What you'll learn
- What CSRD Article 34 requires in terms of assurance level, who provides it, and the timeline for the transition from limited to reasonable assurance
- How ISSA 5000 structures a limited assurance engagement on sustainability information, from acceptance through to the assurance report
- How limited assurance procedures differ from the reasonable assurance procedures you perform on financial statements
- What the main procedural requirements are for evidence gathering, risk assessment, and forming a conclusion under ISSA 5000
Your first CSRD limited assurance engagement is likely already on the desk or arriving within the next two reporting cycles. The Corporate Sustainability Reporting Directive requires assurance, and ISSA 5000 is the standard that governs how you provide it. If you've spent your career on financial statement audits, the terminology will feel familiar. The procedures will not.
ISSA 5000 (General Requirements for Sustainability Assurance Engagements), issued by the IAASB, establishes the requirements for performing limited and reasonable assurance engagements on sustainability information reported under frameworks including the CSRD and ESRS, requiring auditors to obtain sufficient appropriate evidence to form a conclusion on whether the sustainability information is free from material misstatement.
CSRD assurance requirements: what Article 34 mandates
The Corporate Sustainability Reporting Directive (Directive (EU) 2022/2464) amends the Accounting Directive to require assurance on sustainability reporting. CSRD Article 34(1) requires that the statutory auditor or audit firm (or, where permitted by the member state, an independent assurance services provider) express an opinion on the sustainability reporting based on a limited assurance engagement.
The phasing follows the CSRD's entity scope. Large public-interest entities with more than 500 employees reported for the first time for financial years beginning on or after 1 January 2024, with assurance required on those reports. Other large undertakings meeting two of three size thresholds (balance sheet total exceeding €25M, net turnover exceeding €50M, average number of employees exceeding 250) report for financial years beginning on or after 1 January 2025. Listed SMEs (except micro-undertakings) follow for financial years beginning on or after 1 January 2026, with an opt-out possibility until 2028.
Article 34(3) anticipates a transition from limited to reasonable assurance. The European Commission is empowered to adopt reasonable assurance standards by delegated act. The timeline for this transition is not yet fixed, but the CSRD text envisions limited assurance as a transitional measure, with reasonable assurance as the end state. For the immediate future, the engagements auditors are performing and accepting are limited assurance.
The assurance covers sustainability information prepared in accordance with ESRS (European Sustainability Reporting Standards) as adopted by the European Commission. This includes the double materiality assessment, the entity's sustainability-related disclosures across environmental (ESRS E1-E5), social (ESRS S1-S4), and governance (ESRS G1) topics, and the entity's own reporting on due diligence processes.
ISSA 5000: scope and structure
ISSA 5000 is a framework-neutral standard. It applies to sustainability assurance engagements regardless of the sustainability reporting framework (ESRS, GRI, SASB, ISSB). For CSRD engagements, the applicable reporting framework is ESRS as adopted by the EU. ISSA 5000 provides the procedural framework; ESRS provides the criteria.
The standard is structured to cover both limited and reasonable assurance within a single document. Paragraphs that apply only to limited assurance are marked as such. The architecture mirrors the financial audit standards in several respects: acceptance and continuance, planning, risk assessment, obtaining evidence, evaluating evidence, and forming a conclusion. But the differences in execution are substantial.
ISSA 5000 is not ISA 805 applied to sustainability. It was designed for sustainability information, which has characteristics that financial information does not: qualitative disclosures, forward-looking statements, narrative descriptions of processes, and metrics that may not flow from a double-entry system. The evidence-gathering procedures reflect these characteristics.
Accepting a sustainability assurance engagement
ISSA 5000 paragraph 37 requires the practitioner to determine whether the preconditions for a sustainability assurance engagement are present. These include an appropriate sustainability reporting framework (for CSRD engagements: ESRS), access to evidence, and the entity's acknowledgement of its responsibility for the sustainability information.
