Practical steps for internal audit to design and execute ESG reviews

Obiajulu Kwentoh, Senior Manager, Consulting 
28/04/2026
Internal audit’s comparative advantage is independence, systems-thinking and control testing – capabilities now directly relevant to ESG strategy and reporting. Below, we outline the steps for a pragmatic ESG review programme (scalable by sector and maturity) and offer some reflections on ESG reviews generally.

Bitesize briefing

  • Regulatory posture and exposure: Verify scope, contingency plans, and preparedness for CSRD/CSDDD and voluntary reporting standards.
  • Governance and accountability: Test board oversight, executive sponsorship, and operational responsibility for ESG data and actions.
  • Double materiality and data controls: Ensure workflows are documented, stakeholder inputs evidenced, and ESG data architecture tested for accuracy and readiness.
  • Due diligence and ESG maturity: Assess risk mapping, prioritisation, grievance mechanisms, and alignment with organisational ESG maturity and reporting expectations.

Steps

First, confirm regulatory posture and “value chain exposure”. Even if the organisation falls out of CSRD/CSDDD scope after Omnibus I, it may still receive structured information requests from customers, lenders and group entities, and may opt into voluntary reporting standards. Internal audit should verify management’s documented scope assessment and contingency plans.

Second, establish audit governance, roles, and accountability. Effective ESG assurance depends on clear ownership (board oversight, executive sponsorship, and operational accountability for data points). ESMA’s feedback on revised ESRS highlights the need for stronger transparency about sustainability competences of governance bodies and resources allocated to sustainability actions – areas internal audit can test objectively.

Third, test double materiality as a controlled process. Internal audit should treat the DMA as an end-to-end workflow (inputs → criteria → thresholds → decisions → outputs), verify that stakeholder engagement and due diligence inputs are evidenced, and challenge “boilerplate” scoring that is not entity-specific.

Fourth, assure data and measurement controls. ESRS requires connected information and, in practice, limited assurance engagements are identifying omissions and scope limitations. Internal audit should test the ESG data architecture (definitions, calculation logic, reconciliations, review controls and evidence retention) with the explicit aim of supporting external assurance readiness.

Finally, assess due diligence implementation under the amended CSDDD (where relevant): chain-of-activities risk mapping, prioritisation logic, grievance mechanisms, monitoring cadence (now at least every five years plus trigger events), and documentation sufficiency.

Crowe perspective on independent ESG reviews

Crowe’s published view is that internal audit should engage early, embed ESG risks and controls into audit frameworks, and support readiness through structured gap assessment and action planning. In practice, a tailored approach for independent ESG reviews typically means calibrating scope to the organisation’s regulatory perimeter, stakeholder expectations and ESG maturity, then testing the controls that make sustainability disclosures and due diligence defensible.

Non-confidential examples of actionable recommendations that frequently emerge from independent ESG reviews include formalising a documented double-materiality methodology and thresholds (including assumptions disclosure), implementing an ESG data dictionary with clear metric ownership and review controls, strengthening supplier and third-party due diligence workflows to manage constrained information requests, and establishing board-level KPI dashboards that tie material sustainability matters to resourcing and accountability.

Crowe has also published practical assurance experience (for example, limited assurance engagements over environmental metrics), illustrating how independent review can build stakeholder trust while improving underlying processes and controls.

Closing reflections

Omnibus I changes the “who” and “when” of EU sustainability compliance, but it raises the bar for “how” organisations justify ESG claims, due diligence decisions and materiality judgements. For internal auditors and audit committees, the priority is to ensure ESG programmes are evidence-based, controlled and reviewable, so that both mandatory and de facto reporting demands can be met with confidence.

How Crowe can help

At Crowe, we help internal audit teams engage early and embed ESG risks and controls into audit frameworks. We support organisations by calibrating ESG review scope to their regulatory perimeter, stakeholder expectations and ESG maturity, and by testing governance, double-materiality processes, data architecture and due diligence controls. Our experience in independent ESG reviews and limited assurance engagements helps organisations strengthen ESG reporting, improve underlying processes and controls, and build stakeholder trust while ensuring readiness for mandatory and voluntary reporting demands.

Alan Davidson, Partner, Risk Consulting