The European Commission (EC) adopted a proposal for the Corporate Sustainability Reporting Directive (CSRD) to strengthen sustainability reporting. This is fundamental to achieve a sustainable economy. It requires companies to report more comparable, targeted, reliable as well as easily accessible information as the basis for sustainable decision-making.

The EC also introduces an EU-wide requirement for limited assurance on sustainability information (see amendments proposed to Article 34). According to the EC proposal, independent external assurance enhances the reported sustainability information’s credibility. This helps meet the growing demands for reliable information on sustainability matters.

This FAQ provides answers to recurring questions on sustainability information assurance, specifically on:

1. limited and reasonable assurance engagements
2. assurance requirements and the EU regulatory framework
3. technical aspects of professional assurance standards

The questions and answers aim to inform policymakers and other interested stakeholders about assurance on sustainability information. We are happy to continue the discussion on sustainability matters and elaborate on the topics covered. Please contact [email protected] to discuss this further.

Questions & Answers

1. What is assurance? Who can perform an assurance engagement?
2. What are the types of assurance?
3. What are the differences between limited and reasonable assurance?
4. Are there any conditions for providing assurance?
5. What standard is used for sustainability information assurance?
6. Is assurance on sustainability information mandatory in the EU? In which countries?
7. What skills and behaviours must an assurance practitioner demonstrate?
8. What are the preconditions of an assurance engagement?
9. What is the underlying subject matter of the assurance engagement?
10. What does the assurance report cover?

1. What is assurance? Who can perform an assurance engagement?

An assurance engagement is when a company asks an independent expert to give comfort on a metric or statement made by the company in exchange for a fee. Such assurance may be done upon recommendation of investors that want a third-party independent opinion to enhance for instance their confidence in the company’s metrics and targets.

The independent expert that provides this service can be the statutory auditor, another independent assurance practitioner working in an accountancy firm, or another assurance service provider who should all be subject to appropriate ethical and quality management requirements.

Limited and reasonable assurance engagements

2. What are the types of assurance?

Assurance on sustainability information can either be provided via a limited assurance engagement or a reasonable assurance engagement.

Limited assurance

In a limited assurance engagement, the assurance service provider reduces the risk of material misstatement[1] to an acceptably low level in the circumstances of the engagement.

In such engagement, the service provider’s primary focus is to understand the process used to compile the reported information. To that end, the provider concentrates on inquiry, observation, and analytical procedures, e.g.: observe data at a more aggregated level. Professional judgement is important for the practitioner to determine the work to perform and evidence obtained to reach the conclusion.

Based on the procedures performed and evidence obtained, the practitioner then expresses a conclusion: the practitioner states whether a matter(s) came to their attention for them to believe that the subject matter information is unfairly represented according to the applicable criteria. The applicable criteria are the reporting framework, standard or regulation used by the company to prepare their disclosures (see Question 4).

Reasonable assurance

In a reasonable assurance engagement, the assurance service provider obtains sufficient appropriate evidence to reduce the risk of material misstatement to an acceptably low level. Here again, professional judgment, which is based on the service provider’s knowledge, expertise and experience, is very important to ensure that enough work has been performed to reach the conclusion.

The work effort in such engagement entails more extensive procedures than in a limited assurance engagement. They include: (i) risks identification and assessment that any matters may be unfairly represented; (ii) testing the operating effectiveness of the company’s internal controls upon which the practitioner intends to rely on; and (ii) substantive procedures.

The practitioner then expresses a conclusion in a positive form as to whether the subject matter information is free of material misstatement according to the applicable reporting criteria i.e., the applicable reporting framework, standard or regulation.

Reasonable assurance is an assurance type that is obtained in an audit of financial statements. It is the highest level of assurance, but still not absolute. Assurance will never be absolute since it will always come with inherent limitations. This is due to the nature of the evidence obtained via testing, in some instances fraud or error risks, information subjectivity, etc..

3. What are the differences between limited and reasonable assurance?

The two assurance engagements both require the information be verifiable in the first place (see Question 4).

The two engagements only differ in terms of the work effort undertaken by the assurance service provider to present their conclusion in the report. Indeed, in a limited assurance engagement, service providers undertake fewer procedures and require less evidence upon which to base their conclusion than in a reasonable assurance engagement. As an outcome, it does not provide the same level of comfort to the users of the report (see Question 2 for more detail on a limited vs a reasonable assurance engagement).

4. Are there any conditions for providing assurance?

For assurance to be provided, either limited or reasonable, the reported information has to be verifiable:

• with appropriate subject matter and suitable reporting criteria (see Question 9). The reporting criteria suitability is key as it serves as a point of reference to evaluate the subject matter. Reporting standards are suitable as soon as they provide clear definitions and exhibit the following characteristics : relevance, completeness, reliability, neutrality and understandability.
• with effective and properly managed internal processes and controls. That way, the reporting entity is confident about the reported data’s quality and able to provide appropriate evidence. Currently, companies do not always have mature systems and processes in place to collect and report accurate sustainability-related data.

Effective internal processes and controls, however, are not sufficient to make sustainability reporting comparable, relevant and reliable. Assurance by an independent external assurance service provider is necessary to ensure that sustainability reporting is at a high-quality level.

