Key Points
- The CSRD requires at least limited assurance on sustainability statements for all in-scope entities, with no current plan to mandate reasonable assurance following the Omnibus I changes.
- Limited assurance procedures are less extensive than reasonable assurance but still require the practitioner to design and perform procedures sufficient to identify likely material misstatements.
- The CEAOB published non-binding guidelines in September 2024 as a bridge until the European Commission adopts formal limited assurance standards by 1 July 2027.
- Issuing limited assurance without performing analytical procedures on the reported sustainability data is the most frequent procedural gap in early CSRD engagements.
What is Limited Assurance Engagement on Sustainability?
The practitioner accepts a limited assurance engagement on the entity's sustainability statement and plans procedures that address the risk of material misstatement in the reported ESRS disclosures. Under ISAE 3000 (Revised) paragraph 49, the practitioner designs procedures to obtain a meaningful level of assurance as the basis for a negative-form conclusion ("nothing has come to our attention..."). This stands in contrast to a reasonable assurance engagement, where the practitioner expresses a positive-form conclusion.
Procedures in a limited assurance engagement typically include inquiries of management, analytical procedures over reported datapoints, inspection of selected documentation supporting key disclosures, and evaluation of the entity's preparation process. ISAE 3000 (Revised) paragraph 50 requires the practitioner to accumulate sufficient appropriate evidence to reduce engagement risk to an acceptable level, even though that level is higher than for reasonable assurance. The practitioner evaluates whether the entity's double materiality assessment is consistent with the reported disclosures, and whether the sustainability information is prepared in accordance with the applicable criteria (the ESRS framework for CSRD reporters).
ISSA 5000, effective for periods beginning on or after 15 December 2026, replaces ISAE 3000 (Revised) for sustainability assurance. It retains the negative-form conclusion for limited assurance but adds requirements for procedures over value chain data and forward-looking statements (ISSA 5000 paragraph 105).
Worked example: Dupont Ingenierie S.A.S.
Client: French engineering services firm, FY2026, revenue EUR 92M, IFRS reporter, 680 employees. Dupont falls within CSRD scope as a large undertaking. The engagement team performs a limited assurance engagement on Dupont's first sustainability statement under the ESRS framework.
Step 1 — Assess preconditions and plan the engagement
The engagement partner confirms that the ESRS framework constitutes suitable criteria under ISAE 3000 (Revised) paragraph 24(b)(ii). The team reviews Dupont's IRO assessment to identify the material sustainability topics: climate change (E1), own workforce (S1), business conduct (G1), and pollution prevention (E2, assessed as not material and excluded). Engagement risk is assessed as moderate given the first-time reporting.
Step 2 — Perform procedures over E1 (climate change) disclosures
Dupont reports Scope 1 emissions of 4,200 tonnes CO2e and Scope 2 (location-based) of 1,850 tonnes CO2e. The team inquires of the sustainability controller about the calculation methodology and inspects the emission factor sources (ADEME factors for France). Analytical procedures comparing reported emissions to prior-year energy consumption data reveal no anomalies. A recalculation of Scope 1 using gas and fuel invoices confirms the figure within 3%.
Step 3 — Perform procedures over S1 (own workforce) disclosures
Dupont reports a gender pay gap of 8.2% and a training hours figure of 14,600 hours across the workforce. The team traces the gender pay gap to payroll data extracts and reconciles the training hours figure to the HR system log. Inquiry of the HR director reveals no methodology changes from the pilot reporting performed in FY2025.
Step 4 — Evaluate and conclude
The team identifies no material misstatements across the four topics evaluated. The engagement partner reviews the accumulated evidence and determines that engagement risk has been reduced to a level acceptable for limited assurance. The report concludes: "Nothing has come to our attention that causes us to believe that Dupont's sustainability statement for FY2026 is not prepared, in all material respects, in accordance with the ESRS."
Conclusion: the engagement is defensible because the team performed inquiry, analytical procedures, recalculation, and inspection for each material ESRS topic, then expressed a negative-form conclusion consistent with ISAE 3000 (Revised) paragraph 53.
Why it matters in practice
- Teams sometimes limit their procedures to inquiry alone and omit analytical procedures over the reported sustainability data. ISAE 3000 (Revised) paragraph 50 requires the practitioner to design procedures sufficient to obtain a meaningful level of assurance. The CEAOB's September 2024 guidelines (paragraph 82) explicitly state that inquiry alone is not sufficient for limited assurance on sustainability reporting; analytical procedures and inspection of supporting evidence are expected even at the limited level.
- Practitioners frequently fail to evaluate whether the entity's double materiality assessment is complete before scoping the engagement. If the entity omitted a material ESRS topic, the practitioner's conclusion covers incomplete information. ISAE 3000 (Revised) paragraph 46(b) treats such omissions as matters requiring the practitioner's attention.
Limited assurance vs. reasonable assurance on sustainability
| Dimension | Limited assurance | Reasonable assurance |
|---|---|---|
| Conclusion form | Negative ("nothing has come to our attention...") | Positive ("in our opinion, the sustainability statement is prepared, in all material respects, in accordance with...") |
| Level of assurance obtained | Meaningful but lower than reasonable | High but not absolute |
| Typical procedures | Inquiry, analytical procedures, inspection of selected evidence | All limited assurance procedures plus detailed testing, walkthroughs, corroboration of assertions |
| Engagement risk | Acceptable at a higher level than reasonable assurance | Reduced to a lower (more demanding) level |
| CSRD requirement | Mandatory for all in-scope entities | Not mandated following Omnibus I changes |
| Governing standard (from December 2026) | ISSA 5000 paragraphs 105–113 | ISSA 5000 paragraphs 96–104 |
The distinction matters because the level of assurance directly affects the work effort and the reliance users can place on the conclusion. A limited assurance report tells the reader that the practitioner performed less extensive procedures than would be required for a positive opinion.
Related terms
Frequently asked questions
What procedures are required for limited assurance on sustainability?
The practitioner performs inquiries of preparers, analytical procedures over reported data, inspection of selected supporting documentation, and evaluation of the entity's reporting process. ISAE 3000 (Revised) paragraph 49 requires procedures designed to obtain a meaningful level of assurance. The CEAOB guidelines add that the practitioner should evaluate whether the double materiality assessment is consistent with the disclosures reported.
Will limited assurance on sustainability move to reasonable assurance under the CSRD?
The Omnibus I directive (Directive (EU) 2026/470), published on 26 February 2026, removed the provision that would have allowed the European Commission to mandate a transition from limited to reasonable assurance. Limited assurance remains the required level for CSRD sustainability statements. The Commission must adopt formal limited assurance standards by 1 July 2027.
Can a non-auditor perform a limited assurance engagement on sustainability?
The CSRD permits both statutory auditors and accredited independent assurance services providers (IASPs) to perform the engagement, subject to Member State transposition. ISSA 5000 paragraph 14 extends applicability to professional accountants and other assurance practitioners, provided they meet the ethical and competence requirements set out in the IESBA Code.