What you'll learn
- What CSRD Article 34 requires in terms of assurance level, who provides it, and the timeline for the transition from limited to reasonable assurance
- How ISSA 5000 structures a limited assurance engagement on sustainability information, from acceptance through to the assurance report
- How limited assurance procedures differ from the reasonable assurance procedures you perform on financial statements
- What the main procedural requirements are for evidence gathering, risk assessment, and forming a conclusion under ISSA 5000
Your first CSRD limited assurance engagement is likely already on the desk or arriving within the next two reporting cycles. The Corporate Sustainability Reporting Directive requires assurance, and ISSA 5000 is the standard that governs how you provide it. If you've spent your career on financial statement audits, the terminology will feel familiar. The procedures will not.
ISSA 5000 (General Requirements for Sustainability Assurance Engagements), issued by the IAASB, establishes the requirements for performing limited and reasonable assurance engagements on sustainability information reported under frameworks including the CSRD and ESRS, requiring auditors to obtain sufficient appropriate evidence to form a conclusion on whether the sustainability information is free from material misstatement.
CSRD assurance requirements: what Article 34 requires
The Corporate Sustainability Reporting Directive (Directive (EU) 2022/2464) amends the Accounting Directive to require assurance on sustainability reporting. CSRD Article 34(1) requires that the statutory auditor or audit firm (or, where permitted by the member state, an independent assurance services provider) express an opinion on the sustainability reporting based on a limited assurance engagement.
Phasing follows the CSRD's entity scope. Large public-interest entities with more than 500 employees reported for the first time for financial years beginning on or after 1 January 2024, with assurance required on those reports. Other large undertakings meeting two of three size thresholds (balance sheet total exceeding €25M, net turnover exceeding €50M, average number of employees exceeding 250) report for financial years beginning on or after 1 January 2025. Listed SMEs (except micro-undertakings) follow for financial years beginning on or after 1 January 2026, with an opt-out possibility until 2028.
Article 34(3) anticipates a transition from limited to reasonable assurance. The European Commission is empowered to adopt reasonable assurance standards by delegated act. The timeline for this transition is not yet fixed, but the CSRD text envisions limited assurance as a transitional measure, with reasonable assurance as the end state. For the immediate future, the engagements auditors are performing and accepting are limited assurance.
Assurance covers sustainability information prepared in accordance with ESRS (European Sustainability Reporting Standards) as adopted by the European Commission. This includes the double materiality assessment, the entity's sustainability-related disclosures across environmental (ESRS E1-E5), social (ESRS S1-S4), governance (ESRS G1), and the entity's own reporting on due diligence processes.
ISSA 5000 scope and structure
ISSA 5000 is a framework-neutral standard. It applies to sustainability assurance engagements regardless of the sustainability reporting framework (ESRS, GRI, SASB, ISSB). For CSRD engagements, the applicable reporting framework is ESRS as adopted by the EU. ISSA 5000 provides the procedural framework; ESRS provides the criteria.
Structurally, ISSA 5000 covers both limited and reasonable assurance within a single document. Paragraphs that apply only to limited assurance are marked as such. If you have worked with ISAs, the architecture will look familiar: acceptance and continuance, planning, risk assessment, obtaining evidence, evaluating evidence, and forming a conclusion. But the differences in execution are substantial.
ISSA 5000 is not ISA 805 applied to sustainability. It was designed for sustainability information, which has characteristics that financial information does not: qualitative disclosures, forward-looking statements, narrative descriptions of processes, and metrics that may not flow from a double-entry system. The evidence-gathering procedures reflect these characteristics.
Accepting a sustainability assurance engagement
ISSA 5000 paragraph 37 requires the practitioner to determine whether the preconditions for a sustainability assurance engagement are present. These include an appropriate sustainability reporting framework (for CSRD engagements: ESRS), access to evidence, and the entity's acknowledgement of its responsibility for the sustainability information.
