Quick Read
Under the Omnibus I directive, reasonable assurance is no longer a legislated requirement but has become a voluntary signal of competitive differentiation, since companies can no longer rely on an escalation pathway to make it mandatory. The distinction between limited and reasonable assurance is not effort but scope: reasonable assurance requires testing whether controls operated, whereas limited assurance does not, and this difference in rigor now carries signalling value precisely because it is no longer required. Companies pursuing reasonable assurance on selective metrics (rather than full statements) can credibly demonstrate control maturity and stakeholder confidence in a way that compliance alone cannot.
IN BRIEF
The Omnibus I directive confirms limited assurance as the permanent CSRD requirement and removes the legislated pathway to reasonable assurance.
ISSA 5000 addresses both limited and reasonable assurance within a single standard, with requirements applying to only one level identified by an "L" or an "R" designator.
In a limited assurance engagement the practitioner obtains an understanding of internal control but is not required to test its operating effectiveness. In a reasonable assurance engagement, controls are tested where reliance is placed upon them.
A limited assurance conclusion is expressed negatively — nothing has come to our attention. A reasonable assurance opinion is expressed positively — in our opinion, the information is fairly stated.
Reasonable assurance should be applied to the two or three metrics on which an external party makes a decision, not to the sustainability statement as a whole.
Executive summary
For several years the sustainability profession has described reasonable assurance as a maturity destination. Obtain limited assurance now; build controls; move to reasonable assurance when the legislation requires it. The framing was accurate, because the legislation was going to require it.
It no longer is. Under the Omnibus I directive, limited assurance is confirmed as the permanent requirement under the CSRD and the escalation pathway to reasonable assurance has been removed. There is no destination. There is a ceiling, and it has been welded shut.
The conventional reading of this is that reasonable assurance has become irrelevant. The opposite is true, and the reason is a point about signalling that the profession has not yet absorbed.
WHY A VOLUNTARY OPINION IS WORTH MORE THAN A MANDATORY ONE
When every company in a market is required to obtain the same conclusion, the conclusion distinguishes nobody. When no company is required to obtain a stronger one, the company that obtains it anyway has communicated something no compliance exercise could communicate: that it was sufficiently confident in its own controls to invite an examination it could have avoided.
This paper sets out precisely what the two levels are and what each licenses a reader to believe, why the signalling value of reasonable assurance rose when its legal status fell, which metrics justify the cost, and which cannot support it at any price.
1. What the two levels actually are
ISSA 5000 addresses limited and reasonable assurance within a single standard. Requirements applying to only one level are identified by an "L" or an "R" designator. Both are legitimate engagements. Both are honest. They authorise entirely different beliefs.
Limited assurance | Reasonable assurance | |
|---|---|---|
The conclusion | Negative. Nothing has come to our attention that causes us to believe the information is materially misstated. | Positive. In our opinion, the information is prepared, in all material respects, in accordance with the criteria. |
Assurance risk | Reduced to a level acceptable in the circumstances of the engagement, but greater than for reasonable assurance. | Reduced to an acceptably low level. |
Procedures | Primarily enquiry and analytical procedures, with limited further procedures where risks of material misstatement are identified. | Risk assessment, understanding of internal control, tests of controls where reliance is placed on them, and substantive procedures. |
Internal control | Understanding obtained. Operating effectiveness not required to be tested. | Understanding obtained. Controls tested where relied upon. |
What the reader may believe | That an experienced independent practitioner performed a defined set of procedures and encountered nothing suggesting material misstatement. | That the information was examined to a depth at which the practitioner will state an affirmative opinion on it. |
What the reader may not believe | That the numbers were tested. That the controls operate. That an error would necessarily have been found. | That the information is certified correct, or that every immaterial error was detected. |
A limited assurance conclusion is a statement about the practitioner's state of knowledge. A reasonable assurance opinion is a statement about the information. Boards routinely receive the first and hear the second.
The distinction is not a matter of effort applied to the same procedures. It is a difference in what is examined. A practitioner performing a limited engagement may reasonably decline to test whether a control operated. A practitioner performing a reasonable engagement, intending to rely on that control, must test it.
2. What Omnibus I did to the signal

Figure 1 — The signal value of a voluntary opinion, and the metrics that justify it.
Consider the position of a company in 2024. It obtains limited assurance because the CSRD requires it. It notes that the Commission is to assess a move to reasonable assurance. It plans a controls programme so that when the requirement arrives it will be ready, perhaps a little early. Being early is a modest signal: it is ahead of a schedule everybody shares.
Now consider the same company in 2026. The escalation pathway has gone. It obtains limited assurance because the CSRD still requires that, and every prepared reporter in its sector obtains an identical conclusion, in the same negative construction, under the same standard. The conclusion differentiates nobody, because it cannot.
