The price of freedom is eternal vigilance.


Beyond the Law - Part 4

Audit as Government: How Due Diligence and Assurance Create Sueable Duties

esc
Aug 28, 2025
∙ Paid

New laws are being introduced that require companies to prove they’re not harming people or the environment, and these reports have to be checked by outside auditors[1]. What used to be voluntary guidelines or market pressures is progressively turning into hard legal obligations backed by government enforcement.

Think of it like four layers of control:

  • Accreditation decides whose approval matters.

  • Finance decides who gets funding.

  • Credentials decide who gets access.

  • Audit decides who can be taken to court.

This fourth layer — audit — is the most powerful. It means the big global accounting firms (Deloitte, PwC, EY, and KPMG) are no longer just bean counters. They’re acting like regulators, deciding what counts as ‘legal compliance’.

But unlike governments, they aren’t elected or accountable to the public.


Previously: Beyond the Law - Part 3 (esc, Aug 27)

Weaponising the Infrastructure

The previous three rails created powerful yet voluntary constraints. Companies could choose to operate outside accredited certification systems, accept higher capital costs from poor ESG ratings, or work around credential requirements — at the cost of reduced market access. Each rail created pressure through exclusion rather than compulsion.

Audit as government changes this completely. Once due diligence and assurance become mandatory[2], the entire indicator infrastructure becomes legally enforceable through state power[3]. The accreditation system that determines whose verification counts becomes the foundation for legal evidence. The disclosure templates that affect capital costs become the basis for court proceedings. The credential systems that control participation become the evidentiary trail for liability claims.

What were market mechanisms become legal requirements[4]. What were business disadvantages become criminal penalties and civil damages. The infrastructure doesn't just exclude non-compliant actors — it prosecutes them.


The Legal Infrastructure

Mandatory Due Diligence Statutes

  • EU Corporate Sustainability Due Diligence Directive[5] (CSDDD): Requires companies to identify, assess, prevent, and mitigate adverse human rights and environmental impacts throughout their value chains. Non-compliance triggers civil liability for damages and administrative fines up to 5% of global turnover. The directive explicitly creates private rights of action, allowing affected parties to sue companies for inadequate due diligence.

  • Germany's Supply Chain Due Diligence Act[6] (Lieferkettengesetz): Demands systematic risk assessments, preventive measures, grievance mechanisms, and public reporting on supply chain human rights and environmental practices. The Federal Office for Economic Affairs and Export Control can impose fines up to €8 million and exclude companies from public procurement for up to three years[7].

  • France's Duty of Vigilance Law[8] (2017): Imposes obligations on large French companies to establish and implement vigilance plans monitoring human rights and environmental risks. The law creates civil liability for damages resulting from failure to establish adequate vigilance plans. Civil society organisations have explicit standing to bring enforcement actions[9].

  • Norway's Transparency Act[10] (2022): Requires companies to conduct due diligence on actual and potential adverse impacts on fundamental human rights and decent working conditions. Companies must publish annual transparency reports and respond to public information requests about specific supply chain practices.

Disclosure and Assurance Mandates

  • EU Corporate Sustainability Reporting Directive[11] (CSRD): Expands sustainability reporting requirements to approximately 50,000 companies, mandating third-party limited assurance initially, with progression toward reasonable assurance. The directive integrates with due diligence requirements, making assured disclosures evidence of compliance or non-compliance with legal duties.

  • IFRS Sustainability Disclosure Standards[12] (ISSB S1/S2): Establishes global baseline requirements for sustainability and climate-related disclosures. Already endorsed by IOSCO and being implemented across major jurisdictions. The standards specify that disclosures should be subject to external assurance where required by local law or regulation.

  • UK Sustainability Disclosure Requirements[13]: Following ISSB standards, with assurance requirements for premium listed companies. The Financial Conduct Authority can impose penalties for inadequate disclosures.


The Big Four as Shadow Regulators

The mandatory assurance system transforms the Big Four accounting firms (Deloitte, PwC, EY, KPMG) and their networks into private regulatory authorities with governmental power but with limited democratic accountability[14].

Only accredited auditors may provide the assurance that validates disclosures for legal purposes. When an auditor refuses to provide assurance, or qualifies their opinion, it creates immediate legal exposure. When auditors provide clean opinions, they effectively certify legal compliance. This gives auditors significant influence over legal liability determinations — power they exercise through private professional judgment[15].

