ESG

Independent ESG Reviews After the EU sustainability reset

A practical playbook for Heads of Internal Audit in Ireland's public and private sectors

Obiajulu Kwentoh, Senior Manager, Consulting 
07/04/2026
The European Union’s March 2026 sustainability reset narrows who must comply with corporate sustainability reporting and due diligence, without lowering expectations for governance, decision-making evidence, or data integrity. For Internal Audit, the message is not to stand down, but to re‑focus on assurance that is material, well‑documented and audit‑ready. Key changes include higher thresholds, shifted timelines, streamlined obligations and a stronger emphasis on defensible double materiality and evidence trails.

Bitesize summary

  • The EU’s March 2026 sustainability reset narrows corporate sustainability reporting and due diligence requirements but maintains expectations for governance, decision-making evidence, and data integrity.
  • The CSRD now applies mainly to companies above €450 million turnover and 1,000 employees, while the CSDDD applies to the largest companies with thresholds raised to 5,000 employees and €1.5 billion net worldwide turnover.
  • Internal Audit should re-focus on assurance priorities including scope testing, governance and accountability, double materiality workflows, ESG data integrity, and due diligence under the amended CSDDD.
  • Even where direct EU requirements do not apply, public and private sector bodies must maintain robust ESG controls to mitigate risks from value-chain obligations, tender processes, lender inquiries and potential greenwashing.

What changed – and why this matters for Internal Audit

  • Omnibus I (Directive (EU) 2026/470) was published on 26 February 2026 and entered into force on 18 March 2026. It amends elements of CSRD reporting and the CSDDD due diligence framework.
  • CSRD scope is narrowed primarily to undertakings above €450 million net turnover and 1,000 employees, with mechanisms to limit excessive information requests on smaller value‑chain entities.
  • The CSDDD now applies to the very largest companies: thresholds raised to 5,000 employees and €1.5 billion net worldwide turnover; the climate transition plan requirement is removed; and the monitoring cadence is reframed to at least once every five years (and after significant changes).
  • ESRS simplification is under way, with revised ESRS targeted by summer 2026 via delegated act, while double materiality remains the gateway to required disclosures.

Implications for Ireland’s HIAs

  1. For listed groups and large private groups/non‑EU parents with material EU turnover, the scope decision is now a formal control point.
  2. For public bodies and State‑sponsored entities, even where the CSRD/CSDDD do not directly apply, value‑chain pull, tender requirements, lender inquiries and greenwashing risk still demand robust ESG controls and defensible disclosures.

Internal Audit priorities to re‑focus assurance

  • Scope and perimeter testing: Confirm CSRD/CSDDD thresholds and document conclusions for each entity; assess residual obligations from customers, lenders or parent entities.
  • Governance and accountability: Test RACI, board oversight, executive ownership, control owners for key metrics, and evidence of competence and resourcing for sustainability actions.
  • Double materiality as a controlled process: Treat the DMA as an end‑to‑end workflow (inputs → criteria → thresholds → decisions → outputs); require documented thresholds, assumptions and data sources; check connectivity to financial reporting and challenge boilerplate rationales.
  • Data and measurement integrity: Validate the ESG data architecture, definitions, calculation logic, reconciliations, control design, evidence retention and management review, aiming for external assurance readiness.
  • Due diligence under the amended CSDDD (where in scope): Evaluate chain‑of‑activities risk mapping, prioritisation logic, grievance mechanisms, monitoring cadence (at least once every five years, plus triggers) and documentation sufficiency to withstand national enforcement.

What good looks like: Evidence, not aspiration

  • A signed scope memo with calculations and assumptions (plus a watchlist for near‑scope scenarios).
  • A documented DMA methodology with thresholds tied to ESRS severity criteria for impact materiality and explicit financial linkages to forecasts, capital allocation and principal risks.
  • An ESG data dictionary defining each metric, source systems, owners, reconciliation points and control frequency.
  • Third‑party due diligence playbooks that respect constraints on information requests to smaller partners, supported by alternative evidence where direct data cannot reasonably be obtained.

Sector‑specific notes for Ireland

  • Public sector bodies should align with public interest standards such as verifiable claims, documented stakeholder engagement and clearly evidenced assumptions, whether or not ESRS is adopted.
  • Private sector bodies, even those exiting scope, should prepare for value‑chain questionnaires and lender reporting, and ensure consistency between sustainability claims and statutory financial information to mitigate greenwashing risk.

A 90‑day action plan for HIAs

  • Confirm scope (entity by entity) and document the conclusion.
  • Stand up a DMA review: agree criteria, thresholds, evidence lists and sign‑off pathways.
  • Map the ESG control landscape: identify control owners and gaps against assurance readiness.
  • Prioritise third‑party controls: procurement, contract terms, and information request protocols.
  • Report to the Audit Committee: key findings, remediation plan, and an evidence‑retention policy.

Crowe perspective and examples

Our experience across Irish public bodies and private groups shows that early Internal Audit engagement accelerates assurance readiness and reduces late‑stage adjustments during external assurance. Typical high‑impact recommendations include:

  • Formalising a DMA methodology with transparent thresholds and an assumptions register approved by the Audit Committee.
  • Standing up an ESG data dictionary and control matrix that integrates with financial control frameworks (e.g., reconciliations to the general ledger and defined maker‑checker reviews).
  • Introducing proportionate third‑party due‑diligence tiers that respect constraints on SME information requests while maintaining credible alternative evidence routes.
  • Implementing board‑level KPI dashboards that tie material sustainability matters to resourcing and accountability.

Disclaimer

This article provides Internal Audit assurance perspectives and does not constitute legal advice. Organisations should obtain legal counsel on the interpretation of EU law and Irish transposition measures.

How Crowe can help

Navigating the evolving EU sustainability landscape requires timely and focused Internal Audit engagement. Crowe Ireland works with public and private sector organisations to support assurance readiness under the CSRD and CSDDD frameworks. By applying practical methodologies for double materiality, ESG data integrity and third-party due diligence, we help organisations strengthen governance, demonstrate evidence-based decision-making, and align sustainability controls with broader financial and operational reporting. Our experience shows that early, structured engagement accelerates compliance readiness, reduces late-stage adjustments, and provides Internal Audit with a robust framework to deliver credible, defensible ESG assurance.

Alan Davidson
Partner, Risk Consulting