Quick Read

This whitepaper argues that non-financial audit plans must shift from being built backwards from regulatory deadlines—a framework that collapsed when the Omnibus I directive removed compliance dates in March 2026—to being structured around stakeholder reliance and assertion dependencies instead. The paper distinguishes a genuine audit plan from superficially similar documents like reporting calendars, certification schedules, and sustainability programmes, each of which lacks the independent testing verification that defines actual audit planning. With ISSA 5000 taking effect in December 2026, organisations now face both the loss of their traditional planning anchor and heightened technical rigour requirements, making a dependency-based approach to audit planning essential rather than optional.

IN BRIEF

  • A non-financial audit plan is a multi-year, risk-based sequencing of certification, verification and assurance engagements across a mapped audit universe, approved by the audit committee.

  • It is not a reporting calendar, a list of sustainability initiatives, or a schedule of ISO surveillance visits.

  • The plan's central content is a dependency: management system certification precedes topic verification, which precedes assurance of the report. Reversing the order produces findings that describe the absence of the earlier steps.

  • Following the Omnibus I directive, most companies no longer have regulatory reporting deadlines. A plan sequenced against deadlines that no longer exist must be re-based on external reliance instead.

  • The test of a good plan is that it reduces the number of assurance providers rather than increasing it, and that it makes somebody accountable for the gaps between engagements.

Executive summary

The financial audit plan is among the best-understood governance documents in corporate life. The audit committee approves it, the external auditor executes it, internal audit runs a parallel risk-based plan across the control environment, and the two are reconciled. Nobody argues about whether the plan should exist.

The non-financial equivalent does not exist in most organisations, and where something bearing the name does exist it is usually one of three other documents wearing the title: a reporting calendar showing when the sustainability report is published; a schedule of ISO surveillance audits, driven by certificate expiry dates rather than risk; or a list of sustainability programme initiatives with no independent testing in it at all.

WHAT THE PLAN ACTUALLY IS

A multi-year, risk-based sequencing of independent testing across a mapped audit universe, in which every material non-financial obligation is examined at least once per cycle, in an order determined by dependency rather than by convenience.

Two things have changed that make this urgent rather than tidy. The first is that the Omnibus I directive removed the regulatory deadline that most assurance plans were built backwards from. The second is that ISSA 5000 takes effect for periods beginning on or after 15 December 2026, raising the technical rigour of the assurance engagement at exactly the moment the obligation to obtain it is being withdrawn from most of the market.

A plan built from deadlines has just lost its organising principle. This paper sets out what replaces it.

1. What the plan is not

  • Not a reporting calendar. A calendar records when documents are published. A plan records when assertions are independently tested. The two share almost no dates, because testing that happens after publication is not testing.

  • Not the certification schedule. Surveillance visits are timed by certificate cycles, which are timed by the date the certificate was first issued, which is an accident of when a customer first demanded it. That is not risk-based sequencing; it is sequencing by historical accident.

  • Not the sustainability programme. A programme lists things the organisation intends to do. A plan lists things somebody independent will examine. The distinction matters most where the programme is ambitious and the examination is absent.

  • Not a procurement schedule. If the plan can be executed by placing purchase orders, it has no coordinating content, and coordination is the only thing the plan adds that the individual engagements do not already contain.

2. The dependency is the plan

Diagram showing the sequential relationship: certification, then verification, then assurance, with a note that reversing thi

Figure 1 — Certification precedes verification precedes assurance. Reversing the order costs a cycle.

The single most common and most expensive failure in non-financial assurance programmes is sequencing. An organisation facing a reporting deadline commissions assurance over its sustainability statement. The practitioner arrives, obtains an understanding of the entity's processes as ISSA 5000 requires, and reports that the materiality determination is undocumented, that the GHG inventory has never been verified, and that internal controls over sustainability reporting cannot be evidenced as having operated.

None of that is a surprise to anyone. It is simply the first time it has been written down by somebody independent. The organisation has paid an assurance fee to be told what it already knew, and it must now do the certification and verification work anyway — a cycle later than it should have.

Why the order is not a preference

  1. Certification establishes the control environment that assurance must understand. Under ISSA 5000 the practitioner obtains an understanding of internal control relevant to the preparation of the sustainability information. Where a management system has been certified against a published standard by an accredited body, that understanding is available from documentation that already exists, examined by a third party, covering a period rather than a moment.

  2. Verification establishes the quantities that assurance opines upon. An assurance conclusion over a statement containing an unverified GHG inventory is a conclusion resting on an untested number. In a limited engagement the practitioner is not required to test the controls that produced it, so nobody will.

  3. Certification and verification operate during the period; assurance operates after it. This is the operative reason. Surveillance activity during the certification cycle finds failures in March, when they can be corrected. An assurance engagement finds them in November, when they can only be disclosed.

Assurance is the last thing you buy, not the first. Everything that determines its outcome has already happened by the time the practitioner arrives.

3. Scoping: four questions per domain

The plan is constructed over the audit universe. For each domain in the universe, four questions determine its place in the sequence.

Question

What it establishes

How to answer it badly

What form of independent testing applies?

