10.05.2026

The first CSRD audits for the 2025 financial year will be signed in the second quarter of 2026. In most DACH corporations, the auditor will sit down with IT executives for the first time and ask an uncomfortable question: Which system provides the server energy numbers, and who can verifiably prove it? If you can’t answer this question in two sentences, you have a data chain gap between asset register, electricity contract, and ESG report, and the finding will end up in the audit reservation.

Key Takeaways

  • Situation: First CSRD audits for 2025 will be signed in Q2 2026. Auditors are scrutinizing Scope 2 electricity and Scope 3 cloud emissions with the same rigor as an HGB balance sheet, and most medium-sized companies have not yet hardened their data chain.
  • Leverage: IT holds the data chain for server power, cloud workloads, and end devices. Consolidating asset registers, electricity contracts, and ESG reporting into one data source per metric reduces audit preparation from eight weeks to two.
  • Consequence: An audit reservation for ESG metrics in 2026 is no longer just noise. Banks, major customers, and insurers use the reports for their own supply chain obligations and amplify the impact of every inaccurate line.

What is actually audited in the first CSRD assurance statement

What is a CSRD assurance statement? A CSRD assurance statement is the external audit of sustainability reporting by an auditor within the framework of the EU’s Corporate Sustainability Reporting Directive. The audit covers information on Scope 1, Scope 2, and Scope 3 emissions, energy consumption, climate risks, and social indicators with limited assurance, and from 2028 with reasonable assurance.

In the first wave, the Big Four audit firms are using adapted assurance programs structurally close to the annual financial statement audit. This means specifically for IT: server power numbers must come from sources that are verifiable in a sample audit. Cloud emissions require a provider’s proof that matches the reporting cutoff. Device numbers must be reconciled with asset management.

The most common findings in the pilot assurance statements of recent months are not incorrect numbers, but a lack of traceability. A table was built from three tools, but no one can say which value was pulled on which date. Provider reports are available, but not versioned. Asset registers and power contracts are on different meter readings, without anyone having explained this in writing.

Boardroom Insight

68 %
According to the KPMG ESG Survey 2026, 68% of medium-sized companies subject to reporting obligations expect a qualified opinion in the first reporting year, primarily in the areas of IT energy and cloud emissions.
Source: KPMG ESG Reporting Maturity Survey 2026

Three gaps that the auditor finds first

From the completed pilot assurance statements, three recurring weak points can be reconstructed where the IT data chain breaks.

Firstly, the asset register. What is maintained in the CMDB system is rarely congruent with what actually runs in the server room. Devices are disposed of without the entry being removed, and new hardware is added without appearing in the balance sheet. If the energy number is calculated per asset, this gap directly affects the ESG report. Pilot projects around Scope 3 emissions for CIOs have shown this multiple times.

Secondly, the power contract. Colocation providers often calculate on a quarterly basis, some on an annual basis. If a monthly energy value is reported, it has either been estimated or derived from a sub-measurement that the auditor does not know. This is exactly where the question arises as to which value applies on which date. Contracts with sub-metering must be explicitly referenced.

Thirdly, the ESG reporting tool. Most companies have introduced a specialized platform in preparation, often parallel to the existing BI landscape. Data flows between the ESG tool and CMDB are rarely documented, and mappings are manually maintained. If this cannot be shown in a data flow diagram, the company will receive one follow-up question after another during the audit.

The 90-Day Plan Before the Audit

Those who start now will have a robust data chain by the end of Q2.

90-Day Plan: Bring IT Data Chain up to Audit Standards

  • Weeks 1-3: Data Flow Diagram. For each metric in Scope 2 and Scope 3 IT, document the source, tool, reference date, and responsible party. One page, visible in the audit folder.
  • Weeks 4-6: Asset Register Reconciliation. Sample check of 30 servers and 200 endpoints against the CMDB. Explain and resolve differences in writing, rather than just adjusting them cosmetically.
  • Weeks 7-10: Consolidate provider documentation. Version and date AWS, Azure, and GCP Scope 3 reports, and store them in the ESG tool. Reference colocation contracts with sub-metering verbatim.
  • Weeks 11-13: Internal Audit Dry Run. Practice internally the two or three questions the external auditor will ask. Identify who from IT, ESG, and finance will be present, who will respond, and who will provide documentation.

Who is Responsible for the IT Data Chain

The most common friction in the pilot audit was organizational. ESG managers often come from sustainability or finance, IT asset data resides in infrastructure, and power contracts are handled by procurement or facilities. If no one is responsible for the data chain as a whole, it will not be reliable.

In companies that passed the pilot audit without reservations, a designated person oversees this interface. The title is secondary, but often it’s a senior IT strategy lead or a sustainability-IT manager who reports directly to the CIO. This role has access to the CMDB, procurement, ESG tool, and auditor, and ultimately signs off on the data chain documentation. Without this person, the audit is a gamble.

Those who do not establish this role in 2026 will have to set it up under audit pressure in 2027. The difference is that preparation will then take place under the next reporting cycle, and the AI budget question will simultaneously put pressure on the same IT team.

Frequently Asked Questions

Which companies are required to comply with CSRD for the first time in 2026?

In Germany, large stock companies and large partnerships are required to report as of the 2025 financial year, if they exceed two of the following three thresholds: 250 employees, €50 million in revenue, €25 million in balance sheet total. The audit for this will be signed in spring 2026. Medium-sized businesses that have previously reported voluntarily usually fall under external review with limited assurance immediately.

What is limited assurance and how does it differ from the annual financial statement audit?

Limited assurance is a reduced audit depth compared to reasonable assurance in the HGB annual financial statement audit. The auditor formulates their opinion as a negative assurance: They have not found any indications that the information is incorrect. This may seem minimal, but it is enough to express reservations if the data chain is not verifiable. From 2028, CSRD requires reasonable assurance, with the same level of rigor as the balance sheet audit.

Should cloud emissions be reported under Scope 2 or Scope 3?

In practice, cloud emissions end up in Scope 3 category 1 (purchased goods and services). AWS, Azure, and GCP now provide detailed reports with lifecycle values. Self-operated servers in own premises or colocation fall under Scope 2 (purchased energy). If workloads are distributed across multiple providers, a consolidated table and a clean reference to the provider records are required.

How time-consuming is data chain documentation in practice?

In mid-sized setups with three to five cloud providers and a manageable on-premises landscape, this requires one to two person-months of effort for the first iteration. In the following year, this becomes a quarterly update with two to three person-days. The more expensive option is when documentation is created while the auditor is already on site and asking questions.

About the Author

Eva Mickler is a Senior Project Manager at Evernine. She knows transformations where the method had a name and the result was a gap. She writes about projects where discipline makes the difference and calls out the places where theory meets operations.

A magazine by Evernine Media GmbH