Paragraph 40 addresses competence. The practitioner must determine that the engagement team (including any specialists) has the competence to perform the engagement. For a financial statement audit firm taking on its first CSRD assurance engagement, this is a real threshold. Sustainability reporting involves subject matters (greenhouse gas emissions calculations, workforce metrics, supply chain due diligence, biodiversity impact assessments) that most audit teams have not previously evaluated. ISSA 5000 does not permit accepting an engagement if the team lacks the competence to perform it. This is the requirement that generates the most uncomfortable conversations at partner level, because it forces an honest assessment of whether the firm can actually do the work.
Paragraph 43 requires the terms of engagement to be agreed in writing. The engagement letter must specify the applicable framework (ESRS), the level of assurance (limited), the scope of the sustainability information covered, and the responsibilities of management and the practitioner.
For statutory auditors already appointed as financial statement auditor, the CSRD engagement may be performed by the same firm. Article 34(1) permits this but does not require it. Some member states allow independent assurance services providers (not audit firms) to perform the engagement. The practitioner should confirm the legal position in the relevant jurisdiction.
Understanding the entity and its sustainability reporting
ISSA 5000 paragraph 52 requires the practitioner to obtain an understanding of the entity and its environment as relevant to the sustainability information. This parallels ISA 315 but the scope is different. Instead of understanding the entity's financial reporting system, the practitioner understands the entity's sustainability reporting processes, including how the entity identifies material sustainability topics, collects and aggregates data, validates that data, and applies the ESRS disclosure requirements.
The double materiality assessment is central. Under ESRS 1, the entity determines which sustainability topics are material from both an impact perspective (how the entity affects people and the environment) and a financial perspective (how sustainability matters affect the entity's financial position). The practitioner must understand how the entity performed this assessment, what topics it determined to be material, what topics it excluded, and why those exclusions were justified. A CSRD limited assurance engagement that does not address the double materiality assessment is incomplete. The ciferi double materiality assessment tool scores impact and financial materiality across all ESRS topics and generates the documentation the practitioner needs to evaluate.
ISSA 5000 paragraph 55 requires the practitioner to obtain an understanding of the entity's system of internal control relevant to sustainability reporting. For many entities, especially those in the first years of CSRD reporting, this system is immature. The controls over greenhouse gas emissions data, for example, may involve manual spreadsheet calculations with limited review procedures, very different from the controls over financial data flowing through an ERP system.
In practice, you document this understanding the same way you would for a financial statement audit under ISA 315 : the understanding informs the risk assessment, and the same logic applies here.
Risk assessment under ISSA 5000
ISSA 5000 paragraph 58 requires the practitioner to identify and assess risks of material misstatement in the sustainability information. For limited assurance engagements, paragraph 59 clarifies that the risk assessment focuses on areas where material misstatements are likely to arise, rather than requiring the granular assertion-level assessment that ISA 315 mandates for financial statement audits.
This is a meaningful difference. In a financial statement audit, you assess risk at the assertion level for every significant account balance. In a limited assurance sustainability engagement, you identify the sustainability topics and disclosures where the risk of material misstatement is highest and focus your procedures there. The depth of the risk assessment is proportionate to the level of assurance.
For a CSRD engagement, the high-risk areas will often include greenhouse gas emissions data (ESRS E1), especially Scope 3 emissions where data availability is weakest. Workforce metrics under ESRS S1 (employee counts, training hours, pay gap data) may carry measurement risk if the entity's HR systems do not capture the data in the format ESRS requires. The double materiality assessment itself is a risk area: if the entity excluded a material topic, all disclosures related to that topic are missing.
ISSA 5000 paragraph 60 requires the practitioner to revise the risk assessment if information obtained during the engagement indicates that the initial assessment was incorrect. This mirrors ISA 315.31 .
Evidence gathering: how limited assurance differs
What separates limited from reasonable assurance is the nature, timing, and extent of evidence-gathering procedures. Limited assurance provides a meaningful level of assurance but less than reasonable assurance. ISSA 5000 paragraph 62 describes limited assurance procedures as primarily consisting of inquiries and analytical procedures.
In a reasonable assurance engagement (the financial statement audit equivalent), the practitioner performs detailed testing: substantive tests of details, tests of controls, inspection of documents, recalculation, observation, and confirmation. In a limited assurance engagement, the practitioner's procedures are deliberately less extensive.
