Quick Read
This whitepaper argues that non-financial information has become material to credit pricing, contracts, and regulatory compliance, yet most organisations lack the internal infrastructure to make it credible—instead purchasing disconnected assurance engagements that leave critical decisions unowned between scopes. Integration across four architectural layers closes these gaps by establishing a single evidence base, consolidation methodology, and coverage map that allows boards to answer stakeholder questions about data ownership and materiality determinations without external consultation. The paper identifies the absence of a unified coverage map as the diagnostic for whether an organisation has genuinely integrated its non-financial programme.
IN BRIEF
The non-financial audit architecture has four layers: internal controls and the management system; independent testing; the coordinating function; and board oversight. An organisation buys one of them and must build three.
Failures concentrate not inside engagements but at the seams between them: the reporting boundary, the site list, the value chain scope, the reporting period, and the join between the sustainability statement and the financial statements.
The Omnibus I directive removed the CSRD obligation from roughly 42,000 companies and permanently capped mandatory assurance at the limited level, so credibility can no longer be purchased through the assurance conclusion.
Integration produces one evidence base, one coverage map, one independence test, and one accountable person — not a lower cost.
The test of an integrated programme is whether any executive can answer, on the day the question is asked, how the organisation knows a disclosed non-financial figure is correct.
Executive summary
This programme of papers has argued, from a dozen different directions, for a single proposition. It is worth stating once, plainly, at the end.
Non-financial information has become consequential — it prices credit, wins and loses contracts, determines index inclusion, attracts enforcement, and appears in the same document as audited financial statements — while the infrastructure that would make it believable was never built. The regulator has now stepped back from most of the market, and has permanently fixed the strongest opinion it will ever require at the weakest useful form. Credibility can no longer be purchased. It has to be constructed, internally, by an organisation that decides to.
THE QUESTION THE PROGRAMME EXISTS TO ANSWER
Somebody outside your organisation — a lender, a customer, a regulator, an acquirer, a court — asks how you know that a disclosed non-financial figure is correct. Can any executive in the room answer, on the day, without leaving it? In most large organisations the answer is no, and nobody has ever been asked.
This paper sets out the architecture, the seams where it fails, what integration actually delivers, and the diagnostic that determines whether an organisation has any of it.
1. The architecture

Figure 1 — Every paper in this programme describes one of these four layers, or a seam between two of them.
Layer | What it is | Who owns it | Can it be bought? |
|---|---|---|---|
4 — Oversight | One agenda item, one coverage map, a private session with the people who examined the evidence | The audit committee | No |
3 — Coordination | Charter, universe, plan, independence testing, accountability for the space between engagements | A named individual in the Non-Financial Audit Function | No |
2 — Independent testing | Certification under ISO/IEC 17021-1, verification under ISO/IEC 17029, assurance under ISSA 5000 | Accredited external providers | Yes — and only this |
1 — Controls and system | The management system that operates all year, data lineage, evidence that persists | Named process owners | No |
Most organisations have bought Layer 2 and built almost none of Layers 1, 3 and 4. This produces the characteristic condition of the non-financial estate: an opinion, on a system nobody can describe, from a provider nobody evaluated, for a board that cannot interrogate the result.
The layer you can buy is the only one that cannot substitute for the layers you cannot.
2. The seams
Each engagement in Layer 2 is competently performed within its scope. The failures live between scopes, in decisions that two engagements both depend upon and neither owns.
The seam | Who depends on it | Who is engaged to reconcile it |
|---|---|---|
The consolidation boundary | The financial statements consolidate on control; the GHG inventory on operational control or equity share; circularity on metered sites; nature on significant-impact sites | Nobody |
The site list | Every environmental disclosure rests on a list of places, constructed by three providers from three source systems | Nobody |
The value chain scope | Carbon, circularity and nature all reach into the supply chain; all are constrained by the same value chain cap; none reaches the same distance | Nobody |
The reporting period | Carbon inventories cover a financial year. Ecological surveys are seasonal. Both are presented as describing the same year. | Nobody |
Connected information | The sustainability statement sits inside the management report. The same climate assumption prices an impairment model and publishes a transition plan. | Nobody |
The ratings submission | Prepared by investor relations, describing the same organisation as the assured sustainability statement, in the same year, using different definitions | Nobody |
Why the seams are worse than errors
An error inside an engagement is found by the provider and corrected before publication.
An inconsistency between engagements is found by nobody, because no provider's scope includes the others.
It is then found by the assurance practitioner in the weeks before publication, when nothing can be changed except the disclosure — or afterwards, by a regulator, a competitor, or an NGO reading two of your disclosures side by side.