According to the professional standard followed by assurance providers, other preconditions should also be met. See Question 8.

5. What standard is used for sustainability information assurance?

The practitioner follows specific standards and procedures to conduct an assurance engagement in an effective and efficient manner. The International Standard on Assurance Engagements (ISAE) 3000 Revised (ISAE 3000) [2] is the standard mostly used when dealing with sustainability information assurance as practice has evolved.

There is no legal requirement to use ISAE 3000 at European level. However, Member States (MSs) like France, Italy and Spain, used this standard to base on their national developments as well as other countries like the Netherlands where voluntary assurance is common practice. Other professional standards may also be applied to deal with specific parts of sustainability information, e.g., ISAE 3410 for assurance engagements relating to greenhouse gas statements.

Assurance requirements and the EU regulatory framework

6. Is assurance on sustainability information mandatory in the EU? In which countries?

Assurance on sustainability information is not yet mandated at EU level.

The Non-Financial Reporting Directive 2014/95/EU (NFRD) only requires the statutory auditor to check that a non-financial statement within the management report or a separate report has been provided, but not to check its content. All EU Member States (MSs) had to transpose this requirement into national law.

The NFRD also provided MSs with an option to require verification of the non-financial/sustainability information by an independent assurance service provider. Three MSs – France, Italy, Spain – opted for mandatory independent assurance. Based on our survey, in 14 other MSs, many entities voluntarily chose to ask for assurance on the sustainability information they are required to report.

The EC’s proposal for the CSRD introduces an EU-wide requirement for limited assurance on sustainability information[3]. The EC suggests starting with a limited assurance requirement and potentially go for reasonable assurance at a later stage.

The EC proposes assurance on sustainability information to be performed by the statutory auditor or audit firm arguing that this would help ensure the connectivity between the financial and sustainability information. This is particularly important for users of sustainability information. In addition, the EC leaves an option to MSs to allow any independent assurance service provider to provide a conclusion on sustainability information on a basis of a limited assurance engagement, considering that the service providers are accredited by conformity assessment bodies in accordance with Regulation (EC) No 765/2008.

Technical aspects of professional assurance standards

7. What skills and behaviours must an assurance practitioner demonstrate?

When providing assurance on sustainability information, similarly as for other assurance services, professional accountants are required to always demonstrate strong ethical behaviour and professional judgement. They must apply the fundamental principles of the Code of Ethics of the International Ethics Standards Boards for Accountants (IESBA), namely:

• integrity
• objectivity, including independence
• professional competence and due care
• confidentiality
• professional behaviour

Assurance service providers abide by strong ethical principles and rules, including independence. Independence safeguards their ability to form an assurance conclusion without compromising their professional judgement. It allows the service provider to act with integrity, and exercise objectivity and professional scepticism.

An assurance service provider applying ISAE 3000 has to abide by the requirement to have a quality control or quality management system in place to ensure assurance engagement is carried out with consistent high quality.

8. What are the preconditions of an assurance engagement?

According to ISAE 3000, an assurance engagement requires the following elements to take place:

• suitable roles and responsibilities of involved parties
• appropriate underlying subject matter
• suitable reporting criteria that exhibit certain characteristics to be met for an assurance engagement: relevance, completeness, reliability, neutrality, understandability (also see Question 4)
• effective and properly managed internal processes and controls to ensure that the information to be reported is supported by sufficient appropriate evidence
• assurance report (see Question 10)

9. What is the underlying subject matter of the assurance engagement?

Any assurance engagement, whether a reasonable or a limited assurance engagement, needs a clearly identified underlying subject matter to be assessed. The assurance practitioner can provide assurance on various subject matters, for example:

• a full sustainability report or a part of it
• specific ESG aspects and/or key performance indicators
• the reporting process

The CSRD proposal includes an EU-wide requirement for independent third-party assurance, but it does not provide further details yet in terms of subject matter.

10. What does the assurance report cover?

ISAE 3000 describes the main elements that should be included in the assurance report:

• a description of the level of assurance obtained, i.e., limited or reasonable
• the assurance engagement’s scope and subject matter
• significant inherent limitations associated with measuring the underlying subject matter against the applicable criteria – if applicable
• the company and the assurance service provider’s respective responsibilities, naming the applicable assurance standards and confirming adherence to further professional requirements and standards as applicable
• compliance statements with
  • ISAE
  • the quality control/quality management system requirement (ISQC1/ISQM1);
  • the IESBA Code independence and other ethical requirements (or other professional code, but valued as demanding)
• the work effort that has been performed as the basis for the conclusion (sites concerned, processes and data tested, etc.)
• assurance service provider’s conclusion, either unmodified or modified

[1] A material misstatement is a reported information that is sufficiently incorrect so that it may impact the economic decisions of someone relying on this information.

[2] The International Standard on Assurance Engagements (ISAE) 3000 Revised, Assurance engagements other than audits or reviews of historical financial information; the standard is published by the International Auditing and Assurance Standards Board, see more.

[3] Companies within the CSRD scope would have to disclose sustainability information in accordance with the CSRD starting 2024 for the fiscal year of 2023. Those companies would have to comply also with an assurance requirement starting in 2024.