Quick Read
Under ISSA 5000, ESG assurance engagements examine far more than reconciling numbers to source documents—they require practitioners to evaluate the governance of the reporting process itself, including how materiality was determined and what was deliberately excluded from disclosure. The engagement operates across five layers, beginning with reporting governance and proceeding through double materiality assessment, data systems, value chain boundaries, and finally the disclosed information, meaning substantive preparation work must occur months before publication, not in the final weeks. Limited assurance provides a lower level of confidence than reasonable assurance and licenses readers only to conclude that nothing has come to the practitioner's attention suggesting the information is materially misstated.
IN BRIEF
ISSA 5000 is effective for assurance engagements on sustainability information reported for periods beginning on or after 15 December 2026, or as at a specific date on or after that date, with early application permitted.
ISSA 5000 is a standalone standard. Practitioners applying it are not required also to apply ISAE 3000 (Revised), which is withdrawn for sustainability assurance engagements from the effective date, as is ISAE 3410.
ISSA 5000 addresses both limited and reasonable assurance, with requirements differentiated by an "L" or "R" designator. In a limited assurance engagement the practitioner obtains an understanding of internal control but is not required to test its operating effectiveness.
Where the applicable reporting framework requires double materiality, the practitioner must evaluate the entity's materiality process — including whether material sustainability matters were omitted.
Following the Omnibus I directive, limited assurance is the permanent requirement under the CSRD. The legislated pathway to reasonable assurance has been removed, and an EU limited assurance standard is to be adopted no later than 1 July 2027.
Executive summary
Ask a sustainability team what happens during an assurance engagement and the answer will describe a reconciliation. The practitioner requests supporting documents. The team produces them. Numbers are traced from the report to a spreadsheet, and from the spreadsheet to an invoice or a meter reading. Where a discrepancy is found, it is corrected. At the end, a conclusion is issued.
This is a description of the final week of an engagement, mistaken for the engagement.
What an ISSA 5000 practitioner is actually required to do begins several layers below the report. It begins with the governance of the reporting process: who determined what was material, on what evidence, with what oversight, and whether they were competent to make the determination. It proceeds through the double materiality assessment, and where the applicable framework requires double materiality, the practitioner must satisfy themselves that significant sustainability matters have not been overlooked by the entity's own assessment. Only then does it reach the systems that produced the data, the boundary at which value chain evidence stops being obtainable, and — last — the disclosed information itself.
THE CONSEQUENCE
An entity can correct a number in the week before publication. It cannot retrospectively construct a materiality process, a governance record, or a control that was supposed to operate in March. The engagement is largely decided before the practitioner arrives, and the practitioner's principal finding is often about a process the entity did not know was in scope.
This paper sets out the five layers the engagement examines, the precise difference between limited and reasonable assurance and what each licenses a reader to believe, the evidence problem the Omnibus I value chain cap has created, and the eleven things to have in place before the engagement letter is signed.
1. The five layers of an engagement

Figure 1 — What companies think is in scope, and what ISSA 5000 actually examines.
Read the figure from the bottom. Layer 1 is where engagements are won and lost, and it is the layer that appears in no project plan.
Layer 1 — Governance of the reporting process
Sustainability assurance under ISSA 5000 was designed for a world in which sustainability information is prepared by people who are not accountants, using systems not designed for reporting, under criteria that permit substantial judgement. The standard's response is to require the practitioner to understand the entity, its environment, the applicable criteria, and the entity's process for preparing the information — including the oversight exercised over that process.
This means the practitioner will ask who signed off the material topics, on what basis, and whether that person had the authority and the information to do so. It means the minutes of the committee that approved the materiality assessment are audit evidence. It means that if the assessment was performed by a consultancy and adopted without challenge, that is a finding about governance, not a compliment about rigour.
Layer 2 — The double materiality assessment
This is the layer companies are least prepared for, because they have understood the materiality assessment as a scoping exercise conducted before the report, rather than as a disclosure subject to examination after it.
