Quick Read
Under the CSRD, limited assurance has become the permanent standard globally, meaning every prepared reporter will hold an identical negative conclusion—making the assurance opinion itself insufficient proof of credibility. This whitepaper argues that a certified sustainability management system is now the essential foundation, as it alone tests whether controls actually operated during the reporting period, whereas assurance engagements do not. Certification and assurance are distinct engagements answering different questions: certification examines a system across time, while assurance examines a report after the fact, and organisations must deploy both to establish genuine non-financial credibility.
IN BRIEF
Sustainability assurance examines an output. A sustainability management system is the internal architecture that produces the output, operating throughout the reporting period rather than after it.
Following the Omnibus I directive, limited assurance is the permanent CSRD requirement and the legislated pathway to reasonable assurance has been removed. The assurance conclusion is therefore uniform across the market and cannot differentiate reporters.
A management system is certified under ISO/IEC 17021-1 by an accredited certification body, which examines whether the system exists and operated during the period. This is a different question from whether a report is materially misstated.
SPK CSMS1000:2026 is Speeki's corporate sustainability management system standard, comprising 56 clauses spanning the obligations register, IRO assessment, double materiality, material topic governance, objectives and targets, internal controls over sustainability reporting, GHG, circularity, energy, governance and effectiveness review.
Certification of the system does not replace assurance of the report. It is what makes assurance of the report worth obtaining.
Executive summary
For fifteen years the sustainability profession has treated assurance as the destination. Build the programme, gather the data, publish the report, obtain the opinion. The opinion was the proof.
That logic has quietly stopped working, for a reason that has nothing to do with the quality of assurance practice and everything to do with legislative arithmetic. The Omnibus I directive confirmed limited assurance as the permanent requirement under the CSRD and removed the pathway that would have escalated it to reasonable assurance. From 15 December 2026, ISSA 5000 governs those engagements globally. The consequence is that within two reporting cycles, every prepared reporter in Europe will hold a conclusion in the same negative construction, over a comparable scope, issued under the same standard.
An opinion that everyone holds proves nothing about anyone.
THE ARGUMENT OF THIS PAPER
Assurance tests what a company published. A management system determines whether there was ever anything worth publishing. When the assurance conclusion is uniform and capped, the only remaining lever an organisation can pull is the independently certified quality of the system that produced the information.
This paper sets out why a management system is the load-bearing layer, what distinguishes certification of a system from assurance of a report, what a sustainability management system must contain to carry that load, and how the two engagements interlock.
1. Two different questions
Certification and assurance are routinely conflated by people who should know better, including procurement departments, index providers and the occasional board. They are governed by different accreditation standards, performed against different criteria, and answer different questions.
Term | Definition |
|---|---|
Certification of a management system | An examination, governed by ISO/IEC 17021-1, of whether a management system conforming to a published standard exists within an organisation and operated during a defined period. Performed by a certification body accredited for the relevant scheme. Recurring, with surveillance during the certification cycle. |
Assurance over reported information | An examination, governed by ISSA 5000 from 15 December 2026, of whether reported sustainability information is materially misstated against suitable criteria, expressed at a limited or reasonable level. Performed by an assurance practitioner. Typically annual, and conducted after the reporting period has ended. |
The question certification answers | Did a system operate that was capable of producing reliable information? |
The question assurance answers | Is the information that was published materially misstated? |
Note the temporal difference, because it is the whole of the argument. Certification examines a system across a period. Assurance examines a report after a period. A limited assurance engagement obtains an understanding of internal control but is not required to test its operating effectiveness — which means that in the most common form of sustainability assurance now permanently mandated under the CSRD, nobody tests whether the controls operated at all.
Under limited assurance, the practitioner is not required to test whether your controls worked. Under certification, that is the only question being asked.
The two are therefore not substitutes and not competitors. They are the two halves of a single evidentiary claim, and most organisations have obtained one of them.

Figure 1 — The same clean conclusion, resting on two very different foundations.
2. Why the ceiling changes the calculus
Before Omnibus I, an organisation could reasonably plan a maturity path. Obtain limited assurance now. Build controls. Move to reasonable assurance when the legislation required it, or a little before, and let that transition be the visible signal of maturity to lenders, insurers and investors.
