6 January 2025 — Publication

FAQs: fundamentals to assurance on sustainability reporting

As part of the efforts to reach the EU Green Deal objectives, the Corporate Sustainability Reporting Directive (CSRD) obliges companies to disclose sustainability information in their management report according to the European Sustainability Reporting Standards (ESRS) and file it in a digital machine-readable format. This not only enhances corporate accountability but also enables stakeholders, including investors, consumers, and policymakers, to make informed decisions that promote a greener, more sustainable future.

The CSRD increases the reliability of reported sustainability information by introducing an EU-wide requirement to obtain limited assurance over sustainability reporting, as from 2025 over 2024 ESRS reporting.

This webpage provides answers to frequently asked questions on sustainability reporting assurance and is structured in two parts: 1) key concepts of assurance on sustainability reporting and 2) EU regulatory framework.

The answers are not meant to provide a detailed technical explanation, but rather a simplified version. We still use, however, some specific technical terms, such as ‘express a conclusion’ or ‘express an opinion’, that are normally used in professional standards. The word ‘practitioner’ refers to both the statutory auditor and the independent assurance service provider (IASP).

Questions & answers

  1. What is assurance on sustainability reporting?
  2. How is assurance performed?
  3. What are the types of assurance?
  4. What is the risk-based approach in an assurance engagement?
  5. What does ‘Material’ mean in the context of assurance?
  6. What is the output of a (limited) assurance engagement?
  7. What does the assurance report cover?
  8. What are the different types of assurance conclusion?
  9. What are the company’s management responsibilities?
  10. What are the key elements introduced by the CSRD?
  11. Who provides sustainability reporting assurance?
  12. What is the scope of an assurance engagement as per CSRD?
  13. What standard is used for assurance on sustainability reporting?
  14. What educational qualifications are required for practitioners to provide assurance services?
  15. How are assurance providers supervised?

Key concepts

1. What is assurance on sustainability reporting?

An assurance engagement is a (mandatory or voluntary) check of sustainability information disclosed by a company. Independent external assurance enhances the information’s credibility and supports investors and other users in making decisions related to sustainability matters.

It is important to clarify that an assurance engagement does not serve as a measurement of the company’s performance. While assurance increases the reported information’s credibility, it does not validate the company’s performance as ‘sustainable’.

2. How is assurance performed?

An assurance engagement typically follows a risk-based approach with three stages: planning, execution and reporting. It requires a year-long cooperation among a multi-disciplinary team of practitioners and experts across various fields. In planning, the engagement team understands the company’s operating environment and the company’s internal control system to identify risks relevant to its sustainability statements.

During the execution phase, practitioners gather and evaluate evidence through various procedures, e.g. inquiring of management, testing the company’s internal controls, analysing transactions and documents, and obtaining third-party confirmations. The practitioner’s objective is to obtain sufficient evidence to draw reasonable conclusions. The opinion on the sustainability statement is based on these conclusions and is publicly reported.

3. What are the types of assurance?

Assurance on sustainability reporting can be provided via either a limited or reasonable assurance engagement.

In a limited assurance engagement, the practitioner’s primary focus is to understand the process used to compile the reported information and identify areas where a material misstatement may occur. The practitioner then conducts inquiries, observations, and analytical procedures, e.g., reviewing data at a more aggregated level. If the practitioner identifies a potential material misstatement, additional work is performed to obtain limited assurance.

The primary difference between limited and reasonable engagements lies in the work effort undertaken by the assurance service provider. In a limited assurance engagement, practitioners undertake fewer procedures and require less evidence to draw their conclusion than in a reasonable assurance engagement. Reasonable assurance, typically obtained in an audit of financial statements, is the highest level of assurance, but still not absolute.

4. What is the risk-based approach in an assurance engagement?

In a risk-based approach, engagement resources are focused on reporting areas where the risk of misrepresenting or omitting sustainability information related to material impacts, risks and opportunities (i.e. misstatement) is higher. To address this, the practitioner starts by identifying and assessing the risk of material misstatements. This is an iterative process throughout the engagement and provides the basis for the practitioner to determine the nature, timing and extent of assurance procedures to be performed. These may include inquiry, inspection, observation, confirmation, recalculation, and sample testing.