Professional Standards as Shadow Law: When auditing bodies update their interpretation of ‘reasonable assurance’ for climate disclosures or supply chain due diligence, they effectively change the legal standards companies must meet. These standards changes happen through private technical committees, not legislative processes.

Audit Decisions as Regulatory Enforcement: Individual auditor judgments about materiality, evidence adequacy, and assurance scope directly determine legal compliance[16]. Companies have limited recourse when auditors make interpretive decisions that create legal vulnerability: appeals processes exist but are expensive and time-consuming, and professional standards remain opaque. Auditor professional judgment receives legal deference despite operating without traditional due process protections.

Market Power as Regulatory Authority: The limited number of firms capable of providing credible sustainability assurance creates oligopoly power. Companies must accept auditor demands for operational changes or restrictive standard interpretations — auditors shape business practices through commercial relationships, independent of formal regulatory processes.

This creates a privatised regulatory system where enormous public power is exercised through private commercial relationships.


The Enforcement Chain: From Indicators to Liability

The transformation follows a precise sequence:

  • Indicator Definition[17]: Legislators or regulators specify sustainability metrics that companies must assess (e.g., greenhouse gas emissions, child labour risks, deforestation in supply chains).

  • Due Diligence Obligation[18]: Statutes require companies to systematically assess, prevent, and mitigate risks related to these indicators throughout their operations and value chains.

  • Disclosure Mandate[19]: Companies must publicly report their due diligence processes, findings, and remedial actions according to standardised templates (CSRD, ISSB standards).

  • Assurance Requirement[20]: External auditors must verify the accuracy and completeness of these disclosures, applying professional standards for audit evidence and materiality.

  • Legal Evidence[21]: Assured disclosures become admissible evidence in legal proceedings, whilst inadequate or false disclosures become grounds for liability claims. Courts typically assess compliance based on good faith efforts and reasonableness standards, but auditor opinions significantly influence these determinations.

  • Behavioural Response[22]: Companies restructure operations, change suppliers, and implement new management systems to reduce legal exposure, regardless of business efficiency considerations.


Case Studies: Legal Weaponisation in Action

German Supply Chain Act: When Auditor Decisions Become Market Exclusions

A major German automotive manufacturer terminated contracts with East Asian suppliers after auditors concluded they could not provide adequate assurance regarding labour conditions under Lieferkettengesetz requirements. The suppliers faced no direct regulatory action — they lost business because continued relationships created legal liability for the German company[23].

The auditors' professional judgment became regulatory enforcement. The suppliers had no recourse against auditor decisions and no clear remediation path, since professional standards for ‘adequate assurance’ remain opaque. This shows how privatised regulatory power operates without traditional due process protections.

French Duty of Vigilance: Assured Disclosures as Legal Evidence

Environmental groups sued TotalEnergies under France's Duty of Vigilance Law, using the company's auditor-assured vigilance plans as evidence that due diligence was inadequate to prevent foreseeable harms in Uganda and Tanzania. Courts must now determine whether sustainability metrics certified by auditors meet legal standards of care[24].

The litigation reveals how technical auditing decisions — what constitutes ‘adequate’ due diligence, which risks are ‘material’ — become determinations of legal liability with massive financial consequences. Professional audit judgments become judicial evidence with legal force.

EU CSRD: Assurance as Legal Insurance

Companies in CSRD pilots increasingly treat auditor sign-off as legal protection. Where auditors express concerns about data quality or methodology, companies modify operations to obtain clean assurance opinions rather than improve actual sustainability performance.

This reveals how shadow regulatory power works: companies reorganise not to achieve policy objectives, but to satisfy auditor requirements that protect against legal liability. The auditors' technical demands become de facto regulatory mandates enforced through legal exposure[25].

From Theory to Practice

These enforcement mechanisms are no longer theoretical. In 2025, the Corporate Sustainability Reporting Directive began mandatory limited assurance requirements, while California's climate disclosure laws survived legal challenge with enforcement dependent on auditor-verified ‘good faith efforts’. The SEC's Climate and ESG Task Force has brought multiple enforcement actions where auditor-assured disclosures became evidence in securities fraud proceedings, including $19 million in fines against Deutsche Bank for misleading ESG statements[26].

