
Sustainability Assurance Guide

Prepare for mandatory sustainability assurance under CSRD — from selecting providers to building internal controls and audit-ready evidence.

Overview

Sustainability assurance — the independent verification of ESG disclosures — is transitioning from voluntary best practice to regulatory mandate. Under the CSRD, all in-scope companies must obtain at least limited assurance on their sustainability statements from the first year of reporting. The EU plans to transition to reasonable assurance (the same level applied to financial statements) by 2028–2030, pending the adoption of assurance standards by the European Commission.

This represents a seismic shift. Historically, fewer than 40% of sustainability reports received any form of external assurance, and most of that was limited assurance conducted under less rigorous standards. CSRD mandates assurance under the ISSA 5000 standard (International Standard on Sustainability Assurance) issued by the IAASB, or equivalent EU-adopted standards.

For organizations accustomed to unaudited sustainability reports, the implications are significant. Assurance providers will test the reliability of underlying data, evaluate internal controls, assess the completeness and accuracy of disclosures, and form an opinion on whether the sustainability statement is free from material misstatement. This requires the same infrastructure of controls, documentation, and evidence trails that financial reporting has refined over decades.

Who Does It Apply To?

  • All CSRD-reporting entities — mandatory limited assurance from day one of reporting obligations (phased from 2024–2028), with reasonable assurance expected by the late 2020s
  • Companies listed on regulated markets in jurisdictions adopting ISSB standards with assurance requirements (UK, Australia, Singapore, Japan)
  • Organizations voluntarily seeking assurance to enhance credibility with investors, lenders, and rating agencies
  • Companies reporting to CDP — CDP applies a quality scoring methodology and increasingly values third-party verification
  • SBTi target holders — while SBTi doesn't require assurance, verified emissions data strengthens target progress reporting
  • Financial institutions subject to SFDR and EU Taxonomy reporting, where data reliability directly affects product classification

Key Requirements

  1. Understand the assurance hierarchy. Limited assurance provides a "negative" conclusion ("nothing has come to our attention..."). Reasonable assurance provides a "positive" conclusion ("in our opinion, the sustainability statement is fairly presented..."). Reasonable assurance requires substantially more testing and evidence.

  2. Select a qualified assurance provider. Under CSRD, statutory auditors or accredited independent assurance services providers (IASPs) may perform sustainability assurance. Ensure your provider has relevant sector experience and ISSA 5000 competency.

  3. Establish internal controls over sustainability reporting (ICSR). Document control activities for each material data point: who collects it, how it's validated, who approves it, and where the evidence resides.

  4. Maintain complete audit trails. Every reported figure must be traceable from the sustainability statement back to source documentation — invoices, meter readings, system reports, survey responses.

  5. Prepare a management assertion confirming that the sustainability statement has been prepared in accordance with applicable reporting standards (ESRS, GRI, etc.) and that underlying data is complete and accurate.

  6. Document estimation methodologies. Where ESG data involves estimates, models, or assumptions (emission factors, allocation methods, extrapolations), document the methodology, rationale, and sensitivity of results.

  7. Plan for reasonable assurance readiness. Even if limited assurance is your current requirement, build controls and processes that will scale to reasonable assurance within 2–3 years.

Timeline & Milestones

Months 1–3: Readiness Assessment

Engage your assurance provider (or a separate advisory firm) to conduct a readiness assessment. This evaluates your current data management, controls, documentation, and governance against assurance requirements. The output is a gap analysis with prioritized remediation actions.

Months 4–7: Control Design & Implementation

Design and implement controls for each material ESG data point. Create process documentation, validation procedures, and approval workflows. Establish a sustainability reporting controls matrix analogous to a financial controls matrix.

Months 8–9: Dry Run

Conduct an internal dry run of the assurance process. Have your sustainability team prepare a complete draft sustainability statement with full supporting evidence. Simulate assurance procedures: sample testing, walk-throughs, analytical review.

Months 10–11: Pre-Assurance Engagement

Engage the assurance provider for a pre-assurance review (if available). Address any preliminary findings before the formal assurance engagement begins.

Month 12: Formal Assurance Engagement

The assurance provider performs their procedures — planning, risk assessment, evidence gathering, testing, and conclusion. Respond to information requests promptly. Receive the assurance report for inclusion in your annual report.

Step-by-Step Compliance Roadmap

Step 1: Understand What Will Be Assured

Review your ESRS disclosures and identify every quantitative metric and qualitative statement that falls within the assurance scope. Under CSRD, the entire sustainability statement is subject to assurance — this includes narrative disclosures, policies, targets, and metrics. Assurers will test whether qualitative statements are supported by evidence, not just whether the numbers add up.

Prioritize preparation for the areas with the highest risk of material misstatement: GHG emissions (particularly Scope 3), workforce metrics, and environmental impact data.

