ASRS Assurance Requirements: What Your Auditor Will Actually Ask For
Your first sustainability assurance engagement is coming. Under ASSA 5010, auditors will test your emission calculations, trace source documents, and scrutinise governance evidence. Here's what they'll ask for — based on what Group 1 entities learned the hard way.
A Group 1 entity we've spoken with — large, ASX-listed, well-resourced — had their sustainability assurance provider walk in for the first engagement in late 2025. The team had spent months preparing disclosures. Nice formatting. Professional scenario analysis. Comprehensive narrative. The auditor's first request? "Show me the electricity bill for your Melbourne facility for October 2024, and walk me through how that bill became the number in paragraph 29."
Silence.
Not because the number was wrong. Because nobody could find the bill. It was somewhere in an accounts payable inbox, maybe forwarded to the sustainability team, maybe not. The calculation referenced a spreadsheet that pulled from another spreadsheet. The trail went cold within about three clicks.
That's what ASRS assurance requirements in Australia actually look like in practice. It isn't about whether your report reads well. It's about whether every number can survive someone pulling the thread.
What ASSA 5010 actually requires (and when)
The AUASB finalised ASSA 5010 in January 2025 and amended it in December 2025. It sets out exactly which parts of your sustainability report need assurance, and at what level, for each year of mandatory reporting. The standard applies to sustainability reports prepared under Chapter 2M of the Corporations Act 2001.
Here's the phasing that matters for most readers of this article.
Year 1 of your mandatory reporting: Limited assurance (a review, not a full audit) over three specific areas — governance disclosures under AASB S2 paragraph 6, strategy disclosures on climate risks and opportunities under paragraphs 9-10, and your Scope 1 and 2 emissions under paragraph 29. The directors' declaration on the sustainability report doesn't need to be covered by assurance in Year 1.
Years 2 and 3: Limited assurance extends to all disclosures in the sustainability report. That means risk management, metrics and targets, Scope 3 (which you'll be reporting by then), transition plans — everything.
Year 4 onward (financial years from 1 July 2030): Reasonable assurance over all disclosures. This is the equivalent of a full financial statement audit applied to your sustainability report.
For Group 2 entities with a July 2026 start, Year 1 means the financial year beginning 1 July 2026. So you're looking at limited assurance over governance, strategy, and Scope 1 and 2 emissions for that first period. Group 3 entities starting July 2027 follow the same phasing from their start date.
One detail that trips people up: ASSA 5010 requires your financial statement auditor to perform the sustainability assurance. You can't engage a separate firm. If KPMG audits your financials, KPMG does your sustainability assurance. This is deliberate — the legislation wants integrated assurance, not parallel workstreams that don't talk to each other.
Limited assurance vs reasonable assurance — the practical difference
Everyone asks this. Here's the honest answer: limited assurance is less work than reasonable assurance, but it's a lot more work than most companies expect.
Under limited assurance, the auditor performs what ASSA 5000 calls "review procedures." They're looking for anything that suggests your disclosures are materially misstated. The conclusion uses negative language — "nothing has come to our attention that causes us to believe the disclosures are materially misstated." They're testing maybe 10-20% of your underlying data in detail.
Reasonable assurance is a different animal. The auditor needs to reduce their risk to a low level, not just a moderate one. That means positive language in the conclusion — "in our opinion, the disclosures are presented fairly, in all material respects." They'll examine 80-90% of relevant evidence. Site visits. Larger sample sizes. More interviews. More source document testing.
The cost difference is real. Treasury's Policy Impact Analysis estimated total compliance costs of $1.0 to $1.3 million per entity per year for the full regime. Limited assurance engagements for mid-market entities currently run $30,000 to $80,000. When reasonable assurance kicks in from 2030, expect that to roughly double — possibly more if your data systems aren't ready. We've heard estimates from mid-tier firms suggesting reasonable assurance fees could hit $120,000 to $200,000 for entities with ten or more facilities.
But here's what matters right now: don't let "limited" assurance lull you into thinking the auditor won't dig deep. They will. They just won't dig into everything.
The five things your auditor will actually test
Forget the theory. After talking to assurance providers who've been through Group 1 engagements, and seeing what they've asked our users to produce, here's what happens in practice.
1. Source document to reported number traceability
This is the big one. The auditor picks a number from your report — say, your total Scope 2 emissions for NSW operations — and works backwards. They want to see every step: the reported figure, the calculation, the emission factor applied, the activity data (kWh consumed), and the original source document (the electricity bill from your retailer).
Every step needs documentation. Not "we think we used 0.64 kg CO2-e per kWh because that's the NSW factor." They want to see that you referenced the 2025 NGA Factors workbook, Table 1, and that the figure matches. If you used a different factor — say because of a GreenPower contract — they want to see the contractual evidence and your methodology for calculating Scope 2 emissions under the market-based method.
This is where spreadsheet-based processes fall apart. The chain from PDF bill to final number passes through human transcription, manual cell references, and calculation logic that exists only in one person's head. Auditors test this chain because they know it's fragile. And when it breaks — when a link is missing or a number doesn't reconcile — they escalate.
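The backwards walk described above can be written as a check that runs before the auditor does. This is an added example, not code from the article or from any assurance provider: the `LineItem` record, the `trace` function, the document ids and the sample bills are all constructed for illustration, and the 0.64 factor is simply the figure quoted in the text.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class LineItem:
    """One link in the chain: source bill -> activity data -> factor -> emissions."""
    doc_id: str       # key of the stored source document (hypothetical naming)
    doc_sha256: str   # digest recorded when the bill was first filed
    kwh: float        # activity data transcribed from the bill
    factor: float     # kg CO2-e per kWh that was applied
    factor_ref: str   # where the factor came from (workbook, table, year)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def trace(reported_t: float, items: list, store: dict, tol: float = 0.001) -> list:
    """Walk a reported tCO2-e figure back to its bills; return every broken link."""
    findings, total_kg = [], 0.0
    for it in items:
        doc = store.get(it.doc_id)
        if doc is None:
            findings.append(f"{it.doc_id}: source document not found")
        elif sha256(doc) != it.doc_sha256:
            findings.append(f"{it.doc_id}: document changed since it was filed")
        if not it.factor_ref.strip():
            findings.append(f"{it.doc_id}: emission factor has no documented source")
        total_kg += it.kwh * it.factor
    if abs(total_kg / 1000 - reported_t) > tol:
        findings.append(f"reported {reported_t} t does not reconcile to "
                        f"recomputed {total_kg / 1000:.3f} t")
    return findings

# Constructed sample data: two bills, one of which never reached the document store.
BILL_OCT = b"Retailer invoice (constructed) - Melbourne facility - Oct 2024 - 12847 kWh"
STORE = {"melb-2024-10": BILL_OCT}
ITEMS = [
    # 0.64 is the factor quoted in the article, not checked against the workbook here.
    LineItem("melb-2024-10", sha256(BILL_OCT), 12847, 0.64, "NGA Factors workbook, Table 1"),
    LineItem("melb-2024-11", "0" * 64, 11000, 0.64, ""),
]

if __name__ == "__main__":
    for finding in trace(15.0, ITEMS, STORE):
        print(finding)
```

Recording the digest at the moment the bill is filed is what lets the check distinguish a missing document from one that was quietly replaced later.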
2. Governance evidence
AASB S2 paragraph 6 requires you to disclose how your governance body oversees climate risks and opportunities, including management's role and whether specific controls exist. The auditor doesn't just read your disclosure. They ask for proof.
That means board minutes where climate was a specific agenda item — not just mentioned in passing during an AOB discussion. Committee charters that explicitly reference climate oversight. Delegations of authority showing who's responsible for climate data at the management level. Evidence of competency — does someone on your board actually understand emissions reporting, or is this a box-ticking exercise?
One pattern from Group 1: companies that had climate as a standing board agenda item from early 2025 sailed through governance assurance. Companies where climate appeared once in a board pack in November and again in the sustainability report... didn't.
3. Methodology documentation (your Basis of Preparation)
This is the document most companies don't have and most auditors immediately ask for. Your Basis of Preparation explains the rules you followed to create your sustainability report. Think of it as the "significant accounting policies" note in your financial statements, but for climate disclosures.
It should cover: your reporting boundary and how you determined it. Which emission factors you used and why. How you handle estimation and data gaps (because you will have them — pretending you won't is worse than documenting how you manage them). Any changes from prior period methodology. Your approach to materiality for climate disclosures.
Auditors love this document because it gives them a framework to test against. If your Basis of Preparation says you use NGA Factors 2025 for Scope 2, the auditor can verify that you actually did. If it says you estimate natural gas consumption for two unmetered sites using a square-metre intensity method, they can test whether that method is reasonable and consistently applied.
We're still working out best practice for Basis of Preparation documents across different industries — the standard doesn't prescribe a template, which means auditors' expectations vary. But having something documented is infinitely better than having nothing.
4. Data quality controls
The auditor wants to understand how errors get caught before they reach the report. Who reviews the data? Is there a second-person check? What happens when a bill looks wrong — is there a process, or does someone just quietly fix it?
This is directly connected to the ANAO's finding that 72% of NGER reports contained errors in the scheme's early years. Auditors know emissions data is error-prone. They're not expecting perfection. They're expecting a system that catches mistakes.
If your current system is one person entering data into Excel with no review process, say that honestly in your risk assessment and explain what compensating controls exist. Maybe the person reconciles against energy retailer portal data quarterly. Maybe there's a reasonableness check against prior periods. These aren't fancy controls, but they're real ones that auditors can evaluate.
What they can't evaluate is "Sarah checks it and she's been doing this for years." That's a key-person risk, not a control.
5. Completeness of emissions inventory
Did you capture everything? The auditor checks whether your Scope 1 and 2 boundary captures all material sources. They'll ask about facilities you might have missed — leased premises where you pay utilities directly, backup generators, fleet vehicles, refrigerant top-ups.
The NGER Act's facility definition (section 9) doesn't map neatly to physical buildings, and the same ambiguity carries into ASRS. A construction company's "facility" might be a project site that exists for eighteen months and then closes. A property manager's boundary might shift when a tenant moves from a gross to net lease. Auditors probe these edge cases because incomplete boundaries are one of the most common sources of material understatement.
If you're already an NGER reporter, your existing facility boundary is a good starting point — but remember that AASB S2 uses AR6 GWP values while NGER uses AR5, so you'll need to reconcile the difference even where the boundary is the same.
The engagement timeline (what actually happens, week by week)
Most limited assurance engagements for mid-market entities run eight to twelve weeks from kickoff to signed report. Here's a realistic breakdown.
Weeks 1-2: Planning and scoping. The auditor reviews your prior year financial audit, understands your operations, and identifies what they'll focus on. They'll send you an initial document request list. This is where they ask for your Basis of Preparation, your emissions inventory, your governance documentation, and access to your data systems. If you don't have these ready, the engagement stalls before it starts.
Weeks 3-5: Fieldwork. They test your numbers. They sample source documents. They interview your sustainability manager, your CFO, possibly a board member. Under limited assurance they might select 15-25 source documents across your operations for detailed tracing. They'll test whether your emission factors match the NGA Factors workbook. They'll check unit conversions. They'll look at whether your reporting boundary is complete.
Weeks 5-7: Issue resolution. Every assurance engagement finds something. Maybe a gas bill was entered in GJ when it should have been MJ. Maybe a facility was excluded from the boundary without a documented rationale. Maybe a board minute references climate but doesn't evidence actual decision-making. The auditor raises these as findings and you have a window to respond, correct, or explain.
Weeks 8-10: Reporting. The auditor drafts their assurance report. For limited assurance, this is a review conclusion. They'll share a draft management letter highlighting control deficiencies they want you to address before next year.
Two things slow this process down more than anything else: missing source documents and undocumented methodology. Both are fixable. Neither is fixable during the engagement.
Choosing your assurance provider (you don't actually choose)
Here's the bit that catches most people. Under the legislation, your sustainability assurance must be performed by the same firm that audits your financial statements. So if Deloitte is your financial auditor, Deloitte does your sustainability assurance. Full stop.
This matters because the sustainability assurance team within your audit firm might be different people from your regular audit team. They'll have sustainability expertise, but they might not know your business yet. Start that relationship early — ask your audit partner to introduce you to their sustainability assurance lead now, not three weeks before the engagement starts.
What you can influence is how that engagement goes. Companies that do a pre-assurance readiness assessment with their auditor — essentially a dry run six months before the real engagement — consistently have smoother first-year experiences. The auditor tells you what they'll ask for. You fill the gaps. Nobody gets surprised in December.
For companies that are also selecting a new financial auditor (maybe the current firm is rotating off), sustainability assurance capability should be a selection criterion. The Big Four all have dedicated teams now. Mid-tier firms like BDO, Grant Thornton, and Pitcher Partners have been building capacity fast — Grant Thornton in particular has been recruiting senior sustainability assurance specialists from Big Four firms throughout 2025. Mid-tier firms often offer more partner-level attention and faster response times, which matters when you're working through issues at pace.
How we built Carbonly's audit trail for exactly this problem
We spent 18 years in enterprise data platforms at BHP, Rio Tinto, and Senex Energy before building Carbonly. One thing that was drilled into us across mining and resources: if you can't prove where a number came from, the number is worthless to a regulator.
That thinking shapes everything about how our AI document processing pipeline works. When Carbonly extracts a figure from a utility bill — say, 12,847 kWh from an Origin Energy bill for your Parramatta office — it stores the original PDF, the extracted data point, the confidence score, the emission factor applied (with a reference to the specific NGA Factors table and year), and the calculated emissions. Every step is logged with a timestamp.
When your auditor asks "show me the source document for this number," you don't go hunting through inboxes. You click one link. The bill is there. The extraction is there. The calculation is there. The factor reference is there.
That's not a feature we added as an afterthought. It's the reason we built the platform. Because we knew that ASRS Group 2 reporting would make thousands of mid-market companies face an assurance provider for the first time, and most of them would be running spreadsheet processes that can't survive the first audit question.
We're honest about what Carbonly doesn't do. It won't write your scenario analysis. It won't prepare your governance disclosures. It won't tell your board what to put in their minutes. But the part of assurance that causes the most pain — proving that your emission numbers trace back to real source documents through a documented calculation chain — that's exactly what it does.
Start with the document request list
If you take one thing from this article, make it this: ask your auditor for their standard document request list before the engagement starts. Every firm has one. It typically runs 30-50 line items. Some of them you'll have. Some of them you won't.
The gap between those two lists is your preparation workplan. Start closing it now, not when the engagement letter arrives.
Assurance doesn't need to be painful. It needs to be prepared for.
Carbonly.ai provides the auditable emissions data trail that ASRS assurance providers require — from source document to reported number, with every step logged. Built for Australian emission factors, NGER alignment, and the specific evidence requirements of ASSA 5000 and ASSA 5010.