What is the standard structure of an independent sustainability assurance statement?

A properly structured independent sustainability assurance statement includes the following elements: (1) Addressee — who the statement is addressed to (typically the board of directors or management); (2) Scope — the specific subject matter assured, including the reporting period, reporting boundaries, and which indicators or disclosures are covered; (3) Criteria — the reporting standards or framework against which the information was assessed (e.g., GRI Standards, ESRS, ISAE 3000); (4) Level of assurance — whether the engagement provides limited or reasonable assurance; (5) Summary of procedures performed — the methodology used, including inquiry, analytical procedures, testing, and site visits; (6) Assurance provider's responsibilities vs. management's responsibilities; (7) Independence declaration — confirmation of the provider's independence from the reporting entity; (8) Qualifications and competence — credentials and accreditation of the assurance provider; (9) Conclusion — the formal assurance opinion or conclusion; and (10) Date, signature, and provider identification.

How should investors and buyers interpret a limited assurance statement on a sustainability report?

Investors and buyers should understand that a limited assurance statement provides moderate confidence that the reported sustainability information is free from material misstatement. The conclusion is expressed in negative form: 'nothing has come to our attention that causes us to believe the information is materially misstated.' This is less rigorous than reasonable assurance (which provides high confidence) but significantly more reliable than unassured data. Key elements to examine include: (1) Scope — what exactly was assured? Some statements cover only selected indicators, not the full report; (2) Criteria — which reporting framework was used? Look for recognised standards like GRI, ESRS, or GHG Protocol; (3) Procedures — were site visits conducted? Was data testing performed? Very limited procedures may indicate a superficial engagement; (4) Exclusions — what was explicitly excluded from the scope? Common exclusions include Scope 3 emissions, forward-looking statements, and narrative disclosures; (5) Emphasis of matter paragraphs — these highlight uncertainties or estimation methods that readers should be aware of; and (6) Provider credentials — is the assurance provider accredited and experienced in sustainability assurance?

What are the red flags to look for in a sustainability assurance statement that indicate poor quality?

Red flags in a sustainability assurance statement include: (1) Very narrow scope — only a few indicators are assured while the company presents the entire report as 'assured'; (2) No reference to recognised assurance standards — the statement does not cite ISAE 3000, ISAE 3410, AA1000AS, or equivalent standards; (3) Vague procedures description — the statement does not explain what the assurance provider actually did; (4) No independence declaration — the provider does not confirm their independence; (5) Provider also prepared the report — the same firm that prepared or consulted on the report is providing assurance, creating a self-review threat; (6) No qualifications disclosed — the provider's credentials, accreditation, or relevant experience are not stated; (7) Boilerplate language — the statement appears generic and not tailored to the specific engagement; (8) Management responsibility section is missing — suggesting unclear accountability; (9) The conclusion is buried in marketing language; and (10) The date of the assurance statement is far removed from the reporting period, suggesting the engagement may have been rushed or an afterthought.

How does a sustainability assurance statement align with GRI Content Index reporting requirements?

The GRI Standards (specifically GRI 2: General Disclosures 2021, Disclosure 2-5) require organisations to describe their external assurance practices, including which parts of the sustainability report have been externally assured, the assurance standards used, the level of assurance obtained, and a link to or reproduction of the assurance statement itself. For GRI 'in accordance' reporting, external assurance is not mandatory but is recommended and must be disclosed if obtained. The assurance statement should reference the GRI Standards as part of the applicable criteria if the report claims GRI compliance. Best practice involves the assurance provider confirming that the GRI Content Index accurately reflects the report content, that material topics have been appropriately identified through the materiality process, and that the disclosed information for each material topic meets the relevant GRI Standard requirements. Many organisations publish the assurance statement as an appendix to their sustainability report and cross-reference it in the GRI Content Index under Disclosure 2-5.

Independent Assurance Statement: What It Is & What It Contains

Q: What is the difference between a clean conclusion, qualified conclusion, and adverse conclusion in sustainability assurance?

In sustainability assurance, a clean (unmodified) conclusion means the assurance provider found no material misstatements in the reported sustainability information — it is fairly stated in accordance with the applicable criteria. A qualified conclusion means the provider found a specific, identified misstatement or limitation on scope, but the issue is not so pervasive as to invalidate the entire report — the conclusion states 'except for' the identified matter, the information is fairly stated. An adverse conclusion means the provider found material misstatements that are pervasive — the sustainability information is materially misstated overall and should not be relied upon. There is also a disclaimer of conclusion, where the provider was unable to obtain sufficient evidence to form any conclusion, typically due to severe scope limitations. The vast majority of published assurance statements contain clean conclusions, but readers should examine the scope and level of assurance carefully, as a clean limited assurance conclusion provides less confidence than a clean reasonable assurance conclusion.

Key Takeaways

An independent assurance statement is the formal output of a sustainability assurance engagement — the equivalent of an audit opinion for ESG data
Every statement should include scope, criteria, level of assurance, procedures summary, independence declaration, and a formal conclusion
Conclusions come in three forms: clean (unmodified), qualified (except-for), and adverse — each carrying different implications
Red flags include narrow scope, missing independence declarations, and the same firm both preparing and assuring the report
Understanding how to read an assurance statement is essential for investors, buyers, and sustainability professionals evaluating ESG credibility

As sustainability reporting becomes regulated and investor-critical, the independent assurance statement is emerging as one of the most important documents in corporate ESG disclosure. Yet many sustainability professionals, investors, and procurement managers do not fully understand what an assurance statement is, what it should contain, or how to evaluate its quality.

This guide provides a comprehensive explanation of independent assurance statements — their purpose, structure, conclusion types, and the practical skills needed to read them critically.

What Is an Independent Assurance Statement?

An independent assurance statement is the formal written conclusion issued by a qualified, independent assurance provider after completing an assurance engagement on an organisation's sustainability report or specific sustainability disclosures.

It serves the same function for sustainability data that an audit opinion serves for financial statements: it tells the reader whether, in the professional judgement of an independent expert, the reported information is fairly stated and free from material misstatement.

Key Characteristics

Independence: The provider has no financial, advisory, or operational relationship with the reporting organisation that could compromise objectivity
Standards-based: The engagement is conducted in accordance with recognised assurance standards (ISAE 3000, ISAE 3410, AA1000AS, or ISSA 5000)
Evidence-based: The conclusion is supported by evidence gathered through structured procedures — not simply a review of the published report
Scope-defined: The statement clearly identifies what was assured and what was not
Formally concluded: The statement contains a formal conclusion in standardised language

What It Is Not

An assurance statement is not:

A validation that the company is "sustainable" or "doing enough"
A guarantee that the data is 100% accurate
A certification or seal of approval
A review of strategy, targets, or ambition
A legal opinion on regulatory compliance

It is a professional conclusion on whether the reported information is fairly stated in accordance with the applicable criteria, to the level of assurance specified.

Who Issues Assurance Statements?

Assurance statements are issued by qualified assurance providers. The market currently includes several types of providers:

Types of Assurance Providers

Provider Type	Standards Commonly Used	Typical Clients
Big 4 accounting firms	ISAE 3000, ISAE 3410	Large listed companies, CSRD-scope entities
Specialist assurance bodies	AA1000AS, ISAE 3000, ISSA 5000	Mid-market, sustainability leaders, voluntary assurance
Certification bodies	ISO 14064-3, ISO 14065, ISAE 3410	GHG verification, carbon credit projects
Boutique consultancies	AA1000AS, custom criteria	SMEs, first-time assurance, sector-specific

Under the CSRD, assurance providers must be either statutory auditors with sustainability assurance qualifications or Independent Assurance Services Providers (IASPs) accredited by national accreditation bodies. This is a significant change that will shape the assurance provider landscape. For guidance on selecting the right provider, see our article on how to choose a sustainability assurance provider.

Standard Structure of an Assurance Statement

A well-structured independent assurance statement follows a standardised format. While there is some variation between providers and standards, the following elements should be present in every statement:

1. Addressee

The statement begins by identifying to whom it is addressed — typically the board of directors, the audit committee, or the management of the reporting organisation. This establishes who the intended users of the statement are.

2. Scope of the Engagement

This is arguably the most critical section. The scope defines:

The specific subject matter assured (e.g., "selected sustainability performance indicators as presented in the 2024 Sustainability Report")
The reporting period covered
The reporting boundaries (which entities, operations, or geographies are included)
Any specific indicators, disclosures, or sections covered
Any explicit exclusions from scope

Readers must pay careful attention to scope. A statement that assures "selected indicators" is very different from one that assures the entire sustainability report.

3. Applicable Criteria

The criteria section identifies the reporting framework or standards against which the information was assessed. Common criteria include:

GRI Standards (2021)
European Sustainability Reporting Standards (ESRS)
GHG Protocol Corporate Standard
IFRS S1/S2 (ISSB Standards)
Company-specific reporting criteria

4. Level of Assurance

The statement must clearly state whether the engagement provides limited assurance or reasonable assurance. This determines the depth of procedures and the form of the conclusion.

5. Management's Responsibilities

This section clarifies that management is responsible for the preparation of the sustainability information, the selection of reporting criteria, and the design of internal controls. The assurance provider does not take responsibility for the data — they evaluate it.

6. Assurance Provider's Responsibilities

This describes the provider's responsibility to plan and perform the engagement in accordance with the applicable assurance standard and to express a conclusion based on the evidence obtained.

7. Summary of Procedures Performed

The statement should describe, at least in summary, what the assurance provider did. Typical procedures include:

Inquiries of management and sustainability personnel
Analytical procedures on sustainability data
Review of documentation and evidence
Testing of data aggregation and calculations
Site visits (if applicable)
Review of internal controls over sustainability data
Comparison of reported data to source records

8. Independence and Competence Declaration

The provider must confirm their independence from the reporting organisation and declare their qualifications, accreditation, and competence to perform sustainability assurance engagements.

9. Conclusion

The formal conclusion is the core output of the statement. Its form depends on the level of assurance and whether any issues were identified. This is explained in detail in the sections below.

10. Date, Signature, and Provider Identification

The statement is dated (typically the date procedures were completed), signed by the engagement leader, and identifies the assurance provider by name, address, and relevant accreditation.

Levels of Assurance: Limited vs Reasonable

The two levels of assurance — limited and reasonable — differ fundamentally in the depth of work performed and the confidence the conclusion provides.

Dimension	Limited Assurance	Reasonable Assurance
Confidence Level	Moderate	High (same as financial audit)
Conclusion Form	Negative: "Nothing has come to our attention..."	Positive: "In our opinion, the information is fairly stated..."
Procedures	Primarily inquiry and analytical procedures	Extensive testing, site visits, corroboration
Evidence	Sufficient to form negative conclusion	Sufficient to form positive opinion
Cost and Effort	Lower	Significantly higher (2-3x limited)
Current Regulatory Default	CSRD (initial), SEC, most jurisdictions	CSRD (planned 2028), India BRSR Core

Conclusion Types: Clean, Qualified, and Adverse

Clean (Unmodified) Conclusion

A clean conclusion means the assurance provider found no material misstatements. The sustainability information is fairly stated in accordance with the applicable criteria. This is the outcome most reporting organisations aim for and the one most commonly issued.

Qualified (Except-For) Conclusion

A qualified conclusion means the assurance provider identified a specific material misstatement or was unable to obtain sufficient evidence on a specific matter, but the issue is not pervasive enough to affect the entire report. The conclusion states that "except for" the identified matter, the information is fairly stated.

Qualifications are relatively rare in published assurance statements, partly because they can be avoided through correction of identified issues before the statement is finalised. When they appear, they signal a specific, identified problem that readers should investigate.

Adverse Conclusion

An adverse conclusion means the assurance provider found material misstatements that are pervasive — the sustainability information as a whole is materially misstated. Adverse conclusions are extremely rare in published reports, because most organisations would correct the issues rather than publish an adverse statement.

Disclaimer of Conclusion

A disclaimer is issued when the assurance provider was unable to obtain sufficient evidence to form any conclusion. This typically results from severe scope limitations — the provider was denied access to records, personnel, or sites needed to perform their procedures. A disclaimer is a serious matter and suggests fundamental problems with the engagement or the organisation's cooperation.

Practical Examples of Conclusion Wording

Limited Assurance — Clean Conclusion

"Based on the procedures performed and the evidence obtained, nothing has come to our attention that causes us to believe that the selected sustainability performance indicators as presented in [Company]'s 2024 Sustainability Report are not prepared, in all material respects, in accordance with the GRI Standards (2021)."

Reasonable Assurance — Clean Conclusion

"In our opinion, the greenhouse gas emissions data presented in [Company]'s 2024 Sustainability Report for Scope 1 and Scope 2 emissions is prepared, in all material respects, in accordance with the GHG Protocol Corporate Standard and the organisation's stated reporting criteria."

Limited Assurance — Qualified Conclusion

"Except for the effects of the matter described in the Basis for Qualified Conclusion paragraph [relating to the inability to verify water consumption data for the [Location] facility due to incomplete metering records], based on the procedures performed and evidence obtained, nothing has come to our attention that causes us to believe that the selected sustainability performance indicators are not prepared, in all material respects, in accordance with the stated criteria."

How Investors and Buyers Interpret Assurance Statements

For investors, lenders, customers, and procurement professionals, the ability to critically evaluate an assurance statement is increasingly important. Here is a structured approach:

Step 1: Check the Scope

Before reading anything else, determine exactly what was assured. Was it the full sustainability report, or only selected indicators? Does it cover all material topics, or just environmental data? Are all entities and operations included, or only certain geographies?

Step 2: Verify the Level of Assurance

Limited assurance is the most common level. If you are comparing two companies, one with limited assurance and one with reasonable assurance, the latter's data carries significantly more weight.

Step 3: Examine the Criteria

Assurance against recognised standards (GRI, ESRS, GHG Protocol) is more meaningful than assurance against "company-specific criteria," which may be less rigorous.

Step 4: Review Procedures

Look at what the provider actually did. Did they visit sites? Did they test data back to source records? Engagements limited to "desk-based review and management inquiry" provide less confidence than those involving substantive testing.

Step 5: Evaluate the Provider

Is the provider accredited? Do they have demonstrated sustainability assurance experience? Are they genuinely independent from the reporting organisation?

Step 6: Read the Conclusion Carefully

Is it clean, qualified, or adverse? Are there emphasis of matter paragraphs that highlight uncertainties? Does the conclusion language match standard ISAE 3000 or AA1000AS wording?

What a Good vs Weak Assurance Statement Looks Like

Element	Strong Statement	Weak Statement
Scope	Full report or all material indicators clearly listed	Vague "selected indicators" without specifying which
Criteria	GRI Standards, ESRS, GHG Protocol cited	No standards referenced or "internal criteria"
Procedures	Detailed: site visits, data testing, source verification	Vague: "review of documentation and discussions"
Independence	Explicit independence declaration with code of ethics reference	No independence statement or buried in footnotes
Conclusion	Standard ISAE 3000 wording, clearly stated	Non-standard wording, mixed with marketing language
Provider info	Named, accredited, experience disclosed	Anonymous or unaccredited provider

Red Flags in Assurance Statements

When reviewing assurance statements — whether as an investor, buyer, board member, or sustainability professional — watch for these warning signs:

Scope Red Flags

Cherry-picked indicators: Only easy-to-verify metrics are in scope, while material topics like Scope 3 emissions, human rights, or supply chain labour practices are excluded
Geographic exclusions: High-risk operations or geographies are excluded from the assurance scope
Forward-looking claims in scope: Targets and commitments presented as assured, when in reality only historical data can be assured

Independence Red Flags

Self-review threat: The assurance provider also prepared or consulted on the sustainability report — a fundamental conflict of interest
No independence declaration: The statement does not explicitly confirm the provider's independence
Long tenure without rotation: The same individual or firm has provided assurance for many years without rotation

Quality Red Flags

Boilerplate language: The statement reads as a generic template with no engagement-specific content
No procedures described: The reader cannot determine what the provider actually did
Missing accreditation: The provider's qualifications and accreditation are not disclosed
Undated or unsigned: The statement lacks a date, signature, or provider identification
Marketing tone: The conclusion is mixed with promotional language about the company's sustainability leadership

GRI Content Index Alignment

For organisations reporting under the GRI Standards, the assurance statement should align with GRI 2: General Disclosures 2021, Disclosure 2-5 (External assurance).

What GRI Requires

Disclosure 2-5 requires organisations to:

Describe the organisation's policy and practice for seeking external assurance
Provide a link to or reproduction of the external assurance statement(s)
Describe what topics, disclosures, or information are covered by external assurance
Describe the relationship between the organisation and the assurance provider

Best Practice Integration

In best practice, the assurance statement and the GRI Content Index should cross-reference each other. The Content Index should indicate which disclosures have been externally assured and reference the statement. The statement should confirm that it covers the specific GRI disclosures identified in the Content Index.

When assurance covers the materiality process (GRI 3: Material Topics), the provider confirms that the organisation has followed a robust process for identifying material topics — adding credibility to the entire report's focus and completeness.

Reading Between the Lines

Experienced readers of assurance statements look beyond the formal conclusion to understand the nuances:

Emphasis of Matter Paragraphs

These paragraphs draw attention to matters that are appropriately presented in the report but that the assurance provider considers important for readers to understand. Common subjects include:

Significant estimation uncertainty (e.g., Scope 3 emissions calculations using industry-average emission factors)
Changes in reporting methodology from previous periods
Restatement of prior year data
Inherent limitations of the subject matter

An emphasis of matter paragraph does not modify the conclusion, but it signals that the reader should exercise judgement when interpreting the assured information.

Other Matter Paragraphs

These highlight matters relevant to the reader's understanding of the engagement itself (as opposed to the subject matter). Common examples include:

Restrictions on use of the statement
The fact that prior year data was assured by a different provider
Inherent limitations of limited assurance procedures

What the Scope Excludes Tells You

Sometimes what is not in the scope of assurance is as informative as what is. If a company's sustainability report covers environmental, social, and governance topics but only the environmental data is assured, readers should question why social and governance disclosures were excluded. If Scope 3 emissions — often the largest emissions category — are excluded from an otherwise comprehensive greenhouse gas assurance, the carbon footprint figures should be interpreted with caution.

Our Approach

Glocert International's assurance statements follow ISAE 3000 and AA1000AS standards with full transparency on scope, procedures, independence, and provider qualifications. We believe an assurance statement should be a clear, honest communication to stakeholders — not a marketing tool. Our statements include detailed procedures descriptions and explicit scope definitions, ensuring readers can make informed judgements about the reliability of the assured information.

Independent Assurance Statement: What It Is and What It Contains

In This Article