
- The CSRD requires a mandatory external audit of sustainability reports based on limited assurance.
- Since 18 March 2026, reporting obligations apply only to companies with more than 1,000 employees AND more than €450m net turnover (both criteria cumulatively).
- The ESRS are being simplified: a draft of revised standards was published in May 2026, cutting mandatory data points by over 60%.
- Good preparation means clear processes, solid data management, and an internal control system well before the first audit.
- The CSRD audit is also a strategic tool: audited ESG data strengthens investor trust, improves financing conditions, and sharpens market positioning.
The demands on sustainability reporting are increasing, and with them the importance of the CSRD audit for companies in Germany and throughout Europe. With the Corporate Sustainability Reporting Directive (CSRD), the European Union is creating a new standard for transparency and comparability. The goal is to systematically and comprehensibly integrate environmental, social and governance issues (ESG) into corporate reporting.
1. Why the CSRD audit is now in focus
The Omnibus package has significantly narrowed the scope of the CSRD. Since 18 March 2026, reporting obligations apply only to companies with more than 1,000 employees AND more than €450m net turnover (both criteria must be met cumulatively). Many companies that previously expected to fall in scope are now exempt.
The Omnibus package redrew the CSRD scope. Reporting is now mandatory only for companies meeting both of these criteria:
- More than 1,000 employees
- More than €450m net turnover
Non-EU groups are subject to reporting from €450m EU turnover, at the earliest from financial year 2028 (first report in 2029).
Even so, one thing is clear: the CSRD audit will remain mandatory for companies in scope and a strategic lever for others who want to position themselves for the future. The directive requires meaningful sustainability reporting and its external verification based on limited assurance. Companies must set up processes, data, and responsibilities in a way that meets these requirements.
Until the full implementation of the CSRD in Germany, the CSR Directive Implementation Act (CSR-RUG) continues to apply. Germany's national CSRD transposition law has not yet been adopted; entry into force is expected during 2026. Companies that adopt structured sustainability reporting early gain clear advantages: they comply with regulatory requirements and strengthen their position with investors, customers, and business partners.
2. The regulatory framework: The basis of every CSRD audit
Anyone who wants to pass the CSRD audit successfully must know the legal framework. The Corporate Sustainability Reporting Directive (CSRD) obliges companies to provide comprehensive and standardized sustainability reporting. It gradually replaces the previous Non-Financial Reporting Directive (NFRD) and, in Germany, the CSR-RUG.
Currently, the legal framework of the CSR-RUG still applies in Germany. Companies that have previously been required to report non-financial information remain obliged to do so under the relevant HGB provisions. Only with the full implementation of the CSRD will this framework be replaced. This transition phase requires careful planning, as many requirements apply in parallel or overlap in time.
Voluntary reporting as a strategic advantage
Not all companies are directly subject to reporting requirements. Nevertheless, starting structured sustainability reporting early can be strategically advantageous. A possible framework for this is the Voluntary Reporting Standard for SMEs (VSME), which EFRAG published in December 2024 as a voluntary reporting standard.
The voluntary standard is being broadened into the "VS" (Voluntary Standard), expected as a delegated act later in 2026. It is based on the VSME but will also cover non-SMEs with fewer than 1,000 employees (or under €450m turnover) that fall outside the CSRD scope. CSRD-obligated companies may not require value-chain partners with 1,000 employees or fewer to provide information beyond what the voluntary standard covers.
The voluntary reporting standard is not subject to mandatory external auditing. Nevertheless, external validation can be advantageous, for example for the use of environmental claims towards consumers (see EmpCo Directive) or for a better rating certificate such as EcoVadis.
