How CSRD’s 3rd-party audits will work
So-called third party assurance is an additional safeguard check for companies in complying with the EU's CSRD mandate. Read More
The European Union’s corporate disclosure mandate, CSRD, is complicated and unprecedented, with many moving parts to which companies must comply. One piece of that is so-called third party assurance.
Within the CSRD, third party assurance refers to an EU approved auditor that verifies a company’s reported sustainability data, similar to how financial data is audited. This third-party verification acts as additional check on greenwashing or misrepresentation of reported data.
There are two types of assurance — limited and reasonable:
- Limited assurance: This is a basic check of the gathered data that should conclude no significant misstatements are found (“nothing has come to our attention to indicate that the information in materially misstated”).
- Reasonable assurance: This is a more thorough investigation that should conclude with the verifier confirming the sustainability-related information prepared, in all material respects, is in accordance with the applicable reporting criteria.
Both standards are likely to follow the International Standard on Sustainability Assurance 5000 guideline, created by the International Auditing and Assurance Standards Board. Limited assurance standards are expected to be adopted by 2026, with the more detailed and in-depth reasonable assurance standards planned to be enforced beginning Oct. 1, 2028.
Preparing for the audit
Each member state will have specific requirements regarding third-party approval, according to Corinne Dougherty, audit partner at KPMG, among the firms companies can hire to do the CSRD audits.
“Companies need to look at, and figure out ultimately, where they have to file in which EU member countries, and then from there, look at the transposition of the CSRD into law,” said Dougherty. Currently, 12 of the 30 countries enforcing CSRD have partially or fully completed the transition of the regulation into law: France, Denmark, Hungary, Romania, Finland, Slovakia, Czech Republic, Ireland, Lichtenstein, Lithuania, Sweden and Croatia.
This lack of clarity could be a barrier if it continues, but Dougherty specifically mentions that most U.S.-based companies “don’t have to report until 2029 [and thus] have a longer lead time in order to get ready.”
Go Beyond Compliance Reporting to Achieve True Sustainability
Before a company submits its ultimate report to the EU, Dougherty recommends it focus on establishing and solidifying its pre-assurance process, and specifically, the double materiality assessment. The double materiality assessment determines both the internal and external material risk and opportunity posed by a company’s sustainability matters.
“Companies are going to have to go through and perform their double materiality assessment to even just determine what topics or material to be reported … [and] how many material IROs they have, so impact, risk or opportunities,” said KMPG’s Dougherty. Once this assessment is complete, Dougherty recommends companies take advantage of the runway available with the disclosure deadline by performing a “dry-run” of sorts.
“That’s really, essentially, looking at in from a mock audit standpoint, it really helps organizations identify gaps in their methodology,” said Dougherty.
Pharmaceutical company Astra Zeneca agrees with Dougherty’s recommendation. Liz Chatwin, vice president of sustainability, safety, health and environment previously told Trellis the company’s plans to prepare a “CSRD-aligned” dry-run report in 2025 to ensure their data is aligned, correct, and in order for their mandated reporting timeline of 2026.
“Engage with your auditors really early on in the [limited assurance] process to help you out in the long run,” KPMG’s Dougherty said, “especially when it comes to double materiality assessment and looking at an audit trail of documentation for this entire process.”