ESG Compliance: How Audit and Advisory Firms Can Build Assurance Services That Scale

Key Insights

• California creates a near-term ESG reporting deadline for many U.S. companies.
• Only 29% of companies feel ready for ESG assurance, leaving a sizable advisory market.
• COSO gives firms a practical way to extend ICFR discipline into ESG controls.
• Multi-framework evidence reuse and AI-assisted document review are how firms close the gap between ESG demand and available capacity.

ESG engagement teams spend their fieldwork weeks tracking down where the data actually lives, whether the systems holding it have controls, and how to test disclosures that aren't standardized the way financial statements are. By the time scoping is done, the timeline is half gone and substantive testing hasn't started. This article covers the deadlines, the service lines, and the technology that make ESG engagements work.

What ESG Compliance Means for Your Audit and Advisory Clients Today

ESG stands for environmental, social, and governance. It started as an investment framing: a way to look at companies beyond their financial statements. Over the last decade it's grown into a corporate reporting category, with public companies disclosing things like greenhouse gas emissions, workforce diversity, board governance, and supply chain practices. A growing share of those disclosures now require independent assurance, which is where audit and advisory firms come in.

ESG assurance is the same discipline as a financial audit applied to different subject matter. Instead of testing the trial balance, teams test emissions calculations, supplier certifications, and the systems behind the disclosures. The evidence sits in operational systems like utility bills, HR records, and supplier questionnaires rather than the general ledger, and the frameworks setting the rules are still being settled.

What applies to a particular client depends on where they operate, how large they are, and which jurisdictions touch their business. Three rules are shaping most of the work right now:

• California: SB 253 makes large companies doing business in California publicly report their greenhouse gas emissions. The first reports cover direct emissions from operations (Scope 1) and indirect emissions from purchased electricity (Scope 2), and are due August 10, 2026 under CARB's finalized rules. SB 261, a related law that would have required companies to disclose climate-related financial risks, was paused by a federal court in November 2025 and remains tied up in litigation. For U.S.-headquartered clients, the SB 253 deadline is the most immediate one practitioners are working toward.
• The EU's CSRD: The Corporate Sustainability Reporting Directive is the EU's main sustainability reporting rule. The largest EU public-interest companies started reporting under it in 2025. The next wave was supposed to bring in many more companies, but the EU's Omnibus I simplification package (adopted in February 2026) pushed Wave 2 back two years, narrowed it to companies with 1,000+ employees and €450M+ turnover, and cut the number of required ESRS data points by roughly 60%. U.S. companies still get pulled in through European subsidiaries that fall within the revised scope.
• ISSA 5000: ISSA 5000 is the new global standard for sustainability assurance, issued by the IAASB in November 2024 and effective for engagements covering periods beginning on or after December 15, 2026, with early adoption permitted. It covers both limited and reasonable assurance and applies across the profession, so CPAs and non-CPA practitioners both work to the same standard. If you're building methodology, it's the standard to build toward.

Assurance-ready ESG reporting is no longer optional for a meaningful slice of the client base.

Why ESG Is a Growth Opportunity for Risk Advisory and Assurance Services

Demand for ESG assurance is real, but client readiness lags. A 2024 KPMG survey found 90% of organizations planned to increase investment in ESG reporting over the following three years, with 31% planning to spend more on external assurance specifically. Only 29% of companies say they're ready for that assurance work.

That gap is the opportunity. It defines a pre-assurance advisory market: readiness assessments, controls design, metric definition, data system architecture, and internal control documentation. Firms that lead with advisory work are better positioned to capture the formal attestation mandate that follows.

Key ESG Compliance Risks Your Clients Face (and Where Auditors Add Value)

Your clients face ESG compliance risks across several categories, and each one maps to a service your firm can deliver.

Internal Controls over Sustainability Reporting

ESG disclosures don't yet have the kind of internal controls financial reporting has spent decades building. Companies are figuring out who owns the data, how it's reviewed, and what gets sign-off, often after the disclosures are already going out. The auditing standards for those controls are still catching up: the AICPA's Auditing Standards Board has proposed updates to attestation standards specifically for sustainability information.

California is where this is playing out first. SB 253's August 2026 deadline is creating engagement work now, while the profession is still addressing assurance standards for California's climate laws.

Controls only work if the underlying data is reliable.

IT Governance and ESG Data Systems

ESG data lives in operational systems like utility billing, HR, supply chain platforms, and environmental monitoring tools. These systems rarely have the controls a general ledger has, which is where IT audit work earns its keep. ISACA's IT Audit Framework, ITAF 5th Edition, gives teams a current frame for evaluating governance, data lineage, and AI tools in those systems.

Even with internal controls in place, a growing share of ESG disclosures depends on data from outside the organization.

