Scope 3 Assurance Prep Kit

Prepare for review/assurance with evidence, controls, sampling discipline, and honest limitations (not audit advice)

Scope 3, Made PracticalGuide60 min

Important: This is operational readiness guidance, not audit advice. Assurance requirements vary by standard, provider, and scope.

What you'll accomplish

  • Define what "assurance readiness" means for your Scope 3 work
  • Create a structured evidence binder and control matrix
  • Implement sampling and review workflows (so you're not scrambling)
  • Document methods, boundaries, and limitations consistently
  • Reduce the risk of restatements and credibility damage

Who this is for

  • Sustainability teams preparing Scope 3 disclosures
  • Finance/risk teams supporting controls and governance
  • Teams implementing Carbon Data Governance + Audit Readiness

When to use this

Use this when:

  • you anticipate external review/assurance in the next 6–18 months
  • leadership wants higher confidence in reported Scope 3
  • you want to harden controls before scaling supplier engagement

Prerequisites

  • Carbon Data Governance + Audit Readiness Pack
  • Scope 3 Screening Playbook + category kits (at least Cat 1/2/3/5 as applicable)
  • Supplier engagement tracking (requests/responses and evidence links)

Related resources:

Quick start (60 minutes)

  • Create the Scope 3 Methods Index (Template 1)
  • Create the Evidence Binder Index (Template 2)
  • Create the Control Matrix (Template 3)
  • Run a "mock review" on one category (Template 5)

Assurance readiness in plain English

To be "assurance ready," you need:

  • a traceable path from numbers → inputs → evidence
  • documented methods and boundaries
  • QA checks that are repeatable (not in someone's head)
  • a change log for restatements
  • honest limitations and improvement plans

Beginner rule: You don't need perfect data. You need transparent, controlled data.

Step-by-step

Step 1 — Define scope of assurance (even if informal)

Decide:

  • which categories are in scope
  • what level of confidence you want (internal review vs external)
  • what your biggest risk areas are (tenant utilities, supplier nonresponse, proxies)

Step 2 — Build a methods and boundaries package

For each category in scope:

  • definition
  • method type (spend/activity/supplier-specific)
  • data sources
  • limitations
  • plan to improve

Step 3 — Build an evidence binder

Evidence types:

  • AP spend exports and mapping logic
  • supplier responses and attachments
  • utility datasets used to support Cat 3
  • waste reports and tickets (Cat 5)
  • capex ledgers and project lists (Cat 2)
  • leased asset utility datasets and allocation memos (Cat 13/8)

Step 4 — Implement sampling discipline

You should be able to sample:

  • top vendors by spend
  • a subset of invoices
  • a subset of supplier responses
  • a subset of buildings for leased assets

Document:

  • how samples are chosen
  • what is verified
  • outcomes and fixes

Step 5 — Run mock reviews and close gaps

Mock review output:

  • a list of exceptions and missing evidence
  • methods clarifications
  • data quality improvements needed

Templates

Template 1 — Scope 3 Methods Index

Scope 3 Methods Index

| Category | Method type | Key data sources | Evidence location | Limitations summary | Owner |
|---|---|---|---|---|---|

Template 2 — Evidence Binder Index

Evidence Binder Index

| Category | Evidence type | File or folder link | Notes |
|---|---|---|---|

Template 3 — Control Matrix

Control Matrix

| Control | Category | Description | Frequency | Owner | Evidence of control (link) |
|---|---|---|---|---|---|

Examples of controls:
- QA checklist executed monthly for Scope 2 dataset
- supplier request tracker updated weekly
- exceptions log reviewed monthly
- change log updated for restatements

Template 4 — Sampling Plan

Sampling Plan

Sampling Plan

Scope:
Sample approach:
- Top X vendors by spend
- Random sample of Y vendor records
- Targeted sample of high-risk records (proxy/unknown)

What we verify:
- source data exists
- evidence links open
- method applied consistently
- boundaries documented

Outputs:
- issues found
- fixes implemented
- change log entries (if required)

Template 5 — Mock Review Checklist

Mock Review Checklist

Mock Review Checklist (per category)

- Methods memo exists and is clear
- Data sources listed and accessible
- Evidence links open
- QA checks completed and recorded
- Exceptions log exists and is current
- Change log captures restatements
- Limitations are documented honestly

Template 6 — Findings Log

Findings Log

| Date | Category | Finding | Severity (L/M/H) | Fix | Owner | Due date | Status |
|---|---|---|---|---|---|---|---|

Common pitfalls

  • "Evidence" is implied but not stored
  • Inconsistent vendor categorization and mapping
  • Proxies used without labeling and improvement plan
  • Restatements happen without a change log
  • No sampling process → assurance becomes chaotic

Change log

v1.0 (2026-01): Latest release