What Happens during a Carbon Audit?

Having to go through a carbon audit can be a daunting prospect, especially if it is the first for an organisation and/or new staff members. This step-by-step explanation of the process is intended to be a guide for organisations and individuals to help them prepare, and set the expectations right for their greenhouse gas audit.

In this article, we use the generic term ‘audit’ to cover assurance, verification and validation (more on this here).

Background Information 

First, some important technical background information. Our audit processes and methodologies follow ISO 14064-3:2019 requirements, which is the international standard for verifying and validating greenhouse gas (GHG) statements or reports.

The five key principles which all audits must adhere to are:  

1. Impartiality – The assurance engagement needs to be objective and not introduce bias.  

2. Evidence-based Approach – Follows a rational method for reaching reliable and reproducible verification/validation based on sufficient and appropriate evidence.  

3. Fair Presentation – The findings, conclusions and opinions are truthfully and fairly presented. Significant obstacles, and unresolved issues are reported to the responsible party and client.  

4. Documentation – Document the engagement and ensure it establishes the basis for the conclusion and conformity with the criteria.  

5. Conservativeness – When assessing comparable alternatives, use a selection that is cautiously moderate. 

Once the level of assurance has been confirmed (read more on this here), the letter of engagement is signed, and the organisation has sent us the pre-audit version of their GHG calculations and emissions inventory report, we follow a clear process which is documented in audit working papers and follows the guidelines and specifications outlined in the ISO standard mentioned above.  

Risk Assessment 

No assurance that we provide can ever be absolute (i.e. we will never guarantee that the work we have audited is free from all errors), but we minimise any risk that would be reasonable to expect to provide inaccurate data and thus results. Therefore, we conduct a risk assessment of known and anticipated factors that can have an impact on the accuracy of the information reported. 

Overall, the risk assessment helps us understand the organisation we are auditing, the intended use and users of the GHG information reported, and the complexities that might be involved in their business activities, their project or product. The result of this informs the extent of the audit activities that we will be undertaking. 

1. Firstly, we conduct a PESTLE analysis. This is an acronym and stands for political, economic, social/cultural, technological, legal and environmental factors. We assess the impact that these factors have on the organisation, taking into consideration the industry environment in which it operates including stakeholders and interested parties.

2. Then we look at the structure of the organisation, and ask questions such as what activities are being undertaken and where, are there any subsidiaries and what legal entities are being included or excluded, how many sites does the organisation have, results of previous audits and if there have been any significant changes in their reporting scope and/or organisational boundaries, and what is the intended use and who is the intended user of this emissions report.  

3. We check that all emission sources have been identified and included in the report. This relies on auditor experience and professional scepticism to do so (an obvious red-flag-example would be if a trucking company’s GHG report does not include emissions from the use of diesel).  

4. We will then look at the complexity and extent of the inventory and the required level of assurance (reasonable vs. limited), as well as the nature of the organisation to determine which sites require a visit and assess whether there are any inherent risks associated with our audit that could be reduced (or eliminated) with a site visit.  

5. We assess the organisation’s information management systems and whether we can identify any risk factors that we need to consider when planning our audit work. This includes the data collection processes, and whether there is independent oversight, internal controls, data collection instructions, record keeping processes, and generally the potential for error in the collection and reporting of the information.  

6. And finally, we do a more detailed data risk assessment of all material emissions which will indicate to us the likelihood of any misstatements in the emissions and information reported. This is a consideration of the inherent, control and detection risks to inform the evidence gathering plan. 

The Nitty-gritty Auditor Checks  

Once the risk assessments are complete, we will have the information we need to decide the level of scrutiny that needs to be placed on the information provided. The level of assurance (reasonable vs limited) is a critical factor in determining this.

This means that for GHG information that is considered low risk and where there are effective controls in place (i.e. we have assessed the client’s data collection processes and found them to be a reliable factor that is taken into consideration in our assessment), there could be smaller sample sizes of evidence reviewed.  

All audits include the following checks:  

1. Measurement Standard Checklist - This is a detailed check of the carbon emissions report and ensures all criteria outlined in the measurement standard are included. The most common measurement standards are ISO 14064-1 and the GHG Protocol.

2. Emission Factors – We ensure that all emission factors are suitable and relevant, and free from errors. 

3. Methodology – We check the methodology used is appropriate including estimations, assumptions, proxy data, the use of models and emission factor selection.

