Kenya’s draft 2025 Code of Corporate Governance does not stop at asking companies to report on sustainability.
It builds a path toward having that data checked by someone outside the company, the same way financial statements already are.
Sustainability Risk Joins the Main Risk Register
The Code requires boards to fold sustainability risk, including climate transition and physical climate risk, into the same risk taxonomy, registers, and controls the company already uses for financial and operational risk. This is not a side list. It sits inside the enterprise risk management system and flows into the annual report through the same cycle.
Management carries a standing duty here: report to the board and relevant committees each quarter on sustainability risks across the value chain. Quarterly reporting, not annual, keeps the board from finding out about a supply chain or climate risk only when the year end report lands.
Best practice adds a longer horizon. At least once every two years, the board should review management’s climate scenario analysis, testing how the business model holds up under different climate pathways, then direct strategy changes where the analysis calls for them.
The Audit Committee Extends Its Reach
The Audit Committee already oversees financial reporting integrity as a mandatory duty. The 2025 draft, as best practice, extends that oversight to non-financial information: the integrity of sustainability related financial data, the internal controls behind sustainability reporting, and the company’s plan to get key sustainability metrics independently assured.
What an Assurance Provider Must Actually Do
The Code sets out, in detail, what an assurance engagement on sustainability data should look like:
- The provider must be independent of the company and meet standard ethical requirements before starting the work.
- The provider must confirm the sustainability information follows suitable criteria, naming IFRS S1 and S2, GRI, and ESRS as accepted frameworks, and check that the reporting boundary fits the assurance scope.
- The provider must assess what counts as material in the sustainability context and understand the company’s governance, strategy, and risk management before testing anything.
- The provider applies procedures such as tracing data back to source, interviews, and site visits to gather evidence.
- The provider then issues a report stating whether the sustainability information holds up against material misstatement, and states clearly whether the assurance given is limited or reasonable.
Two international standards anchor this: ISAE 3000 (revised) and ISSA 5000, the general standard for sustainability assurance.
Assurance Starts Small and Grows
The Code does not expect companies to reach full assurance overnight. Best practice recommends starting with limited assurance and moving toward reasonable assurance over time, as the company’s reporting system matures, its underlying data improves, and the needs of the people reading the reports grow more demanding. This mirrors how financial audit assurance itself developed over decades, just compressed into a shorter runway.
Internal Audit Gets a New Watch Item
Best practice also asks the internal audit function to monitor how sustainability related policies get implemented day to day, not just check the numbers at year end. That closes a gap: a company can report strong sustainability metrics while the underlying policy sits unused on a shelf. Internal audit is the function positioned to catch that gap before external assurance ever sees it.
The Direction of Travel
Every rule in this section points the same way: sustainability data should earn the same scrutiny financial data already gets. Companies that treat ESG reporting as a one off writing exercise will find the Code asking harder questions than that: who checked this number, against what standard, and how confident are they in it. Building that answer now, ahead of the one year implementation window, costs less than building it under deadline pressure.


