Key Takeaways
- Why G1 is likely material for almost every company in scope of CSRD, regardless of sector or risk profile
- What each of the six ESRS G1 disclosure requirements demands, with paragraph-level references
- What changed under the December 2025 Omnibus amendments, including the removal of governance duplications and the revised payment practices metrics
- How to handle the most common first-year challenge: a code of conduct that exists but produces none of the disclosures G1 demands
Why G1 is different from every other topical ESRS
Your client is a mid-sized Dutch engineering firm. The CFO tells you that ESRS G1 “doesn’t really apply” because the company has never had a corruption case. You pull up ESRS G1 paragraph 7 and find that the disclosure requirement covers corporate culture, whistleblower protection mechanisms, anti-corruption training coverage, political lobbying activities, and payment practices to SME suppliers. The client has a code of conduct that was last updated in 2019, no formal whistleblower channel beyond an open-door policy, and an average payment term to small suppliers of 67 days. G1 applies. The question isn’t whether the company has had incidents. It’s whether the company has the policies, mechanisms, and metrics to demonstrate how it conducts business.
ESRS G1 is the only governance topical standard. It sits alongside the five environmental standards (E1 through E5) and four social standards (S1 through S4), but it operates differently in two ways that affect how you plan your engagement.
First, G1 covers business conduct matters that apply to virtually every company. The standard’s scope (ESRS G1 paragraph 4) includes business ethics and corporate culture, anti-corruption and anti-bribery, whistleblower protection, animal welfare, management of supplier relationships (with a specific focus on payment practices to SMEs), and political influence including lobbying. A manufacturing company may conclude that ESRS E4 (Biodiversity) is not material because it has no sites near protected areas. It cannot credibly conclude that anti-corruption policies and payment practices are immaterial. The double materiality assessment for G1 will almost always identify at least one material sub-topic.
Second, G1 has significant overlap with ESRS 2 General Disclosures. The original 2023 ESRS G1 repeated governance, strategy, and risk management disclosures already required by ESRS 2. The December 2025 amended version deleted those duplications. Under the amended ESRS, companies follow ESRS 2 for general governance and management disclosures and apply G1 only for business conduct-specific elements. If your client’s sustainability statement was drafted under the original standard and has overlapping text in the ESRS 2 and G1 sections, the amended standard requires consolidation.
ESRS G1 draws on well-established international frameworks. The UN Convention against Corruption informs the anti-corruption requirements. The EU Whistleblower Protection Directive (Directive (EU) 2019/1937) informs the whistleblower provisions. The SFDR principal adverse impact indicator #15 (“Cases of insufficient action taken to address breaches of standards of anti-corruption and anti-bribery”) links directly to G1-4. For your engagement, these framework references give you external benchmarks to test the client’s disclosures against.
The six disclosure requirements in practice
G1-1: Corporate culture and policies on business conduct
ESRS G1 paragraph 7 requires the undertaking to describe its policies on business conduct matters. The disclosure must cover how the company establishes, develops, promotes, and evaluates its corporate culture. Paragraph 8 adds specific requirements: the mechanisms for identifying, reporting, and investigating concerns about unlawful behaviour or behaviour contradicting the code of conduct; and whether the company accommodates reporting from both internal and external stakeholders.
Where the undertaking has no anti-corruption or anti-bribery policies consistent with the UN Convention against Corruption, paragraph 8 requires the company to state this fact, say whether it plans to implement such policies, and provide an implementation timetable.
Whistleblower protection gets its own sub-requirements. The disclosure must cover the establishment of internal whistleblower reporting channels, training provided to staff who receive reports, and the protections in place for whistleblowers. Dutch companies are subject to the Wet bescherming klokkenluiders (the Dutch transposition of Directive 2019/1937), which requires companies with 50 or more employees to have an internal reporting channel. Your assurance procedures should verify that the channel described in the sustainability statement actually exists and is operational, not just that a policy document references it.
ESRS G1 AR 1 (application requirements) lists optional additional disclosures: the frequency with which the board discusses corporate culture, the principal themes promoted as part of corporate culture, and specific incentive structures that reinforce ethical behaviour. The amended ESRS moved most of these to non-mandatory illustrative guidance, but the core G1-1 requirements survived intact.
