Mastering CSRD Audit-Readiness: A Comprehensive Guide

As companies work towards Corporate Sustainability Reporting Directive (CSRD) compliance, ensuring that double materiality assessments, data collection, and reporting are audit-ready is critical.

Starting January 1st, 2025, CSRD compliance will be phased in. From their first report, companies must undergo limited assurance auditing by an approved third party. This requires companies to ensure their data is fully auditable to maintain compliance and avoid penalties.

Although each member state will transpose the auditing and assurance part of the European Sustainability Reporting Standards (ESRS) differently, there are general best practices that will help companies prepare regardless of the member state they are based. This article provides an overview of the assurance requirements of the CSRD, the challenges businesses are likely to face, and the best practices companies should take to become CSRD audit-ready.

CSRD Overview: The New Standard for Sustainability Reporting

The CSRD is the world’s most extensive and far-reaching mandatory sustainability reporting framework globally. It will require more than 50,000 companies to report against 1,144 sustainability data points based on a double materiality assessment.

From 2025, the CSRD will take over from the EU’s existing sustainability reporting framework, the Non-Financial Reporting Directive (NFRD), and will be phased in as per the following timeline:

• 2025: Companies currently reporting under the NFRD will transition to reporting on their FY2024 data.
• 2026: Large undertakings (meets 2 of 3: 250+ employees, €50M+ revenue, €25M+ assets) will start reporting based on their FY2025 data.
• 2027: EU-listed small and medium enterprises (SMEs) will begin disclosing their FY2026 data using a lighter version of the ESRS.
• 2029: Non-EU businesses generating €150 million or more in EU net revenue, or with a branch generating €40 million in revenue over the past two consecutive years will start reporting FY2028 data using the lighter version of the ESRS.

Assurance is required the first time these companies’ report, and therefore audit readiness is a necessary part of compliance and something all companies will need to prepare for regardless their reporting deadline.

The Importance of CSRD Audit Readiness

Limited assurance is a critical part of CSRD compliance. Without ensuring audit readiness, inaccuracies and missteps in the process could cost additional time and result in non-compliance penalties.

Enforcement of CSRD non-compliance is up to each member state and how they choose to transpose it into their national law. So far, punishments in member states have ranged from criminal charges to fines. Following are examples of how some states will penalize non-compliance:

• France: Criminal charges of up to €75,000 and five years in prison.
• Finland: Companies will face late filing fees and fines for non-compliance.
• Sweden: Non-compliance can result in individual board members being liable, which can lead to fines or imprisonment.

Key CSRD Audit Requirements

Companies must conduct limited assurances to ensure the reliability and validity of their sustainability reporting under the CSRD. Depending on the member state, companies will have between 4 and 6 months to submit their report and complete their assurance.

Although requirements differ from state to state, some key requirements are common to all:

• Double Materiality Assessment: The double materiality process is essential as it defines all data that must be collected. Documentation of how it was conducted, the stakeholders involved, the process of deciding whether something is material or not, and any supporting scientific material will be a critical starting point for the auditor.
• GHG Emissions: GHG emissions and other climate data will be material to every company. They will be some of the most complex data to collect, calculate, and report, and therefore, they will require robust data and metadata.

Who is Eligible to Conduct a CSRD Audit

Each EU member state defines who is eligible to conduct a CSRD audit, provided they are an accredited independent third-party auditor and meet CSRD requirements, which are laid out in the EU’s Audit Directive. Following are some examples of how member states define whether an independent third party is eligible to conduct a third-party audit:

• Ireland: Ireland created their own assurance standards and will have auditors apply for approval to act as a sustainability assurance service provider, give them instructions on how to use their standards, and set up a governing body to oversee the assurance process.
• Croatia: Croatia changed their Audit Act to include guidance on verifying third-party sustainability auditors and added fines for audit firms ranging from €2,650 – €106,000, depending on the size of the auditing firm and infraction, which can include unaccredited or inaccurate auditing services.
• Denmark: The Danish government established a system where third-party auditors are verified; just as financial auditors are currently accredited. They must pass a test, register with the Danish Business Authorities (DBA), and be appointed at a general meeting of the DBA by a majority vote.

Where governments do not set their own standards for CSRD audit assurance, they can use existing standards, typically the ISSA3000 (ISSA5000).

ISSA 3000 (ISSA 5000)

The International Auditing and Assurance Standards Board (IAASB) created the International Standard on Sustainability Assurance (ISSA) 5000 as an upgrade from the ISSA 3000 in response to the assurance requirement in new sustainability reporting mandates, like the CSRD and others.

