Disclosure LibraryPractitioner guidance for every reporting disclosure
Home Disclosure Library ESRS ESRS 2 GOV-4
ESRS 2: General Disclosures · 2026-5010-final
Disclosure Requirement GOV-4

Statement on Due Diligence

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official EFRAG source.

Dr Ross Kurinko, Sustainability Reporting Trainer
Reviewed by Dr Ross Kurinko · Sustainability Reporting Trainer LRA educational guidance · Not issued or endorsed by EFRAG
To prepare this disclosure
Disclosure focus

This disclosure asks the organisation to explain whether, and how, it carries out due diligence as part of its governance and decision-making. In practice, that means describing the main processes used to identify, assess, prevent, mitigate and track material impacts, risks and opportunities, rather than simply stating that a policy exists.

The practical focus is on the real scope and consistency of those processes across the business. Report whether due diligence applies across the whole organisation and value chain, or only to selected activities, regions or flagship sites, and explain any important gaps, exceptions or differences in coverage.

This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official EFRAG source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation

Key datapoints to prepare

Datapoint What to capture Evidence hint Owner
Control framework overview A plain description of how the reporting process is governed and controlled, including the main checks, approvals and responsibilities that sit around the data and reporting cycle. Process maps, control narratives, RACI or responsibility matrix, approval workflow, internal control documentation. Finance / Reporting Controls
Data checking process How reported data is reviewed for accuracy and consistency before it is published, including the checks performed, who performs them and when they happen. Validation checklists, review logs, exception reports, sign-off records, data quality rules. Data Management / Reporting
Risk control measures The controls used to manage reporting-related risks, covering the key risk areas identified and the actions in place to reduce or monitor them. Risk register, control matrix, mitigation plans, monitoring reports, issue logs. Risk Management / Internal Control
Estimation control methods The methods and checks used when reported figures are estimated rather than directly measured, including how assumptions are set, reviewed and updated. Estimation methodology, assumption papers, calculation files, review and approval records, model governance notes. Finance / Technical Accounting
+ Show GOV-4 sub-elements (LRA working checklist)

How to prepare it

1Set the reporting boundary first: decide which parts of the business, entities, systems and processes are in scope for the control narrative, and make that choice consistent across the four required areas.
2Define the control content in plain business terms: describe how the organisation oversees controls, how it checks data quality, how it manages risk-related checks, and how it handles controls used where figures are estimated.
3Gather the underlying support before drafting: collect the policies, procedures, sign-offs, reconciliations, review notes, exception logs and other records that show the controls actually operate.
4Prepare the disclosure text or tables from the evidence: explain the control setup, the validation approach, the risk checks and the estimation approach in a way that matches the records you have assembled.
5Record any limits, exclusions or changes clearly: note what was left out, why it was left out, and whether the control approach or evidence base changed during the reporting period.
6Check the final draft against the official source and internal records: confirm the wording still reflects the source requirement, the evidence supports each statement, and nothing material has been missed or overstated.
Request the data

Request the due diligence controls evidence

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

How do we describe the checks, controls and review steps that sit behind our due diligence process, and who owns them?

Use your organisation’s own names for the process, control owners and review forums first, then map them to the disclosure wording. Keep the request in business language rather than framework terms, and check the source material before sign-off.

Weak request

Please provide the ESRS 2:GOV-4 due diligence statement and all related controls, validation, risk and estimation controls.

Why it fails: This uses framework language that many teams do not use day to day, and it does not tell the owner what practical evidence to return. It also bundles several ideas together without asking for the underlying records, owners, dates or source systems.

Better request

Please share the evidence that shows how your team checks, reviews and signs off the information used in [process name] for [period]. Use your normal team terms, and include the control owner, source system or record set, latest version/date, and any logs, approvals or review notes.

Formal email template
Subject: Request for due diligence controls evidence for [reporting period]

Hi [name/team],

We are preparing the sustainability reporting pack and need your help with the evidence behind our due diligence process for [reporting period].