ISSA 5000 paragraph 64 describes the procedures for limited assurance. Inquiry of management and others within the entity is the primary procedure. The practitioner asks management how it collected the data, what controls exist, what changes occurred during the period, and whether management is aware of any misstatements or non-compliance. Analytical procedures (ISSA 5000 paragraph 65) involve the practitioner evaluating the sustainability information for consistency and plausibility against expected relationships.
Additional procedures beyond inquiry and analytics are available if the risk assessment or other information suggests they are necessary (ISSA 5000 paragraph 66). For example, if inquiry reveals that the entity changed its greenhouse gas emissions calculation methodology mid-year, the practitioner might inspect documentation of the change to understand its effect. If analytical procedures identify an unexpected fluctuation in workforce metrics, the practitioner might request and review supporting data.
The distinction from a financial statement audit is not binary. We sometimes hear teams describe limited assurance as TGIF (Thank God It's Friday, meaning less work), but that misses the point. Limited assurance does not mean the practitioner accepts everything management says. It means the procedures are designed to obtain sufficient appropriate evidence for a limited assurance conclusion, which is expressed in the negative form ("nothing has come to our attention"). Reasonable assurance requires procedures sufficient for a positive-form conclusion ("in our opinion, the sustainability information is prepared, in all material respects, in accordance with ESRS").
Forming the conclusion and reporting
ISSA 5000 paragraph 78 requires the practitioner to form a conclusion on the sustainability information based on the evidence obtained. For a limited assurance engagement, the conclusion is expressed in the negative form. The standard wording: "Based on the procedures performed and the evidence obtained, nothing has come to our attention that causes us to believe that the sustainability information is not prepared, in all material respects, in accordance with [ESRS]."
In form, the assurance report (ISSA 5000 paragraphs 80-87) includes elements that mirror the auditor's report under ISA 700 : identification of the sustainability information, the applicable framework, the practitioner's responsibilities, a description of the procedures performed, and the conclusion. The report must also describe the inherent limitations of a limited assurance engagement (paragraph 83), so that users understand the difference from reasonable assurance.
Modified conclusions follow a structure similar to ISA 705 . If the practitioner identifies a material misstatement, the conclusion is qualified or adverse. If the practitioner is unable to obtain sufficient evidence, the conclusion is qualified or a disclaimer. For CSRD engagements, scope limitations are a real risk in the early years: entities may not have systems in place to provide evidence for every ESRS disclosure, and the practitioner must assess whether the absence of evidence constitutes a scope limitation.
The ISA 450 misstatement tracker may be adapted for sustainability assurance engagements to accumulate identified misstatements and evaluate their materiality, though the materiality thresholds for sustainability information may differ from financial materiality thresholds.
Moving from limited to reasonable assurance
CSRD Article 34(3) anticipates a transition from limited to reasonable assurance for sustainability reporting. The European Commission has the authority to adopt standards for reasonable assurance through a delegated act. The timeline is not fixed, and the Commission has indicated it will assess readiness before mandating reasonable assurance.
For practitioners, the transition means that the procedures described above will become more extensive. The risk assessment will become more granular (closer to the ISA 315 assertion-level model). Evidence gathering will shift from primarily inquiry and analytics to include detailed substantive testing: inspection of source documents for emissions data, recalculation of workforce metrics, external confirmation of supply chain data, and tests of controls over sustainability reporting processes.
Firms that build their limited assurance methodology with the reasonable assurance transition in mind will find the upgrade less disruptive. Documenting the entity's sustainability reporting controls now (even though limited assurance requires less reliance on them) creates a baseline for the control-testing procedures reasonable assurance will require. Understanding the entity's data flows and calculation methodologies in detail (beyond what limited assurance strictly demands) reduces the learning curve when reasonable assurance arrives.
Since ISSA 5000 already covers both levels of assurance, firms using it for limited assurance can refer to the reasonable assurance paragraphs to understand where the bar rises and begin preparing.
One specific area where the gap between limited and reasonable assurance is largest is controls testing. Under limited assurance, the practitioner is not required to test the operating effectiveness of controls over sustainability reporting. Under reasonable assurance, testing controls becomes a consideration, especially for data-intensive disclosures like greenhouse gas emissions where the volume of underlying transactions makes substantive testing of every data point impractical. Firms that document the control environment during limited assurance engagements (even without testing operating effectiveness) create a head start for the transition.
Worked example: limited assurance on a Dutch logistics company
Scenario: Van Houten Transport B.V. is a Dutch logistics and freight forwarding company with €110M revenue, 680 employees, and a balance sheet total of €74M. It falls within the CSRD scope as a large undertaking and reports under ESRS for the financial year beginning 1 January 2025. The statutory auditor has been engaged to perform limited assurance on the sustainability report.
Acceptance: confirm preconditions and team competence
At the acceptance stage, the engagement partner confirms the preconditions (ISSA 5000.37). Van Houten's management acknowledges responsibility for the sustainability information. The applicable framework is ESRS as adopted by the EU. The engagement team includes one audit manager with ESRS training and one external environmental specialist for the emissions-related disclosures. The engagement letter specifies limited assurance, ESRS as the framework, and the full scope of the sustainability report.
Documentation note: "Preconditions confirmed per ISSA 5000.37. Engagement team competence: audit manager completed ESRS assurance training (40 hours), external specialist engaged for ESRS E1 emissions calculations. Engagement letter signed 15 September 2025 specifying limited assurance, ESRS framework, full sustainability report scope."
Obtain an understanding of the entity and its double materiality assessment
The practitioner obtains an understanding of Van Houten's sustainability reporting process (ISSA 5000.52). The company performed a double materiality assessment with support from an external consultant, identifying ESRS E1 (climate change, including Scope 1, 2, and 3 GHG emissions), ESRS S1 (own workforce), and ESRS G1 (business conduct) as material topics. ESRS E2-E5 and ESRS S2-S4 were assessed as not material. The practitioner reviews the double materiality assessment documentation, including the stakeholder engagement process and the criteria used for the impact and financial materiality thresholds.
Documentation note: "Understanding obtained per ISSA 5000.52. Double materiality assessment reviewed: 3 ESRS topics identified as material (E1, S1, G1). Assessment performed with external consultant support, documented in management's double materiality report dated June 2025. Practitioner evaluated methodology against ESRS 1 requirements. No material topics appear to have been inappropriately excluded based on Van Houten's sector and operations."
Identify higher-risk areas in the sustainability information
The risk assessment (ISSA 5000.58) identifies two higher-risk areas. Scope 3 GHG emissions (ESRS E1-6) are high risk because Van Houten relies on subcontracted carriers for 45% of freight movements, and the emissions data from these subcontractors is based on estimated fuel consumption rather than actual data. The ciferi Scope 3 emissions estimator structures these category-level estimates and generates the calculation backup that assurance files need. The second higher-risk area is the workforce metrics under ESRS S1 (specifically, training hours per employee and the gender pay gap calculation), because Van Houten's HR system does not capture training hours at the individual employee level, requiring manual aggregation from departmental records.
Documentation note: "Risk assessment per ISSA 5000.58. Higher-risk areas identified: (1) Scope 3 GHG emissions from subcontracted carriers (45% of freight volume), data based on estimated rather than actual fuel consumption, measurement uncertainty elevated. (2) ESRS S1 training hours metric, manual aggregation from departmental records creates completeness risk. Lower-risk areas: Scope 1 and 2 emissions (company-owned fleet, direct fuel purchase records available), ESRS G1 disclosures (anti-corruption policy documentation readily available)."
Perform inquiry, analytics, and targeted inspection on higher-risk areas
Evidence-gathering procedures focus on the higher-risk areas (ISSA 5000.64-66). For Scope 3 emissions, the practitioner inquires about the estimation methodology (emission factors used, source of activity data from subcontractors), performs an analytical comparison of current-year Scope 3 emissions to prior-year estimates and to industry benchmarks for logistics companies, and inspects a sample of subcontractor data submissions to evaluate consistency with the reported figures. For the training hours metric, the practitioner inquires about the data collection process, compares the reported total to the HR budget for training, and inspects departmental training records for two of six operating divisions. For lower-risk areas (Scope 1 and 2 emissions, ESRS G1 disclosures), the practitioner performs inquiry and analytical procedures only.
Documentation note: "Procedures performed per ISSA 5000.64-66. Scope 3 GHG: inquiry of sustainability manager, analytical comparison to prior year and EUROPEM logistics sector benchmark, inspection of 8 subcontractor data submissions (representing 62% of subcontracted freight volume). Training hours: inquiry of HR director, analytical comparison to training budget, inspection of departmental records for Divisions 2 and 5. Scope 1/2, ESRS G1: inquiry and analytics only, consistent with lower risk assessment."
Form the negative-form conclusion and issue the report
The practitioner forms the conclusion (ISSA 5000.78). Based on the procedures performed, no matters have come to the practitioner's attention that cause them to believe the sustainability information is not prepared, in all material respects, in accordance with ESRS. The assurance report includes the negative-form conclusion, a description of the procedures performed, the inherent limitations of limited assurance, and identification of the applicable framework (ESRS as adopted by the EU).
Documentation note: "Unmodified limited assurance conclusion per ISSA 5000.78. No material misstatements identified. The assurance report describes the limited nature of the procedures and states that the procedures do not provide all the evidence that would be required for a reasonable assurance engagement. Report dated 28 April 2026."
A reviewer looking at this file sees clear documentation of the risk-based approach: higher-risk areas received more extensive procedures while lower-risk areas received procedures proportionate to the limited assurance level. Each conclusion is supported by the evidence obtained.
Practical checklist for ISSA 5000 engagements
Common mistakes on sustainability assurance engagements
Failing to evaluate the double materiality assessment. If the entity excluded a sustainability topic that should have been material, every disclosure related to that topic is missing from the sustainability report. The practitioner must evaluate the assessment, not accept it at face value.
Related content
- ISA 570 going concern checklist: Climate-related risks identified during CSRD assurance may feed into the financial statement auditor's going concern assessment. The checklist includes financial and operational indicators that connect to ESRS E1 disclosures.
- Analytical review tool: The dual-threshold variance analysis can be adapted for analytical procedures on sustainability metrics under ISSA 5000.65, comparing reported data to benchmarks and prior periods.
- CSRD double materiality: how to assess and document under ESRS 1: Covers the double materiality assessment process that determines which ESRS topics the entity reports on and the practitioner assures.
Frequently asked questions
What level of assurance does the CSRD currently require on sustainability reports?
The CSRD (Article 34(1)) currently requires limited assurance on sustainability reporting prepared under ESRS. The European Commission has the authority to adopt reasonable assurance standards by delegated act under Article 34(3), but the timeline for this transition is not yet fixed, so all current CSRD assurance engagements are performed at the limited assurance level.
How do limited assurance procedures under ISSA 5000 differ from reasonable assurance?
Limited assurance procedures under ISSA 5000 primarily consist of inquiries of management and analytical procedures (ISSA 5000 paragraphs 64–65), whereas reasonable assurance requires detailed substantive testing, tests of controls, inspection of documents, recalculation, and confirmation. The conclusion is also expressed differently: limited assurance uses negative form (nothing has come to our attention), while reasonable assurance uses positive form.
Must the practitioner evaluate the entity's double materiality assessment during a CSRD engagement?
Yes. Under ESRS 1, the entity determines which sustainability topics are material from both impact and financial perspectives. The practitioner must understand how the assessment was performed, which topics were determined to be material, and which were excluded (ISSA 5000 paragraph 52). An incorrectly excluded topic means all related disclosures are missing.
What competence requirements must the team meet for an ISSA 5000 engagement?
ISSA 5000 paragraph 40 requires the practitioner to determine that the engagement team has the competence to perform the engagement. Sustainability reporting involves subject matters such as greenhouse gas emissions calculations, workforce metrics, and biodiversity impact assessments that most financial audit teams have not previously evaluated. The standard does not permit accepting the engagement if the team lacks the necessary competence.
How should the risk assessment work for a CSRD limited assurance engagement?
ISSA 5000 paragraphs 58–59 require the practitioner to identify and assess risks of material misstatement, focusing on areas where misstatements are likely to arise rather than the granular assertion-level assessment required by ISA 315 for financial audits. High-risk areas typically include Scope 3 GHG emissions data and workforce metrics where HR systems may not capture data in the ESRS-required format.