In a ‘how to’ session at Corporate Disclosures 2025, EY assurance partner Asif Chowdhury and Kingfisher ESG Reporting Manager Olga Mayorova offered their perspectives on how companies can get ready for external limited assurance on their sustainability disclosures.
Outlining the preparations UK-based home improvement retail company Kingfisher makes before its sustainability disclosures are subject to assurance, Mayorova said the first step is to discuss with the assurance provider to understand the steps that they are going to take and align with the upfront evidence that is required.
The company also works with an external reporting partner to verify all data sets prior to submission.
Internally, the most intensive effort goes into preparing the people who provide the sustainability data, as the metrics come from all corners of the business and are often produced by individuals for whom audit processes are unfamiliar.
“For the data contributors, audit and assurance is not really part of the day-to-day job,” Mayorova said. “We explain the assurance process in detail, explain the evidence requirements, explain the key steps and how the data is tested. We put a lot of effort into preparing them early ahead of the assurance engagement.”
Kingfisher’s internal audit function also tests data flows, controls and signoffs each year to ensure the system can withstand external examination. Any weaknesses are fixed before the assurance team arrives.
As mandatory assurance approaches under CSRD, this process will become even more central. Mayorova said the focus will be on controls and data ownership as well as technology to decrease the risks of human error and ensure there is “a really clear audit trail”.
While companies strengthen internal processes, assurance providers face a separate challenge: the expectation gap. According to Chowdhury, the first phase of CSRD adoption brought significant anxiety among companies uncertain about regulatory interpretation and the potential for qualifications in the assurance conclusions.
“There's a big expectation gap in what a limited assurance is. Assurance can only build trust when you have strong foundations,” Chowdhury said. “Limited assurance is based on inquiries and analytical reviews of data. Some providers, like us, will do some sample testing for high-risk [data points] but not many do, and you have no real assurance on the completeness of the data.”
He illustrated how to establish the necessary foundation for limited assurance with a hypothetical budget of £100. Of this, he said £20 should go on doing the materiality assessment, £60 should be invested in putting the right controls in place, and the remaining £20 should go on external assurance.
Amongst the first wave of companies reporting under the CSRD, Chowdhury noted that many are doing more internal audit advisory work on the sustainability topics that they disclosed for the first time, with a view to improving governance around the more challenging sustainability data before their reports are subject to assurance in the second round of reporting.
Under the current scope of the CSRD, Kingfisher will be among the second wave of companies required to report in line with the ESRS and obtain limited assurance on those disclosures. The company has undertaken a pre-assurance exercise with its assurance provider, with a particular focus on the double materiality assessment (DMA).
While the DMA itself is “not a game changer” because of Kingfisher’s history of reporting on material sustainability topics, Mayorova said a key change is that assurance will focus on the process behind the exercise rather than the metrics that are ultimately disclosed.
“We learned how important it is to show a clear and traceable process including who was consulted, how the decisions were made, how they were documented, how the rationale links to the actual [metrics]. We saw that, even in our mature reporting practices, assurance really requires a different level of discipline and evidence traceability,” she said.
“Overall, we now understand that the process needs to be much more digital and automated,” Mayorova continued. “The DMA will have to be assured as part of CSRD reporting so we do need to have a tighter system to manage the inputs, documentation and approvals. Basically, we're talking about controls.”
This echoes the advice Chowdhury gave at the Corporate Disclosures 2024 conference, where he explained that assurance providers are assessing the processes and evidence underpinning the DMA and urged companies to engage with their providers early to establish what their expectations are around the exercise.
With the ESRS shifting to an explicit fair presentation framework, under the revisions approved by EFRAG last week, Kingfisher is working with its internal audit team and finance department to understand how this will impact its reporting and assurance process.
Fair presentation emerged as a contentious issue during the ESRS revisions. EFRAG Sustainability Reporting Board members and Cristina Saporetti, Luc Vansteenkiste, Marcello Bianchi dissented from approving the cross-cutting ESRS 1, partly on the basis that it could make the assurance process more onerous for preparers.
Chowdhury said the shift to fair presentation will require new judgement calls on what is included in the reports.
“When you undertake a double materiality assessment and you find that a disclosure is not material, it is not just a compliance exercise so you also need to check whether investors would care about it,” he explained. “In the context of fair presentation, you have to think more holistically, rather than a yes/no compliance-based approach. That will need quite a bit of assessment, as well as engagement with investors.”
“When you undertake a double materiality assessment and you find that a disclosure is not material, it is not just a compliance exercise,” he said. Investors may still expect the information. Carbon pricing is one example: immaterial for many companies, but strategically relevant for investors.
“In the context of fair presentation, you have to think more holistically rather than a yes/no compliance-based approach,” he said. Applying the new standard will require more assessment and engagement with investors.
Broadening the lens to the IAASB’s new international sustainability assurance standard (ISSA 5000), Chowdhury said engagements done in line with the standard will be more forensic in their assessments of risks, with more understanding needed of the systems in place.
“The risk assessment in this new standard is more granular. It’s more prescriptive,” Chowdhury said. Auditors in Australia are already requesting end-to-end process maps of sustainability information - expectations historically associated with financial audits.”
The standard also provides more guidance on how to disclose estimation uncertainty, aligning more closely with financial audit requirements. Companies may need to provide sensitivities for key estimates.
“You need to build those foundations,” Chowdhury said, advising companies to involve IT teams and controllers early to understand what auditors will examine.
Whether subject to the CSRD or to jurisdictional climate reporting regimes integrating ISSA 5000, companies must establish the “foundations” of robust controls and evidence traceability, not only over their sustainability data but also over their reporting and materiality processes.