Not every reporting framework requires double materiality. Where the framework does require it — as the ESRS do — the practitioner is required to assess the entity's double materiality determination and to consider whether significant sustainability matters have been overlooked. Impact materiality, the "inside out" perspective, is the harder half: it rests on qualitative evidence and demands substantial practitioner judgement as to the nature and extent of evidence required. A matter needs to be material from only one of the two perspectives to require disclosure.
The materiality assessment is the only part of a sustainability report that determines what is in every other part of it. It is also the only part most companies have never subjected to a control.
The practical exposure is asymmetric. If a company discloses a topic that turns out to be immaterial, it has wasted effort. If it omits a topic that was material on an impact basis, the practitioner is required to consider whether the omission causes the information to be materially misstated — and the omission is the kind of matter that later appears in an enforcement notice.
Layer 3 — The value chain evidence boundary
Sustainability information is unusual among assurance subject matters in that the majority of the most material data is generated by parties the reporting entity does not control. Scope 3 emissions, supplier labour conditions, and upstream water and biodiversity impacts all originate outside the reporting boundary.
The Omnibus I directive has now made a portion of that data lawfully unobtainable. Undertakings in the value chain with fewer than 1,000 employees — "protected undertakings" — have a legal right to refuse information requests that go beyond the forthcoming voluntary standard for SMEs. Assurance providers must satisfy themselves that reported data was obtained in compliance with these restrictions; failure to do so could raise questions about the validity of the report.
This creates an evidence position with no equivalent in financial audit. The practitioner must form a conclusion on information that includes material amounts which, as a matter of law, could not be corroborated at source. What can be examined is the entity's own control over estimation: whether the estimation methodology is documented, consistently applied, disclosed as an estimate, and reviewed by someone other than its author.
Layer 4 — Systems and controls
Here the difference between limited and reasonable assurance becomes operative, and section 2 addresses it directly. In both engagements the practitioner obtains an understanding of internal control relevant to the preparation of the sustainability information. In a reasonable assurance engagement, where the practitioner intends to rely on controls, those controls are tested. In a limited assurance engagement, they are not required to be.
Layer 5 — The disclosed information
The reconciliation the sustainability team was expecting. It is real, it is necessary, and it is the last five per cent of the work.
2. Limited and reasonable assurance: what each licenses
ISSA 5000 addresses both levels within a single standard, with requirements applying to only one level identified by an "L" or an "R" designator. Both are legitimate. Both are honest. They authorise entirely different beliefs.
Limited assurance | Reasonable assurance | |
|---|---|---|
Form of conclusion | Negative. Nothing has come to our attention that causes us to believe the information is materially misstated. | Positive. In our opinion, the information is prepared, in all material respects, in accordance with the criteria. |
Risk | Assurance risk is reduced to a level that is acceptable in the circumstances of the engagement, but greater than for reasonable assurance. | Assurance risk is reduced to an acceptably low level. |
Procedures | Primarily enquiry and analytical procedures, with limited further procedures where risks of material misstatement are identified. | Risk assessment, understanding of internal control, tests of controls where reliance is placed on them, and substantive procedures. |
Internal control | Understanding obtained. Operating effectiveness not required to be tested. | Understanding obtained. Controls tested where relied upon. |
What the reader may believe | That an experienced, independent practitioner performed a defined set of procedures and did not encounter anything that suggested material misstatement. | That the information has been examined to a depth at which the practitioner is prepared to state an affirmative opinion on it. |
What the reader may not believe | That the numbers were tested. That the controls operate. That an error would necessarily have been found. | That the information is certified correct, or that every immaterial error was detected. |
Status under the CSRD after Omnibus I | The permanent requirement. | No longer a legislated destination. Available only voluntarily. |
The final row is the strategic fact of this paper. Under the original CSRD architecture, limited assurance was a transitional state and the Commission was to assess a move to reasonable assurance. The Omnibus I directive confirms limited assurance as the final requirement and removes that escalation pathway. An EU limited assurance standard is to be adopted no later than 1 July 2027, with alignment to ISSA 5000 anticipated.
