Five Data Gaps Audit Teams Find Most Often in CSRD Submissions
March 28, 2026 | Audit and Assurance
March 28, 2026 | Audit and Assurance
The EU Corporate Sustainability Reporting Directive requires companies to obtain limited assurance on their sustainability statements starting with fiscal year 2024 filings for large public-interest entities. Assurance providers across Europe have now completed their first full cycles, and the patterns are clear: most first-time CSRD filings arrive with the same five categories of data quality problems.
None of these gaps are exotic. They are predictable consequences of companies building their ESRS-compliant disclosure processes on top of pre-existing voluntary frameworks - often CDP or GRI - without recognizing where CSRD's requirements are more stringent. Here is what shows up most frequently, and how to address each before your submission window opens.
CSRD requires a double materiality assessment that considers both impact materiality (how the company's activities affect people and the environment) and financial materiality (how sustainability topics affect the company's financial position). The ESRS framework requires this assessment to be grounded in stakeholder engagement - not just management's internal view.
The gap that assurance teams find most often is a double materiality assessment that identifies topics (climate change, water, labor rights) without any documented evidence that affected stakeholders were consulted. Companies frequently rely on industry benchmarking, peer review, or SASB sector frameworks as proxies for stakeholder input - but ESRS 1 requires engagement with "workers and their representatives, affected communities, end users, and other affected stakeholders" as part of the IRO (impact, risk, and opportunity) identification process.
To close this gap before your audit, you need documented records of stakeholder engagement activities - surveys, interviews, focus groups, or multi-stakeholder panel outputs - that are clearly linked to your final materiality map. The engagement does not need to be exhaustive, but it must be authentic and traceable.
Under ESRS E1, companies that identify climate as a material topic must disclose their Scope 3 GHG emissions across the relevant categories of the GHG Protocol. Many first-time filers include a Scope 3 total figure - often taken from their CDP response - without the category-by-category breakdown, calculation methodology description, and emissions factor sources that ESRS requires.
Assurance providers flag this because the aggregate Scope 3 figure is unverifiable without knowing how it was constructed. Category 11 (use of sold products) and Category 15 (investments) are particularly problematic for financial services and industrial companies because the estimation approaches vary widely and the uncertainty range is large. ESRS E1 allows the use of primary data, supplier-specific data, or spend-based estimation, but each approach must be disclosed separately, with the percentage of Scope 3 emissions covered by each approach.
If your team calculated Scope 3 using a spend-based approach and a single third-party emission factor database, you need to document: which database (Ecoinvent, US EPA, EXIOBASE, etc.), which version, the reference year for the emission factors, and the total proportion of Scope 3 emissions that could not be covered by the primary methodology and were estimated using secondary factors.
ESRS S1 (Own Workforce) requires workforce metrics that most companies have never collected in the form the standard demands. The standard requires headcount broken down by gender, by employment contract type (permanent vs. temporary), by full-time vs. part-time status, and by geographic region - simultaneously. This is a four-dimensional breakdown that does not correspond to how most HR systems report headcount.
The data gap audit teams find is not that companies lack headcount data - they have it. The problem is that the data exists in different systems or reports that were never designed to produce the ESRS S1 cross-tabulation. Payroll systems have gender and employment type. Regional management reports have geography. The intersection of all four dimensions typically does not exist as a standing report anywhere in the organization.
Closing this gap requires extracting a workforce data extract at the individual employee level (with appropriate anonymization and data protection controls), then producing the required cross-tabulations. Most HR platforms can produce this extract - the work is in defining the extract specifications, obtaining data governance approval, and building the aggregation logic.
CSRD requires disclosure of sustainability targets where the company has set them, along with the baseline year, the target year, and the metrics used to measure progress. Assurance teams routinely find target disclosures that state the target ("net zero by 2040") without the baseline value against which progress will be measured, or that cite a science-based target without disclosing the underlying pathway and interim milestones.
This matters for assurance because a target without a baseline cannot be verified. If you disclose a 50% reduction in Scope 1 emissions by 2030, your assurance provider needs to know: 50% reduction from what baseline year? What was the baseline figure? If the baseline year was 2019 and you restated your 2019 emissions in 2023 due to a methodology change, what is the post-restatement baseline? These questions are entirely predictable, and companies that cannot answer them at the start of the assurance engagement delay the process by weeks.
As we discuss in our article on SEC climate disclosure requirements, the same baseline documentation discipline that the SEC rule requires for GHG emissions applies equally to CSRD target tracking. The underlying data management problem is jurisdiction-agnostic.
ESRS 2 requires disclosure of governance processes and controls that have been established to manage sustainability risks and opportunities. A recurring finding in first-cycle assurance engagements is governance disclosures written in the future tense - describing what the board "plans to do" or what controls will "be implemented by 2025" rather than describing what is actually in place for the reporting period.
This typically reflects a genuine lag: many companies first turned attention to CSRD-level governance requirements in 2024, and their board and management processes were still being designed during the period they are reporting on. The honest answer is that the governance was not fully in place during the reporting year. That disclosure is permissible under ESRS (it can be paired with a forward-looking description of planned improvements), but governance disclosures written as if processes exist when they do not can constitute a material misstatement.
Assurance teams will ask for evidence that the governance processes described in the sustainability statement actually operated during the reporting year. Board meeting minutes, risk committee reports, and ESG integration procedures with dated effective dates are the kinds of evidence required. If those documents do not exist for the reporting year, the governance section needs to accurately reflect what was in place rather than what was intended.
Looking across all five gaps, the underlying problem is the same: companies are reporting numbers without being able to show where those numbers came from. A Scope 3 figure without its constituent categories. A headcount without its cross-tabulation detail. A target without its baseline. A governance process without its operational records.
CSRD assurance is designed to test provenance, not just accuracy. The question your assurance provider is asking is not "is this number correct?" but "can this number be traced back to an underlying source that we can independently verify?" That is a fundamentally different standard than the materiality-based review that characterized voluntary sustainability reporting assurance.
Companies that invest in data infrastructure before their first CSRD filing - structured data pipelines, version-controlled calculations, centralized documentation repositories - are the ones whose assurance engagements proceed smoothly. Those relying on annual spreadsheet exercises and email-based data collection typically encounter the five gaps described here, and spend the first two weeks of their assurance engagement in remediation rather than verification.
If your CSRD filing is in the next 6-9 months, here are the priority actions for each gap:
If your team is working through these preparations, contact us to see how Nossa Data's CSRD module structures the evidence collection and documentation process to produce assurance-ready output at each stage of your reporting cycle.