Prior to CSRD, external assurance was voluntary, but this will change. While some large companies provided reports based on the limited assurance requirements from ISAE3000 – a standard framework for non-financial reporting – most haven’t had to or chosen to provide assurance. Under the ISAE3000, there are two levels of assurance: limited and reasonable. Reasonable provides more assurance than limited, with the latter providing a “moderate” level, meaning there’s a limited amount of testing and a heavy reliance on inquiry and review.
CSRD reports must be assured by an external party. Initially, limited assurance will be sufficient, but reasonable assurance will likely be required further down the road. A new sustainability assurance standard is currently under consultation, and the EU may develop its own standard, so the exact requirements are still not clear.
Internal audit as an enabler
There isn’t a cookie-cutter solution on what role internal audit can (or will) play in your organization’s CSRD implementation. It’s important to be flexible and look for opportunities to add value. Internal auditors are working in an environment with a lot of uncertainty. However, because implementation deadlines are short, there’s no time for resolution before taking action, both as an organization and internal audit function. CSRD provides a tremendous opportunity for internal auditors to support their organizations by identifying risks, putting effective controls in place, and understanding the impact on your corporate reporting and sustainability strategies.
Stakeholders will likely be watching CSRD reporting closely, particularly if you’re in a high-risk industry, so it’s critical to get it right. Non-compliance is a key risk. Inaccurate, incomplete, or misleading reporting will have a reputational impact. Although organizations have reported financial data for decades, sustainability reporting is new. However, the development of the control framework should remain the same: establish controls, map data back to sources, and generate an audit trail. Internal audit can follow a similar approach to auditing financial or other external reporting.
Additionally, there may be some growing pains with immature systems and an over-reliance on spreadsheets and other manual processes as organizations familiarize themselves with providing data suitable for CSRD reporting, primarily if the reporting uses multiple frameworks.
Overall, ESG and the Corporate Sustainability Reporting Directive present an opportunity for internal audit to make an impact and raise its profile as a trusted advisor by using existing skill sets to offer critical support during these uncertain times.