Key Takeaways
  • Every in-scope ESG KPI needs a formal definition sheet specifying what is measured, how it is calculated, what data sources are used, and what is included or excluded.
  • Data lineage traces each data point from raw source (meter reading, invoice, system extract) through every processing step to the final reported figure.
  • Internal controls -- including review, approval, reconciliation, and variance analysis -- are essential for assurance readiness, particularly at reasonable assurance level.
  • Evidence packs should be organized by KPI, with each pack containing the definition sheet, calculation workbook, source evidence, control documentation, and a traceability matrix.
  • The quality of your evidence pack directly determines the efficiency, cost, and outcome of the assurance engagement.

Why Evidence Packs Matter

An ESG KPI evidence pack is the collection of documentation that supports each reported ESG metric. It is the raw material that assurance providers examine during an engagement. A well-constructed evidence pack enables the verifier to efficiently trace reported figures back to source data, understand the calculation methodology, and evaluate the controls that ensure data accuracy.

The quality of your evidence pack has a direct and measurable impact on the assurance engagement in three critical ways:

  • Engagement efficiency: Complete, well-organized evidence packs reduce the time the assurance provider spends requesting information, waiting for responses, and performing additional procedures to compensate for missing documentation. This directly reduces engagement duration and cost.
  • Assurance outcome: Gaps in evidence may lead to scope limitations, qualified conclusions, or inability to form a conclusion on specific KPIs. A comprehensive evidence pack supports an unmodified (clean) assurance conclusion.
  • Continuous improvement: The discipline of building evidence packs drives improvements in underlying data processes, controls, and governance. Organizations that invest in evidence packs consistently report better data quality in subsequent reporting cycles.

This guide provides a practical, detailed framework for building ESG KPI evidence packs that meet the expectations of assurance providers operating under ISAE 3000 (Revised) and ISSA 5000.

KPI Definition Sheets

The KPI definition sheet is the foundational document for each metric. It serves as both the reporting criteria and the reference point against which the assurance provider evaluates the reported data. Without clear, documented KPI definitions, the assurance provider cannot assess whether the data is "correctly prepared" because there is no defined basis for correctness.

Required Elements

Every KPI definition sheet should include the following elements:

Element Description Example (Scope 1 GHG Emissions)
Metric name Formal name of the KPI Total Scope 1 GHG Emissions
Unit of measurement Unit in which the KPI is reported Metric tonnes CO2 equivalent (tCO2e)
Organizational boundary Which entities and operations are included All entities under operational control
Operational boundary Which emission sources are included Stationary combustion, mobile combustion, fugitive emissions, process emissions
Calculation formula How the KPI is calculated Activity data (fuel consumed in litres) x emission factor (kgCO2e/litre) / 1000
Data sources Where raw data originates Fuel purchase invoices, meter readings, fleet management system
Emission/conversion factors Factors applied and their source DEFRA 2025 emission factors for UK operations; IPCC 2006 for international
Inclusions What is specifically included All fuels consumed in owned/operated boilers, generators, and fleet vehicles
Exclusions What is specifically excluded (with justification) Employee commuting (Scope 3), refrigerant top-ups below de minimis threshold of 50kg
Reporting frequency How often data is collected and reported Monthly collection, annual aggregation
Data owner Person responsible for data accuracy Group EHS Manager
Version and date Document version control v2.1, last updated January 2026

Common Pitfalls

  • Ambiguous boundaries: Stating "all operations" without specifying whether joint ventures, leased facilities, or newly acquired entities are included
  • Missing exclusions: Not documenting what is excluded and why, leaving the assurance provider unable to assess completeness
  • Undocumented assumptions: Using estimation approaches (e.g., extrapolation for missing months) without documenting the methodology
  • Inconsistent definitions across sites: Different locations interpreting the same KPI differently due to lack of standardized definitions

Calculation Methodologies

Beyond the KPI definition sheet, detailed calculation methodologies document the step-by-step process for transforming raw activity data into reported figures. This is particularly important for complex metrics like GHG emissions, water stress calculations, and intensity ratios.

Elements of a Robust Methodology Document

  • Step-by-step calculation process: From raw data input to final output, each transformation step documented
  • Emission factor tables: Complete listing of all factors used, their sources, vintage year, and applicability
  • Unit conversions: All conversion factors documented (e.g., litres to cubic metres, MWh to GJ)
  • Estimation and extrapolation methods: When actual data is not available (e.g., estimated electricity consumption for a site missing one month of bills), the estimation approach is documented
  • Allocation rules: How shared resources are allocated across entities or products (e.g., shared building energy allocated by floor area)
  • GWP values: Which Global Warming Potential values are used for converting non-CO2 gases (AR4, AR5, AR6)
  • Base year methodology: If reporting against a base year, how the base year is defined and when recalculation is triggered

Methodology Consistency

Assurance providers will check that the methodology is applied consistently across all sites and reporting periods. Any changes from the prior year must be disclosed and justified. Common methodology changes that require documentation include:

  • Switching emission factor sources (e.g., from IPCC to DEFRA)
  • Changing consolidation approach (e.g., from equity share to operational control)
  • Revising boundary to include or exclude entities
  • Updating GWP values
  • Modifying estimation approaches

Data Sources and Lineage

Data lineage is the documented trail that traces each data point from its original source through every processing, transformation, and aggregation step to its final reported value. Assurance providers follow this trail to verify that the reported figure is accurately derived from reliable source data.