G1-2: Management of relationships with suppliers
ESRS G1 paragraph 13 requires disclosure of how the undertaking manages its relationships with suppliers, with specific attention to payment practices and their impacts on supplier welfare, particularly SMEs. ESRS G1 AR 2 defines “management of relationships” to include the undertaking’s approach to sustainable procurement, fair treatment of suppliers, and the consideration of suppliers’ dependencies on the undertaking.
ESRS G1 AR 3 defines “vulnerable suppliers” as those exposed to significant economic, environmental, or social risks because of their relationship with the undertaking. For a large Dutch manufacturer, vulnerable suppliers might include small, single-client subcontractors in the value chain who lack bargaining power. The disclosure should address whether the company has identified such suppliers and what it does to avoid exploiting the power imbalance.
This is the G1 disclosure requirement where the gap between “what the standard asks” and “what companies actually have” is smallest. Most companies have procurement policies, supplier codes of conduct, and onboarding processes. The question is whether those existing processes produce the specific disclosures G1-2 requires. Check whether the client’s procurement policy explicitly addresses payment terms for SMEs (this links to G1-6 metrics) and whether it covers how the company identifies and manages supplier dependency risks.
G1-3: Prevention and detection of corruption and bribery
ESRS G1 paragraph 17 requires disclosure of the undertaking’s anti-corruption and bribery prevention system. This includes the scope of the system (which functions and geographies it covers), the identification of “functions-at-risk” (defined in AR 4 as functions deemed to be at risk of corruption and bribery), and the training provided to those functions.
Paragraph 19 requires quantitative data: the percentage of functions-at-risk covered by the anti-corruption training programme. This is one of G1’s few hard metrics. The denominator is all functions the company has identified as at-risk; the numerator is those that received training in the reporting period. If the client has not formally identified its functions-at-risk, this metric cannot be calculated, and the gap should be flagged.
The anti-corruption disclosure requirement also connects to the SFDR. The SFDR principal adverse impact indicator #15 specifically references cases of insufficient action taken to address breaches of anti-corruption and anti-bribery standards. Financial market participants looking at your client’s sustainability statement will check G1-3 disclosures as part of their PAI reporting.
G1-4: Confirmed incidents of corruption or bribery
ESRS G1 paragraph 22 requires the undertaking to disclose confirmed incidents of corruption or bribery during the reporting period. The disclosure covers the number of convictions for violation of anti-corruption and anti-bribery laws, the amount of fines incurred, and any actions taken to address breaches.
If the undertaking has had no confirmed incidents, the disclosure is straightforward: a statement that no incidents occurred. But “no incidents” requires a functioning detection system. If the client has no whistleblower channel, no internal investigation procedure, and no monitoring of high-risk functions, a claim of “no incidents” is less credible. Your assurance procedures should assess whether the client has detection mechanisms in place, not just whether incidents were detected.
ESRS G1 paragraph 23 adds that disclosures about incidents should include only those involving actors in the value chain where the company or its employees are directly involved. If a client’s supplier was convicted of bribery in a jurisdiction where the client operates, but the client had no involvement, that incident falls outside G1-4’s scope.
G1-5: Political influence, including lobbying
ESRS G1 paragraph 27 requires the undertaking to disclose its activities related to political influence, including lobbying. Paragraph 29 specifies the information to be provided: the financial and in-kind political contributions made (aggregated by country and type of recipient), the main topics covered by lobbying activities, and the alignment between the company’s public statements on sustainability matters and its political engagement positions.
AR 14 and AR 15 provide an illustrative example of how this disclosure might look, including a table showing amounts spent on lobbying by topic and jurisdiction. For most mid-sized Dutch companies, lobbying is limited to industry association memberships. The disclosure should state the monetary value of association fees where those associations engage in political advocacy, and the main regulatory topics those associations lobby on.
The alignment requirement in paragraph 29(c) is the sharpest part of this disclosure. It asks the undertaking to demonstrate that its lobbying positions are consistent with its stated sustainability commitments. If the client’s sustainability statement says it supports the EU Green Deal but its industry association lobbied against the CSRD scope expansion, that inconsistency is a disclosure point.
G1-6: Payment practices
ESRS G1 paragraph 33 requires the undertaking to disclose its payment practices, with particular attention to late payments to SMEs. The original standard required the average time to pay an invoice. The amended ESRS removed this metric. The December 2025 technical advice replaced it with entity-specific disclosures on late payments to SMEs, supported by a new Application Requirement providing methodological guidance.