European enforcement has escalated to criminal prosecution, with the UK making dishonest greenwashing a ‘failure to prevent fraud’ offence. Companies now treat ‘every environmental and social claim as a potential legal exposure point’[27], modifying operations to obtain clean audit opinions rather than improve actual performance. AI tools scan supply chains in real-time[28], while the Corporate Sustainability Due Diligence Directive — set for 2027 enforcement — will create civil liability for inadequate due diligence throughout global value chains[29][30].

The audit infrastructure has achieved what earlier sections predicted: private professional judgment now determines legal compliance, with auditor decisions creating immediate regulatory and legal exposure. Most large multinationals have hired dedicated ‘ESG counsel’ specifically to manage legal requirements determined by audit standards rather than legislative processes[31][32].


Why Audit Sits Above Market Mechanisms

From Voluntary Exclusion to Legal Compulsion

The previous three rails operated through market-based exclusion. Companies could choose to remain outside accredited systems, accept higher capital costs, or work around credential requirements — but they remained within the legal economy.

Audit as government converts market exclusion into legal compulsion enforceable by state power. Once auditor decisions determine legal compliance, resistance moves from business disadvantage to criminal penalty and civil liability. Courts become the ultimate enforcement mechanism, backed by police power and asset seizure.

Converting Infrastructure into Evidence

The audit rail weaponises the infrastructure established by previous rails:

  • Accreditation becomes Legal Foundation: The ‘trust of trust’ layer that determines whose verification counts becomes the evidentiary foundation for court proceedings. Only accredited assessments become admissible legal evidence.

  • Liquidity Requirements become Legal Duties: The disclosure templates that affect capital costs become mandatory legal reporting requirements. Poor ESG ratings become evidence of legal non-compliance.

  • Credentials become Liability Trails: The identity systems that control participation become evidentiary records of legal compliance or non-compliance in court proceedings.

The infrastructure doesn't just gate access — it creates legal records that can be subpoenaed, audited, and used as evidence against those who fail to comply.


The Governance Architecture of Legal Liability

Auditors as Shadow Regulators

The Big Four accounting firms and their networks function as a private regulatory cartel for global sustainability compliance[33]. Their professional standards, interpretive guidance, and individual audit decisions determine what constitutes adequate legal compliance for thousands of companies worldwide.

This regulatory function operates without democratic mandate or direct governmental oversight. Professional auditing bodies set standards; individual auditors interpret them; audit decisions determine legal compliance. The entire system operates under the fiction that auditors provide neutral technical services, when in reality they exercise quasi-governmental regulatory authority.

Professional Standards as Shadow Law

Professional auditing standards for sustainability assurance become de facto legal requirements through the mandatory assurance system. When auditing bodies update their interpretation of ‘reasonable assurance’ for climate disclosures or supply chain due diligence, they effectively change the legal standards that companies must meet.

These standards changes happen through technical committees and professional consultations, not legislative processes. Yet they have the force of law through the assurance requirement mechanism.

Liability Cascades Through Global Supply Chains

Due diligence obligations create liability cascades that extend legal requirements far beyond the jurisdictions that enact them. European due diligence laws become global requirements when multinational companies pass assurance obligations down their supply chains through contractual terms.

A small supplier in Bangladesh or Vietnam suddenly finds its market access dependent on satisfying ESG audit requirements written in Brussels or Frankfurt, implemented by auditors trained in London or New York, and enforced through contract termination rather than direct regulation.


Constitutional Implications of Private Legal Enforcement

Due Process in Professional Judgment

Audit as government raises fundamental questions about due process when private professional judgment determines legal liability. Auditor decisions about materiality, evidence adequacy, and assurance scope directly affect legal exposure, yet these decisions happen through private professional processes without traditional due process protections.

Companies have limited recourse when auditors make interpretive decisions that create legal vulnerability. Auditor professional judgment receives legal deference, yet operates without the procedural safeguards typically required for governmental decision-making.

Democratic Accountability Gaps

The audit infrastructure exercises governmental regulatory functions — determining legal compliance, shaping corporate behaviour, enforcing public policy objectives — without direct democratic accountability. Professional auditing bodies are private organisations; audit firms are commercial enterprises; individual auditors are private professionals.