Please send the following in your own team’s terms, using the names you normally use internally:
- a short description of the control set or review steps that support the process
- how data or information is checked before it is used in reporting
- the main controls used to manage identified risks
- the controls used where judgement or estimates are involved
- the owner for each control or review step
- any supporting records, logs, approvals or review notes

Please include the reporting boundary, the period covered, the source system or record set, and the latest version/date for each item.

If helpful, you can return this as a table or attach the relevant documents. Please adapt this to your organisation’s language and check the source material before sign-off.

Thanks,
[preparer name]
Short Teams / Slack version
Hi [name/team] — could you share the evidence for the controls and review steps behind our due diligence process for [period]? Please use your team’s own terms, and include the owner, source record, latest version/date, and any supporting logs or approvals. Thanks.
Industry examples
Manufacturing

Context. The business uses a plant-level quality and compliance review process with manual sign-off on operational data.

Adapted request. Please share the evidence for the checks and sign-off steps used in the plant review process for [period]. Include the control owner, the line or site review step, the log or tracker used, and any exception notes.

Example response. A site control matrix, monthly review log, exception tracker, and sign-off sheet showing the plant manager, quality lead and finance reviewer.

Financial services

Context. The business relies on a formal risk and controls framework with documented testing and escalation.

Adapted request. Please send the evidence behind the risk review and control testing process for [period]. Include the control owner, the testing method, the system of record, and any issues raised or closed.

Example response. A controls register, testing results, issue log, escalation memo, and approval record from the risk committee secretary.

Draft your disclosure

Notes that turn data into a disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

Explain how the control framework is defined, what counts as a validation check, how risk controls are identified, and how estimation controls are applied in practice.

Context note

Set out what the control information shows about how the reporting process is governed, checked, and managed, and why those controls matter for the reliability of the reported data.

Fluctuation statement

If the control picture has changed, point to updates in the framework, stronger or weaker validation, revised risk handling, or changes in how estimates are reviewed and supported.

Content index entry
GOV-4 Statement on Due Diligence — [location / page] / [notes]
Download Centre

Preparation tools & forms

Professional preparation tools for GOV-4 — free with an LRA Community membership. Register once (it's free) and every download unlocks, together with the Disclosure Library, templates and the LRA AI-assistant.

Free · Community members
Go deeper · GOV-4
Learn to prepare this disclosure end-to-end

This guide covers one Disclosure Requirement. The ESRS / CSRD Reporting course walks the full European workflow — double materiality, datapoints, evidence and assurance — with exercises on your own data.

Available as Guided Flex, Live Cohort, 1:1 Expert Mentorship or Corporate Programme.

Assurance readiness

For each claim, check the evidence

ClaimRiskEvidence to check
We limited the figure to the parts of the business and reporting process we had actually defined for this report, and we documented where the boundary starts and ends.The assurer will test whether the boundary was set consistently, whether any material parts were left out without reason, and whether the stated scope matches the underlying reporting process.Reporting boundary memo; process maps showing included entities, sites, functions and data owners; scope approval notes; reconciliation between the reported boundary and the source population.
We checked that the underlying data set was complete and that the records had not been altered or lost between source systems and the final disclosure.The assurer will probe for missing records, duplicate entries, manual overrides, weak transfer controls, and whether the final figure can be traced back to source data without unexplained gaps.Data lineage and transfer logs; completeness checks; exception reports; access and change logs; reconciliation between source extracts, working papers and the published number.
We built the disclosure from a defined control set, including ownership, review steps, sign-off points and escalation routes before publication.The assurer will assess whether the control design is adequate, whether responsibilities were clear, whether reviews happened as described, and whether issues were escalated and resolved in time.Control framework documentation; RACI or role assignments; review and approval workflow records; issue logs; evidence of escalation and closure; publication sign-off pack.
Where the figure relied on estimates, we tested the assumptions, checked the calculation method and compared the result with available supporting evidence before we released it.The assurer will look for weak assumptions, unsupported inputs, calculation errors, bias in the estimate, and whether sensitivity or reasonableness checks were performed and documented.Estimation methodology; assumption papers; calculation sheets or model outputs; source evidence supporting inputs; sensitivity or reasonableness checks; reviewer comments and approval records.

