CSRD audit: Everything about the audit of the sustainability report

The new sustainability reporting in accordance with the CSRD affects more than 15,000 companies in Germany. The background to this is the start of the CSRD reporting and auditing obligation in 2026 for all large companies for the 2025 financial year. In future, the sustainability report will play an important role in the preparation and auditing process as part of the management report. In addition to the companies affected, this also poses major challenges for the auditing industry – both as consultants and auditors. The following article provides a brief insight into the future CSRD audit as well as ideas, tips and tricks with regard to ensuring auditability for companies.

Who may audit the CSRD report in Germany?

Legal requirements for the CSRD audit

Who is to carry out the audit of the sustainability report in future is probably one of the most discussed regulations in the current government draft for the implementation of the CSRD Directive in Germany.

In principle, the Directive provides for the possibility of approving other auditors in addition to the auditor through a Member State option. However, this option was not simply implemented in the current explanatory memorandum to the law; instead, it provides for a future review by the Federal Government regarding the approval of other independent providers of assurance services (e.g. environmental verifiers) in a subsequent amendment to the law. As a result, the CSRD audit is currently the responsibility of the auditors.

Authorized inspectors

According to the government draft, the statutory auditor or another auditor can be commissioned to audit the sustainability reporting. The prerequisite for the audit is that auditors register as sustainability auditors. To this end, auditors appointed before 01.01.2026 must provide evidence of at least 40 hours of CSRD training.

Importance of choosing the right auditor

It is very important to determine a suitable sustainability auditor for the respective company. In this case, it may be advisable to use the statutory auditor, as they are already familiar with the company. If, on the other hand, another auditor is to be used for sustainability reporting, attention should be paid to their qualifications and, in the best case, to their previous experience.

In the future, lenders and investors will refer to this information and base their investment decisions on it. For this very reason, the content of the sustainability report should contain relevant and reliable information, to which a good auditor can contribute as part of its audit.

Tip for the CSRD test

The auditor should be involved at the beginning of the preparation, but at the latest during the double materiality analysis, in order to avoid negative consequences for the audit opinion. In addition to the annoyance of a potentially negative audit result, this saves both human and financial resources for the company itself.

CSRD audit: What exactly is audited in the sustainability report?

The audit focuses in particular on

  • Review of the double materiality analysis including the associated process and the resulting material topics identified
  • Completeness and accuracy of reportable ESRS data points based on the material topics identified
    Note: We have developed a data point mapping tool to determine the data points for you at the touch of a button.
  • Reporting obligation in accordance with Article 8 of the EU Taxonomy Regulation, including the associated process for determining the KPIs to be reported (revenue, OpEx and CapEx)

Tip for the CSRD test

In addition to the disclosures in accordance with the European Sustainability Reporting Standards (ESRS), data collection for the EU Taxonomy Regulation should be started at an early stage. To ensure that the data can be collected reliably and without high manual effort in the future, changes to the chart of accounts or changes in the recording of transactions (e.g. through additional data points) must be taken into account for most financial accounting systems.

With what assurance should the sustainability report be audited in the future?

At the beginning, the legislator provides for a CSRD audit with limitedassurance. The verdict is summarized in a separate audit opinion, in addition to the already known audit opinion. It is planned that the CSRD disclosures will be audited in future (vss. in 2028) withreasonable assurance, analogous to the audit of the annual/group financial statements.

It is expected that the costs and time required for the audit of the sustainability report will be the same as the fees for the traditional audit of the financial report. This is justified by the increasing relevance of the sustainability report, which in future is to have the same status as the annual financial statements.

What does a CSRD audit with limited assurance mean?

A limited assurance engagement is not a full scope audit. The auditor bases the audit in particular on

  • understanding the company, including business processes and the control environment, and
  • on surveys and analytical assessments with a focus on the plausibility of the information.

In comparison to reasonable assurance, the auditor has a higher degree of freedom with regard to site inspections and sample sizes.

How does the CSRD audit with reasonable assurance differ from this?

In the case of reasonable assurance, the auditor will expand the scope of the audit based on the above-mentioned audit procedures, particularly in the areas of control and IT. In addition, larger sample sizes and expanded site audits will be performed due to the higher level of assurance required.