If that company now obtains reasonable assurance on its Scope 1 and 2 inventory, it has done something no law requires, no competitor must match, and no regulator will ever thank it for. The only reason to do it is that the company believes its controls will withstand testing, and wants a third party to say so in a positive opinion.
The signal, decoded
A required assurance report proves that a company obeyed the law.
A voluntary one proves that a company was confident enough in its own numbers to invite examination it could have avoided.
The second proposition is the only thing a lender, an insurer or a strategic customer actually wants to know, and no mandatory regime has ever been able to communicate it.
THE COROLLARY NOBODY ENJOYS
A company that declines reasonable assurance on its most externally relied-upon metric, when a competitor obtains it, has also communicated something. The signal runs both ways, and once one company in a sector escalates, the absence of escalation becomes information.
3. A decision framework: which metrics
Reasonable assurance is expensive, and applied to a whole sustainability statement it is prohibitively so. It is also, applied to most of the statement, unobtainable at any price, because no evidence exists on which a practitioner could form a positive opinion.
The framework is therefore not "are we mature enough?" It is "which numbers does somebody outside the company make a decision on?"
Category | Examples | Why |
|---|---|---|
Escalate | The covenant metric in a sustainability-linked facility. Scope 1 and Scope 2 inventory. The safety figure cited in tenders. | Someone external acts on these. A lender prices credit. A customer awards a contract. The number determines money. |
Consider later | Circularity performance under ISO 59020. Verified Scope 3 categories. Water and waste intensity. | Reliance is growing and controls are maturing, but nothing is priced on them yet. Verify now; escalate when somebody starts acting on them. |
Do not escalate | Forward-looking targets. Transition plans. Estimated Scope 3 categories. | No evidence exists on which a positive opinion could be formed. A target is not, at the date of assertion, susceptible to evidence. An estimate has no source to test. |
The third row is worth dwelling on, because organisations under pressure to demonstrate rigour sometimes ask for reasonable assurance over precisely these items. A practitioner cannot provide it. What they can examine is whether a target is supported by a plan, whether the plan is internally coherent, and whether the base year data is accurate. None of that is an opinion on whether the target will be met.
Reasonable assurance is not a maturity badge to be worn across the whole statement. It is an expensive, targeted instrument applied to the two or three numbers on which somebody outside the company makes a decision.
4. What escalation actually requires
A company that decides to escalate one metric will discover that the decision was the easy part.
Controls that operated during the period. Not described. Operated, with evidence, before the practitioner arrived. Where reliance is placed on a control, it will be tested, and a control that was designed in October cannot be tested for March.
Data lineage from source system to disclosed figure. Documented, per metric, with named process owners who can produce evidence without escalation.
An estimation methodology, where estimation is involved. Consistently applied, documented at the time, reviewed by somebody other than its author.
A boundary that does not move. Restatement policy in place. Comparatives explained. An acquisition mid-period is not a reason to change the consolidation approach quietly.
At least one prior cycle of verification. Escalating to a positive opinion on a number that has never been independently examined at any level is a request to discover, in public, what one would have preferred to discover privately.
THE REALISTIC TIMELINE
Two cycles. In the first, build the controls and verify the metric. In the second, escalate. A company attempting to escalate in a single cycle is usually a company that has been told by its adviser that its controls are adequate, by an adviser who will not be testing them.
5. What to tell the board
Three propositions, in this order, and the third is the one that changes the decision.
Every prepared competitor will hold an identical limited assurance conclusion. It is the permanent CSRD requirement, expressed negatively, on a bounded scope, without controls testing. It will not differentiate this company from any other.
Nothing will ever require more. The escalation pathway was removed on 18 March 2026. There is no future date on which the bar rises. Any increase in the credibility of our disclosures must be a decision, not a compliance event.
Our lender, our largest customer and our insurer each act on a specific number. Name them. For each, ask whether a negative conclusion on a bounded scope, without controls testing, is what we want that party relying upon when the number turns out to be wrong.
The third proposition is where the conversation stops being about assurance and starts being about exposure. A sustainability-linked loan margin ratchet turns on a KPI that received limited assurance. The interest expense it determines sits in financial statements that received reasonable assurance. The company has permitted a number examined to the weaker standard to determine a number examined to the stronger one.
Wherever a number assured to a limited level determines a number assured to a reasonable level, the reasonable assurance is only as good as the limited assurance beneath it.
6. Where Speeki Guardian® fits
Speeki Guardian® provides sustainability assurance under ISSA 5000, at limited or reasonable level, performed by Speeki as an accredited body. Speeki does not provide consulting services; details of its accreditations and their scope are published at speeki.com.