Step 2: Build Your Controls Framework

For each material data point, document:

  • Data source: Where does the raw data originate?
  • Collection process: How is it gathered and by whom?
  • Validation rules: What checks are applied to ensure accuracy?
  • Approval workflow: Who reviews and approves before reporting?
  • Evidence retention: What documentation is retained and where?

Organize this into a sustainability reporting controls matrix. A well-structured matrix allows assurance providers to efficiently plan their testing and reduces the cost and duration of the engagement.

Step 3: Close Documentation Gaps

The most common assurance finding is insufficient documentation. Areas that frequently lack adequate evidence include:

  • Emission factor selection rationale
  • Scope 3 methodology choices and assumptions
  • Supplier-provided data (original source documents behind aggregated figures)
  • Materiality assessment process and outcomes
  • Stakeholder engagement processes and how feedback influenced reporting

Create documentation templates and retrospectively document choices made for the current reporting period. Going forward, build documentation into the real-time workflow rather than reconstructing it at year-end.

Step 4: Train Your Organization

Assurance extends beyond the sustainability team. Data owners across the organization (facilities managers, HR analysts, procurement officers) will be asked to explain their data, walk through collection processes, and provide supporting evidence during assurance testing.

Conduct awareness training for all ESG data contributors covering: what assurance is, what the provider will ask, what documentation is expected, and common pitfalls. Provide specific guidance for each data owner on the controls and evidence relevant to their data points.

Step 5: Manage the Assurance Engagement

Treat the assurance engagement as you would a financial audit. Assign a single point of coordination to manage information requests, track open items, and facilitate communication. Prepare a comprehensive evidence package in advance — organized by ESRS datapoint — rather than responding ad hoc to requests.

Schedule management representation meetings, review draft findings promptly, and address any exceptions before the final report. If the provider identifies a material finding, discuss remediation options early.

Common Pitfalls

Engaging the assurance provider too late. Assurance planning should begin 6–12 months before the reporting date, not after the sustainability statement is drafted. Late engagement compresses timelines, increases costs, and may result in qualified opinions if issues cannot be resolved in time.

Assuming limited assurance is easy. Limited assurance is less extensive than reasonable assurance, but it is not superficial. Providers still perform analytical procedures, inquiries, walk-throughs, and limited testing. Organizations with poor controls and documentation will struggle even with limited assurance.

Separating sustainability and financial audit processes. Under CSRD, sustainability assurance may be performed by the statutory auditor or a separate IASP. Either way, coordination between financial and sustainability reporting teams is essential — the two statements are published together and share interconnections (e.g., climate-related financial impacts, environmental provisions).

Treating assurance as a compliance cost rather than a quality driver. The real value of assurance lies in the discipline it imposes on data management, controls, and governance. Organizations that embrace this perspective achieve better data quality, faster reporting cycles, and stronger stakeholder confidence — benefits that far exceed the assurance fee.

How Council Fire Can Help

Council Fire prepares organizations for sustainability assurance with practical, results-oriented programs. We conduct readiness assessments that pinpoint gaps and prioritize remediation. We design controls frameworks, build documentation systems, and train teams across the organization to be assurance-ready.

Our team includes professionals with Big Four assurance backgrounds who understand exactly what providers look for — and where engagements typically stumble. We work alongside your sustainability, finance, and internal audit teams to build integrated processes that serve both financial and sustainability reporting.

We support clients through their first assurance engagement and beyond, ensuring continuous improvement as the transition from limited to reasonable assurance approaches.

FAQs

Who can provide sustainability assurance under CSRD?

CSRD allows two categories of providers: statutory auditors (the firm auditing your financial statements) and accredited independent assurance services providers (IASPs). Member states determine whether IASPs are permitted. In either case, providers must meet competency requirements, including expertise in sustainability matters and assurance methodology.

What's the difference in cost between limited and reasonable assurance?

Reasonable assurance typically costs 2–3x more than limited assurance due to the greater extent of testing, larger sample sizes, and more detailed evidence evaluation. For a mid-sized CSRD reporter, limited assurance fees might range from €50,000–€150,000, while reasonable assurance could reach €100,000–€400,000, depending on complexity. These costs are expected to decline as processes mature and market capacity increases.

Can we use the same firm for financial audit and sustainability assurance?

Yes, and there are efficiency advantages to doing so — the provider already understands your business, systems, and risk profile. However, some organizations prefer separation to avoid concentration risk and ensure independence. Either approach is permitted under CSRD. Discuss implications with your audit committee.

What happens if the assurer identifies a material misstatement?

You'll have the opportunity to correct the misstatement before the final report is issued. If correction is not possible or management disagrees, the assurer may issue a qualified opinion, adverse opinion, or disclaimer — all of which are public and carry significant reputational consequences. Early engagement and thorough preparation dramatically reduce this risk.
