Your client is a mid-sized Dutch engineering firm. The CFO says ESRS G1 “doesn’t really apply” because the company has never had a corruption case. But ESRS G1 paragraph 7 covers corporate culture, whistleblower protection, anti-corruption training, political lobbying, and payment practices to SME suppliers. The client’s code of conduct dates from 2019. There’s no formal whistleblower channel, and average payment to small suppliers runs 67 days. G1 applies.
ESRS G1 requires undertakings to disclose their approach to business conduct across six disclosure requirements (G1-1 through G1-6), covering corporate culture, anti-corruption, whistleblower protection, supplier relationships, political influence, and payment practices. The December 2025 Omnibus amendments removed duplications with ESRS 2.
Key takeaways
- Why G1 is likely material for almost every company in scope of CSRD, regardless of sector or risk profile
- What each of the six ESRS G1 disclosure requirements demands, with paragraph-level references
- What changed under the December 2025 Omnibus amendments, including the removal of governance duplications and the revised payment practices metrics
- How to handle the most common first-year challenge: a code of conduct that exists but produces none of the disclosures G1 demands
Why G1 is different from every other topical ESRS
ESRS G1 is the only governance topical standard. It sits alongside the five environmental standards (E1 through E5) and four social standards (S1 through S4), but it operates differently in two ways that affect how you plan your engagement.
First, G1 covers business conduct matters that apply to virtually every company. The standard’s scope (ESRS G1 paragraph 4) includes business ethics and corporate culture, anti-corruption and anti-bribery, whistleblower protection, animal welfare, management of supplier relationships (with a specific focus on payment practices to SMEs), and political influence including lobbying. A manufacturing company may conclude that ESRS E4 (Biodiversity) is not material because it has no sites near protected areas. It cannot credibly conclude that anti-corruption policies and payment practices are immaterial. The double materiality assessment (DMA) for G1 will almost always identify at least one material sub-topic.
Second, G1 has significant overlap with ESRS 2 General Disclosures. The original 2023 ESRS G1 repeated governance, strategy, risk management, and due diligence disclosures already required by ESRS 2. The December 2025 amended version deleted those duplications. Under the amended ESRS, companies follow ESRS 2 for general governance and management disclosures and apply G1 only for business conduct-specific elements. If your client’s sustainability statement was drafted under the original standard and has overlapping text in the ESRS 2 and G1 sections, the amended standard requires consolidation.
ESRS G1 draws on well-established international frameworks. The UN Convention against Corruption informs the anti-corruption requirements. The EU Whistleblower Protection Directive (Directive (EU) 2019/1937) informs the whistleblower provisions. The SFDR principal adverse impact indicator #15 (“Cases of insufficient action taken to address breaches of standards of anti-corruption and anti-bribery”) links directly to G1-4. For your engagement, these framework references give you external benchmarks to test the client’s disclosures against.
The six disclosure requirements in practice
G1-1: Corporate culture and policies on business conduct
ESRS G1 paragraph 7 requires the undertaking to describe its policies on business conduct matters. The disclosure must cover how the company establishes, develops, promotes, and evaluates its corporate culture. Paragraph 8 adds specific requirements: the mechanisms for identifying, reporting, and investigating concerns about unlawful behaviour or behaviour contradicting the code of conduct; and whether the company accommodates reporting from both internal and external stakeholders.
Where the undertaking has no anti-corruption or anti-bribery policies consistent with the UN Convention against Corruption, paragraph 8 requires the company to state this fact and say whether it plans to implement such policies, including a timetable if so.
Whistleblower protection gets its own sub-requirements. The disclosure must cover the establishment of internal whistleblower reporting channels, training provided to staff who receive reports, the protections in place for whistleblowers, and whether the channel is accessible to external stakeholders. Dutch companies are subject to the Wet bescherming klokkenluiders (the Dutch transposition of Directive 2019/1937), which requires companies with 50 or more employees to have an internal reporting channel. Your assurance procedures should verify that the channel described in the sustainability statement actually exists and is operational, not just that a policy document references it.
