The CFO Playbook for First AASB S2 Climate...

You will sign the AASB S2 statement in your company's first integrated annual report. The signature has personal director liability attached. The modified liability shield in section 1707D of the Corporations Act protects forward-looking statements made on a reasonable basis, but the shield expires for financial years starting after 31 December 2027. Current-year Scope 1 and 2 emissions, governance disclosures, and materiality assessments are not protected at any point.

Group 2 entities begin reporting for financial years starting on or after 1 July 2026. That's about a month from now. Most Group 2 CFOs we observe have spent six months in board papers and TCFD gap analyses, yet still don't have a practitioner-grade understanding of what they will actually be signing. This is a finance-leader view of that question.

What you're actually signing

The directors' declaration under section 295 of the Corporations Act now includes climate-related statements. The relevant statutory provisions sit in Chapter 2M, Part 2M.3, as amended by the Treasury Laws Amendment (Financial Market Infrastructure and Other Measures) Act 2024. The sustainability report sits inside the annual report, alongside the financial statements, signed by the same directors, audited by the same auditor, governed by the same audit committee charter.

In Year 1 (financial years between 1 January 2025 and 31 December 2027), the directors' declaration is modified. Directors declare that, in their opinion, the entity has taken reasonable steps to ensure the sustainability report is in accordance with the Corporations Act and AASB S2. That's a lower bar than the equivalent declaration on financial statements, and it reflects ASIC's expectation in Regulatory Guide 280 that systems and controls will mature over the transition years.

The "reasonable steps" formulation is the only concession. The director sign-off, the personal liability framework, the audit committee oversight, the Chapter 2M lodgement process, and ASIC enforcement powers are all otherwise identical to financial statement obligations.

The basis of preparation: this is your accounting policy note

If you take one thing from this piece, take this. The basis of preparation document is the AASB S2 equivalent of your accounting policy note. It carries the same weight under audit. It survives staff turnover. It defines what the auditor will test against. And it is almost always the first document ASIC will request in a surveillance review.

A complete basis of preparation covers, at minimum:

Reporting boundary and consolidation method. Operational control, financial control, or equity share. Disclosed and applied consistently across all metrics. We've written separately on the consolidation method selection because the choice has material consequences for which Scope 1 and 2 figures you report.
Materiality thresholds. Both qualitative and quantitative. Documented, not assumed. See the materiality threshold work for why the 5% rule of thumb from financial statements doesn't translate cleanly.
GWP set used. AR5, AR6, or hybrid. NGER currently uses AR5; AASB S2 paragraph 29 references the latest IPCC assessment, which is AR6. If you run a hybrid, document it.
Emission factor sources and version dates. NGA Factors 2025 edition for Australian electricity. EPDs for materials. Activity-specific factors for fleet.
Methodology selections for each metric. Location-based versus market-based Scope 2 (AASB S2 paragraph 29(a)(v)). Spend-based versus activity-based Scope 3.
Definition of forward-looking statements and which 1707D protections you are relying upon.

If the basis of preparation is not finalised before the disclosure is drafted, the disclosure is not auditable. That sequence isn't negotiable in the financial statements process, and it isn't negotiable here either.

The modified liability shield: what 1707D actually does

Section 1707D of the Corporations Act provides limited civil penalty relief for certain disclosures during the transition period. Only ASIC can bring civil proceedings in respect of a Protected Statement; private actions are confined to criminal matters. The shield covers two distinct categories.

Protected for financial years between 1 January 2025 and 31 December 2027:

Scope 3 greenhouse gas emissions disclosures
Scenario analysis disclosures
Transition plan disclosures

Protected only for financial years between 1 January 2025 and 31 December 2025:

All forward-looking statements in the sustainability report
The auditor's report on those forward-looking statements

Not protected at any point:

Current-year Scope 1 emissions
Current-year Scope 2 emissions
Governance disclosures (AASB S2 paragraphs 6 to 8)
Materiality assessment process and conclusions
Any statement made knowingly false, recklessly, or without reasonable basis
Any statement made outside the formal sustainability report (investor presentations, marketing claims, ASX announcements)

The last category is the one most finance leaders underestimate. The protections live inside the four corners of the annual report. The moment a number leaves the document and lands in a CDP submission, an investor presentation, or a Climate Active claim, the ACCC greenwashing framework applies and so does the unmodified Australian Consumer Law. The Mercer, Vanguard, and Active Super matters all sat in that category.