3. What integration delivers
Not a discount. Integrated procurement is frequently cheaper, and that is the least interesting thing about it.
One evidence base. One site list, one consolidation approach, one value chain scope, one reporting period, one repository from which the financial auditor and the assurance practitioner both draw. The seams close during the engagement rather than after publication.
One coverage map. A single page showing which non-financial obligations were independently tested in the period, which were not, and who decided. This is the artefact the audit committee cannot currently obtain, and its absence is the diagnostic for whether a function exists.
One independence test, applied before appointment. Every provider, every year, in writing, covering the current and three preceding years: what an adverse finding would cost them. Applied at plan approval, not after the engagement letter.
One accountable person. Somebody whose scope is defined as the space between the others, who can be asked what was not examined, and who reports to the audit committee rather than through the people whose data is being tested.
THE INTEGRATION DIVIDEND, STATED EXACTLY
It is not cost. It is that the question — how do you know? — can be answered by somebody in the room, on the day, from a document that already exists.
4. The diagnostic
Six questions. They take twenty minutes and they will not be answered.
Produce, today, a single page listing every non-financial obligation this organisation carries, its named evidence owner, the form of independent testing that applies, and the date it was last tested.
Name the individual who is accountable if a material non-financial figure turns out to be wrong.
State the consolidation boundary used for the financial statements, the greenhouse gas inventory, the circularity disclosure and the nature disclosure, and explain any differences.
Produce the minute of the double materiality determination, showing what was considered, what was rejected, on what evidence, and who approved it.
Reconcile the last ESG ratings submission to the assured sustainability statement on emissions, incidents and board oversight frequency.
State what the assurance provider would have raised had their scope been unlimited.
An organisation that can answer all six has an integrated non-financial programme, whatever it calls it. An organisation that can answer none has purchased assurance and built nothing, which is the ordinary condition and is no longer a defensible one.
The gap between what an executive team believes about its non-financial controls and what the coverage map shows is the finding. It is never as visible as on the day the map is first drawn.
5. The argument of the whole programme
Twelve papers, one claim, arrived at from twelve directions.
Paper | Subject | The proposition it establishes |
|---|---|---|
01 | The Non-Financial Audit Function | The regulator has left and the assurance conclusion is capped, so credibility must be built internally |
02 | The audit plan | A plan sequenced against deadlines dies when the deadlines do. Sequence it against reliance. |
03 | The audit universe | There is no general ledger for non-financial information, so completeness must be constructed by hand |
04 | Independence | Independence is an incentive, not an organogram. Ask what an adverse finding would cost. |
05 | The audit committee agenda | Nobody has ever held a private session with the party that examined the evidence |
06 | Connected information | Wherever a limited-assurance number determines a reasonable-assurance number, the stronger opinion is only as good as the weaker one |
07 & 10 | What assurance requires | The engagement examines the process that decided what to report, and that process cannot be reconstructed |
08 | Scope 3 | The largest number in the inventory is now partly, and lawfully, unverifiable at source |
09 | Scope after Omnibus | Reporting became a choice, and a voluntary claim is judged on the system behind it |
11 | Reasonable assurance | An opinion nobody requires says more than one everybody must obtain |
12, 13, 17 | The system | When the conclusion is uniform, the certified system beneath it is the only differentiator |
15, 16, 18 | Claims and seams | Verification became a defence rather than a gate, and the failures live between engagements |
19, 20, 21 | Ratings | The output is regulated; the input is not; and only a party with nothing to sell you can examine it |
Read the right-hand column downward. Every proposition is a restatement of the same fact in a different register: that the credibility of a non-financial assertion is determined by what the organisation did before anybody arrived to examine it, and that no examination, however rigorous, can supply what the organisation did not build.
6. Where Speeki fits, and where it does not
Speeki is an accredited certification and assurance body. It does not provide consulting services. Its product architecture maps onto Layer 2 and onto Layer 2 alone: certification against SPK CSMS1000:2026 through Speeki Meridian™; verification under ISO/IEC 17029 through the Speeki Lens Suite™; assurance under ISSA 5000 through Speeki Guardian®; independent pre-submission review through Speeki RatingsReady™. Details of Speeki's accreditations and their scope are published at speeki.com.
Coordinating those engagements under one provider makes the seams somebody's responsibility, which is the substantive commercial argument of this programme and the only one Speeki is entitled to make.
Layers 1, 3 and 4 are not for sale. Not from Speeki, and not from anybody who tells you otherwise. The charter, the universe, the plan, the controls, the accountable person and the audit committee's willingness to ask an uncomfortable question in a room without management — these constitute the work, and the organisation does the work or it does not.