Looking to the future: ESRS and European audit standards
The CSRD refers to the European Sustainability Reporting Standards (ESRS), which set uniform requirements across Europe. On 6 May 2026, the EU Commission published a draft of simplified ("revised") ESRS for consultation. Key changes include:
- Mandatory data points cut by over 60%
- Total data points reduced by over 70%
- Reporting costs per company reduced by over 30%
- Simplified materiality assessment
- New flexibilities and clearer structure
New European auditing standards are also emerging, particularly ISSA 5000, which will be decisive for the external audit of sustainability information. Companies that follow these developments actively gain a clear implementation advantage.
3. Obligations and scope of the audit according to CSRD
The CSRD audit is not only a formal control. It is based on clearly defined obligations and standards that companies must meet. At the center is mandatory sustainability reporting, which will be as binding and audit-relevant as the classic financial report. For many companies, this means new processes, new data requirements and a significantly higher degree of transparency.
Which standards apply?
Reporting is based on the European Sustainability Reporting Standards (ESRS). They form the central set of rules for the content, structure and methodology of sustainability reporting.
Key requirements include:
- a double materiality assessment (impact and financial materiality)
- disclosure requirements on environmental, social and governance aspects (ESG)
- sector-specific reporting requirements (added gradually)
- specification of methods, data sources and assessment bases used
External audit becomes mandatory
Sustainability reports will be subject to mandatory external audit. Auditors or other approved auditors check the information according to defined standards.
The audit obligation is staggered by company size and timing. Companies in scope since 2024 (formerly large, capital-market-oriented companies with more than 500 employees under the NFRD) are already subject to reporting. For the remaining groups, deadlines are being updated in line with the Omnibus changes. In addition, there is the option of voluntary audits for non-obligated companies.
For the audit of the sustainability report, the limited assurance standard applies.
4. Preparation for the CSRD audit in practice
The CSRD audit presents many companies with a new challenge. It requires not only a sustainability report, but a resilient, comprehensible and auditable information base. Clear structures built early reduce risks, save time and ensure a smoother audit process.
Create clear processes and responsibilities
A central success factor is a clearly structured internal process. Sustainability reporting must be understood as an integral part of corporate management, not a by-product. This includes:
- Definition of responsibilities: Who is responsible for which topics, data and key figures?
- Involvement of all relevant areas: Sustainability concerns ESG teams, finance, controlling, HR, purchasing, production and communications.
- Integration into existing reporting structures: With structured Green Controlling, sustainability data can be collected and audited more efficiently.
A well-structured process not only facilitates reporting itself. It makes the CSRD audit more predictable for companies.
Data quality and documentation as a basis
Auditors require complete and verifiable documentation of all relevant information. Companies should, at an early stage:
- systematically record data sources and responsibilities
- establish plausibility and consistency checks
- clearly document interpretation decisions regarding the ESRS
- clearly define external data suppliers and stakeholders
Information from the value chain is particularly critical, as it is often not fully controllable internally. A transparent approach helps here, for example through coordinated processes with suppliers and partners.
Strategically design time planning
A realistic and early time plan is essential for a successful CSRD implementation. It should include several phases:
- Materiality assessment and strategy development
- Data collection and internal coordination
- Report preparation and quality assurance
- Audit preparation and feedback loops
- Finalization of the sustainability report
Since many processes are new, plan buffer times, especially for the first audit. Early coordination with auditors helps clarify open questions and avoid delays.
Establishment of an internal control system
To make sustainability reporting permanently auditable, the establishment of an internal control system (ICS) is decisive. This system ensures that data is collected and processed consistently, correctly and comprehensibly. It includes:
- process descriptions and control documentation
- technical systems for data collection
- clear release processes and responsibilities
- regular internal audit mechanisms
The ICS is not a "nice to have". It becomes the decisive proof of quality for the CSRD audit. Typically, controlling is responsible for such a system.
Use external expertise
Not all companies have the resources or expertise to implement CSRD audit requirements on their own. Involving external experts or CSRD consultants can turn a regulatory obligation into an opportunity to strategically anchor sustainability in the company.
A structured ESRS data points template helps you identify which data to collect, track obligations and prepare for the audit process.