The expiry date matters too. By the time Group 3 entities are filing for FY28, the modified liability shield is fully expired. Group 2 entities filing for FY27 still have one transition year of cover on Scope 3, scenarios, and transition plans.

ASIC surveillance and the personal liability dimension

ASIC has named climate disclosure as a supervision priority in its 2025-26 corporate plan. The surveillance approach is consistent with how financial statement misstatements are handled: declaration of contravention under section 1317E, civil penalty under section 1317G.

For an individual, the maximum civil penalty under section 1317G is the greater of 5,000 penalty units (currently $1.65 million at the $330 penalty unit value) or three times the benefit derived. For a body corporate, the maximum is the greatest of 50,000 penalty units ($16.5 million), three times the benefit derived, or 10% of annual turnover capped at 2.5 million penalty units. These are the same penalty provisions used in the financial statement context. The numbers are not theoretical.

ASIC's pattern in the greenwashing enforcement cases signals what to expect. The regulator builds cases on documentary evidence: what the basis of preparation said, what the supporting calculations showed, what the methodology document specified, and where the disclosure departed from any of those. The defence to a misstatement claim is the audit trail. There is no other defence that holds.

This is the personal accountability framing finance leaders will recognise from the Sarbanes-style controls discussion in the early 2000s. The standard is not perfection. The standard is documented, reasoned, supported.

The audit committee charter implications

In most ASX-listed structures, the audit committee charter does not currently authorise the committee to oversee sustainability disclosures. The charter typically references "financial reporting" and "the financial statements", and that's it. The remedy is a charter amendment that explicitly adds sustainability report oversight, climate-related risk management oversight, and assurance provider engagement on the sustainability report.

Get the charter amendment through the board before the disclosure is drafted, not after. Auditors reviewing first-year disclosures are testing governance documentation as part of the limited assurance scope. A retroactively amended charter is a finding.

The committee will also need a sustainability report management representation letter analogous to the existing financial statements representation letter. Same structure, different subject matter. The CFO and CEO sign it. The auditor relies on it. The audit committee reviews it.

Materiality: the question every CFO will be asked at audit

Climate materiality under AASB S2 follows the financial materiality lens (impact on the entity), not the double materiality lens used under the European CSRD framework. That sounds like familiar ground for a finance leader. It isn't, quite.

The 5% rule of thumb from financial statements doesn't translate. A 4% error in a Scope 1 figure can be material if:

The entity is within 10% of a Safeguard Mechanism baseline
A sustainability-linked loan KPI references the affected metric
A publicly announced reduction target is calculated against the affected baseline
The error pattern suggests a methodology fault that propagates across periods

Quantitative thresholds need to be documented in the basis of preparation. Qualitative factors need to be explicit. "Materiality is assessed in line with AASB S2" is not enough. ASIC RG 280 sets the expectation that the assessment is reasoned and recorded.

What the auditor will actually do under ASSA 5010

The Auditing and Assurance Standards Board's ASSA 5010 governs assurance over sustainability information. In Year 1 (FY26 for Group 1, FY27 for Group 2), the auditor provides limited assurance over governance disclosures, strategy disclosures at AASB S2 paragraphs 9(a), 10(a) and 10(b), and Scope 1 and Scope 2 emissions at paragraph 29. By Year 4 (FYs from 1 July 2030), it steps up to reasonable assurance over everything.

