What auditors actually check in a first-cycle IFRS S2 review

Most first-cycle reporters prepare for the wrong exam. They polish the narrative, perfect the prose, and present a beautiful disclosure. Then the assurance team arrives and asks a question the disclosure can't answer: where did this number come from?

An auditor providing assurance over a sustainability disclosure is not grading your writing. Under ISAE 3000 — and increasingly the new ISSA 5000 sustainability assurance standard — their job is to obtain evidence that the figures you've published are supported, controlled, and unchanged. The disclosure is the output. The auditor tests the system that produced it.

Across first-cycle IFRS S2 reviews, the same five things get tested every time. None of them are about how the disclosure reads.

1. Data lineage — every figure traces to a source document

The first question is always traceability. When you disclose Scope 1: 12,450 tCO2e, the auditor needs to walk that number back: which activity data fed it, which emission factor was applied, which invoice or meter reading or fuel log sits underneath. If the answer is "it's in a spreadsheet someone built last quarter," you have a problem — because spreadsheets re-key, overwrite, and lose their provenance.

What passes: a clear, unbroken line from the published figure to the structured data point to the source file. What fails: a number that exists only as a cell, with no recorded path back to where it originated.

2. Internal controls — who entered, reviewed, approved, and when

Assurance is built on segregation of duties. The auditor will ask who prepared each figure, who reviewed it, and who approved it — and they expect those to be different people, with the sequence documented. A single analyst who entered, checked, and signed off their own number is a control weakness, and it gets flagged at planning.

What they want to see is a documented control: a preparer/reviewer/approver workflow where each step is captured automatically, not reconstructed from email threads after the fact.

3. Methodology consistency — same method, same factors, every entity

If you report across multiple entities or sites, the auditor checks that each one measured the same way. Did every subsidiary use the same emission factor source? The same consolidation approach? The same boundary? Inconsistent methodology across the group is one of the most common first-cycle findings — and it's invisible until someone lines the entities up side by side.

Document the method once, apply it everywhere, and record the factor source against each data point. Consistency you can demonstrate beats consistency you assert.

4. Change history — an immutable log of what changed and why

Numbers change during a reporting cycle. That's normal. What the auditor cannot accept is change they can't see. If a figure was 11,800 in March and 12,450 in the final disclosure, they need to know it changed, who changed it, and when. A disclosure with no change history is a disclosure they have to take on faith — and assurance is the opposite of faith.

This is why an append-only activity log matters. Not a log you maintain by discipline, but one the system writes automatically and that cannot be edited or deleted — even by an administrator. When the trail is immutable by design, the auditor can rely on it instead of testing around it.

5. Evidence integrity — source files hash-verified

Finally, the evidence itself. When you hand over a supporting file — a utility bill, a third-party emissions report, a calculation workbook — the auditor needs confidence it's the same file that was used to derive the figure, not a later version. A SHA-256 hash recorded at upload and re-verified at export proves the file is byte-for-byte unchanged. It turns "trust me, this is the right document" into something cryptographically verifiable.

The disclosure is the easy part. The trail is the hard part. A first-cycle disclosure doesn't fail because the writing is weak — it fails because the evidence behind it can't be reconstructed under scrutiny.

Why first-cycle reporters get caught out

None of this is exotic. Big 4 assurance teams have tested financial figures this way for decades. What's new is that sustainability data was, until recently, prepared in tools that were never built for an audit: spreadsheets and Word templates. They produce a disclosure, but they don't produce lineage, controls, change history, or evidence integrity. The first time that gap is exposed is the first assurance review — exactly the worst moment to discover it.

The fix isn't to write a better disclosure. It's to prepare the disclosure inside a system that captures the audit trail as a by-product of doing the work — so that when the assurance team asks "where did this come from?", the answer is one click away.

Want to see how an audit-trail-first system handles this in practice? Have a look at the product, or read how Auditably's workflow maps to the 33 IFRS S2 disclosure paragraphs.