Quick Read
Following the March 2026 EU directive that removed 42,000 companies from mandatory CSRD scope and capped assurance at limited level, non-financial reporting credibility can no longer rely on regulatory mandate—it must be earned through internal capability. Organizations now need a dedicated Non-Financial Audit Function that coordinates certifications, verifications, and assurance activities while testing underlying controls, rather than depending on external assurance reports alone to establish credibility. This shift places the burden of non-financial governance squarely on boards and audit committees to build and oversee robust internal audit infrastructure.
IN BRIEF
Directive (EU) 2026/470, the Omnibus I directive, entered into force on 18 March 2026. It raised the CSRD scope threshold to more than 1,000 employees and more than €450 million net turnover, removing roughly 42,000 of the 50,000 companies previously preparing to report.
The same directive confirms limited assurance as the permanent CSRD requirement and removes the legislated pathway to reasonable assurance. The strongest opinion a European reporter will ever be required to obtain is a negatively worded conclusion on a bounded scope.
ISSA 5000 is effective for assurance engagements on sustainability information reported for periods beginning on or after 15 December 2026. ISAE 3000 (Revised) and ISAE 3410 are withdrawn for sustainability engagements from that date.
A Non-Financial Audit Function is a coordinated internal capability with four artefacts: a charter, a mapped audit universe, a multi-year risk-based plan, and a single coverage report to the audit committee.
The function has four layers. Only one — independent certification, verification and assurance — can be purchased. The other three must be built.
Executive summary
For fifteen years, the argument for assuring non-financial information has rested on a regulator. Companies built sustainability reporting teams because the CSRD said they must. They engaged assurance providers because limited assurance was mandatory. The business case was written by Brussels.
On 18 March 2026, that argument stopped working. Directive (EU) 2026/470 — the Omnibus I directive — raised the CSRD scope threshold to more than 1,000 employees and more than €450 million in net turnover. Roughly 42,000 of the 50,000 companies that had been preparing for mandatory reporting fell out of scope. In the same instrument, the European legislator confirmed limited assurance as the permanent requirement and removed the pathway that would have escalated it to reasonable assurance.
Two conclusions follow, and they point in the same direction.
First: for most organisations, non-financial assurance has just become voluntary. Which means that for the first time it will be judged on whether it is actually credible, rather than on whether it was required. A voluntary assurance report is only worth what its reader believes it is worth.
Second: for the organisations still in scope, the strongest external opinion available to them is now permanently limited — a negatively phrased conclusion that nothing came to the practitioner's attention. That is a ceiling, and it has just been welded shut. Whatever credibility a company needs above that line must be manufactured somewhere other than the assurance report.
There is only one place it can be manufactured: inside the company. This paper argues that every organisation with material non-financial obligations now needs a Non-Financial Audit Function — a coordinated internal capability that maps the non-financial audit universe, sequences certification, verification and assurance against it, tests the controls that produce the data, and gives the board a single view of coverage. Not a provider. Not a report. A function.
THE ARGUMENT IN ONE SENTENCE
The regulator has left the room, the external opinion has been capped at its weakest form, and so the credibility of every non-financial number a company discloses now depends on infrastructure the company must build for itself.
The paper sets out the four failure modes of the current default, maps the audit universe, provides a hundred-day build plan, and gives audit committee chairs fifteen questions they should be asking at the next meeting.
1. The room where nobody was watching
Some years ago I sat in a meeting where a large listed company reviewed its sustainability assurance report. The engagement had gone well. Limited assurance, clean conclusion, nothing had come to the practitioner's attention. The sustainability director presented it. The audit committee noted it. It took four minutes, and it was the fourth item on a nine-item agenda.
Nobody in the room asked which of the company's sustainability disclosures had been inside the assurance scope and which had not. Nobody asked whether the practitioner had tested any controls, or only inspected documents. Nobody asked who, inside the company, was accountable for the number if it turned out to be wrong. Nobody asked what the practitioner would have flagged if the scope had been wider.
These were not negligent people. They were doing precisely what the system had been designed to have them do. Limited assurance had been obtained because limited assurance had been required. The requirement had been met. The item was closed.
A clean conclusion on a bounded scope, presented to a board that does not know where the boundary is, is not assurance. It is theatre with a footnote.