ESRS G1 AR 1 (application requirements) lists optional additional disclosures: the frequency with which the board discusses corporate culture, the principal themes promoted as part of corporate culture, specific incentive structures that reinforce ethical behaviour, and whether the effectiveness of those structures is assessed. The amended ESRS moved most of these to non-mandatory illustrative guidance, but the core G1-1 requirements survived intact. We’ve seen firms treat G1-1 as a tick-box exercise: copy the code of conduct into the sustainability statement and move on. That doesn’t work. The standard asks whether the company evaluates and promotes its culture, not just whether a policy document exists.
G1-2: Management of relationships with suppliers
ESRS G1 paragraph 13 requires disclosure of how the undertaking manages its relationships with suppliers, with specific attention to payment practices and their impacts on supplier welfare, particularly SMEs. ESRS G1 AR 2 defines “management of relationships” to include the undertaking’s approach to sustainable procurement, fair treatment of suppliers, the consideration of suppliers’ dependencies on the undertaking, and the impact of payment practices on supplier welfare.
ESRS G1 AR 3 defines “vulnerable suppliers” as those exposed to significant economic, environmental, or social risks because of their relationship with the undertaking. For a large Dutch manufacturer, vulnerable suppliers might include small, single-client subcontractors in the value chain who lack bargaining power. The disclosure should address whether the company has identified such suppliers and what it does to avoid exploiting the power imbalance.
In our experience, G1-2 is the disclosure requirement where the gap between “what the standard asks” and “what companies actually have” is smallest. Most companies already have procurement policies and supplier codes of conduct. The question is whether those existing processes produce the specific disclosures G1-2 requires. Check whether the client’s procurement policy explicitly addresses payment terms for SMEs (this links to G1-6 metrics) and whether it covers how the company identifies and manages supplier dependency risks.
G1-3: Prevention and detection of corruption and bribery
ESRS G1 paragraph 17 requires disclosure of the undertaking’s anti-corruption and bribery prevention system. This includes the scope of the system (which functions and geographies it covers) and the identification of “functions-at-risk” (defined in AR 4 as functions deemed to be at risk of corruption and bribery), plus the training provided to those functions.
Paragraph 19 requires quantitative data: the percentage of functions-at-risk covered by the anti-corruption training programme. This is one of G1’s few hard metrics. The denominator is all functions the company has identified as at-risk; the numerator is those that received training in the reporting period. If the client has not formally identified its functions-at-risk, this metric cannot be calculated, and the gap should be flagged.
The anti-corruption disclosure requirement also connects to the SFDR. The SFDR principal adverse impact indicator #15 specifically references cases of insufficient action taken to address breaches of anti-corruption and anti-bribery standards. Financial market participants looking at your client’s sustainability statement will check G1-3 disclosures as part of their PAI reporting.
G1-4: Confirmed incidents of corruption or bribery
ESRS G1 paragraph 22 requires the undertaking to disclose confirmed incidents of corruption or bribery during the reporting period. The disclosure covers the number of convictions for violation of anti-corruption and anti-bribery laws, the amount of fines incurred, any actions taken to address breaches, and whether those actions resulted in changes to the prevention system.
If the undertaking has had no confirmed incidents, the disclosure is straightforward: a statement that no incidents occurred. But “no incidents” requires a functioning detection system. If the client has no whistleblower channel, no internal investigation procedure, and no monitoring of high-risk functions, a claim of “no incidents” is less credible. Your assurance procedures should assess whether the client has detection mechanisms in place, not just whether incidents were detected.
ESRS G1 paragraph 23 adds that disclosures about incidents should include only those involving actors in the value chain where the company or its employees are directly involved. If a client’s supplier was convicted of bribery in a jurisdiction where the client operates, but the client had no involvement, that incident falls outside G1-4’s scope.
G1-5: Political influence, including lobbying
ESRS G1 paragraph 27 requires the undertaking to disclose its activities related to political influence, including lobbying. Paragraph 29 specifies the information to be provided: the financial and in-kind political contributions made (aggregated by country and type of recipient) and the main topics covered by lobbying activities. It also requires disclosure of the alignment between the company’s public statements on sustainability matters and its political engagement positions.