The ISSA 5000 is designed to be more flexible and adaptable than the ISSA 3000, considering the range of companies, industries, geographies, and frameworks to which it will be applied. This flexibility will be essential in the context of the CSRD as it allows auditors to use a set of principles rather than strict rules to conduct assurances on the range of companies the CSRD will affect.

When the full guidance for ISSA 5000 is released in January 2025, it will be the most commonly used standard for CSRD assurances up until the EU releases its own standard in October 2026.

Understanding CSRD Assurance Levels: Limited vs. Reasonable

From the time of their first report, companies will be expected to obtain limited assurances as defined by the member states until the EU releases a limited assurance standard on October 1st, 2026. After this, EU-wide companies will be expected to use that standard for consistency and comparability.

The EU expects to move from limited assurance to reasonable assurance in 2028 based on a feasibility assessment of companies and auditors’ experience with limited assurance.

CSRD Assurance Timeline

• January 1, 2025: Companies will conduct limited assurance as defined by their member state
• October 1, 2026: The EU will release a limited assurance standard for EU-wide use
• October 1, 2028: The EU plans to release an EU-wide reasonable assurance standard (pending a feasibility assessment)

What is Limited Assurance?

The CSRD defines limited assurance as a conclusion that is “provided in a negative form of expression by stating that the practitioner has identified no matter to conclude that the subject matter is materially misstated.”

This means it requires fewer in-depth tests and questions than reasonable assurance, requiring less cost, time, and effort.

What is Reasonable Assurance?

Reasonable assurance, on the other hand, is described as a conclusion “provided in a positive form of expression and results in providing an opinion on the measurement of the subject matter against previously defined criteria.”

It requires much more in-depth procedures and considerations. This means that companies need to spend much more time on their internal controls, and auditors would need substantial levels of testing, which would, therefore, be more costly and timely. This is why the CSRD is considering the feasibility of a reasonable level of assurance before committing to it.

Top Challenges Companies Face in CSRD Assurance

The CSRD compliance process is complex, particularly for first-time reporters. Assurance represents a particular challenge as it requires proper management and recording of data throughout the reporting process. The following are the biggest challenges that companies will face to become audit-ready.

• Reporting Complexity: Every part of the CSRD compliance reporting journey is complex, from the double materiality assessment, which is a critical component of the assurance audit, to all the data collection calculations across the company’s operations and particularly within its value chain.

• Data Governance: With 1,144 data points to report against, how the undertaking manages data will be critical to reporting and obtaining assurance on that data for compliance. Companies will have to set up strong internal controls and governance over data.

• Data Silos: The information required for CSRD reporting often resides in different systems, departments, and forms across the company’s operations and value chain. Breaking down these silos to integrate data into a cohesive report is another major challenge. A central data suppository where data can be effectively managed, sorted, and found will be critical for saving time for the reporting and auditing process.

• Costs: The assurance costs are expected to be relatively high due to the complexity and amount of data that has to be audited. They also vary depending on company size and whether companies are listed or non-listed. And, if the CSRD does move to reasonable assurance, the cost per company will more than double each year. EFRAG estimates that for listed companies starting in 2025, the first-year limited assurance costs will range between €108,000 and €162,000. For reasonable assurance, the cost increases to €246,000 – €394,000.

While these all represent obstacles for reporters, conducting best practices to ensure audit readiness will mitigate these challenges.

Get CSRD audit ready today with Good.Lab →

Steps to Master CSRD Audit Readiness

To overcome some of the challenges in preparing for a compliant CSRD audit, reporters must focus on data management and the double materiality assessment process. In managing these processes, reporting companies should have all the documentation they need to fulfill assurances.

The following are best practices for companies to ensure CSRD reporting is audit ready:

1.     Understand the CSRD Requirements

Understanding what your reporting requirements are under the CSRD, when, and what you must report. The requirements for assurance and potential penalties for non-compliance in your member state are a critical first step.

2.     Get the Double Materiality Assessment Right

The double materiality assessment process is an essential first step in the CSRD reporting process that helps you to know which data points you should be reporting against. How it is conducted, who the stakeholders are, and other qualitative and quantitative information that went into determining whether IROs are material will have to be documented for an auditor to review.

