Assurance requirements
Prior to CSRD, external assurance was voluntary, but this will change. While some large companies provided reports based on the limited assurance requirements from ISAE 3000 – a standard framework for non-financial reporting – most haven’t had to provide assurance or haven’t chosen to. Under ISAE 3000, there are two levels of assurance: limited and reasonable. Reasonable provides more assurance than limited, with the latter providing a “moderate” level, meaning there’s a limited amount of testing and a heavy reliance on inquiry and review.
CSRD reports must be assured by an external party. Initially, limited assurance will be sufficient, but reasonable assurance will likely be required further down the road. A new sustainability assurance standard is currently under consultation, and the EU may develop its own standard, so the exact requirements are still not clear.
Internal audit as an enabler
There isn’t a cookie-cutter solution for what role internal audit can (or will) play in your organization’s CSRD implementation. It’s important to be flexible and look for opportunities to add value. Internal auditors are working in an environment with a lot of uncertainty. However, because implementation deadlines are short, there’s no time to wait for that uncertainty to be resolved before taking action, both as an organization and as an internal audit function. CSRD provides a tremendous opportunity for internal auditors to support their organizations by identifying risks, putting effective controls in place, and understanding the impact on corporate reporting and sustainability strategies.
Stakeholders will likely be watching CSRD reporting closely, particularly if you’re in a high-risk industry, so it’s critical to get it right. Non-compliance is a key risk. Inaccurate, incomplete, or misleading reporting will have a reputational impact. Although organizations have reported financial data for decades, sustainability reporting is new. However, the development of the control framework should remain the same: establish controls, map data back to sources, and generate an audit trail. Internal audit can follow a similar approach to auditing financial or other external reporting.
Additionally, there may be some growing pains with immature systems and an over-reliance on spreadsheets and other manual processes as organizations familiarize themselves with providing data suitable for CSRD reporting, particularly if the reporting uses multiple frameworks.
Overall, ESG and the Corporate Sustainability Reporting Directive present an opportunity for internal audit to make an impact and raise its profile as a trusted advisor by using existing skill sets to offer critical support during these uncertain times.