Quick Read

Reasonable assurance engagements require assurance providers to evaluate the design and operating effectiveness of internal controls over sustainability reporting—a substantially more demanding standard than limited assurance, which focuses primarily on testing reported figures. Organisations with a certified SPK CSMS1000:2026 and documented internal controls over sustainability reporting (ICSR) can reduce the scope and cost of reasonable assurance engagements and achieve higher assurance outcomes than those relying on substantive testing alone. A functioning CSMS and external assurance are mutually reinforcing: the system creates the control infrastructure that assurance providers need to assess, while assurance validates the system's design and operating effectiveness.

Executive Summary

The transition from limited to reasonable assurance for sustainability reporting is underway — driven by CSRD's assurance pathway and by investor and regulatory expectations in multiple markets. Reasonable assurance is a substantively more demanding engagement than limited assurance, requiring assurance providers to assess the design and operating effectiveness of internal controls, not just test reported figures. Organisations without a functioning sustainability management system, defined ICSR controls, and tested governance processes will find reasonable assurance engagements significantly more difficult, more expensive, and more likely to produce significant findings.

This paper explains what reasonable assurance requires that limited assurance does not, how SPK CSMS1000:2026 certification creates the management infrastructure that supports both assurance levels, and why a certified CSMS and external assurance are more effective together than either alone.

A sustainability report assured at reasonable assurance level from an organisation without a certified CSMS is a thoroughly verified output of an unverified system. The report may be accurate. The system that produced it has not been independently evaluated. These are different propositions with different credibility for sophisticated stakeholders.

1. Limited vs Reasonable Assurance — What Changes

Limited assurance engagements — conducted under ISSA 5000 or AA1000AS — primarily involve analytical procedures and targeted testing of reported figures. The assurance provider asks: are the reported numbers consistent with the underlying data, and is the methodology applied consistently? The evidence base is primarily documentary, the sample is targeted, and the conclusion is expressed in negative terms ('nothing has come to our attention...').

Reasonable assurance is a fundamentally different engagement. The assurance provider must obtain sufficient appropriate evidence to reduce assurance risk to an acceptably low level — the same standard applied in financial audit. This requires: assessment of the design of internal controls (are ICSR controls designed to address the risks they are intended to address?); testing of operating effectiveness (did the ICSR controls operate as designed throughout the reporting period?); more extensive substantive testing of reported figures; and assessment of governance over the sustainability reporting process.

An organisation without documented ICSR controls has nothing for the assurance provider to assess in terms of control design. This typically results in extensive substantive testing — more testing per data point, across more data points — which is both time-consuming and expensive. And even with extensive substantive testing, the assurance provider cannot obtain the same level of assurance from substantive testing alone as from a combination of controls testing and substantive testing.

2. What SPK CSMS1000:2026 Provides for Assurance Readiness

2.1 ICSR controls (Clause 10.4)

The ICSR requirement is the most direct enabler of assurance readiness. Documented data collection procedures, calculation methodology documentation, independent validation processes, and reconciliation controls provide the assurance provider with a controls framework to assess. Where controls are well-designed and operating effectively, the assurance provider can place reliance on them and reduce substantive testing accordingly — reducing engagement time and cost.

2.2 Governance over sustainability reporting (Clause 7.5)

Reasonable assurance engagements under ISSA 5000 require the assurance provider to understand and evaluate the governance over the sustainability reporting process. The governing body governance requirements of SPK CSMS1000:2026 — direct access, active oversight, competence — provide the governance framework that the assurance provider needs to see. Organisations without these governance structures will receive findings about governance gaps.

2.3 Management review inputs (Clause 12.3)

The three-level management review — including governing body review of sustainability data quality — provides documented evidence of governance over the reporting process. This is directly relevant to the assurance provider's evaluation of governance. An organisation that can provide minutes of governing body discussions about sustainability data quality, including questions asked and actions directed, provides stronger governance evidence than one that can only demonstrate that sustainability appeared on the agenda.

3. The Complementary Relationship

Speeki Meridian™ certification and Speeki Guardian® ESG report assurance are designed to be complementary. Speeki Meridian™ certifies the management system. Speeki Guardian® assures the report the management system produces. They answer different questions and provide different evidence — but together they provide end-to-end credibility that neither provides alone.

The practical benefit: organisations that pursue Speeki Meridian™ certification before or alongside Speeki Guardian® ESG report assurance will consistently find that the assurance engagement is more efficient. The ICSR controls assessed during the Speeki Meridian™ engagement are available for the Speeki Guardian® ESG report assurance team to rely upon, reducing duplicate work. The governance assessed during the Speeki Meridian™ engagement provides context that informs the Speeki Guardian® engagement scope and approach.

For organisations that are building toward reasonable assurance, the sequencing is clear: build the management system first (or in parallel with the assurance programme), because the management system is the infrastructure that makes reasonable assurance achievable. Starting with reasonable assurance without the management system infrastructure is like attempting to audit financial statements from a company with no internal controls.

Speeki Meridian™ — Auditor Expectations

This paper addresses assurance readiness from the CSMS perspective. Assurance engagements are conducted by Speeki Guardian® — separate from the Speeki Meridian™ certification function. The two products are designed to be complementary but are conducted independently, maintaining the separation between management system certification and sustainability report assurance that is fundamental to the credibility of both. Organisations considering both Speeki Meridian™ and Speeki Guardian® should speak to the Speeki team about sequencing and how the two engagements can be structured to maximise efficiency. Details at speeki.com.

About Speeki

Speeki is an accredited certification body operating across more than 100 countries. Speeki certifies organisations against SPK CSMS1000:2026 through the Speeki Meridian™ certification programme. Speeki is a certification body — it does not provide sustainability consulting or advisory services of any kind.

For current details of Speeki's accreditations, scope of certification, and service offerings, visit speeki.com. You can also ask Nicole AI on the Speeki website to find the information you need.

speeki.com | © Speeki Pte Ltd 2026