Supplier audit sustainability: process, obligations and auditable documentation according to LkSG and CSRD
A supplier sustainability audit is not a questionnaire, but a structured process according to LkSG § 7 and CSRD. This article describes the seven phases, the duties of the representatives and how you can document findings and measures in an audit-proof manner.
Since January 1, 2023, the Supply Chain Due Diligence Act (LkSG) has required companies with 3,000 employees or more, and since 2024 with 1,000 employees, to carry out risk-based audits of their supply chains. The CSRD (Directive (EU) 2022/2464) and the ESRS S2 and G1 add expanded reporting requirements on labour in the value chain and on business ethics. Supplier audits on sustainability are no longer a best practice tool, but rather a central component of the duty of care and reporting to the Federal Office of Economics and Export Control (BAFA) as well as to the auditor.
This article describes the audit process in seven clear phases, classifies the duties of LkSG officers, compliance functions and ESG officers and shows how you can document findings, measures and effectiveness controls in such a way that they are... Withstand a BAFA audit or an auditor inquiry. The focus is on practical steps for medium-sized and large companies, without becoming rigid in standard lists or artificially inflating the effort.
Key Takeaways
- A sustainable supplier audit is risk-based and follows seven phases from selection to effectiveness control.
- Findings are classified (critical, essential, worthy of observation) and given binding measures and deadlines.
- Audit documentation is audit-proof if the order, report, action plan and proof of effectiveness are available in version form.
Legal framework: LkSG, CSRD and supplementary standards
The LkSG obliges companies to carry out risk-based due diligence regarding their own business activities and their direct suppliers. § 4 LkSG requires risk management, § 5 an annual risk analysis, § 6 preventive measures and § 7 remedies for identified injuries. Audits are a central instrument for verifying preventive measures and monitoring effectiveness in accordance with Section 6 (5) LkSG. For indirect suppliers, an event-related inspection obligation applies in accordance with Section 9 LkSG. Anyone who also includes complaints about the whistleblower reporting office in accordance with Section 8 LkSG in the risk analysis closes an important interface and significantly increases the informative value of the audit programs.
With the CSRD and the ESRS S2 (employees in the value chain) and G1 (business ethics), additional reporting obligations arise, including statements on the effectiveness of the audit processes. ISO 19011 provides the methodological basis for conducting audits, ISO 26000 provides the substantive framework for sustainability topics. Industry-specific standards are also relevant: amfori BSCI for consumer goods, RBA for electronics, SMETA for multi-stakeholder audits. The function LkSG representative bundles operational responsibility for audit planning and reporting to management. It must be coordinated with the compliance and ESG officer functions so that risk analysis, audit and reporting come from the same database and duplication of work is avoided. In addition, for many industries, there are sector-specific initiatives such as the Responsible Minerals Initiative for conflict raw materials or the alliance standard for textiles, which are integrated into the audit framework as soon as the supply chain shows corresponding risks. Anyone who incorporates these standards into their own audit criteria at an early stage avoids each customer initiating their own audit rounds with redundant questions and reduces the burden on suppliers.
Phase 1: Supplier selection and risk assessment
Audits do not make sense for every supplier. The LkSG risk analysis according to § 5 prioritises according to the severity, probability and immediacy of the effects as well as the contribution to the cause. On this basis, an audit plan is created with suppliers in high-risk industries or high-risk countries. Indicators include industry classifications, country indices (Corruption Perceptions Index, ITUC Global Rights Index, ILO indicators), product risks (conflict minerals, textiles, agricultural raw materials) and historical incidents at the supplier.
The selection is documented with a risk score, justification, audit form (desk, remote, on-site) and planned focal points. Anyone who excludes suppliers from the risk analysis without justification weakens the line of defence against BAFA inquiries. A version-guided risk analysis makes sense, in which changes, new findings and repercussions on the audit plan are transparently reflected. Using the LkSG representative function and the audit templates in the CIVAC workspace, risk scores can be linked to audit cycles so that the selection does not fall into Excel islands. Important: The risk analysis must be updated annually and as appropriate, for example in the case of new suppliers, market changes or reports via the whistleblower reporting centre in accordance with Section 8 LkSG. This means that audit planning remains dynamic and not static. A short evaluation round per quarter with purchasing, compliance and ESG creates the bridge to operational supplier support and ensures that audit priorities match strategic supplier decisions, such as contract extensions or sourcing relocations to other countries. Anyone who prioritises suppliers with high volumes and high risk assessments in this step will achieve the greatest contribution to effectiveness with justifiable effort.
Phase 2: Audit planning and communication with the supplier
After the selection, the audit planning follows. It includes the audit order with scope, criteria, methods and audit team, the selection of audit standards (ISO 19011, amfori BSCI, RBA, SMETA), the determination of the audit type and advance communication with the supplier. The audit order is issued in writing, with clear reference to the legal basis (LkSG § 6 Paragraph 5) and to the contractual obligations in the supply contracts, which typically expressly provide for audit rights.
The advance communication contains an audit announcement, a catalogue of criteria (topics, standards, document requirements), a description of the expectations of the supplier and a confidentiality declaration. For high-risk suppliers, an unannounced audit can also make sense, if contractually agreed. A common weak point is the unclear scope definition: Anyone who mentions all ESG topics in general in the audit announcement will receive a shallow collection of material and no reliable findings on the day of the audit. A more focused scope makes more sense, such as occupational safety and labour law in a specific production facility. CIVAC's audit templates contain standardised audit order formats that are LkSG, CSRD and ISO-compliant and also document the interface to the whistleblower reporting centre in accordance with HinSchG. This means the process remains traceable and reproducible. It also makes sense to have an advance data request with a clear deadline (typically two weeks) and a minimum catalogue: organisational chart, list of subcontractors, safety statistics, wage structures and relevant certificates. Anyone who starts the audit with incomplete preliminary data spends the audit day with procurement questions instead of with substantive testing and loses valuable time. The preparation phase therefore determines the quality of the entire audit. A standardised pre-audit checklist, which is briefly adapted for each industry, ensures the reproducibility of the tests.
Phase 3: Implementation – opening, inspection, interviews, document review
The audit day begins with an opening meeting in which the scope, process and criteria are confirmed. This is followed by inspections of the production facility (during on-site audits), structured interviews with management and employees, and a document review. Interviewing takes confidentiality, language and cultural factors into account. In occupational safety and social audits, employee interviews without the presence of superiors are mandatory in order to obtain credible answers.
Typically, employment contracts, wage statements, time records, safety instructions, training records, supplier management documents, environmental permits, energy consumption and waste records are examined. Additional documentation requirements apply to topics such as conflict minerals (Section 10 LkSG, EU Conflict Minerals Regulation 2017/821) or freedom from deforestation (EUDR, Regulation (EU) 2023/1115). Each finding is documented with a receipt, photo or quote, with a date and auditor. The auditor calls, the evidence is ready., provided that the audit team structures the findings immediately and not in a free report in the evening. In the CIVAC workspace, findings are recorded in predefined subject areas, with a link to the audit criterion, risk analysis and action plan. This creates a file without double entry that is suitable for both LkSG and CSRD and is immediately understandable in the report to management. A short final discussion with the supplier on the day of the audit serves as validation, prevents misunderstandings and gives the supplier the opportunity to submit supporting documents at short notice before the findings are finally formulated in the report. This significantly increases the acceptance of action planning. It is important that auditors clearly separate observations from their own interpretations and store evidence in a structured manner in the file so that the later evaluation remains comprehensible and is not affected by different interpretations. A short internal quality check of the findings before submitting the report further increases consistency.
Phase 4: Finding classification and audit report
Findings are classified. Common levels are critical (human rights violations, serious security deficiencies, acute danger), essential (systemic deficiencies in the management system, regular violations) and worthy of observation (indications of potential for improvement). Each stage is associated with a response period: critical findings require immediate remedial action and ad hoc escalation, essential findings require an action plan within 30 days, findings worth monitoring go to the next audit cycle.