What this means commercially
Every CSRD reporter will publish the same form of conclusion, in the same negative construction, from providers applying the same standard. The conclusion will not differentiate one reporter from another, because it cannot.
Differentiation is available only below the conclusion: in the certified maturity of the management system that produced the information, and in whether the entity voluntarily obtained reasonable assurance on any part of it.
A QUESTION WORTH PUTTING TO YOUR BOARD If every company in your sector will hold an identical limited assurance conclusion by 2028, what will a lender, an insurer or a strategic customer use to tell you apart? |
3. Definitions the engagement turns on
Term | Definition |
|---|---|
Sustainability information | Information about sustainability matters, prepared under a reporting framework or other suitable criteria. Under ISSA 5000 this includes greenhouse gas statements, which is why ISAE 3410 is withdrawn from the standard's effective date. |
Suitable criteria | The framework against which the information is prepared and evaluated. The ESRS are suitable criteria for CSRD reporting. Criteria that are entity-developed must be evaluated by the practitioner for suitability. |
Double materiality | The determination that a sustainability matter is material from a financial perspective, an impact perspective, or both. A matter material from only one perspective requires disclosure. |
Impact materiality | The "inside out" perspective: the entity's actual and potential impacts on people and the environment. Rests substantially on qualitative evidence and practitioner judgement. |
Protected undertaking | Under the Omnibus I directive, an undertaking in the value chain below 1,000 employees, entitled to refuse information requests exceeding the voluntary SME standard. |
Value chain cap | The limitation on what a reporting entity may request from protected undertakings. Assurance providers must consider whether value chain data was obtained in compliance with it. |
4. Where engagements actually fail
Across sustainability assurance engagements, findings cluster in a small number of places, and none of them is arithmetic.
The materiality process is undocumented. A workshop was held. Slides exist. There is no record of which matters were considered and rejected, on what evidence, or by whom. The practitioner cannot evaluate whether significant matters were overlooked, because the entity cannot evidence what it considered.
The materiality assessment was performed by the entity's advisers. Not fatal in itself, but it converts a governance question into an independence question, and it means nobody inside the entity can explain the judgements when asked.
Scope 3 estimation methodology is undisclosed or inconsistent. Spend-based factors in one category, supplier-specific in another, industry average in a third, with no documented basis for the choice and no disclosure that the figure is an estimate of a particular character.
Controls are described but not operated. A control matrix exists, drafted for the assurance engagement, describing controls that were not in place during the reporting period. In a limited engagement this may go untested; it will still be visible, and it is worse than having no matrix.
Prior period comparatives were restated silently. Emissions baselines move. Boundaries change with acquisitions. Where restatement is not disclosed and explained, the comparability of the entire series fails.
The narrative is not supported by the data. Sustainability statements contain assertions of progress, leadership and improvement that are not reducible to the disclosed figures. These are within the assurance scope, and they are frequently the assertions most likely to attract a green claims action.
Value chain data was obtained outside the cap. New, and about to become common. A reporter that has extracted data from a protected undertaking beyond the permitted scope has a disclosure supported by evidence that should not have been provided.
