ESG Assurance Readiness: The 16-Control Checklist

What your auditor will look for during a limited assurance engagement. Get these 16 controls in place before they walk in the door.
Updated: March 2026
Standard: ISAE 3410 / ISO 14064-3 / CSRD Art. 34

Third-party assurance of sustainability data is moving from optional to mandatory. CSRD requires limited assurance starting FY 2027. SB 253 will require limited assurance for Scope 1+2 (CARB's second rulemaking will set the timeline). CDP awards higher scores to verified disclosures. Your investors and customers increasingly expect it.

Assurance is not a financial audit — but it borrows the same logic. The assurance provider checks whether your emissions data is materially correct, your methodology is sound, and your internal controls are sufficient to produce reliable data year after year.

The assurance gap: Most mid-market companies have emissions numbers but lack the controls and documentation to pass an assurance engagement. The numbers might be right, but they can't prove it. This checklist closes that gap.

Limited vs Reasonable Assurance

Limited assurance (what's required first) means the auditor concludes "nothing has come to our attention that causes us to believe the data is materially misstated." They do inquiry, analytical procedures, and limited testing. Reasonable assurance (the higher standard, required by CSRD after the transition period) means the auditor provides positive assurance — "in our opinion, the data is fairly stated." This requires more extensive testing.

Both standards look for the same underlying controls. Building them for limited assurance means you're already prepared when reasonable assurance kicks in.

The 16 Controls

8 areas covered | 16 total controls | 6 high risk if missing | ~40 hours to implement
Area 1: Data Governance
1. Formal data governance policy
A written document that defines who is responsible for emissions data, how it flows through the organization, and how decisions about methodology are made and approved.
Evidence: Signed policy document with defined roles, review cycle, and escalation path.
High risk if missing — auditor's first question.
2. RACI matrix documented
Responsible, Accountable, Consulted, Informed — for each step of the data collection, calculation, and reporting process. Prevents gaps and duplicated effort.
Evidence: RACI chart mapping data owners to each scope/category/facility.
Medium risk — auditors use this to validate segregation of duties.
Area 2: Data Collection
3. Automated collection from primary systems
Where possible, data flows directly from source systems (utility billing, fuel card providers, fleet management) rather than being manually transcribed.
Evidence: System integration logs, API connection records, or automated import schedules.
Medium risk — manual processes aren't disqualifying but require stronger review controls.
4. Dual-review on manual entry
Any manually entered data point must be reviewed by a second person before it enters the calculation. This catches transcription errors — the most common source of material misstatement.
Evidence: Review sign-off log with reviewer name, date, and any corrections made.
High risk if missing — manual data without review is the #1 audit finding.
Area 3: Data Quality
5. Reconciliation with financial records
Cross-check fuel quantities in your emissions inventory against accounts payable. If you reported 50,000 gallons of diesel and AP shows $200,000 in diesel purchases at $4/gal, that implies 50,000 gal and the two reconcile. If they don't, investigate.
Evidence: Reconciliation workpaper showing financial data vs activity data comparison.
High risk — this is the single most effective quality control.
6. Anomaly detection (quarterly)
Flag data points that deviate more than 30% from the prior quarter or prior year. Investigate and document the cause. Seasonal variation is fine — unexplained jumps are not.
Evidence: Quarterly variance report with explanations for flagged items.
Medium risk — shows active data monitoring.
Area 4: Calculations
7. Emission factors documented with source and version
Every EF used in your inventory must be traceable: source database, publication year, specific table or row reference. "EPA 2024" is not enough — "EPA GHG EF Hub 2024, Table 1, Row 12: Natural Gas" is.
Evidence: EF register listing each factor, source URL, version, and date accessed.
High risk — undocumented EFs are a qualification trigger.
8. Methodology aligned to GHG Protocol
Your calculation methodology must explicitly reference the GHG Protocol Corporate Standard (Scope 1+2) and/or Corporate Value Chain Standard (Scope 3). Document any deviations and justify them.
Evidence: Methodology note referencing specific GHG Protocol sections applied.
High risk — non-aligned methodology may lead to qualified assurance opinion.
Area 5: Reporting
9. Organizational boundaries defined and documented
Which entities, facilities, and operations are included in your inventory? Equity share or operational control approach? Document the choice and apply it consistently.
Evidence: Boundary statement listing all included/excluded entities with rationale.
High risk — inconsistent boundaries between scopes are a common finding.
10. Board or executive sign-off process
The final emissions report should be reviewed and approved by someone with authority before submission. This mirrors financial reporting governance and demonstrates tone at the top.
Evidence: Sign-off form or email chain showing executive approval of final numbers.
Medium risk — demonstrates governance maturity.
Area 6: Internal Controls
11. Segregation of duties
The person who collects the data should not be the same person who reviews it or approves the final report. At minimum: collector, reviewer, approver — three different people.
Evidence: Role assignments showing separation between collection, review, and approval.
Medium risk — small teams can document mitigating controls.
12. Access controls on ESG data
Who can edit emissions data? Access should be limited to authorized personnel with audit trail logging. If anyone in the company can change a cell, data integrity is questionable.
Evidence: User access list for ESG data systems with role-based permissions.
Medium risk — relevant for platform-based reporting.
Area 7: Audit Readiness
13. Pre-assurance dry run completed
Before engaging an external assurer, walk through the full inventory as if you were the auditor. Check every data source, recalculate a sample of entries, verify EFs, and test controls. Document findings.
Evidence: Dry run report with findings, corrections made, and open items.
Low risk if skipped — but dramatically reduces audit findings and cost.
14. Audit committee or board briefed
The governing body should understand the scope, timeline, and expected outcome of the assurance engagement before it begins. No surprises.
Evidence: Board/committee minutes or briefing memo documenting the discussion.
Low risk — but signals mature governance to the assurer.
Area 8: Continuous Improvement
15. Targets tracked against science-based trajectory
If you've set reduction targets, track actual progress against the required trajectory. A target without tracking is just a press release.
Evidence: Dashboard or report showing target year, required annual reduction, and actual reduction.
Low risk for first assurance — becomes critical in subsequent years.
16. Year-over-year comparison documented
Compare current year emissions to prior year by scope and source. Explain material changes. This is expected in CSRD, CDP, and most investor-facing disclosures.
Evidence: YoY comparison table with variance explanations for changes exceeding 10%.
Low risk — but expected in all mature disclosures.

