
What evidence EU sustainability auditors actually look for
CSRD and CSDDD require companies to collect and retain evidence of compliance. This article explains what auditors and regulators actually look for, what sufficient evidence means in practice, and how the evidentiary standard is applied.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.
The question behind the question
When a business asks what evidence it needs to collect for EU sustainability compliance, it is usually asking a more specific question underneath: what will an auditor or regulator actually look at, and what will satisfy them?
That question matters because EU sustainability regulation does not answer it directly. CSRD and CSDDD describe what companies must do: identify material impacts, conduct due diligence, engage with affected stakeholders, take corrective action where problems are found. They do not specify what documentary evidence those activities must produce, how that evidence must be organised, or how much is enough. The standard is sufficiency, and sufficiency is a judgement rather than a defined threshold.
This article explains how that judgement works in practice, what categories of evidence auditors look for, what makes evidence credible or weak, and how the evidentiary standard differs depending on who is doing the assessment.
Who is doing the assessing and why it matters
Three distinct types of assessment generate evidentiary requirements under EU sustainability law, and they apply different standards.
The first is third-party assurance under CSRD. Companies required to report under CSRD must have their sustainability reports assured by an independent auditor. The initial requirement is limited assurance, which is a lower standard than the reasonable assurance applied to financial statements. A limited assurance engagement gives the auditor a basis for concluding that nothing has come to their attention indicating the report is materially misstated. The auditor is not certifying that the company’s due diligence process is adequate, or that every figure in the report is precisely accurate. They are assessing whether the report fairly presents the company’s sustainability performance in accordance with the applicable reporting standards.
What this means in practice is that the CSRD assurance process is primarily a documentation review. The auditor looks for records that support the disclosures in the report: records of the materiality assessment process, records of how data was collected and by whom, records of the governance processes around sustainability reporting, and evidence that the information in the report can be traced back to underlying data. The evidentiary bar for CSRD assurance is higher than for a voluntary ESG report, but it is not equivalent to a regulatory inspection.
The second type of assessment is regulatory enforcement. Competent authorities designated under CSDDD and EUDR have the power to request documents, conduct site inspections, and impose penalties. Their standard is not what the auditor’s standard is. They are assessing whether the company’s substantive conduct complied with the regulation, not whether a report about that conduct was accurately prepared. A well-assured CSRD report about an inadequate due diligence process does not protect against a CSDDD enforcement action.
The third type of assessment is civil litigation. CSDDD explicitly opens a route for affected parties to bring claims against EU companies that have failed in their due diligence obligations. A court assessing such a claim applies a reasonableness standard: whether the company made a genuine, proportionate, and well-documented effort to identify and address the relevant risks given its size, sector, and the nature of its supply chain. Here the evidentiary standard is highest, because the company must be able to demonstrate the quality of its process, not just its existence.
Understanding which type of assessment applies to your situation determines what evidence you actually need to prioritise.
What CSRD assurance auditors look for
For companies preparing for CSRD assurance, the evidentiary requirements cluster around five areas.
The materiality assessment process. Auditors want to see that the double materiality assessment was conducted as a genuine analytical exercise, not a retrospective justification for conclusions already reached. Evidence of the process typically includes records of who participated in the assessment, what information sources were used, how financial materiality and impact materiality were evaluated for each topic, what external stakeholders were consulted, and how the final topic selections were determined. A materiality matrix or equivalent output document is expected, but what the auditor is looking for is the process behind it, not just the output.
Data collection methodology. For each metric disclosed in the report, the auditor will look for documentation of how the data was collected, who collected it, and what internal controls exist to ensure accuracy. For a company reporting Scope 3 emissions, this means documentation of the methodology used to estimate value chain emissions, the data sources relied on, and the assumptions applied. For a company reporting on workforce health and safety, this means documentation of how incident data is collected and consolidated across sites, and what definitions were applied.
Governance and oversight. ESRS G1 requires disclosures about governance processes for sustainability reporting. Auditors look for evidence that the board or relevant governance body actually reviewed and approved the sustainability information, not just that the governance policy says they should. Board minutes, committee papers, and sign-off records are the relevant evidence.
Boundary and scope decisions. Where a company has excluded certain subsidiaries, joint ventures, or supply chain tiers from its reporting scope, the auditor will look for documented justification. Where the reporting boundary differs from the financial reporting boundary, the reasons for that difference need to be documented and defensible.
Corrections and restatements. If any figures have been restated from prior disclosures, the auditor will look for documentation of what changed and why. The absence of any corrections across a large, complex dataset over multiple years is itself a finding that warrants scrutiny.
What CSDDD enforcement looks for
CSDDD enforcement operates at a different level of specificity. Regulators are not reviewing a report. They are assessing whether a company’s supply chain due diligence process met the standard the directive requires. The evidence that matters is evidence of the process itself.
Supply chain mapping records. A company subject to CSDDD must be able to demonstrate that it identified the relevant entities in its supply chain, at least to the depth that a proportionate risk assessment requires. This means records of the mapping exercise: what tiers were covered, what data sources were used to identify suppliers, and when the mapping was last updated.
Risk assessment records. The risk assessment that follows the mapping exercise needs to be documented in a way that shows it was a genuine analysis of the specific risks in the specific supply chain, not a generic template applied without customisation. Evidence of sector-level risk analysis, country-level human rights and environmental risk information, and supplier-specific risk factors is expected. Where certain suppliers or categories of supplier were identified as higher risk, the reasoning for that classification needs to be retained.
Evidence of preventive and corrective action. Where the risk assessment identified actual or potential adverse impacts, the company must be able to demonstrate what it did in response. This means records of corrective action plans, supplier engagement on specific issues, monitoring of whether corrective actions were implemented, and where impacts were not remediated, what further steps were taken. A risk assessment that identified problems followed by no documented follow-up action is a significant evidentiary gap.
