CSRD: decoding the H2A guidelines on certification of sustainability information

The year 2025, for the 2024 financial year, will be the first year of publishing sustainability reports under the Corporate Sustainability Reporting Directive (CSRD).

In accordance with Articles L. 821-54 and L. 822-24 of the French Commercial Code, and to ensure the reliability of sustainability information published under the transposition of the European directive, such information must be audited by one or more auditors, i.e., statutory auditors (CAC) or independent third-party organizations (OTI). The auditor's task leads to the production of a certification report based on limited assurance.

In carrying out their mission, the auditors must adhere to the limited assurance standard that the European Commission had planned to adopt by October 1, 2024, as a delegated act. Pending this standard and considering that the French government had no plans to adopt a national standard, the High Authority for Audit (H2A) published guidelines. These guidelines describe the auditor's expected work and how they will express their conclusions. The October 2024 guidelines update those published in June 2023.

RSM France, the 6th largest global network of financial audit, accounting, and consulting, certified Visa Durability and OTI, and kShuttle, a software provider specializing in managing financial and non-financial performance, offer a breakdown of these guidelines and provide insights into the implications for managing and ensuring the robustness of sustainability-related information.

An Expanded Mission for the Verification and Certification of Sustainability Information

Compliance of Sustainability Information with ESRS Standards and Regulatory Requirements

LeThe Commercial Code, in its Articles L. 821-54 and L. 822-24, defines the certification mission. The auditor, who certifies the sustainability information published by the entity, issues an opinion at the end of their mission on:

• The compliance with the European Sustainability Reporting Standards (ESRS) of the process implemented by the entity to determine the sustainability information published and the adherence to the obligation to consult the CSE. The process mentioned above must minimally include that the entity performs a double materiality analysis, which requires reviewing the Impact – Risks and Opportunities (IRO) related to sustainability issues, thus allowing the entity to identify its material issues;
• The compliance of the sustainability information included in the management report with the requirements of Article L. 232-6-3 (or L. 233-28-4 of the Commercial Code, depending on the entity concerned), including compliance with the ESRS. These information resulting from the process mentioned above must meet the criteria of relevance, faithful representation, comparability, verifiability, and understandability;
• The compliance with the publication requirements set by the Taxonomy framework. Article 8 of Regulation (EU) 2020/852 stipulates that entities must publish in their sustainability report information about "how and to what extent [their] activities are associated with environmentally sustainable economic activities in light of the six environmental objectives set by the European Commission";
• The compliance with the requirement to tag sustainability information, as set out in Article 29quinquies of Directive 2013/34/EU. To date, no text specifies the content and presentation of information to be published according to the unique electronic information format (xHTML), nor the methodology to follow for compliance.

A Verification Process Aimed at Ensuring the Transparency of Sustainability Information

In-Depth Analysis of the Entity and Its Context

The auditor’s approach requires an understanding of the entity and its internal and external environment. The sector of activity and characteristics of the entity, the regulatory framework relating to sustainability information, the involvement of governance in determining sustainability issues, the relevant internal control elements for determining, developing, and presenting sustainability information and the information required by the Taxonomy framework are all factors the auditor must consider when assessing the context of the information and the maturity of the following process.

Verification of the Relevance of the IRO Identification and Evaluation Process

The process to identify the IRO (Impacts, Risks, and Opportunities) related to sustainability issues is an integral part of the entity’s internal environment and must be described in the sustainability report.

This process must include:

• Identification of all entities within the group of the reporting company. The sustainability information is assessed at the consolidated or combined level. Each contributing activity or company in the scope must be analyzed to identify its material or non-material IRO;
• Identification of stakeholders affected by the group’s activities and users of sustainability information. The IRO must be analyzed for each stakeholder;
• Evaluation of impact materiality. For each sustainability issue, ESRS 1  recommends identifying the real and potential impacts, both negative and positive, of the entity on the population or the environment, notably through exchanges with internal and external stakeholders. This evaluation should cover the entire value chain of the group, including its upstream operations, its own operations, and downstream operations. The materiality of the impacts must then be assessed against the thresholds defined by the entity for publication. The materiality of the issues meets criteria such as severity, likelihood of occurrence, and the scope of risks and opportunities over the short, medium, or long term;
• Evaluation of financial materiality. This is based on forecasts and environmental, social, or governance scenarios, the realization of which is considered likely but whose expected financial effects have not yet been reflected in the audited financial statements. The auditor will also verify the criteria selected by the entity for publishing information related to indicators for a material sustainability issue. The entity may also be required to supplement the information with specific details regarding IRO not covered by ESRS but deemed material due to specific facts or circumstances.

