The EU’s incoming corporate sustainability disclosure regime – even in its watered-down state – is a landmark piece of legislation.
Tens of thousands of companies, including many based outside the bloc, will eventually be required to report against the Corporate Sustainability Reporting Directive (CSRD) – although the newly introduced materiality assessment brings a degree of uncertainty about exactly what they will disclose.
But this is not the only pioneering aspect. CSRD also introduces mandatory assurance of sustainability information for the first time. Within the next few years, a deluge of sustainability disclosures by companies, the majority of which will be highly inexperienced, will require assurance.
The quality of this information matters too. Disclosures under CSRD will form the basis of much of the reporting under other parts of the EU’s sustainable finance regulatory framework, including for investors as part of their mandatory requirements under the Sustainable Finance Disclosures Regulation (SFDR).
How prepared then is the market to assure the coming tide of disclosures?
“Not fully prepared, to put it mildly,” according to Wim Bartels, a senior partner at Deloitte with over 20 years’ sustainability experience who also sits on the sustainability reporting board of EFRAG, the EU’s standard setter behind CSRD and the technical standards that underpin it.
Questions and uncertainties abound when it comes to the CSRD. This is partly due to its unprecedented depth and breadth, both in terms of disclosures and who discloses, but also to a lack of clarity on how it will be implemented.
The first reporting period for CSRD, which applies to the 11,000 or so large EU firms that already report under the bloc’s existing disclosure regime, the Non-Financial Reporting Directive (NFRD), begins in just a few months’ time. Despite this, not a single EU country has yet finalised transposition of the directive into national law, and no state is required to do so until June, halfway through the first reporting cycle.
“There is very, very little time to prepare,” says Hilde Blomme, deputy chief executive at Accountancy Europe, the body that represents the profession in Europe. “The timeliness is going to be an issue for the reporting, but also for the sustainability assurance.”
The capability/capacity gap
Time is not the only concern.
Firms with experience of reporting under NFRD, which was adopted in 2014, should not need to overhaul their process to comply with CSRD but can simply introduce updates, Bartels says.
As he notes, most of these big firms will also be served by the largest accountancy firms, which are most likely to possess the capabilities to provide the necessary assurance. Many will also have already sought voluntary assurance for some of their sustainability-related disclosures.
What concerns Bartels is whether there is the capability and capacity in the wider market to provide assurance for the 40,000-plus additional firms that will be required to disclose their sustainability data over the next three years.
“For the large accounting firms, including Deloitte where I work, it’s a matter of capacity,” he says. “We have the capability, but now we need to scale up the team with the knowledge we have and that’s happening. But with the smaller accounting firms, perhaps, they face a capability issue as well as a capacity one.”
Acquiring that expertise – especially practical expertise – may prove difficult, says Bartels, given the limited supply of experts.
There are also unique challenges with CSRD even for experienced assurers. The European Commission’s (EC) recent requirement that virtually all the standards underpinning the CSRD be subject to materiality assessment makes for “substantial assurance work”, Blomme tells Responsible Investor.
The EC’s controversial decision to remove mandatory reporting – even on key climate indicators – from the European Sustainability Reporting Standards (ESRS), was confirmed in late July and marked a substantial rollback from the standards originally created by EFRAG.
Blomme describes this new component as “absolutely essential” to assurance of CSRD.
“There is going to be a lot of substantial assurance work that will need to be done as a practitioner as to whether a company has come to the right conclusions when it comes to its materiality assessment,” she says.
As she notes, this is especially important since that assessment will be the determining factor on what gets included in audit reports.
Carmen Lu, counsel at New York City law firm Wachtell, Lipton, Rosen & Katz, tells RI that she has heard talk of possible near-term shortages of assurers to do the work that will be required by CSRD and the SEC’s current proposed draft climate disclosure rules.
The US financial watchdog’s rule, which is expected in October, will require listed US companies to get assurance on their disclosure of Scope 1 and 2 emissions – vastly narrower than the breadth of assurance that could be necessitated under CSRD.
Given this potential shortage and the broad scope of topics that will need to be assured for companies that fall under the EU’s rules, Lu says that it would not surprise her “if third-party specialist consultants take on assurance assignments to fill demand”.
But here too there is uncertainty, given that neither CSRD nor the SEC’s proposal set out what qualifications an assurer should have to undertake this work.
The SEC’s proposed climate rules outline limited high-level specifications for who is qualified to do assurance, while the EU has set baseline standards but leaves member states with significant leeway on accreditation – a situation Lu describes as a “kind of no man’s land where a fairly wide range of parties could potentially opine on these issues”.
Each EU country will ultimately determine who will be allowed to undertake assurance under CSRD, whether that is statutory auditors, other types of auditors, consultants or a mix.
“I’m not saying that no one can do it, but it needs to be very well thought through and a deliberate decision to say, yes, we’re going to step into this market.”
Wim Bartels, Deloitte
Blomme says she is aware of around 10 countries where this is being discussed, and described the emerging landscape as “very patchy”. In France and several countries they are pursuing a mixed approach, whereas Sweden is currently opting for just auditors.
“It’s a bit early to know what direction this is going in,” Blomme tells RI. She notes that most countries seem to want to allow all providers, given the demand pressures.
