The Transition from Limited to Reasonable Assurance under CSRD: A Strategic Roadmap
The Corporate Sustainability Reporting Directive (CSRD) represents the most significant shift in corporate transparency since the introduction of international accounting standards. Central to this shift is the mandatory requirement for third-party assurance of sustainability information. Unlike previous voluntary frameworks, CSRD mandates a phased transition from "limited assurance" to "reasonable assurance," fundamentally altering the rigor required in data collection, internal controls, and governance.
- Mandatory Progression: All companies in scope of CSRD must initially obtain limited assurance on their sustainability statements. The European Commission intends to adopt standards for reasonable assurance by October 2028, following an assessment of the feasibility of such a transition for both companies and auditors.
- The Rigor Gap: Reasonable assurance requires a significantly higher level of evidence, involving extensive testing of internal controls and substantive procedures similar to a financial audit. Limited assurance is primarily based on inquiries and analytical procedures, offering a "negative" conclusion.
- Internal Control Transformation: To move toward reasonable assurance, organizations must move beyond spreadsheet-based data collection. This requires the implementation of automated systems, robust audit trails, and "SOX-like" controls over non-financial data points.
- Connectivity of Reporting: The transition forces a convergence between the CFO’s office and the Chief Sustainability Officer (CSO). Under reasonable assurance, the connectivity between sustainability risks and financial statements (e.g., impairment of assets due to climate risk) must be verifiable and consistent.
- Audit Market Capacity: The shift will place immense pressure on the audit profession. Companies must engage early with assurance providers to ensure readiness, as the depth of testing required for reasonable assurance will significantly increase audit fees and resource requirements.
Why It Matters
The shift from limited to reasonable assurance is not merely a technicality for auditors; it is a fundamental change in how corporate value is communicated and verified. For decades, sustainability reporting was viewed as a marketing exercise, often relegated to glossy brochures with little connection to the balance sheet. CSRD ends this era by placing sustainability data on equal footing with financial data.
Investors and financial institutions increasingly rely on ESG data to price risk and allocate capital. Limited assurance provides a "nothing has come to our attention" level of comfort, which may be insufficient for high-stakes investment decisions. Reasonable assurance provides a "positive" opinion, stating that the information is prepared, in all material respects, in accordance with the European Sustainability Reporting Standards (ESRS).
Furthermore, the legal liability for directors increases under this regime. Inaccurate reporting that has been subjected to reasonable assurance carries higher reputational and legal risks if found to be fraudulent or grossly negligent. Organizations that fail to prepare for this transition risk qualified audit opinions, which can trigger debt covenant breaches, increased cost of capital, and divestment by ESG-integrated funds.
"The transition to reasonable assurance is the 'moment of truth' for ESG data. It moves sustainability from the periphery of corporate reporting to the very core of the financial audit, demanding the same level of precision, traceability, and governance as revenue or EBITDA."
The Standard / Framework in Detail

The CSRD (Directive (EU) 2022/2464) outlines the legal requirement for assurance. However, the technical execution is governed by the European Sustainability Reporting Standards (ESRS) and the forthcoming assurance standards from the International Auditing and Assurance Standards Board (IAASB).
Limited Assurance (The Starting Point)
Under limited assurance, the auditor’s objective is to obtain a meaningful level of assurance as the basis for a negative form of expression. The procedures are limited to:
- Inquiries of management and personnel responsible for the reporting.
- Analytical procedures (identifying trends or anomalies).
- Review of the consolidation process.
The auditor does not typically test the operating effectiveness of internal controls or perform extensive physical inspections of primary data sources (e.g., visiting a remote factory to verify water meter readings).
Reasonable Assurance (The 2028 Goal)
Reasonable assurance is a high, but not absolute, level of assurance. It is the same level required for financial statements. The auditor must:
- Evaluate the internal control environment relevant to sustainability reporting.
- Perform "walkthroughs" of data processes from the point of origin to the final report.
- Conduct substantive testing, including physical inspection, observation, and external confirmation.
- Assess the "double materiality" process with a high degree of skepticism, ensuring that the omission of any topic is justified by robust evidence.
