Why it matters:
ESG regulations are shifting faster than most organizations can recalibrate, leaving internal auditors to provide assurance amid changing rules, scopes and expectations.
What’s happening:
From the EU narrowing CSRD through the Omnibus bill to the U.S. abandoning its SEC disclosure rule, companies are reassessing whether to pause, pivot or proceed with ESG reporting.
What internal audit should do:
Focus less on the flux and more on sound governance, decision quality, controls and readiness — so organizations stay compliant and defensible today and prepared for the future.
One of the most significant challenges for companies today is the volatility of ESG regulations. In the past year alone, we have seen mandatory requirements delayed, narrowed, withdrawn or replaced — sometimes within the same jurisdiction. For example, the Omnibus bill in the EU narrowed several CSRD provisions, adjusted timelines, changed assurance requirements and significantly reduced the number of in-scope companies. A widely anticipated U.S. climate rule for listed companies was abandoned altogether. Other regulations, like the Corporate Sustainability Due Diligence Directive (CSDDD), the EU Green Claims Directive and the California Climate Corporate Data Accountability Act (SB 253), remain active and enforceable.
This fluidity has created understandable confusion for organizations and their internal audit functions. Some companies that fell out of scope with the most recent Omnibus updates have chosen to “drop the pen” and halt their ESG reporting efforts entirely until required otherwise. Others, believing reporting is of benefit to their stakeholders, are pushing forward but may be shifting from mandatory to voluntary standards. Yet another group, those out of scope for some but not all regulations, is recalibrating to a changed set of mandatory requirements. Amidst the changes, internal auditors are asking “How do we provide audit support in times of regulatory uncertainty?”
To help internal auditors navigate this moment, Protiviti recently convened a webinar focusing on the CSRD changes and offering a practical EU Taxonomy audit example. This blog builds on the webinar conversation by offering six baseline recommendations for internal auditors in this confusing period.
1. Maintain independence
It’s natural for some internal audit teams to feel concerned when their company makes a potentially risky decision, such as stepping back from ESG reporting despite public expectations or long-term regulatory trends. However, the key question for auditors isn’t what a company decides to do, but how it decides.
Action: Avoid involvement in decision-making, especially if you will later have to examine the organization’s choices for reasonableness and control integrity. Instead, prepare to assess whether the processes behind strategic determinations are documented, sound and appropriately informed.
2. Understand your company’s current status
Three types of organizations are currently shifting gears to respond to changed requirements. Auditors should understand the changed regulatory status of their company in order to provide the proper support.
- Companies still in CSRD scope that have not begun reporting but for whom timelines and requirements changed. These organizations may have already begun laying the groundwork for reporting under the pre-Omnibus regulatory framework. Now, however, they must revisit earlier design decisions — reassessing data pathways and decision criteria in light of modified rules.
Action: Assess whether your company has interpreted the new materiality thresholds, scoping rules and disclosure requirements (e.g., the reduced number of required data points) accurately and verify that new controls are designed effectively for the updated rules, not the outdated ones.
- Companies in CSRD scope already reporting under older, often stricter, CSRD requirements. These companies must walk a tightrope: scaling back where appropriate while making sure critical disclosures remain in place.
Action: Evaluate the process for removing or scaling back controls and ensure there is a documented rationale aligned with the new rules — and that removing or modifying the controls does not introduce new material risk.
- Companies not in CSRD scope but in scope of other regulations due to global footprint, or those electing to report voluntarily. It’s important to know that reporting voluntarily does not remove the requirement for truthfulness and accuracy. Misleading claims are subject to greenwashing laws with steep penalties and potential for reputational damage. Any organization that makes social or environmental claims publicly must ensure the claims are backed by verifiable data.
Action: Be familiar with the assurance expectations; some global regulations may start as voluntary or limited but progress to reasonable assurance over time. Implement an Internal Controls Over Sustainability Reporting (ICSR) framework to ensure data quality. Use internal controls along the data flows leading to disclosures to ensure their reliability.
3. Audit using rules for the appropriate time period
Audits of completed periods must be performed against the regulatory framework in place at that time. Yet the recommendations auditors make and the remediations they implement should be aligned to the regulatory picture today, and anticipatory of the future.
Action: Be aware not only of the requirements applicable to the period under review but also of the updated requirements that will govern the next reporting cycle. This adds another layer of complexity and, for auditors new to ESG, a double learning curve that must be surmounted.
4. Build ESG literacy
ESG literacy is a recurring theme for internal auditors as regulations not only change but become more technically complex. Many auditors today rely heavily on sustainability teams to interpret regulatory updates, raising the risk of over-reliance on the same teams whose processes they are responsible for evaluating.
Action: Build your ESG literacy independently:
- Invest in ESG-specific training
- Develop multidisciplinary capabilities
- Understand regulatory logic, not just reporting outputs
- Learn ESG terminology, materiality frameworks and value chain data considerations
5. Lean on COSO’s ICSR
Leaning on COSO’s well-established internal control framework is an excellent way for internal auditors to gain some stability in the moving landscape and fill the gap between regulatory uncertainty and the need for credible, defensible reporting processes. The framework is particularly useful given the uncertainty around “limited assurance,” which has replaced the “reasonable assurance” requirement for the time being: neither its definition nor how external auditors will interpret it is yet settled.
Action: Use COSO’s ICSR to build stronger control environments, document decision-making more consistently, align with recognized internal control principles and prepare for the external assurance standards.
6. Build a network
ESG internal audits can be done entirely in-house — which has both advantages and drawbacks. Effective ESG audits require broad engagement across sustainability, finance, compliance, procurement, operations, and more. Identifying the right stakeholders is not always straightforward, especially in decentralized or global organizations.
Action: Define your stakeholder groups proactively and ensure that audit walkthroughs involve the correct experts and data owners. Partner with external experts to accelerate learning and to understand which internal alliances are key to the audit’s success, while ensuring audits remain robust and independent.
Conclusion
As ESG regulations continue to evolve, internal auditors find themselves in often uncharted territory, simultaneously learning and guiding. By following core principles, well-designed controls and transparent documentation — and by building literacy and collaborative networks — auditors can set the foundation for proper governance, help their organization navigate the current uncertainty and position themselves for a role in ESG reporting oversight that is sure to grow more complex.
To learn more, check out the following resources or reach out to the authors with your questions:
Bruno Pousinho, Manager, Business Process Improvement, Protiviti Germany, contributed to this content.