Evidence pack to prepare

Common reporting gaps

The information is presented without a date or as-at point.The scope or boundary of the statement is left undefined.Key terms are used inconsistently across the report.Material changes since the previous period are not disclosed.Assertions are made without supporting detail or a source record.Boilerplate is used that does not actually answer what is asked.
Common gaps

Mistakes to avoid when collecting the data

Wrong owner
Chasing the board pack team for operational controls data leaves the evidence with people who do not run the checks in practice.
Framework words, not business terms
Asking for the control framework in reporting jargon instead of the organisation’s own process names makes teams send the wrong files or summaries.
No clear boundary
Collecting information without fixing which business units, sites, or activities are in scope leads to a mixed set that cannot be used cleanly.
+ Show 5 more

Where judgement is often needed

Acquisitions and disposals during the year
Set a clear cut-off for when a bought-in or sold business starts or stops feeding the control, checking and risk processes, then explain any mid-year boundary change and its effect on the figures or narrative.
Different local definitions for the same control topic
Where country teams use different legal or operational labels for the same issue, choose one group-wide interpretation, describe the mapping used, and note any local exceptions that affect the way the process is described.
Units that sit partly inside and partly outside scope
Decide how to treat shared services, joint operations or other mixed arrangements, state the inclusion rule you used, and explain any material exclusions or partial coverage.
+ Show 5 more
Examples

Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Illustrative (synthetic) example — Consumer goods manufacturing

We keep our oversight model simple: the board sets the tone, the audit and risk committees review key controls, and management owns day-to-day checks across reporting, operations, and compliance. - Before figures are reported, our finance team runs a documented review of source data, reconciles key balances to the ledger, and logs any corrections; in the latest cycle, 18 of 18 material data sets were checked, and 3 required adjustment before sign-off. - We use a risk register and control testing plan to track the main threats to delivery and reporting quality; 12 of 12 priority risks had named owners, and 10 had active mitigation actions in place at period end. - Where we rely on estimates, we apply approved assumptions, compare them with prior outcomes, and challenge unusual movements; 7 of 7 significant estimates were reviewed by a second person, and 5 were also tested against external benchmarks.

This example shows a plain-language description of how oversight is organised, how reported data is checked, how key risks are managed, and how estimates are reviewed and challenged.

Illustrative (synthetic) example — Renewable energy services

Our group uses a three-line approach: operational teams prepare the information, specialist functions test it, and the board and its committees receive escalation on matters that could affect reporting or delivery. - We validate data through automated checks, manual review of exceptions, and reconciliation to underlying records; in the period, 24 of 24 critical data feeds were tested, 4 exceptions were found, and all 4 were cleared before publication. - For major business and reporting risks, we maintain a control map, assign owners, and monitor whether actions are completed on time; 9 of 9 top risks were assigned, and 8 had controls operating as intended at the reporting date. - For estimates, we document the basis used, compare assumptions with recent actual results, and require independent review for higher-judgement items; 6 of 6 material estimates were reviewed, and 2 were updated after challenge from the review team.

This example illustrates a different sector’s way of describing governance, data checking, risk management, and controls over judgement-based estimates.

Company reportsReal published reports
Compare side by side →Get it free

How companies report GOV-4 in practice

Real reports where this topic is disclosed. These are report practice, not exact disclosure templates to copy.