Paragraph 40 addresses competence. The practitioner must determine that the engagement team (including any specialists) has the competence to perform the engagement. For a financial statement audit firm taking on its first CSRD assurance engagement, this is a real threshold. Sustainability reporting involves subject matters (greenhouse gas emissions calculations, workforce metrics, biodiversity impact assessments) that most audit teams have not previously evaluated. ISSA 5000 does not permit accepting an engagement if the team lacks the competence to perform it.
Paragraph 43 requires the terms of engagement to be agreed in writing. The engagement letter must specify the applicable framework (ESRS), the level of assurance (limited), the scope of the sustainability information covered, and the responsibilities of management and the practitioner.
For statutory auditors already appointed as financial statement auditor, the CSRD engagement may be performed by the same firm. Article 34(1) permits this but does not require it. Some member states allow independent assurance services providers (not audit firms) to perform the engagement. The practitioner should confirm the legal position in the relevant jurisdiction.
Understanding the entity and its sustainability reporting
ISSA 5000 paragraph 52 requires the practitioner to obtain an understanding of the entity and its environment as relevant to the sustainability information. This parallels ISA 315 but the scope is different. Instead of understanding the entity's financial reporting system, the practitioner understands the entity's sustainability reporting processes, including how the entity identifies material sustainability topics, collects data, and applies the ESRS disclosure requirements.
The double materiality assessment is central. Under ESRS 1, the entity determines which sustainability topics are material from both an impact perspective (how the entity affects people and the environment) and a financial perspective (how sustainability matters affect the entity's financial position). The practitioner must understand how the entity performed this assessment, what topics it determined to be material, and what topics it determined not to be material. A CSRD limited assurance engagement that does not address the double materiality assessment is incomplete.
ISSA 5000 paragraph 55 requires the practitioner to obtain an understanding of the entity's system of internal control relevant to sustainability reporting. For many entities, especially those in the first years of CSRD reporting, this system is immature. The controls over greenhouse gas emissions data, for example, may involve manual spreadsheet calculations with limited review procedures, very different from the controls over financial data flowing through an ERP system.
The practitioner documents this understanding. In a financial statement audit under ISA 315, the understanding informs the risk assessment. The same logic applies here.
Risk assessment under ISSA 5000
ISSA 5000 paragraph 58 requires the practitioner to identify and assess risks of material misstatement in the sustainability information. For limited assurance engagements, paragraph 59 clarifies that the risk assessment focuses on areas where material misstatements are likely to arise, rather than requiring the granular assertion-level assessment that ISA 315 mandates for financial statement audits.
This is a meaningful difference. In a financial statement audit, you assess risk at the assertion level for every significant account balance. In a limited assurance sustainability engagement, you identify the sustainability topics and disclosures where the risk of material misstatement is highest and focus your procedures there. The depth of the risk assessment is proportionate to the level of assurance.
For a CSRD engagement, the high-risk areas will often include greenhouse gas emissions data (ESRS E1), especially Scope 3 emissions where data availability is weakest. Workforce metrics under ESRS S1 (employee counts, training hours, pay gap data) may carry measurement risk if the entity's HR systems do not capture the data in the format ESRS requires. The double materiality assessment itself is a risk area: if the entity excluded a material topic, all disclosures related to that topic are missing.
ISSA 5000 paragraph 60 requires the practitioner to revise the risk assessment if information obtained during the engagement indicates that the initial assessment was incorrect. This mirrors ISA 315.31.
Evidence gathering: how limited assurance differs
The core difference between limited and reasonable assurance is the nature, timing, and extent of evidence-gathering procedures. Limited assurance provides a meaningful level of assurance but less than reasonable assurance. ISSA 5000 paragraph 62 describes limited assurance procedures as primarily consisting of inquiries and analytical procedures.
In a reasonable assurance engagement (the financial statement audit equivalent), the practitioner performs detailed testing: substantive tests of details, tests of controls, inspection of documents, recalculation, observation, and confirmation. In a limited assurance engagement, the practitioner's procedures are deliberately less extensive.
ISSA 5000 paragraph 64 describes the procedures for limited assurance. Inquiry of management and others within the entity is the primary procedure. The practitioner asks management how it collected the data, what controls exist, what changes occurred during the period, and whether management is aware of any misstatements or non-compliance. Analytical procedures (ISSA 5000 paragraph 65) involve the practitioner evaluating the sustainability information for consistency, plausibility, and expected relationships.
The practitioner may also perform additional procedures beyond inquiry and analytics if the risk assessment or other information suggests they are necessary (ISSA 5000 paragraph 66). For example, if inquiry reveals that the entity changed its greenhouse gas emissions calculation methodology mid-year, the practitioner might inspect documentation of the change to understand its effect. If analytical procedures identify an unexpected fluctuation in workforce metrics, the practitioner might request and review supporting data.
The distinction from a financial statement audit is not binary. Limited assurance does not mean the practitioner accepts everything management says. It means the procedures are designed to obtain sufficient appropriate evidence for a limited assurance conclusion, which is expressed in the negative form ("nothing has come to our attention"). Reasonable assurance requires procedures sufficient for a positive-form conclusion ("in our opinion, the sustainability information is prepared, in all material respects, in accordance with ESRS").
Forming the conclusion and reporting
ISSA 5000 paragraph 78 requires the practitioner to form a conclusion on the sustainability information based on the evidence obtained. For a limited assurance engagement, the conclusion is expressed in the negative form. The standard wording: "Based on the procedures performed and the evidence obtained, nothing has come to our attention that causes us to believe that the sustainability information is not prepared, in all material respects, in accordance with [ESRS]."
The assurance report (ISSA 5000 paragraphs 80-87) includes elements that mirror the auditor's report under ISA 700: identification of the sustainability information, the applicable framework, the practitioner's responsibilities, a description of the procedures performed, and the conclusion. The report must also describe the inherent limitations of a limited assurance engagement (paragraph 83), so that users understand the difference from reasonable assurance.
Modified conclusions follow a structure similar to ISA 705. If the practitioner identifies a material misstatement, the conclusion is qualified or adverse. If the practitioner is unable to obtain sufficient evidence, the conclusion is qualified or disclaimed. For CSRD engagements, scope limitations are a real risk in the early years: entities may not have systems in place to provide evidence for every ESRS disclosure, and the practitioner must assess whether the absence of evidence constitutes a scope limitation.
The ISA 450 misstatement tracker may be adapted for sustainability assurance engagements to accumulate identified misstatements and evaluate their materiality, though the materiality thresholds for sustainability information may differ from financial materiality thresholds.
The limited-to-reasonable assurance transition
CSRD Article 34(3) anticipates a transition from limited to reasonable assurance for sustainability reporting. The European Commission has the authority to adopt standards for reasonable assurance through a delegated act. The timeline is not fixed, and the Commission has indicated it will assess readiness before mandating reasonable assurance.
For practitioners, the transition means that the procedures described above will become more extensive. The risk assessment will become more granular (closer to the ISA 315 assertion-level model). Evidence gathering will shift from primarily inquiry and analytics to include detailed substantive testing: inspection of source documents for emissions data, recalculation of workforce metrics, external confirmation of supply chain data, and tests of controls over sustainability reporting processes.
Firms that build their limited assurance methodology with the reasonable assurance transition in mind will find the upgrade less disruptive. Documenting the entity's sustainability reporting controls now (even though limited assurance requires less reliance on them) creates a baseline for the control-testing procedures reasonable assurance will require. Understanding the entity's data flows and calculation methodologies in detail (beyond what limited assurance strictly demands) reduces the learning curve when reasonable assurance arrives.
The IAASB's ISSA 5000 already covers both levels of assurance. Firms using ISSA 5000 for limited assurance can refer to the reasonable assurance paragraphs to understand where the bar rises and begin preparing.
