture of enterprise value, risk, or sustainability.

ESG and Sustainability Assurance: The International Sustainability Standards Board’s IFRS S1 and S2 standards are establishing a global framework for sustainability-related financial disclosures, and assurance over those disclosures is following closely. The International Auditing and Assurance Standards Board is developing a sustainability assurance standard — the International Standard on Sustainability Assurance — that will provide the framework for independent assurance over sustainability information. Major stock exchanges worldwide are progressively requiring or encouraging sustainability disclosures with independent assurance. For Caribbean enterprises, the trajectory is clear: sustainability disclosures will become expected, and independent assurance over those disclosures will become the standard for credibility. The Jamaica Stock Exchange has already signalled its interest in governance and sustainability reporting, and institutional investors — as the opening scenario illustrated — are not waiting for regulatory mandates.

Cybersecurity Assurance: The increasing frequency and severity of cyber incidents have created demand for independent assurance over enterprise cybersecurity posture. Cybersecurity attestation engagements — typically conducted under ISAE 3000 or the AICPA’s SOC for Cybersecurity framework — provide stakeholders with independent confirmation that the enterprise has implemented cybersecurity risk management processes, that those processes are designed effectively, and that they are operating as intended. For Caribbean financial institutions, offshore service providers, and enterprises that handle sensitive client data, cybersecurity assurance is moving from a differentiator to a baseline expectation. The cybersecurity series documented the increasing regulatory and commercial pressure on Caribbean enterprises to demonstrate their cybersecurity governance.

Regulatory Compliance Assurance: Caribbean regulators are increasingly requiring or requesting independent assurance over specific aspects of regulatory compliance. Anti-money laundering compliance, prudential reporting, insurance solvency calculations, and pension fund administration are all areas where regulators may require or benefit from independent verification that the enterprise’s compliance processes are operating effectively. These assurance engagements go beyond the scope of the financial statement audit and require specialist knowledge of the regulatory framework and the compliance processes being assessed.

Internal Controls Assurance: While the standard financial statement audit evaluates internal controls only to the extent necessary for audit planning purposes, separate assurance engagements over internal controls — commonly known as SOC 1 or SOC 2 reports in the AICPA framework, or conducted under ISAE 3402 internationally — provide independent assurance that an organisation’s internal controls over financial reporting, data security, availability, processing integrity, confidentiality, or privacy are suitably designed and operating effectively. For Caribbean enterprises that provide outsourced services — fund administration, payroll processing, IT hosting, business process outsourcing — SOC reports are increasingly required by their clients and their clients’ auditors.

Supply Chain and Third-Party Assurance: As global supply chains face increasing scrutiny for environmental practices, labour standards, and ethical sourcing, assurance over supply chain sustainability is emerging as a stakeholder expectation. Caribbean enterprises that participate in international supply chains — particularly in agriculture, manufacturing, and tourism — may face requests from international partners for independent verification of their environmental and social practices. This assurance extends beyond the enterprise’s own operations to its supply chain, creating a cascade of assurance requirements that Caribbean enterprises must anticipate and prepare for.

The Assurance Framework: ISAE 3000 and Beyond

Non-financial assurance engagements are conducted under established professional standards that provide the methodology, quality requirements, and reporting framework for independent assurance over subject matters other than historical financial statements.

ISAE 3000 (Revised): The International Standard on Assurance Engagements 3000 is the overarching standard for assurance engagements on subject matters other than historical financial information. It provides the framework for ESG assurance, compliance assurance, internal controls assurance, and any other engagement where a practitioner provides a conclusion on a subject matter against identified criteria. ISAE 3000 engagements can provide either reasonable assurance (the same level as a financial statement audit) or limited assurance (a lower level that provides a negative conclusion — “nothing has come to our attention” — based on less extensive procedures). Caribbean enterprises entering the non-financial assurance space typically begin with limited assurance and progress to reasonable assurance as their data quality, processes, and reporting maturity improve.

ISAE 3402: The International Standard on Assurance Engagements 3402 applies specifically to assurance over controls at a service organisation. It is the standard under which SOC 1 reports are issued internationally, providing assurance to the clients of service organisations that the service organisation’s controls over financial reporting are suitably designed and operating effectively. For Caribbean BPO providers, fund administrators, and IT service companies, ISAE 3402 reports are increasingly a commercial necessity.

The Emerging Sustainability Assurance Standard: The IAASB’s International Standard on Sustainability Assurance, currently in development, will provide the specific framework for assurance over sustainability disclosures prepared under the ISSB standards and other sustainability reporting frameworks. Caribbean enterprises and assurance providers should monitor this standard’s development and prepare for its adoption, as it will define the methodology and quality requirements for the sustainability assurance engagements that institutional investors and regulators will increasingly expect.

The Caribbean Readiness Gap

Caribbean enterprises face a readiness gap in non-financial assurance that mirrors the gaps documented throughout this series in audit committee effectiveness, internal audit capability, and technology adoption.

Data Infrastructure: Non-financial assurance requires data — reliable, consistent, measurable data on ESG metrics, cybersecurity controls, compliance processes, and operational performance. Many Caribbean enterprises lack the data infrastructure to produce the information that assurance engagements require. Carbon emissions are not measured. Workforce diversity data is not systematically collected. Cybersecurity incident metrics are not tracked. Compliance testing results are not documented in auditable form. Building the data infrastructure for non-financial assurance is a prerequisite that Caribbean enterprises must invest in before engaging an assurance provider.

Reporting Frameworks: Non-financial assurance requires that the subject matter be measured and reported against identified criteria — a reporting framework that defines what is measured, how it is measured, and how it is disclosed. Caribbean enterprises that want their ESG disclosures to be independently assured must adopt a recognised reporting framework — the ISSB standards, the GRI Standards, or another framework that provides the criteria against which the assurance provider can assess the disclosures. Without a framework, there is nothing to assure against.

Governance Structures: Non-financial assurance requires governance structures that parallel those for financial reporting: board-level oversight, management accountability, internal controls over non-financial information, and quality assurance processes that ensure the reliability of the data before it reaches the assurance provider. The audit committee’s mandate should extend to oversight of non-financial reporting and assurance, ensuring that the same governance rigour applied to financial statements is applied to ESG disclosures, cybersecurity reporting, and other non-financial information.

Assurance Provider Capability: Not all audit and assurance firms have the capability to provide non-financial assurance. ESG assurance requires knowledge of sustainability frameworks, emissions measurement methodologies, and social impact assessment. Cybersecurity assurance requires understanding of cybersecurity frameworks, penetration testing, and IT governance. Caribbean enterprises seeking non-financial assurance should engage providers with demonstrated capability in the specific subject matter being assured.

Dawgen Global’s Expanded Assurance Services

Dawgen Global has expanded its assurance practice beyond the traditional financial statement audit to provide Caribbean enterprises with the full spectrum of assurance services that modern stakeholders expect.

ESG and Sustainability Assurance: Dawgen Global provides limited and reasonable assurance over ESG and sustainability disclosures prepared under the ISSB standards, the GRI Standards, and other recognised frameworks. Our ESG assurance engagements evaluate the reliability of the enterprise’s ESG data, the appropriateness of its measurement methodologies, and the consistency of its disclosures with the adopted framework. For enterprises that have not yet adopted a reporting framework, Dawgen Global provides advisory services to support framework selection, data infrastructure development, and reporting maturity building.

Cybersecurity Attestation: Dawgen Global provides independent cybersecurity assurance engagements under ISAE 3000, evaluating the enterprise’s cybersecurity risk management processes, the design and operating effectiveness of cybersecurity controls, and the governance arrangements for technology risk. Our cybersecurity assurance team combines audit methodology expertise with the technical cybersecurity knowledge documented in the From Breach to Boardroom cybersecurity series.