The Data Lineage Chain

A complete data lineage chain includes the following stages:

  1. Source generation: The original measurement or record (e.g., electricity meter reads 45,230 kWh)
  2. Source documentation: The document capturing the source measurement (e.g., utility bill from provider showing 45,230 kWh for January 2026)
  3. Data capture: Entry of the source value into the data collection system (e.g., entered into site-level spreadsheet or ESG platform)
  4. Data processing: Any transformation applied (e.g., conversion from kWh to MWh, application of emission factor)
  5. Data aggregation: Combination of site-level data into business unit and group totals
  6. Quality review: Verification steps applied (e.g., reviewer sign-off, variance analysis)
  7. Final reported figure: The value published in the sustainability report

Building a Traceability Matrix

A traceability matrix maps each reported figure to its supporting evidence at every stage of the lineage chain. For a typical ESG report with 15-20 KPIs, the matrix links:

  • Each reported figure to the aggregation workbook
  • Each workbook total to site-level data submissions
  • Each site-level submission to source documents (bills, readings, system extracts)
  • Each calculation to the applicable methodology and emission factors
Practical Tip

Create a "data lineage map" for each major KPI category -- a visual diagram showing how data flows from source to reported figure. These maps are invaluable during assurance provider walkthroughs and help identify control gaps where data changes hands between systems or teams.

Internal Controls over ESG Data

Internal controls are the policies, procedures, and activities that provide reasonable assurance that ESG data is accurate, complete, and reported on time. For limited assurance engagements, the assurance provider needs to understand the control environment. For reasonable assurance, they must test whether controls are designed effectively and operating as intended.

Preventive Controls

Controls that prevent errors from entering the data:

  • Input validation: Data entry forms with validation rules (e.g., rejecting negative values, checking units, flagging outliers)
  • Access controls: Restricting who can enter, modify, or approve ESG data in systems and spreadsheets
  • Standardized templates: Consistent data collection templates across all sites to prevent interpretation differences
  • Training: Formal training programs for site-level data owners on data collection requirements and common errors

Detective Controls

Controls that identify errors after they have entered the data:

  • Review and approval: Independent review of data entries by a supervisor or quality function before aggregation
  • Variance analysis: Comparing current-period data against prior period, budget, or expected values and investigating significant differences
  • Reconciliation: Checking aggregated totals against source record counts and investigating discrepancies
  • Cross-validation: Comparing related KPIs for consistency (e.g., energy consumption should correlate with production output)

Corrective Controls

Controls that ensure identified errors are properly addressed:

  • Error logging: Documented process for recording identified errors, their root cause, and correction
  • Restatement procedures: Clear criteria for when prior-period data must be restated and the process for doing so
  • Root cause analysis: Investigating systematic errors to prevent recurrence

Documenting Controls for Verifiers

The assurance provider expects to see evidence that controls exist and are operating. Documentation should include:

  • Written procedures or process narratives describing each control
  • Evidence of control operation (e.g., signed review forms, approval emails, variance analysis workbooks)
  • RACI matrix showing who is responsible, accountable, consulted, and informed for each control
  • Calendar showing the frequency at which each control operates

Evidence Requirements by KPI Type

Different KPI categories require different types of supporting evidence. The following table provides a practical reference for common ESG metrics:

KPI Category Source Evidence Required Supporting Documentation
GHG Emissions (Scope 1) Fuel purchase invoices, meter readings, fleet fuel cards, refrigerant purchase/disposal records Emission factor tables, GWP values, calculation workbooks, boundary documentation
GHG Emissions (Scope 2) Electricity bills, district heating invoices, renewable energy certificates (RECs/GOs) Grid emission factors (location-based), supplier-specific factors (market-based), contractual instruments
Water Water utility bills, meter readings, abstraction licenses, discharge permits Water stress area classification, calculation workbooks, unit conversions
Waste Waste contractor invoices, waste transfer notes, hazardous waste manifests Waste classification methodology, recycling rate calculations, disposal category definitions
Health & Safety Incident management system extracts, investigation reports, hours worked data Incident classification criteria, rate calculation methodology, contractor inclusion/exclusion policy
Workforce Diversity HRIS/payroll system extracts, headcount reports Diversity category definitions, counting methodology (FTE vs headcount), reporting date basis
Energy Electricity and fuel bills, meter readings, renewable energy certificates Energy conversion factors, intensity denominator source, renewable energy accounting methodology

Sampling Approach for Verifiers

Assurance providers do not verify every data point. Instead, they apply sampling approaches to select a representative subset of data for detailed testing. Understanding how verifiers sample helps organizations prepare evidence more effectively.