What remains in G1-6 includes the undertaking’s standard contractual payment terms (disaggregated by category if they vary), and the number or percentage of payment transactions that are paid past the contractual due date. ESRS G1 AR 16 notes that the standard contractual terms may differ significantly from actual payment behaviour, and requires the undertaking to address this gap if it exists.
For your engagement, G1-6 produces testable data. You can verify contractual payment terms against standard supplier contracts. You can verify actual payment times against the accounts payable ledger. If the standard term is 30 days but the client’s average actual payment is 67 days, that discrepancy needs to appear in the disclosure. The EU Late Payment Directive (Directive 2011/7/EU) caps payment terms at 60 days for B2B transactions and 30 days for public authorities. If the client’s actual payment behaviour exceeds these limits, the G1-6 disclosure intersects with a legal compliance question.
What changed under the December 2025 Omnibus amendments
ESRS G1’s changes under the Omnibus simplification were less dramatic in percentage terms than the environmental standards, but structurally meaningful.
Duplications with ESRS 2 deleted. The original G1 repeated governance, strategy, and risk management process requirements already required by ESRS 2. The amended version makes explicit that companies should follow ESRS 2 for general governance disclosures and add G1 only for business conduct-specific content. If the sustainability statement previously had identical governance text in both the ESRS 2 and G1 sections, the amended standard eliminates this. Clients can consolidate into a single governance section with cross-references.
Average invoice payment time removed from G1-6. EFRAG’s December 2025 technical advice deleted the metric requiring average time to pay an invoice. The replacement is an entity-specific disclosure on late payments to SMEs, with new Application Requirements providing methodological guidance. This change reflects feedback from Wave 1 reporters that the original metric was difficult to calculate accurately (particularly where payment systems use different date fields for invoice receipt versus payment initiation) and that the metric was not comparable across companies.
Voluntary datapoints eliminated. All “may disclose” content in G1 was either deleted or moved to non-mandatory illustrative guidance (NMIG). The AR provisions that previously provided optional disclosures on corporate culture, training, and supplier relationship details are now guidance rather than standard text. The mandatory core requirements remain unchanged.
No targets required. Neither the original nor the amended ESRS G1 includes a specific disclosure requirement for targets related to business conduct. This is unusual across the ESRS set (most topical standards have a targets DR). PwC’s sustainability reporting guide (December 2024) confirms that no target-setting disclosure requirement exists in ESRS or ISSB standards specifically for business conduct. If your client has set voluntary targets (for example, “100% of at-risk functions trained by 2025”), they can disclose them under the general ESRS 2 GDR-T provisions, but they’re not required to.
Worked example: Veenstra Engineering B.V.
Client profile: Veenstra Engineering B.V. is an industrial equipment manufacturer based in Zwolle, Netherlands, with €78M revenue and 210 employees. The company exports to 14 countries, including markets with elevated corruption risk (Turkey, Nigeria, Indonesia). It uses 45 suppliers, of which 28 are SMEs. The company has a code of conduct from 2019 that references anti-corruption but provides no specific procedures.
Step 1: Materiality assessment
Veenstra’s DMA identifies two material G1 sub-topics. Anti-corruption and bribery is material because the company operates through local agents in Turkey, Nigeria, and Indonesia, each of which Transparency International’s Corruption Perceptions Index scores below 40 (out of 100). Payment practices is material because 62% of suppliers are SMEs and the company’s average actual payment time is 67 days against contractual terms of 45 days. Political influence is assessed as not material (no direct lobbying, industry association fees total €8,500 per year).
Documentation note
Record the TI CPI scores for each export country, the identification of local agents as a high-risk channel, the SME supplier count, the gap between contractual and actual payment terms, and the basis for excluding political influence as immaterial. Cross-reference to the DMA summary in ESRS 2.
Step 2: Policies (G1-1)
Veenstra’s 2019 code of conduct states that “the company does not tolerate corruption or bribery.” It does not identify functions-at-risk, does not reference the UN Convention against Corruption, and does not describe a whistleblower channel. The company has a Wet bescherming klokkenluiders-compliant internal reporting channel (established in 2023 after the Dutch transposition deadline), but this channel is not referenced in the code of conduct and has not been communicated to external stakeholders.
