
ESG Audit: What It Is, How It Works, and How to Prepare for One

A Practical Guide for Sustainability, Compliance, and Audit Teams

12 Apr 2026

A few years ago, ESG audits were something only the largest multinationals worried about. That's changed. The EU's Corporate Sustainability Reporting Directive, California's climate disclosure laws, ISSB standards going mainstream, and investors asking harder questions about sustainability claims have all pushed ESG audits from a voluntary exercise to an operational requirement.

There's still a lot of confusion around what an ESG audit involves, how it differs from ESG reporting, and whether you need external help or can handle it internally. This guide covers what an ESG audit is, the different types, which frameworks and standards apply, what the process involves step by step, and how to get your organisation ready for one.

What an ESG Audit Is

An ESG audit is a structured review of how your organisation performs across environmental, social, and governance criteria. It examines your policies, data, processes, and disclosures, and checks whether what you're reporting matches what you're actually doing.

An ESG audit isn't the same as ESG reporting. Reporting is the act of disclosing your sustainability data and performance to stakeholders. An audit verifies that those disclosures are accurate, complete, and consistent with the standards you're reporting against.

It's also distinct from ESG assurance, though the two overlap. Assurance is a specific engagement, typically performed by an independent auditor, that results in a formal opinion on whether your ESG disclosures are materially correct. An ESG audit can be internal or external, and doesn't always produce a formal assurance statement. In a regulatory context, though, "ESG audit" usually refers to the kind that leads to third-party assurance.

Why ESG Audits Matter Now

For years, ESG disclosure was mostly voluntary. Companies published sustainability reports because investors and customers expected it, but the data didn't face the same scrutiny as financial statements. New disclosure laws have changed that.

CSRD and ESRS in the EU. The Corporate Sustainability Reporting Directive now requires thousands of companies, including non-EU companies with significant EU revenue, to publish sustainability disclosures under the European Sustainability Reporting Standards. CSRD requires external assurance, starting with limited assurance and expected to move to reasonable assurance over the coming years. ESG data will face a similar level of scrutiny to financial data.

ISSB standards going global. IFRS S1 and S2, issued by the International Sustainability Standards Board, are being adopted or referenced by regulators in multiple jurisdictions. These standards are designed to produce investor-grade sustainability data, and the expectation is that this data will be subject to assurance.

US state-level climate laws. California's SB 253 requires companies doing business in the state with over $1 billion in annual revenue to disclose Scope 1, 2, and 3 greenhouse gas emissions. While the federal SEC climate disclosure rule has faced challenges, state-level action is filling the gap.

Investor and supply chain pressure. Large asset managers and procurement teams are demanding verifiable ESG data even outside of regulation. If you're a supplier to a company in scope for CSRD, you may be asked for audited ESG data as a condition of doing business.

ESG data is moving toward the same level of accountability as financial data. Companies that treat ESG audits as an afterthought will struggle when their reporting deadlines arrive.

Types of ESG Audits

Not all ESG audits are the same. The type you need depends on where you are in your ESG programme, what your regulators require, and what your stakeholders expect.

| Type | Who Does It | What You Get | When It Makes Sense |
|---|---|---|---|
| Internal ESG audit | Your own audit or sustainability team | Internal gap analysis, risk identification, control testing | Starting out, preparing for external assurance, ongoing monitoring |
| External ESG audit (limited assurance) | Independent auditor or assurance firm | Statement that nothing came to attention suggesting material misstatement | First-time external assurance, voluntary disclosure, investor requests |
| External ESG audit (reasonable assurance) | Independent auditor or assurance firm | Positive opinion that disclosures are fairly stated in all material respects | CSRD compliance (phasing in), mature ESG programmes, high stakeholder scrutiny |
| Supply chain ESG audit | Third-party auditor, often on-site at supplier | Assessment of supplier's labour, environmental, and governance practices | Procurement risk management, buyer requirements, due diligence |


Most organisations start with internal audits. Your own team reviews policies, data collection processes, and disclosures against the relevant framework to identify gaps before anyone external gets involved. Discovering data quality problems during an external audit is expensive and disruptive; an internal review catches them early.

