ESG Assurance Gaps That Trigger Regulatory Enforcement: What Auditors Examine and How to Prepare
- Seyfi Gasilov
- Apr 6
When the SEC charged WisdomTree Asset Management with a $4 million penalty in October 2024, the enforcement action did not turn on whether the firm's ESG funds performed well or poorly. It turned on whether WisdomTree had any written policies and procedures governing the screening process it advertised to investors. The firm had marketed three exchange-traded funds as excluding fossil fuels and tobacco.
The funds held securities in coal mining, natural gas extraction, and tobacco retail. WisdomTree knew about the screening failure as early as September 2020 but did not amend its prospectuses until November 2022. The core deficiency was the absence of documented controls, an auditable process, and internal verification that the firm was doing what it said it was doing.
The gap between what companies claim their sustainability data processes do and what an independent practitioner can actually verify is the central problem in ESG assurance, and it has nothing to do with how complex the standards are. Whether your organization faces limited assurance under the CSRD, ISSA 5000, or Australia's ASSA 5000, the step that matters most is building an internal control architecture that produces traceable, source-documented evidence for every material disclosure. Companies that treat assurance readiness as a reporting exercise rather than a controls exercise will fail their first engagement.

The enforcement pattern: controls absence, not data errors
The WisdomTree case was not isolated. The same pattern produced a larger penalty when DWS, Deutsche Bank's asset management subsidiary, paid $19 million to the SEC for materially misleading statements about its ESG integration process. DWS had marketed itself as a firm where ESG was "in its DNA" and touted a proprietary ESG Engine that supposedly guided every investment decision. The SEC found no formalized process to verify whether investment professionals actually consulted the tool's ratings. In April 2025, the Frankfurt Public Prosecutor's Office imposed an additional EUR 25 million fine, concluding that DWS's external claims did not correspond to reality.
Both firms had genuine ESG programs and spent real money on ESG infrastructure. Both failed because the link between stated processes and actual execution was undocumented and unverifiable. That link is what assurance practitioners examine.
Many companies preparing for mandatory sustainability assurance are investing in data collection platforms and report formatting while neglecting the procedural documentation that assurance providers actually request. The question an auditor asks is not "do you have emissions data?" It is "show me the documented process that produced this number, the source inputs, the assumptions log, the review sign-off, and the evidence that internal controls operated as designed."
What limited assurance actually requires
Limited assurance is less extensive than reasonable assurance, but it is not lenient. Under the CEAOB's September 2024 guidelines on limited assurance for CSRD sustainability reporting, practitioners must still obtain sufficient evidence that the sustainability statement is free from material misstatement. A limited assurance conclusion is expressed negatively ("nothing has come to our attention"), while reasonable assurance yields a positive opinion ("the information is fairly presented"). The procedural difference is that limited assurance involves fewer tests of details and less substantive testing of underlying records, but it still requires the practitioner to understand the entity's processes, assess risks of material misstatement, and perform analytical and inquiry procedures.
This means limited assurance is not a soft pass. The CEAOB guidelines specify that practitioners must understand the entity's process for identifying sustainability matters, evaluate the materiality assessment, assess risks of material misstatement including fraud risk, and evaluate consistency between sustainability and financial statements. When a practitioner encounters a metric calculated through an undocumented methodology or a materiality determination with no recorded rationale, that triggers further investigation, even under limited assurance.
The EU Omnibus I directive, published in the Official Journal on February 26, 2026, has removed the requirement for the European Commission to adopt reasonable assurance standards for CSRD. The deadline for adopting limited assurance standards has been pushed to July 1, 2027. Limited assurance will be the operative standard for CSRD reporting for the foreseeable future. Companies that assumed they had a runway to "upgrade" from limited to reasonable should instead treat limited assurance as the permanent ceiling and build their systems accordingly.
This removal does not reduce risk. It concentrates it. With limited assurance as the only mandated level, regulators, investors, and assurance providers will scrutinize whether companies are meeting even this threshold credibly. A qualified or adverse limited assurance conclusion will carry reputational and regulatory consequences precisely because the bar is supposed to be achievable.