Comparison of Assurance Levels
| Feature | Limited Assurance (Current) | Reasonable Assurance (Target 2028) |
|---|---|---|
| Nature of Opinion | Negative ("Nothing has come to our attention") | Positive ("The report presents fairly, in all material respects") |
| Evidence Gathering | Primarily inquiries and analytics | Extensive testing of controls and data |
| Internal Controls | Understanding of controls is required | Testing of control effectiveness is mandatory |
| Sample Sizes | Smaller, focused on high-level data | Larger, statistically significant samples |
| Cost and Effort | Moderate | High (estimated 2x to 4x increase in effort) |
| Risk of Misstatement | Higher risk of undetected errors | Lower risk due to depth of procedures |
The Role of ISSA 5000
The IAASB is developing International Standard on Sustainability Assurance (ISSA) 5000, General Requirements for Sustainability Assurance Engagements. This standard is designed to be framework-agnostic, meaning it can be used for ESRS, ISSB, or GRI reporting. It will serve as the global benchmark for both limited and reasonable assurance, providing the methodology for auditors to evaluate the qualitative and quantitative disclosures required by CSRD.
Practical Applications
Transitioning to reasonable assurance requires a multi-year transformation of the corporate reporting function. This is not a task that can be completed in a single reporting cycle.
1. Data Governance and Lineage
Organizations must map their data lineage from the "sensor" to the "disclosure." For example, if a company reports Scope 1 emissions from natural gas consumption, the auditor under reasonable assurance will want to see the original utility invoices, the conversion factors used (and their source), and the evidence that the data was reviewed by a second person before being entered into the reporting system.
2. Internal Control Frameworks
Companies should adopt a recognized internal control framework, such as COSO (Committee of Sponsoring Organizations of the Treadway Commission). The COSO "Internal Control over Internal Financial Reporting" (ICIF) framework was updated in 2023 to include "Internal Control over Sustainability Reporting" (ICSR). Implementing ICSR involves:
- Control Environment: Establishing accountability for ESG data at the Board level.
- Risk Assessment: Identifying where ESG data is most likely to be misstated.
- Control Activities: Implementing automated validations in ESG software to prevent data entry errors.
3. Digital Reporting (XBRL)
CSRD requires reports to be prepared in XHTML format with digital tagging according to the ESRS XBRL taxonomy. Under reasonable assurance, the auditor must also verify that the digital tags are applied correctly. This adds a layer of technical complexity, as the "machine-readable" version of the report must be as accurate as the "human-readable" version.
4. Supply Chain Transparency
A significant portion of ESRS disclosures relates to the value chain (Scope 3, human rights in the supply chain). Obtaining reasonable assurance over Scope 3 data is notoriously difficult because the data resides outside the company’s direct control. Practical application involves including "right to audit" clauses in supplier contracts and requiring suppliers to provide their own assured data.
Industry Examples

Example 1: Global Consumer Goods Manufacturer (Western Europe)
A major FMCG company began preparing for CSRD two years ahead of the mandate. They initially sought limited assurance on their 2023 sustainability report.
- The Challenge: The auditor found that while the corporate headquarters had strong controls, the regional subsidiaries were using disparate spreadsheets for water and waste data, with no standardized definitions.
- The Action: The company implemented a centralized ESG data platform and conducted "mock" reasonable assurance audits on three key KPIs: Carbon Emissions, Gender Pay Gap, and Plastic Packaging.
- The Lesson: The mock audit revealed that the documentation for "avoided emissions" claims would never pass reasonable assurance. The company decided to remove these claims from their primary report until the methodology could be verified to a higher standard.
Example 2: Heavy Industrial Equipment Provider (Nordics)
This organization operates in a high-impact sector and is subject to the first wave of CSRD reporting in 2025 (for the 2024 financial year).
- The Challenge: Their materiality assessment identified "Circular Economy" as a material topic, but they lacked a system to track the lifecycle of components returned for refurbishment.
- The Action: To prepare for the eventual shift to reasonable assurance, they integrated their "Product Lifecycle Management" (PLM) system with their ERP. This allowed for an automated audit trail of refurbished parts.