One specific area where the gap between limited and reasonable assurance is largest is controls testing. Under limited assurance, the practitioner is not required to test the operating effectiveness of controls over sustainability reporting. Under reasonable assurance, testing controls becomes a consideration, especially for data-intensive disclosures like greenhouse gas emissions where the volume of underlying transactions makes substantive testing of every data point impractical. Firms that document the control environment during limited assurance engagements (even without testing operating effectiveness) create a head start for the transition.
Worked example: limited assurance on a Dutch logistics company
Scenario: Van Houten Transport B.V. is a Dutch logistics and freight forwarding company with €110M revenue, 680 employees, and a balance sheet total of €74M. It falls within the CSRD scope as a large undertaking and reports under ESRS for the financial year beginning 1 January 2025. The statutory auditor has been engaged to perform limited assurance on the sustainability report.
- At the acceptance stage, the engagement partner confirms the preconditions (ISSA 5000.37). Van Houten's management acknowledges responsibility for the sustainability information. The applicable framework is ESRS as adopted by the EU. The engagement team includes one audit manager with ESRS training and one external environmental specialist for the emissions-related disclosures. The engagement letter specifies limited assurance, ESRS as the framework, and the full scope of the sustainability report.
Documentation note: "Preconditions confirmed per ISSA 5000.37. Engagement team competence: audit manager completed ESRS assurance training (40 hours), external specialist engaged for ESRS E1 emissions calculations. Engagement letter signed 15 September 2025 specifying limited assurance, ESRS framework, full sustainability report scope."
- The practitioner obtains an understanding of Van Houten's sustainability reporting process (ISSA 5000.52). The company performed a double materiality assessment with support from an external consultant, identifying ESRS E1 (climate change, including Scope 1, 2, and 3 GHG emissions), ESRS S1 (own workforce), and ESRS G1 (business conduct) as material topics. ESRS E2-E5 and ESRS S2-S4 were assessed as not material. The practitioner reviews the double materiality assessment documentation, including the stakeholder engagement process and the criteria used for the impact and financial materiality thresholds.
Documentation note: "Understanding obtained per ISSA 5000.52. Double materiality assessment reviewed: 3 ESRS topics identified as material (E1, S1, G1). Assessment performed with external consultant support, documented in management's double materiality report dated June 2025. Practitioner evaluated methodology against ESRS 1 requirements. No material topics appear to have been inappropriately excluded based on Van Houten's sector and operations."
- The risk assessment (ISSA 5000.58) identifies two higher-risk areas. Scope 3 GHG emissions (ESRS E1-6) are high risk because Van Houten relies on subcontracted carriers for 45% of freight movements, and the emissions data from these subcontractors is based on estimated fuel consumption rather than actual data. The second higher-risk area is the workforce metrics under ESRS S1 (specifically, training hours per employee and the gender pay gap calculation), because Van Houten's HR system does not capture training hours at the individual employee level, requiring manual aggregation from departmental records.
Documentation note: "Risk assessment per ISSA 5000.58. Higher-risk areas identified: (1) Scope 3 GHG emissions from subcontracted carriers (45% of freight volume), data based on estimated rather than actual fuel consumption, measurement uncertainty elevated. (2) ESRS S1 training hours metric, manual aggregation from departmental records creates completeness risk. Lower-risk areas: Scope 1 and 2 emissions (company-owned fleet, direct fuel purchase records available), ESRS G1 disclosures (anti-corruption policy documentation readily available)."
- Evidence-gathering procedures focus on the higher-risk areas (ISSA 5000.64-66). For Scope 3 emissions, the practitioner inquires about the estimation methodology (emission factors used, source of activity data from subcontractors), performs an analytical comparison of current-year Scope 3 emissions to prior-year estimates and to industry benchmarks for logistics companies, and inspects a sample of subcontractor data submissions to evaluate consistency with the reported figures. For the training hours metric, the practitioner inquires about the data collection process, compares the reported total to the HR budget for training, and inspects departmental training records for two of six operating divisions. For lower-risk areas (Scope 1 and 2 emissions, ESRS G1 disclosures), the practitioner performs inquiry and analytical procedures only.