Unsure whether your current data architecture and controls would survive a limited assurance engagement? Our free Regulatory Readiness Assessment scores your preparedness across GHG measurement, reporting systems, and governance and generates a prioritized action plan.
ISSA 5000: the global benchmark arrives
The International Auditing and Assurance Standards Board published ISSA 5000 in November 2024, and the International Organization of Securities Commissions issued a statement of support for it as the global framework for sustainability assurance. ISSA 5000 is effective for engagements on sustainability information reported for periods beginning on or after December 15, 2026. Australia has already adopted a local equivalent, ASSA 5000, effective from January 1, 2025. The UK Financial Reporting Council has adopted ISSA (UK) 5000, and the AICPA's Auditing Standards Board is converging its attestation standards with the new framework.
ISSA 5000 contains more than double the requirements of its predecessor, ISAE 3000, and introduces several features that will change what assurance engagements look like in practice. The standard explicitly addresses double materiality, requiring practitioners to consider both financial materiality and impact materiality when a double materiality framework is used. It introduces sustainability-specific guidance on forward-looking information, estimates, and the use of external data sources. It also requires practitioners to assess the entity's process for identifying sustainability matters to be reported, which means your materiality assessment methodology will itself be subject to evaluation.
For companies subject to overlapping regimes, ISSA 5000's framework-neutral design matters. A single engagement under ISSA 5000 can cover ESRS-compliant reporting, IFRS S2 disclosures, and GRI-based reporting under one standard. This convergence simplifies the assurance market but raises the bar: your internal processes need to produce evidence that satisfies whichever criteria your assurance provider applies. (Our Reporting Deadline Tracker maps all 33 deadlines across 10 jurisdictions, including ISSA 5000's effective date and CSRD assurance milestones.)
What auditors actually examine: a decision framework for assurance readiness
The work that matters most before an ESG assurance engagement is building internal capabilities that produce what practitioners call "sufficient appropriate evidence." Based on the CEAOB guidelines, ISSA 5000, and the enforcement patterns in DWS, WisdomTree, and the ASIC greenwashing cases against Vanguard Australia ($12.9 million) and Mercer ($11.3 million), five areas consistently determine whether an engagement produces a clean opinion or a qualification.
First, the materiality determination must be documented as a governed decision, not a consulting output. Practitioners will examine who participated in the materiality assessment, what evidence was considered, how impact and financial materiality were evaluated, and whether the board or a delegated committee formally approved the results. Under the simplified ESRS, the number of data points has been reduced, but each retained disclosure carries more weight per decision. A materiality assessment that lacks documented stakeholder input, recorded scoring methodology, and board-level sign-off will raise a red flag. Sustainability teams need to maintain a materiality assessment file that includes meeting minutes, scoring matrices, evidence of stakeholder consultation, and a formal approval record. This file should be version-controlled and updated annually.
Second, emissions data requires a complete calculation trail from source to disclosure. Practitioners will request the activity data inputs (utility bills, fuel purchase records, travel booking data), the emission factors applied and their source (GHG Protocol, national registry, supplier-specific), the calculation methodology and any assumptions or proxies used, and the review and approval process. The most common audit finding in early CSRD assurance engagements involves Scope 2 emissions where companies cannot demonstrate whether they applied location-based or market-based methods consistently, or where renewable energy certificate claims lack documentary support. Finance controllers or equivalent roles need to maintain a data lineage register for each emissions category, documenting the source system, extraction method, factor applied, and review sign-off. Where estimates or spend-based proxies are used for Scope 3, the methodology and its limitations must be stated directly and the rationale for not using activity-based data documented.
Third, forward-looking statements and scenario analysis need documented assumptions and sensitivity ranges. ISSA 5000 provides specific guidance on assurance over estimates and forward-looking information, given that sustainability reporting involves more prospective content than financial reporting. Practitioners will evaluate whether the assumptions underlying climate scenarios, transition plans, and target trajectories are reasonable, internally consistent, and supported by external reference points. A net-zero target that lacks documented interim milestones, identified decarbonization levers, and quantified capital allocation is not assurable. Any forward-looking disclosure needs a structured assumptions register that identifies each assumption, its source, the date it was set, and the conditions under which it would be revised.
