In This Article
- An independent ESG assurance statement is a formal document that provides third-party credibility to sustainability disclosures
- The standard structure follows ISAE 3000 (Revised) and includes addressee, scope, criteria, procedures, assurance level, conclusion, and independence declaration
- Procurement teams and investors scan directly for scope coverage, conclusion wording, and qualifications before reviewing ESG data
- ESG rating agencies award higher confidence scores to data backed by external assurance — particularly reasonable assurance
- Weak statements with vague scope, missing criteria references, or boilerplate language erode stakeholder trust rather than building it
What Is an Independent ESG Assurance Statement?
An independent ESG assurance statement is a formal document issued by a qualified third-party practitioner — typically an accredited assurance body or professional services firm — that expresses a conclusion on the reliability of an organization's environmental, social, and governance (ESG) disclosures. Unlike an internal review or management assertion, the statement carries weight because the provider is organizationally, financially, and professionally independent of the reporting entity.
The statement serves multiple audiences simultaneously. Investors use it to gauge the reliability of ESG data feeding into valuations and portfolio decisions. Procurement teams reference it when evaluating supply-chain sustainability claims. ESG rating agencies factor it into confidence scores. Regulators — especially under the EU Corporate Sustainability Reporting Directive (CSRD) — require it as a compliance artefact. And the board itself uses the assurance provider's management letter (a separate, private document) to understand where internal ESG processes need strengthening.
In practice, the assurance statement is the public-facing output of a multi-week engagement that involves planning, evidence gathering, site visits, analytical procedures, and management representations. The statement distils all of that work into a concise, structured document — usually two to four pages — that communicates what was examined, how, and with what result.
Standard Structure of an ESG Assurance Statement
While formatting varies by provider, the substantive elements of an assurance statement are governed by the assurance standard used. Under ISAE 3000 (Revised) — the most widely adopted standard for sustainability assurance engagements — the statement must include the following components in a logical sequence:
- Title and Addressee — who the statement is directed to
- Scope of the Engagement — which disclosures, metrics, or report sections were examined
- Applicable Criteria — the reporting framework against which ESG data was evaluated
- Responsibilities — delineation between management's and practitioner's duties
- Summary of Procedures Performed — the nature and extent of evidence-gathering work
- Level of Assurance — limited or reasonable
- Conclusion — the practitioner's formal finding
- Independence and Quality Management Declaration — confirmation of ethical compliance
- Practitioner's Qualifications — credentials and accreditation references
- Date and Signature — engagement partner sign-off
Each of these elements serves a specific communicative function. Omitting or weakening any one reduces the statement's utility for its intended audiences.
Addressee and Scope
Addressee
The statement is typically addressed to the board of directors, audit committee, or management of the reporting entity. Under CSRD, it may also be addressed to shareholders and stakeholders who rely on the sustainability statement. The addressee signals who commissioned the engagement and who bears primary responsibility for acting on findings.
If the statement is addressed only to management rather than the board or audit committee, some investors interpret this as a lower governance commitment to ESG assurance oversight. Best practice is to address it to the board or audit committee.
Scope Definition
The scope section is arguably the most consequential part of the statement for readers. It defines precisely which ESG metrics, disclosures, or report sections the practitioner examined. Common scope configurations include:
- Full-report assurance: All quantitative and qualitative disclosures in the sustainability report are in scope. This is the broadest — and most expensive — approach.
- Selected-indicator assurance: Specific KPIs such as Scope 1 and Scope 2 GHG emissions, energy consumption, water withdrawal, gender diversity ratios, and lost-time injury frequency rates are individually scoped. This is the most common approach today.
- Topic-specific assurance: An entire disclosure topic — for example, climate-related disclosures aligned to TCFD/ISSB — is in scope, covering both quantitative metrics and qualitative narrative.
- Framework-specific assurance: Assurance over disclosures prepared under a specific framework such as GRI Standards or ESRS, covering all material topics reported under that framework.
A well-drafted scope section specifies the reporting period (e.g., "for the financial year ended 31 December 2024"), the reporting entity and its boundaries (including whether subsidiaries and joint ventures are included), and lists each metric or disclosure by name or reference number. Vague scope language, such as "selected sustainability data" with no indication of which data, undermines the statement's value.
