Quick Read
Audit committees historically focused exclusively on financial reporting oversight, but mandatory sustainability reporting under CSRD, ISSB, and other global standards now creates material disclosure obligations that lack equivalent board-level scrutiny. This whitepaper argues that organisations face a structural governance gap where non-financial assurance—including sustainability certifications, ISO management system audits, carbon verification, and supply chain assessments—operates outside the audit committee's purview despite carrying similar legal weight and litigation exposure as financial statements. The paper provides a practical framework for extending the audit committee's mandate and composition to systematically integrate non-financial assurance into board-level governance.
Executive Summary
Audit committees were designed to be the board's most rigorous oversight body. For decades, that rigour was focused almost exclusively on financial reporting: the integrity of numbers, the independence of auditors, the adequacy of internal controls over financial data. That focus was right for its time.
The time has changed. Sustainability reporting is now mandatory across the European Union under CSRD, required in Singapore, Australia, the United Kingdom, Canada, and Hong Kong, and expected under ISSB standards being adopted in jurisdictions representing more than 60 percent of global GDP. These are not voluntary disclosures. They carry the same legal weight, the same assurance requirements, and increasingly the same litigation exposure as financial statements. Yet in most organisations, the audit committee has not been extended to cover them.
The result is a structural governance gap of growing severity. Sustainability teams produce disclosures that are material to investors, regulators, and counterparties. External assurance providers certify those disclosures. ISO management system certifications confirm the integrity of underlying processes. Carbon verification bodies attest to emissions data. Supply chain audits test the claims made about third parties. None of this flows systematically through the audit committee. None of it is subjected to the same rigour the committee applies to the annual financial statements. The board is, effectively, flying partially blind.
This whitepaper makes the case for connecting the audit committee directly and structurally to the full non-financial assurance universe. It is not a theoretical argument. It is a practical governance framework: why the connection must be made, what non-financial assurance actually includes, how to restructure the committee's mandate and composition to accommodate it, what the operating model looks like in practice, and how organisations can close the gap between where their audit committees are today and where they need to be.
Who This Paper Is For
Audit committee members and chairs who recognise the gap between their current mandate and the full assurance universe their organisation now operates within.
Non-executive directors sitting on sustainability or ESG committees who need to understand why the governance structure may be fragmenting accountability rather than concentrating it.
Company secretaries and general counsel advising on governance evolution.
Chief Sustainability Officers and internal audit leads who need a shared language with the board around non-financial assurance.
CFOs and Chief Risk Officers whose financial and risk oversight now depends on the integrity of sustainability data they do not currently oversee.
1. The Audit Committee's Historical Mandate — And Its Limits
1.1 Where Audit Committees Came From
The modern audit committee is a product of financial crisis and regulatory response. Its statutory and regulatory foundations — the Companies Act in common law jurisdictions, the Sarbanes-Oxley Act in the United States, the UK Corporate Governance Code, the Singapore Code of Corporate Governance, and their equivalents globally — reflect a consistent logic: independent directors, operating through a dedicated committee, should provide oversight of financial reporting, external audit, and internal controls that management cannot credibly provide for itself.
That logic is sound and remains entirely relevant. The problem is not that audit committees do financial oversight badly. The problem is that the world has added a second, parallel accountability universe — non-financial reporting and assurance — and the governance architecture has not kept pace.
Most audit committee charters were drafted in an era when sustainability disclosures were voluntary, qualitative, and immaterial to investment decisions. A reasonable committee chair in 2010 could honestly say that ESG matters were board-level strategy questions, not audit committee questions. That statement is no longer defensible.
1.2 What Has Changed
Three shifts have made the historical mandate insufficient.
The first shift is regulatory. CSRD requires assurance over sustainability disclosures from large EU companies from financial year 2024, extending progressively to smaller entities. ISSB S1 and S2 — now adopted or in adoption processes across the UK, Australia, Canada, Singapore, Hong Kong, Japan, and others — require disclosure of financially material climate and sustainability information. ISSA 5000, the new global assurance standard from the IAASB, sets out the assurance requirements that practitioners must meet when providing assurance over sustainability information. These are not voluntary frameworks. Non-compliance is a legal matter, not a reputational inconvenience.
The second shift is materiality. Institutional investors — including the largest asset managers globally — now conduct ESG due diligence as a standard element of investment decisions. Lenders price sustainability-linked loans against verified ESG metrics. Customers in regulated supply chains require supplier certifications and verified claims. ESG data has become financially material data. An audit committee that does not oversee the integrity of that data is failing its core function.
The third shift is liability. Directors and officers are increasingly exposed to legal action arising from misleading sustainability disclosures. The attribution science underpinning climate litigation has matured. Regulatory enforcement action on greenwashing has accelerated in the EU, UK, US, and Australia. The exposure is not hypothetical. It is a live governance risk that the audit committee is positioned to address — but only if its mandate extends to the disclosures that create it.