Sampling Strategies

  • Key item sampling: Selecting items that individually represent a large portion of the total (e.g., the three largest sites contributing 60% of total emissions)
  • Random sampling: Selecting items at random from the population to provide coverage across the full dataset
  • Judgemental sampling: Selecting items based on risk factors (e.g., sites with known data quality issues, new acquisitions, sites with unusual variances)
  • Stratified sampling: Dividing the population into strata (e.g., by region or site type) and sampling from each stratum

What This Means for Evidence Preparation

Because the assurance provider may select any data point for testing, organizations must ensure that evidence packs are complete for all sites and all months within the reporting period -- not just the largest or most visible. Common gaps arise when:

  • Small sites are assumed to be immaterial and evidence is not retained
  • Evidence exists for annual totals but not monthly breakdowns
  • Source documents are available for some months but missing for others
  • Estimated data points are not flagged and documented

From Raw Data to Reported Figure: Complete Traceability

The ultimate test of your evidence pack is whether a verifier can independently trace from a source document (e.g., a gas bill) to the final reported figure (e.g., total Scope 1 GHG emissions in the sustainability report) without encountering any unexplained gaps or transformations.

Traceability Checklist

For each in-scope KPI, confirm:

  1. The source document exists and is retained
  2. The value on the source document can be located in the data collection system
  3. Any conversions or calculations applied to the raw value are documented and reproducible
  4. The site-level total can be verified by summing the individual data entries
  5. The group total can be verified by summing the site-level totals
  6. The reported figure matches the group total in the calculation workbook
  7. Any adjustments between the workbook total and the reported figure are documented and justified

Common Traceability Breaks

  • Manual transcription errors: Values copied incorrectly between systems or spreadsheets
  • Undocumented adjustments: Late corrections or reclassifications made directly to the final figure without updating underlying workbooks
  • Version control issues: Multiple versions of calculation workbooks with different values, and uncertainty about which is final
  • Formula errors: Incorrect cell references, missing rows in sum ranges, or hard-coded overrides in spreadsheets
  • Unit conversion errors: Inconsistent application of conversion factors (e.g., mixing litres and gallons across sites)

Recommended Evidence Pack Structure

Organize your evidence pack by KPI, with a consistent folder structure that the assurance provider can navigate efficiently:

  • Folder: KPI Name (e.g., "Scope 1 GHG Emissions")
    • KPI Definition Sheet (PDF or Word)
    • Calculation Methodology Document
    • Calculation Workbook (Excel) with all raw data, conversions, and aggregation
    • Emission Factor Reference Table
    • Source Evidence subfolder (organized by site and month)
    • Internal Control Documentation (review sign-offs, variance analyses)
    • Traceability Matrix
    • Change Log (any methodology or boundary changes from prior year)

For organizations with many KPIs and sites, a master index document that lists all evidence items, their locations, and their status (complete, pending, estimated) helps both internal teams and the assurance provider track evidence completeness.

Think of your evidence pack as a story that the verifier reads. If there are gaps in the narrative -- missing chapters, unexplained jumps, or contradictions -- the reader cannot reach a confident conclusion. Every data point should tell a complete, consistent, and verifiable story from source to report.

Frequently Asked Questions

What is a KPI definition sheet?

A KPI definition sheet is a formal document for each ESG metric that specifies the metric name, unit of measurement, organizational boundary, calculation formula, data sources, emission or conversion factors used, inclusions and exclusions, reporting frequency, and the responsible data owner. It serves as the primary criteria document that assurance providers evaluate during an engagement.

What is data lineage in ESG reporting?

Data lineage traces the journey of an ESG data point from its original source (e.g., a utility meter reading or HR system record) through every processing step (data entry, conversion, aggregation, calculation) to the final reported figure. It provides a clear audit trail that assurance providers follow to verify accuracy and completeness.

How long should ESG evidence be retained?

ESG evidence should be retained for at least the current reporting period plus one prior period (two years minimum). For regulatory filings like BRSR or CSRD, longer retention may be required. Best practice is to retain evidence for the full certification or assurance cycle plus one year, aligning with the organization's document retention policy.

What internal controls should exist over ESG data?

Minimum internal controls include: segregation of duties between data collection and review, documented review and approval at each aggregation level, reconciliation of data entry against source records, variance analysis comparing current and prior period data, access controls on ESG data systems, and change management procedures for methodology or boundary changes.

What happens if the assurance provider finds errors in my evidence pack?

Errors identified during assurance are communicated to management and categorized as corrected misstatements (errors you fix before publication) or uncorrected misstatements (errors remaining in the final report). If uncorrected misstatements individually or in aggregate exceed the assurance provider's materiality threshold, the assurance conclusion will be modified (qualified or adverse).

ESG Assurance Sustainability Assurance Data Quality Evidence