Regulatory Compliance Assurance: Dawgen Global provides assurance over specific aspects of regulatory compliance, including AML/CFT compliance, prudential reporting, insurance solvency, and pension fund administration. These engagements are designed to meet the expectations of Caribbean financial regulators and to provide boards and audit committees with independent confirmation that the enterprise’s compliance processes are operating effectively.

SOC and Internal Controls Reporting: Dawgen Global provides ISAE 3402 and SOC reporting for Caribbean service organisations, delivering the independent assurance that their clients and their clients’ auditors require over the design and operating effectiveness of internal controls. Our SOC reporting capability supports Caribbean BPO providers, fund administrators, IT service companies, and other service organisations that need to demonstrate control quality to their stakeholders.

Assurance Readiness Advisory: Dawgen Global helps Caribbean enterprises prepare for non-financial assurance by assessing their data infrastructure, governance structures, and reporting processes against the requirements of the applicable assurance standards. Our Assurance Readiness Assessment identifies the gaps between the enterprise’s current state and assurance readiness, and produces a practical roadmap for closing those gaps.

Assurance as Competitive Advantage

The fictional conglomerate that lost a US$3.2 million investment because it could not provide independently assured non-financial disclosures experienced a consequence that is still relatively rare in the Caribbean — but will become increasingly common. The institutional investors, development finance institutions, international lenders, and multinational partners that Caribbean enterprises engage with are progressively integrating non-financial assurance into their due diligence frameworks. The enterprise that can demonstrate independently assured ESG performance, cybersecurity governance, and compliance effectiveness has an advantage over competitors that cannot.

This advantage extends beyond investor relations. Regulatory examinations are increasingly incorporating non-financial dimensions — cybersecurity governance, AML compliance effectiveness, and operational resilience. Business partners are requesting evidence of supply chain sustainability and data protection. Rating agencies are integrating ESG and governance factors into their assessments. The enterprises that invest in non-financial assurance are not merely satisfying a current requirement — they are building the infrastructure that positions them for the stakeholder expectations of the next decade.

The expansion of assurance beyond the financial statements is not a departure from the audit profession’s core mission. It is an evolution of that mission — extending independent, objective assurance to the dimensions of enterprise performance and risk that modern stakeholders need visibility into. Caribbean enterprises that embrace this evolution will find that assurance, far from being a compliance cost, is a governance capability that strengthens trust, attracts capital, and creates competitive advantage.

Prepare for the Assurance Future

Dawgen Global invites Caribbean enterprises to assess their readiness for the expanding scope of assurance. Whether you are responding to an investor request for ESG assurance, preparing for a regulatory expectation of compliance attestation, or positioning your enterprise to demonstrate governance quality to international partners, our Assurance Readiness Assessment provides the starting point.

Request a proposal for Dawgen Global’s Assurance Readiness Assessment and Expanded Assurance Services. Email [email protected] or visit www.dawgen.global to begin the conversation.

DAWGEN GLOBAL | Big Firm Capabilities. Caribbean Understanding.


About Dawgen Global

Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a stepping stone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.


WhatsApp Global: +1 555-795-9071

Caribbean Office: +1876-6655926 / 876-9293670 / 876-9265210

USA Office: 855-354-2447

Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements.

by Dr Dawkins Brown

Dr. Dawkins Brown is the Executive Chairman of Dawgen Global, an integrated multidisciplinary professional service firm. Dr. Brown earned his Doctor of Philosophy (Ph.D.) in the field of Accounting, Finance and Management from Rushmore University. He has over twenty-three (23) years of experience in the field of audit, accounting, taxation, finance and management. Starting his public accounting career in the audit department of a “big four” firm (Ernst & Young), and gaining experience in local and international audits, Dr. Brown rose quickly through the senior ranks and held the position of Senior Consultant prior to establishing Dawgen.


Dawgen Global is an integrated multidisciplinary professional service firm in the Caribbean Region. We are integrated as one Regional firm and provide several professional services including: audit, accounting, tax, IT, risk, HR, performance, M&A, corporate recovery and other advisory services.


© 2023 Copyright Dawgen Global. All rights reserved.