The auditor will:

Walk through the basis of preparation and challenge methodology selections
Sample-test source documents for emission records
Recompute material disclosures from underlying data
Review governance documentation including audit committee minutes
Issue an opinion that sits in the annual report alongside the opinion on the financial statements

We've covered the eight specific tests an ASSA 5010 auditor runs in detail. The short version: the auditor cannot accept a number without a source document trail. If your finance team has built that discipline for invoices and journals, the same discipline now applies to fuel dockets, utility bills, refrigerant invoices, and waste manifests.

Internal controls over sustainability reporting

The same internal controls framework that supports financial statements has to extend to climate data:

Source document retention. NGER requires five years minimum (Records must be kept five years from end of reporting year). The ASSA 5010 auditor will want seven, aligned with the financial records retention period under Corporations Act section 286.
Period locking. Once a figure is submitted in a disclosure, post-submission changes need to be tracked, reasoned, and disclosed if they materially affect prior periods. Treat this the same way you treat a prior period error correction under AASB 108.
Segregation of duties. Creation, approval, and disclosure of emission records should not be the same person. This is rarely the case in first-time reporters and is a common limited assurance finding.
Methodology documentation that survives staff turnover. If the only person who can recompute a metric leaves the company, the audit trail breaks.

The relationship with the sustainability team

The sustainability team are the practitioners. The CFO is the accountable officer. Healthy operating model:

Sustainability team designs methodology, produces the data, drafts the narrative
Finance team validates internal controls, retention, segregation of duties, basis of preparation
Audit committee reviews both, holds the CFO accountable for sign-off

If the sustainability team is reporting through operations or marketing rather than finance, the operating model breaks. The disclosure goes into the annual report under the CFO's signature; the data discipline needs to live in the finance function's risk and controls framework.

For Group 2 CFOs working with Big Four advisors, the same logic applies. The advisor provides methodology and gap analysis. The finance team provides controls and accountability. The auditor tests both.

The 90-day pre-FY playbook for Group 2

With FY27 starting 1 July 2026, this is the practical sequence we'd recommend a Group 2 CFO is running right now.

Days 1-30 (most CFOs are here):

Basis of preparation document drafted
Consolidation method confirmed and minuted by the audit committee
Audit committee charter amendment passed
Materiality threshold documented (both quantitative and qualitative)
Assurance provider engaged with scope letter

Days 31-60:

Methodology document complete for each metric
Data system selection finalised (or current system reconfirmed)
Source document inventory built
Internal controls over sustainability reporting mapped to the existing controls framework

Days 61-90:

Dry-run calculation on prior-year data
Gap analysis against ASSA 5010 limited assurance scope
Draft disclosure narrative prepared
Board pre-brief on first-year limitations and the 1707D position

If you're behind this sequence, prioritise the basis of preparation and the assurance scope letter. Everything else can be parallel-tracked.

The data discipline that makes this defensible

A defensible disclosure depends on the same data discipline that supports the financial statements: source-document attribution on every emission record, period locking once figures are submitted, methodology versioning, role-based access control with a sign-off trail. Whether you build that internally, extend an existing finance system, or use a specialised tool like Carbonly, the requirements are the same. The system that produces a clean first-year disclosure is the same system that handles years 2 through 10 without escalating manual effort, restated baselines, and audit findings.

This is not a technology question for the CFO. It's a controls question. The same way you would not accept revenue recognition built on a spreadsheet that cannot reconcile to source invoices, you should not accept emissions disclosure built on a spreadsheet that cannot reconcile to source bills.

For Group 1 CFOs entering second-year disclosure, this is also the moment to review what you signed last year. The 1707D shield on forward-looking statements for FY25 expired at the end of that financial year. Whatever scenario or transition plan content you carried forward into FY26 needs to stand on a reasonable basis without the broader shield. If your basis of preparation needs strengthening, the time is now, not at the next half-year close.

The signature is yours. The framework is the one you already know. Treat it that way.

If you'd like to walk through how data discipline applies to your first AASB S2 cycle, email us at hello@carbonly.ai or join the waitlist.

Related reading:

Authoritative sources: