What is Limited vs. Reasonable Assurance?

What is Limited vs. Reasonable Assurance?

Assurance in ESG reporting refers to the independent verification of sustainability disclosures by a third-party provider. Limited assurance involves narrower procedures—primarily analytical reviews and inquiries—resulting in a "nothing has come to our attention" conclusion. Reasonable assurance requires more extensive testing, substantive procedures, and evidence gathering, yielding a positive opinion that the reported information is fairly stated.

Why It Matters

The credibility gap in sustainability reporting has become a board-level concern. A 2024 KPMG survey found that 79% of the world's largest 250 companies now obtain some form of external assurance on sustainability data, up from 71% in 2022. Yet most of that assurance remains limited in scope. As investors, regulators, and civil society increasingly scrutinize ESG claims, the distinction between limited and reasonable assurance carries significant implications for trust, liability, and market positioning.

The EU's Corporate Sustainability Reporting Directive (CSRD) mandates limited assurance on sustainability reports starting in 2025, with a planned transition to reasonable assurance by 2028. This phased approach acknowledges the current state of ESG data infrastructure—many companies simply lack the internal controls, data lineage, and audit trails needed to support reasonable assurance today. Organizations that begin preparing early will avoid the scramble when requirements tighten.

From a cost perspective, reasonable assurance typically runs 30–50% more expensive than limited assurance for comparable scope, though the delta narrows as companies mature their data systems. The real expense isn't the assurance provider's fee—it's the internal investment in controls, processes, and documentation that reasonable assurance demands. Companies that view this as merely a compliance cost miss the strategic value: robust data infrastructure improves decision-making across the organization.

The reputational calculus matters too. In a market where greenwashing allegations make headlines weekly, voluntary reasonable assurance sends a powerful signal. It tells stakeholders you're confident enough in your data to invite deep scrutiny. For companies in high-emitting sectors or those with aggressive sustainability targets, that signal can differentiate you from peers still relying on self-reported figures.

How It Works / Key Components

Limited assurance engagements follow standards like ISAE 3000 (Revised) or ISAE 3410 for greenhouse gas statements. The practitioner performs inquiry and analytical procedures—reviewing trends, comparing data to expectations, and asking management about processes and controls. The work is less granular than a financial audit. The resulting report uses negative language: "Based on our procedures, nothing has come to our attention that causes us to believe the sustainability information is materially misstated."

Reasonable assurance demands a fundamentally different approach. Practitioners must understand the entity's internal control environment, test those controls for operating effectiveness, and perform substantive procedures on underlying data. This includes sampling source documents, recalculating emissions factors, tracing data from origin systems through aggregation, and evaluating management judgments. The conclusion is expressed positively: "In our opinion, the sustainability information is presented fairly, in all material respects."

The gap between these two levels shows up in practical terms. A limited assurance engagement on Scope 1 and 2 emissions might involve reviewing the emissions calculation methodology, checking a handful of utility invoices, and comparing year-over-year trends. Reasonable assurance on the same metrics would require testing meter readings against utility bills at a sample of facilities, verifying emission factor selections, recalculating conversions, and evaluating the completeness of the facility inventory.

Readiness assessments have emerged as a critical intermediate step. Before jumping from limited to reasonable assurance, companies benefit from a gap analysis that identifies weaknesses in data collection, internal controls, documentation, and governance. This assessment maps the current state against reasonable assurance requirements and produces a prioritized remediation plan—typically spanning 12–18 months for organizations starting from a low maturity baseline.

Council Fire's Approach

Council Fire helps organizations navigate the assurance continuum by first assessing data maturity and control readiness, then building the internal infrastructure—policies, procedures, system controls, and documentation—needed to move from limited to reasonable assurance on a timeline that aligns with regulatory requirements and strategic priorities. We work alongside your assurance provider, not as a replacement, ensuring that remediation efforts directly address the gaps practitioners will test.

Frequently Asked Questions

Which assurance standard do most ESG assurance providers use?

The majority of ESG assurance engagements globally follow ISAE 3000 (Revised), issued by the International Auditing and Assurance Standards Board (IAASB). For greenhouse gas-specific assurance, ISAE 3410 applies. In the United States, some practitioners use the AICPA's AT-C Section 105 and related attestation standards. The IAASB is also developing a dedicated sustainability assurance standard, ISSA 5000, expected to become the global baseline.

Can a company get reasonable assurance on some metrics and limited on others?

Absolutely, and this is common practice. Many organizations pursue reasonable assurance on their most material or investor-scrutinized metrics—such as Scope 1 and 2 emissions—while maintaining limited assurance on broader disclosures like social metrics or supply chain data where controls are less mature. This mixed approach allows for a phased buildout of assurance readiness.

How long does it take to transition from limited to reasonable assurance?

For most mid-to-large enterprises, the transition takes 18–24 months of focused effort. The timeline depends on your starting point: organizations with mature EHS data systems and existing financial-style controls can move faster, while those relying on spreadsheets and manual processes need more runway. The critical path usually runs through data system upgrades, control design, and at least one cycle of internal testing before the external practitioner steps in.