External audits come in two forms: limited assurance and reasonable assurance. Under limited assurance, the auditor checks for red flags and issues a statement that nothing came to their attention suggesting the disclosures are materially misstated. Under reasonable assurance, the auditor gives a positive opinion that the disclosures are fairly stated, closer to what happens in a financial audit. CSRD starts with limited assurance and will move to reasonable assurance as the framework matures.

Supply chain ESG audits are typically on-site assessments of a supplier's labour practices, environmental management, health and safety, and governance. They're driven by procurement requirements, due diligence obligations, and increasingly by regulation around forced labour and environmental standards in supply chains.

Frameworks and Standards

There's no single global ESG audit standard. Organisations work with a patchwork of frameworks, and the right combination depends on industry, geography, and stakeholder expectations. The main frameworks include CSRD/ESRS, ISSB, GRI, SASB, and TCFD, alongside ISO standards for specific operational areas.

| Framework | Focus Area | Geography | Assurance | Best For |
|---|---|---|---|---|
| GRI | Broad sustainability | Global | Voluntary | Organisations wanting wide ESG coverage |
| SASB (now ISSB) | Financially material ESG | Global | Voluntary | Industry-specific material issues |
| ISSB (IFRS S1/S2) | Climate & sustainability | Global | Increasingly required | Investor-focused climate disclosure |
| ESRS (CSRD) | Full sustainability | EU + non-EU in scope | Mandatory (limited, then reasonable) | EU companies under CSRD |
| TCFD | Climate financial risk | Global | Voluntary | Climate risk and opportunity reporting |
| ISO 14001 | Environmental management | Global | Certification audit | Operational environmental compliance |
| ISO 45001 | Occupational health & safety | Global | Certification audit | Workplace safety governance |

Most organisations use a combination. A European company under CSRD will report against ESRS but might also use GRI for broader stakeholder disclosure and ISSB for investor-facing materials. A US energy company might combine SASB industry standards with TCFD for climate risk reporting.

The audit is then conducted against whichever standards the organisation has chosen to report under. The auditor checks whether data, processes, and disclosures meet the requirements of those standards.

On the assurance side, auditors follow standards like ISAE 3000 (the international standard for assurance on non-financial information) or, in the US, AT-C 105 and AT-C 210 from the AICPA. These aren't ESG-specific. They're professional standards that govern how assurance work is performed, applied to ESG subject matter.

The ESG Audit Process

The details vary depending on scope and type, but the basic sequence is the same for internal assessments and external assurance engagements.

Scoping and materiality

The first step is deciding what's in scope. Which ESG topics are material to your organisation? Which frameworks are you reporting against? Which entities, geographies, and time periods does the audit cover? Scope defines everything that follows. Getting it wrong means either wasting time on things that don't matter or missing areas that do.

Materiality assessment is a large part of scoping. Under CSRD's double materiality approach, you examine both the impact your business has on the environment and society, and the impact ESG issues have on your financial performance. Other frameworks define materiality differently, so the framework you've chosen shapes how you scope.

Data collection and evidence gathering

This is where most organisations hit problems. ESG data doesn't live in one system the way financial data does. Carbon emissions data might sit in a separate tool, employee diversity metrics in your HRIS, governance policies in a document management system, and supply chain data in procurement spreadsheets. Sometimes it's in someone's inbox.

Auditors need evidence for every claim in your disclosure: the raw data, the methodology used to calculate it, the assumptions made, and the controls around data quality. Without that evidence, the auditor can't verify the claim.

Stakeholder interviews

Auditors review documents and also interview the people responsible for ESG data and processes: sustainability managers, operations staff, HR, procurement, legal, and often senior leadership. These conversations show the auditor how ESG governance works in practice, not just on paper.

Testing and assessment

The auditor evaluates your data against the standards you're reporting under. They test the accuracy of specific metrics by recalculating emissions figures, cross-referencing headcount data, and verifying policy implementation. They look for gaps between what your disclosures say and what the evidence supports. They also assess whether your internal controls around ESG data are strong enough to produce reliable information.