Stakeholder engagement records. CSDDD requires meaningful engagement with affected stakeholders, including workers and their representatives, at specified stages of the due diligence process. Evidence of this engagement needs to go beyond a policy statement that engagement took place. Records of who was consulted, in what format, at what stage, and what information those consultations generated are expected.
Complaints mechanism records. The company must have a complaints or grievance mechanism and be able to demonstrate that workers and other affected parties can access it. Evidence of how the mechanism is communicated, whether complaints have been received and how they were handled, and what monitoring of the mechanism’s accessibility exists is typically what regulators look for.
What courts look for in civil litigation
Civil litigation under CSDDD applies a proportionality standard: was the company’s due diligence adequate given its size, the nature of its operations, and the severity of the risks in its supply chain? The evidentiary requirements are the most demanding because the burden falls on the company to demonstrate the quality of its process, not just its existence.
The key distinction courts draw is between a compliance programme that was designed to actually identify and address adverse impacts, and one that was designed to produce documentation of compliance. These can look similar from the outside but generate very different evidentiary records.
A process designed for genuine identification of adverse impacts will produce evidence of engagement with workers and communities that generated new information. It will show instances where the process identified problems that were not already known from public sources. It will include records of corrective actions that required real effort and had measurable outcomes. It will show monitoring over time that was capable of detecting whether corrective actions worked.
A process designed to produce documentation will generate signed policies, completed questionnaires, and assurance certificates, but will tend not to show engagement that produced unexpected findings, corrective action on issues that were not already publicly reported, or monitoring mechanisms that were genuinely capable of detecting whether conditions were improving.
Courts assessing CSDDD claims will look at both the documentary record and the plausibility of the process it purports to describe. A large, sophisticated company sourcing from a high-risk geography that produced no significant findings in several years of due diligence is a company whose process warrants scrutiny, regardless of how complete its documentation is.
What makes evidence credible
Across all three types of assessment, certain characteristics make evidence credible and others make it weak.
Independence. Evidence generated through independent channels carries more weight than evidence generated entirely through the company’s own processes or through processes mediated by parties with a conflicting interest. Third-party audits, worker interviews conducted by external specialists, and satellite-based deforestation verification are more credible than supplier self-declarations, management interviews, and internal spot checks precisely because they do not rely on the cooperation or honesty of the party whose conduct is being assessed.
Contemporaneity. Records created at the time of the activity they document are more reliable than records created retrospectively. A risk assessment dated at the time it was conducted, with contemporaneous notes from the assessment team, is more credible than a risk assessment document that was finalised months after the assessment period it purports to cover.
Specificity. Specific evidence about particular suppliers, particular facilities, and particular risks is more credible than general statements about policy and approach. An auditor or regulator looking at supplier engagement records wants to see records of specific conversations with specific suppliers about specific issues, not a template letter sent to all suppliers about the company’s human rights commitment.
Internal consistency. Evidence that is consistent across sources, where worker interviews corroborate document review findings, where risk assessment findings are consistent with what is known about the sector and geography, and where monitoring records show outcomes that are plausible given the corrective actions taken, is more credible than evidence that conflicts internally or that conflicts with publicly available information about the relevant risks.
Proportionality. The depth and rigour of the evidence should be proportionate to the risk. A company sourcing a low-risk commodity from a low-risk geography does not need the same evidentiary depth as a company sourcing a high-risk commodity from a high-risk geography. Evidence that is disproportionately sparse for a high-risk situation, or disproportionately elaborate for a genuinely low-risk one, both raise questions.
What is not sufficient
Several categories of documentation are commonly presented as evidence of compliance but do not, on their own, meet the standard regulators and courts apply.
Supplier self-declarations. A signed code of conduct or supplier declaration of compliance is a starting point, not an end point. It establishes that the supplier was informed of the applicable standards and acknowledged them. It does not establish that those standards are being met. Relying on supplier declarations as the primary evidence of due diligence is a well-documented compliance gap.
Certification alone. Third-party certifications such as SMETA, SA8000, or commodity-specific sustainability schemes have value in a due diligence system, but they do not substitute for company-specific due diligence. Certification schemes assess against their own standards at a point in time. They are not designed to identify all of the adverse impacts that CSDDD requires a company to identify in its specific supply chain. Using certification as a proxy for due diligence works as a risk management tool but not as an evidentiary substitute.
Policies without implementation records. A human rights policy, an environmental policy, and a supplier code of conduct establish the company’s stated commitments. They tell an auditor or regulator nothing about whether those commitments are operationally implemented. The evidentiary gap between a policy document and operational implementation is exactly where enforcement attention tends to focus.
Completed questionnaires without follow-up. Supplier questionnaires that identify risks but show no record of follow-up action are an evidentiary liability rather than an asset. They demonstrate that the company knew, or had the means to know, about conditions it did not act on.
The relationship between documentation and process
The most important thing to understand about evidentiary standards in EU sustainability compliance is that documentation does not substitute for process. A company that builds a genuine, well-structured due diligence process and documents it adequately is in a strong position. A company that builds documentation of a process it did not actually run is not protected by that documentation and may be in a worse position than one that did nothing, because the documentation demonstrates awareness of the obligation.
For an explanation of why no official checklist defines what compliance requires, and how that affects the evidentiary standard, see Why there is no official checklist for EU sustainability compliance.
Verdandi monitors CSRD, CSDDD, and EUDR continuously, including assurance standards and enforcement guidance as they develop, so the evidence you build is anchored to current requirements. Start for free.
Source transparency, currency, and scope discipline: the framework for evaluating any regulatory intelligence tool, applied honestly to the major players in the EU financial regulation market.