5. Types of audits and requirements for the CSRD audit
The CSRD audit ensures that published ESG data is credible, reliable and comparable. The audit process draws on established standards from financial reporting with some special features.
Limited vs. reasonable assurance
The CSRD audit requires limited assurance. Auditors assess the plausibility and appropriateness of the reported information, but with a smaller scope than for a financial statement audit. Typical audit procedures include:
- Surveys and interviews with responsible persons
- Analysis of processes and controls
- Sample checks of individual information
- Assessment of the materiality assessment and underlying methods
An audit with reasonable assurance was originally planned but is currently no longer foreseen for the CSRD report. This standard would be more akin to a classic financial audit and would include more extensive tests, verification of internal control effectiveness, and detailed validation of key figures.
Audit standards: ISSA 5000 and ISAE 3000
The external audit of sustainability reporting is based on international standards:
| Standard | Description | Status |
|---|---|---|
| ISAE 3000 (Revised) | Current standard for audits of non-financial information | Applied until full ISSA introduction |
| ISSA 5000 | Future European auditing standard for sustainability information (IAASB) | Emerging standard |
These standards regulate the structure and methodology of the audit, requirements for audit evidence, formulation of audit opinions, and quality assurance of the audit process.
Audit opinions and their significance
At the end of the CSRD audit, an audit opinion provides information about the reliability of the reporting. With limited assurance, a negatively worded audit opinion is issued, for example:
"On the basis of the audit procedures performed and the audit evidence obtained, nothing has come to our attention that causes us to believe that the consolidated sustainability statement is not presented fairly, in all material respects, in accordance with applicable requirements."
With reasonable assurance, the opinion is positively formulated, similar to a financial audit opinion. Companies can also combine both audit types, for example if particularly sensitive topics such as climate targets or supply chain information are to be examined in more detail.
Practical implications for companies
The chosen type of audit directly influences:
- the time and organizational effort
- the depth of internal documentation required
- the resources needed
- the level of reputation with stakeholders
6. Strategic implications of the CSRD audit
The CSRD audit is far more than an additional legal requirement. If understood correctly, it becomes a strategic instrument for corporate sustainability. The transparency and structure created through sustainability reporting have an impact far beyond regulatory obligations: on financing, market positioning, competitiveness and reputation.
ESG transparency as a competitive advantage
Customers, investors, and business partners today expect more than just financial figures. Companies that disclose their sustainability strategy and have it externally audited actively strengthen trust in their business practices.
The CSRD audit provides additional credibility because the published information is not only created internally but is also externally verified. That can:
- Facilitate access to capital, as banks and investors increasingly incorporate ESG criteria into their decisions
- Strengthen supply chain relationships by transparently meeting sustainability requirements
- Increase brand image and employer attractiveness, especially among young talents who value sustainability
Sustainability reporting as a management tool
The CSRD means that sustainability information is being integrated into corporate management. Companies that systematically collect and use their ESG data can:
- Identify and manage risks early (e.g. climate risks, supply chain risks)
- Identify opportunities (e.g. efficiency gains, innovation potential)
- Measurably link sustainability goals with business strategy
This makes the CSRD audit a driver for professionalization and strategic development, not just a compliance exercise.
Signaling effect for stakeholders
Audited sustainability reporting sends a strong signal: "We take sustainability seriously and allow ourselves to be measured against it."
This creates trust with:
- Investors who are increasingly demanding binding ESG data
- Customers who expect sustainable supply chains
- Employees who value responsible action
- Regulatory authorities that check traceability and transparency
Companies that start early with high-quality reporting gain a first-mover advantage and position themselves as a reliable partner in the transformation.
Connection to further sustainability requirements
The CSRD does not stand in isolation. It is part of a larger regulatory framework that gradually strengthens the anchoring of sustainability, including the EU Taxonomy Regulation and the Corporate Sustainability Due Diligence Directive (CSDDD).
Good preparation for the CSRD audit therefore also means setting up reporting and control processes so that they meet several regulations at the same time.
