How to Prepare Sustainability Data for External Assurance
External assurance is now a mandatory requirement for Australian climate reports. Here's what assurance providers will look at, what they'll ask for, and how to get your data ready.
Walid Hajj
Co-founder, Ayika Labs
Under the ASRS framework, external assurance of sustainability reports is mandatory from year one. Most entities starting with limited assurance, with reasonable assurance phased in over subsequent years. This means an independent assurance provider — typically an audit firm or specialist sustainability assurance practitioner — will review your figures and issue a formal conclusion.
Understanding what assurance providers actually do, and preparing your data accordingly, is one of the most practical investments you can make before your first mandatory report.
What limited assurance means
Limited assurance is defined under ASSA 5000 as a conclusion expressed in negative form: “Based on our procedures, nothing came to our attention that causes us to believe the information is materially misstated.”
It requires less evidence than reasonable assurance, but it is still substantive. The assurance provider will:
- Review your emissions methodology and assess whether it is appropriate
- Test a sample of underlying calculations against source documents
- Review your governance and completeness controls
- Assess whether any material areas are excluded without disclosure
- Consider the appropriateness of your emission factor selection
A common misconception is that limited assurance is “easy” or largely a tick-and-flick. For a well-prepared organisation with clean data and clear methodology, it flows smoothly. For an organisation with incomplete data, undocumented methods, and no source document linkage, it is painful — and may produce a qualified conclusion.
The assurance package
Assurance providers will ask for a documentation package to support their review. While each firm has its own process, you should typically expect to provide:
1. Methodology documentation
A written description of:
- The organisational boundary you’ve applied (operational control, equity share, or financial control)
- The reporting period
- Which GHG Protocol categories are included and excluded (and why)
- The emission factor source and version used
- How activity data is collected, by source type
- How gaps or estimated values were handled
- The review and approval process for the final figures
This doesn’t need to be a 50-page document. A clear 5–10 page methodology note covers most of what assurance providers need.
2. Data register
A complete register of every data input used to calculate your reported figures:
- Data source (invoice, meter read, fuel card, etc.)
- Site and period coverage
- Actual vs estimated (with estimation method for estimates)
- Completeness status
The data register is your evidence that the figures are complete — that you’ve accounted for every expected source.
3. Source documents
For the sample of transactions the assurance provider selects, you need to produce the original source document (invoice, meter reading, delivery docket) that supports the figure. These must be retrievable. “I’ll have to look for it” is not an acceptable response to an assurance request.
4. Calculation workings
The calculation linking each activity data point to its CO₂e figure: the consumption figure, the factor applied, the reference for the factor, and the result.
5. Internal review records
Evidence that someone within the organisation reviewed the figures before they went into the report. This could be an approval email, a sign-off on a formal review sheet, or a logged approval in a system.
Timeline: when to engage your assurance provider
The single most common mistake organisations make is engaging their assurance provider too late. Assurance is not a sign-off at the end of the process — it’s a review that works best when the data is already well-structured and documented.
A typical timeline:
| Activity | Timing |
|---|---|
| Engage assurance provider | 3–4 months before report due date |
| Provide draft methodology | 8–10 weeks before due date |
| Provide data package | 6–8 weeks before due date |
| Fieldwork (provider review) | 4–6 weeks before due date |
| Review of draft report | 2–3 weeks before due date |
| Final conclusions issued | 1–2 weeks before due date |
Getting the source documents, methodology, and data register ready 6–8 weeks before the report is due should be your target.
What triggers a qualified conclusion
An assurance provider will issue a qualified or adverse conclusion when:
- A material portion of the figures cannot be verified against source documents
- The methodology has material gaps or inconsistencies
- An error is identified that materially affects the reported figures
- The scope is significantly incomplete without adequate disclosure
Each of these is avoidable with preparation. The most common trigger is the first one: figures that can’t be traced back to source documents because the link was never maintained.
Preparation checklist
Before handing your data to an assurance provider, run through this checklist:
- Methodology is documented and consistent with GHG Protocol
- Organisational boundary is defined and applied consistently
- All expected data sources are in the data register
- Each data point is tagged with a source document reference
- Emission factor versions are recorded for every calculation
- Estimated values are flagged and their estimation method documented
- An internal review sign-off exists
- Source documents are retrievable by reference
Ayika maintains the documentation trail that makes assurance straightforward — source links, factor references, methodology records, and review approvals are stored with the data. See how assurance preparation works in the platform.
From Ayika Labs
Ready to see how Ayika handles your reporting?
Built specifically for construction and infrastructure teams in Australia. Book 15 minutes to see it in action.