- The Lesson: Investing in system integration early reduced the manual labor required for the audit by 40%. They found that "reasonable assurance readiness" is actually a driver for operational efficiency.
Example 3: Financial Services Firm (EU-wide)
A large bank must report on its "Financed Emissions" (Scope 3, Category 15).
- The Challenge: The data quality from their lending portfolio was poor, relying heavily on sector averages rather than borrower-specific data.
- The Action: The bank launched a portal for its corporate clients to submit energy usage data directly. They also hired a third-party firm to perform limited assurance on the process of data collection, as the data itself was too volatile for reasonable assurance.
- The Lesson: For financial institutions, the path to reasonable assurance is dependent on the maturity of their clients. The bank is now using "assurance readiness" as a criterion for its high-value corporate loans.
Regulatory Implications
The transition is governed by a complex web of European and international regulations.
- CSRD (Directive (EU) 2022/2464): The primary legislation. Article 34 mandates the assurance requirement.
- ESRS (Delegated Regulation (EU) 2023/2772): The reporting standards that define what must be assured.
- IAASB (ISSA 5000): The global standard for sustainability assurance, currently in finalization. It will likely be the basis for the EU’s adopted assurance standards.
- IFRS / ISSB (S1 & S2): While CSRD is European, many global firms will report under ISSB standards. The IAASB is working to ensure ISSA 5000 works seamlessly with IFRS S1 and S2.
- GRI (Global Reporting Initiative): Many ESRS disclosures are derived from GRI. Companies already using GRI have a head start on the data structures needed for assurance.
- EU Taxonomy (Regulation (EU) 2020/852): CSRD requires assurance over the "Taxonomy Alignment" disclosures, which are notoriously technical and require rigorous evidence of "Do No Significant Harm" (DNSH) criteria.
Implementation Roadmap
The transition from limited to reasonable assurance requires a phased approach.
Phase 1: Foundation (2024 - 2025)
- Gap Analysis: Conduct a "dry run" audit to identify where data is currently unverifiable.
- Double Materiality Audit: Ensure the process for determining material topics is documented and can withstand auditor scrutiny.
- Software Selection: Move away from spreadsheets to an ESG controller-grade software solution with built-in audit trails.
Phase 2: Limited Assurance Maturity (2025 - 2026)
- First Mandatory Report: Publish the first CSRD-compliant report with limited assurance.
- Internal Audit Engagement: Task the internal audit function with reviewing sustainability controls quarterly, not just annually.
- Data Policy Formalization: Create a "Sustainability Accounting Manual" that defines every KPI, its source, and the responsible owner.
Phase 3: Reasonable Assurance Preparation (2026 - 2027)
- Control Testing: Begin testing the operating effectiveness of controls over the most material KPIs (e.g., GHG emissions, employee safety).
- Supply Chain Engagement: Require key suppliers to provide limited assurance reports on the data they provide to you.
- Connectivity Review: Ensure that the assumptions used in sustainability reporting (e.g., carbon prices) are consistent with those used in financial impairment testing.
Phase 4: Transition to Reasonable Assurance (2028 and beyond)
- Full Scope Testing: The external auditor performs extensive substantive testing across all material ESRS disclosures.
- Continuous Monitoring: Implement real-time data monitoring to catch anomalies before the year-end audit.
- Board Certification: The Board provides a formal statement on the effectiveness of internal controls over sustainability reporting.
Common Pitfalls
- Underestimating the "Evidence" Burden: In limited assurance, a management representation letter might suffice for certain data points. In reasonable assurance, the auditor will demand original source documents (e.g., shipping logs, sensor calibration records).
- The "Silo" Trap: Treating the sustainability audit as separate from the financial audit. Reasonable assurance requires consistency. If you claim a building is "green" in the ESG report but depreciate it over 50 years in the financial report without considering climate-related obsolescence, the auditor will raise a finding.
- Late Engagement with Auditors: Waiting until the end of the fiscal year to discuss the assurance plan. Auditors need to be involved during the design of the controls, not just the output of the data.
