ASSA 5010 in Practice: The 8 Evidence Tests Your...

Your first sustainability assurance engagement won't start with a conversation about strategy. It won't start with your scenario analysis or your transition plan narrative. It will start with a request that sounds something like this: "Pick any Scope 2 number in your report. Now show me the bill."

That's the reality of ASSA 5010 limited assurance in Australia. The AUASB finalised the standard in January 2025, and it's now operative for all entities preparing sustainability reports under Chapter 2M of the Corporations Act 2001. Group 1 entities are already in the thick of it. Group 2 entities starting from July 2026 are next. And most of them have never been through anything like this for emissions data.

We've spent 18 years building enterprise data systems at BHP, Rio Tinto, and Senex Energy. Audits were a fact of life in those environments. Financial audits. Safety audits. Environmental compliance audits. The one constant? Auditors don't care about your narrative. They care about your evidence chain. The same principle applies to ASSA 5010, only now it's your carbon numbers under the microscope.

What ASSA 5010 puts in scope (the short version)

We've covered the full ASSA 5010 phasing timeline in a separate post. But for context here, the key points are:

Year 1: Limited assurance over governance disclosures (AASB S2 paragraph 6), strategy on risks and opportunities (paragraphs 9-10), and Scope 1 and Scope 2 emissions (paragraph 29).

Years 2 and 3: Limited assurance extends to all disclosures in the sustainability report, including Scope 3, transition plans, risk management, and metrics and targets.

Year 4 onward (from 1 July 2030): Reasonable assurance over everything.

Limited assurance isn't a free pass. Under ASSA 5000, the practitioner uses inquiry and analytical procedures to identify whether anything suggests your disclosures are materially misstated. They express a negative-form conclusion: "nothing has come to our attention..." But that doesn't mean they only glance at the report. They pull threads. They sample source documents. They test calculations. And if something doesn't add up, they're required to dig deeper until they can either clear the issue or flag it as a material misstatement.

ASIC's published FAQs make the enforcement posture clear: they'll take a "pragmatic and proportionate approach" during the early years, but they're "more likely to commence an enforcement investigation where we see misconduct of a serious or reckless nature." Translation: honest mistakes get grace. Sloppy data governance doesn't.

Here are the eight evidence tests that auditors actually run during a limited assurance engagement over climate disclosures. These aren't theoretical. They're based on what assurance providers have been asking Group 1 entities to produce since late 2025, cross-referenced with the requirements in ASSA 5000 and the NGER (Measurement) Determination.

1. Data completeness: prove nothing material was left out

The auditor's first question isn't about the numbers you reported. It's about the numbers you didn't.

They want evidence that your emissions inventory is complete. That means a documented list of every facility under your operational control, every emission source within each facility, and a rationale for anything excluded. Under the NGER Act (section 9), a "facility" isn't necessarily a building. It's an activity or series of activities. Construction project sites, vehicle fleets, remote camps, leased offices where you pay the utility bill directly: these all potentially qualify.

The auditor will cross-reference your facility list against your corporate structure. If you acquired a business mid-year, they'll ask whether those emissions were included from the acquisition date. If you divested, they'll check whether you correctly stopped counting at the divestment date. Joint ventures get special attention because operational control (sections 11-11B of the NGER Act) is genuinely ambiguous in JV structures.

What trips companies up: forgetting about small sources. Backup diesel generators that run 20 hours a year. Refrigerant top-ups on air conditioning systems. Company cars that aren't in the fleet management system. Individually, each might be immaterial. Collectively, they sometimes aren't. Your Basis of Preparation should document a materiality threshold for excluded sources, and the auditor will test whether that threshold is reasonable.

2. Data accuracy: trace the number to the source document

This is the test that breaks most spreadsheet-based processes.

The auditor selects a sample of reported figures (under limited assurance, typically 15 to 25 data points across your operations) and traces each one backwards. They start at the number in your AASB S2 disclosure, work through the aggregation, down to the facility-level calculation, through the activity data, and all the way to the original source document. An electricity bill from your retailer. A fuel delivery docket. A gas invoice.

Every link in that chain needs to be documented and retrievable. Not "I think it's in an email somewhere." Not "the contractor sends those to accounts payable." The actual document. With the actual numbers matching what was entered into your system.

The Clean Energy Regulator requires NGER reporters to retain records for five years from the end of the reporting year. That means your 2025-26 source documents need to be accessible until at least June 2031. If an auditor asks for the Origin Energy electricity bill for your Parramatta office from February 2026 and you can't produce it, that's a finding. A finding that, if repeated across enough data points, becomes a scope limitation on the assurance conclusion.

We're not going to pretend this is easy. For a company with 15 facilities processing 200 utility documents per quarter, that's 800 source documents per year that need to be stored, indexed, and linked to their downstream calculations. Most organisations we talk to are doing this in shared drives or email folders. Some are doing it well. Many aren't.

3. Calculation method: which method, applied how?

Under the NGER (Measurement) Determination 2008, reporters can choose from multiple estimation methods for each emission source. For fuel combustion, there are four methods. Method 1 uses default NGA emission factors multiplied by fuel quantity. Method 2 requires facility-specific sampling and analysis of the fuel's energy content and emission characteristics. Methods 3 and 4 use progressively more direct measurement approaches.

Your auditor will ask which method you used for each emission source. Not at the entity level. At the source level. You might use Method 1 for diesel across your fleet (quantity times default factor) but Method 2 for natural gas at a large manufacturing facility where you've had the gas analysed.

The method choice needs to be documented in your Basis of Preparation. And critically, it needs to be applied consistently. If you used Method 1 for diesel at Site A, you should be using Method 1 for diesel at Site B, unless there's a documented reason for the difference.

Where this gets genuinely tricky is at the NGER-ASRS boundary. NGER uses AR5 global warming potentials (methane = 28). AASB S2 references the latest IPCC assessment, which is AR6 (methane = 27.9 for fossil sources). If you're an NGER reporter who's also reporting under ASRS (and most will be, since NGER reporters are automatically captured under ASRS Group 2), you may need to produce two sets of numbers from the same activity data using different GWP values. Your auditor will want to see that both calculations are correctly derived and clearly distinguished.

4. Emission factor provenance: which version of which factor?

This one is more specific than "did you use the right factor?" The auditor wants to know the pedigree of every factor you applied.

For Scope 2 electricity, that means: which edition of the NGA Factors workbook? The 2025 edition updated state-based grid factors across all jurisdictions. Victoria went to 0.78 kg CO2-e/kWh. NSW dropped to 0.64. Queensland fell to 0.67. Tasmania jumped to 0.20. If you used the 2024 edition's factors for a 2025-26 reporting period, that's an error. If you can't demonstrate which edition you used because your spreadsheet just has a number in a cell with no source reference, the auditor can't verify it either way.

We've written extensively about emission factor versioning and why it matters for audit trails. The short version: every factor should carry a reference to its source (NGA Factors 2025, Table 1), the date it became effective, and a link between that factor version and every calculation it was used in. When DCCEEW publishes the 2026 edition and some factors change, historical calculations should still reference the factor that was valid at the time. Overwriting last year's factor with this year's number is how audit trails die.

For companies using non-standard factors (product-specific EPDs, supplier-provided emission factors for Scope 3, custom energy content factors under NGER Method 2), the documentation burden is even higher. The auditor needs to see the original source of the factor, evidence that it's applicable to the specific activity, and justification for why it was preferred over the default NGA factor.

5. Boundary completeness: is operational control correctly defined?

This test overlaps with data completeness but focuses specifically on whether your organisational boundary is right, not just whether you've captured everything within it.

Under NGER, the boundary is defined by operational control (sections 11-11B of the NGER Act). Under AASB S2, you follow the same boundary as your financial statements, which is typically a consolidation basis. For most companies these produce similar results. But not always.

The auditor will ask for a boundary determination document. This should map every entity in your corporate group, identify which ones are within your operational control or consolidation boundary, and flag any that changed during the reporting period. Acquisitions, divestments, joint ventures, changes in management agreements for properties, new project sites that crossed the NGER facility threshold: all of these can shift the boundary.

The gap we see most often? Property managers. A commercial property manager might control 30 buildings but only pay the utility bills directly for 12 of them. The rest are tenant-paid. Whether those tenant-paid utilities fall within the property manager's Scope 1 and 2 boundary depends on who has operational control over the energy procurement decisions. It's genuinely ambiguous in some lease structures. The auditor won't expect a perfect answer to every edge case, but they will expect documented reasoning.

6. Process controls: who can change data, and is it logged?

This is where the audit shifts from testing numbers to testing systems. The auditor wants to understand your control environment around emissions data.

Specific questions they'll ask: Who has access to enter or modify emissions data? Is there a segregation between the person who enters data and the person who approves it? What happens when someone changes a number after initial entry? Is there an edit log showing the original value, the new value, who changed it, and when?