Third-Party and Supply Chain Risk

Supplier sustainability certifications, Scope 3 emissions from contract manufacturers, and value chain impact claims all need independent verification. Most clients have nothing close to assurance-ready evidence for them.

How to Design ESG Compliance and Assurance Offerings in Your Firm

The firms winning ESG work have picked a standards baseline and are building services that match where clients actually are today.

Which Standard Governs Your Engagement?

ISSA 5000 is the practical baseline. The IAASB issued it in November 2024, effective for engagements covering periods beginning on or after December 15, 2026, with early adoption permitted. ISAE 3410, the prior greenhouse gas assurance standard, will be withdrawn the same day as ISSA 5000 absorbs that work. In the U.S., practitioners operate under existing AICPA AT-C sections, with proposed AT-C Sections 325 and 330 still moving through the standard-setting process. Methodology built to ISSA 5000's evidentiary direction will hold up as U.S. rules settle.

Structuring the Service Continuum

Firms that win this work tend to lead with advisory, then graduate clients into assurance. A workable model is to build sustainability expertise through non-assurance services and then apply that expertise to assurance work. Mid-market firms can replicate this progression without Big Four resources by starting with readiness assessments and controls advisory, then scaling into formal attestation as client maturity and firm capabilities grow.

The competency question is real. Nearly three-fourths of firms cite gathering internal resources and expertise as their biggest challenge for ESG assurance engagements. AICPA training, including sustainability assurance attestation courses and an ESG and Sustainable Financial Strategy course developed with Oxford, is available through CPA.com to help close the gap.

Building ESG into Your Existing Audit and Risk Advisory Methodologies

Most firms don't need to build ESG assurance methodology from scratch. The discipline is the same; the subject matter is what changes. The major standards-setting bodies have already extended their frameworks to ESG:

• COSO issued Internal Control over Sustainability Reporting (ICSR) supplemental guidance, applying its five-component internal control structure to ESG disclosures.
• PCAOB's AS 2110 covers climate-related factors in financial statement risk assessment when they affect the financials (asset impairments, regulatory liabilities, going-concern indicators). There's no dedicated PCAOB sustainability assurance standard.
• The IIA's Global Internal Audit Standards identify Sustainability: ESG as an expected Topical Requirement, following Cybersecurity (released February 2025).

For risk advisory teams accustomed to ICFR work, the shift to emissions data, social metrics, and governance disclosures is mostly familiar territory.

Tackling ESG Engagement Challenges: Data, Evidence, and Capacity Constraints

Three constraints are shaping how firms scope and price ESG work today:

• Client data is not assurance-ready: Many clients have not built the data infrastructure to support an opinion. Scope 3 capture tends to be the weakest area, and teams are often asked to assure disclosures that lack a defensible evidence trail.
• Standards are still settling: Sustainability assurance has nothing close to the codified standards or interpretive precedent financial audit work relies on. Teams have to exercise professional judgment on forward-looking climate targets, double materiality, and engagements where GRI, ISSB, and ESRS conflict.
• Talent does not exist at scale: The work needs a hybrid skill set: deep assurance methodology plus substantive sustainability knowledge. The profession has not built that capacity in volume. Sustainability hiring has kept shifting even as mandatory reporting requirements scale up.

All three point in one direction. Only a different operating model works at scale: technology doing the procedural work, practitioners doing the judgment.

Using Technology and AI to Scale ESG Compliance and Assurance Services

ESG engagements generate more documents and evidence than teams can handle manually. Firms that lean on technology for gathering and validation free practitioners for the judgment calls.

Three places where technology matters most on ESG engagements:

• Document analysis at scoping: AI can review uploaded ESG documents and extract relevant data from unstructured materials like sustainability reports, supplier questionnaires, and utility invoices, compressing scoping from construction to review.
• Data validation and anomaly review: Technology can surface potential inconsistencies in emissions calculations for practitioner follow-up, instead of teams relying only on manual spot-checking. Reviewing flagged Scope 2 utility records across facilities improves both assurance quality and efficiency.
• Multi-framework evidence reuse: A single energy consumption record may support more than one framework where criteria overlap. Reusing supporting documentation across frameworks cuts the redundant collection and testing that drags down margins on multi-jurisdictional engagements.

With deadlines already here, pushing the procedural work onto technology is the most practical way to close the gap between required engagements and available practitioners.

Scale ESG Compliance and Assurance with Fieldguide

ESG engagements carry a higher administrative burden than traditional financial audits, with evidence scattered across operational, HR, environmental, and supply chain functions, and frameworks that keep shifting. Fieldguide is an end-to-end AI-native platform purpose-built for audit and advisory firms, with the engagement workflow, evidence management, and multi-framework architecture that emerging service lines need. Field Agents execute procedures across the engagement lifecycle, while practitioners review, approve, and apply professional judgment to every output. That operating model is how firms scale into new service lines without scaling headcount at the same rate. See how Fieldguide AI works in a live demo.