The audit report contains the order, method, scope, audit team, findings with classification, evidence, recommendations, statement from the supplier and next steps. An executive summary summarizes the core results for the management and the LkSG representatives. It is important to make a strict separation between findings (fact) and assessment (conclusion): A finding is objective, an assessment derives the risk classification from it. Others run compliance like a filing cabinet. We run it like software. CIVAC's 490 audit templates contain a unified findings schema with classification rules that speeds reporting and remains consistent in one's ESG and compliance file. This means that the report is not only readable, but can also be used in a structured manner for effectiveness monitoring and for the annual LkSG reporting to BAFA. A two-page executive summary with a heatmap, top findings and recommended immediate actions makes it easier for management to prioritise resources and escalations. Anyone who standardises this summary increases the comparability of audits across suppliers and reporting periods and creates the basis for structured escalations with supplier management.
Phase 5: Action plan and remedial measures
The action plan follows the report. Section 7 LkSG requires remedial measures that are suitable to end or at least minimise the identified violation. In the case of your own business area or direct suppliers, the remedy is usually mandatory; For indirect suppliers, it takes place on an ad hoc basis in accordance with Section 9 LkSG. Measures can be preventive (training, process changes), reactive (correcting individual issues) or structural (investment in protective equipment, wage adjustment).
Each measure is assigned to a person responsible, a deadline and an effectiveness indicator. The deadline expires as soon as we become aware of them, this applies in particular to critical findings with human rights relevance. The action plan is coordinated with the supplier and integrated into the contractual relationship, for example via appendices with binding corrective measures. Anyone who unilaterally orders measures without involving the supplier will lose time in implementation. Anyone who manages the plan via the CIVAC workspace can link measures with audit findings, risk analysis and effectiveness controls and display them in a dashboard for management. The plan is part of the file and is summarized in the annual LkSG report to BAFA without having to be reconstructed from multiple tools. It is also important to integrate the internal purchasing and quality management functions so that measures are compared with orders, specifications and supplier evaluations and do not run parallel to operational supplier management. This interface increases the likelihood that measures will actually be implemented. Where suppliers do not implement the measures, an escalated reaction is planned, up to and including termination of the business relationship in accordance with Section 7 Paragraph 3 LkSG as a last resort.
Phase 6: Effectiveness control and re-audit
Section 6 Paragraph 5 LkSG requires the effectiveness of preventative measures to be monitored at least once a year and as required. For audits, this means: measures are not just checked off, but their effect is checked. Methods include follow-up audits, supplier self-disclosures with plausibility checks, KPI evaluations (accident numbers, wage levels, training status) and random on-site verifications.
A re-audit usually takes place 12 to 24 months after the initial audit, earlier if there are critical findings. In the re-audit, the action plan is compared, new risks are identified and the classification of findings is updated. The effectiveness control is documented with a sample, method, result and evaluation. Audit-proof, documented, § 6 LkSG-proof. Anyone who systematically controls effectiveness can prove to BAFA, the auditor and stakeholders that due diligence does not result in control, but in effect. In the workspace, CIVAC combines audit templates, action plans and effectiveness controls in one file, so that the life cycle of a finding remains visible from the initial audit to the documented completion. This means that complaint processing can also be carried out via the whistleblower reporting centre in accordance with Section 8 LkSG, without a shadow process being created in parallel. Anyone who specifically formulates effectiveness indicators, for example as a reduction in the accident rate per 1,000 employees or as a proportion of signed training certificates, can quantify improvements and support them with arguments in the report to BAFA and management instead of relying on qualitative impressions. A compact key figures page for each supplier supports this quantification and also facilitates stakeholder dialogue with customers who increasingly expect verifiable ESG data as a prerequisite for supplier approvals.
Phase 7: Reporting, BAFA report and CSRD integration
The seventh phase is reporting. The LkSG report to BAFA must be prepared annually and submitted electronically via the BAFA portal (§ 10 LkSG). It describes risk analysis, preventive measures, information and complaints, identified injuries and remedies, effectiveness control and the findings for the following year. The BAFA handout specifies a standardised reporting structure that internal file management should follow in order to avoid duplication of work.
