Quick Read

This whitepaper outlines a method for constructing a non-financial audit universe—the foundational map of what an organization is actually accountable for across sustainability, certification, GHG verification, human rights, and other non-financial obligations. Unlike financial audit, which inherits its scope from the general ledger, non-financial audit has no single source of truth and requires deliberate construction across multiple departments and systems before any assurance provider is engaged. The paper provides five construction rules, a six-column template, a risk-scoring model, and identifies four domains where accredited testing regimes do not yet exist.

IN BRIEF

  • A non-financial audit universe is a documented list of every non-financial obligation an organisation carries, its evidence owner, the form of independent testing that applies to it, and the date it was last tested.

  • Financial audit does not require this exercise because the general ledger defines its scope by construction. Non-financial reporting has no equivalent, so the universe must be built manually.

  • Independent testing of non-financial obligations is governed by at least three separate accreditation regimes: ISO/IEC 17021-1 for management system certification, ISO/IEC 17029 for validation and verification, and ISSA 5000 for sustainability assurance.

  • At least four significant domains — value chain and Scope 3 data, human rights due diligence, forward-looking transition plans, and ESG ratings submissions — have no accredited independent testing regime covering them.

  • The universe is not a list of what an organisation reports. It is a list of what the organisation is accountable for, whether or not it is reported.

Executive summary

Ask a head of internal audit for the audit universe and you will be handed a document within the hour. It will list processes, entities, systems and risks; it will show when each was last audited; it will show the coverage cycle. The document exists because the profession decided, decades ago, that you cannot plan assurance without first defining the thing being assured.

Ask the same organisation for its non-financial audit universe and, in most cases, nothing will be produced. Not because the obligations do not exist — they exist in abundance, across sustainability reporting, management system certification, GHG verification, human rights due diligence, environmental claims and ratings disclosure — but because no one has been asked to enumerate them, and because the individual obligations are owned by twelve different people who have never sat in the same room.

This paper argues that constructing the universe is the first and most consequential act of the Non-Financial Audit Function, and that the act of construction is itself a control. It is the moment at which an organisation discovers the difference between what it reports and what it is accountable for.

THE DISTINCTION THAT MATTERS

A reporting boundary is drawn by a framework. An accountability boundary is drawn by regulators, courts, lenders, customers and insurers. They are not the same boundary, and after Omnibus I they are further apart than they have ever been.

What follows is a method: five construction rules, a six-column template, a defensible risk-scoring model, a coverage heatmap, and an honest account of the four domains where the accreditation architecture simply runs out.

1. There is no ledger

Financial audit solved its scoping problem in the nineteenth century by accident. Double-entry bookkeeping requires that every economic event be recorded once, in one place, in a system that will not balance if anything is omitted. The general ledger is therefore not merely a record of transactions; it is a completeness control. An auditor who tests the ledger has, by construction, tested the population.

Nothing in non-financial reporting works like this.

A company's Scope 1 emissions live in a fuel purchasing system and a set of meter readings. Its Scope 3 emissions live in supplier spreadsheets, industry averages and spend-based estimates. Its human rights due diligence lives in a procurement platform and a set of audit reports commissioned by a different department. Its whistleblowing data lives in a case management system that legal will not let anyone else see. Its environmental claims live on packaging, approved by marketing, reviewed by nobody. There is no system that would fail to balance if one of these were omitted.

The absence of a ledger is not a data problem. It is a completeness problem — and completeness is the assertion that non-financial reporting is least equipped to support.

This has a direct consequence for assurance. When an ISSA 5000 practitioner considers the risk of material misstatement, they must consider the risk that a material sustainability matter has been omitted entirely — not merely that a disclosed number is wrong. In financial audit, omission risk is contained by the ledger. In sustainability assurance, it is contained by nothing except the quality of the organisation's own materiality process and the completeness of its own map of obligations.

If that map does not exist, the practitioner is being asked to opine on the completeness of a population that the entity has never defined.

Diagram contrasting financial audit's inherited universe against non-financial audit's need to construct its own accountabili

Figure 1 — Financial audit inherits its universe. Non-financial audit must construct one.

2. What a universe is, and what it is not

Term

Definition

Non-financial audit universe

The complete, documented set of non-financial obligations an organisation carries, each with a named evidence owner, an applicable form of independent testing, a last-tested date, and a risk score.

Obligation

Any requirement to make, hold or substantiate a non-financial assertion. Its source may be regulation, a management system standard, a contract, a lending covenant, a customer requirement, or a public voluntary commitment.

Evidence owner

The named individual — not the department — who can produce, on request, the source data and the control evidence for a given obligation.

Testing form

The applicable regime of independent examination: certification under ISO/IEC 17021-1, validation or verification under ISO/IEC 17029, assurance under ISSA 5000, internal audit, or none.

Coverage

The proportion of the universe, weighted by risk score, that has been subject to independent testing within the current cycle.

Three things the universe is not, each of which is a common and expensive substitution:

  • It is not the list of ESRS datapoints. A datapoint list is an output of a materiality assessment under one framework. The universe is an input to the materiality assessment, and it spans obligations that no reporting framework touches — a lending covenant, an ISO certificate, a claim on a package.

  • It is not the risk register. A risk register catalogues things that might happen. The universe catalogues assertions the organisation has already made, or is already required to be able to make. Risk registers are prospective. Universes are evidentiary.

  • It is not the certification schedule. A schedule of ISO surveillance audits tells you when providers are arriving. It tells you nothing about the obligations for which no provider will ever arrive — which, as section 6 shows, is where the exposure concentrates.

3. Five rules for constructing the universe

Rule 1 — Start from accountability, not from reporting

The instinctive starting point is the sustainability report, because it is the artefact everyone can see. It is the wrong starting point, because it has already been filtered through a materiality assessment that the universe is supposed to inform.

Start instead with the question: what has this organisation asserted, or committed to be able to assert, about its non-financial performance? That question captures the report, but it also captures the net-zero commitment made in a press release four years ago, the ISO 37001 certificate the sales team cites in tenders, the human rights clause in the top ten customer contracts, and the sustainability-linked margin ratchet in the revolving credit facility. None of these are in the ESRS datapoint list. All of them are enforceable.

Rule 2 — One obligation, one named owner

Departments cannot own evidence. Individuals can. If the evidence owner column contains "Sustainability" or "Group EHS", the exercise has not been done. The test is whether a named person can, within twenty-four hours and without escalation, produce the source data and the control evidence for the obligation. Where no such person exists, the correct entry is "unassigned", and unassigned is a finding, not a gap to be tidied up before the board sees the sheet.

Rule 3 — Record the last-tested date honestly, including "never"

The single most useful column in the universe is the one that most organisations soften. The temptation is to record that a domain was "covered" by a broader engagement — that Scope 3 was "in scope" of the assurance engagement, for instance, because the sustainability statement containing it received a limited assurance conclusion.

It was in scope. It was not tested. Under a limited assurance engagement the practitioner is required to obtain an understanding of the entity and its processes, but is not required to test the operating effectiveness of controls. A limited conclusion over a statement containing a Scope 3 figure is not a test of the Scope 3 figure, and recording it as one destroys the value of the map.

Rule 4 — Name the accreditation regime, not the provider

The column records the form of independent testing that applies, governed by its accreditation standard: ISO/IEC 17021-1 for management system certification, ISO/IEC 17029 for validation and verification, ISSA 5000 for sustainability assurance. This matters because the three regimes answer different questions and confer different credibility. A certificate says a system exists and operates. A verification statement says a specific claim is supported. An assurance conclusion says a report is not materially misstated, to a specified level.

Recording "audited by a Big Four firm" tells you who came. It does not tell you what they concluded, at what level, under what standard, subject to whose oversight.

Rule 5 — Include the domains with no regime

The instinct of every mapping exercise is to omit the rows that cannot be filled in. The instinct is precisely wrong. A row reading "human rights due diligence / no accredited testing regime / unassigned / never tested" is the most valuable line on the sheet, because it is the only place where the map does what maps are for: showing you the territory you have not entered.

4. The template

Six columns. One row per obligation. One page, or the exercise has become a project and will not be completed.