The relevance to escalation is specific. Reasonable assurance requires the practitioner to test controls where reliance is placed upon them. A practitioner who designed those controls cannot test them, and a company seeking a positive opinion on a metric its assurance provider helped it construct is seeking a document rather than an opinion.
Guardian will decline to escalate where the evidence does not support it. That is not a limitation of the engagement. It is the engagement.
Questions this paper answers
What is the difference between limited and reasonable assurance?
In a limited assurance engagement the practitioner performs primarily enquiry and analytical procedures, obtains an understanding of internal control without being required to test its operating effectiveness, and expresses a negatively worded conclusion that nothing has come to their attention. In a reasonable assurance engagement the practitioner performs risk assessment, tests controls where reliance is placed on them, performs substantive procedures, and expresses a positive opinion. ISSA 5000 addresses both, with requirements applying to only one level identified by an L or R designator.
Is reasonable assurance still required under the CSRD?
No. The Omnibus I directive confirms limited assurance as the permanent requirement and removes the legislated pathway that would have escalated it to reasonable assurance. There is no future date on which the mandatory bar rises. Reasonable assurance is now available only voluntarily.
Why is a voluntary assurance opinion worth more than a mandatory one?
Because when every company in a market is required to obtain the same conclusion, the conclusion distinguishes nobody. A required assurance report proves a company obeyed the law. A voluntary one proves the company was confident enough in its own numbers to invite an examination it could have avoided. The second proposition is what a lender, insurer or strategic customer actually wants to know, and no mandatory regime has ever been able to communicate it.
Which metrics should receive reasonable assurance?
The two or three on which somebody outside the company makes a decision: the covenant metric in a sustainability-linked facility, the Scope 1 and Scope 2 inventory, the safety figure cited in tenders. Circularity performance, verified Scope 3 categories and water metrics are candidates for later, when external parties begin acting on them. Forward-looking targets, transition plans and estimated Scope 3 categories cannot receive reasonable assurance at any price, because no evidence exists on which a positive opinion could be formed.
Can a company obtain reasonable assurance on its net-zero target?
No. A target is not, at the date of assertion, susceptible to evidence. A practitioner can examine whether the target is supported by a plan, whether the plan is internally coherent, and whether the base year data is accurate. None of that constitutes an opinion on whether the target will be met, and no practitioner will express one.
What does escalating to reasonable assurance require?
Controls that operated during the period, with evidence, because a control designed in October cannot be tested for March. Documented data lineage from source system to disclosed figure, with named process owners. A documented and consistently applied estimation methodology reviewed by somebody other than its author. A stable boundary with a restatement policy. And at least one prior cycle of verification, because escalating to a positive opinion on a number never independently examined is a request to discover in public what one would prefer to discover privately. Two cycles is the realistic timeline.
Why does the assurance level matter for a sustainability-linked loan?
Because the KPI determining the margin ratchet receives limited assurance — a negative conclusion on a bounded scope, without controls testing — while the interest expense it determines sits in financial statements that received reasonable assurance. Wherever a number assured to a limited level determines a number assured to a reasonable level, the reasonable assurance is only as strong as the limited assurance beneath it.
References and sources
IAASB, ISSA 5000, General Requirements for Sustainability Assurance Engagements, issued November 2024; effective for periods beginning on or after 15 December 2026. Addresses limited and reasonable assurance, with requirements applying to only one level identified by an "L" or an "R" designator.
Directive (EU) 2026/470 (the Omnibus I directive), in force 18 March 2026 — confirming limited assurance as the permanent CSRD requirement, removing the escalation pathway to reasonable assurance, and postponing an EU limited assurance standard to no later than 1 July 2027.
Accountancy Europe, Omnibus explained: key changes to the CSRD and CSDDD, 2026.
IESBA, International Ethics Standards for Sustainability Assurance (including International Independence Standards), issued January 2025; generally effective from 15 December 2026.
ISO/IEC 17029:2019, Conformity assessment — General principles and requirements for validation and verification bodies.
Speeki, What ESG Report Assurance Actually Requires (Series 2, Paper 07); The System Beneath the Opinion (Series 3, Paper 12); The Boundary Nobody Owns (Series 1, Paper 06), July 2026.
About Speeki
Speeki is an accredited ESG assurance and certification body operating in more than 100 countries. Speeki provides management system certification, verification and validation, and sustainability assurance. Speeki does not provide consulting services. Its independence is structural.
For current details of Speeki's accreditations and their scope, please refer to speeki.com.
© 2026 Speeki. This paper is provided for general information and does not constitute legal, accounting or assurance advice.