The first two areas of the auditor’s mission — i.e., verifying the compliance of the sustainability information determination process and the published sustainability information — mainly consist of ensuring that:

1. The auditor verifies:

   - The relevance of the entity’s approach to the double materiality process with respect to the goal that the outcome of this process results in the publication of material impacts, risks, and opportunities;

   - The correct description of this analytical approach in the management report to facilitate the understanding of this process.

   This step is crucial because the proper application of ESRS regarding the process determines the appropriateness of identifying and publishing material information.

2. The auditor specifically verifies those pieces of information that present a significant risk of non-compliance with applicable regulations, including the ESRS, and/or where there are strong expectations from the users of sustainability information.
    

Verification of the Consistency of All Sustainability Information

This verification is based on the requirements of the ESRS, particularly the following criteria: relevance, faithful representation, comparability, verifiability, and understandability:

• Relevance requires that the information provided enables users to make decisions based on the double materiality approach (impact materiality and financial materiality);
• Faithful representation requires that the information is complete, neutral, and accurate;
• Comparability means the information provided by the entity for the reporting period can be compared with information from previous periods and with other entities (particularly those with similar activities or operating in the same sector);
• Verifiability means the information can be corroborated by others or through independent resources;
• Understandability requires that the information be clear and concise. The comprehensibility criterion should ensure that any informed user can easily understand the provided information.
• The entity publishes material information, which may also be supplemented by non-mandatory ESRS-related information (ESRS 1 – Annexe C et ESRS 1, 18), for two reasons

1. It is information that will only need to be published in subsequent reporting periods or that results from local legislation or standardization body positions;
2. Or because the entity is only encouraged to publish such information to promote good practice.

Regarding the specific compliance review of sustainability information with the requirements of the French Commercial Code, including the ESRS, the verifications focus on the methods used for preparing and presenting sustainability information, as well as on specifically selected information. To do this, the auditor implements the work outlined by the guidelines.

Given the volume of sustainability information and the level of assurance expected (limited assurance), the auditor specifically verifies only certain pieces of this information to identify the existence, or lack thereof, of significant errors, omissions, or inconsistencies, including those due to fraud or greenwashing practices, which could influence the judgment or decisions of users of sustainability information or affected stakeholders.

These works are tailored according to the level of limited assurance presented in the certification report and are based on a risk-based approach. The auditor identifies and selects information that, in their professional judgment, presents a significant risk of non-compliance with the provisions of the French Commercial Code, including the ESRS, and the characteristics (as mentioned above in section 2.3) that it must comply with and/or for which, in their view, there are strong expectations from the users of sustainability information. The identification and volume of information verified by the auditor depend on the risk level determined for the published information, considering various internal or external factors (internal organization, banking ratios related to sustainability issues, variable compensation for management, maturity of internal control systems, reliance on expert advice, etc.).

To verify the selected information, the auditor employs appropriate control techniques for the information subject to their verification. These techniques are similar to those that could be used in the context of auditing financial statements. These techniques may include analytical procedures, physical observations, on-site or off-site inspections, requests for information from individuals (internal or external to the entity), or entities included within the scope of consolidation or combination, or within its value chain, or even the use of experts.

Focus on the Verification of Information Related to the Green Taxonomy

Presentation of the Green Taxonomy Requirements

The Taxonomy Regulation requires the company to analyze its activities in accordance with this framework so that it can report on the sustainable portion of its turnover, investments, and operating expenses (Capex and Opex).

The production of this information involves the entity determining, according to the taxonomy framework, its sustainable economic activities and, to do so, determining:

• its eligible activities: that is, those that fall within the scope of activities defined by the delegated acts adopted by the European Commission as capable of making a substantial contribution to each environmental objective;

• the alignment of these economic activities;

• the key performance indicators and the accompanying information to be provided, depending on whether the entity is a financial company or not.

Each activity will thus be classified:

-   either as an eligible and aligned activity, forming the sustainable portion of the company in its reporting;
-  or as an eligible but non-aligned activity, thereby informing the market of non-compliance with the alignment technical criteria for the activity, classifying it as a non-eligible activity.

Eligible economic activities are considered aligned if they meet the following three criteria:

• they make a substantial contribution to achieving one or more of the six environmental objectives while respecting the technical screening criteria for each activity;
• they do not cause significant harm to any of the other five objectives (the "Do No Significant Harm" criterion),
• they are carried out in compliance with the minimum safeguards defined by the taxonomy framework, which include the procedures the company has implemented to align with the OECD and UN guidelines on business and human rights (human rights, corruption, taxation, competition).

Verification of the Analysis Process and Associated Ratios

Regarding the auditor’s control over compliance with the publication requirements of the Taxonomy framework, the auditor carries out the tasks defined by the guidelines to conclude that no errors, omissions, or inconsistencies have been detected in the information provided by the entity, which would be significant enough to undermine compliance with the publication requirements of this information.

The auditor’s work focuses on three dimensions:

1. The entity’s determination of its eligible and aligned activities.

Based on their knowledge of the taxonomy framework and the elements collected during the understanding of the entity, the auditor:

• verifies whether the procedures implemented by the entity cover all the economic activities of the entity, and, if applicable, the activities of entities included in the consolidated or combined scope of sustainability information;
• assesses whether these procedures are designed to comply with the requirements of the taxonomy framework regarding the establishment and formal presentation of qualitative information (such as the nature of eligible and aligned activities, how the entity assessed the satisfaction of the alignment technical criteria, the description of the composition of key performance indicators, the methodologies for allocating these indicators to different activities) and quantitative information (particularly the key performance indicators);
• verifies whether these procedures are established so that the numerical data used to establish the key performance indicators align with the accounting data.

The limited assurance legal engagement, entrusted to the sustainability auditor, may evolve in the future into reasonable assurance. Under a limited assurance engagement, the verifications are less extensive than those required for reasonable assurance, which means that the nature (choice of audit techniques), scope, and, consequently, the duration of the work are different from those necessary for reasonable assurance.
Such an engagement requires the auditor to use professional judgment and critical thinking to define the work that allows them to arrive at assurance which, although lower than reasonable assurance, increases the confidence that users of the information covered by the engagement can place in it.
 

One of the major challenges for entities subject to the CSRD is to provide readers with an accurate picture of the impacts of sustainability issues (environmental, social, and governance) on their activities and the impacts of those activities on sustainability issues, as well as how they address, particularly in a forward-looking manner, these issues in the evolution of their models and economic strategies.

The concept of transparency is essential for explaining and documenting the process of constructing the double materiality analysis, the identification of IROs, or taxonomy information. This transparency and documentation are essential elements for the auditor's work. Implementing the CSRD requires deep reflection from the governance on both the goals set and the resources allocated to achieve them, notably with appropriate processes and tools to collect, process, and compile information.

This is why the digitalization of the reporting process is highly recommended. It is a means to ensure the reliability of the information collected and published, and to succeed in audits.

CSR Insight: A Tool for Businesses

The CSR Insight solution has been designed to address these challenges and align with the expectations of auditors:

-    Embedded ESRS to ensure regulatory compliance in the presentation of information to be disclosed

• Complete alignment with IG3 and CSRD through the integration of all sector-agnostic datapoints, including voluntary ones, those benefiting from a phase-in, conditional and alternative datapoints;
• Library of indicators to collect data in the CSRD format, including the expected units, IG3 reference*, the list of underlying data needed to produce the report (for example, Disclosure Requirement S1-6 – Characteristics of the Undertaking’s Employees, which requires disclosure of workforce/FTE by gender), and the description.
• Generation of a ready-to-use report presenting all the datapoints to be disclosed according to the recommended reporting format.

-    Validation Workflow to Track Roles and Responsibilities

• A multi-level data validation workflow process, aligned with the organization and responsibility scopes: data entry, validation, analysis, consultation, etc., depending on the organizational scope of the company and the different business areas (social, environment, climate, governance, etc.)
• An integrated dialogue box to facilitate communication between stakeholders, streamline the process, and track exchanges.

-   Embedded Consistency Controls to Ensure Data Collection Reliability and Automate Verifications

• Consistency controls at the data entry level: completeness (number of indicators entered and progress status), comparison to threshold values, comparison with historical data, request for comments in case of significant deviations…;
• Provision of definitions, procedures, and calculation methods for indicators to promote understanding and limit confusion or interpretations that may lead to errors;
• Interoperability with existing tools to prioritize the automated collection of data already controlled and validated internally.
   

-    Complete Audit Trail of Data (History and Supporting Documents)

• An integrated audit trail to log and trace any modifications and validations of data in each campaign.

• Addition and archiving of supporting documents and comments to help understand or validate one or more indicators.

  
   

Thus, digitizing reporting with CSR Insight helps secure the data collection process to ensure the reliability of data and efficiently prepare for the audit.

• Issuing Trustworthy Data: The data is secure and auditable regardless of the method of information retrieval: manual entry, file import, interface;
• Compliance with regulatory requirements;
• Credibility and legitimacy of commitments;
• Time-saving and cost reductions during audits and verification by OTI.