ESG Audit Checklist: What Auditors Need to Know

Environmental, Social, and Governance (ESG) reporting has moved from a voluntary initiative to a regulatory expectation in many jurisdictions. As organizations face increasing scrutiny over their sustainability claims, auditors play a critical role in verifying the accuracy and completeness of ESG disclosures. This checklist outlines what auditors should focus on when evaluating ESG reporting.

Understanding the ESG Landscape

Before diving into audit procedures, auditors need to understand the reporting framework the organization has adopted. Common frameworks include the Global Reporting Initiative (GRI), the Sustainability Accounting Standards Board (SASB), the Task Force on Climate-related Financial Disclosures (TCFD), and the newer International Sustainability Standards Board (ISSB) standards.

Each framework has different requirements for metrics, disclosures, and materiality assessments. The first step in any ESG audit is confirming which frameworks apply and whether the organization's disclosures align with the selected standards.

Environmental Factors

Greenhouse gas emissions are typically the most scrutinized environmental metric. Auditors should verify the methodology used for calculating Scope 1, Scope 2, and Scope 3 emissions. Check whether emission factors are sourced from recognized databases and whether the organizational boundary is consistently applied.

Energy consumption data should be traceable to utility bills, meter readings, or other primary sources. Verify that conversions between units are accurate and that renewable energy claims are supported by certificates or contractual agreements.

Waste and water metrics require clear definitions of what is measured and how. Confirm that waste diversion rates are calculated consistently and that water withdrawal data reflects actual measurements rather than estimates.

Climate-related risks and targets should be assessed for reasonableness. If the organization has committed to net-zero targets, auditors should evaluate whether the interim milestones and action plans are credible and consistent with the stated timeline.

Social Factors

Workforce data includes employee demographics, turnover rates, health and safety statistics, and training hours. Auditors should verify that data collection methods are consistent across locations and that definitions (such as what constitutes a recordable injury) align with recognized standards.

Supply chain due diligence is increasingly important. Check whether the organization has processes to identify and address human rights risks in its supply chain. Review supplier audit reports, questionnaires, and corrective action plans.

Community engagement and impact disclosures should be supported by documented programs, expenditure records, and measurable outcomes. Vague claims about community benefit without supporting evidence should be flagged.

Diversity, equity, and inclusion (DEI) metrics require careful review. Verify that demographic data is collected and reported in compliance with applicable privacy regulations and that benchmarks are clearly defined.

Governance Factors

Board composition and oversight disclosures should be verified against corporate records. Confirm the accuracy of reported board diversity, independence classifications, and committee structures.

Ethics and anti-corruption programs should be assessed for substance, not just existence. Review training completion rates, whistleblower reports, and the outcomes of any investigations.

Executive compensation disclosures should be reconciled to employment agreements, board minutes, and proxy statements. Pay-for-performance claims should be evaluated against actual performance metrics.

Data privacy and cybersecurity governance are increasingly material governance topics. Verify that the organization has documented policies, incident response plans, and board-level oversight of cyber risk.

Data Quality and Controls

ESG data often comes from systems and processes that lack the maturity of financial reporting infrastructure. Auditors should evaluate whether adequate controls exist over data collection, aggregation, and reporting. Key questions include:

• Is there a clear data owner for each ESG metric?
• Are data collection templates standardized across business units?
• Is there a review and approval process before data is published?
• Are manual adjustments documented and authorized?

Documentation and Evidence

Every ESG claim should be supported by verifiable evidence. Auditors should maintain workpapers that document the sources reviewed, the procedures performed, and the conclusions reached. Tools that facilitate document extraction and matching within existing workflows can improve the efficiency of evidence gathering, particularly when dealing with large volumes of supporting documentation spread across multiple sources.

Looking Ahead

ESG assurance requirements are expanding. Auditors who develop expertise in this area now will be well-positioned as mandatory assurance standards take effect across more jurisdictions. The key is to apply the same rigor to ESG data that has long been applied to financial data.