CSRD Audit Trail / Audit Evidence for Sustainability

What is CSRD Audit Trail / Audit Evidence for Sustainability?

An audit trail for sustainability sits on two legs: what the reporting entity produces and what the assurance provider expects to inspect. ESRS 1 paragraph 7 requires the sustainability statement to be faithfully represented, which in practice means every reported figure must be reproducible from underlying records. The reporting entity documents source data (energy invoices, payroll headcounts, supplier questionnaires), the calculation methodology applied to that data, the emission factors or conversion rates selected, and any estimation techniques used where direct measurement was unavailable.

On the assurance side, ISSA 5000.105-109 governs the procedures a practitioner performs in a limited assurance engagement. The practitioner evaluates whether the entity's data collection process produces evidence that is sufficient and appropriate to support the reported disclosures. That evaluation includes testing whether the trail is intact: can the practitioner pick a reported Scope 1 figure from the sustainability statement and walk it back through calculation files, metering records, and fuel purchase invoices without a gap? If a link in that chain is missing or undocumented, the practitioner faces a scope limitation.

The CEAOB guidelines (September 2024) reinforced this expectation by requiring the practitioner to obtain an understanding of the entity's system of internal control over sustainability information. For entities reporting under ESRS for the first time, that system is often immature. Finance teams accustomed to general ledger controls discover that sustainability data flows through Excel workbooks maintained by facilities managers, HSE officers, and HR departments with no reconciliation controls, no version history, and no formal review.

Worked example: Dupont Ingenierie S.A.S.

Client: French engineering services company, FY2027, revenue EUR 92M, IFRS reporter, 1,200 employees. Dupont falls within the revised Omnibus I CSRD scope (1,000+ employees, though below the EUR 450M turnover threshold ). The engagement team at a mid-tier French firm performs limited assurance under ISSA 5000 on Dupont's first ESRS-compliant sustainability statement.

Step 1 — Map data sources to ESRS disclosures: The team identifies Dupont's four material topics from the double materiality assessment: climate change (E1), own workforce (S1), workers in the value chain (S2), and business conduct (G1). For E1, Dupont's Scope 1 emissions of 3,800 tonnes CO2e derive from fleet diesel consumption and natural gas heating across six office and workshop locations. The sustainability team compiled consumption data from utility invoices into a master spreadsheet, applied emission factors from ADEME (the French Environment Agency), and calculated total CO2e.

Documentation note: record the data flow for each material ESRS topic. For E1, document the chain: utility invoices per site, consolidation spreadsheet (version-controlled), ADEME emission factor table (version and publication date), final CO2e calculation. Attach the spreadsheet and a sample of source invoices.

Step 2 — Test the audit trail for Scope 1 emissions: The team selects the two largest sites (Paris headquarters and Lyon workshop, representing 71% of reported Scope 1). For each site, the team traces the reported natural gas consumption in kilowatt-hours back to the supplier invoices for all twelve months. The Paris site shows a complete trail. The Lyon site is missing invoices for March and April; the sustainability team estimated those months using the average of adjacent months.

Documentation note: record the completeness test results by site. For Lyon, document the estimation method applied (two-month average), the resulting estimate (42,000 kWh versus a full-year reported figure of 580,000 kWh for that site), and the percentage of total Scope 1 affected (7.2%). Evaluate whether the estimation is reasonable and whether the gap constitutes a trail deficiency requiring disclosure.

Step 3 — Evaluate internal controls over the data flow: The team inquires of the facilities manager responsible for compiling energy data. No formal reconciliation exists between the master spreadsheet and the underlying invoices. The spreadsheet has no version control; the team identifies two prior versions with different emission factor vintages saved in the same shared drive folder. Dupont's finance team performed no review of the sustainability data before it was included in the management report.

Documentation note: record the control deficiencies identified. Cite ISSA 5000.80 (understanding the entity's system of internal control over sustainability reporting). Note the absence of reconciliation, version control, and finance review. Assess whether these deficiencies increase the risk of material misstatement at the disclosure level and whether additional procedures are needed.

Step 4 — Conclude on trail sufficiency: The Scope 1 trail is substantially intact, with the Lyon estimation affecting 7.2% of total reported emissions. The team determines that the estimation does not cause a material misstatement. For S1 (own workforce), the trail runs from Dupont's HR payroll system, which already supports financial statement audit procedures. The team identifies no gaps in S1 data. For G1 (business conduct), narrative disclosures trace to board minutes and the published code of conduct.

Documentation note: record the overall assessment of audit trail sufficiency per ISSA 5000.131-133. Summarise trail status by ESRS topic (complete, partially complete with estimation, or incomplete). Document the basis for concluding that the evidence is sufficient for a limited assurance conclusion.

Conclusion: the engagement produces an unmodified limited assurance conclusion. The audit trail was intact for the three largest disclosure areas, with one documented estimation that fell below the materiality threshold. The trail deficiency at the Lyon site is communicated to management as an observation for remediation before FY2028.

What reviewers and practitioners get wrong

• The FRC's February 2025 sustainability assurance market study found that firms lacked consistent methodologies for determining what constitutes "sufficient" procedures in a limited assurance engagement on sustainability. Where the audit trail is weak, some practitioners compensated by performing additional inquiry without corroborating the responses against source data. ISSA 5000.105-109 requires procedures responsive to assessed risks, not simply more questions directed at management.
• Teams frequently treat the sustainability audit trail as a post-hoc reconstruction exercise performed in the weeks before the assurance engagement, rather than a continuous process built into the data collection workflow. ESRS 1 paragraph 11 requires the sustainability statement to be verifiable. An entity that assembles its evidence trail only when the assurance provider requests it will produce gaps, version conflicts, and undocumented estimations that increase engagement risk and cost.

Related terms

Frequently asked questions