Yet through the mandatory assurance system, their decisions determine how public policy objectives are implemented and enforced across the global economy. The privatisation of regulatory enforcement creates an accountability gap where enormous public power is exercised through private mechanisms.


Economic Effects of Audited Liability

Compliance Costs and Market Concentration

Mandatory assurance requirements create significant compliance costs that favour large companies over smaller enterprises. Big Four audit services for complex sustainability assurance can cost millions annually, creating barriers to market entry and competitive advantages for established players.

This dynamic accelerates market concentration as smaller companies struggle to afford the audit infrastructure necessary for legal compliance, whilst larger companies can spread these costs across broader operations.

Auditor Market Power

The limited number of auditing firms capable of providing credible sustainability assurance creates oligopoly market power. Companies have few alternatives when auditors demand operational changes or impose restrictive interpretations of professional standards.

This market power enables auditors to shape global business practices through their commercial relationships, independent of formal regulatory processes or democratic oversight.


Global Implications and Resistance

Regulatory Arbitrage and Jurisdiction Shopping

As different jurisdictions implement varying due diligence and assurance requirements, companies engage in regulatory arbitrage, structuring operations to minimise exposure to the most stringent audit requirements.

However, the global nature of supply chains and the extraterritorial effects of due diligence laws limit the effectiveness of jurisdiction shopping. Major multinational companies find themselves subject to the most stringent requirements regardless of their legal domicile.

Developing Country Impacts

The globalisation of due diligence and assurance requirements through supply chain contracts creates particular challenges for developing country suppliers. They must comply with standards designed for developed country contexts, using audit services that may be unavailable or prohibitively expensive locally.

This can create new forms of economic dependence where market access depends on compliance with foreign-designed audit requirements, enforced by international audit firms, according to professional standards developed primarily in wealthy countries.


The Liability Rail

Audit as government represents the completion of the transformation from voluntary standards to binding legal duties. By converting sustainability metrics into legal evidence through mandatory assurance requirements, it weaponises the entire indicator system with the threat of litigation and state sanctions[34].

This is the fourth enforcement rail:

  • Rail 1 (Accreditation): Controls whose verification counts

  • Rail 2 (Liquidity): Controls who gets financed

  • Rail 3 (Credentials): Controls who participates

  • Rail 4 (Audit): Controls who gets sued

Together, these rails create a comprehensive system where technical standards become legal requirements enforceable through market exclusion, financial pressure, access control, and state sanctions. The indicator regime achieves binding authority without requiring new democratic mandates or legislative processes.

But even legal liability depends on the underlying data that feeds into the indicators, models, and audit processes. The next question becomes: who controls access to the raw material of measurement itself? If auditors determine legal compliance based on sustainability indicators, who determines what data can be used to generate those indicators — and who gets excluded from the data that drives the entire system?

The answer reveals the most fundamental control layer of all: the governance of data access that determines which models, indicators, and policies are even possible to implement.


Addressing Common Objections

  • ‘Auditors are just providing technical services, not acting as regulators’

    This misunderstands the functional reality of mandatory assurance systems. When auditor opinions determine legal compliance and market access, auditors exercise regulatory authority regardless of their formal designation. A ‘technical service’ that determines whether a company faces civil liability, criminal penalties, or market exclusion is regulatory enforcement by definition. The German automotive suppliers excluded from contracts based on auditor decisions faced no formal regulatory action - they lost business because auditors determined their compliance was inadequate. This is regulatory power exercised through private commercial relationships, not neutral technical assessment.

  • ‘These laws serve legitimate purposes - preventing human rights abuses and environmental harm’

    Legitimate policy objectives don't resolve the governance problem of how those objectives are implemented and enforced. The issue isn't whether due diligence laws serve valid purposes, but whether private professional judgment should determine legal compliance for those purposes without traditional democratic oversight. Environmental protection and human rights are important - which is precisely why their enforcement mechanisms should operate through accountable institutions rather than private commercial relationships. The concentration of quasi-governmental authority in unelected technical bodies creates risks regardless of underlying policy merits.