The process involves using stakeholder engagements as well as other quantitative and qualitative data to identify impacts, risks, and opportunities (IROs) across your company’s operations and value chains. The identified IROs are then assessed for materiality, if they meet certain thresholds.

Auditors will be looking for the following details from the materiality assessment process:

• The process of finding and assessing IROs.
• Any dialogue held with stakeholders through transcriptions, meeting minutes, emails, or questionnaires.
• The due diligence process for determining what is material in the value chain.
• The process by which management decides whether an IRO is material, such as how thresholds were determined for each IRO.

A software-based double materiality assessment will be the simplest way to ensure all this data is captured, as it automates the process and provides a data trail for everything an auditor can review.

Learn how Good.Lab’s CSRD-aligned double materiality assessment simplifies CSRD reporting →

3.     Data Quality, Management, and Verifiability

The ESRS has 12 separate standards and more than 1,100 data points to report against, so your company will need a strategy for data management and governance.

Some of these data points, like diversity numbers, company social policies, energy use, and resources used, will be quite easily accessed. However, other data like value chain emissions (Scope 3), workers in the value chain, and deforestation figures may be more complex to collect, manage, and verify.

Ensuring you have a central data hub, and someone designated to manage it will be essential. To streamline the full process, a CSRD software solution can provide the following benefits:

• Reduce the chances of human error in calculations
• Verify data with traceable metadata
• Provide safe and reliable data and documentation storage in any necessary form
• Help you to maintain compliance as CSRD changes with continual updates
• Auditor platform access for a collaborative and continual review process

4.     Ensure You are Meeting the CSRD Minimum Requirements

To become CSRD compliant, you must ensure that your company data meets the minimum requirements to pass a limited assurance test. For example, to meet the minimum requirements for a limited assurance audit of a GHG emissions data point, you must show the activity and geo-location data that produced the emissions.

It is also beneficial to know where estimates are allowed under the CSRD, and what supporting evidence is required. The two areas estimates are important are in value chain data reporting and future-looking data, such as scenario analyses.

• Value chain Estimates: Estimate for upstream and downstream value chain data when the reporting company does not have access to accurate data. They can use sector-average data, providing they provide the metrics, how they were prepared, the level of accuracy, and plans to increase accuracy in future reporting.
• Future-looking data Estimates: Future-looking data like climate risk assessments under different scenarios also allows for estimates and reasonable assumptions provided the reporting entity accurately describes and explains the uncertainty around the estimates.

Knowing the minimum requirements for data collection will help ensure that data does not need to be collected twice and that companies are not collecting unnecessary, unrequired data.

5.     Obtain Internal and Interim Audits

Working with your assurance provider early on can reduce the risks of missing any data points or supporting documentation. Conducting internal and interim audits will also help reduce those risks, ensuring audit readiness when the time comes.

• Internal Audits: Assign an internal auditing team that will periodically (once a quarter) ensure that all documentation is up to date, organized, and correct.
• Interim Audits: At the Q3 stage, ensure that all data from Q1-Q3 is accurate and will pass a limited assurance audit. It will give companies time to make any adjustments before the full audit is conducted.

Both will help identify gaps in the assurance process to ensure they can be filled when the time comes.

6.     Make Your Report and Get Your Auditor to Review it

Once you have all your material data, put it in your annual report in both the human-readable (XHTML) and machine-readable (XBRL) formats as required by the European Single Electronic Format (ESEF). And ensure all supporting documentation is well organized for the auditing process.

Share this report and supporting documentation with your assurance provider and considering you have been working throughout the year with this provider, you should have no issues with meeting your limited assurance needs.

Simplify CSRD Audit Compliance with Good.Lab

Navigating CSRD audit compliance can be complex, but the right tools make all the difference. Good.Lab’s software streamlines data management, offering real-time access to auditors, ensuring transparency throughout the year, and helping to identify and resolve any gaps early on.

Our sustainability software platform, built on deep expertise in CSRD, empowers companies to:

• Conduct thorough CSRD-aligned double materiality assessments, with all documentation securely stored for auditing.
• Centralize data, metadata, and supporting documents in a single hub, eliminating silos and simplifying data retrieval for seamless reporting.
• Address complex data challenges like GHG accounting with ease, reducing the risk of errors and ensuring audit-ready reporting.

Achieving audit-readiness is essential for CSRD compliance. With Good.Lab’s tools and expertise, you can turn compliance into a smooth, efficient process. Get in touch today for a demo of our CSRD audit-readiness solutions and see how we can support your journey.