Identity Evidence and Auditability Under CSRD and EU Sustainability Reporting

Varssha D B

CSRD assurance under ISSA 5000 requires testing of the internal controls that produce sustainability data. That includes who has access, whether duties are segregated, and whether changes are logged. Four identity artifacts answer those tests: provisioned access with justification, enforced segregation of duties, periodic access certifications, and immutable change and emergency-access logs.

Together they form the audit evidence package that CSRD assurance providers will request, and their absence is the gap most enterprises face in their first reporting cycle.

What CSRD assurance providers actually test under ISSA 5000

ISSA 5000 is the assurance standard the IAASB issued for sustainability engagements. It now governs how CSRD reports are reviewed. The practitioner is required to understand the entity's system of internal control over sustainability information. That includes the control environment, information-system controls, and the process by which figures are produced and approved.

Two levels of assurance exist. Limited assurance is the level mandated for Wave 1 CSRD reporters. It requires the practitioner to design responses to risks of material misstatement when control deficiencies are identified in the control environment or in information-system controls. Reasonable assurance was on the original CSRD roadmap. It requires deeper testing of internal controls, including operating effectiveness across the reporting period.

Both levels put internal controls on the test plan. That is the inflection point most enterprises miss. Once an external practitioner is testing the controls that produce a Scope 1 figure or a workforce headcount disclosure, the question is no longer whether sustainability data was collected. The question is whether the systems producing it carried the same controls a financial figure would.

Why ESG data fails the internal-control test that financial data passes

Financial data lives inside a control perimeter that has been hardened for two decades. ERP access is provisioned through formal request workflows. Segregation of duties is enforced through SoD policy libraries. Quarterly access certifications run on schedule. Emergency access is logged and reviewed. SOX testing has made all of this audit-grade.

ESG data does not live there. Scope 1 and Scope 2 emissions sit in carbon accounting platforms procured by sustainability teams under separate budget lines. Workforce diversity metrics live in HRIS modules the security organization has rarely treated as financial-system equivalents. Supplier ESG data flows through procurement portals and shared spreadsheets. Materiality assessments are maintained in document management systems with permissive access models.

The result is a control gap that an ISSA 5000 practitioner can identify in the first half-day of fieldwork. Who provisioned access to the carbon platform? Who can change a reported figure? Was the preparer also the approver? Where is the certification record? Most enterprises cannot answer with audit-grade evidence because the systems were never governed at that level.

The four identity artifacts every CSRD assurance file should contain

The four artifacts below answer the four questions an ISSA 5000 practitioner is required to ask during control testing. Each maps to a specific control area in the standard, and each is producible from a properly governed identity layer.

Audit question | Identity evidence required | Where it should live
Who has access to the systems that produce this disclosure? | Provisioning records with documented business justification | IGA platform
Could a single person both prepare and approve a reported figure? | SoD policy enforcement and conflict-resolution logs | IGA platform
Is access reviewed and re-attested on a defined cadence? | Periodic access certifications signed by line managers | IGA platform
Can every change to a reported figure be traced to an identity? | Immutable change logs and reviewed emergency-access sessions | IGA platform plus source system

Provisioned access with documented justification

Every user with the ability to read, edit, or approve sustainability data should have access granted through a request workflow that records the business reason, the approver, and the date. This is the same standard SOX programs have applied to ERP access for a decade. The artifact is the access request record itself.

Enforced segregation of duties

Preparer, approver, and reviewer roles for any material disclosure should be enforced as policy. SoD conflicts in carbon, workforce, and supply-chain reporting systems should be detected at the moment of access provisioning, not at audit time. The artifact is the SoD policy library plus the conflict-resolution log.

Periodic access certifications

Access to sustainability reporting systems should be re-attested by managers on a defined cadence. Quarterly is the SOX equivalent. The artifact the auditor wants is the signed certification record showing who reviewed what and when.

Immutable change and emergency-access logs

Every change to a reported figure should be traceable to an identity. Emergency or break-glass access used to fix a figure before publication should be logged, reviewed, and justified after the fact. The artifact is the change log plus the post-session review record.
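The two controls above that are easiest to get wrong in practice are SoD detection at provisioning time and post-session review of break-glass access. The following is an added illustration, not Anugal's code or any IGA product's API; the policy pairs, system names, users and sessions are all constructed for the example.

```python
"""Added example: per-system SoD check at provisioning time, with a
conflict-resolution log, plus a break-glass review check. Not vendor code."""
from dataclasses import dataclass, field

# Constructed SoD policy library: role pairs that must not be held together
# on the same disclosure system (a preparer must not approve their own figure).
SOD_POLICY = {
    ("preparer", "approver"),
    ("preparer", "reviewer"),
    ("approver", "reviewer"),
}


@dataclass
class Identity:
    user: str
    roles: dict = field(default_factory=dict)  # system -> set of role names


def sod_conflicts(held: set, requested: str) -> list:
    """Policy pairs that would be violated if `requested` is added to `held`.
    SoD is evaluated per system: the same person may prepare on one
    platform and approve on another without conflict."""
    return sorted(
        pair for pair in SOD_POLICY
        if requested in pair and (set(pair) - {requested}) <= held
    )


def provision(identity: Identity, system: str, role: str,
              justification: str, approver: str, log: list) -> dict:
    """Grant the role only if no SoD conflict exists. Every decision, granted
    or refused, is appended to `log` so the conflict-resolution record and
    the business justification survive as audit evidence."""
    held = identity.roles.get(system, set())
    conflicts = sod_conflicts(held, role)
    entry = {"user": identity.user, "system": system, "role": role,
             "justification": justification, "approver": approver,
             "conflicts": conflicts, "granted": not conflicts}
    log.append(entry)
    if not conflicts:
        identity.roles.setdefault(system, set()).add(role)
    return entry


def unreviewed_break_glass(sessions: list) -> list:
    """IDs of emergency-access sessions that changed a reported figure but
    carry no post-session reviewer: these are findings, not evidence."""
    return [s["id"] for s in sessions
            if s["changed_figure"] and not s.get("reviewed_by")]
```

Running `provision` for a user who already prepares on a platform and then requests approver on the same platform yields a refused entry whose `conflicts` field is the audit record the practitioner asks for.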

What Omnibus I changed, and what it did not

The Omnibus I Directive was adopted by the European Council on 24 February 2026. It raised CSRD scope thresholds to 1,000 employees and EUR 450 million in turnover. It delayed Wave 2 reporting to 2028. It removed the pathway to reasonable assurance.

Three things did not change. Wave 1 entities still report under CSRD. Limited assurance under ISSA 5000 is still mandatory. The practitioner's obligation to test internal controls over sustainability information is intact.

The identity-evidence requirement is unaffected. Omnibus I reduced the population in scope and softened the assurance trajectory. It did not lift the control-testing requirement that already sits at the limited-assurance level. Enterprises reading Omnibus I as relief on identity-layer evidence are reading it wrong.

Where Anugal fits

Anugal produces the four identity artifacts continuously, across the entire application landscape. SoD enforcement runs against a configurable Risk Library. Access certifications run as automated campaigns with AI-prepared recommendations. Joiner-Mover-Leaver automation provisions and deprovisions access without manual coordination. FireFighter Access Review Automation continuously reviews emergency-access sessions and correlates executed actions against stated justification. The coverage point matters: traditional IGA tools see 30 to 40 percent of the application estate, while Anugal extends to the 60 to 70 percent of apps where sustainability data lives, including the long tail of platforms procured outside the security organization. The audit file gets populated automatically rather than reconstructed at year-end.

Conclusion

CSRD assurance has moved from optional to obligatory, and the assurance standard that governs it puts internal controls on the test plan. Identity has moved with it. The access provisioned to a sustainability system, the duties segregated on it, the certifications run against it, and the changes logged inside it are no longer security artifacts only. They are audit artifacts. Enterprises that treat sustainability-system access with the same discipline as financial-system access will close the first-cycle finding gap before the practitioner arrives.

To see how Anugal produces this evidence continuously across your application landscape, book a meeting with our experts.

Frequently asked questions

What is identity evidence in CSRD assurance?

Identity evidence is the access-layer documentation that proves who could touch sustainability data, who approved that access, whether duties were segregated, and what changes they made. CSRD assurance under ISSA 5000 treats it as part of the internal-control evidence package required for limited or reasonable assurance opinions.

Does ISSA 5000 require testing of access controls?

Yes. ISSA 5000 requires the assurance practitioner to understand the entity's system of internal control over sustainability information, including the control environment and information-system controls. Access controls and segregation of duties on systems that produce ESG figures fall inside that scope, even at the limited-assurance level.

How is a CSRD audit trail different from a financial audit trail?

The mechanics are identical. Every value change should record who, what, when, and on what authority. The difference is coverage. Financial audit trails sit inside the SOX perimeter on ERP systems. CSRD audit trails must extend across sustainability platforms, HRIS, EHS systems, supplier portals, and spreadsheets that have rarely been governed at the same level.

Which identity artifacts do CSRD assurance providers expect?

Four: provisioned access with documented justification, enforced segregation of duties on preparer, approver, and reviewer roles, periodic access certifications attested by managers, and immutable change and emergency-access logs. Each maps to a specific audit question the practitioner is required to ask under ISSA 5000.

Did Omnibus I change the identity-evidence requirement?

No. The Omnibus I Directive (adopted February 2026) raised CSRD scope thresholds, delayed Wave 2 reporting to 2028, and removed the pathway to reasonable assurance. It did not change the requirement for limited assurance under ISSA 5000 for Wave 1 entities, and the internal-control testing scope remains intact.