Prioritization: Where to Start

If you're starting from zero, focus on the 6 high-risk controls first. These are the items most likely to trigger a qualified assurance opinion or prevent engagement completion:

Control 1 (Governance policy), Control 4 (Dual-review), Control 5 (Financial reconciliation), Control 7 (EF documentation), Control 8 (GHG Protocol alignment), Control 9 (Boundaries). Get these six in place and you've addressed the majority of common audit findings.

The remaining 10 controls strengthen your position from "passable" to "audit-ready." Implement them over 2–3 months, prioritizing by risk level.

The Dry Run: How to Do It

Two weeks before your assurance engagement starts, run through this exercise internally:

1. Pick 5 random data points from your Scope 1 inventory. Trace each one back to its source document (utility bill, fuel receipt, maintenance log). If you can't find the source for any of them, you have a documentation gap.

2. Recalculate 3 entries from scratch using the documented EFs. If your result differs from the inventory by more than 5%, investigate.

3. Check that your Scope 2 kWh totals reconcile with facility electricity costs at your average rate per kWh. If they're off by more than 10%, something is wrong with either the activity data or the financial records.

4. Verify that every entity in your boundary statement has corresponding data in the inventory. No orphan entities. No missing facilities.

5. Have someone who didn't build the inventory read the methodology note and try to reproduce one calculation. If they can't follow it, neither can your auditor.

Track your readiness live

Emberglow's Prove workspace tracks all 16 controls with evidence status, owner assignments, and gap action items. Server-side audit trail captures every change automatically.