The audit committee was designed to be the organisation's most rigorous oversight body. Non-financial assurance is not a new topic. It is the same topic — integrity of material disclosures — applied to a new category of information.
1.3 The Structural Gap
The most common governance response to the rise of ESG has been the creation of a separate sustainability committee at board level. In many organisations, this committee sits alongside the audit committee with overlapping but undefined boundaries. Sustainability strategy goes to the sustainability committee. ESG reporting is managed by the sustainability team and reviewed by the sustainability committee. Assurance — where it exists — may be overseen by neither.
This structure produces predictable problems. The audit committee, with deep controls expertise and independence discipline, never develops sight of sustainability disclosures. The sustainability committee, often composed of directors selected for their ESG enthusiasm rather than their assurance rigour, lacks the framework to apply controls thinking to sustainability data. The external assurance provider reports to management. Nonconformities from ISO audits are managed by the certification team. The board gets a fragmented picture that no one is synthesising.
The alternative — integrating non-financial assurance oversight into the audit committee — is not merely tidier. It is more rigorous. It brings the controls discipline, the independence culture, and the structured challenge methodology of financial oversight to a domain that currently lacks them.
2. What Non-Financial Assurance Actually Includes
Before an audit committee can be extended to cover non-financial assurance, its members need to understand what that assurance universe actually contains. It is substantially larger, and more technically varied, than most directors appreciate.
2.1 Sustainability Report Assurance
The most visible layer of non-financial assurance is the assurance engagement over the sustainability report itself. This is the closest analogy to the financial audit: an independent practitioner reviews the sustainability disclosures and provides a conclusion on whether they are free from material misstatement.
Three standards govern this engagement in most jurisdictions. ISSA 5000, issued by the International Auditing and Assurance Standards Board, is the new global standard for sustainability assurance and is rapidly becoming the mandatory framework under CSRD and other regulatory regimes. It distinguishes between limited assurance (a negative form conclusion: nothing has come to our attention indicating the information is materially misstated) and reasonable assurance (a positive form conclusion: we are satisfied the information is fairly presented). AA1000 Assurance Standard v3, issued by AccountAbility, provides a stakeholder-inclusive assurance framework widely used by organisations that wish to demonstrate assurance against a broader accountability lens. ISAE 3000 (Revised), issued by the IAASB, is the general standard for assurance engagements over non-financial information and remains the technical backbone for many sustainability assurance engagements.
The audit committee's role in sustainability report assurance mirrors its role in financial audit: appointing the assurance provider, confirming independence, approving the scope, reviewing the engagement findings, challenging management on areas of difficulty, and presenting the assurance conclusion to the full board.
2.2 ISO Management System Certifications
ISO management system certifications are a form of assurance that most audit committees have never seen — and that most sustainability teams manage without board oversight. This is a significant gap.
A management system certification under ISO 37001 (anti-bribery), ISO 37301 (compliance management), ISO 14001 (environmental management), ISO 45001 (occupational health and safety), ISO 27001 (information security), ISO 42001 (AI management), ISO 9001 (quality management), or ISO 50001 (energy management) is a statement by an independent accredited certification body that the organisation's management system meets the requirements of the standard. That statement is issued following a formal audit process. It carries surveillance audit obligations. It generates findings — including nonconformities — that must be closed within defined timeframes or the certification lapses.
These certifications are material to the organisation's supply chain relationships, regulatory standing, customer commitments, and increasingly its insurance arrangements and access to capital. An organisation that holds ISO 37001 certification and loses it due to unmanaged nonconformities has a material governance failure. An audit committee that is unaware this is happening is not providing adequate oversight.
| Standard | Scope | Why It Is Material to the Audit Committee |
|---|---|---|
| ISO 37001 | Anti-Bribery Management | Material to compliance programmes, supply chain due diligence, financial crime controls |
| ISO 37301 | Compliance Management | Structural framework for regulatory compliance; increasingly required in regulated sectors |
| ISO 14001 | Environmental Management | Material to Scope 1/2/3 claims, regulatory obligations, green procurement requirements |
| ISO 45001 | Occupational Health & Safety | Material to worker safety obligations, supply chain codes, insurance underwriting |
| ISO 27001 | Information Security | Material to data processing agreements, regulatory requirements, cyber insurance |
| ISO 42001 | AI Management | Emerging requirement for AI governance under EU AI Act and similar frameworks |
| ISO 9001 | Quality Management | Core operational standard; material to procurement requirements globally |
| ISO 50001 | Energy Management | Material to energy reduction targets, Scope 1 emissions, regulatory energy obligations |
2.3 Carbon and GHG Verification
Greenhouse gas emissions data — Scope 1, Scope 2, and Scope 3 — is among the most scrutinised sustainability information an organisation discloses. It is also among the most complex to verify. ISO 14064-3 provides the standard for verification of GHG assertions. The GHG Protocol provides the accounting framework against which those assertions are prepared. For organisations using voluntary carbon markets, the Verified Carbon Standard (Verra VCS) and Gold Standard provide additional verification requirements.
The audit committee should understand that GHG verification is a distinct engagement from sustainability report assurance — though both may be provided by the same firm. It should be briefed on the methodology assumptions underlying the organisation's emissions calculations, the boundaries of the verification engagement, and the key areas of estimation uncertainty.
2.4 Product and Claims Assurance
Organisations increasingly make environmental and social claims about their products: carbon-neutral labels, recycled content certifications, sustainable sourcing attestations, fair trade claims, and net-zero product commitments. These claims are subject to specific verification requirements under frameworks including ISO 14021 (self-declared environmental claims), ISO 14024 (environmental labelling), ISO 14025 (environmental product declarations), and sector-specific schemes including GOTS (Global Organic Textile Standard), RSPO (Roundtable on Sustainable Palm Oil), and FSC (Forest Stewardship Council).
The exposure from unverified or incorrectly verified product claims is substantial. Greenwashing enforcement action by the EU, the UK Competition and Markets Authority, ASIC in Australia, and the FTC in the United States has targeted exactly this category of disclosure. The audit committee should have oversight of the organisation's claims management framework and the assurance arrangements supporting it.
2.5 Supply Chain and Partner Assurance
An organisation's sustainability disclosures extend beyond its own operations to its supply chain. Scope 3 emissions data depends on supplier reporting. Social claims about working conditions in supply chains depend on supplier audits. Anti-bribery certifications depend on due diligence over third parties. The audit committee should have oversight of the supply chain assurance programme — not the day-to-day management of it, which properly sits with procurement and supply chain teams, but the governance of it: programme design, scope, findings management, and escalation protocols.
ISO 19011, the guidelines for auditing management systems, provides the framework for designing and managing an audit programme of this kind. The audit committee should be sufficiently familiar with its principles to challenge management on the adequacy of the programme and the credibility of the findings it produces.
3. The Foundation: Internal Controls Over Sustainability Reporting
The most common mistake organisations make when approaching non-financial assurance is attempting to engage an external assurance provider before the internal control infrastructure is in place to support it. The result is an expensive, uncomfortable engagement that produces findings management is not equipped to address and a conclusion that provides limited comfort to anyone.
The financial reporting parallel is instructive. External auditors do not create the financial controls that make a set of accounts auditable. Management does. The audit committee oversees the internal control framework — documented, tested, and reported — that makes the external audit possible. The same logic applies to sustainability information. Internal Controls over Sustainability Reporting (ICSR) is the sustainability equivalent of Internal Controls over Financial Reporting (ICFR), and the audit committee's role in overseeing ICSR is as important as its role in overseeing ICFR.
3.1 The Six Elements of an ICSR Framework
An effective ICSR framework operates across six elements that the audit committee should understand and receive regular reporting on.
Data governance and ownership
Every sustainability metric disclosed must have a defined owner, a documented methodology, and a clear data lineage from primary source to reported figure. The audit committee should satisfy itself that management has assigned accountability for data quality at the operational level — not merely at the reporting level — and that the methodology documentation is sufficient to support external verification.
Estimation and assumption management
Sustainability data, unlike most financial data, relies heavily on estimation. Scope 3 emissions involve spend-based or activity-based models. Social impact metrics involve population surveys or proxy indicators. The audit committee should be briefed on the key estimation assumptions, the sensitivity of reported figures to those assumptions, and the process by which assumptions are reviewed, challenged, and updated.
Control activities
The organisation should have documented control activities — reviews, reconciliations, approvals, and automated system checks — that reduce the risk of material error in reported sustainability data. These controls should be tested, and the results of testing should be reported to the audit committee in the same way that ICFR control testing results are reported.
Technology and systems infrastructure
Sustainability data managed in shared drives and spreadsheets cannot be assured to the standard that regulators and investors now expect. The audit committee should have a clear view of the technology infrastructure supporting sustainability data — whether it is fit for purpose, what the gaps are, and what the roadmap is for closing them. This is a board-level capital allocation question, not merely a management systems question.
Scope and boundary management
Sustainability reporting boundaries — which entities, which operations, which value chain tiers are included in which disclosures — have significant implications for the accuracy and comparability of reported data. The audit committee should approve the reporting boundary framework and be briefed on any changes to it.
Assurance readiness
Before engaging an external assurance provider, management should conduct an internal readiness assessment: do the controls in place meet the requirements the assurance engagement will test? The audit committee should receive this assessment and be satisfied that engagement is warranted at the assurance level selected (limited or reasonable).
External assurance does not create integrity in sustainability reporting. Internal controls create it. External assurance confirms it. The audit committee must oversee both.
3.2 The ICFR-ICSR Parallel
| Dimension | ICFR |
|---|---|
| Source of authority | Companies Act / SOX / equivalent statutory requirements |
| What is controlled | Financial data: revenues, costs, assets, liabilities, cash flows |
| Control framework | COSO Internal Control — Integrated Framework |
| Internal testing | Management's assessment of ICFR effectiveness (SOX 302/404 or equivalent) |
| External assurance | Financial statement audit (ISA/GAAS) |
| Audit committee role | Oversee ICFR; receive testing results; challenge management; appoint auditor |
| Director liability | Personal liability for false or misleading financial statements |
4. Restructuring the Audit Committee
Establishing that the audit committee should oversee non-financial assurance is the easy part. The harder part is doing it. Most audit committees are not currently structured, composed, or resourced to perform this function. This section addresses the three dimensions of restructuring required: mandate, composition, and operating model.
4.1 The Structural Choice
Before addressing mandate and composition, boards must make a structural choice. There are three models for organising non-financial assurance oversight at board level, each with genuine trade-offs.
Model A: Full integration into the existing audit committee
The audit committee's terms of reference are extended to include all non-financial assurance oversight. The sustainability committee (where it exists) retains responsibility for sustainability strategy and target-setting but has no assurance oversight function. All assurance flows — sustainability report assurance, ISO certifications, carbon verification, supply chain audit — are reported to the audit committee.
This model is the most governance-coherent. It concentrates assurance oversight in the body with the strongest controls culture and the clearest independence mandate. It eliminates the governance gap between financial and non-financial assurance. The trade-off is workload: the audit committee's agenda expands significantly, and its members need to develop new competencies in non-financial assurance.
Model B: Sustainability assurance sub-committee
A sub-committee of the audit committee is formed, comprising some audit committee members plus additional directors with sustainability expertise. It reports to the full audit committee, which retains ultimate oversight. This model allows for deeper technical focus without overwhelming the main committee's agenda.
The risk with this model is that the sub-committee becomes de facto independent, losing the connection to the audit committee's controls discipline. Governance quality depends heavily on how well the reporting relationship between sub-committee and main committee is maintained.
Model C: Integrated oversight with a dedicated sustainability committee
The sustainability committee is rechartered to include assurance oversight — sustainability strategy, target-setting, and assurance — with a direct reporting line to the audit committee for anything that touches internal controls, data integrity, and external assurance providers. The audit committee retains a defined review role on assurance matters.
This model can work but requires very clear delineation of responsibilities and strong communication between the two committees. Where the boundaries are unclear, it tends to drift toward the status quo: assurance sitting in a governance gap between two committees, neither of which owns it properly.
Speeki's position is that Model A — full integration — is the most governance-sound approach for most organisations. It is not always the most politically achievable in the short term, particularly where a sustainability committee is well-established and its members are invested in a broad mandate. But governance design should be driven by what is most effective, not what is most comfortable.
4.2 Extending the Mandate: Terms of Reference
Whatever model is adopted, the mandate extension must be formal and specific. A vague statement in the terms of reference that the committee will 'consider sustainability matters where relevant' creates no governance obligation and no accountability. The terms of reference should specify, at a minimum:
Appointment, oversight, independence confirmation, and removal of the sustainability assurance provider, on the same basis as the external auditor
Approval of the scope and boundary of each annual sustainability assurance engagement
Review of the assurance engagement management letter and findings, and oversight of management's response
Oversight of the organisation's ICSR framework, including receipt of management's annual effectiveness assessment
Receipt and review of ISO management system audit reports, certification status, and nonconformity registers
Oversight of the carbon and GHG verification programme, including review of methodology, boundary decisions, and verification findings
Receipt of the supply chain and partner assurance programme report, including scope, completion rates, and material findings
Integration of financial and non-financial assurance findings into the committee's overall risk and assurance assessment
Annual reporting to the full board on the integrated assurance picture
A Critical Governance Principle
The audit committee does not manage non-financial assurance. Management manages it. The audit committee oversees it. The distinction matters. An audit committee that gets drawn into managing the assurance process — selecting methodologies, reviewing draft reports before they go to the assurance provider, directing the sustainability team's preparation — loses its independence and its oversight effectiveness. The committee's job is to ask the right questions, receive credible answers, and hold management accountable for the integrity of the result.
4.3 Composition: The Competence Gap
Extending the mandate without addressing composition is insufficient. Audit committee members who understand financial controls deeply but have no framework for thinking about sustainability assurance will struggle to provide meaningful oversight. The competence gap is real and must be addressed.
The competence requirements for non-financial assurance oversight are not the same as those for financial audit oversight, and they should not be treated as identical. The core competencies required include:
Familiarity with the major sustainability reporting frameworks: GRI, ISSB S1/S2, CSRD and the ESRS, and the national frameworks in jurisdictions where the organisation operates
Understanding of the assurance standards: ISSA 5000 and the distinction between limited and reasonable assurance; AA1000AS v3 and its stakeholder accountability dimension; ISAE 3000 as the general assurance standard
Working knowledge of ISO management system principles: what a management system is, how certification works, what a surveillance audit involves, and what different categories of nonconformity mean
Understanding of GHG accounting principles: the GHG Protocol framework, Scope 1/2/3 definitions, the key estimation methodologies, and the limitations of current Scope 3 data
Familiarity with double materiality assessment: the distinction between financial materiality and impact materiality, and how materiality scope affects what is disclosed and what requires assurance
Director liability awareness: the legal exposure directors face under CSRD, national sustainability reporting laws, and securities regulation in respect of sustainability disclosures
Most audit committees currently have zero members with formal competence in more than one or two of these areas. The options for closing this gap include structured education programmes for existing members, the targeted recruitment of a director with specific non-financial assurance expertise, the use of specialist advisers to support the committee on technical matters, and targeted executive education such as the programmes offered by Speeki Executive Education.
The competence assessment should be conducted honestly. A committee that collectively cannot define the difference between ISSA 5000 limited and reasonable assurance, does not know what a major nonconformity means in an ISO audit, and has never seen a GHG verification report is not in a position to provide adequate oversight of the assurance matters it is now being asked to govern. The starting point is assessment, not assumption.
5. The Operating Model: What the Audit Committee Does in Practice
A restructured mandate and a more competent committee are necessary but not sufficient. The operating model — the actual cadence, information flows, meeting disciplines, and reporting protocols through which the committee exercises its oversight — is where governance theory becomes governance practice.
5.1 The Annual Assurance Calendar
Non-financial assurance does not operate on a single annual cycle. ISO surveillance audits are scheduled throughout the year. Carbon verification may have a different timeline from sustainability report assurance. Supply chain audit programmes run continuously. The audit committee needs an annual assurance calendar — a structured view of when each assurance activity is scheduled, what deliverables are produced, and when they will be presented to the committee.
| Period | Activity | Audit Committee Action |
|---|---|---|
| Q1 (Jan–Mar) | ICSR effectiveness assessment (management) | Audit committee receives management's assessment of ICSR framework effectiveness; challenges key assumptions; approves assurance scope |
| Q1–Q2 | Sustainability assurance engagement | Audit committee appoints/reconfirms assurance provider; approves scope; receives interim progress briefing |
| Q2 | ISO surveillance audits (scheduled) | Committee receives audit programme report; reviews nonconformity register; satisfies itself that major findings are being addressed |
| Q2 (Apr–Jun) | GHG verification engagement | Committee receives verification scope and methodology briefing; confirms independence of verifier |
| Q3 (Jul–Sep) | Supply chain assurance programme mid-year report | Committee receives completion rates, material findings, and escalation report from supply chain programme |
| Q3 | Assurance provider findings — draft management letter | Committee holds private session with assurance provider (without management); reviews draft findings |
| Q4 (Oct–Dec) | Final assurance conclusions | Committee receives final sustainability assurance report; approves for inclusion in annual sustainability report |
| Q4 | Annual assurance report to full board | Committee presents integrated financial and non-financial assurance picture to full board |
| Rolling | Nonconformity escalation | Major nonconformities from any assurance source escalated to committee within defined timeframe |
5.2 The Sustainability Team — Audit Committee Interface
One of the most practically important governance questions is how the sustainability team connects to the audit committee. The relationship is structurally different from the relationship between the finance team and the audit committee, and it must be designed deliberately.
The Chief Sustainability Officer (or equivalent) should report to the audit committee at least twice annually on the state of the ICSR framework, the status of active assurance engagements, and the organisation's readiness for external assurance. This is a formal reporting relationship, not an ad hoc briefing. The committee should have defined questions it asks at each session and a structured format for the CSO's presentation.
The committee chair and the CSO should also have a direct working relationship outside formal meetings. This mirrors the relationship between the audit committee chair and the CFO or CAE: an ongoing dialogue that allows the chair to stay informed between meetings and to flag concerns early. Where no CSO exists, the sustainability reporting lead should perform this function.
The internal audit function has a critical bridging role. Internal audit should include sustainability controls in its annual audit plan, testing ICSR controls and reporting findings to the audit committee in the same format as financial controls findings. This is the most direct mechanism for giving the committee assured, independent insight into the quality of sustainability data infrastructure, and it does not require waiting for the external assurance engagement to surface problems.
5.3 Managing the Assurance Provider Relationship
The relationship between the audit committee and the sustainability assurance provider must be structured on the same principles as the relationship with the external financial auditor: independence confirmation, direct communication without management intermediation, private sessions, and a clear protocol for escalating concerns.
The audit committee should confirm the assurance provider's independence annually, taking into account any consulting or advisory services the provider renders to management. Where the sustainability assurance is provided by the same firm as the financial audit, the independence analysis is more complex and should be documented with corresponding care.
The committee should hold a private session with the assurance engagement leader at least annually — separate from management's presence — in which the engagement leader can communicate concerns, observations, or areas of management resistance that would not be raised in a joint meeting. This is standard practice in financial audit governance. It is largely absent in sustainability assurance governance and should be introduced.
5.4 Nonconformity Oversight
Nonconformities are the assurance system's mechanism for identifying and tracking failures to meet requirements. They arise from ISO management system audits, sustainability assurance engagements, internal audit, carbon verification, and supply chain assurance programmes. Most organisations manage nonconformities in functional silos — the ISO nonconformities are managed by the certification team, the assurance findings are managed by the sustainability team, the internal audit findings are managed by the internal audit function. The audit committee sees none of them until something goes seriously wrong.
This must change. The audit committee should receive a consolidated nonconformity register — covering all assurance sources — at each quarterly meeting. The register should classify findings by source, severity, assigned owner, target closure date, and actual status. The committee should have a defined escalation protocol: major nonconformities (those that threaten certification status or require regulatory notification) should be escalated to the committee chair within five business days of identification, not held for the next quarterly meeting.
The committee should also receive trend analysis: is the nonconformity rate improving or deteriorating over time? Are there patterns across assurance sources that suggest systemic control weakness? Are closure rates meeting committed timescales? These are governance questions the committee should be asking on a recurring basis, not exceptional ones triggered only by crisis.
5.5 The Integrated Assurance Report to the Board
The ultimate output of the restructured audit committee's work is an integrated assurance report to the full board. This report synthesises the committee's findings across financial and non-financial assurance and gives the board a single, coherent view of the organisation's assurance position.
The integrated assurance report should address: the assurance activities completed during the period; the key findings across financial audit, sustainability assurance, ISO certifications, GHG verification, and supply chain assurance; the status of open nonconformities and findings; the committee's overall assessment of the integrity of the organisation's financial and non-financial disclosures; areas of material uncertainty or risk that the committee considers require board-level attention; and the committee's assessment of the adequacy of the ICSR and ICFR frameworks.
This report should be a standing agenda item at the board's first meeting following the audit committee's final annual assurance review — typically in the fourth quarter or early in the following year when annual assurance engagements are complete.
6. Common Failure Modes and How to Avoid Them
Organisations that have attempted to extend their audit committee's mandate to non-financial assurance frequently encounter predictable failure modes. Understanding them in advance is more efficient than discovering them through experience.
6.1 The Competence Illusion
Audit committees sometimes assume that financial controls expertise transfers automatically to sustainability assurance. It transfers more than nothing, but less than everything. A director who understands ICFR deeply will have useful conceptual tools for thinking about ICSR. But they will need active development to apply those tools to the specific methodological complexity of sustainability data, the standards framework of ISSA 5000 and ISO management systems, and the governance structure of a sustainability assurance engagement. Assuming competence that does not yet exist leads to superficial oversight — the committee asks the right form of questions but lacks the knowledge to evaluate the quality of the answers it receives.
6.2 Mandate Without Accountability
Some boards extend the audit committee's mandate on paper without providing the committee with the information flows, management time, or meeting time to exercise it in practice. The committee's terms of reference mention non-financial assurance, but the quarterly pack contains no sustainability assurance materials, the CSO has never presented to the committee, and the ISO nonconformity register has never been sighted. Mandate without accountability is governance theatre. The committee should refuse to accept mandate extension without the corresponding reporting infrastructure and management engagement.
6.3 The Assurance Engagement Substituting for Controls
A common management error is treating the external sustainability assurance engagement as the control mechanism for data integrity — rather than as the confirmation of a pre-existing control mechanism. When the assurance provider finds problems, management treats this as the system working. The audit committee should challenge this framing. An assurance engagement that consistently surfaces significant findings is not evidence of a well-functioning assurance system. It is evidence of an inadequate ICSR framework. The committee's response should be to require management to build the internal controls that should have prevented the findings, not merely to close the findings on their own terms.
6.4 The Separate Committee Trap
Where a sustainability committee exists and has developed a strong organisational identity, the governance restructuring required to bring assurance oversight into the audit committee can meet significant political resistance. The sustainability committee's members may perceive the change as a diminution of their role. The sustainability team may prefer to report to a committee they have an established relationship with. These pressures are real and should not be dismissed. But governance design cannot be subordinated to political comfort. The audit committee's mandate extension should be framed as an addition of rigour to the full assurance universe — not a takeover of the sustainability committee's territory — and the sustainability committee should retain its strategic and target-setting functions.