Barriers to entry
Even if jurisdictions allow non-auditors to pick up the slack, Bartels believes there are still substantial barriers to other types of companies entering the field, including considerations around independence.
Auditors of a company are required to be independent, which means there are strict limits around what other services an accountant can provide to a company it provides assurance for.
This would mean that a non-audit firm looking to pick up assurance work in addition to its other core businesses could risk losing traditional work from clients, such as on the advisory side.
Bartels notes that non-auditors would also face “a lot of practical challenges” in setting up the infrastructure to do this work.
“Other providers would need to install a system that is equal to those of accounting firms in terms of independence and expertise, which comes with professional qualifications, ethical standards and permanent education,” he says.
Blomme tells RI that European states that allow non-auditors to provide assurance under CSRD would require them to become accredited before taking up such responsibilities.
Earlier this year, a survey of more than a thousand disclosures by companies in major economies revealed that in 2021 professional accountants conducted 57 percent of sustainability and ESG assurance engagements, a fall from 64 percent in 2019.
The remaining engagements were provided by non-accountancy service providers such as consultancy firms. These often had a narrower scope, focusing specifically on greenhouse gases or other environmental metrics.
Bartels suggests that, under a mandatory regime, the number of non-accountants providing assurance might fall.
“If it becomes mandatory, it comes with an increased risk of liabilities,” he says. “And we know that those risks sometimes become realities – and not small ones.”
Companies should ask themselves whether they have the competency to manage such liability and what it might do to their insurance premiums, Bartels adds. “I’m not saying that no one can do it, but it needs to be very well thought through and a deliberate decision to say, ‘Yes, we’re going to step into this market’.”
Another area of uncertainty is around standards. This month, the International Auditing and Assurance Standard Board (IAASB) put out its draft global sustainability assurance standard for consultation.
The International Standard on Sustainability Assurance 5000 (ISSA 5000), which is designed to be agnostic when it comes to disclosure standards, is expected to be finalised by late 2024. According to Blomme, that will be “a bit late but just in time” for the first CSRD reporting.
Whether the EC will endorse this standard, however, remains to be seen.
As Blomme notes, the EC does not have to pick a limited assurance standard until 2026, several years into the CSRD reporting cycle – a timeframe she describes as “disjointed”. The EC has even longer to decide on a reasonable assurance standard, with the deadline set for 2028.
Limited assurance is a form of non-financial assurance in which a practitioner looks at processes and procedures in order to determine whether there are any issues. It is often expressed in negative form, for example “nothing has come to our attention…”
Reasonable assurance – or positive assurance – is a more extensive form of non-financial assurance in which a practitioner takes steps using “identified suitable criteria” to determine whether the required procedures and process have been followed.
In the absence of direction from the EC, some European countries with larger economies are discussing what limited assurance standards to use when transposing CSRD into national law, Blomme tells RI. Some are said to be looking at international standards, while others – such as France – are adapting their own standards.
Blomme adds that it would be “helpful” if the EC gave an indication about its thinking on ISSA 5000, such as responding to the consultation.
There may be hope in this direction, however. IAASB’s chair Tom Seidenstein told RI this month that the organisation is “working closely” with the EC and other EU stakeholders to develop a standard that could be “the core of European assurance requirements”.
First-year reporting: what to expect
Given the uncertainty, what can we expect in the first year of reporting?
In the first few years, Lu believes there could be “a lot of variation” in terms of what assurance looks like and who is engaging in it. This will “hopefully become more uniform over time”, she says, reflecting feedback from investors, regulators and other stakeholders.
Blomme also expects what she calls a “patchwork” in terms of who is providing assurance, the standards being used and how it is being enforced. “It’s going to be a bit all over the place. There is not going to be a one-size-fits-all approach, forget about that.”
She notes that many large companies that will be reporting in 2026 are starting to work with consultants to prepare. But she expects that there will still be companies that are not ready and whose reporting may not be signed off by assurers at their first attempt.
“That’s not something necessarily that companies would need to be ashamed of,” she says. What matters is that the “trend is positive for them” over subsequent years.
But there is a question mark over how useful it will be if too many firms’ reporting is deemed insufficient by auditors, Bartels warns.
“The concern is that, because companies are not fully ready and auditors may also not be fully upskilled, many firms end up with qualified opinions. If we have too many of these, what does that tell us? What is the value of it?”
The lack of maturity in the market means companies must be their “own assurers for a while in many ways”, Lu adds.
Companies should focus on making sure that they have the right internal processes and procedures in place, she says. “You should not rely on your assurer to catch your mistakes” – especially given the enforcement actions that may come with mandatory reporting.
This could be especially important under CSRD, given that the information reported has been deemed material by the company itself – arguably building the case against itself should it report drastically incorrect or misleading information.
Above all, assurance insiders are keen to stress the unprecedented nature of CSRD and the workload it will bring with it.
Some jurisdictions have claimed that it will take just 70-80 hours for assurance practitioners to get to grips with the new legislation and disclosure standard.
Questioning such a low estimate, Blomme points out that even when assurers have got to grips with the theoretical side of things, there is still the practical one. The process, she says, is going to take a few years.