Fourth, the governance and oversight structure must show active engagement, not passive delegation. Practitioners examine board and committee meeting minutes for evidence that sustainability matters were discussed, that management reporting on ESG performance was reviewed, and that escalation pathways exist for material sustainability risks. A sustainability committee that meets quarterly but has no documented agenda items related to data quality, assurance findings, or risk identification will undermine the governance disclosure. The corporate secretary or governance function should ensure that sustainability is a standing agenda item with documented discussion, questions raised, and decisions taken, rather than a slide deck received without recorded deliberation.
Fifth, internal controls over sustainability reporting need to be designed, documented, and tested. This is where most companies are furthest behind, and it produced every enforcement action cited in this analysis. Controls mean documented procedures for data collection, review, and approval; segregation of duties; exception handling protocols; and periodic testing. Even under limited assurance, expect inquiries about the control environment and possible walkthroughs. Under reasonable assurance or ISSA 5000, testing of controls becomes a core procedure. Internal audit functions should extend their scope to include sustainability reporting processes, using the same control testing methodology applied to financial reporting.
Cross-jurisdictional convergence and its assurance implications
Each jurisdiction imposes assurance requirements with different timelines and scopes. Australia's ASSA 5000 is already in effect for Group 1 entities under AASB S2 with reporting periods beginning January 1, 2025, requiring limited assurance over Scope 1 and 2 emissions from the first year, with a trajectory toward reasonable assurance by financial years starting on or after July 1, 2030. The EU requires limited assurance with no current path to reasonable. California's SB 253 requires third-party assurance for Scope 1 and 2 beginning with the first reporting cycle.
A multinational operating across these jurisdictions must build to the highest applicable standard. A company that builds only to the CEAOB's interim guidelines may find its evidence trails insufficient when ISSA 5000 becomes operative in December 2026. The UK's FRC has adopted ISSA (UK) 5000, and investor pressure and green bond frameworks are already requiring reasonable assurance over specific metrics. Companies that design systems only for limited assurance may need to re-engineer when a reasonable assurance requirement arrives through a financing covenant rather than a regulatory mandate.
The governance gap between sustainability and finance
The most persistent organizational problem in assurance readiness is structural. In most companies, sustainability data is collected by a team outside the finance function, using tools disconnected from the financial reporting control environment. Financial data runs through ERP systems with built-in access controls, approval workflows, and audit trails. Sustainability data runs through spreadsheets, third-party platforms, and manual uploads with minimal controls infrastructure.
This is a governance problem. The sustainability team may have excellent subject-matter expertise but no training in control design. The finance team may have rigorous control processes but no understanding of emissions methodologies. The assurance provider needs both.
Companies that will handle assurance successfully are those that establish explicit process ownership for each sustainability data stream, designate a sustainability controller role responsible for data quality and evidence management, integrate sustainability data into existing control frameworks, and create formal handoff protocols between the sustainability function and internal audit. This requires a mandate from general counsel or the CFO. The CEAOB guidelines and ISSA 5000 both emphasize connectivity between sustainability and financial reporting. A company that reports a net-zero transition plan while its capital expenditure budget shows no decarbonization spending will trigger a consistency finding that crosses into the CFO's domain.
This analysis has mapped the control, governance, and evidence gaps that generate enforcement actions and assurance qualifications. Companies that have invested in reporting frameworks and data platforms have a head start, but that investment leaves them exposed if it has not extended to the procedural documentation and internal controls that assurance practitioners will request.
Gasilov Group's Assurance Readiness Diagnostic begins with a structured walkthrough of your existing sustainability data architecture, control environment, and governance documentation against the specific evidence requirements of ISSA 5000, CEAOB guidelines, and any applicable national assurance standards. The first deliverable is a gap matrix that maps each material disclosure to its source data, control points, and documentation status, identifying where your evidence trails break down before your assurance provider finds them.