That signal has been withdrawn. The Omnibus I directive retains limited assurance for the CSRD and removes the pathway to reasonable assurance escalation. An EU limited assurance standard is to be adopted no later than 1 July 2027. Whatever an organisation does, the legally required conclusion on its sustainability statement will be a negative conclusion at a limited level, in perpetuity, indistinguishable in form from the conclusion obtained by its least prepared competitor.
Lever | Before Omnibus I | After Omnibus I |
|---|---|---|
Escalate assurance level | Available, and legislatively anticipated | Removed as a legislated destination; available only voluntarily |
Expand assurance scope | Available | Available, but constrained by the value chain cap at exactly the point where data is most material |
Report more datapoints | Available under full ESRS | Constrained: simplified ESRS reduce prescribed datapoints and shift weight to materiality judgement and documentation |
Certify the underlying system | Available, and largely ignored | The principal remaining lever |
Do nothing | Non-compliant | Compliant, for around 42,000 companies now out of scope |
Read the bottom row carefully. The Omnibus I directive narrowed CSRD scope to undertakings with more than 1,000 employees and more than €450 million in net turnover, removing roughly 90 per cent of previously in-scope companies. For those companies, doing nothing is now lawful.
But lawfulness is not the constraint that binds them. Banks still price sustainability-linked facilities. Insurers still underwrite. Strategic customers still impose supply chain requirements, and the value chain cap limits what they may request but does nothing to stop them declining to buy. Index providers still score. The demand for credible non-financial information has not moved; only the obligation to supply it has.
The position of the out-of-scope company
It no longer has a regulatory reason to report, and its assurance conclusion — if it obtains one voluntarily — carries no statutory weight.
Everything it says about itself is now a voluntary claim, judged entirely on the credibility of the system behind it.
This is a stronger argument for certification than any that existed while the CSRD was mandatory.
3. What the system has to contain
A sustainability management system is not an environmental management system with wider scope. ISO 14001 governs environmental performance. ISO 50001 governs energy. Neither addresses the determination of material topics, the governance of a double materiality assessment, the control environment over reported non-financial information, or the register of obligations an organisation is accountable for.
SPK CSMS1000:2026 is Speeki's corporate sustainability management system standard, developed to occupy that space. It comprises 56 clauses. What matters for this paper is not the clause numbering but the sequence, because the sequence is the argument.
Element | What the system requires | What it makes assurable |
|---|---|---|
Obligations register | A maintained record of every non-financial obligation the organisation carries, from regulation, contract, covenant, certification and public commitment | Completeness. The practitioner can evaluate whether material matters were overlooked against a documented population. |
IRO assessment | Systematic identification of impacts, risks and opportunities across own operations and the value chain | The evidence base for materiality, rather than the conclusion of a workshop |
Double materiality | A governed, evidenced, minuted determination of financial and impact materiality, including matters considered and rejected | The layer ISSA 5000 requires the practitioner to evaluate, and the layer most reporters cannot evidence |
Material topic governance | Named accountability for each material topic, with defined authority and escalation | Evidence ownership. Every disclosed figure has an owner who can produce its support. |
Objectives and targets | Targets that are traceable to material topics, with a documented basis and a restatement policy | Comparability across periods, and a defensible position on forward-looking claims |
ICSR | Internal controls over sustainability reporting: documented data lineage, process ownership, controls that operate during the period, and testing of those controls | The operating effectiveness that limited assurance does not test — and that a certification body does |
GHG, circularity, energy | Topic-specific requirements aligned to the relevant ISO standards for measurement and accounting | Consistency between the management system and the verification engagements performed under ISO/IEC 17029 |
Governance | Board and executive oversight of the sustainability programme, with defined reporting | The governance layer that ISSA 5000 requires the practitioner to understand |
Effectiveness review | Periodic evaluation of whether the system achieved its intended outcomes, with corrective action | Evidence that the system is a control rather than a document |
THE SEQUENCE IS THE POINT
Obligations before impacts. Impacts before materiality. Materiality before targets. Targets before controls. Controls before reporting. An organisation that begins with the report and works backwards will produce all of these artefacts and none of the assurance.
4. How the two engagements interlock
The practical question a CFO asks at this point is whether certification duplicates assurance and therefore duplicates cost. It does not, and the interlock reduces the cost of the assurance engagement rather than adding to it.