6.5 The Assurance Provider as Adviser
Independence requirements for sustainability assurance providers are not as clearly established in most jurisdictions as they are for financial auditors. Some organisations use their sustainability assurance provider as an adviser on sustainability strategy, reporting framework selection, and disclosure drafting — and then engage the same firm for assurance over the disclosures the firm helped prepare. The audit committee should apply the same independence discipline to the sustainability assurance provider as it applies to the financial auditor. Where significant advisory relationships exist, the committee should either require separation or document the independence assessment with particular care.
7. A Practical 90-Day Transition Framework
For an audit committee beginning this transition from a financial-only mandate to an integrated financial and non-financial assurance mandate, the first 90 days are the most important. They establish the information flows, the reporting relationships, and the governance disciplines that determine whether the extension is substantive or nominal.
Days 1–30: Assessment and Mandate
Conduct a baseline competence assessment
The committee chair should lead a structured assessment of the committee's current competence across the non-financial assurance domains identified in Section 4.3. The output is a competence gap map and a development plan for each gap. This assessment should be completed before any formal mandate change is announced — knowing what you do not know is a prerequisite for knowing what to ask for.
Commission a non-financial assurance inventory
Management should be asked to produce a complete inventory of the organisation's non-financial assurance activities: all sustainability assurance engagements currently contracted or anticipated; all ISO certifications held, their current status, scheduled surveillance audit dates, and any open nonconformities; all carbon and GHG verification arrangements; and all supply chain assurance programmes and their governance structure. This inventory is the baseline from which the audit committee's oversight scope is defined.
Review and revise the terms of reference
Based on the assurance inventory and the competence assessment, the committee should revise its terms of reference to specify its non-financial assurance oversight responsibilities explicitly. The revised terms of reference should be presented to the full board for approval, with a clear explanation of the rationale for the change.
Days 31–60: Information Infrastructure
Establish the assurance calendar
Management should produce the annual non-financial assurance calendar and present it to the committee for review. The calendar should be integrated with the existing audit committee meeting schedule to ensure that assurance deliverables arrive in advance of the relevant committee meetings.
Establish the nonconformity register
Management should present the consolidated nonconformity register — covering all assurance sources — to the committee for the first time. The committee should agree with management the format, frequency, and escalation protocols for ongoing nonconformity reporting.
Brief the sustainability team
The audit committee chair should meet with the CSO and the sustainability reporting lead to establish the direct reporting relationship, agree the format and frequency of CSO presentations to the committee, and clarify the boundary between strategy (sustainability committee) and assurance integrity (audit committee).
Days 61–90: First Oversight Cycle
Receive the ICSR effectiveness assessment
Management should present the first ICSR effectiveness assessment to the committee — even if it is preliminary and identifies significant gaps. The committee should apply its controls discipline to the assessment: Are the controls described adequate? Has the assessment been independently tested, or is it management self-assessment? What are the priority remediation actions?
Hold the first private session with the assurance provider
If an external sustainability assurance engagement is in progress or recently completed, the committee chair should arrange a private session with the engagement leader to establish the direct communication relationship and receive the engagement leader's unfiltered view of management's data quality and assurance readiness.
Present the transition status to the full board
At the end of the 90-day period, the committee should present to the full board a status report on the mandate transition: what has been put in place, what the first oversight cycle has revealed, and what the committee's priorities are for the coming year. This presentation establishes the committee's accountability for the extended mandate and gives the full board visibility of the governance evolution underway.
8. The Role of Independent Assurance Providers
The quality of audit committee oversight of non-financial assurance depends significantly on the quality of the assurance providers the organisation engages. Not all sustainability assurance is equal, and the audit committee's ability to distinguish high-quality assurance from low-quality assurance is a governance skill in its own right.
8.1 What Accreditation Means
In the ISO management system certification world, accreditation is the formal mechanism by which certification bodies are verified as competent and independent. Accreditation under ISO/IEC 17021-1 — the standard setting out the requirements for bodies providing audit and certification of management systems — is granted by national accreditation bodies that are themselves subject to peer review through the International Accreditation Forum (IAF). In France, the accreditation body is COFRAC. In the United States, it is ANAB. In the United Kingdom, it is UKAS. In Singapore, it is SAC.
An audit committee should confirm that any ISO management system certification the organisation holds, or intends to obtain, is issued by an accredited certification body operating within the IAF Multilateral Recognition Arrangement (MLA). Certificates issued by unaccredited bodies have no international standing and cannot be relied upon in supply chain due diligence, regulatory submissions, or legal proceedings.
In sustainability report assurance, the equivalent quality signal is membership of, and adherence to, the relevant professional standards bodies — the IAASB for ISSA 5000 engagements, AccountAbility for AA1000AS v3 engagements — and the regulatory requirements in the relevant jurisdiction for who may provide assurance under mandatory frameworks such as CSRD.