Contact our team to schedule a scoping call for the Assurance Readiness Diagnostic. We will assess your current control environment against the applicable assurance standard and deliver a prioritized remediation roadmap within four weeks of engagement.
Seyfi Gasilov, Partner, Corporate Strategy & Regulatory Governance
Brings more than twenty years of experience guiding organizations through strategic growth, governance challenges, and cross-border compliance with a combined legal and operational lens.
FAQ
What specific procedures does a limited assurance practitioner perform on Scope 3 emissions that differ from Scope 1 and 2?
For Scope 1 and 2, practitioners typically request source documents such as utility invoices, fuel purchase records, and meter readings, then verify the calculation chain from activity data through emission factors to reported totals. For Scope 3, where companies rely heavily on spend-based estimates, industry averages, or supplier-provided data of varying quality, practitioners focus on the reasonableness of the estimation methodology, whether the company has documented why specific proxy approaches were chosen over activity-based methods, and whether the boundaries and category selections are consistent with the GHG Protocol's Scope 3 standard. Under ISSA 5000, the practitioner must also evaluate the entity's disclosure of estimation uncertainty, which means companies need to state the limitations of their Scope 3 methodology in the report itself, not just in internal documentation.
Can a company receive a clean limited assurance opinion if it uses estimated data for certain ESRS disclosures?
Yes, but only if the estimation methodology is documented, reasonable, consistently applied, and disclosed. The CEAOB guidelines and ISSA 5000 both recognize that sustainability reporting involves more estimates and forward-looking information than financial reporting. The issue arises when a company uses estimates without documenting the basis, applies different estimation approaches to similar data points across reporting periods without explanation, or fails to disclose that the data is estimated. A practitioner will not qualify an opinion solely because estimates were used; they will qualify it if the estimates are unsupported, inconsistent, or undisclosed.
How does the EU Omnibus removal of reasonable assurance affect companies already building toward that standard?
The Omnibus I directive removes the Commission's obligation to adopt reasonable assurance standards, but it does not prohibit member states or assurance providers from offering or requiring reasonable assurance voluntarily. Companies that have already invested in controls infrastructure for reasonable assurance should continue, because that infrastructure will satisfy limited assurance more comfortably, meet Australian requirements as ASSA 5000 moves toward reasonable assurance by 2030, and satisfy investor or lender requirements that may specify reasonable assurance in financing documentation. The investment is not wasted; it provides a margin of safety.
What is the relationship between ISSA 5000 and the CEAOB guidelines during the EU transition period?
The CEAOB guidelines were issued in September 2024 as interim, non-binding guidance to bridge the gap before the European Commission adopts formal limited assurance standards, now due by July 1, 2027. The Commission has asked the CEAOB to advise on how to incorporate ISSA 5000 into EU-specific requirements, including potential add-ons for EU Taxonomy Article 8 disclosures and digital tagging. In practice, ISSA 5000 and the CEAOB guidelines are substantively aligned, since the CEAOB drew on the same conceptual foundations. Companies should build to ISSA 5000's requirements, as this will satisfy both the CEAOB guidelines and the eventual EU-adopted standard.
Do non-EU companies with CSRD reporting obligations face different assurance requirements than EU-domiciled entities?
Under the Omnibus I text, non-EU companies with EU net turnover exceeding EUR 450 million and an EU subsidiary or branch generating more than EUR 200 million in net turnover are subject to CSRD reporting obligations for financial years beginning on or after January 1, 2028, reporting in 2029. The assurance requirement is the same: limited assurance from a statutory auditor or authorized assurance provider. Non-EU groups face additional complexity in determining the reporting boundary, sourcing data from non-EU operations where data systems may not be designed for ESRS-compliant disclosure, and ensuring that the assurance provider has access to evidence across the enterprise's global operations. Internal audit functions in non-EU parent companies should begin mapping which sustainability data streams currently lack the documentation and control infrastructure that an EU-based assurance provider will request.