Certification establishes the control environment; assurance relies on it. An ISSA 5000 practitioner must obtain an understanding of internal control relevant to the preparation of the sustainability information. Where a management system has been independently certified against a published standard, that understanding is obtained faster, from documentation that already exists, and with independent evidence that the system operated during the period.
Certification operates during the period; assurance operates after it. Surveillance activity during the certification cycle tests the system while the reporting period is running. Failures are identified in March rather than discovered in November, when nothing can be done about them.
Certification examines the materiality process; assurance examines its output. The double materiality determination is a clause of the management system standard and therefore a subject of certification. It is also the layer ISSA 5000 requires the practitioner to evaluate. An organisation whose materiality process has been certified arrives at the assurance engagement with the layer 2 problem already solved.
Certification is independent of the reporting boundary; assurance is not. The value chain cap constrains what an assurance practitioner can corroborate. It does not constrain a certification body examining whether the organisation's own estimation controls are documented, consistently applied, and reviewed.
The sequencing that follows from this is straightforward, and it is the reverse of what most organisations do.
Order | Engagement | Why in this position |
|---|---|---|
First | Certify the management system | Establishes the obligations register, the materiality governance and the control environment. Corrects failures while the period is still running. |
Second | Verify the topic-specific claims | GHG inventory, circularity, nature — under ISO/IEC 17029, against measurement standards, with the system already in place to support them. |
Third | Assure the report | Under ISSA 5000, on information produced by a certified system whose components have been independently verified. |
Never | Assure the report first, then build the system | The assurance findings will describe the absence of the system. The organisation will have paid to be told what it already knew. |
5. What certification says that assurance cannot
Consider two reporters in the same sector, publishing in the same year. Both hold a clean limited assurance conclusion under ISSA 5000. Their conclusions are, in form and substance, indistinguishable.
The first assembled its sustainability data in the eight weeks before publication, from spreadsheets maintained by people with other jobs, against a materiality assessment performed by consultants in 2024 and never revisited. Its practitioner obtained an understanding of internal control, as required, and did not test whether any control operated, as permitted.
The second operated a management system certified against a published sustainability management system standard by an accredited certification body. Its obligations register is current. Its materiality determination is minuted and evidenced. Its data lineage is documented. Its controls over sustainability reporting were tested during the period by a certification body with no advisory relationship to the company, and the certificate was maintained through surveillance.
The two conclusions are identical. The two organisations are not, and every sophisticated reader of a sustainability report now knows to look past the conclusion for the difference.
What the second reporter can say, and the first cannot:
That an independent, accredited third party examined whether its sustainability management system operated throughout the period, not merely whether its report was misstated at the end of it.
That its determination of material topics was governed, evidenced and subject to independent examination — the layer that an ISSA 5000 practitioner is required to evaluate and that most reporters cannot support.
That its internal controls over sustainability reporting were tested for operating effectiveness by somebody, notwithstanding that limited assurance did not require it.
That the party which examined its system had no role in building it.
None of these statements is available for purchase at the end of a reporting period. Each of them is a description of what the organisation did during the year.
6. Where Speeki Meridian™ fits
Speeki Meridian™ is certification against SPK CSMS1000:2026, performed by Speeki as an accredited certification body. Speeki does not provide consulting services; the independence obligations that accreditation imposes are the reason it has never built an advisory practice. Details of Speeki's accreditations and their scope are published at speeki.com and should be treated as the authoritative source.
The claim being made for it here is deliberately narrow. Meridian does not assure a report; Speeki Guardian® does that under ISSA 5000. Meridian does not verify a GHG inventory; the Speeki Lens Suite™ does that under ISO/IEC 17029. Meridian certifies that a sustainability management system conforming to a published standard exists and operated.
That is the layer this paper argues has become decisive — not because certification is more rigorous than assurance, but because the assurance conclusion has been fixed by legislation at a level that cannot express the difference between a company that manages its sustainability performance and one that reports on it.
THE ONE-LINE VERSION
The opinion is now a commodity. The system beneath it is not.
Questions this paper answers
What is the difference between certifying a management system and assuring a report?
Certification, governed by ISO/IEC 17021-1, examines whether a management system conforming to a published standard exists and operated during a defined period, and is performed by an accredited certification body. Assurance, governed by ISSA 5000, examines whether reported sustainability information is materially misstated against suitable criteria, at a limited or reasonable level. Certification asks whether a system was working. Assurance asks whether a report is wrong. They are complementary rather than alternative.
