Key Points
- Every company in scope for the CSRD must obtain at least limited assurance on its sustainability statement from its first reporting year.
- ISSA 5000 was approved by the IAASB in September 2024 and published in November 2024, with an effective date of 15 December 2026.
- The Omnibus I Directive removed the planned transition from limited to reasonable assurance, so limited assurance remains the EU baseline indefinitely.
- The practitioner assesses risks of material misstatement at the disclosure level for limited assurance and at the assertion level for reasonable assurance.
What is Sustainability Assurance?
ISSA 5000 is a stand-alone standard. A practitioner does not need to cross-reference the existing ISAE 3000 (Revised) framework when performing a sustainability assurance engagement, though ISSA 5000 draws on the same conceptual underpinnings. The standard applies to both professional accountants and non-accountant assurance providers, provided they comply with the IESBA Code and operate within a firm that applies ISQM 1.
The engagement follows a structure that auditors will recognise: accept and plan, identify and assess risks of material misstatement, design and perform procedures responsive to those risks, evaluate the evidence, form a conclusion, and report. For limited assurance, ISSA 5000.89 requires the practitioner to identify and assess risks at the disclosure level. For reasonable assurance, ISSA 5000.90 requires assessment at the assertion level for each disclosure. That difference drives the extent of testing. A limited assurance engagement relies more on inquiry, analytical procedures, and observation. A reasonable assurance engagement adds inspection of source data, recalculation, and corroboration against external evidence.
Under the CSRD, Member States may permit either the statutory auditor or an independent assurance services provider to perform the engagement. The CEAOB issued guidelines in 2024 clarifying what regulators expect from a limited assurance engagement on ESRS-compliant sustainability information, including the double materiality assessment and EU Taxonomy disclosures.
Worked example: Bergstrom Skog AB
Client: Swedish forestry and paper company, FY2027, revenue EUR 75M, IFRS reporter. Bergstrom Skog falls within CSRD Wave 1 (large public-interest entity) and publishes its sustainability statement under the ESRS. The engagement team at a mid-tier Swedish firm performs a limited assurance engagement under ISSA 5000.
Step 1 — Accept the engagement and assess preconditions
The engagement partner confirms that Bergstrom's sustainability information is identifiable (presented as a dedicated section of the management report), that the applicable criteria are the ESRS, and that the firm has access to the evidence needed. The partner evaluates team competence, noting that two team members completed ISSA 5000 training in Q3 2027 while a third holds subject-matter expertise in forestry-sector GHG measurement.
Documentation note: record the preconditions assessment per ISSA 5000.50-56, including the competence evaluation, the identified criteria (ESRS set 1), and the engagement letter specifying limited assurance scope.
Step 2 — Understand the entity and identify risks of material misstatement
The team maps Bergstrom's material ESRS disclosures (E1 Climate, E4 Biodiversity, S1 Own workforce) and identifies the IRO assessment process management used to determine materiality. Key risks include Scope 1 emissions from diesel-powered harvesting equipment (estimated at 14,200 tonnes CO2e) and the completeness of Scope 3 upstream transport data.
Documentation note: record the risk identification at the disclosure level per ISSA 5000.89, the rationale for each identified risk, and the link to the entity's double materiality assessment output.
Step 3 — Design and perform procedures
For Scope 1 emissions, the team recalculates the conversion from diesel litres consumed (5.38 million litres per fuel purchase records) to CO2e using the Swedish Environmental Protection Agency emission factors. For Scope 3 upstream transport, the team performs analytical procedures comparing tonne-kilometres reported against procurement contracts and prior-year volumes, and inquires of management about estimation methods for third-party carrier data gaps.
Documentation note: record the nature and extent of procedures for each significant disclosure, the sources of emission factors used, and the results of analytical procedures per ISSA 5000.105-109. File the recalculation workpaper and the inquiry memorandum.
Step 4 — Evaluate evidence and form the conclusion
The Scope 1 recalculation produces 14,350 tonnes CO2e versus management's reported 14,200 tonnes. The difference of 150 tonnes (1.1%) is below the quantitative threshold the team established for climate disclosures. Scope 3 transport data shows a 7% year-on-year increase consistent with the 9% rise in purchased timber volumes. No misstatements exceed the established threshold.