For NGER reporters, the Clean Energy Regulator's compliance guidance notes that "while the NGER Act does not explicitly require corporations to implement such controls, their absence can lead to persistent and significant reporting inaccuracies." The Beach Energy enforceable undertaking in July 2025 was driven in part by the absence of adequate internal controls. The CER's remedy? Three years of externally commissioned reasonable assurance audits at the company's expense, plus a consultant to rebuild the control framework.

Your auditor will also ask about period locking. Can someone go back and modify Q1 data after Q1 has been submitted? In a spreadsheet, the answer is always yes. That's a control weakness. The auditor won't necessarily give you a qualified opinion for it under limited assurance, but they'll flag it in their management letter as something to fix before reasonable assurance kicks in from 2030.

We're honest about this: most mid-market companies don't have formal change management processes for emissions data yet. We're not sure there's a single "right" model for this across all industries. But at minimum, your auditor will expect to see an approval workflow where someone senior signs off on the final numbers before they go into the report. A timestamp on that sign-off. And some evidence that the person signing actually reviewed the data, not just clicked "approve."

7. Consistency: same methods, same factors, across all sites and periods

Auditors are trained to spot inconsistency because it's often the canary in the coal mine for deeper problems.

They'll compare your methodology across sites. Are you using the same NGER method for diesel at every facility? Are you applying the same NGA emission factor edition across all electricity calculations? If you switched from location-based to market-based Scope 2 accounting mid-year for some sites but not others, they'll want to know why.

They'll also compare year-on-year. If your emissions dropped 15% but your revenue grew 8%, they'll run analytical procedures to understand whether that's genuine (maybe you switched to renewable energy, installed solar, or closed a high-emitting facility) or whether something was omitted or miscalculated. These analytical procedures are a core part of limited assurance under ASSA 5000. The auditor doesn't need to test every number when the overall picture tells a story. And if the story doesn't make sense, they'll dig into the specific numbers that don't fit.

Any methodology change between years needs to be disclosed and explained. AASB S2 (paragraph 20) requires disclosure of changes in the estimation methods or assumptions used. If you changed your Scope 3 calculation methodology from spend-based to activity-based (or vice versa), the auditor needs to see that disclosed, with restated comparatives where practicable.

8. Evidence retention: can you produce the source document for any number?

This is the foundational test that underpins all the others. Not "do you have the right number" but "can you prove it."

NGER requires five-year retention from the end of the reporting year. ASRS doesn't specify a separate retention period, but your auditor will expect at least the same standard. Records must be in a format that can be "easily accessed," per the Clean Energy Regulator's guidance. A box of paper invoices in a warehouse technically counts, but good luck producing a specific bill within the two-week window of an assurance engagement.

What counts as a "record" under NGER is broad. It includes: the source documents themselves (bills, invoices, delivery dockets), the data extracted from those documents, the calculations performed, the emission factors used and their source references, the methodology selection rationale, and any business decisions about reporting scope or boundary.

Consider a mid-market entity with 20 facilities over a five-year retention window. That's potentially 4,000+ source documents that need to be retrievable, indexed by facility, period, and emission source. Plus the calculations derived from each one. Plus the factor version applied to each calculation.

If your current system is "PDFs in a shared drive sorted by date," you can probably survive a Year 1 limited assurance engagement where the auditor samples 20 documents. You probably won't survive a Year 4 reasonable assurance engagement where they sample 200.

The audit-ready test

Here's the question we use internally, and it's the simplest way to know whether you're prepared.

Pick any number in your NGER report or AASB S2 disclosure. Any one. Now trace it back through four layers: the reported figure, the calculation that produced it, the emission factor version applied (with source and effective date), the activity data extracted, and the original source document.

Can you do that in under five minutes, for any number someone picks at random? If yes, you're audit-ready. If it takes 30 minutes of searching through email threads and shared drives, you've got work to do. And if the trail goes cold at any point, if you can't find the bill, can't confirm the factor version, can't show who approved the final number, that's exactly what an auditor will find too.

This isn't about perfection. Limited assurance accepts that data quality is still maturing for most Australian entities. ASIC has said they'll be proportionate. But "proportionate" still means your evidence chain has to exist. A disclosed limitation is forgivable. A missing audit trail is not.

Carbonly was built to make that click-through test trivially easy. Every record links to its source document. Every emission factor carries version history with effective dates. Every change is logged with who changed what, when, and why. Period locking prevents post-submission modifications. Approval workflows capture sign-off timestamps. That's not marketing language. It's the architecture we chose because we knew this exact audit scenario was coming for thousands of Australian companies.

If you want to see how it works for your reporting structure, reach out at hello@carbonly.ai. We price per project.

Related Reading: