How to Get Your ESG Data Audit-Ready Before CSRD Filing Season

By Kwame Asante, CTO & Co-Founder

The first thing sustainability controllers typically discover when a CSRD limited-assurance engagement begins is that their calculation workbook is not nearly as traceable as they thought. Line items reference emission factors by nickname. Source documents live in someone's email. Version numbering stopped working somewhere around the third restatement. We've seen this pattern in nearly every enterprise preparing for a first formal assurance review, and it is entirely fixable — but not in the final two weeks before the auditor arrives.

Limited assurance under CSRD is not the same as a financial audit, but that distinction cuts both ways. Auditors won't recompute every figure. What they will do is follow the data trail for a sample of material figures and ask a straightforward question: can you show me, step by step, how this number was produced, from which source document, using which emission factor version? If you can't answer that question in under ten minutes per line item, you have a readiness problem.

This article is the checklist our team and our customers' sustainability controllers have developed through real assurance preparation cycles. It is organized by the four areas auditors focus on first.

1. Calculation Workbook Structure and Traceability

Most enterprises build their initial emission inventory in Excel or Google Sheets. There is nothing wrong with that — but spreadsheets accumulate structural debt fast. By the time a workbook has been through three reporting periods, it typically contains unnamed formula references, hardcoded emission factors with no version tag, and cross-sheet links to files that no longer exist at their original path.

Before an assurance review, audit every calculation row for four attributes:

• Source reference: which underlying document or data export does this activity figure come from?
• Emission factor identity: which factor library, which version, which year of publication?
• Boundary assignment: is this row inside or outside your operational control boundary, and why?
• Change log: if this figure was revised after an initial entry, what changed and why?

An auditor who can pull up any row and immediately see all four attributes will move through their sample in hours, not days. One who has to ask about each one will find the process slow enough that they may expand their sample — which expands your exposure.

"The fastest audits we've supported are the ones where the calculation file is essentially self-documenting. Every figure has a source, every source has a reference, and the trail is linear. It sounds obvious. In practice, it takes deliberate design from day one of data collection."

— Kwame Asante, CTO & Co-Founder, Carbonkindle

2. Emission Factor Version Control

Emission factor selection is one of the top two causes of CSRD restatements in Wave 1 filings, based on what practitioners in the EFRAG implementation community report. The failure mode is consistent: a company uses the grid emission factors published by their national grid operator three years ago, because that's what was in the original workbook template. The grid mix has since changed — in some EU markets by 8-15% year-on-year as renewables penetrate — and the factor is now materially wrong.

Before filing, verify the following:

• All grid emission factors are the most recent annual publication from the relevant grid operator or IEA regional dataset
• All process emission factors (ecoinvent, IPCC AR6, or custom) are tagged with database version and publication year
• Any custom or supplier-provided emission factors are accompanied by the documentation the supplier submitted
• Factors used in prior periods are stored separately from current-period factors, so restatements can be scoped without ambiguity

If your inventory system doesn't enforce version tagging automatically, build a simple factor registry: a dedicated tab that lists every factor used, its source, its version, and the date it was applied. Auditors will ask for it, and having it prepared tells them you run a controlled process.

3. Scope 3 Gap Justification

ESRS E1 does not require enterprises to report every Scope 3 category — it requires materiality assessment and disclosure of which categories were assessed as not material, along with the basis for that assessment. This is where many enterprises are underprepared.

Materiality assessments for Scope 3 often exist as a sentence or two in the narrative disclosure. Auditors want the underlying analysis: the revenue exposure by category, the spend-based or activity-based proxy estimates that informed the materiality call, and a documented rationale for any category assessed as below-threshold.

For each of the 15 GHG Protocol Scope 3 categories, you need one of two things ready before the auditor arrives: either a calculated inventory figure with a documented methodology, or a materiality assessment document that explains why the category was excluded and what analysis supported that conclusion. Categories 1 (purchased goods and services) and 11 (use of sold products) are the two most frequently challenged in manufacturing and consumer goods sectors, so those justifications need to be particularly thorough and well-documented.

4. Internal Data Quality Controls

Auditors under CSRD limited assurance assess not just the figures but the process that produced them. A documented internal control over sustainability reporting (ICSR) framework is not yet mandatory for all companies, but demonstrating that one exists significantly reduces audit scope because auditors can rely on controls testing rather than substantive re-performance.

At minimum, have documented evidence of these controls:

• Data completeness check: which entities are included, and what is the documented reason any subsidiary was excluded?
• Reasonableness review: does someone compare current-year figures to prior-year figures and investigate deviations above a defined threshold?
• Access control: who has write access to the calculation workbook, and is there a record of approvals before figures are submitted to disclosure?
• Disclosure sign-off: who reviewed the final ESRS E1 disclosure fields, and what is the evidence of that review?

The absence of these controls doesn't automatically cause an assurance qualification, but it increases the scope of work the auditor needs to do — and it is a finding that appears in the management letter regardless.

5. The Pre-Assurance Dry Run

The most consistently useful preparation step we recommend is a self-conducted dry run, typically 6-8 weeks before the expected assurance start date. Take your own calculation workbook and try to answer, without asking anyone else, the complete audit trail for your five largest emission line items. If you can answer those five cold, in sequence, using only documented references, your preparation is in good shape. If you get stuck on any of them, you've found your gap with enough time to fix it.

That dry run takes about half a day. It surfaces more actionable preparation work than any checklist, because it forces you to walk the exact path the auditor will walk. In our experience working with enterprises preparing their first CSRD filings, the dry run consistently finds two or three specific issues that wouldn't have appeared on a checklist review: a missing source document, an emission factor that was updated but not reflected in the workbook, a boundary decision that was never written down anywhere.

A Note on Timing

The window between data collection close and assurance engagement start is typically four to six weeks. Most enterprises use that window to finalize narrative disclosure and management commentary. The calculation workbook audit is often treated as already-done at that point — when in practice, it has only been prepared, not reviewed for assurance-readiness.

Shifting the workbook audit to begin eight weeks before data close — while source data is still accessible and factor versions can still be checked against live databases — is the single most effective timeline change an enterprise can make. Everything else being equal, an earlier audit start leads to a shorter and less expensive assurance engagement.

If you're preparing for a first CSRD limited-assurance review, start the audit trail work now. Not the week before the auditor arrives.