Certification under ISO/IEC 17021-1, verification under ISO/IEC 17029, assurance under ISSA 5000, internal audit, or none

Name a provider instead of a standard. "Audited by a Big Four firm" describes who came, not what was concluded.

What does it depend on?

Whether a management system must be certified, or a quantity verified, before this domain can be meaningfully examined

Assume independence between domains. The GHG verification depends on the site list; the site list depends on the system.

Who relies on it externally, and when?

The date by which the testing must be complete — set by a lender's covenant test, a customer's audit, an index submission window, not by a regulator

Use the regulatory deadline. For most companies it no longer exists.

What is its risk score?

Priority within the cycle, from materiality, external reliance, consequence of error and control immaturity

Let the domain owner score it. Nobody rates their own control environment as immature.

The third question is the one that changed

Before 18 March 2026, the answer to "when must this be done?" was almost always a regulatory date. The CSRD required limited assurance; the assurance had to be complete before the management report was published; the plan worked backwards from there.

The Omnibus I directive raised the CSRD scope threshold to more than 1,000 employees and more than €450 million in net turnover, removing roughly 42,000 companies from scope, and confirmed limited assurance as the permanent requirement rather than a step toward reasonable assurance. For most organisations there is now no regulatory date at all, and for those still in scope the date has moved.

Re-basing the plan on reliance

Replace "when is it required?" with "who relies on this assertion, and when do they act on it?"

A sustainability-linked loan tests its KPI on a covenant date. A strategic customer audits suppliers on a procurement cycle. An index provider closes its submission window. An insurer renews. An acquirer diligences.

These dates are in contracts and calendars, not in directives. They did not move on 18 March 2026, and they will not move when the next directive is amended.

4. A three-year cycle

Every material domain independently tested at least once per cycle; the highest-scoring domains annually; the dependency respected throughout.

Year 1

Year 2

Year 3

Foundation

Certify the management system. Establish obligations register, materiality governance, ICSR.

Surveillance. Extend ICSR to the next tier of material topics.

Recertification. Effectiveness review.

Verification

GHG inventory (ISO 14064-1). The highest-scoring domain.

Circularity (ISO 59020). Product footprints where claims are made (ISO 14067).

Nature claims. Product circularity data sheets where claims are made.

Assurance

Limited assurance over the sustainability statement, on a verified GHG base.

Limited assurance. Consider voluntary reasonable assurance on one or two priced metrics.

Limited assurance, plus voluntary reasonable assurance on the covenant metric.

Coverage

Highest-risk third of the universe

Middle third, plus repeat of the highest-risk

Remaining third. Full universe now tested once.

Coordination

Agree the protocol with internal audit and the financial auditor.

Reconcile ratings submission to the assured statement.

Reconcile all environmental boundaries. Close the seams.

TWO TESTS OF A GOOD PLAN

First: it reduces the number of independent providers rather than increasing it, because the seams between providers are where the failures live. Second: at least one line item in it will produce a finding the executive team will not enjoy reading. A plan that cannot embarrass anybody is a schedule.

5. Independence governance is a plan matter

The audit committee's most important act in approving the plan is not approving the schedule. It is confirming, for each engagement in it, that the provider has no advisory relationship with the organisation in respect of the subject matter being examined.

This has to happen at plan approval, because by the time the engagement is under way the conflict is a sunk cost and the committee's practical options are to accept it or to lose a cycle. Confirmation should be in writing, from the provider, covering the current and three preceding years, addressing the entity and its affiliates.

From 15 December 2026, the IESBA's International Ethics Standards for Sustainability Assurance take effect on the same date as ISSA 5000, extending independence requirements into sustainability assurance engagements. ISO/IEC 17021-1 already requires impartiality of certification bodies and constrains the provision of management system consultancy. The standards exist. Whether they are applied at the point of appointment is a matter for the committee, and it is the plan approval meeting at which that happens or does not.

An independence question asked after the engagement letter is signed is not a governance control. It is a request for reassurance.

6. A template plan structure

Six sections. It should run to fewer than ten pages, and if it runs to more it has become a project document.

  1. Charter reference and authority. What the function covers, who owns it, to whom it reports, and its authority to require information from the business. One paragraph, referencing the approved charter.

  2. The audit universe and its risk scoring. One page. Every material non-financial obligation, its evidence owner, its testing form, its last-tested date, its score.

  3. The three-year sequence. Which domains are examined in which year, in which order, and by what form of testing. The dependency from section 2 is visible on the page.

  4. Reliance dates. For each domain, the external date driving it: covenant test, customer audit, index submission window, insurance renewal. Not regulatory deadlines, unless the entity remains in CSRD scope.

  5. Provider list and independence status. Every provider, its accreditation, its scope, and a written confirmation of no advisory relationship covering the current and three preceding years.

  6. Coordination protocol. The agreed interface with internal audit and the external financial auditor, covering scope, overlap, connected information and information sharing. One page, signed by all three.

WHAT IS DELIBERATELY ABSENT FROM THE TEMPLATE

A budget. The plan is approved on the basis of coverage and dependency, and then costed. Plans that begin with a budget are sequenced by affordability, and affordability is not correlated with risk.

7. The plan after Omnibus I, for the two populations

Still in CSRD scope

Out of scope

Organising date

The management report publication date, still. Limited assurance is a permanent requirement.

Contractual and commercial dates. Covenant tests, customer audits, index windows, renewals.

Assurance destination

Limited, permanently. The escalation pathway to reasonable assurance has been removed.

Voluntary. Which makes it evidence of confidence rather than evidence of compliance.

What the plan must prioritise

Evidencing the double materiality determination; registering protected undertakings in the value chain; controls that operate during the period

Determining which assertions still carry external reliance, and testing only those. The universe shrinks; it does not disappear.

The temptation

Collect the full ESRS datapoint set. The amended ESRS cut datapoints substantially; over-collection against an obsolete list is now a common error.

Stop entirely. Available only to organisations that can name every party relying on their disclosures, and find none.

Both columns lead to the same instruction, which is the instruction this series keeps arriving at from different directions. Test the assertions somebody outside the organisation is acting upon, in an order determined by what has to exist before the testing means anything, and make one person accountable for the parts nobody tested.

Questions this paper answers

What is a non-financial audit plan?

A multi-year, risk-based sequencing of independent testing across a mapped non-financial audit universe, approved by the audit committee, in which every material non-financial obligation is examined at least once per cycle. It specifies which domains are examined in which year, by which form of testing — certification, verification, assurance or internal audit — and in what order, with the order determined by dependency.

Why must certification precede assurance?

Three reasons. Certification establishes the control environment that an ISSA 5000 practitioner is required to understand, and does so through documentation examined by an accredited third party across a period rather than a moment. Verification establishes the quantities the assurance conclusion rests upon, which in a limited engagement the practitioner is not required to test. And certification and verification operate during the reporting period, so failures are found in March when they can be corrected, rather than in November when they can only be disclosed.

What happens if assurance is commissioned first?

The practitioner obtains an understanding of the entity's processes, as required, and reports that the materiality determination is undocumented, the greenhouse gas inventory unverified, and the internal controls over sustainability reporting unevidenced. The organisation pays an assurance fee to be told what it already knew, and must then perform the certification and verification work a cycle later than it should have.

How should a plan be sequenced now that most companies have no CSRD deadline?

By external reliance rather than by regulatory date. The Omnibus I directive removed roughly 42,000 companies from CSRD scope. For those companies the organising dates are contractual and commercial: a sustainability-linked loan covenant test, a strategic customer's supplier audit cycle, an index provider's submission window, an insurance renewal, an acquirer's diligence. These dates sit in contracts and calendars rather than in directives, and they did not move on 18 March 2026.

What is the difference between an audit plan and a certification schedule?

A certification schedule is timed by certificate expiry, which is timed by the date a certificate was first issued, which is usually an accident of when a customer first demanded it. An audit plan is timed by risk and dependency. A schedule tells you when providers are arriving; it says nothing about the obligations for which no provider will ever arrive.

When should independence be confirmed?

At plan approval, before any engagement letter is signed. Confirmation should be in writing from the provider, covering the current and three preceding years, addressing the entity and its affiliates. From 15 December 2026 the IESBA's International Ethics Standards for Sustainability Assurance take effect on the same date as ISSA 5000, and ISO/IEC 17021-1 already requires impartiality of certification bodies. An independence question asked after the engagement letter is signed is a request for reassurance rather than a control.

How can an audit committee tell whether a plan is any good?

Two tests. It should reduce the number of independent providers rather than increase it, because the seams between providers are where failures live and no provider's scope includes the seams. And at least one line item in it should produce a finding the executive team will not enjoy reading. A plan that cannot embarrass anybody is a schedule.

References and sources

  • Directive (EU) 2026/470 (the Omnibus I directive), in force 18 March 2026; Member State transposition deadline 19 March 2027. Narrows CSRD scope, confirms limited assurance as the permanent requirement, and removes the escalation pathway to reasonable assurance.

  • IAASB, ISSA 5000, General Requirements for Sustainability Assurance Engagements, issued November 2024; effective for periods beginning on or after 15 December 2026.

  • IESBA, International Ethics Standards for Sustainability Assurance (including International Independence Standards), issued January 2025; generally effective from 15 December 2026.

  • ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems, including impartiality requirements and constraints on management system consultancy.

  • ISO/IEC 17029:2019, Conformity assessment — General principles and requirements for validation and verification bodies.

  • Speeki, The Non-Financial Audit Function (Series 1, Paper 01), The Non-Financial Audit Universe (Series 1, Paper 03), and The System Beneath the Opinion (Series 3, Paper 12), July 2026.

About Speeki

Speeki is an accredited ESG assurance and certification body operating in more than 100 countries. Speeki provides management system certification, verification and validation, and sustainability assurance. Speeki does not provide consulting services. Its independence is structural.

For current details of Speeki's accreditations and their scope, please refer to speeki.com.

© 2026 Speeki. This paper is provided for general information and does not constitute legal, accounting or assurance advice.