When a third-party assurance provider sits down with your CSRD report, they're not primarily interested in whether your Scope 1 total is 3,400 tCO2e or 3,600 tCO2e. What they're interrogating is whether you can demonstrate how you got there. The number itself is almost secondary. The trail of evidence behind it is everything.
This is a distinction that most sustainability managers understand intellectually but underestimate practically. We've seen companies invest months in getting their emission factors right — debating natural gas combustion coefficients to three decimal places — while maintaining their source data in a collection of Excel files with no version history, no access log, and no record of which utility invoice each kWh figure came from. That's a failed audit trail, regardless of how technically accurate the calculation might be.
What "audit trail" means in GHG assurance
Under ISO 14064-3 (the international standard for GHG statement verification) and the assurance requirements embedded in CSRD's ESRS E1, an auditor performing limited or reasonable assurance needs to verify three things:
- Source traceability — every emission figure can be traced back to a primary source document (utility bill, fuel delivery receipt, freight manifest, supplier response)
- Calculation reproducibility — given the source data and the emission factors used, an independent party can reproduce the tCO2e figure
- Change history — if any figure was revised after initial entry, there's a documented record of what changed, when, and why
Notice that precision of emission factors doesn't appear on that list. Auditors are pragmatic: they understand that using the EPA's eGRID subregion average instead of a supplier-specific factor is a methodology choice, and methodology choices are disclosed in your GHG inventory report. What they can't work with is a figure that appears to have been entered by someone at some point based on something.
The specific failure modes we keep seeing
Working with mid-market manufacturers on their first assurance engagement, we've encountered the same audit trail breakdowns repeatedly. They cluster into four categories.
The spreadsheet aggregation problem
A sustainability manager pulls utility data from twelve different facilities, each of which sends invoices in a different format. She enters monthly kWh consumption into a master spreadsheet, calculates emissions using a single grid factor, and produces a Scope 2 total. The number may be correct. But the auditor has no way to verify it without re-requesting every original invoice and rechecking every data entry manually. There's no linkage between the tCO2e cell in the summary tab and the original invoice PDF from the Warren, Michigan facility in July.
Emission factor substitution without documentation
Midway through the year, someone switches from the EPA's default natural gas combustion factor (53.06 kg CO2 per MMBtu) to a newer version published in a subsequent year. The annual total changes. There's no record of when the switch happened or what the prior calculation produced. When the auditor asks about the restatement, the answer is "we just updated to a better factor." That's not a documented methodology change — that's unexplained variance.
Supplier data without provenance
Scope 3 Category 1 (purchased goods and services) figures often arrive as single numbers from suppliers with no supporting methodology. "Our product has an emissions intensity of 0.42 kgCO2e per unit" — full stop. Auditors will ask for the calculation behind that figure. If it doesn't exist, the number gets classified as unverifiable and may need to be replaced with a spend-based estimate, which carries its own methodology disclosure requirements.
Retroactive corrections without a change log
An error is found in Q2 data — a fuel delivery was double-counted. The correction is made in the master spreadsheet. The original entry is overwritten. Three months later, the auditor notices that the Q1-Q3 subtotal doesn't match what was recorded in the quarterly internal report. The correction was real and justified, but it's now unverifiable because the original entry no longer exists anywhere.
What a defensible audit trail actually contains
Let's be concrete. For each emission source in your inventory, the audit trail should link:
- The source document (utility invoice number, fuel receipt reference, freight manifest ID, supplier questionnaire submission timestamp)
- The activity data extracted (e.g., 487,300 kWh consumed at Facility 3 in June 2024)
- The emission factor applied (e.g., EPA eGRID MROE subregion, 2023 version, 0.4236 lb CO2e/kWh)
- The tCO2e result (with the arithmetic visible, not just the output cell)
- The entry timestamp and user (who entered or approved this data point)
- Any revision history with timestamps and stated reasons
This isn't particularly exotic — it's essentially the same documentation standard applied to financial records. The challenge is that most organizations weren't collecting emissions data with this level of structure when they started. The data lives in too many places, in too many formats, touched by too many people.
A concrete scenario: limited assurance for a Tier 1 auto supplier
Consider a mid-size stamping and assembly operation in the Detroit metro area with six manufacturing facilities. As a direct supplier to a major OEM, they're facing downstream pressure to provide verified emissions data as part of Scope 3 Category 1 reporting. They engaged an assurance firm for limited assurance under ISAE 3000.
The initial audit found that Scope 1 figures for natural gas combustion were well-documented — they had monthly gas delivery receipts from their utility, entered systematically into a single source of record. No problems there.
Scope 2 was more complicated. Two facilities purchased electricity under renewable energy contracts with accompanying RECs. The location-based calculation was fine, but the market-based calculation required reconciling the REC certificates against specific invoice periods. The certificates were in a separate folder, not linked to the invoice entries. The auditor had to manually match them, which added three days to the engagement and introduced reconciliation questions that took another week to resolve.
Scope 3 Category 4 (upstream transportation) was a qualified finding. The company had freight emissions calculated from carrier invoices, but several small carriers hadn't provided fuel efficiency data. The sustainability manager had applied an industry-average intensity factor for those lanes without documenting which invoices fell into that bucket, what the assumed factor was, or what percentage of total Category 4 emissions the estimate represented. The assurance provider flagged this as a disclosure gap — not wrong, but insufficiently documented to support the stated figure.
The lessons from that engagement directly shaped how we structured Circulyft's data model: every emission record carries its source document reference, factor version, calculation timestamp, and revision log from the moment it's created.
The limited vs. reasonable assurance distinction
CSRD's ESRS E1 requires limited assurance for the first reporting years, with a trajectory toward reasonable assurance. It's worth understanding what that difference means for your audit trail requirements.
Limited assurance means the auditor performs inquiry and analytical procedures sufficient to conclude that nothing has come to their attention that would cause them to believe the information is materially misstated. It's a negative conclusion — "we didn't find problems" — and the procedures are less extensive than a full audit.
Reasonable assurance involves positive evidence-gathering. The auditor is concluding that the statement is fairly presented, which requires verifying a statistical sample of source records, testing the calculation engine, and reviewing controls over data entry and access.
The practical implication: an audit trail that passes limited assurance may not survive reasonable assurance. If you're building your documentation system now, build it to reasonable assurance standards. Retrofitting provenance tracking after the fact is significantly harder than building it in from the beginning.
What this doesn't mean
We're not saying you need a fully automated system to have a defensible audit trail. Some organizations maintain excellent documentation in structured spreadsheets with linked source files and disciplined change management. The audit trail requirement is about the quality and completeness of documentation, not the technology used to maintain it.
We're also not saying that emission factor precision is irrelevant. Methodology choices matter — using a 2019 eGRID factor when a 2022 version is available will be questioned. But auditors will accept a documented methodology choice. What they can't accept is a figure with no documented methodology at all.
Building the habit now, before the deadline pressure
The companies that struggle most with assurance engagements are those who treated data collection and documentation as two separate activities. They collected data efficiently for internal management purposes, then tried to reconstruct documentation retroactively when an audit was imminent.
The correct sequence is: documentation structure first, then data collection into that structure. Every source document gets a reference ID. Every activity data entry references a source document. Every emission factor applied references a version-dated source. Every revision carries a reason and a timestamp.
When we talk to sustainability directors who've been through a first assurance engagement, the consistent feedback is that the audit trail documentation consumed more time than the calculations themselves. That ratio inverts once the documentation structure is in place — calculations run automatically, but documentation requires deliberate design.
Your emission number will be scrutinized. The trail you built to get there is what determines whether it stands.