8.2 Scope and Level of Assurance
The audit committee should understand, for each assurance engagement, the scope (what data and disclosures are covered), the boundary (which entities and operations are included), and the level (limited or reasonable assurance). These are the three dimensions that determine what the assurance conclusion actually means and how much reliance the committee can place on it.
Limited assurance is a negative-form conclusion. It means the assurance provider did not find anything that caused them to believe the information is materially misstated. It does not mean the information is correct. The testing procedures under limited assurance are substantially less extensive than those under reasonable assurance. An organisation that discloses sustainability information under mandatory frameworks while obtaining only limited assurance should be aware that this level of assurance may not satisfy regulatory requirements as those requirements evolve.
Reasonable assurance is a positive-form conclusion, analogous to the opinion issued in a financial statement audit. It requires substantially more testing, more rigorous evaluation of internal controls, and a higher evidentiary threshold. As CSRD and equivalent frameworks mature, reasonable assurance is expected to become the standard requirement for large public interest entities.
8.3 Independence and Objectivity
The independence of the sustainability assurance provider from the organisation's management is the foundation of the assurance's credibility. The audit committee should inquire about the nature and extent of any non-assurance services provided by the assurance firm to management, apply the same self-interest, familiarity, and advocacy threat analysis it applies to the financial auditor, and satisfy itself that the assurance provider's conclusion is genuinely independent.
The audit committee should also be aware of the concentration of sustainability assurance work in the Big Four accounting firms. The Big Four's scale, brand, and existing audit relationships make them the default choice for many organisations. But they are not necessarily the most technically specialised for every type of non-financial assurance, and their significant consulting relationships with the same clients they assure create independence questions that deserve careful consideration.
9. Conclusion: The Audit Committee as the Board's Assurance Anchor
The argument of this whitepaper is simple, though its implementation is not. The audit committee is the right governance body to oversee non-financial assurance. It has the independence culture, the controls discipline, the structured challenge methodology, and the accountability architecture that non-financial assurance oversight requires. No other board committee has all of these characteristics.
The case is not that sustainability strategy, ESG targets, and long-term sustainability ambition should be moved from the sustainability committee or the full board to the audit committee. These are properly strategic matters and belong in the governance spaces where strategy is discussed. The case is that the integrity of sustainability disclosures — the controls behind them, the assurance over them, the management of findings that arise from auditing them — belongs in the governance space where controls and assurance are discussed. That space is the audit committee.
The stakes are no longer theoretical. Sustainability disclosures are material to investment decisions, regulatory compliance, litigation exposure, and reputational standing. Directors who oversee an organisation that makes material sustainability disclosures without adequate internal controls, without credible external assurance, and without board-level oversight of the assurance universe that covers those disclosures are exposed. The audit committee is the mechanism for closing that exposure.
This is not easy work. It requires competence development that takes time and commitment. It requires mandate revision that requires board approval and sometimes political navigation. It requires information infrastructure that management must build and maintain. It requires a relationship between the sustainability team and the audit committee that most organisations have never established. None of this happens automatically or quickly.
But the alternative — maintaining a governance architecture designed for a world in which sustainability disclosures were immaterial, voluntary, and unassured — is no longer a defensible choice. The regulatory and legal environment has made it untenable. The audit committee's mandate must evolve. The question is not whether, but how quickly and how well.
The organisations that govern non-financial assurance most effectively will not be those that created the most elaborate sustainability committees. They will be those that brought their most rigorous governance body — the audit committee — to bear on the full assurance universe, and gave it the mandate, the competence, and the information it needed to do the job.
Speeki
Speeki is an independent ISO/IEC 17021-1 accredited certification body and sustainability assurance provider, accredited by COFRAC (France) and ANAB (United States), and operating in more than 100 countries.
We provide certification against leading ISO management system standards, including ISO 37001, ISO 37301, ISO 42001, ISO 14001, ISO 45001, ISO 27001, ISO 9001, and ISO 50001. Our assurance services cover ISSA 5000, AA1000AS v3, and ISAE 3000 (Revised), alongside carbon and GHG verification under ISO 14064-3 and the GHG Protocol.
Speeki Executive Education offers practitioner-led training for audit committee members, board directors, sustainability professionals, compliance officers, and internal auditors. Our flagship programme, Extending Audit Committees to Non-Financial Assurance (ACE01), is available as both a private cohort for individual boards and a public course. Learn more at speeki.com/executive-education.
Speeki’s AI system, Nicole, enhances assurance and certification delivery at scale, supporting 24/7 client engagement, audit planning, and continuous compliance monitoring across our global client base.
Learn more at speeki.com
Disclaimer
This whitepaper is produced for general informational and educational purposes. It does not constitute legal, regulatory, or professional advice. Organisations should obtain advice specific to their circumstances from qualified practitioners. The regulatory frameworks and standards referenced in this paper are subject to ongoing development; readers should verify current requirements with appropriate professional advisers.