Tip for the CSRD test

From the company’s perspective, an efficient audit can be ensured in particular through an effective internal control system. The implementation of suitable ESG software solutions (such as the Materiality Master) and IT systems as well as suitable controls generally leads to less time being required and, as a result, to lower audit costs.

Steps for reviewing the CSRD report

1. preparation for the CSRD exam

First, a suitable sustainability auditor must be appointed. Either the statutory auditor or another qualified and experienced auditor is suitable for this purpose.

The company to be audited prepares all relevant documents before the start of the audit in order to be able to carry out the audit efficiently. These documents to be prepared should include, in particular, the process documentation, the documentation of the double materiality analysis as well as the specific data collection and (if available) the sustainability strategy.

2. performance of the CSRD test

The sustainability auditor will first deal with the process of preparing the sustainability report and the resulting data points of the CSRD report. To this end, he will, among other things, hold discussions with internal stakeholders such as those responsible for sustainability reporting and take individual samples.

3. follow-up of the CSRD examination

The sustainability auditor reports to the company on the results of the CSRD audit. If necessary, he or she makes suggestions for improving data collection and the underlying processes. These process improvements should be implemented promptly and the auditor should be sufficiently involved in the process.

Common CSRD audit challenges and how to overcome them

The CSRD now provides for a large number of data points that the company has generally not recorded in this structured form in the past. For this reason, it is very important to identify the data points to be reported at an early stage.

Tips for the CSRD check

  1. The selection of relevant topics as a result of the double materiality analysis should be pragmatic, as the selected topics are decisive for the number of data points to be reported.
  2. In the first few years, there are a number of simplification provisions, particularly for companies with fewer than 750 employees. It is advisable to take full advantage of these. This gives companies sufficient time to implement appropriate processes so that reliable and high-quality data points can be presented as a result.
  3. It is advisable to set up your own reporting system to ensure that the data is recorded and transmitted consistently. Internal plausibility checks (e.g. by the controlling department) should ensure the quality of the reported data points.

A data and information strategy with associated responsibilities and processes should be implemented, especially for globally active groups, in order to be able to collect data points consistently and qualitatively. This includes comprehensive internal communication between all affected departments as well as information from the value chain (especially but not only direct suppliers and customers). A suitable IT landscape, an internal database or a suitable external CSRD tool can provide resource-saving support.

Best practices for a successful CSRD audit

It is advisable to involve the auditor at an early stage – at the latest, however, as part of the double materiality analysis. Detailed and stringent documentation is necessary to enable the auditor to carry out their work efficiently and effectively. In addition, the collection of relevant data must be started at an early stage in order to allow sufficient time for preparation and to be able to clarify any questions with the auditor at an early stage. As part of the data collection process, communication between the departments and all relevant stakeholders must be ensured from the outset and sufficient documentation of the processes and implemented controls must be prepared.

In order to carry out reporting in accordance with the CSRD, it can be helpful to use software with corresponding certification. There are already a large number of providers on the market offering various solutions for this purpose.

Tip

To avoid unnecessary costs, a market research and evaluation of the various software products should be carried out, for example with our CSR tool overview, as the providers differ considerably in terms of functionality and therefore price. Not all functions are useful for every company.

Internal audits should be carried out in order to always have an overview of whether the data is complete and correct. Furthermore, it makes sense to regularly review the internal reporting and preparation processes in order to be able to react to (legal) changes, as legislation and the relevant accompanying information are constantly evolving.

Guest article written by Urs Gnädinger and Sarah Stindl

Urs Gnädinger - CSRD Prüfer
Sarah Stindl - CSRD WP

Urs Gnädinger from the Stuttgart region is an auditor at audit.innovation and founder of audit.neo – an operating system for auditors. He started his career at Ernst & Young (EY) in 2012 and is also a  Lecturer for international accounting at the HTWG University of Applied Sciences Konstanz.

Sarah Stindl works as an audit consultant at audit.innovation. She completed her Bachelor of Science at the University of Ulm in March 2024 and dedicated her thesis to sustainability reporting.