5. Eleven things to have before the engagement letter is signed
# | Have this | Because |
|---|---|---|
1 | A dated, minuted record of the double materiality assessment, listing matters considered, matters rejected, the evidence for each, and the approver | The practitioner must evaluate whether significant matters were overlooked. Slides are not evidence of a process. |
2 | A stakeholder engagement record supporting the impact materiality conclusions | Impact materiality is qualitative. Its evidence is who you asked and what they said. |
3 | A written statement of the criteria applied, including any entity-developed criteria | The practitioner must evaluate whether the criteria are suitable. |
4 | Data lineage documentation from source system to disclosed figure, for every material metric | This is the artefact that determines whether the engagement takes six weeks or sixteen. |
5 | A control matrix describing controls that actually operated during the period, with evidence of operation | A matrix drafted for the engagement is a finding, not a mitigation. |
6 | A documented Scope 3 estimation methodology, applied consistently, with the basis for each category's approach | Inconsistent estimation without documented rationale is the single most common cause of qualification. |
7 | A register of value chain data requests showing which counterparties are protected undertakings | Practitioners must consider whether data was obtained in compliance with the value chain cap. |
8 | A restatement policy and a record of any restatement of prior period figures, with reasons | Silent restatement breaks the comparability of the series and is visible to the practitioner immediately. |
9 | Substantiation files for every qualitative assertion of progress or leadership in the narrative | Narrative is in scope. Marketing language without substantiation is the raw material of a green claims action. |
10 | A conflicts declaration confirming that the assurance provider has no advisory relationship with the entity | The IESBA's ethics and independence standards for sustainability assurance are effective from 15 December 2026. |
11 | A named individual accountable for each material metric, available to the practitioner | Where evidence has no owner, the engagement stalls, and the stall is itself the finding. |
THE EIGHT-WEEK RULE
Items 1, 2, 3, 5 and 6 cannot be created in the eight weeks before publication. They are records of decisions and controls that either existed during the reporting period or did not. Everything else on this list can be assembled late. These five cannot, and they are the five the practitioner examines first.
6. What a clean conclusion is worth
There is a version of this paper that ends by urging companies to prepare thoroughly so that they obtain a clean limited assurance conclusion. It would be a comfortable ending, and it would misstate the position.
A clean limited conclusion is what every prepared reporter will obtain. It is a low bar by design, expressed in the negative, on a bounded scope, under a level of work effort that does not require controls to be tested. It is now, following Omnibus I, the highest bar the CSRD will ever set. Obtaining it distinguishes an organisation from nobody.
When the conclusion is identical across an entire market, the conclusion stops being the message. What produced it becomes the message.
Three things remain available to an organisation that wants its disclosures to be believed rather than merely permitted.
Certify the system, not just the report. A management system certified against a published standard by an accredited body, and re-examined during the period rather than after it, is independent evidence that a process existed. An assurance conclusion resting on a certified system says something an identical conclusion resting on a spreadsheet does not.
Obtain reasonable assurance voluntarily, on something. Not on the whole statement. On the two or three metrics that external parties actually price: the Scope 1 and 2 inventory, the covenant metric, the safety figure. A positive opinion on a material number, obtained voluntarily when no law required it, is the clearest possible statement about an organisation's confidence in its own controls.
Disclose the boundary. State plainly which figures are estimates, which value chain data could not be corroborated, and where the assurance scope ended. Reporters fear this. Readers of reports — the ones who lend money and write insurance — read the absence of it as evasion.
Questions this paper answers
When does ISSA 5000 take effect?
ISSA 5000 is effective for assurance engagements on sustainability information reported for periods beginning on or after 15 December 2026, or reported as at a specific date on or after 15 December 2026. Early application is permitted. From that date ISAE 3000 (Revised) and ISAE 3410 are withdrawn for sustainability assurance engagements, and ISSA 5000 applies as a standalone standard.
Does an assurance engagement examine the materiality assessment?
Yes, where the applicable reporting framework requires double materiality. The practitioner must assess the entity's double materiality determination and consider whether significant sustainability matters have been overlooked by the entity's own assessment. This means the materiality process, its evidence base and its governance are all within the assurance scope — not only the disclosures that resulted from it.
What is the difference between limited and reasonable assurance?