THE LAST WORD
The organisations that build this in the next eighteen months will do so voluntarily, at a moment when their competitors are congratulating themselves on having fallen out of scope. When somebody eventually asks how they know, they will have an answer. The others will have relief, a saved fee, and a four-minute agenda item.
Questions this paper answers
What is an integrated non-financial programme?
A four-layer architecture: internal controls and the management system that operate throughout the period; independent testing through certification, verification and assurance; a coordinating function holding a charter, an audit universe, a plan and accountability for the space between engagements; and board oversight exercised through one coverage map and one agenda item. An organisation can purchase the second layer. It must build the other three.
What is the integration dividend?
Not cost. One evidence base — a single site list, consolidation approach, value chain scope and reporting period, from which the financial auditor and the assurance practitioner both draw. One coverage map. One independence test applied to every provider before appointment. And one accountable person whose scope is defined as the space between the others. The dividend is that the question 'how do you know?' can be answered by somebody in the room, on the day, from a document that already exists.
Where do non-financial assurance programmes actually fail?
Not inside engagements, which are generally competently performed within their scopes, but at the seams between them. The consolidation boundary, the site list, the value chain scope, the reporting period, the join between the sustainability statement and the financial statements, and the relationship between the ratings submission and the assured statement. Each is a decision that two engagements depend upon and neither owns, and no provider is engaged to reconcile them.
Why can credibility no longer be purchased?
Because the Omnibus I directive removed the CSRD obligation from roughly 42,000 companies and confirmed limited assurance as the permanent requirement for those remaining, removing the escalation pathway to reasonable assurance. Every prepared reporter therefore obtains an identical conclusion, expressed negatively, on a bounded scope, without controls testing. A conclusion everyone holds distinguishes nobody, and what remains is the independently evidenced quality of the system that produced the information.
What six questions diagnose whether an integrated programme exists?
Produce a single page listing every non-financial obligation, its evidence owner, its testing form and its last-tested date. Name the individual accountable if a material figure is wrong. State the consolidation boundary used for the financial statements, the GHG inventory, the circularity disclosure and the nature disclosure, and explain the differences. Produce the minute of the double materiality determination. Reconcile the last ratings submission to the assured statement. And state what the assurance provider would have raised with unlimited scope.
Which parts of a non-financial programme can be bought?
Only independent testing: certification under ISO/IEC 17021-1, verification under ISO/IEC 17029, and assurance under ISSA 5000. The management system and its controls, the coordinating function with its charter and universe and plan, and the board oversight that reads the coverage map — none of these is for sale from any provider. An organisation that has bought the testing layer and built none of the others has purchased an opinion on a system it cannot describe, for a board that cannot interrogate the result.
What is the single test of an integrated programme?
Whether any executive can answer, on the day the question is asked and without leaving the room, how the organisation knows that a disclosed non-financial figure is correct. In most large organisations somebody must leave to find out, and returns with a document rather than an answer.
References and sources
Directive (EU) 2026/470 (the Omnibus I directive), in force 18 March 2026 — narrowing CSRD scope, confirming limited assurance as the permanent requirement, removing the escalation pathway to reasonable assurance, and introducing the value chain cap.
IAASB, ISSA 5000, General Requirements for Sustainability Assurance Engagements; effective for periods beginning on or after 15 December 2026.
IESBA, International Ethics Standards for Sustainability Assurance (including International Independence Standards), issued January 2025; generally effective from 15 December 2026.
Regulation (EU) 2024/3005 on the transparency and integrity of ESG rating activities; date of application 2 July 2026.
Directive (EU) 2024/825, Empowering Consumers for the Green Transition; applicable from 27 September 2026.
ISO/IEC 17021-1:2015 and ISO/IEC 17029:2019 — the accreditation standards for certification bodies and for validation and verification bodies.
ISO 17298:2025, Biodiversity — Requirements and guidelines; GRI 101: Biodiversity 2024, effective 1 January 2026.
SPK CSMS1000:2026, Corporate Sustainability Management System — Requirements. Speeki.
Speeki Whitepaper Programme, Papers 01 to 21, July 2026.
About Speeki
Speeki is an accredited ESG assurance and certification body operating in more than 100 countries. Speeki provides management system certification, verification and validation, and sustainability assurance. Speeki does not provide consulting services. Its independence is structural.
For current details of Speeki's accreditations and their scope, please refer to speeki.com.
© 2026 Speeki. This paper is provided for general information and does not constitute legal, accounting or assurance advice.