4. Information Checks – These are usually done by a team that supports the lead auditor as there can be thousands of lines of data and many more thousands of pieces of evidence that need to be audited. The more material a specific source is to the inventory, the higher the scrutiny that is being placed on the data. Possible audit tests that are being done by our auditors are: control tests, retracing from data acquisition to reporting, recalculations, sampling of evidence, reconciliation of activity data and emission factors, quality of third-party data, sense checks, reasonableness of assumptions and sensitivity testing. 

5. Site Visits - If a site visit is undertaken, then we will arrange a time to get a tour of the facilities to confirm the use (or lack) of certain machineries, materials, suppliers and processes. Often these in-person meetings are used to clear up any other questions that might otherwise become audit findings (more on those in the next section), and to get a better understanding of the nature of the activities at the site which often helps to understand the information that has been provided.  

Audit Findings and Completion 

Once all the checks have been completed, we will compile a list of audit findings that need to be addressed by the organisation. Audit findings will be assessed for materiality and graded on severity of the finding.  

Depending on the level of preparation and experience of the organisation as well as its nature, this list can be intimidatingly long, so it is important to consider the type or severity of the finding, as not all findings necessarily need to be addressed to finalise the audit. Each audit firm will have its own terminology for each type (grade) of audit finding and communicate the issues found. We use the following: 

1. Material Misstatement – This is an omission, misrepresentation, or error in an assertion, or information (usually data) that, in the professional judgment of the auditor, could affect the decision of the intended user. If not corrected a modified opinion would be issued in the assurance report.  

2. Material Nonconformity – This is a nonconformity with the requirements of the assurance criteria and measurement standards (including the terms of engagement) that, in the professional judgment of the auditor, could affect the decision of the intended user. If not corrected a modified opinion would be issued in the assurance report. 

3. Misstatement – Other than the material misstatement, this is an omission, misrepresentation or error that, in the professional judgment of the verifier, is unlikely to affect the decision of the intended user. So, while it is possible for us to issue an unmodified opinion if the misstatement isn’t corrected, the issue may be communicated within the assurance report.  

4. Nonconformity – In a similar vein, this nonconformity with the requirements of the assurance criteria is unlikely found to affect the decision of the intended user. Again, if not corrected an unmodified opinion is possible, but the issue may be communicated within the assurance report.   

5. Recommendation – This is an opportunity for improvement noted by the auditor. The auditor cannot provide consultancy or advice, so recommendations often focus on areas such as internal controls, data quality and record keeping. 

6. Request for Information (RFI) – This means that further information is required for the audit checks to be complete. A request for information may be upgraded to higher audit finding based on the outcome of the review of the information provided. 

These findings will be issued as an Excel spreadsheet to the organisation who will get a date by which requested evidence and RFIs should be responded to. It will look something like this:

Depending on the nature and number of findings there is often a bit of to-and-fro between the organisation and the auditor before the findings can be closed and a decision is made on which findings the reporter will not address this audit.  

Independent Review 

In order to ensure that the audit work meets the high standards required an independent (quality) review is completed. The review ensures that the assurance process outlined in ISO 14064-3:2019 (including independence, competency and ethical requirements) have been met. The independent reviewer is either an experienced auditor from within our organisation or external. Either way, the independent reviewer has not been involved in any of the checks and audit preparations and is independent.   

Independent Assurance Report 

Once the independent review has been completed the lead auditor will issue the independent assurance report on the organisation’s greenhouse gas information. This report outlines the scope of our assurance engagement, our audit opinion and conclusion, the final total emissions in tonnes of carbon dioxide equivalents (CO₂e), and a summary of the work we performed, including any limitations and areas that the lead auditor would like to highlight to the reader of the emissions inventory report. The wording of this document is standardised and follows the ISO 14064-3:2019 and NZ SAE 1 requirements. 

Once this assurance report is issued, the reporting organisation can claim that the GHG emissions reported in the emissions inventory reported have been independently assured. 

Please contact us at info@mchugh-shaw.co.nz to discuss your assurance requirements. We have over 15 years of experience and complete ISO 14064-1, GHG Protocol, ISO 14067, Airport Carbon Accreditation, Eco Choice Aotearoa, Product Stewardship, and Aotearoa New Zealand Climate Standard assurance. 

Last updated January 2025