The sustainability team updates the code of conduct in Q3 2024. The revised version identifies sales, procurement, and local agent management as functions-at-risk. It references the UN Convention against Corruption. It describes the internal whistleblower channel, the designation of the compliance officer as the receiving party, and the protections available to reporters.
Documentation note
Verify the 2024 code of conduct update against board minutes approving the revision. Confirm the whistleblower channel is operational (check the platform’s activity log). Verify that the compliance officer has received training on handling reports. Note that external stakeholder access to the whistleblower channel has not yet been implemented. Flag this as a gap for the assurance file.
Step 3: Anti-corruption (G1-3)
In September 2024, Veenstra conducted anti-corruption training for all functions-at-risk. Sales (18 employees), procurement (6 employees), and local agent managers (4 employees) attended mandatory training sessions. Total functions-at-risk headcount: 28. Training coverage: 100%. The training covered red flags for bribery, the company’s gift and hospitality policy, and the procedure for reporting concerns through the whistleblower channel.
Documentation note
Verify the training attendance records against the HR system. Confirm the definition of functions-at-risk matches the code of conduct. Calculate the training coverage metric (28/28 = 100%). Obtain the training materials to verify content covers anti-corruption topics.
Step 4: Incidents (G1-4)
Veenstra had no confirmed incidents of corruption or bribery in 2024. No convictions, no fines. The whistleblower channel received zero reports in its first year of operation.
Documentation note
Obtain the compliance officer’s annual report confirming zero incidents and zero whistleblower reports. Note in the assurance file that zero reports in year one may reflect low awareness rather than absence of issues (the channel was not communicated to external stakeholders). This observation doesn’t change the G1-4 disclosure but informs the risk assessment for next year’s engagement.
Step 5: Payment practices (G1-6)
Veenstra’s standard contractual payment terms are 45 days for SME suppliers and 60 days for large suppliers. In 2024, the average actual payment to SME suppliers was 67 days. Of 1,840 payment transactions to SMEs in 2024, 1,104 (60%) were paid after the contractual due date. The company attributes the late payment pattern to a manual invoice approval workflow that adds 15 to 20 days between invoice receipt and payment release.
Documentation note
Verify standard payment terms against a sample of supplier contracts. Run a report from the accounts payable system showing invoice dates, due dates, and payment dates for all SME transactions. Calculate the late payment percentage (1,104/1,840 = 60%). Verify the management explanation (manual approval workflow) against the actual process. Note that the 67-day average exceeds the EU Late Payment Directive’s 60-day maximum for B2B transactions.
The G1 section for Veenstra tells an honest story. The company has corruption risk exposure through export markets and local agents. It updated its code of conduct in the reporting period and trained all at-risk functions. It had no incidents but also has a nascent whistleblower system. Its payment practices to SMEs are a problem, with 60% of transactions paid late and an average that exceeds the EU Late Payment Directive threshold. A reviewer sees a company that’s building its governance systems with documented gaps still open.
Practical checklist for your next CSRD engagement
- Check whether the client’s code of conduct or anti-corruption policy references the UN Convention against Corruption (ESRS G1 paragraph 8). If it doesn’t, and the company has no plans to align, the sustainability statement must disclose the absence and state whether plans exist.
- Verify that a functioning whistleblower channel exists, not just a policy reference to one. For Dutch companies with 50 or more employees, the Wet bescherming klokkenluiders requires an operational channel. Check the platform’s activity log, the designated receiving officer’s training records, and whether the channel has been communicated to both internal and external stakeholders.
- Request the client’s identification of functions-at-risk for corruption and bribery (ESRS G1 AR 4). If no formal identification exists, the G1-3 training coverage metric cannot be calculated. Flag this gap before the reporting deadline, not after.
- For G1-6, run an AP aging report covering all SME supplier transactions. Calculate the percentage paid past contractual due date. Compare the standard contractual terms against the actual payment average. If the gap is material, verify management’s explanation for the delay. Check whether the actual payment behaviour exceeds the EU Late Payment Directive’s 60-day threshold.
- For G1-5 (political influence), verify the total monetary value of industry association memberships where those associations engage in political advocacy. Even if the client does not lobby directly, association fees fund lobbying activities and fall within G1-5’s scope. If the client assesses political influence as not material, verify that the DMA rationale is documented.