Column

What it records

Source

Common error

Test

Example entry

Domain

The obligation, at a level of granularity that has one owner

Enumeration

Too coarse: "Environment"

One owner per row

Scope 3 purchased goods and services

Obligation source

Regulation, standard, contract, covenant or public commitment

Legal, treasury, procurement, comms

Only regulation is listed

Includes at least one contract and one public statement

ESRS E1; RCF margin ratchet; customer supply chain code

Testing form

The accreditation regime that applies

This paper, section 2

Provider name recorded instead

Names a standard, not a firm

None

Evidence owner

A named individual

The person who would be called

A department is named

Can produce evidence in 24 hours

Unassigned

Last tested

Date, tester, level

Certification and assurance records

"In scope of" recorded as "tested"

A limited conclusion is not a test

Never

Risk score

Priority index, per section 5

Scoring workshop

Scored by the owner of the domain

Scored by people who do not own it

68 — highest in universe

THE ONE-PAGE TEST

If the universe does not fit on one page, the granularity is wrong. Fifteen to twenty-five rows is typical for a large multinational. Fifty rows means processes are being catalogued rather than obligations.

5. Scoring the universe

Every mapping exercise produces the same next question: where do we start? Answering it by materiality alone produces a plan that tests the things everybody already watches. The following model is designed to surface the domains that are simultaneously important and unexamined — which are not the same domains at all.

Four variables, each scored one to five:

Variable

Question

Score 5 looks like

M — Materiality

How material is this obligation, on either an impact or a financial basis?

A material topic in the double materiality assessment, or a figure that moves a covenant

R — External reliance

Who outside the organisation relies on this, and what do they do with it?

A lender prices credit on it; a customer's contract turns on it; an index provider scores it

C — Consequence of error

If the assertion were materially wrong and that became public, what would follow?

Regulatory enforcement, contractual termination, securities litigation, a green claims action

K — Control immaturity

How mature are the internal controls producing the evidence? Score inverted: 5 is least mature.

No documented process, no named owner, no evidence trail, assembled annually by spreadsheet

Priority index

Priority = (M + R + C) × K

Range 3 to 75. Control immaturity multiplies rather than adds, because a mature, well-controlled domain does not urgently require independent testing however material it is — while an immature domain becomes more dangerous with every point of materiality, reliance and consequence attached to it.

The thresholds are a starting position, not doctrine:

  • 45 and above — test this cycle. Independent testing within twelve months, and interim controls remediation immediately. These domains are material, externally relied upon, consequential if wrong, and structurally uncontrolled.

  • 25 to 44 — test next cycle. Schedule into the three-year plan. Begin controls work now so that the domain scores lower on K before the testing arrives.

  • Below 25 — monitor. Either the domain is well controlled, or nobody outside the organisation relies upon it. Confirm which, annually.

One instruction on process, and it is the whole of the value: the scoring workshop must not be run by the owners of the domains being scored. A carbon manager will not score K at 5 for the carbon inventory. Score the universe with internal audit, the general counsel and the audit committee chair in the room, and score every domain against the same four questions in a single sitting. The relative ranking is what matters; the absolute numbers are a device for producing it.

6. Where the architecture runs out

The accreditation architecture for non-financial testing is more developed than most executives realise. Management system certification is governed by ISO/IEC 17021-1 and policed by national accreditation bodies. Validation and verification are governed by ISO/IEC 17029. Sustainability assurance is governed by ISSA 5000 from 15 December 2026, supported by the IESBA's ethics and independence standards from the same date.

And then there are four domains where none of it applies.

Value chain and Scope 3 data

For most companies this is the largest number in the disclosure and the least controlled. It is also the domain where Omnibus I moved the boundary against the reporter: undertakings below 1,000 employees now have a legal right to refuse information requests exceeding the VSME standard, and the assurance practitioner must consider whether value chain data was obtained in compliance with those restrictions.

There is no accredited regime for testing a supplier's data at source when the supplier is entitled to decline. What remains testable is the reporter's own control over how the data was obtained, estimated, and disclosed as an estimate. That control is the only thing standing between the disclosure and the accusation.

Human rights due diligence

The CSDDD applies from 26 July 2029 to a much narrower population than originally contemplated — EU undertakings above 5,000 employees and €1.5 billion turnover, and non-EU undertakings above €1.5 billion of EU turnover. There is no certification standard for human rights due diligence, no ISO/IEC 17029 scheme, and no assurance standard specific to it. Social audits of suppliers are conducted by firms operating under no accreditation at all, using proprietary methodologies, and they are commissioned by the party being reassured.