7. Recommendations for action and checklist for CSRD audit preparation
Good preparation is the key to a successful CSRD audit. The following checklist helps companies build internal processes systematically, create transparency and minimize audit risks.
1. Set the strategic course
- Clearly define responsibilities for sustainability reporting
- Integrate sustainability strategy with corporate strategy
- Actively involve management and supervisory bodies in the process
- Take into account the potential impact of other regulations (EU taxonomy, CSDDD)
2. Review scope and reporting obligations
- Determine whether and from when the company is subject to reporting requirements under the updated thresholds (more than 1,000 employees AND more than €450m turnover)
- Check transitional periods and possible exemption regulations
- Decide whether to report voluntarily early (first-mover advantage)
- Involve key suppliers and partners in the process (value chain)
3. Set up data management and documentation
- Identify and centrally record relevant ESG data sources
- Establish plausibility and quality checks
- Document questions of interpretation regarding the ESRS
- Define processes for data collection along the value chain
- Ensure comprehensible documentation for auditors
4. Implement internal control system (ICS)
- Standardize processes for data collection and processing
- Define and document control and release processes
- Clearly define roles and responsibilities in the ICS
- Plan regular internal audits and improvement cycles
5. Design the schedule realistically
- Set up a multi-stage project plan with clear deadlines
- Plan feedback loops and coordination with auditors
- Schedule report preparation and review early
- Incorporate buffer times, especially during the first CSRD audit
6. Communication and training
- Create internal awareness and involve all relevant departments
- Conduct CSRD training and courses on ESRS, reporting processes and audit requirements
- Clearly structure stakeholder communication (internal and external)
- Communicate results transparently and understandably
7. Use external support in a targeted manner
- Contact auditors early
- Involve external specialist advice where internal know-how is lacking
- Analyze best practices from other industries
- Evaluate ESG software solutions and supporting technologies
8. Outlook and further resources
The CSRD audit will continue to gain importance in the coming years and become an integral part of corporate governance.
Companies that create solid structures now will benefit twice over: from more efficient processes and a clear advance of trust in the market. Pay particular attention to the following developments:
- New ESRS versions and sector-specific standards: Subscribe to the free CSRD Compass Newsletter to not miss updates.
- Integration with other EU regulations (e.g. Taxonomy, CSDDD)
- Digitalization of reporting through standardized data formats and platforms
For further information, we recommend the Readiness Check for the CSRD audit by the DRSC and the website of the Institute of Public Auditors in Germany (IDW).
A structured materiality analysis template is the foundation for every CSRD audit. Identify which topics are relevant, document your decisions, and build audit-ready evidence from day one.
Frequently asked questions about the CSRD audit
Who is subject to the CSRD audit under the current rules?
Since 18 March 2026, the reporting obligation applies only to companies meeting both criteria: more than 1,000 employees AND more than €450m net turnover. Non-EU groups are subject from €450m EU turnover, at the earliest for financial year 2028. Companies below these thresholds are not obligated but may report voluntarily.
What does limited assurance mean in practice?
Limited assurance means auditors assess the plausibility of your reported sustainability information but with a narrower scope than a full financial audit. They conduct interviews, process analyses and sample checks. If nothing comes to their attention that raises doubts, they issue a negatively worded positive opinion. It is less intensive than reasonable assurance but still requires solid internal processes and documentation.
Which audit standard applies to the CSRD report?
Currently, ISAE 3000 (Revised) is the applicable standard for auditing non-financial information. The new ISSA 5000 standard, developed by the IAASB specifically for sustainability assurance, is emerging and will become the primary European standard. Companies should familiarize themselves with both.
How early should we start preparing for the CSRD audit?
Start as early as possible. A realistic project plan should cover the materiality assessment, data collection, report preparation, audit preparation and finalization in sequence. For the first audit cycle, build in generous buffer time. Early coordination with your auditors helps clarify open questions before they become blockers.