Documentation note: record the evaluation of identified misstatements (individually and in aggregate) against the materiality threshold per ISSA 5000.131-133, the basis for concluding that no material misstatement exists, and the final limited assurance conclusion.
Conclusion: the engagement produces an unmodified limited assurance conclusion, defensible because each material ESRS disclosure was subjected to risk-responsive procedures, the emission recalculation confirmed management's figures within tolerance, and the documentation traces every procedure to the assessed risks.
Why it matters in practice
Firms performing early sustainability assurance engagements frequently apply the same materiality threshold they use for the financial statement audit. Sustainability disclosures require separate materiality considerations that reflect both quantitative significance and qualitative factors (such as stakeholder decision-relevance). ISSA 5000.76-78 requires the practitioner to determine materiality for the sustainability information as a whole, considering the information needs of intended users. Importing the financial audit threshold without adjustment leaves the engagement under-scoped for qualitative disclosures and over-scoped for quantitative ones.
Teams often limit their risk assessment to the quantitative climate metrics (Scope 1, Scope 2) while overlooking governance and social disclosures that carry equal weight under the ESRS. ISSA 5000.89 requires risk identification across all material disclosures, not only those that lend themselves to recalculation. Skipping narrative disclosures such as ESRS S1 (own workforce policies) or ESRS G1 (business conduct) creates coverage gaps that regulators will flag once inspection programmes mature.
Sustainability assurance vs. financial statement audit
| Dimension | Sustainability assurance (ISSA 5000) | Financial statement audit (ISA) |
|---|---|---|
| Subject matter | Sustainability disclosures reported under criteria such as ESRS, GRI, or entity-developed frameworks | Historical financial information prepared under IFRS, local GAAP, or other financial reporting frameworks |
| Assurance level | Limited or reasonable, as specified in the engagement terms | Reasonable assurance is the default and only level |
| Governing standard | ISSA 5000 (internationally); national transpositions may apply | ISA 200-810 series |
| Risk assessment granularity | Disclosure level (limited) or assertion level (reasonable) per ISSA 5000.89-90 | Assertion level per ISA 315.28-30 |
| Evidence characteristics | Mix of quantitative data (emissions, energy) and qualitative narrative; external data sources common; estimation uncertainty often higher | Primarily quantitative; internal accounting records are the primary source; estimation uncertainty varies by account |
The distinction matters because practitioners accustomed to financial statement audits sometimes assume that the same procedures transfer directly. Sustainability data frequently originates outside the financial reporting system (from operational teams, third-party data providers, satellite imagery), and the practitioner must evaluate whether the entity's information systems and internal controls over sustainability reporting are sufficient to produce reliable data.
Related terms
Frequently asked questions
Who can perform sustainability assurance under the CSRD?
The statutory auditor of the financial statements may perform the engagement. Member States can also authorise independent assurance services providers, provided they meet the qualifications set out in CSRD Article 34. In practice, most Wave 1 reporters have appointed their existing statutory auditor to preserve coordination between the financial and sustainability engagements. ISSA 5000.17 applies regardless of whether the practitioner is an auditor or a non-accountant provider.
What is the difference between limited and reasonable sustainability assurance?
In a limited assurance engagement, the practitioner assesses risks at the disclosure level and performs primarily inquiry and analytical procedures. In a reasonable assurance engagement, the practitioner assesses risks at the assertion level and performs more extensive procedures including inspection, recalculation, and external confirmation. ISSA 5000.89-90 sets out the distinction. The CSRD currently requires limited assurance only; the Omnibus I Directive removed the planned transition to reasonable assurance.
Do I need to apply ISSA 5000 for FY2025 sustainability reports?
ISSA 5000 is effective for periods beginning on or after 15 December 2026. For FY2025 and FY2026 engagements, practitioners apply ISAE 3000 (Revised) or the national equivalent adopted by their jurisdiction. Early adoption of ISSA 5000 is permitted. Firms that adopt early should document the decision in the engagement letter and confirm that the engagement quality management infrastructure meets the standard's requirements.