  • ‘Companies can choose different auditors if they don't like one firm's approach’

    This ignores the practical reality of auditor market concentration and professional standard convergence. Only a handful of firms can provide credible sustainability assurance for complex multinational operations. When all major auditors apply similar professional standards developed by the same technical committees, ‘choice’ becomes largely illusory. Moreover, companies need auditor sign-off for legal protection - they can't simply shop around until they find more lenient interpretations without creating legal exposure. The market structure and regulatory function combine to eliminate meaningful choice.

  • ‘Democratic institutions still oversee the overall regulatory framework’

    Democratic oversight exists at the policy level but disappears at the implementation level where actual regulatory power is exercised. Legislatures can establish due diligence requirements, but professional auditing bodies determine what constitutes adequate compliance through technical standards development. Individual auditors interpret these standards through professional judgment that courts typically defer to. The democratic mandate covers the general objective; unelected technical bodies control operational reality. This creates an accountability gap where enormous practical authority operates without democratic oversight.

  • ‘This is just normal corporate accountability - companies should be liable for their impacts’

    The issue isn't whether companies should face accountability, but who determines the standards for that accountability and through what processes. Traditional corporate liability operates through legislatively-defined standards interpreted by courts through adversarial proceedings with due process protections. The audit-as-government model places legal compliance determinations in the hands of private professionals applying opaque standards developed by technical committees. The shift from judicial interpretation of legislative standards to private professional interpretation of technical standards represents a fundamental change in how legal accountability operates.

  • ‘Professional standards ensure auditor objectivity and consistency’

    Professional standards are developed by private technical bodies without democratic input, applied through subjective professional judgment, and enforced through commercial relationships rather than judicial processes. ‘Objectivity’ in professional standards doesn't eliminate the underlying political choices about materiality thresholds, evidence adequacy, and risk assessment - it obscures them behind technical language. When professional standards change, they effectively change legal requirements without legislative action. This is law-making by technical committee, not neutral application of objective criteria.

  • ‘The Big Four compete with each other, preventing cartel behaviour’

    Market competition doesn't prevent regulatory cartel behaviour when all major players apply standardised technical requirements developed by shared professional bodies. The Big Four compete for clients while converging on similar interpretations of professional standards - they compete commercially while harmonising regulatory approach. Moreover, the regulatory function itself isn't disciplined by market mechanisms. When auditors make decisions that exclude suppliers or create legal exposure, they face no competitive consequences for the regulatory impacts of their decisions.

  • ‘Courts, not auditors, make final determinations about legal compliance’

    Courts typically defer to auditor professional judgment about technical compliance matters, making auditor opinions effectively determinative in practice. More importantly, auditor decisions create immediate business consequences - supplier exclusions, contract terminations, financing restrictions - that operate independently of court proceedings. Companies restructure operations to satisfy auditor requirements for legal protection, not to await judicial interpretation. The practical regulatory power operates through commercial relationships before cases ever reach courts.

  • ‘This analysis exaggerates auditor power - they can't force business decisions’

    Auditors don't need direct coercive authority when their opinions determine legal exposure and market access. Companies voluntarily restructure operations, change suppliers, and modify business practices to obtain clean audit opinions that protect against liability. This is more effective than direct regulation - businesses proactively conform to auditor expectations to avoid legal and commercial consequences. The power operates through creating incentive structures, not through direct commands.

  • ‘Existing appeal processes and professional oversight prevent abuse’

    Professional appeal processes operate within the same unaccountable technical frameworks that create the problem. Professional auditing bodies reviewing auditor decisions apply technical standards developed by similar technical bodies without democratic oversight. These internal accountability mechanisms don't address the fundamental issue of private exercise of public authority. Moreover, professional oversight focuses on technical competence and adherence to professional standards, not on whether those standards serve broader public interests or operate with appropriate democratic accountability.

  • ‘This system provides needed expertise that democratic institutions lack’

    Technical expertise is essential, but it should inform democratic decision-making rather than replace it. The current system doesn't just provide technical input to democratic institutions - it exercises regulatory authority through private professional judgment. Democratic institutions can and should use technical expertise while maintaining ultimate authority over policy implementation. The issue isn't whether expertise matters, but whether expert judgment should operate as regulatory authority without democratic oversight and accountability mechanisms.

© 2025 esc