Forward-looking transition plans and targets

Assurance and verification are exercises in evidence. A commitment to reach net zero by 2040 is not, at the date of assertion, susceptible to evidence. Practitioners can and do examine whether a stated target is supported by a plan, whether the plan is internally coherent, and whether the base year data is accurate. Nothing tests whether the target will be met, and Omnibus I removed the requirement for in-scope companies to adopt a Paris-compatible climate transition plan at all.

Forward-looking claims therefore sit in the universe with a testing form of "none" and a consequence-of-error score that is frequently the highest on the sheet, because they are the claims most likely to attract a greenwashing action.

ESG ratings submissions

Companies routinely submit hundreds of datapoints to MSCI, Sustainalytics and the S&P Corporate Sustainability Assessment. The resulting scores influence index inclusion, capital allocation and cost of debt. The submissions are prepared by investor relations or sustainability teams, reviewed by nobody independent, and governed by no assurance standard. The rating agency does not audit the submission; it scores it.

Four domains. In each, the assertion is consequential, the reliance is external, the control is thin, and no accredited party is required to look. That is not a coverage gap. It is the shape of the next enforcement cycle.

The correct response is not to pretend a regime exists. It is to record the absence, score the domain honestly, and apply the only two instruments that remain available: internal controls designed to the standard that would apply if a regime existed, and voluntary independent review commissioned on the organisation's own initiative.

7. Reading the coverage map

Once the universe is scored, overlay coverage. A domain is green if it was subject to independent testing within the current cycle, amber if within the previous cycle, red if never or beyond the cycle. Then sort by priority index descending.

Three patterns appear with such regularity that they are worth naming in advance.

  1. The certified perimeter. The top of the green list is dominated by ISO-certified management systems — 14001, 45001, 27001, 9001 — because certification cycles are contractually mandated by customers and therefore funded. These are also, typically, the lowest-scoring domains on the priority index, because they are the most controlled. The organisation is testing what it has already fixed.

  2. The assured surface. The sustainability statement appears green because it received a limited assurance conclusion. Applying Rule 3, most of its constituent domains revert to red, because a limited conclusion over an aggregate is not a test of its components.

  3. The red spine. Sorted by priority index, the top five are almost always: Scope 3, supplier human rights, forward-looking targets, ratings submissions, and one environmental claim made in marketing material that nobody in the room knew about. All red. All unassigned. All scoring above 50.

WHAT TO DO WITH THE MAP ON THE DAY IT IS FINISHED

Not remediate it. Show it. The map's first job is to be seen by the audit committee in its unimproved state, because the gap between the map and the executive team's prior belief about the map is the finding, and it will never be as visible again.

8. Six ways the map goes wrong

Failure

How it appears

Correction

Scoped to the report

Universe contains exactly the ESRS material topics

Add contracts, covenants, certificates, public commitments and claims

Owned by sustainability

Sustainability team builds and owns the map

The map is built by the function; sustainability is one evidence owner among twelve

Scored by incumbents

Every domain's control maturity is rated 4 or 5

Score in one sitting, with internal audit and the general counsel present, and the domain owners absent

Coverage inflated

"In scope of the assurance engagement" recorded as tested

A limited assurance conclusion tests the report, not the component. Record the component as untested.

Blank rows deleted

Domains with no testing regime silently omitted

A testing form of "none" is the most important entry the map contains

Built once

The map is produced for the board, then filed

Reviewed each cycle; a new obligation without a map entry is a control failure, not an administrative oversight

9. Maintaining it

The universe is a living control, and it fails in a specific way: through accretion. A new customer contract adds a supply chain assertion. A new lending facility adds a sustainability-linked covenant. A new product adds a circularity claim. Each is agreed by someone with no reason to think about the audit universe, and each adds an obligation that will not appear on the map until somebody goes looking.

Three interlocks prevent this, and each costs nothing:

  • Contract review: any contract containing a non-financial assertion, warranty or covenant is notified to the function before signature.

  • Communications review: any public commitment to a non-financial target or claim is notified before publication.

  • Certification review: any new certification, verification or assurance engagement is entered on the map at the point of engagement, not at the point of conclusion.

An organisation that operates these three interlocks and reviews the map once a cycle has a non-financial audit universe. An organisation that produced a map for a board paper in 2026 has an artefact.

Questions this paper answers

What is a non-financial audit universe?

It is a documented list of every non-financial obligation an organisation carries, recording for each one the source of the obligation, the named individual who owns the evidence, the form of independent testing that applies, the date the obligation was last independently tested, and a risk score. It is the non-financial equivalent of the audit universe maintained by internal audit for financial and operational processes.

Why does non-financial audit need a universe when financial audit does not?

Financial audit inherits its scope from the general ledger, which is a completeness control: any material transaction that is omitted causes the ledger not to balance. Non-financial reporting has no equivalent system. Sustainability data originates in dozens of unconnected systems, and no mechanism exists that would signal an omission. The universe is therefore built manually, and building it is itself the completeness control.

What is the difference between certification, verification and assurance?

Certification, governed by ISO/IEC 17021-1, examines whether a management system exists and operates against a published standard. Verification and validation, governed by ISO/IEC 17029, examine whether a specific claim or statement is supported. Assurance, governed by ISSA 5000 from 15 December 2026, examines whether reported sustainability information is materially misstated, at either a limited or a reasonable level. They answer different questions and confer different degrees of credibility. A certificate is not an assurance opinion.

Does a limited assurance conclusion mean a disclosure has been tested?

No. In a limited assurance engagement the practitioner obtains an understanding of the entity and its processes and performs primarily enquiry and analytical procedures. The practitioner is not required to test the operating effectiveness of controls. A limited assurance conclusion over a sustainability statement that contains a Scope 3 figure is not a test of that Scope 3 figure, and recording it as one materially overstates coverage.

Which non-financial obligations have no accredited testing regime?

Four significant categories. Value chain and Scope 3 data, where suppliers below 1,000 employees now have a legal right under the Omnibus I directive to refuse information requests exceeding the VSME standard. Human rights due diligence, for which no certification scheme, verification scheme or dedicated assurance standard exists. Forward-looking transition plans and targets, which are not susceptible to evidence at the date of assertion. And ESG ratings submissions, which are prepared internally and scored, not audited, by the rating agency.

How should the audit universe be prioritised?

Score each domain one to five on materiality, external reliance, consequence of error, and control immaturity, then apply the priority index: the sum of the first three multiplied by control immaturity. Control immaturity multiplies rather than adds because a well-controlled domain does not urgently require independent testing however material it is, while an uncontrolled domain grows more dangerous with every point of materiality attached to it. Domains scoring above 45 should be independently tested within twelve months.

Who should own the non-financial audit universe?

A named individual within the Non-Financial Audit Function, reporting to the audit committee, sitting outside the sustainability reporting line. The universe must not be owned by the sustainability team, because the sustainability team is one of the evidence owners the map is designed to hold accountable.

References and sources

  • Directive (EU) 2026/470 (the Omnibus I directive), published in the Official Journal of the European Union on 26 February 2026, in force 18 March 2026; Member State transposition deadline 19 March 2027. Introduces the value chain cap and narrows the scope of the CSRD and the CSDDD.

  • IAASB, International Standard on Sustainability Assurance (ISSA) 5000, General Requirements for Sustainability Assurance Engagements, issued November 2024; effective for periods beginning on or after 15 December 2026. Addresses both limited and reasonable assurance engagements, with requirements differentiated between them.

  • IAASB, ISSA 5000 Frequently Asked Questions: Applicability Matters, August 2025 — confirming withdrawal of ISAE 3000 (Revised) and ISAE 3410 for sustainability assurance engagements.

  • ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems.

  • ISO/IEC 17029:2019, Conformity assessment — General principles and requirements for validation and verification bodies.

  • Corporate Sustainability Due Diligence Directive, as amended by Directive (EU) 2026/470: application from 26 July 2029, Member State transposition by 26 July 2028.

  • Speeki, The Non-Financial Audit Function (Whitepaper Series 1, Paper 01), July 2026.

About Speeki

Speeki is an accredited ESG assurance and certification body operating in more than 100 countries. Speeki provides management system certification, verification and validation, and sustainability assurance. Speeki does not provide consulting services. Its independence is structural.

For current details of Speeki's accreditations and their scope, please refer to speeki.com.

© 2026 Speeki. This paper is provided for general information and does not constitute legal, accounting or assurance advice.