A simple guide for assurance firms to deliver a high-quality CSRD audit

Introduction – What to do when you perform a CSRD audit

This blog post is for auditors. As assurance firms are preparing themselves to perform CSRD audits, many of the smaller firms are struggling with the basics: how to perform a CSRD audit? And what to do to prepare?

We’ve basically seen two approaches among assurance firms that start their CSRD preparation.

The first approach is to send some of your team members to expensive training sessions to make sure that you build up expertise in the firm. You receive top-down presentations on the CSRD legislation, examples and use cases to better understand the approach that companies are taking to report on non-financial data. Many of the firms that we talked to indicated that these training sessions do not provide the right level of detail to be useful. Everyone kind of knows the high-level requirements of CSRD and the underlying ESRS taxonomy. The problem you face is around the preparations you need to do and the skills you need to hire to be able to deliver on such a complicated assurance service.

The second approach is to deep-dive into the ESRS data framework, provided by EFRAG, and come up with a work program that describes in detail which checks to perform. Many of the firms we spoke to tried to do this themselves and got stuck due to the sheer number of datapoints that you need to master.

We have outlined a simple approach to set up and successfully execute a CSRD audit, ensuring that your firm not only meets regulatory standards but also manages the inherent risks that you as an auditor will have to take if you choose to deliver on these complicated audits.

Establish Clear Objectives and scope the work 

First things first. Assurance firms have to focus on the scope of the work. What is it that the undertaking requires you to do? If there is insufficient data, how can you avoid the risks of potential misstatements?

Scoping is key in the financial audit and is key in accepting the assurance work for CSRD. For customers who are not ready yet, there is simply no other option than to scope out.

It’s essential to define clear objectives and goals with the customer and to put specific parts of the CSRD work out-of-scope if the customer is not ready yet. Determine what areas of the business you want to assess and what outcomes you think you can achieve. This will provide a roadmap for the audit and help in identifying key performance indicators. Most importantly, it sets an ambitious calendar and makes clear that the ESG discussions inside and outside of the business are important and strategic. They cannot be ignored. Just as importantly, when scoping or de-scoping, you identify the risks of potential misstatements and assess the chance that you can actually detect them based on the available data.

Setting up the CSRD audit

1. Determine risks
Determine what you aim to achieve with the audit. Objectives may include assessing current compliance levels, identifying gaps in data collection, and improving future sustainability reporting. It should also include your strategic objectives around improving your business on key non-financial metrics and assess what your business ambition is.

2. Assemble the Audit Team
Form a multidisciplinary team that includes members with expertise in sustainability, compliance, finance, and operations. Consider involving external auditors with experience in CSRD and ESRS.

3. Evaluate the Double Materiality Assessment to see if this has sufficient substance
Review the DMA to identify which standards are applicable to the business. Focus on those that relate directly to their material operational impacts and stakeholder interests. If you see evidence that the followed processes are not sufficiently executed or mature enough, consider that a red flag and address it directly with your customer.

4. Develop an Audit Plan – identifying risks on potential misstatements
Create a detailed audit plan that includes timelines, resources, and methodologies. Specify the key performance indicators (KPIs) and metrics that will be evaluated according to ESRS guidelines, and more importantly, define the risks that in your opinion are inherent to the business and their reported material topics and targets. Don’t forget that these metrics and targets are the key to measuring the potential risks of misstatement of your customer. Achievable metrics in a specific sector are not yet completely set in stone but will quickly arise when auditors become better at benchmarking and comparisons in their analysis. Discussions are ongoing about how to measure company performance and, as an auditor, you can play a role in these discussions.

Performing the CSRD audit

1. Data Collection
Collect data from various sources within the company, including financial reports, HR records, and operational data. Ensure that the data covers all relevant aspects of the ESRS, such as environmental impact, social practices, and governance structures. If you face a challenging and complex business environment, it makes sense to look at their ESG reporting tool to help you collect data and introduce some structure and process around their data collection. In the end, the prepared-by-customer list (“PBC”) is a large part of the educational work you need to perform with your customer.

2. Evaluate Compliance and Performance on Double Materiality Assessment results
Assess how well the company’s current reported sustainability practices align with standard ESRS requirements (ESRS-2) and develop your professional opinion regarding their choice of material topics to report on. Evaluate both qualitative and quantitative data to measure their performance against expected sustainability topics. You can do this manually or automatically, through the use of CSRD audit automation tools that help to identify the material topics per industry. 

3. Identify risks of potential misstatement and define audit plan
Highlight metrics, targets, actions and policies to come up with a comprehensive list of risks that require additional attention. Set up your audit plan accordingly and use the ESRS framework to sufficiently mitigate the risk of misstatement by performing the checks in a focused way. 

4. Collect the evidence

First perform all the steps and checks related to the identified risks and spend sufficient time on these checks with the customer. After that, you execute a full compliance audit on all remaining checks to guarantee compliance with the ESRS framework and the law. 

5. Prepare Audit Report
Draft a comprehensive audit report that includes findings, compliance status, and recommendations. Ensure that the report is structured in a way that aligns with CSRD requirements for transparency and detail. If you need any help with setting up such a report, please let me know. This is one of the items that we are working on to automate and to build software for: generating these reports should be easy and cost less. It should also be something that generates actionable items to fix quickly and without too much discussion.

6. Review and Communicate Results
Present the audit findings to the undertaking, including senior management, board members, and relevant employees. Discuss the necessary actions to address gaps and leverage opportunities for improvement.

Follow-up actions

1. Implement Recommendations
Develop an action plan to implement audit recommendations. Assign responsibilities and set deadlines to ensure accountability. CSRD automation tools allow you to set actions for next year’s audit and make sure that certain gaps are filled. We believe that these actions should be based on a better understanding of the legislation and integrated into your existing workflow. This allows the undertaking and the auditor to grow into the work and focus on a practical way of improving the reporting discipline within the company.

2. Monitor Progress
Regularly monitor the implementation of recommended actions. This can involve periodic reviews and updating the audit plan as needed. 

3. Update Reporting Practices
Integrating changes into the steps and checks that you perform is key. Update reporting templates and define data collection methods to ensure ongoing compliance with CSRD and alignment with ESRS, and at the same time, make sure that you do not just rely on the experience and know-how of one expert in the organisation who holds all knowledge of doing CSRD audits. This is in the end not scalable and creates risk across the board.

Conclusion

Following best practices that are well established in the audit processes of financial data seems to be the key to success. Auditing so much non-structured data (e.g. “narrative”) is the challenge that you need to overcome by introducing new technology, setting clear scoping and objectives and, in the end, focusing your attention on the parts of the report that are most important (risk-based).

However, compliance is part of your assurance and to achieve that, you need to be thorough. Making sure that you use a comprehensive work program that includes all necessary steps and checks is therefore essential. In order for you to stay on budget and deliver in time, you have to perform these checks efficiently and diligently. We believe the only way to do so is with the right automation.