Telecom Italia S.p.A.
Telecommunication Services · Italy · 2025
Open report →
Telecom Italia S.p.A.'s 2025 Annual Report includes a statement on due diligence, describing how the TIM Group identifies, assesses, and manages actual and potential negative sustainability impacts and risks, with details on operational phases provided (p.125). The report also mentions controls to ensure the completeness, accuracy, consistency, and traceability of sustainability information, although this is not a clear disclosure of the specific datapoint GOV 4.4 (p.127). However, no evidence was found for GOV 4.2 and GOV 4.3 disclosures in the report.
Globalvia
Ground Transportation — Highways and Railtracks · Spain · 2025
Open report →
Globalvia’s 2025 Sustainability Report provides detailed information on its management approach and policies related to due diligence procedures for identifying, assessing, preventing, and mitigating risks, as outlined on page 108. The report also references a due diligence procedure aimed at strengthening risk management and reinforcing ethical, compliance, and sustainability standards (p.30). However, the report offers only unclear or partial disclosures regarding the process for determining and assessing material impacts, risks, and opportunities (p.95), as well as the oversight and monitoring of strategic, financial, operational, and compliance risks by the Risk Department (p.32), with no clear evidence found for the methodology or narrative on this topic.
Pirelli & C. S.p.A.
Automobiles and Components · Italy · 2025
Open report →
Pirelli & C. S.p.A.’s 2025 Annual Report provides clear evidence of established due diligence processes and systems, as stated on page 139. The report includes related context on validation and risk assessment processes (pp. 107, 142), though these do not clearly disclose specific details of the due diligence governance elements. There is no explicit information found regarding the methodology or narrative for one of the governance disclosure points.
✓ LRA AI Assistant · Human-in-the-loop
Dr Ross Kurinko
Ask Study Studio AI assistant about this disclosure
Get practical answers for your reporting context. Your first two answers are free — join LRA Community for free to continue without a limit.
TryHow do I prepare GOV-4?What data do I need to collect?Where can I see a real-report example?What mistakes should I avoid?
2 free answers
Check your understanding

Scenarios to work through

An organisation uses models and estimates to fill gaps in supplier data and to approximate the scale of certain impacts. The team is unsure whether to mention those estimates because the numbers are not exact.

QWhat should the preparer include about estimation methods in the due diligence statement?
Reveal model answer →

The preparer receives partial evidence for ESRS 2:GOV-4 shortly before sign-off.

QWhat should they check before using it?
Reveal model answer →

A business unit sends data for ESRS 2:GOV-4 using labels that do not match the reporting workbook.

QHow should the preparer handle the mismatch?
Reveal model answer →
Framework references

Related framework references

How this disclosure maps across the major reporting frameworks.

ESRS
GOV-4
within ESRS 2: General Disclosures
Open official source →
Primary
Related & explore
Go deeper · GOV-4
Learn to prepare this disclosure end-to-end

This guide covers one Disclosure Requirement. The ESRS / CSRD Reporting course walks the full European workflow — double materiality, datapoints, evidence and assurance — with exercises on your own data.

Available as Guided Flex, Live Cohort, 1:1 Expert Mentorship or Corporate Programme.

FAQ

Questions this page answers

What do I need to gather for GOV-4 before I start drafting the disclosure?+
How do I use the GOV-4 step-by-step 'how to prepare' section in practice?+
Who should own the GOV-4 data and narrative in my organisation?+
What evidence do I need to build an assurance-ready GOV-4 pack?+
What are the four assurance claims in GOV-4 and how do I check them?+
What common mistakes should I avoid when preparing GOV-4?+
How do I use the GOV-4 workbook to prepare the disclosure?+
What is the printable Library Card for GOV-4 used for?+
Can I use the synthetic example disclosure on the GOV-4 page as a template?+
How do I turn GOV-4 data into a draft narrative and content index line?+
More questions this page can help with
What should a sustainability manager check first when using the GOV-4 page for the first time?How do I scope the GOV-4 disclosure using only the datapoints listed on the page?What does the GOV-4 control framework overview need to cover in a draft?How should HR or a data owner support the GOV-4 data checking process?What kind of records belong in the GOV-4 evidence pack for assurance?How do I link the risk control measures to the assurance claims on GOV-4?What are the best ways to use the visualisation ideas in the GOV-4 draft-output section?How can I use the narrative starters on the GOV-4 page without overclaiming?What should I do if my GOV-4 draft has gaps in estimation control methods?How do I use the 'From company reports' table on the GOV-4 page for benchmarking?Can the GOV-4 page help me prepare for internal assurance review?What is the fastest way to move from the GOV-4 workbook to a first draft?
How this library is built 312 published reports indexed 63171 pages with page-level citations 272 practitioner guides