Documentation note: "Procedures performed per ISSA 5000.64-66. Scope 3 GHG: inquiry of sustainability manager, analytical comparison to prior year and EUROPEM logistics sector benchmark, inspection of 8 subcontractor data submissions (representing 62% of subcontracted freight volume). Training hours: inquiry of HR director, analytical comparison to training budget, inspection of departmental records for Divisions 2 and 5. Scope 1/2, ESRS G1: inquiry and analytics only, consistent with lower risk assessment."
- The practitioner forms the conclusion (ISSA 5000.78). Based on the procedures performed, no matters have come to the practitioner's attention that cause them to believe the sustainability information is not prepared, in all material respects, in accordance with ESRS. The assurance report includes the negative-form conclusion, a description of the procedures performed, the inherent limitations of limited assurance, and identification of the applicable framework (ESRS as adopted by the EU).
Documentation note: "Unmodified limited assurance conclusion per ISSA 5000.78. No material misstatements identified. The assurance report describes the limited nature of the procedures and states that the procedures do not provide all the evidence that would be required for a reasonable assurance engagement. Report dated 28 April 2026."
A reviewer sees clear documentation of the risk-based approach: higher-risk areas received more extensive procedures, lower-risk areas received procedures proportionate to the limited assurance level, and the conclusion is supported by the evidence obtained.
Practical checklist for ISSA 5000 engagements
- Before accepting the engagement, confirm that the team has the competence to perform it (ISSA 5000.40). If the team lacks sustainability-specific expertise (emissions calculations, ESRS disclosure requirements), engage a specialist or invest in training before signing the engagement letter.
- Obtain and review the entity's double materiality assessment before designing procedures. Evaluate whether any material topics have been excluded. This assessment determines the scope of the sustainability report and therefore the scope of the assurance engagement.
- Identify the higher-risk areas in the sustainability information during risk assessment (ISSA 5000.58). Focus evidence-gathering procedures on these areas. For most first-time CSRD reporters, Scope 3 emissions and workforce metrics are likely higher-risk areas due to data immaturity.
- Document the procedures performed at a level that allows a reviewer to understand what evidence was obtained and how it supports the conclusion. Limited assurance does not mean limited documentation.
- Use the negative-form conclusion precisely (ISSA 5000.78). Do not inadvertently use positive-form language ("we are satisfied that...") in a limited assurance report.
- Begin documenting the entity's sustainability reporting controls now, even though limited assurance relies less heavily on them. When reasonable assurance becomes mandatory, this baseline will reduce transition effort.
Common mistakes on sustainability assurance engagements
Performing only inquiry and no analytical procedures. ISSA 5000 paragraphs 64-65 require both inquiry and analytical procedures as the baseline for limited assurance. An engagement file with only inquiry notes and no analytical comparison of reported sustainability data to benchmarks, budgets, or prior periods does not meet the standard.
Failing to evaluate the double materiality assessment. If the entity excluded a sustainability topic that should have been material, every disclosure related to that topic is missing from the sustainability report. The practitioner must evaluate the assessment, not accept it at face value.
Related content
- ISA 570 going concern checklist: Climate-related risks identified during CSRD assurance may feed into the financial statement auditor's going concern assessment. The checklist includes financial and operational indicators that connect to ESRS E1 disclosures.
- Analytical review tool: The dual-threshold variance analysis can be adapted for analytical procedures on sustainability metrics under ISSA 5000.65, comparing reported data to benchmarks and prior periods.
- CSRD double materiality: how to assess and document under ESRS 1: Covers the double materiality assessment process that determines which ESRS topics the entity reports on and the practitioner assures.