Don't audit the data point; audit the process

We do not taste test every biscuit that rolls off a factory line to decide if it is safe. Instead, food companies run system level controls (HACCP and ISO 22000) designed to prevent problems in the first place, then sample and monitor where it matters most.Carbon accounting should work the same way. Rather than demanding third party verification for every single data point across Scope 3, focus assurance on the calculation process and controls, then test the most material and high risk items. That is how modern sustainability assurance works: risk based procedures under ISO 14064-3 and CSRDs phased assurance model.---## Why the food analogy holds up- Food safety is process based. HACCP is a preventive system that identifies hazards and sets critical control points with monitoring and corrective actions, not a test every item regime. ISO 22000 wraps this into a certifiable management system across the food chain.- Assurance in sustainability is also system first. ISO 14064-3 specifies how independent verifiers validate or verify GHG statements using professional judgement, evidence, and a risk based plan, typically including sampling. CSRD begins with limited assurance and evolves the framework over time.Bottom line: Just like food companies do not test every unit for tastiness or safety, sustainability teams should not chase 100% data point verification. Build a robust system, sample smartly, and reserve deep dives for what actually moves the needle.---## What "audit the process" means for Scope 31) Documented, versioned methodologyYour calc engine, factor lineage, and category logic are clear, reproducible, and version controlled. Independent verification (for example, ISO 14064-3) should reference what was verified and when.2) Risk based assurance planDefine materiality thresholds and where evidence is weakest (for example, purchased goods hot spots, supplier provided figures). Test samples at those points, not everything. This matches limited assurance practice and aligns with assurance standards such as ISAE 3000.3) Controls at critical pointsBorrowing HACCP thinking: set critical control points for data ingestion, factor selection, and transformation logic. Monitor them with alerts and audit trails instead of re verifying every number.4) Clear scope statementsWhen you obtain external assurance, ensure the statement clearly names the software or methodology (not just your corporate inventory), the assurance level (limited vs. reasonable), and the version or date covered. Under CSRD, limited assurance is the starting point, with reasonable assurance coming later.---## When to go deep on individual data points- High impact categories where a few suppliers drive most of your footprint.- Outliers that materially swing totals or contradict benchmarks.- New methods or major updates (factor sets, allocation rules, product scope changes).Treat these as HACCP style critical points. They merit more testing because risk and impact are higher.---## A practical 5 step playbook1. Map materiality across Scope 3 categories; rank by impact and uncertainty.2. Lock your methodology (versioned docs, factor sources, allocation rules).3. Design your assurance plan for limited assurance: what will be sampled, why, and how evidence is retained.4. Instrument controls at ingestion, factor, and logic points; maintain audit trails.5. Engage an independent verifier for your software or methodology (not just your corporate inventory) and keep the statement with version and date in your audit file.> Procurement tip: If a vendor claims "audit ready," ask for a public assurance statement that names the methodology, verifier, level, and effective date. Treat "audit ready" as marketing unless a statement exists.## Resources- Codex Alimentarius, General Principles of Food Hygiene (HACCP Annex): https://www.fao.org/fao-who-codexalimentarius/sh-proxy/en/?lnk=1&url=https%3A%2F%2Fworkspace.fao.org%2Fsites%2Fcodex%2FStandards%2FCXC%2B1-1969%2FCXC_001e.pdf- ISO 22000, Food safety management systems (overview): https://www.iso.org/iso-22000-food-safety-management.html- ISO 14064-3:2019, Verification and validation of greenhouse gas statements (overview): https://www.iso.org/standard/66455.html- CSRD, European Commission overview: https://finance.ec.europa.eu/capital-markets-union-and-financial-markets/company-reporting-and-auditing/company-reporting/corporate-sustainability-reporting_en- CEAOB Guidelines on limited assurance for sustainability reporting (PDF): https://finance.ec.europa.eu/document/download/8ac2df18-2ae1-4bc7-9d87-a4a740e48f5e_en?filename=240930-ceaob-guidelines-limited-assurance-sustainability-reporting_en.pdf- ISAE 3000 (Revised), IAASB: https://www.iaasb.org/publications/international-standard-assurance-engagements-isae-3000-revised-assurance-engagements-other-audits-or- ISAE 3410 status (withdrawal effective for periods beginning on or after Dec 15, 2026), IAASB: https://www.iaasb.org/news-events/2025-05/iaasb-announces-withdrawal-isae-3410-assurance-engagements-greenhouse-gas-statements