In a limited assurance engagement the practitioner performs primarily enquiry and analytical procedures, obtains an understanding of internal control without being required to test its operating effectiveness, and expresses a negatively worded conclusion that nothing has come to their attention. In a reasonable assurance engagement the practitioner performs risk assessment, tests controls where reliance is placed on them, performs substantive procedures, and expresses a positive opinion. ISSA 5000 addresses both, with requirements applying to only one level identified by an L or R designator.
Is limited assurance still required under the CSRD?
Yes. Following the Omnibus I directive, which entered into force on 18 March 2026, limited assurance remains mandatory for entities within the narrowed CSRD scope. It is now confirmed as the permanent requirement rather than a transitional step, and the legislated pathway to reasonable assurance has been removed. An EU limited assurance standard is to be adopted no later than 1 July 2027.
How does the value chain cap affect an assurance engagement?
The Omnibus I directive gives undertakings in the value chain with fewer than 1,000 employees a legal right to refuse information requests exceeding the voluntary standard for SMEs. Assurance providers must consider whether reported value chain data was obtained in compliance with these restrictions. The practical effect is that a portion of the most material sustainability data — principally Scope 3 emissions and supplier social data — cannot be corroborated at source, and the reporting entity's own estimation controls become the load-bearing element of the disclosure.
What most commonly causes a sustainability assurance engagement to go badly?
Not arithmetic. The recurring findings are an undocumented materiality process, inconsistent Scope 3 estimation methodology without a documented basis, control matrices drafted for the engagement rather than operated during the period, silent restatement of prior period comparatives, and narrative assertions of progress that the disclosed data does not support. Five of these cannot be remediated in the weeks before publication, because they are records of what happened during the reporting period.
If every reporter obtains the same clean limited conclusion, what differentiates them?
Three things, none of which is the conclusion itself. Whether the management system that produced the information is certified against a published standard by an accredited body. Whether the entity has voluntarily obtained reasonable assurance on any material metric. And whether the entity has disclosed plainly which figures are estimates, which value chain data could not be corroborated, and where the assurance scope ended.
References and sources
IAASB, International Standard on Sustainability Assurance (ISSA) 5000, General Requirements for Sustainability Assurance Engagements, approved September 2024, issued November 2024. Effective for assurance engagements on sustainability information reported for periods beginning on or after 15 December 2026, or as at a specific date on or after that date; early application permitted.
IAASB, ISSA 5000 Frequently Asked Questions: Applicability Matters, August 2025 — confirming that ISAE 3000 (Revised) is no longer applicable to sustainability assurance engagements after the effective date of ISSA 5000, and that the IAASB approved the withdrawal of ISAE 3410 in March 2025 with effect from that date.
IAASB, ISSA 5000 Frequently Asked Questions relevant to the European Union, November 2025.
IESBA, International Ethics Standards for Sustainability Assurance (including International Independence Standards), issued January 2025; generally effective for assurance engagements on sustainability information reported for periods beginning on or after 15 December 2026.
Directive (EU) 2026/470 (the Omnibus I directive), in force 18 March 2026; Member State transposition deadline 19 March 2027. Confirms limited assurance as the permanent CSRD requirement, removes the escalation pathway to reasonable assurance, postpones adoption of an EU limited assurance standard to no later than 1 July 2027, and introduces the value chain cap for protected undertakings.
Accountancy Europe, Omnibus explained: key changes to the CSRD and CSDDD, 2026.
European Sustainability Reporting Standards (ESRS), as amended following the Omnibus I directive; sector-specific standards removed.
Speeki, The Non-Financial Audit Function (Whitepaper Series 1, Paper 01), July 2026.
About Speeki
Speeki is an accredited ESG assurance and certification body operating in more than 100 countries. Speeki provides management system certification, verification and validation, and sustainability assurance. Speeki does not provide consulting services. Its independence is structural.
For current details of Speeki's accreditations and their scope, please refer to speeki.com.
© 2026 Speeki. This paper is provided for general information and does not constitute legal, accounting or assurance advice.