AR 14 and AR 15 provide an illustrative example of how this disclosure might look, including a table showing amounts spent on lobbying by topic and jurisdiction. For most mid-sized Dutch companies, lobbying is limited to industry association memberships. The disclosure should state the monetary value of association fees where those associations engage in political advocacy, and the main regulatory topics those associations lobby on.
The alignment requirement in paragraph 29(c) is the sharpest part of this disclosure. It asks the undertaking to demonstrate that its lobbying positions are consistent with its stated sustainability commitments. If the client’s sustainability statement says it supports the EU Green Deal but its industry association lobbied against the CSRD scope expansion, that inconsistency is a disclosure point.
G1-6: Payment practices
ESRS G1 paragraph 33 requires the undertaking to disclose its payment practices, with particular attention to late payments to SMEs. The original standard required the average time to pay an invoice. The amended ESRS removed this metric. The December 2025 technical advice replaced it with entity-specific disclosures on late payments to SMEs, supported by a new Application Requirement providing methodological guidance.
What remains in G1-6 includes the undertaking’s standard contractual payment terms (disaggregated by category if they vary), and the number or percentage of payment transactions that are paid past the contractual due date. ESRS G1 AR 16 notes that the standard contractual terms may differ significantly from actual payment behaviour, and requires the undertaking to address this gap if it exists.
For your engagement, G1-6 produces testable data. You can verify contractual payment terms against standard supplier contracts. You can verify actual payment times against the accounts payable ledger. If the standard term is 30 days but the client’s average actual payment is 67 days, that discrepancy needs to appear in the disclosure. The EU Late Payment Directive (Directive 2011/7/EU) caps payment terms at 60 days for B2B transactions and 30 days for public authorities. If the client’s actual payment behaviour exceeds these limits, the G1-6 disclosure intersects with a legal compliance question.
What changed under the December 2025 Omnibus amendments
ESRS G1’s changes under the Omnibus simplification were less dramatic in percentage terms than the environmental standards, but structurally meaningful.
Duplications with ESRS 2 deleted. The original G1 repeated governance, strategy, risk management, and due diligence requirements already required by ESRS 2. The amended version makes explicit that companies should follow ESRS 2 for general governance disclosures and add G1 only for business conduct-specific content. If the sustainability statement previously had identical governance text in both the ESRS 2 and G1 sections, the amended standard eliminates this. Clients can consolidate into a single governance section with cross-references.
Average invoice payment time removed from G1-6. EFRAG’s December 2025 technical advice deleted the metric requiring average time to pay an invoice. The replacement is an entity-specific disclosure on late payments to SMEs, with new Application Requirements providing methodological guidance. This change reflects feedback from Wave 1 reporters that the original metric was difficult to calculate accurately (particularly where payment systems use different date fields for invoice receipt versus payment initiation) and that the metric was not comparable across companies.
Voluntary datapoints eliminated. The amendments either deleted or moved all “may disclose” content in G1 to non-mandatory illustrative guidance (NMIG). The AR provisions that previously provided optional disclosures on corporate culture, training, supplier relationship details, and incentive structures are now guidance rather than standard text. The mandatory core requirements remain unchanged.
No targets required. Neither the original nor the amended ESRS G1 includes a specific disclosure requirement for targets related to business conduct. This is unusual across the ESRS set (most topical standards have a targets DR). PwC’s sustainability reporting guide (December 2024) confirms that no target-setting disclosure requirement exists in ESRS or ISSB standards specifically for business conduct. If your client has set voluntary targets (for example, “100% of at-risk functions trained by 2025”), they can disclose them under the general ESRS 2 GDR-T provisions, but they’re not required to.
Worked example: Veenstra Engineering B.V.
Client profile: Veenstra Engineering B.V. is an industrial equipment manufacturer based in Zwolle, Netherlands, with €78M revenue and 210 employees. The company exports to 14 countries, including markets with elevated corruption risk (Turkey, Nigeria, Indonesia). It uses 45 suppliers, of which 28 are SMEs. The company has a code of conduct from 2019 that references anti-corruption but provides no specific procedures.
