
ESG Reporting: The Minimum Viable System for Audit-Ready Data (Not a Pretty PDF)

  • Writer: Gasilov Group Editorial Team
  • Feb 20
  • 8 min read

Updated: 5 days ago

Most multinational companies have an ESG report. Fewer have an ESG reporting system. The difference is not merely cosmetic. A report is a document produced once a year, usually by a sustainability team pulling numbers from spreadsheets and supplier questionnaires into a narrative designed to read well. A system, however, is an operating model: it includes defined data owners, documented controls, traceable evidence files, and governance that can withstand external assurance scrutiny. When KPMG surveyed over 750 companies across industries and geographies, 75 percent said they did not feel adequately equipped to have their ESG data independently assured. This represents a structural gap, not a knowledge gap. These organizations know what to report; they have not built the infrastructure to defend it.


This piece is not about what any single framework requires. It is about the internal operating model that sits underneath all of them: the controls, ownership chains, and evidence architecture that make your data assurance-ready regardless of which regime applies.


[Figure: ESG audit-ready data system dashboard displaying sustainability metrics tracking and evidence documentation workflow | Gasilov Group 2026]

Reports Without Systems Break Under Pressure


The distinction between data acceptable for internal sourcing decisions and data acceptable for external claims is where most organizations fail. Internal decisions, such as choosing a lower-emission supplier, can tolerate estimates and proxies. External claims, including anything in a sustainability report, investor presentation, or regulatory filing, require data that is traceable to a primary source, governed by a documented methodology, and reviewed through a defined approval chain. These are not interchangeable standards. Treating them as such is how companies get into trouble.


When the SEC filed suit against Vale S.A. in 2022, it alleged that the Brazilian mining company had manipulated dam safety audits, obtained fraudulent stability certificates, and misled investors through its ESG disclosures between 2016 and 2019. The Brumadinho dam collapse killed 270 people and erased more than $4 billion in market capitalization. Vale published sustainability reports annually. The failure was a system that allowed fabricated evidence to flow unchecked from the field to the investor. Separately, DWS, Deutsche Bank's asset management arm, paid $19 million to the SEC in 2023 and a further EUR 25 million to the Frankfurt Public Prosecutor in April 2025 after investigations found that its public claims about ESG leadership did not correspond to its internal documentation and control processes. Both cases share the same root cause: a gap between what the organization stated externally and what its systems could evidence.


Why Regime-Neutral Architecture Matters Now


Multinational companies face a fragmented regulatory landscape. The IFRS Foundation reported in 2025 that 36 jurisdictions have adopted or are finalizing steps toward adopting the ISSB Standards, with 14 of the first 17 profiled jurisdictions targeting full adoption. The EU's CSRD remains in force for Wave 1 entities, though the Omnibus I Directive, proposed in February 2025 and formally adopted by the Council on 24 February 2026, raised scope thresholds to 1,000 employees and EUR 450 million turnover, delayed Wave 2 reporting to 2028, and removed the pathway to reasonable assurance. In the U.S., the SEC voted in March 2025 to stop defending its climate disclosure rule, but California's mandatory climate reporting laws remain on track for 2026.


Building a bespoke compliance system for each jurisdiction is not viable. What is viable is a single, well-governed data infrastructure that produces granular, traceable, source-verified data points which can then be mapped to any disclosure framework. The framework mapping layer sits on top. The evidence and controls layer sits underneath. General counsel should be asking whether ESG data inputs carry the same access controls, change logs, and segregation of duties that apply to financial reporting. The CFO's office should ensure that the ESG data pipeline connects to the same ERP and consolidation infrastructure that supports the financial close, not a parallel universe of spreadsheets.


The Five-Layer Control Architecture


The following framework describes the minimum viable operating model. It is not a software recommendation. It is a control architecture with defined ownership, evidence requirements, and failure modes at each layer. Companies should treat it as a diagnostic: if any layer is missing or informal, the system is vulnerable.


Layer 1: Source Governance.

Every data point destined for external disclosure must be traceable to a documented primary source. The control is a source registry: a catalog identifying, for each reportable metric, the primary data source, the owner, the collection methodology, and known estimation methods. Ownership must be formally assigned to functional leads (facilities for energy, procurement for supplier data, HR for workforce metrics). When this layer is missing, sustainability teams reverse-engineer data origins during report preparation, which is slow and unreliable.


Layer 2: Collection and Aggregation Controls.

Raw data must move from origin to central repository through a defined, repeatable process. Every transfer step should be either automated or, where manual steps remain, subject to four-eyes review and documented reconciliation. The evidence files are extraction logs, reconciliation records, and exception reports. Organizations that skip this layer are asking their assurer to trust the final numbers with no way to verify the chain.


Layer 3: Validation and Quality Assurance.

Data must pass through defined quality gates before entering the disclosure pipeline: completeness checks (all entities and periods represented), reasonableness checks (figures within expected ranges, with documented explanations for outliers), and consistency checks (reconciliation with adjacent data points). "Decision-grade" data, in this context, means data that has been subject to at least one independent validation step, with exceptions documented, and that carries a traceable approval from a named individual authorized to attest to its accuracy.


Layer 4: Disclosure Mapping and Claim Review.

Before any data point appears in an external document, it must be mapped to its validated source, tagged with the applicable framework reference, and reviewed for consistency with the organization's methodology. This layer requires collaboration between sustainability, legal, and communications. The critical failure mode is that ESG claims appear in marketing materials, RFP responses, and executive speeches without routing through the same review process applied to regulatory filings. "Defensible" means every external claim can be reverse-traced to a validated data point, and that the claim does not overstate what the data supports. The DWS enforcement actions illustrate this layer's importance precisely.


Layer 5: Evidence Archival and Assurance Readiness.

Every element from Layers 1 through 4, including source records, extraction logs, QA sign-offs, and claim mapping documents, must be archived in a structured, accessible format an external assurer can navigate without the sustainability team reconstructing the trail from memory. Retention periods should align with the most demanding applicable requirement, typically five to seven years. When this layer is robust, assurance becomes a verification exercise. When it is absent, preparation consumes months and still risks qualified opinions.


These layers are not sequential steps to complete once. They are a continuous operating model, tested periodically just as financial controls are tested under SOX-equivalent regimes.
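As an added illustration, not code from the original post or from Gasilov Group, the following Python sketch turns the Layer 1 to Layer 3 controls into one quality gate over a constructed metric: completeness, source traceability, reasonableness with documented exceptions, segregation between originator and approver, and reconciliation against a consolidated figure. The registry contents, entity names, and the 25 percent outlier tolerance are assumptions.

```python
from dataclasses import dataclass

@dataclass
class MetricRecord:
    metric: str              # reportable metric name, e.g. "scope2_mwh"
    entity: str              # reporting entity or site
    period: str              # reporting period, e.g. "FY2025"
    value: float
    source_id: str           # key into the source registry (Layer 1); empty = untraceable
    originator: str          # person who collected or entered the value (Layer 2)
    approver: str = ""       # named individual attesting accuracy (Layer 3)
    exception_note: str = "" # documented explanation for an outlier

# Constructed source registry (assumption): prior-period values per entity and
# the named individuals authorized to attest to each metric.
REGISTRY = {
    "scope2_mwh": {
        "prior": {"plant_a": 1200.0, "plant_b": 800.0},
        "attestors": {"facilities_lead"},
    },
}

def quality_gate(records, metric, entities, period, consolidated=None, tolerance=0.25):
    """Return a list of findings; an empty list means the metric is decision-grade."""
    findings = []
    reg = REGISTRY[metric]
    recs = {r.entity: r for r in records if r.metric == metric and r.period == period}
    # Completeness: every expected entity contributed a record for the period
    for e in entities:
        if e not in recs:
            findings.append(f"missing:{e}:{period}")
    for e, r in recs.items():
        # Source governance: the value must point at a registered primary source
        if not r.source_id:
            findings.append(f"no_source:{e}")
        # Reasonableness: a large move versus prior period needs a documented exception
        prior = reg["prior"].get(e)
        if prior and abs(r.value - prior) / prior > tolerance and not r.exception_note:
            findings.append(f"outlier_undocumented:{e}")
        # Segregation of duties: approver is an authorized attestor and not the originator
        if r.approver not in reg["attestors"] or r.approver == r.originator:
            findings.append(f"approval_invalid:{e}")
    # Consistency: site-level values must reconcile with the consolidated figure (0.5%)
    total = sum(r.value for r in recs.values())
    if consolidated is not None and abs(total - consolidated) > 0.005 * consolidated:
        findings.append(f"reconciliation_gap:{total}!={consolidated}")
    return findings
```

Every finding is itself an exception record that belongs in the Layer 5 archive, so the assurer sees what was caught and how it was resolved rather than only the final number.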


For companies that are pressure-testing their ESG data architecture, or recognizing the need to, an independent readiness assessment can identify control gaps before an assurer does. The value is diagnostic: it tells you where the system breaks under scrutiny so you can fix it on your timeline.


The Assurance Readiness Gap Is a Financing Risk


The control architecture above has direct consequences for capital access. Sustainability-linked loans and bonds tie margin adjustments to ESG performance indicators, and the credibility of those indicators depends on the borrower's ability to evidence them under assurance. The CSRD's assurance requirements, even as amended to remain at limited assurance, require an external practitioner to examine the sustainability statement for material misstatement. Limited assurance is not "no assurance." For companies with weak controls, even this threshold triggers significant remediation. Australia's mandatory climate reporting regime is phasing in limited assurance for Scope 1 and 2 with reasonable assurance to follow, and the IAASB's ISSA 5000 standard is establishing a global benchmark for sustainability assurance engagements.


From Analysis to Action


If you have read this far, you recognize the gap between where your ESG data infrastructure sits and where it needs to be. The challenge is operational: cross-functional coordination, formal ownership assignment, and disciplined evidence management that many sustainability teams were not resourced to deliver and that finance and legal teams have not historically extended into non-financial domains.


This is the operational gap that Gasilov Group's advisory practice is designed to address. We work with multinational companies to design, stress-test, and implement regime-neutral ESG data architectures, from source governance through assurance readiness, so your infrastructure serves any disclosure obligation without being rebuilt each time the rules shift. If your organization is preparing for its first external assurance engagement, responding to regulatory scope changes, or recognizing that your current process would not survive scrutiny, contact Gasilov Group to schedule a focused diagnostic of your ESG data control environment.



Written by: Gasilov Group Editorial Team

Reviewed by: Arif Gasilov, Partner, Climate & Environmental Reporting

Leads CSRD and ESRS alignment, double materiality assessments, emissions baselining, and climate risk mapping, with hands-on experience across corporate and public sector sustainability engagements in North America and Europe.


Frequently Asked Questions (FAQ):


How do I build an ESG audit trail that satisfies both CSRD and ISSB requirements simultaneously?


Build your evidence architecture at the data-point level rather than the framework level. Each reportable metric should carry a documented chain: source identification, collection methodology, validation record, and approval sign-off. CSRD limited assurance requires a practitioner to examine the sustainability statement for compliance with ESRS through procedures like inquiry and analytical review. ISSB-aligned disclosures are being adopted with assurance expectations in countries like Brazil, where mandatory ISSB reporting for publicly accountable entities took effect in January 2026. If your evidence files are structured at the metric level with full traceability, the same data maps to either framework without duplication.


What is the practical difference between "limited" and "reasonable" assurance for ESG, and how should it affect control design?


Limited assurance requires the practitioner to obtain enough evidence to conclude that nothing has come to their attention suggesting material misstatement, relying mainly on inquiry and analytical procedures. Reasonable assurance requires detailed testing of internal controls, sampling of source data, and recalculation. For control design, limited assurance can rely on documented processes and management representations, but still needs traceable evidence. Companies anticipating reasonable assurance (as Australia is phasing in for Scope 1 and 2) need automated controls, exception logging, segregation of duties, and tested reconciliation procedures comparable to SOX financial controls.


What roles should sit on an ESG disclosure committee?


Include: the CSO or equivalent (content ownership), a senior CFO representative (alignment with financial reporting processes), legal counsel (regulatory exposure and claim defensibility), internal audit or risk (independent control oversight), and at least one operational leader from the largest data domain, typically facilities or EHS for environmental metrics. Unlike financial disclosure committees that draw mainly from finance and legal, ESG committees must extend to procurement, HR, and operations because ESG claims appear in materials well beyond regulated filings.


How should companies classify and handle unreliable supplier ESG data?


Categorize supplier data into three quality tiers: verified (third-party audit or certification), self-reported with contractual attestation (supplier has signed a representation as to accuracy), and estimated (proxy calculations based on industry benchmarks). Verified data supports specific, quantified external claims. Self-reported data supports directional or qualified claims. Estimated data should be disclosed as estimated and used primarily for internal decisions, not precise external assertions. Supplier contracts should specify data format, delivery frequency, and audit rights. The EU's Omnibus introduced a value-chain cap protecting companies under 1,000 employees from excessive data requests, which may limit what larger firms can contractually demand from smaller suppliers.


What are the most common reasons ESG assurance engagements produce qualified opinions?


The five most frequent causes are: incomplete entity coverage (not all material subsidiaries contributed data), undocumented methodology changes between periods, lack of segregation between data originators and approvers, missing or disorganized evidence files, and inconsistency between the sustainability report and other public statements such as marketing materials or investor presentations. Each is a controls failure, not a data availability issue. Companies that implement the five-layer architecture with particular attention to evidence archival and claim review eliminate these triggers before the engagement begins.