The CSRD reporting according to ESRS S2 and G1 creates further requirements: materiality analysis of workers in the value chain, description of the audit processes, statements on effectiveness, number of complaints, use of funds. Anyone who keeps the data in the LkSG file in a version-controlled manner can easily transfer it to the ESRS report. The auditor requires evidence of data origin, methodology and scope for the ESRS audit. This evidence consists of the above-mentioned audit files, action plans and effectiveness controls. Anyone who has breaks between tools generates considerable audit costs. A central, version-managed file via the CIVAC workspace solves this problem structurally and thus also contributes to reducing audit costs in the coming years. It makes sense to have an annual preparation routine in which LkSG officers, compliance, ESG and auditors compare the file status, prioritise open points and coordinate the reporting timeline. This creates a predictable reporting cycle that does not become hectic in the last few weeks before submission, but rather runs as a predictable routine throughout the financial year.
Conduct audit processes with CIVAC
A supplier audit Sustainability is the interface between due diligence, compliance and reporting. CIVAC is a compliance platform and officer-as-a-service, designed for the supplier auditor function and the LkSG officer, supplemented by 490 ready-to-use audit templates, a reporting line to management, an NIS-2 24/72 reporting path for security-related incidents and EU data residency for sensitive supplier data. The audit files are linked to risk analysis, action plan and effectiveness control, so that phases 1 to 7 do not have to be reconstructed from emails.
Licence the workspace for your internal representatives, or have our representatives appoint them. Both paths end in the same auditable file. Three questions help you get started: Which suppliers have you audited and with what risk justification? How do you manage the action plan based on findings and how do you measure effectiveness? Where is the interface to the whistleblower reporting centre and CSRD reporting? Turn reading into an assignment. Write to info@civac.de or use the contact form on civac.de. You will receive structured feedback within two working days with templates and a sketch for your audit file, tailored to the industry, supplier structure and reporting density. This gives you time for sourcing and supplier development instead of for file reconstruction before the reporting date. The audit process thus becomes a routine with clear file management instead of an annual special operation, and the risk of BAFA inquiries visibly decreases without increasing the effort for supplier support.
FAQ
Which suppliers do we need to audit?
Audits are risk-based. The LkSG risk analysis according to Section 5 prioritises suppliers according to severity, probability, immediacy and contribution. On this basis, an audit plan is created that typically includes high-risk industries, high-risk countries and suppliers with historical incidents.
Is a supplier self-disclosure sufficient instead of an audit?
If the risk is low and business relationships are established, self-disclosure may be sufficient, but with plausibility checks and random verification. For high-risk suppliers, an on-site or structured remote audit according to ISO 19011 is recommended to prove the effectiveness control according to Section 6 Paragraph 5 LkSG.
How long does a typical supplier sustainability audit take?
Preparation and audit implementation usually take two to four weeks per supplier, while on-site audits themselves take one to three days. Follow-up, coordination of measures and effectiveness monitoring last several months, depending on the classification of the findings and the complexity of the supply chain.
Who is internally responsible for audit processes?
Operational responsibility typically lies with the LkSG officer, coordinated with Compliance and ESG. The management bears overall responsibility in accordance with Section 4 LkSG and receives annual reports. External auditors can carry out audits, but control remains internal.
Which audit standards are relevant?
ISO 19011 as a methodological basis, supplemented by amfori BSCI (consumer goods), RBA (electronics), SMETA (multi-stakeholder), SA8000 (social standards) and ISO 26000 as a content framework. Industry and conflict minerals-specific standards (e.g. RMI) are added depending on the supply chain.
How does audit data connect to the CSRD report?
Audit files provide data points for ESRS S2 (value chain workforce) and G1 (business ethics), particularly on reach, effectiveness, complaints and actions. Anyone who keeps the LkSG file in a version-controlled manner can transfer these data points into the ESRS-compliant management report without duplicating work.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.