Materiality assessment
Veenstra’s DMA identifies two material G1 sub-topics. Anti-corruption and bribery is material because the company operates through local agents in Turkey, Nigeria, and Indonesia, all of which score below 40 (out of 100) on Transparency International’s Corruption Perceptions Index. Payment practices is material because 62% of suppliers are SMEs and the company’s average actual payment time is 67 days against contractual terms of 45 days. Political influence is assessed as not material (no direct lobbying, industry association fees total €8,500 per year).
Documentation note: Record the TI CPI scores for each export country, the identification of local agents as a high-risk channel, the SME supplier count, the gap between contractual and actual payment terms, and the basis for excluding political influence as immaterial. Cross-reference to the DMA summary in ESRS 2.
Policies (G1-1)
Veenstra’s 2019 code of conduct states that “the company does not tolerate corruption or bribery.” It does not identify functions-at-risk, does not reference the UN Convention against Corruption, and does not describe a whistleblower channel. The company has a Wet bescherming klokkenluiders-compliant internal reporting channel (established in 2023 after the Dutch transposition deadline), but this channel is not referenced in the code of conduct and has not been communicated to external stakeholders.
The sustainability team updates the code of conduct in Q3 2024. The revised version identifies sales, procurement, local agent management, and finance as functions-at-risk. It references the UN Convention against Corruption. It describes the internal whistleblower channel, the designation of the compliance officer as the receiving party, and the protections available to reporters.
Documentation note: Verify the 2024 code of conduct update against board minutes approving the revision. Confirm the whistleblower channel is operational (check the platform’s activity log). Verify that the compliance officer has received training on handling reports. Note that external stakeholder access to the whistleblower channel has not yet been implemented. Flag this as a gap for the assurance file.
Anti-corruption (G1-3)
In September 2024, Veenstra conducted anti-corruption training for all functions-at-risk. Sales (18 employees), procurement (6 employees), local agent managers (4 employees), and finance (5 employees) attended mandatory training sessions. Total functions-at-risk headcount: 33. Training coverage: 100%. The training covered red flags for bribery, the gift and hospitality policy, the procedure for reporting concerns, and the consequences of non-compliance.
Documentation note: Verify the training attendance records against the HR system. Confirm the definition of functions-at-risk matches the code of conduct. Calculate the training coverage metric (33/33 = 100%). Obtain the training materials to verify content covers anti-corruption topics.
Incidents (G1-4)
Veenstra had no confirmed incidents of corruption or bribery in 2024. No convictions, no fines. The whistleblower channel received zero reports in its first year of operation.
Documentation note: Obtain the compliance officer’s annual report confirming zero incidents and zero whistleblower reports. Note in the assurance file that zero reports in year one may reflect low awareness rather than absence of issues (the channel was not communicated to external stakeholders). This observation doesn’t change the G1-4 disclosure but informs the risk assessment for next year’s engagement.
Payment practices (G1-6)
Veenstra’s standard contractual payment terms are 45 days for SME suppliers and 60 days for large suppliers. In 2024, the average actual payment to SME suppliers was 67 days. Of 1,840 payment transactions to SMEs in 2024, 1,104 (60%) were paid after the contractual due date. The company attributes the late payment pattern to a manual invoice approval workflow that adds 15 to 20 days between invoice receipt and payment release.
Documentation note: Verify standard payment terms against a sample of supplier contracts. Run a report from the accounts payable system showing invoice dates, due dates, and payment dates for all SME transactions. Calculate the late payment percentage (1,104/1,840 = 60%). Verify the management explanation (manual approval workflow) against the actual process. Note that the 67-day average exceeds the EU Late Payment Directive’s 60-day maximum for B2B transactions.
A reviewer sees a company with corruption risk exposure through export markets, a freshly updated code of conduct, 100% training coverage on at-risk functions, a nascent whistleblower system with zero reports in year one, and payment practices to SMEs that exceed the EU Late Payment Directive threshold. The governance systems are being built. The gaps are documented and open. The file should tell a story, and here it does: this is a company that identified its G1 gaps late and is closing them in sequence.
Practical checklist for your next CSRD engagement
Common mistakes in first-year ESRS G1 filings
- Disclosing a code of conduct without mapping it to G1’s requirements. G1-1 paragraph 8 requires specific disclosures on reporting mechanisms and whistleblower channels, plus the anti-corruption procedures backing them up. A code of conduct that says “we act ethically” without describing those mechanisms doesn’t satisfy the disclosure requirement. Map the code’s content against paragraph 8’s sub-requirements before concluding it covers G1-1.
