Investors are now demanding climate and sustainability information that is as decision-useful and disciplined as the 10-K. IFRS S1 and S2 set the global baseline for that expectation, and 2025 is the year many multinational groups begin applying them at scale. Even though the US SEC’s climate rule remains on hold, boards cannot wait. California’s climate disclosure laws are progressing, and global capital markets want comparable data.

Executive Summary

Global investors are increasingly demanding climate and sustainability disclosures that match the rigor and decision-usefulness of financial reporting. With the rollout of IFRS S1 and S2 in 2025, multinational companies are expected to embed sustainability data into enterprise-level control systems. Even as U.S. regulatory uncertainty continues—with the SEC’s climate rule on hold and California’s SB 253 and SB 261 progressing—boards must act proactively to align with international expectations. The IFRS Foundation and EFRAG’s interoperability guidance now provides a path to harmonize global standards, reducing duplication for companies reporting under both ISSB and EU frameworks.

This paper outlines a practical playbook for assurance readiness built around three priorities: designing financial-grade disclosure controls, building verifiable evidence trails, and preparing early for limited assurance under the new ISSA 5000 global standard. Companies are urged to treat sustainability data with the same control discipline as financial data—ensuring traceability, locked methodologies, and consistent governance. Real-world examples from Alphabet, Microsoft, ExxonMobil, and others demonstrate that phased assurance—starting small but with audit-grade discipline—builds trust and credibility with investors.

Ultimately, the message is clear: ISSB-aligned reporting is not a compliance formality but a strategic imperative. Organizations that act now to institutionalize robust controls, auditable data architecture, and supplier evidence validation will be best positioned to meet growing investor scrutiny and assurance expectations. By viewing sustainability information as a core element of enterprise reporting, companies can move confidently toward integrated, investor-ready disclosure.

Why This Matters Now

IFRS S1 requires companies to disclose material sustainability risks and opportunities across the enterprise. IFRS S2 focuses specifically on climate, setting expectations for governance, strategy, risk management, metrics, and targets. The IFRS Foundation and EFRAG have issued interoperability guidance to reduce duplication between S1 and S2 and the EU’s ESRS standards, which is critical for US-headquartered groups with European operations.

Given this shifting regulatory and investor landscape, three practical priorities can keep companies aligned with expectations and ready for assurance:

1. Design disclosure controls that mirror financial-grade processes

2. Build evidence trails that match S2 hot spots

3. Plan now for limited assurance, with a roadmap toward reasonable assurance

1. Design Disclosure Controls That Mirror Financial Discipline

Sustainability reporting must be treated as an extension of disclosure controls and procedures. Start by developing a control inventory mapped to S1 and S2 requirements and to the five COSO components. COSO’s 2023 Internal Control over Sustainability Reporting guidance offers a blueprint for establishing control objectives, assessing risk, ensuring information flow, and defining monitoring routines (summary link).

Build the core with steps that audit teams can test:

• Establish data lineage for each metric, naming the system of record and reconciling it to financials where relevant.

• Lock calculation methods, estimation policies, and scenario inputs in controlled documents with versioning and sign-offs.

• Implement role-based access and change logs for spreadsheets and carbon-accounting tools. Archive all evidence in a retrievable repository with retention rules suitable for assurance.

• Align governance: schedule disclosure-committee reviews of S1 and S2 drafts alongside 10-K timelines so narratives on strategy, targets, and risks remain consistent.

Key takeaway: control programs collapse when they depend on one “brilliant analyst” instead of a structured, cross-functional environment. The risk is key-person exposure and inconsistent audit trails.

2. Build Evidence Trails That Match S2 Hot Spots

S2 requires transparent evidence for Scope 1, Scope 2, and material Scope 3 emissions, as well as for scenario analysis and climate-related financial effects. The most frequent audit friction points fall into three areas:

1. Activity-level corroboration – for example, meter data and utility invoices must reconcile to energy-use figures and resulting emissions.

2. Supplier-data reliability – establish a supplier-data acceptance policy with variance thresholds and fallback methods when data arrive late or incomplete.

3. Scenario rerun capability – maintain clearly labeled files with pathways, parameters, and links to external datasets so auditors can replicate results.

Interoperability again matters. Companies reporting under both ISSB and ESRS can avoid duplication by embedding the joint IFRS-EFRAG mapping directly into their workpapers. This allows control testers and auditors to cross-reference requirements efficiently.

Practical checkpoint: document who reviewed each dataset, what tests were applied, and how updates were incorporated. Reviewers look for evidence that data were not only calculated correctly but also validated at each stage.