5. What does ‘Material’ mean in the context of assurance?

The double materiality concept is embedded in the CSRD and ESRS. A double materiality assessment process will help companies identify the material impacts, risks and opportunities (IROs) and the respective material information to report. IROs will need to be assessed for both the company’s own operations and its value chain in the short, medium and long term.

The practitioner’s determination of materiality is linked to, but distinct from, the “double materiality” principle used by the company to determine the matters to be reported in the sustainability statements.

The practitioner’s determination of materiality is based on professional judgment and considers the needs of sustainability information users. A misstatement is considered material if it could reasonably influence users’ decisions taken based on the reported sustainability information.

Materiality is applied by the practitioner in planning and performing the engagement as well as evaluating the effect of identified and uncorrected misstatements on the assurance conclusion. The practitioner communicates all misstatements accumulated to management and requests management to correct them. In forming the assurance conclusion, the practitioner determines whether uncorrected misstatements are material, individually or in the aggregate.

6. What is the output of a (limited) assurance engagement?

The assurance practitioner issues a publicly available assurance report that clearly expresses their conclusion on the sustainability information reported by a company.

In addition, the practitioner communicates any significant matters that merit attention, such as deficiencies in internal control systems, to the company’s management, audit committee or board, as appropriate, via a separate non-public report.

7. What does the assurance report cover?

In general, a limited assurance report includes the following key elements:

  • practitioner’s conclusion, including the basis for conclusion, such as a description of the matter(s) leading to a modified conclusion (see question 7)
  • assurance engagement’s scope
  • applicable reporting framework for the preparation of sustainability information (ESRS as per CSRD)
  • company and practitioner’s respective responsibilities
  • any significant inherent limitations associated with measuring or evaluating the sustainability information
  • identification of the professional standards in accordance with which the engagement was conducted, including those related to quality management and ethics
  • summary of the work performed, detailing the nature, timing and extent of the assurance procedures

8. What are the different types of assurance conclusion?

Unmodified conclusion: in a limited assurance engagement, an unmodified conclusion is issued when the practitioner has not identified any matters that would lead them to believe that the sustainability information is misstated. This type of conclusion is also referred to as a clean, positive or unqualified conclusion.

The practitioner expresses a modified conclusion under the following circumstances:

  • disclaimer of conclusion: when the practitioner cannot obtain sufficient evidence, i.e. due to a scope limitation, and the (potential) effects of the matter are significant
  • adverse conclusion: when the sustainability information is materially misstated and the (potential) effects of the matter are significant
  • qualified conclusion: when there is either a scope limitation or material misstatement but the (potential) effects of the matter are not deemed significant

9. What are the company’s management responsibilities?

The company’s management or other governance structures are responsible for preparing sustainability information in accordance with the applicable reporting standards. This may include designing and implementing the necessary internal controls to ensure that sustainability information is free from material misstatement.

Management is also responsible for providing the practitioner with:

  • access to all information relevant to the preparation of the sustainability information
  • additional information the practitioner may request for the assurance engagement
  • unrestricted access to staff from whom the practitioner deems it necessary to obtain evidence

EU regulatory framework

10. What are the key elements introduced by the CSRD?

The CSRD brings the following changes:

  • enlarged scope of companies
  • mandatory ESRS
  • machine-readable reporting (tagging)
  • mandatory limited assurance requirement

The CSRD foresees a possibility to move from limited to reasonable assurance in 2028 subject to the EC’s positive assessment of whether the transition is feasible for companies and practitioners.

11. Who provides sustainability reporting assurance?

The CSRD mandates the statutory auditor to express an opinion on sustainability reporting. Member States may allow another statutory auditor or an independent assurance services provider (IASP) to express an opinion on sustainability reporting.

Shareholders with more than 5% of voting rights or 5% of capital of a company have the right to ask to involve an accredited third party to “prepare a report on some elements of the sustainability reporting”. This accredited third party cannot belong to the same audit firm or network as the auditor carrying out the statutory audit.  

12. What is the scope of an assurance engagement as per CSRD?

The CSRD requires practitioners to express an opinion based on a limited assurance engagement on: 

  • compliance with the CSRD, including: 
    • the compliance of the sustainability reporting with ESRS, 
    • the process carried out by the undertaking to identify the information reported pursuant to ESRS, and  
    • the compliance with the requirement to mark-up sustainability reporting, and 
  • compliance with the EU Taxonomy Regulation Article 8 reporting requirements 

13. What standard is used for assurance on sustainability reporting?

The practitioner follows specific standards and pronouncements to conduct an assurance engagement effectively and efficiently.

The CSRD mandates the EC to adopt, through delegated acts, a limited assurance standard by 1 October 2026. This EU standard should define expectations for practitioners conducting assurance engagements on sustainability reporting prepared in accordance with the ESRS. All assurance practitioners will be required to use this EU limited assurance standard under the CSRD.

The EC requested the Committee of European Auditing Oversight Bodies (CEAOB) to prepare technical advice for the development of the EU limited assurance standard, to be delivered to the EC by May 2025. For this purpose, the CEAOB is expected to identify EU-specific add-ons and possible carve-outs to the International Standard on Sustainability Assurance (ISSA) 5000 for the preparation of the delegated act. The International Auditing and Assurance Standards Board (IAASB) has recently adopted ISSA 5000, a new global comprehensive standard for sustainability information assurance.

In the meantime, Member States may apply national assurance standards, procedures or requirements as long as the EC has not adopted an assurance standard covering the same subject matter. If no decision has been taken at Member State, audit oversight body or audit institute level, practitioners will have to exercise professional judgement to determine which standard to use for limited assurance engagements until the EC adopts an EU standard.

Additionally, the CEAOB has adopted non-binding guidelines for limited assurance engagements to facilitate sustainability reporting assurance harmonisation across Member States during the transition period.

The EC shall adopt reasonable assurance standards by 1 October 2028, if the EC assesses that reasonable assurance is feasible for practitioners and for companies.  

14. What educational qualifications are required for practitioners to provide assurance services?

Statutory auditors must meet specific requirements to be eligible to carry out assurance engagements of sustainability reporting. They are required to obtain knowledge in the following subjects: 

  • legal requirements and reporting standards relating to the preparation of annual and consolidated sustainability reporting 
  • sustainability analysis 
  • sustainability due diligence processes 
  • legal requirements and assurance standards for sustainability reporting 

The statutory auditors must pass an exam and complete at least eight months of practical training in assurance of annual and consolidated sustainability reporting or other sustainability related services.

The CSRD foresees transitional arrangements for those statutory auditors who qualified before 1 January 2024 or intend to complete their accreditation by 1 January 2026. Member States must ensure that the necessary knowledge is acquired via continuing education.

If Member States opt to authorise IASPs, they must establish equivalent requirements for training, examination, and continuing education. The CSRD also foresees the same transitional arrangements for IASPs.

15. How are assurance providers supervised?

The EU legislation requires each Member State to set up a dedicated audit oversight body (AOB) independent from auditors and audit firms. These AOBs supervise auditors at national level and cooperate at EU level within the CEAOB. Public oversight ensures that statutory auditors abide by the rules and requirements, including quality management, ethics and independence.

Additionally, the Audit Directive requires Member States to have in place an investigations and sanctions regime for statutory auditors and audit firms carrying out statutory audits. Such requirements – for public oversight and investigations and sanctions regime – should be extended to statutory auditors and audit firms that conduct assurance of sustainability reporting. This ensures consistency in the investigations, sanctions and oversight frameworks for the auditor’s work in the statutory audit and the assurance of sustainability reporting.

If a Member State allows IASPs to carry out sustainability reporting assurance (see question 11), the CSRD requires the Member State to set up requirements equivalent to those for statutory auditors, including on investigations and sanctions.

For more information on how audit oversight is organised in Europe, see our publication Organisation of the public oversight of the audit profession in 30 European countries.

DISCLAIMER: Accountancy Europe makes every effort to ensure, but cannot guarantee, that the information in this publication is accurate and we cannot accept any liability in relation to this information. We encourage dissemination of this publication, if we are acknowledged as the source of the material and there is a hyperlink that refers to our original content. If you would like to reproduce or translate this publication, please send a request to [email protected].