- Check for duplications between the ESRS 2 governance section and G1. Under the amended ESRS, general governance disclosures belong in ESRS 2 only. G1 adds business conduct-specific disclosures. If the sustainability statement repeats governance text in both sections, flag it for consolidation.
Common mistakes in first-year ESRS G1 filings
- Claiming “no corruption risk” because no incidents have occurred. ESRS G1-3 requires disclosure of the prevention and detection system, not just the incident record. A company operating in markets that Transparency International scores below 50 on the CPI has corruption risk by definition. The absence of detected incidents in a company with no detection mechanisms says more about the mechanisms than about the risk.
- Disclosing a code of conduct without mapping it to G1’s requirements. G1-1 paragraph 8 requires specific disclosures on reporting mechanisms, whistleblower channels, and anti-corruption procedures. A code of conduct that says “we act ethically” without describing those mechanisms doesn’t satisfy the disclosure requirement. Map the code’s content against paragraph 8’s sub-requirements before concluding it covers G1-1.
- Ignoring the payment practices disclosure. G1-6 is the disclosure requirement most clients want to skip, because the data often reveals unflattering payment behaviour. Under the EU Late Payment Directive, late payment to SMEs is not just a disclosure issue; it’s a compliance issue. Companies that avoid G1-6 because the numbers look bad are making a strategic error. The sustainability statement must report the data regardless of whether it’s favourable.
- Treating industry association memberships as immaterial for G1-5. An association fee of €10,000 may seem small, but if that association lobbied against sustainability legislation the client publicly supports, the inconsistency becomes a G1-5 disclosure point under paragraph 29(c). The materiality test for G1-5 isn’t the size of the contribution. It’s whether the political influence activities are consistent with the company’s stated sustainability commitments.
Frequently asked questions
Is ESRS G1 material for every company in scope of the CSRD?
In practice, yes for almost every company. ESRS G1 covers anti-corruption policies, whistleblower protection, and payment practices to SME suppliers, which are relevant regardless of sector. A company may credibly conclude that environmental standards like ESRS E4 are not material, but it cannot credibly argue that business conduct policies and payment practices are immaterial.
What is the functions-at-risk metric under ESRS G1-3?
ESRS G1 paragraph 19 requires the percentage of functions-at-risk covered by the anti-corruption training programme. The denominator is all functions the company has identified as at-risk for corruption and bribery (as defined in AR 4). The numerator is those that received training in the reporting period. If the client has not formally identified its functions-at-risk, this metric cannot be calculated and the gap should be flagged.
Did the December 2025 Omnibus amendments remove any G1 disclosure requirements?
The Omnibus amendments deleted duplications with ESRS 2, removed the average invoice payment time metric from G1-6 (replaced with entity-specific late payment disclosures to SMEs), and moved all voluntary “may disclose” content to non-mandatory illustrative guidance. The six core disclosure requirements (G1-1 through G1-6) remain, but the mandatory core is streamlined.
How should a company disclose payment practices under the amended ESRS G1-6?
The amended G1-6 requires disclosure of standard contractual payment terms (disaggregated by category if they vary) and the number or percentage of payment transactions paid past the contractual due date, with particular attention to SME suppliers. The original average invoice payment time metric was removed. If the gap between contractual terms and actual payment behaviour is material, the company must address it in the disclosure.
Does ESRS G1 require companies to set targets for business conduct?
No. Neither the original nor the amended ESRS G1 includes a specific disclosure requirement for targets related to business conduct. This is unusual across the ESRS set. If the client has set voluntary targets, they can disclose them under ESRS 2 GDR-T provisions, but target-setting is not mandatory under G1.
Further reading and source references
- ESRS G1, Business Conduct: the governance topical standard covering corporate culture, anti-corruption, whistleblower protection, political influence, and payment practices.
- ESRS 2, General Disclosures: the baseline governance and strategy disclosures that G1 builds upon (duplications removed under the amended ESRS).
- EU Whistleblower Protection Directive (Directive (EU) 2019/1937): informs the whistleblower provisions in G1-1.
- EU Late Payment Directive (Directive 2011/7/EU): caps B2B payment terms at 60 days, directly relevant to G1-6 payment practices disclosures.