3. Plan for Limited Assurance Now and Reasonable Assurance Later

The assurance threshold is rising rapidly. The IAASB released ISSA 5000 as the first global standard for sustainability assurance across all frameworks. Most providers will rely on it for both limited and reasonable assurance engagements.

A pragmatic approach begins with limited assurance on a defined subset of S2 metrics — typically Scope 1, Scope 2, and energy data — and expands as controls mature. Successful programs assign a single control owner per metric, paired with an internal audit partner who tests readiness before external review.

Example structure for Year One:

• Scope and criteria documented for each metric

• Defined testing procedures and sampling methods

• Repository indexed for traceability

• Independent review by an external firm using ISSA 5000 methods

Key takeaway: start small but with audit-grade discipline. Each tested control builds credibility and accelerates reasonable assurance readiness.

Ready to strengthen your ISSB reporting framework?

Real-World Assurance Signals

Public examples show how major US companies are setting precedents:

• Alphabet (United States, 2024) obtained third-party assurance over selected environmental indicators, increasing confidence in its reported GHG, energy, and water metrics. See Alphabet’s 2024 Environmental Indicators Assurance Letter on Google Sustainability.

• Microsoft (United States, 2024) included an independent accountants’ review by Deloitte for specified environmental metrics in its 2024 Environmental Sustainability Report Data Fact Sheet (download link).

• ExxonMobil (United States, 2025) reported limited assurance by ERM CVS confirming that its 2023 GHG inventory meets ISO 14064-3 expectations, with 2024 assurance underway (Metrics and Data page).

Each case underscores how external validation of key metrics improves credibility and investor trust.

The Scope 3 Challenge: Supplier Evidence That Stands Up in Review

Scope 3 emissions remain the toughest test for most programs. The challenge is not just methodology but traceability. Companies should formalize a supplier-data acceptance policy that defines thresholds, specifies when modeled values can be used, and documents the reasoning behind each substitution.

The evidence record should show when supplier data were collected, who reviewed them, which validation checks were applied, and how updates flow into the emissions inventory. This process ensures a complete audit trail from supplier engagement to disclosure.

Apple provides a practical example. In 2024, Apple reported that more than 320 suppliers participated in its clean-energy program, representing over 18 gigawatts of supplier clean-energy commitments. Those commitments anchor electricity-use claims in verifiable procurement data and invoices that can be tested by assurance providers.

To close supplier evidence gaps, companies can build a set of reusable workpapers:

• A supplier data packet defining accepted fields, contractual terms for data sharing, and attestation requirements.

• A reconciliation table that converts supplier operational data into greenhouse-gas activity data, with emission factors and version history.

• A holdout sampling plan for re-performance testing.

Programs often fail when supplier portals collect values without automated validation. The assurance team then finds inconsistencies late in the cycle, leading to rework and delays. Establishing early-stage controls prevents those surprises.

Data Architecture That Makes Evidence Auditable

ISSB reporting succeeds when the data architecture is simple, structured, and auditable. A reliable pattern separates the process into three layers:

1. System of record: stores raw meter readings, activity data, and supplier submissions.

2. Calculation layer: includes locked formulas and controlled emission factors.

3. Disclosure layer: produces summary tables and narrative text for reports.

Each S2 metric should be mapped to a control owner and a defined evidence artifact, such as a utility invoice, a fuel-purchase record, or a supplier attestation. COSO’s sustainability control guidance provides a structure for risk assessment, control activities, and monitoring that translates easily into sustainability reporting.

Retention rules are equally important. Financial statement retention policies should serve as a minimum standard. Add extended retention for climate models, scenario assumptions, and input datasets, since external reviewers will expect to rerun or recalculate key analyses.

The IAASB’s ISSA 5000 is shaping assurance procedures globally, so data repositories should enable sampling, recalculation, and reperformance without manual intervention.

Assurance Playbook for US Groups with Global Exposure

For most US filers, a phased assurance strategy makes sense: begin with limited assurance on key S2 metrics in Year One, then move toward reasonable assurance once controls stabilize. Several leading companies illustrate this progression.

• Alphabet’s 2024 environmental indicators assurance letter demonstrates how selected greenhouse-gas, energy, and water data can sit beside the primary report with independent validation.

• Microsoft’s 2025 environmental data fact sheet includes Deloitte’s review report over defined metrics, with explicit scope and exclusions.

• ExxonMobil’s limited assurance by ERM CVS covers its 2023 GHG inventory, aligned to ISO 14064-3, with 2024 assurance underway.

• CVS Health (2025) disclosed reasonable assurance for Scope 1 and Scope 2 and limited assurance for Scope 3, signaling maturing control confidence.

• Intel’s 2024–2025 Corporate Responsibility Report notes third-party assurance for selected sustainability indicators.

These examples show how companies can build credibility through incremental assurance while clarifying boundaries, criteria, and responsible parties.

Navigating Regulatory Cross Currents

US filers face overlapping expectations from multiple regimes. The SEC issued a stay order in April 2024 while litigation continues in the Eighth Circuit, but investor demand for decision-useful climate data remains. Meanwhile, California’s Air Resources Board continues developing rules under SB 253 and SB 261 through 2025 workshops, previewing verification and assurance concepts that may influence national practice.

For US-based multinationals, applying ISSB S1 and S2 now helps maintain alignment with global investors while preparing for California’s phased implementation. Companies that embed these frameworks early can adapt faster when federal or state requirements become binding.

A Compact Diagnostic That Moves Programs Forward

Assurance readiness is best managed through a concise diagnostic view that highlights control maturity and gaps. A proven ESG diagnostic framework covers five levers:

1. Governance cadence that integrates S1 and S2 with the 10-K reporting cycle.

2. Control inventory mapped to COSO components and to every S2 paragraph.

3. Evidence repository with retention rules, access controls, and an indexed audit trail.

4. Scenario and target workbooks designed for reruns with change logs and data stamps.

5. Assurance roadmap that sequences limited and reasonable assurance with provider engagement.

In practice, audit readiness breaks down when no one owns specific controls or when evidence lists are incomplete. Assign named control owners, document testing procedures, and ensure internal audit performs trial sampling before the external review.

The Bottom Line for 2025: Ready for Investors and Reviewers

ISSB reporting is more than a compliance exercise. It is the foundation of a control system that must stand independently and withstand investor, auditor, and regulatory scrutiny. The strongest programs treat sustainability data like financial data—with consistent definitions, locked methods, change control, and transparent evidence trails.

The path forward is clear: design robust controls, build traceable evidence, and plan early for assurance. Companies that act now will not only meet ISSB and California expectations but will also strengthen credibility with investors and capital markets.

Need help building your ISSB control inventory or assurance roadmap? Take the next step toward audit-ready sustainability reporting by getting in touch with our specialists.

Written by: Gasilov Group Editorial Team

Reviewed by: Seyfi Gasilov, Partner – Corporate Strategy & Legal Compliance

Meet Our Team →

Frequently Asked Questions (FAQ): ISSB S1 and S2

1. What evidence trail does an external reviewer expect for Scope 2 market-based reporting under ISSB S2?

External reviewers expect meter readings, supplier invoices, and contract documentation for energy instruments such as power purchase agreements or renewable certificates. A calculation file should link each activity record to emissions factors, with clear version histories for reproducibility. Retaining contracts and supporting invoices for the entire review period allows auditors to perform reperformance testing efficiently.

2. How should US groups align ISSB S2 with California SB 253 and SB 261?

Use a unified control inventory that maps S2 data points to California’s disclosure and verification requirements. CARB workshop materials from 2025 preview data-validation and assurance expectations, so teams should embed these insights into their internal guidance. Early supplier engagement and data-sharing agreements are essential where value-chain categories are material to the inventory.

3. What is a practical way to phase assurance without overloading resources?

Start with limited assurance on foundational metrics such as Scope 1, Scope 2, and energy consumption. Use the initial cycle to validate data lineage and strengthen controls before expanding to Scope 3 and climate-related financial effects. ISSA 5000 provides a consistent structure for assurance procedures, so designing repositories that align with its requirements will save time in later cycles.

4. How can companies avoid last-minute recalculations that delay assurance sign-off?

Lock emission factors, calculation methods, and key assumptions early in the reporting cycle, routing any changes through formal change-control documentation. Maintain scenario workbooks with date-stamped inputs and pathways that can be rerun on demand. COSO’s sustainability control guidance includes templates for change control and monitoring that help prevent end-of-cycle disruptions.

5. Which real-world examples show credible third-party review of ESG data?

Alphabet’s environmental indicators assurance letter documents an independent accountants’ review over greenhouse-gas, energy, and water metrics. Microsoft’s sustainability data fact sheet includes Deloitte’s review of defined metrics, and ExxonMobil publishes limited assurance by ERM CVS over its greenhouse-gas inventory. These examples demonstrate transparent scope, criteria, and accountability, all core features of credible assurance.