- Ignoring the payment practices disclosure. G1-6 is the disclosure requirement most clients want to skip, because the data often reveals unflattering payment behaviour. I get it. Nobody enjoys telling the CFO that the sustainability report will say the company pays small suppliers late. But under the EU Late Payment Directive, late payment to SMEs is not just a disclosure issue; it’s a compliance issue. Companies that avoid G1-6 because the numbers look bad are making a strategic error. The sustainability statement must report the data regardless of whether it’s favourable.
- Treating industry association memberships as immaterial for G1-5. An association fee of €10,000 may seem small, but if that association lobbied against sustainability legislation the client publicly supports, the inconsistency becomes a G1-5 disclosure point under paragraph 29(c). The materiality test for G1-5 isn’t the size of the contribution. It’s whether the political influence activities are consistent with the company’s stated sustainability commitments.
Related content
- Double materiality assessment. How the DMA determines which ESRS topical standards apply, including why G1 is likely material for almost every company in CSRD scope.
- Financial Ratio Calculator. Use the AP turnover ratio and days payable outstanding calculations to benchmark your client’s payment practices against industry norms and the EU Late Payment Directive thresholds.
- How to report under ESRS S2: Workers in the value chain for mid-tier auditors. Covers the social standard that most closely interacts with G1-2 (supplier relationships), including how supply chain due diligence intersects with payment practices and supplier welfare.
- How to report under ESRS S4: Consumers and end-users. The social standard that shares G1’s emphasis on human rights policy alignment and grievance mechanisms, applied to a different stakeholder group.
Frequently asked questions
Is ESRS G1 material for every company in scope of the CSRD?
In practice, yes for almost every company. ESRS G1 covers anti-corruption policies, whistleblower protection, and payment practices to SME suppliers, which are relevant regardless of sector. A company may credibly conclude that environmental standards like ESRS E4 are not material, but it cannot credibly argue that business conduct policies and payment practices are immaterial.
What is the functions-at-risk metric under ESRS G1-3?
ESRS G1 paragraph 19 requires the percentage of functions-at-risk covered by the anti-corruption training programme. The denominator is all functions the company has identified as at-risk for corruption and bribery (as defined in AR 4). The numerator is those that received training in the reporting period. If the client has not formally identified its functions-at-risk, this metric cannot be calculated and the gap should be flagged.
Did the December 2025 Omnibus amendments remove any G1 disclosure requirements?
The Omnibus amendments deleted duplications with ESRS 2, removed the average invoice payment time metric from G1-6 (replaced with entity-specific late payment disclosures to SMEs), and moved all voluntary “may disclose” content to non-mandatory illustrative guidance. The six core disclosure requirements (G1-1 through G1-6) remain, but the mandatory core is streamlined.
How should a company disclose payment practices under the amended ESRS G1-6?
The amended G1-6 requires disclosure of standard contractual payment terms (disaggregated by category if they vary) and the number or percentage of payment transactions paid past the contractual due date, with particular attention to SME suppliers. The original average invoice payment time metric was removed. If the gap between contractual terms and actual payment behaviour is material, the company must address it in the disclosure.
Does ESRS G1 require companies to set targets for business conduct?
No. Neither the original nor the amended ESRS G1 includes a specific disclosure requirement for targets related to business conduct. This is unusual across the ESRS set. If the client has set voluntary targets, they can disclose them under ESRS 2 GDR-T provisions, but target-setting is not mandatory under G1.
Further reading and source references
- ESRS G1, Business Conduct: the governance topical standard covering corporate culture, anti-corruption, whistleblower protection, political influence, and payment practices.
- ESRS 2, General Disclosures: the baseline governance and strategy disclosures that G1 builds upon (duplications removed under the amended ESRS).
- EU Whistleblower Protection Directive (Directive (EU) 2019/1937): informs the whistleblower provisions in G1-1.
- EU Late Payment Directive (Directive 2011/7/EU): caps B2B payment terms at 60 days, directly relevant to G1-6 payment practices disclosures.