This is where limited and reasonable assurance differ in practice. Limited assurance involves inquiry and analytical procedures. Reasonable assurance requires more extensive evidence gathering, including substantive testing of individual data points.

Findings and reporting

The auditor produces a report with their findings. For an internal audit, this is typically a gap analysis with recommendations for improvement. For an external assurance engagement, it's a formal assurance report, either a limited or reasonable assurance opinion that accompanies your published ESG disclosures.

The report identifies areas of strong performance, areas where data quality or controls need improvement, and any material misstatements or gaps. It may also include recommendations for strengthening ESG governance and data management.

Common Problems

Common problems include data quality issues, fragmented systems, and confusion about which standards apply.

  • Data quality is almost always the biggest issue. ESG data has historically been treated with less rigour than financial data. Estimates, manual spreadsheets, inconsistent definitions, and gaps are common. When an auditor applies financial-grade scrutiny to ESG data, the problems surface quickly.
  • There's no single system of record. Financial data flows through the ERP. ESG data is scattered across dozens of systems, tools, and manual processes. Getting it all into one auditable view takes more work than many organisations expect.
  • Framework confusion wastes time. Organisations sometimes try to audit against too many frameworks at once without understanding where they overlap. GRI, SASB, ISSB, and ESRS all cover some of the same ground. Mapping the overlaps before you start saves effort.
  • Qualitative claims are harder to audit than numbers. "We reduced Scope 1 emissions by 12%" is verifiable. "We are committed to an inclusive workplace" is much harder to audit. Auditors need evidence for narrative claims too, and many organisations aren't prepared for that.
  • There aren't enough qualified ESG auditors. The profession is catching up with demand, but there's a real skills gap. Financial auditors are adapting to ESG subject matter, and sustainability professionals are learning assurance methodology. The pool of people strong in both is still small.

How to Prepare

Preparation should start well before your first mandatory deadline. The following steps apply whether you're preparing for an internal assessment or getting ready for external assurance.

Assign clear ownership. Someone needs to own the ESG audit process. In many organisations this sits with the sustainability team, but it needs strong connections to finance, internal audit, legal, and operations. Without clear ownership, nobody is accountable for data quality.

Map your data sources. Build an inventory of every data point you disclose, or plan to disclose, along with the source system, the person responsible, the calculation methodology, and the controls around it. You can't audit data if you don't know where it comes from.

Run an internal gap assessment. Compare your current ESG disclosures and processes against the framework you're reporting under. Identify where the data is weak, where controls are missing, and where disclosures don't fully meet the standard's requirements. Do this before engaging an external auditor.

Invest in proper data management. If your ESG data lives in spreadsheets, auditing will be painful. Platforms designed for ESG data collection and reporting, such as Workiva, Novisto, Benchmark ESG, and others, provide audit trails, version control, and workflow management that make data auditable.

Build your controls framework. ESG data needs internal controls just like financial data: documented processes for data collection, review, approval, and sign-off; segregation of duties; a clear audit trail showing who changed what and when. If you already have a strong SOX or internal controls programme, extending it to ESG is a natural step.

Start early. Companies that begin preparing a year before their first mandatory assurance deadline tend to manage the process well. Companies that start three months before face serious problems. The data infrastructure, governance processes, and cultural shifts needed take time.

ESG Audit vs. ESG Certification

An audit assesses your ESG performance and data against a set of standards. Certification is a separate step where an independent body formally confirms that you meet specific criteria. The two are related but not the same thing.

Relevant certifications include ISO 14001 for environmental management systems, ISO 45001 for occupational health and safety, B Corp certification for social and environmental impact, and framework-specific confirmations like GRI-referenced reporting. Certification has its own requirements, process, and fees. Going through an ESG audit first makes certification smoother because you've already identified and addressed the gaps.

If you're early in the process, start with an internal assessment against the framework most relevant to your situation. If you're further along, talk to assurance providers about what reasonable assurance will require. If you're somewhere in between, invest in the data infrastructure that supports everything else.