The same company's financial statements were the subject of a two-hour audit committee session, a private meeting with the external auditor with management excluded, a management letter on control deficiencies, a report from internal audit on the state of the control environment, and a formal management assertion on internal control over financial reporting. Four minutes on one side of the ledger. Half a morning on the other.
The difference was never about materiality. Some of the numbers in that sustainability report were feeding into supply contracts, credit margins and a pending acquisition. The difference was that one side of the ledger had a function behind it, and the other had a purchase order.
2. What happened in March 2026
The Corporate Sustainability Reporting Directive was, until recently, the engine of the entire non-financial assurance market. It was expected to bring around 50,000 companies into mandatory sustainability reporting, all of them requiring at least limited assurance. Whole practices were built on that number.
The Omnibus I directive dismantled it. Following the political agreement of December 2025 and formal adoption by the Council on 24 February 2026, Directive (EU) 2026/470 was published in the Official Journal on 26 February and entered into force on 18 March 2026. Member States have until 19 March 2027 to transpose it.
What actually changed
Provision | Before | After Omnibus I |
|---|---|---|
CSRD scope | Large undertakings: 250 employees and either €50m turnover or €25m balance sheet; listed SMEs included | More than 1,000 employees and more than €450m net turnover. Listed SMEs fully exempt. Around 90% of previously in-scope companies removed. |
Third-country groups | €150m EU turnover with an in-scope EU subsidiary or a branch above €40m | €450m EU turnover with an EU subsidiary meeting large-undertaking criteria, or an EU branch above €200m |
Assurance level | Limited assurance, with a legislated review of a move to reasonable assurance | Limited assurance confirmed as the permanent requirement. The escalation pathway to reasonable assurance is removed. |
Assurance standard | National standards pending an EU-wide standard by 1 October 2026 | EU-wide limited assurance standard postponed to no later than 1 July 2027, with alignment to ISSA 5000 anticipated |
Value chain | Reporters could request what they needed from suppliers | Value chain cap: undertakings below 1,000 employees have a legal right to refuse requests exceeding the VSME standard |
Sector standards | Sector-specific ESRS mandated | Removed |
Timeline | Wave 2 reporting in 2026 | Stop-the-clock delays made permanent. Wave 2 in-scope entities report for FY2027, publishing in 2028. Revised scope applies for financial years beginning on or after 1 January 2027. |
Read the middle two rows again, because they are the ones nobody is discussing.
The assurance ceiling is now permanent. Under the original CSRD architecture, limited assurance was explicitly a transitional state. The Commission was to assess a move to reasonable assurance. That assessment is gone. Limited assurance is the destination. This means that the strongest sustainability assurance opinion a European reporter will ever be required to obtain is a negative conclusion — the practitioner states that nothing has come to their attention causing them to believe the information is materially misstated. It is, structurally, the weakest useful form of assurance that exists.
The evidence boundary has moved. The value chain cap gives suppliers below 1,000 employees a legal right to refuse information requests that exceed the voluntary VSME standard. This is presented as relief for small companies. For an assurance practitioner it is something else entirely: a category of evidence that can now be lawfully withheld. The practitioner must satisfy themselves that value chain data was obtained in compliance with the cap — and must form a conclusion on a report that may rest, quite legitimately, on data that could not be corroborated at source.
Meanwhile, on 15 December 2026, ISSA 5000 becomes effective for assurance engagements on sustainability information reported for periods beginning on or after that date. ISAE 3000 (Revised) and ISAE 3410 are withdrawn for sustainability engagements. The technical rigour of the assurance profession is rising sharply at exactly the moment the legal requirement to use it is being withdrawn from most of the market.
THE PARADOX
The standards are getting better. The mandate is getting smaller. The assurance ceiling has been fixed at its lowest level. These three facts, taken together, describe a market in which the value of an external assurance report is about to become entirely dependent on what the company did before the assurance provider arrived.
3. The lesson financial audit actually teaches
The comparison between financial and non-financial assurance is made constantly, and almost always backwards. The usual version runs: financial audit is mature and trusted, non-financial assurance is immature and distrusted, therefore non-financial assurance should become more like financial audit. This is true but useless. It describes a destination without describing the road.
The road matters, because the sequence is not what people assume.
