Guest Article: Steps to Assurance Readiness for CSRD Compliance - Preparing for a New Era in Sustainability Reporting
- Deepa Rao
- Oct 22, 2024

In the second of a three-part series, guest writer and ESG Governance and Reporting expert Deepa Rao explains how assurance is key for complying with CSRD - and something that businesses can no longer overlook.
As the regulatory landscape for sustainability reporting evolves, companies are approaching a critical juncture. With the European Union's Corporate Sustainability Reporting Directive (CSRD) transitioning to more stringent standards, compliance is no longer sufficient; regulators are also mandating assurance of key sustainability information by independent third parties. This shift signifies a major change in corporate reporting, one that extends beyond compliance to emphasize reliability, transparency, and accountability.
Understanding the Assurance Requirements
The CSRD introduces a phased rollout for assurance on sustainability disclosures, guided by Article 26a of the Audit Directive:
Limited Assurance Standards (by October 2026): The Commission will adopt sustainability assurance standards for limited assurance by October 1, 2026. In this phase, auditors will evaluate whether the disclosed sustainability information is plausible and free from material misstatement, providing a basic level of confidence without the thoroughness of a full audit. This initial step offers organisations time to enhance their ESG reporting processes while establishing some credibility in their disclosures.
Reasonable Assurance Standards (by October 2028): By October 1, 2028, the Commission will adopt sustainability assurance standards for reasonable assurance, contingent on a feasibility assessment for both auditors and organisations. This level of assurance will require a more in-depth review, including testing the design and operating effectiveness of controls over the reported sustainability information, similar to the approach used in financial audits such as those under the Sarbanes-Oxley Act (SOX). However, the broader scope of sustainability data adds a layer of complexity beyond standard financial audits.
Organisations must act now to gain a comprehensive view of all data within their ESG or integrated reporting processes. The CSRD significantly expands what must be reported and who is involved, increasing potential risks that need to be managed effectively.
The Scale of the Challenge
Preparing for CSRD assurance requirements is not a plug-and-play exercise. It represents a significant transformation in corporate reporting, requiring companies to navigate several complex challenges:
Vast Data Sets: Sustainability disclosures cover a wide range of data points, from greenhouse gas emissions to social and governance metrics. This data often originates from multiple sources across the organization.
Audit-Unfamiliar Data: Many sustainability data points have never been through an audit process, making them more prone to inaccuracies.
Newly Created Data Sets: Data collected specifically for disclosure may lack historical benchmarking, further complicating validation.
Untrained Data Handlers: Individuals responsible for collecting sustainability data may not have previously considered the need for precision or audit readiness.
Reputational Risk: Poor-quality sustainability disclosures can damage a company’s reputation and stakeholder trust.
Compliance Risk: Failure to comply with CSRD requirements could lead to penalties and affect the company’s standing in the market.
Steps to Achieve Assurance Readiness
To prepare for these rigorous assurance standards and avoid adverse assurance opinions, companies need to take proactive steps. The following roadmap can help organizations gear up for the journey from limited to reasonable assurance:
Identify Key Data Sets and Disclosures: Start by understanding what data will be subject to assurance. Key areas might include climate-related disclosures, employee welfare, governance practices, and more. Focus on identifying the specific data points that will be crucial for both limited and reasonable assurance engagements.
Engage Stakeholders and Understand the Data: Connect with internal and external stakeholders to understand the metrics and disclosures required. This involves gaining clarity on the sources of the data, the methods used for data collection, and how the data is aggregated. Ensure the data is accurate, reliable, and trustworthy by identifying data ownership, reviewing data quality, and assessing data collection processes.
Establish Internal Controls Over Disclosures: Document and implement internal controls for sustainability reporting. Perform a gap analysis to identify control weaknesses and enhance them as needed. Controls should include verification and approval steps to minimize the risk of errors and omissions. Strong review processes by knowledgeable personnel are essential.
Test the Effectiveness of Controls: Utilize the three lines of defence model to test the effectiveness of controls. The first line (operational management) should monitor controls daily, the second line (risk management and compliance functions) should assess the controls periodically, and the third line (internal audit) should provide independent evaluation.
Leverage Internal Audit as a Critical Player: Internal audit can play a key role in evaluating and providing an opinion on the effectiveness of internal controls. This function should go beyond financial controls to cover sustainability-specific risks and compliance gaps.
Conduct Staff Training Programs: Train staff on their roles in data collection and assurance processes. Emphasize the importance of accurate data and familiarize them with the requirements for limited and reasonable assurance. Make training an ongoing process to keep up with evolving regulations and controls.
Monitor and Continuously Improve: Establish a process for ongoing monitoring and improvement of controls to ensure consistent quality. Regular assessments can help identify areas for improvement and strengthen the organization’s ability to maintain high standards of data reliability.
Document Thoroughly and Obtain Executive Sign-Off: Maintain comprehensive documentation of all processes, controls, and findings. Ensure that executive leadership signs off on the final assurance preparations, demonstrating a commitment to data integrity and regulatory compliance.
Engaging Third-Party Assurance Providers
Once the organization is prepared internally, the next step is to engage a third-party assurance provider. Consider performing a readiness assessment well ahead of formal assurance engagements. Early involvement allows the assurance provider to understand the company's data landscape, processes, and controls, ensuring that all aspects are aligned with the CSRD requirements.
Third-party providers can offer valuable insights on potential gaps, helping organizations address deficiencies before transitioning to more stringent reasonable assurance requirements in 2028. Early engagement also provides sufficient time to align internal processes with assurance standards, making for a smoother transition.
The Benefits of a Robust Assurance Framework
Preparing for CSRD assurance is a heavy lift, but it comes with significant rewards:
Investor Confidence: High-quality, assured sustainability reports can strengthen investor trust and attract capital.
Reputation Management: By demonstrating compliance and transparency, companies can bolster their reputation and reduce the risk of reputational damage.
Operational Improvements: The process of establishing robust internal controls can drive broader organizational efficiencies and performance improvements.
What does all this mean?
The journey to CSRD compliance and assurance readiness requires thorough planning, robust internal controls, and collaboration across the organization. With the phased approach to assurance requirements, companies must prioritize their readiness strategies now to meet the demands of both limited and reasonable assurance. By taking proactive steps and engaging third-party providers early, organizations can not only meet regulatory requirements but also build trust and confidence with stakeholders. The era of enhanced sustainability reporting is here—companies must rise to the challenge and demonstrate their commitment to transparency and accountability.
Deepa Rao is a Chartered Accountant and seasoned internal audit professional who transitioned into the ESG field. She leads Global ESG Reporting and Controls at Cognizant, focusing on strong processes and governance for ESG reporting. Based in the UK, she brings expertise from consulting roles at KPMG and PwC, with a background in corporate risk management, internal controls, and ESG reporting.
An advisor to startups and recognized Subject Matter Expert, Deepa speaks at forums like the World Economic Forum, IIA, and FinTech Global Summit. She was nominated as a “Rising Star for ESG Governance” at the 2023 Corporate Governance Awards, and her team at Cognizant has won awards for ESG innovation and management excellence.