- Ignoring Qualitative Disclosures: Companies often focus on the numbers (KPIs) but forget that narrative descriptions of strategy and policy also require assurance. Vague or "fluffy" language will be challenged under reasonable assurance.
- Scope 3 Over-reliance: Relying on industry average databases for Scope 3 without attempting to collect primary data. While some estimation is allowed, reasonable assurance requires a higher degree of accuracy and a clear plan for improving data quality over time.
Case Snapshot
| Category | Detail |
|---|---|
| Organization | Mid-sized European Energy Utility |
| Status | Transitioning from GRI to CSRD/ESRS |
| Key Challenge | Verifying "Social" metrics across 15 jurisdictions with different HR systems. |
| Strategy | Implemented a "Control Self-Assessment" (CSA) program where local HR managers must certify the accuracy of their data monthly. |
| Outcome | Reduced the year-end audit time by 3 weeks and identified a significant under-reporting of "training hours" in two regions. |
| Assurance Level | Currently Limited; aiming for Reasonable Readiness by 2027. |
Key Takeaways
- The Clock is Ticking: While the formal requirement for reasonable assurance is slated for 2028, the systems and controls needed to support it must be built now.
- Control is King: Reasonable assurance is as much about the process as it is about the data. Without a robust internal control framework (like COSO ICSR), reasonable assurance is unattainable.
- CFO Leadership is Essential: The CFO’s office has the expertise in rigorous financial controls. This expertise must be exported to the sustainability team to ensure audit-readiness.
- Investment in Technology: Manual data collection is the single greatest barrier to reasonable assurance. Automated data ingestion and "blockchain-like" traceability are becoming necessities.
- Audit Costs will Rise: Organizations should budget for significantly higher assurance fees. The depth of work required for reasonable assurance is a step-change, not an incremental increase.
- Transparency as a Competitive Advantage: Companies that achieve reasonable assurance first will likely enjoy lower cost of capital and higher trust from institutional investors.
Frequently Asked Questions
Q1: Is reasonable assurance definitely going to be mandatory in 2028?
The CSRD includes a "review clause." The European Commission will assess the feasibility of reasonable assurance and is expected to adopt the standards by October 2028. While the date could theoretically shift, the legislative intent is clear: reasonable assurance is the end goal.
Q2: Can our current financial auditor also perform the sustainability assurance?
Yes, and in many cases, this is preferred due to the need for "connectivity" between financial and ESG data. However, the CSRD also allows Member States to permit "independent assurance services providers" (IASPs) to perform the work, provided they are subject to equivalent requirements.
Q3: What happens if we get a "qualified" opinion during the limited assurance phase?
A qualified opinion means the auditor found material misstatements or was unable to obtain sufficient evidence. This is a significant red flag for investors and regulators and could lead to fines under national transpositions of the CSRD.
Q4: How does reasonable assurance affect our Scope 3 reporting?
This is one of the most difficult areas. For reasonable assurance, you will need to demonstrate that your Scope 3 calculations are based on the best available data and that you have a rigorous process for selecting emission factors and managing data quality from suppliers.
Q5: Does the "Double Materiality" assessment need to be assured?
Yes. The auditor must provide assurance on the process you used to determine what is material. They will look for evidence of stakeholder engagement, the criteria used to define "impact" and "financial" materiality, and why certain topics were excluded.
Q6: What is the difference between a "negative" and "positive" opinion?
In limited assurance (negative), the auditor says: "We didn't find anything that suggests the report is wrong." In reasonable assurance (positive), the auditor says: "In our opinion, the report is correct and follows the standards."
Q7: Will reasonable assurance require us to audit our suppliers?
Not necessarily directly, but you will need to have "assurance" over the data they provide. This might mean requiring your suppliers to get their own data assured by a third party, which you then rely upon.
Q8: How does the EU Taxonomy fit into this?
The EU Taxonomy disclosures are part of the sustainability statement and are therefore subject to the same assurance requirements as the ESRS disclosures. Given the technical nature of the Taxonomy, this is often where auditors find the most errors.