Financial audit did not become credible and then get mandated. It was mandated, and then spent ninety years becoming credible. The Securities Act of 1933 and the Securities Exchange Act of 1934 imposed independent audit on US registrants in the aftermath of a market collapse. The mandate arrived first, in a state of near-total public distrust of the profession that would carry it out. Everything that now constitutes audit credibility — mandatory professional standards, regulated independence, public oversight boards, rotation, the audit committee's direct line to the auditor, ICFR attestation under Sarbanes-Oxley in 2002 — was built afterwards, over decades, mostly in response to failures.
Audit did not earn a mandate by being credible. It was handed a mandate, and then spent a century earning the right to keep it.
Non-financial assurance is now required to do this in reverse. Its mandate is contracting, not expanding. It has no equivalent of the 1934 Act to fall back on for most of the market. It must therefore establish credibility first — before, and largely without, the coercive backing that gave financial audit ninety years of room to make its mistakes in public.
This inverted sequence has one enormous practical consequence. When credibility is conferred by statute, an organisation can outsource it: hire the auditor, obtain the opinion, and the opinion carries the weight of the law behind it. When credibility must be earned in the absence of statute, it cannot be outsourced, because there is nothing external to lean on. The company must be able to demonstrate — to a bank, an insurer, a customer, an index provider, a court — that its own systems produce numbers that can be relied on.
That is not an assurance engagement. That is a function.
4. The ceiling you cannot climb
It is worth being precise about what limited assurance is and is not, because the entire strategic problem sits inside the definition.
Limited assurance | Reasonable assurance | |
|---|---|---|
Form of the conclusion | Negative. Nothing has come to our attention. | Positive. In our opinion, the information is fairly stated. |
Work effort | Primarily enquiry and analytical procedures. Substantive testing is limited. | Risk assessment, understanding and testing of controls, substantive procedures. |
Controls | The practitioner obtains an understanding but is not required to test operating effectiveness. | Controls are understood and, where relied upon, tested. |
What the reader learns | That an experienced practitioner did not trip over anything obvious. | That the information has been tested to a level at which the practitioner will state an affirmative opinion. |
Status under CSRD after Omnibus I | Permanent requirement. The ceiling. | No longer a legislated destination. |
Both are legitimate engagements under ISSA 5000, which addresses limited and reasonable assurance and differentiates the requirements applying to each. Neither is dishonest. But they answer different questions, and only one of them answers the question a stakeholder is actually asking.
A limited assurance conclusion is a statement about the practitioner's state of knowledge. A reasonable assurance opinion is a statement about the information. Boards routinely receive the first and hear the second.

Figure 2 — Where credibility comes from, and how much of it an external opinion can supply.
The shaded region in Figure 2 is the part of the problem that Omnibus I has made permanent. Every organisation whose stakeholders need more confidence than a negative conclusion on a bounded scope can provide — which is to say, every organisation seeking sustainability-linked finance, defending a green claim, satisfying a customer's supply chain requirements, or supporting an ESG rating — must now generate that confidence from below the ceiling rather than above it.
Generating it from below the ceiling means three things: controls that are designed and tested; a coordinating function that plans and sequences independent testing across the whole obligation set; and a board that can see coverage rather than reports. Those three things are the Non-Financial Audit Function.
5. The non-financial audit universe
Financial audit has an easy scoping problem. The subject matter is a set of financial statements, prepared under a single reporting framework, produced by a general ledger. Non-financial audit has no general ledger. Its subject matter is scattered across a dozen obligation sets, each with its own standard, its own evidence base, its own attestation regime, and its own owner.
Mapping that universe is the first act of the function, and it is the act that most organisations skip. Below is a working universe for a large multinational. It is not exhaustive, and the point is not to adopt it — the point is that until an organisation has drawn its own version, it cannot know what its coverage is, which means it cannot know what its exposure is.
