The ESG Assurance Gap: What Indian Companies Need to Know Before Their Auditors Ask the Question
- Apr 28
- 6 min read
Updated: May 5
The question of ESG assurance is moving, in the Indian regulatory context, from "if" to "when." For the top 150 listed entities, reasonable assurance for BRSR Core disclosures is already mandated. For the broader listed company universe, the trajectory is clear: SEBI has consistently moved toward stricter requirements, and the direction will not reverse.
The companies that will navigate this transition smoothly are not those with the best disclosure documents. They are those with the best underlying data infrastructure - the operational measurement systems, internal controls, and data management processes that make a disclosure auditable rather than merely plausible.
Most Indian companies have the first. Very few have the second.
Disclosure Infrastructure and Data Infrastructure Are Not the Same Thing
This distinction is the central issue in ESG assurance, and it is one that the current conversation around BRSR compliance largely avoids.
Disclosure infrastructure is everything that goes into producing the annual report: the reporting templates, the consolidation process, the internal review chain, the external consultant who cross-checks the figures, the disclosure document itself. Over the past three years, Indian listed companies have invested significantly in building this. Most can now produce a credible BRSR report on an annual cycle. Some can do it with a reasonable degree of internal rigour.
Data infrastructure is different. It is the system of measurement, collection, and control that sits upstream of the report - the operational systems that generate the underlying numbers before anyone thinks about what the report will say. Specifically: are the energy, water, waste, and emission figures in the BRSR traceable to actual measurement points at the facility level? Are they collected consistently, with defined methodologies, by accountable individuals, at defined frequencies? Are there documented internal controls that would allow an auditor to verify the data trail from facility to consolidated figure?
For a large, well-resourced listed entity, this infrastructure may exist - particularly where ISO 14001 or ISO 50001 management systems have been implemented and maintained seriously. For the majority of mid-to-large listed companies that have built ESG reporting capabilities over the past few years, the infrastructure is partial. The disclosure is produced. The data trail behind it is variable.
What Reasonable Assurance Actually Tests
When an external assurance provider conducts reasonable assurance on a BRSR Core report, they are not checking whether the figures in the report are internally consistent with each other. They are examining whether the underlying data can withstand scrutiny.
This typically involves:
Reviewing the methodology used to collect and calculate each reported metric
Tracing a sample of reported figures back to the source data - utility bills, meter readings, production records, waste transfer notes
Evaluating whether the internal controls over data collection and consolidation are adequate to detect and prevent material errors
Assessing whether the methodologies and boundaries used are consistent with the applicable framework
A company whose BRSR figures are built on a combination of meter readings, facility manager estimates, and consultant-adjusted benchmarks will face significant difficulty in this process - not because the final numbers are necessarily wrong, but because the data trail does not exist at the depth an assurance engagement requires. The finding from the assurer will typically be a qualified conclusion or a statement noting significant limitations in the completeness and verifiability of the data.
For a company whose ESG report is read by analysts, investors, and lenders, a qualified assurance conclusion is not a minor technical footnote. It is a signal about the reliability of the organisation's ESG data - and by extension, about the credibility of its sustainability commitments.
The Preparation Window Is Now
The timeline for mandatory assurance expansion is not fixed, but the direction is. Companies that are currently outside the BRSR Core mandatory assurance scope but within the listed universe should not wait for the requirement to formalise before beginning preparation.
The reason is practical: building audit-ready data infrastructure is a multi-year process. It requires identifying the measurement gaps, designing and implementing measurement systems at the facility level, establishing the internal controls and documentation protocols, running the systems through at least one full reporting cycle to identify inconsistencies, and then stress-testing the data trail against the kind of scrutiny an assurance engagement will apply.
A company that begins this process six months before assurance becomes mandatory will spend that six months discovering problems it cannot fix in time. A company that begins now has two to three years to build the infrastructure properly - which is approximately how long it takes to do it well.
The Specific Questions to Be Asking Now
For CFOs and CSOs assessing their organisation's assurance readiness, the diagnostic questions are operational, not strategic:
Can we trace every figure in our BRSR report to a defined measurement point and a documented calculation methodology?
For each reported metric, is there a clear data owner - a named individual or function responsible for the accuracy of that figure?
Are our facility-level ESG data collection processes documented, consistently applied, and subject to any form of internal review?
Would a change in the person responsible for data collection at any facility produce materially different numbers?
Are our reporting boundaries - what is included and excluded in our ESG data - clearly defined and consistently applied year over year?
Where the answer to any of these questions is uncertain or negative, that is where the preparation work begins.
A Different Conversation with Your Auditor
The relationship between a company and its ESG assurance provider should not begin when the assurance engagement begins. It should begin at least twelve months prior, in a readiness assessment conversation that honestly maps the gaps between current data infrastructure and assurance requirements.
This conversation is most productive when it involves not just the sustainability function but the CFO, the internal audit function, and the operational teams responsible for the primary data. Because ESG assurance is ultimately an operational data challenge - and the people who can solve it are the ones who control the operational systems, not the ones who compile the report.
The companies that engage early, invest in the infrastructure systematically, and build internal ownership of data quality across the organisation will meet assurance requirements without disruption. Those that treat assurance as a report-level compliance exercise will find that the auditors' questions reach much deeper than the document they have been preparing.
Build Your Audit-Ready Data Infrastructure
Sustera Global advises Indian companies on building the data infrastructure, operational measurement systems, and internal governance processes required for credible ESG assurance. Our approach draws on technical expertise across Indian industrial sectors and deep experience with the measurement systems that sit beneath reliable ESG disclosure.
FAQs
What is the ESG assurance gap?
The ESG assurance gap refers to the disconnect between what companies disclose in sustainability reports and the robustness, accuracy, and audit-readiness of the underlying data and systems.
Why is ESG assurance becoming critical in India?
With increasing regulatory pressure (like SEBI’s BRSR requirements) and investor scrutiny, companies must ensure ESG data is reliable, verifiable, and audit-ready.
What happens if ESG data is not assurance-ready?
Unverified or weak ESG data can lead to audit qualifications, reputational risks, and reduced investor confidence, as credibility depends on data integrity.
How is ESG assurance different from ESG reporting?
ESG reporting is about disclosing sustainability performance, while ESG assurance involves independent verification of that data to ensure accuracy and reliability.
What are the key challenges companies face in ESG assurance?
Common challenges include fragmented data systems, lack of internal controls, inconsistent methodologies, and limited governance over ESG processes.
What role do auditors play in ESG assurance?
Auditors evaluate whether ESG disclosures are consistent, complete, and aligned with underlying data, similar to how financial audits assess financial statements.
What is meant by “audit-ready ESG data”?
Audit-ready ESG data is structured, traceable, well-documented, and supported by internal controls, enabling independent verification without significant gaps.
How does governance impact ESG assurance?
Strong governance ensures accountability, proper oversight, and integration of ESG into decision-making, which is essential for reliable reporting and assurance.
Are Indian companies required to get ESG data assured?
Currently, assurance is mandatory for specific disclosures (like BRSR Core for top companies) and is expected to expand over time as regulations evolve.
How can companies close the ESG assurance gap?
Companies should invest in data systems, establish internal controls, align with global frameworks, and integrate ESG into core business processes rather than treating it as a reporting exercise.
Comments