Does a limited assurance engagement test whether internal controls operated?
No. In a limited assurance engagement the practitioner obtains an understanding of internal control relevant to the preparation of the sustainability information, but is not required to test its operating effectiveness. Testing of controls where reliance is placed on them is a feature of reasonable assurance. Since the Omnibus I directive removed the legislated pathway to reasonable assurance under the CSRD, controls testing is not part of the mandatory engagement for any European reporter.
Why does a certified management system matter now more than it did before?
Because the assurance conclusion has become uniform. The Omnibus I directive confirmed limited assurance as the permanent CSRD requirement and removed the escalation to reasonable assurance. Every prepared reporter will therefore hold a conclusion in the same negative construction under the same standard. The conclusion no longer differentiates. The independently certified quality of the system that produced the information is the principal remaining lever.
What is SPK CSMS1000:2026?
SPK CSMS1000:2026 is Speeki's corporate sustainability management system standard. It comprises 56 clauses covering the obligations register, the assessment of impacts, risks and opportunities, the double materiality determination and its governance, material topic accountability, objectives and targets, internal controls over sustainability reporting, greenhouse gas, circularity and energy requirements, governance, and periodic effectiveness review. Certification against it is performed through Speeki Meridian™.
Is a sustainability management system the same as ISO 14001?
No. ISO 14001 specifies requirements for an environmental management system. It does not address the determination and governance of material topics for sustainability reporting, the double materiality assessment, internal controls over reported non-financial information, or the register of non-financial obligations across the organisation. An organisation holding ISO 14001 has certified its environmental management, not its sustainability reporting system.
In what order should certification, verification and assurance be obtained?
Certify the management system first, because it establishes the obligations register, the materiality governance and the control environment, and because surveillance corrects failures while the reporting period is still running. Verify the topic-specific claims second, under ISO/IEC 17029. Assure the report last, under ISSA 5000, on information produced by a certified system whose components have been independently verified. Obtaining assurance first produces findings that describe the absence of the system.
Should a company that has fallen out of CSRD scope still certify its system?
The argument is stronger, not weaker. An out-of-scope company's disclosures are now voluntary claims carrying no statutory weight, judged entirely on the credibility of the system behind them, at a time when banks, insurers, index providers and strategic customers continue to rely on those disclosures. Certification of the underlying system is the only independent evidence such a company can offer that its voluntary claims are produced by a controlled process.
References and sources
Directive (EU) 2026/470 (the Omnibus I directive), published in the Official Journal on 26 February 2026, in force 18 March 2026; Member State transposition deadline 19 March 2027. Narrows CSRD scope to undertakings above 1,000 employees and €450 million net turnover; confirms limited assurance as the permanent requirement; removes the escalation pathway to reasonable assurance; postpones an EU limited assurance standard to no later than 1 July 2027; introduces the value chain cap.
IAASB, International Standard on Sustainability Assurance (ISSA) 5000, General Requirements for Sustainability Assurance Engagements, issued November 2024; effective for periods beginning on or after 15 December 2026. Addresses limited and reasonable assurance, with requirements differentiated between the two levels.
IESBA, International Ethics Standards for Sustainability Assurance (including International Independence Standards), issued January 2025; generally effective from 15 December 2026.
ISO/IEC 17021-1:2015, Conformity assessment — Requirements for bodies providing audit and certification of management systems.
ISO/IEC 17029:2019, Conformity assessment — General principles and requirements for validation and verification bodies.
ISO 14001:2015, Environmental management systems — Requirements with guidance for use.
SPK CSMS1000:2026, Corporate Sustainability Management System — Requirements. Speeki.
Speeki, The Non-Financial Audit Function (Whitepaper Series 1, Paper 01) and What ESG Report Assurance Actually Requires (Whitepaper Series 2, Paper 07), July 2026.
About Speeki
Speeki is an accredited ESG assurance and certification body operating in more than 100 countries. Speeki provides management system certification, verification and validation, and sustainability assurance. Speeki does not provide consulting services. Its independence is structural.
For current details of Speeki's accreditations and their scope, please refer to speeki.com.
© 2026 Speeki. This paper is provided for general information and does not constitute legal, accounting or assurance advice.