Domain | Typical obligation | Independent testing form | Evidence owner |
|---|---|---|---|
Sustainability report | CSRD / ESRS, IFRS S1 & S2, GRI | Assurance (ISSA 5000) | Head of sustainability reporting |
GHG inventory | GHG Protocol, ISO 14064-1, ISO 14067 | Verification (ISO/IEC 17029) | Carbon / energy manager |
Environmental management | ISO 14001 | Certification (ISO/IEC 17021-1) | EHS director |
Energy management | ISO 50001 | Certification | Operations / facilities |
Health and safety | ISO 45001 | Certification | EHS director |
Anti-bribery | ISO 37001, UKBA, FCPA | Certification | Chief compliance officer |
Compliance system | ISO 37301 | Certification | Chief compliance officer |
Whistleblowing | ISO 37002, EU Whistleblower Directive | Certification | Ethics / legal |
Information security | ISO 27001 | Certification | CISO |
AI governance | ISO/IEC 42001, EU AI Act | Certification | CISO / chief data officer |
Human rights & due diligence | CSDDD (from 2029), UNGP, national supply chain laws | Assurance / audit | General counsel |
Circularity | ISO 59020, ISO 59040 | Verification | Product / operations |
Nature & biodiversity | ISO 17298, GRI 101, ESRS E4, TNFD | Certification and verification | Sustainability |
Environmental claims | EU Green Claims regime, national consumer law | Assurance | Marketing / legal |
ESG ratings submissions | MSCI, Sustainalytics, S&P CSA methodologies | Independent review | Investor relations |
Fifteen domains. Twelve owners. At least four distinct forms of independent testing, each governed by a different accreditation regime. In most organisations these are procured separately, on different cycles, by different budget holders, reported to different committees, with no single map showing which parts of the universe were tested this year and which were last tested three years ago.
THE COVERAGE QUESTION
Ask your organisation a simple question: which non-financial obligations were subject to independent testing in the last twelve months, which were not, and who decided? If nobody can produce that map within a day, the function does not exist.
6. Four failure modes of the current default
Failure mode one: the advisory–assurance conflict
The most common way to obtain sustainability assurance is to ask the firm that helped build the sustainability programme. This is efficient. The firm already knows the data, the systems, the people. The engagement is cheaper and faster because the learning curve was paid for during the consulting phase.
It is also the arrangement that financial reporting outlawed. Sarbanes-Oxley section 201 prohibits an auditor from providing a long list of non-audit services to an audit client precisely because the profession concluded, after Enron, that a firm cannot objectively test its own recommendations. The IESBA's International Ethics Standards for Sustainability Assurance, effective on the same date as ISSA 5000, extends independence requirements into sustainability assurance. Yet the practice persists across most of the non-financial estate, and in the certification world it is why ISO/IEC 17021-1 draws a structural line between consultancy and certification that a great many providers navigate by way of legal-entity separation rather than genuine independence.
The test is not whether a firewall exists on paper. The test is whether the assurance team is capable of concluding that the advisory team's work was wrong, and whether concluding so would cost the firm money.
Failure mode two: the fragmented provider portfolio
A large group will typically hold an ISO 14001 certificate from one body, an ISO 27001 certificate from a second, GHG verification from a third, sustainability assurance from a Big Four firm, and an ESG ratings submission prepared by an agency with no independence obligations at all. Five providers. Five methodologies. Five reports. No consolidated view.
The failure here is not that any individual engagement is poor. It is that gaps between engagements are invisible by construction. Nobody is looking at the seams, because nobody has been asked to, and no single provider has the scope to see them.
Failure mode three: the evidence boundary at the value chain
This one is new, and Omnibus I created it. A reporter's Scope 3 emissions, its supplier human rights data, and much of its circularity reporting depend on information generated outside the reporting entity. The value chain cap now gives undertakings below 1,000 employees a legal right to refuse requests that exceed the VSME standard.
The assurance practitioner must consider whether value chain data was obtained in compliance with those restrictions. The consequence is that the boundary of what can be corroborated has moved inwards, at precisely the point where the most material and least reliable data sits. This does not make assurance impossible. It makes the reporter's own supplier data controls the load-bearing element of the whole disclosure — and those controls are the company's responsibility, not the practitioner's.
Failure mode four: the annual snapshot
Financial reporting is continuous. Transactions are recorded as they occur, controls operate daily, and internal audit tests them throughout the year. Non-financial data is, in most organisations, assembled once a year, by spreadsheet, in the eight weeks before the report is published, from sources that were never designed to be auditable.
An annual assurance engagement performed on an annually assembled dataset can only ever test the assembly. It cannot test the year. Whatever went wrong in March is invisible in November, because nothing recorded it in March.
You cannot audit a number into existence at the end of the year. Either the control operated in March, or the number is an estimate wearing a suit.
7. Designing the function
The Non-Financial Audit Function is not a department, a headcount request, or a provider. It is an architecture with four layers, three of which the organisation must build and only one of which it can buy.

Figure 1 — The four layers of the Non-Financial Audit Function, with their financial reporting counterparts.
Layer 1 — Internal controls over sustainability reporting
Every disclosed non-financial number should have a documented lineage from source system to published figure, a named process owner, a control that operates during the period rather than at the end of it, and evidence that the control was tested. This is the discipline that ICFR imposed on financial reporting after 2002. There is no version of credible non-financial reporting that does not eventually require it, and the Omnibus I preamble to a simplified ESRS makes this more, not less, important: fewer prescribed datapoints means more weight on materiality judgement and documentation.
Layer 2 — Independent certification, verification and assurance
This is the layer organisations buy, and it is the only one they can. It contains three distinct disciplines, governed by three distinct accreditation regimes, which are routinely conflated:
Certification of a management system against a standard such as ISO 37001, ISO 27001 or ISO/IEC 42001, performed by a body accredited under ISO/IEC 17021-1. This tests whether a system exists and operates — not whether any particular number is correct.
Verification and validation of a specific claim or statement — a GHG inventory, a circularity claim, a nature disclosure — performed by a body accredited under ISO/IEC 17029. This tests the claim.
Assurance over reported sustainability information under ISSA 5000, at a limited or reasonable level. This tests the report.
A certificate is not an assurance opinion. A verification statement is not a certificate. An organisation that holds ISO 14001 and believes it has therefore assured its ESRS E1 disclosures has confused a system with a number.
Layer 3 — The function itself
This is the layer that almost nobody has built, and it is by a wide margin the cheapest. It consists of five artefacts:
A charter. A short document, approved by the audit committee, that states what the function covers, who owns it, to whom it reports, and what authority it has to require information from the business.
A universe. The map from section 5, drawn for this organisation, listing every non-financial obligation with its owner, its testing form, and the date it was last independently tested.
A plan. A rolling three-year plan sequencing certification, verification and assurance across the universe on a risk basis, so that everything material is independently tested at least once in the cycle.
A coordination protocol. An agreed interface with internal audit and with the external financial auditor, so that non-financial controls testing is not duplicated and, more importantly, so that the connected-information requirements linking sustainability and financial disclosures are not orphaned between the two.
A single report. One paper to the audit committee, each cycle, showing coverage, findings, remediation status and next-period plan across the entire universe.
Layer 4 — Board and audit committee oversight
The output of the function is not a stack of certificates. It is one agenda item, supported by one coverage map, at which independent directors can ask what was tested, what was not, and why. Everything else is input.
The ownership rule
Layer 2 is procured. Layers 1, 3 and 4 are governed.
An organisation that has bought Layer 2 and built none of the others has purchased an opinion on a system it cannot describe, from a provider it cannot evaluate, for a board that cannot interrogate the result.
8. The first hundred days
The function does not require a budget cycle, a consulting engagement, or a new team. It requires a decision and about a hundred days of disciplined effort by people who mostly already work at the company.
Period | Action | Output and test of completion |
|---|---|---|
Days 1–15 | Appoint an owner and write the charter. | A two-page charter approved by the audit committee. The owner is named, sits outside the sustainability reporting line, and has a direct reporting line to the committee chair. Test: the owner can decline a request from the CFO. |
Days 16–40 | Draw the audit universe. | A single sheet listing every non-financial obligation, its regulatory or contractual source, its evidence owner, its testing form, its last independent test date, and its next. Test: the sheet fits on one page and nobody disputes an entry. |
Days 41–55 | Score the universe for risk. | Each domain scored on materiality of the disclosure, reliance placed on it by external parties, maturity of the underlying controls, and consequence of error. Test: the top five are not the five you assumed. |
Days 56–70 | Map current coverage against the universe. | A red / amber / green overlay. Every domain independently tested in the last twelve months is green. Test: expect more red than the executive team predicted, and expect the reds to cluster in the value chain. |
Days 71–85 | Build the three-year plan. | A sequencing of certification, verification and assurance engagements that brings every material domain into scope at least once. Test: the plan reduces the number of providers rather than increasing it. |
Days 86–95 | Agree the coordination protocol. | A one-page interface with internal audit and the external financial auditor covering scope, overlap, connected information, and information sharing. Test: the external auditor signs it. |
Days 96–100 | Report once, to one committee. | A single paper: universe, coverage, risk, plan, gaps, remediation. Test: it replaces at least three existing papers. |
Two of these steps will be uncomfortable. Day 56 to 70 is uncomfortable because the coverage map is usually the first time anybody has seen how much of the non-financial estate has never been independently tested. Day 86 to 95 is uncomfortable because the external financial auditor may resist a protocol that makes visible the connected-information territory that neither party has been treating as theirs.
Both discomforts are the point. A function that produces no uncomfortable meetings in its first hundred days is not a function.
9. What each role must do differently
If you are a chief financial officer
You already own an architecture for making numbers believable, and you have owned it for twenty years. Non-financial data is being disclosed in your annual report, under your signature, in a section that increasingly determines your cost of capital, and it is being produced by systems you have never subjected to a single one of the disciplines you apply to the general ledger.
The question to ask yourself is not whether the sustainability team is competent. It is whether you would sign a financial number produced the way your Scope 3 figure was produced. If the answer is no, the exposure is yours, not theirs.
If you are a chief sustainability officer
Your reflex, when Omnibus I landed, was probably relief followed by anxiety about relevance. Both are the wrong response. The regulatory floor fell away; the commercial demand did not. Banks still price sustainability-linked facilities. Customers still impose supply chain requirements. Insurers still ask. Ratings agencies still score. What changed is that none of these parties will now be reassured by the fact that you were required to obtain assurance, because you no longer are.
This is the moment to stop describing your programme in terms of compliance and start describing it in terms of controls. The organisations that emerge from this period with commercial advantage will be the ones that can answer, in front of a lender, the question: how do you know?
If you are the head of internal audit
The non-financial universe is either in your audit universe or it is nobody's. Most internal audit functions have taken a handful of sustainability topics into the plan opportunistically and left the rest alone, on the reasonable basis that they lack the technical competence to test a GHG inventory or a biodiversity disclosure.
The competence argument is sound for testing. It is not sound for coverage. You do not need to be able to verify a Scope 3 calculation to be able to establish that nobody has verified it, that the control owner cannot be identified, and that the data lineage is undocumented. Coverage, ownership and lineage are internal audit questions, and they are the questions that matter most.
If you chair the audit committee
You have a direct line to the external financial auditor, a private session, and a standing right to ask what they would have raised had their scope been wider. You have none of these things for non-financial assurance, and in most companies no equivalent relationship exists.
Build one. Ask to see the non-financial coverage map. Ask who decided the scope of the assurance engagement and whether the practitioner had the mandate to challenge it. Ask what the practitioner would have flagged with unlimited scope — and note carefully whether anyone in the room has ever asked before. Appendix A gives you fifteen questions to start with.
If you sit on the board
Omnibus I did not reduce your exposure. It reduced the number of people who are obliged to look at it. Directors' duties did not narrow on 18 March 2026; the reporting perimeter did. The gap between what you are required to disclose and what you may be held responsible for knowing has just widened, and the instrument that used to close it — a mandatory assurance report — has been capped at its weakest form.
The regulator's departure does not transfer the risk to the regulator. It leaves the risk exactly where it always sat, and removes the person who was checking.
10. Where Speeki fits
Speeki is an accredited certification and assurance body. It does not provide consulting services. That separation is structural rather than contractual: the independence obligations that accreditation imposes are the reason Speeki has never built an advisory practice. Speeki's accreditations are listed on speeki.com, which should be treated as the authoritative source, as their scope is periodically updated.
This matters for the argument of this paper in one specific way. Layer 2 — the independent testing layer — is the only layer an organisation can buy, and the entire value of that purchase depends on the provider being genuinely capable of reaching an adverse conclusion. A provider that also sold the organisation its programme is not so capable, whatever its engagement letter says.
Speeki's product architecture maps directly onto the layers described here. Management system certification, including certification against SPK CSMS1000:2026 through Speeki Meridian™. Verification and validation under ISO/IEC 17029 through the Speeki Lens Suite™. Sustainability assurance under ISSA 5000 through Speeki Guardian®. Independent pre-submission review of ratings responses through Speeki RatingsReady™. One coordinating provider across the universe, so that the seams between engagements are somebody's responsibility.
But the substantive claim of this paper is not a claim about providers. Layers 1, 3 and 4 are not for sale, from Speeki or anybody else. They are the work.
Conclusion: The mandate was never the point
For fifteen years, the sustainability profession asked the wrong question about assurance. The question was: what are we required to obtain? It was a reasonable question, because for fifteen years the answer determined the budget.
On 18 March 2026 the answer became, for most companies: nothing. And the profession discovered that it had built its case on a foundation that the legislature could remove in a single directive.
The question that survives is older and harder. Not what are we required to obtain, but: can we demonstrate that the things we say about ourselves are true? That question was never answered by a mandate, and it will never be answered by a negative conclusion on a bounded scope. It is answered by controls that operate, by testing that is independent, by a function that coordinates, and by a board that looks.
The organisations that build that function in the next eighteen months will do so voluntarily, at a moment when their competitors are congratulating themselves on having fallen out of scope. When a lender, a customer or a court eventually asks how they know, they will have an answer. The others will have relief, a saved fee, and a four-minute agenda item.
WHERE TO BEGIN
Not with a provider. With a single sheet of paper listing every non-financial obligation the organisation carries, who owns it, and the date it was last independently tested. Most executive teams cannot produce that sheet. Producing it is the first act of the function, and it costs nothing but the willingness to see the answer.
Appendix A: Fifteen questions for the audit committee
These are drafted to be asked out loud, in a meeting, of the executive team. They are ordered so that the first five are answerable, the second five are uncomfortable, and the last five are the ones that reveal whether a function exists.
Which of our non-financial disclosures were within the scope of an independent assurance, verification or certification engagement in the last twelve months — and which were not?
Who decided the scope of our sustainability assurance engagement, and on what basis?
Does our assurance provider have any other commercial relationship with this company, currently or in the last three years?
Are we still in scope of the CSRD following Omnibus I? If not, what are we continuing to report, and why?
For each material non-financial number we disclose, can we name the process owner and produce the data lineage?
Which of our non-financial controls were tested during the period, as opposed to at the year end?
What proportion of our Scope 3 emissions data comes from suppliers who now have a legal right to refuse our information requests under the value chain cap?
What would our assurance provider have flagged if their scope had been unlimited?
When our external financial auditor considers connected information between the sustainability statement and the financial statements, who inside the company owns that boundary?
If a material non-financial number turned out to be wrong, who would be accountable — by name?
Is there a written charter for our non-financial audit activity, approved by this committee?
Can management produce, today, a single map of our non-financial audit universe showing coverage and last test date?
How many separate providers are involved in independently testing our non-financial obligations, and who looks at the gaps between them?
What is our three-year plan for bringing every material non-financial domain into independent testing at least once?
Are we prepared to obtain reasonable assurance on any of our non-financial disclosures voluntarily — and if not, what does that tell our stakeholders?
HOW TO READ THE ANSWERS
Questions 1 and 12 are the diagnostic. If the answer to either is 'we would need to come back to you on that', then no function exists, and the remaining thirteen questions have no answers either — they simply have not been asked yet.
Appendix B: Non-financial audit universe template
Reproduce this as a single sheet. One row per obligation. If a row cannot be completed, that is the finding.
Domain | Obligation source | Testing form | Evidence owner | Last tested | Risk score |
|---|---|---|---|---|---|
Regulation, standard, contract or voluntary commitment | Certification / verification / assurance / internal audit / none | Named individual, not a department | Date, and by whom | Materiality × external reliance × control maturity × consequence | |
Example: GHG inventory | GHG Protocol; ESRS E1; sustainability-linked loan covenant | Verification (ISO/IEC 17029) | Group carbon manager | Mar 2025, third-party verifier | High — external reliance by lender |
Example: Scope 3 supplier data | ESRS E1; customer supply chain requirements | None | Unassigned | Never | High — no control, high reliance |
The second example row is the one that appears in almost every organisation that completes this exercise honestly. It is also, almost always, the largest number in the disclosure.
Questions this paper answers
What is a Non-Financial Audit Function?
A coordinated internal capability that maps the organisation's non-financial audit universe, sequences certification, verification and assurance against it on a risk basis, tests the controls that produce non-financial data, and gives the board a single view of coverage. It consists of a charter approved by the audit committee, a mapped universe, a rolling multi-year plan, a coordination protocol with internal audit and the external financial auditor, and one report per cycle. It is a function, not a provider and not a report.
What did the Omnibus I directive change?
Directive (EU) 2026/470 entered into force on 18 March 2026, with Member State transposition due by 19 March 2027. It raised the CSRD scope threshold to more than 1,000 employees and more than €450 million in net turnover, removing roughly 42,000 companies from scope and fully exempting listed SMEs. It confirmed limited assurance as the permanent requirement and removed the pathway to reasonable assurance. It removed sector-specific ESRS. And it introduced the value chain cap, giving undertakings below 1,000 employees a legal right to refuse information requests exceeding the voluntary SME standard.
Why can credibility no longer be purchased through an assurance report?
Because every prepared reporter obtains the same conclusion. Limited assurance is now the permanent CSRD requirement, expressed as a negatively worded statement that nothing came to the practitioner's attention, on a bounded scope, in an engagement where the practitioner is not required to test whether controls operated. A conclusion that everybody holds distinguishes nobody, and the escalation pathway that would have allowed a company to signal maturity by obtaining reasonable assurance has been removed.
What does financial audit actually teach about non-financial assurance?
The opposite of what is usually claimed. Financial audit did not become credible and then get mandated; it was mandated by the Securities Act of 1933 and the Securities Exchange Act of 1934, in a condition of near-total public distrust, and spent ninety years earning credibility afterwards through professional standards, regulated independence, public oversight boards, rotation and ICFR attestation. Non-financial assurance must do this in reverse: establish credibility first, with a contracting rather than expanding mandate. Credibility conferred by statute can be outsourced. Credibility earned without statute cannot.
What are the four layers of the Non-Financial Audit Function?
Layer 1 is internal controls over sustainability reporting: documented data lineage, named process owners, controls that operate during the period and are tested. Layer 2 is independent certification under ISO/IEC 17021-1, verification under ISO/IEC 17029, and assurance under ISSA 5000. Layer 3 is the coordinating function itself — charter, universe, plan, coordination protocol, single report. Layer 4 is board and audit committee oversight. Only Layer 2 can be bought.
What is the difference between certification, verification and assurance?
Certification, governed by ISO/IEC 17021-1, examines whether a management system exists and operates against a published standard. Verification and validation, governed by ISO/IEC 17029, examine whether a specific claim is supported. Assurance, governed by ISSA 5000 from 15 December 2026, examines whether reported sustainability information is materially misstated, at a limited or reasonable level. A certificate is not an assurance opinion, and a verification statement is not a certificate.
How does an organisation start building the function?
With a single sheet of paper listing every non-financial obligation the organisation carries, who owns the evidence for it, the form of independent testing that applies, and the date it was last independently tested. Most executive teams cannot produce that sheet. Producing it costs nothing but the willingness to see the answer, and the gap between the map and the executive team's prior belief about the map is the first finding the function will ever record.
References and sources
Directive (EU) 2026/470 (the Omnibus I directive), published in the Official Journal of the European Union on 26 February 2026, in force 18 March 2026. Member State transposition deadline 19 March 2027.
Council of the European Union, press release, 24 February 2026: final adoption of the simplification of sustainability reporting and due diligence requirements.
Accountancy Europe, Omnibus explained: key changes to the CSRD and CSDDD, 2026 — confirming that limited assurance remains mandatory, with an EU limited assurance standard to be adopted no later than 1 July 2027.
IAASB, International Standard on Sustainability Assurance (ISSA) 5000, General Requirements for Sustainability Assurance Engagements, issued November 2024; effective for assurance engagements on sustainability information reported for periods beginning on or after 15 December 2026, or as at a specific date on or after that date. Early application permitted.
IAASB, ISSA 5000 Frequently Asked Questions: Applicability Matters, August 2025 — confirming the withdrawal of ISAE 3000 (Revised) and ISAE 3410 for sustainability assurance engagements from the effective date of ISSA 5000.
IESBA, International Ethics Standards for Sustainability Assurance (including International Independence Standards), issued January 2025; generally effective for periods beginning on or after 15 December 2026.
Securities Act of 1933 and Securities Exchange Act of 1934 (United States) — the statutory origin of mandatory independent audit of registrants.
Sarbanes-Oxley Act of 2002, sections 201 and 404 (United States) — prohibited non-audit services, and management assertion and auditor attestation on internal control over financial reporting.
ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems.
ISO/IEC 17029:2019, Conformity assessment — General principles and requirements for validation and verification bodies.
About Speeki
Speeki is an accredited ESG assurance and certification body operating in more than 100 countries. Speeki provides management system certification, verification and validation, and sustainability assurance. Speeki does not provide consulting services. Its independence is structural.
For current details of Speeki's accreditations and their scope, please refer to speeki.com.
© 2026 Speeki. This paper is provided for general information and does not constitute legal, accounting or assurance advice.