Applicable Criteria and Procedures Performed
Criteria
Criteria are the benchmarks against which ESG data is evaluated. The assurance statement must explicitly name the criteria used, which typically include:
- GRI Standards (2021): The most widely used sustainability reporting framework globally, with disclosure-specific requirements for each ESG topic.
- ESRS (European Sustainability Reporting Standards): Mandatory criteria for CSRD-reporting entities, with detailed data-point requirements across environment, social, and governance topics.
- ISSB/IFRS S1 and S2: Investor-focused standards for sustainability and climate-related disclosures.
- GHG Protocol Corporate Standard: Specific criteria for Scope 1, 2, and 3 greenhouse gas emissions quantification.
- Company-specific criteria: Internally developed measurement methodologies documented in the report's basis of preparation.
When company-specific criteria are used, the statement should describe them in sufficient detail for readers to evaluate their suitability. If the criteria are embedded in the sustainability report itself (e.g., a "Basis of Reporting" appendix), the statement should cross-reference the specific pages or sections.
Responsibilities
The statement delineates two sets of responsibilities. Management is responsible for the preparation of the ESG disclosures in accordance with the applicable criteria, the design and operation of internal controls over ESG data, and the prevention and detection of fraud or errors. The practitioner is responsible for expressing a conclusion based on the evidence obtained, conducting the engagement in accordance with professional standards, and maintaining independence and applying professional scepticism throughout.
This separation is not merely procedural. It establishes that the assurance provider does not prepare, correct, or enhance the ESG data — they evaluate it as presented. Any advisory work must be clearly separated from assurance to maintain independence.
Summary of Procedures
The procedures section describes the nature and extent of evidence-gathering work performed. While practitioners cannot disclose every detail (to maintain audit integrity for future periods), the summary should give readers a clear picture of the engagement's rigour. Typical procedures include:
- Inquiries with management and personnel responsible for ESG data collection and reporting
- Analytical procedures comparing current-period data to prior periods, budgets, or industry benchmarks
- Inspection of documentary evidence supporting reported metrics (e.g., utility invoices, payroll records, waste manifests)
- Recalculation and re-performance of selected computations (e.g., GHG emission factors applied to activity data)
- Site visits to operational facilities to observe data collection processes and verify source data
- Evaluation of the design and operating effectiveness of internal controls over ESG data
- Assessment of the appropriateness of estimation methodologies, conversion factors, and assumptions
- Review of ESG disclosures for consistency with underlying evidence and the applicable criteria
For limited assurance engagements, procedures are primarily inquiry and analytical in nature. For reasonable assurance, they are significantly more extensive and include substantive testing, detailed site visits, and control effectiveness evaluation.
Level of Assurance
The assurance statement must clearly state whether a limited or reasonable level of assurance has been obtained. This distinction is fundamental because it determines the depth of work performed and the form of the conclusion expressed.
Limited Assurance
Limited assurance (sometimes called "moderate assurance" under AA1000AS) involves fewer procedures and results in a negative-form conclusion. The practitioner states that nothing has come to their attention to suggest the data is materially misstated. The evidence threshold is lower — sufficient to identify plausible misstatements through inquiry and analytical procedures, but not to provide positive confirmation of accuracy.
Limited assurance is the current baseline for most ESG assurance engagements globally and is the initial requirement under CSRD for the first wave of reporting entities. It is appropriate for organizations building assurance readiness, for metrics with less mature data infrastructure, or where stakeholder expectations do not yet require the higher standard.
Reasonable Assurance
Reasonable assurance involves extensive procedures — substantive testing, site visits, control testing, and detailed re-performance — and results in a positive-form conclusion. The practitioner states that, in their opinion, the data is fairly stated in all material respects in accordance with the applicable criteria.
Reasonable assurance is equivalent in rigour to a financial statement audit. It is increasingly demanded by institutional investors, required by certain regulations (CSRD will transition to reasonable assurance by 2028), and expected for high-stakes metrics such as Scope 1 and 2 GHG emissions or workplace safety data tied to executive remuneration.
Organizations often obtain reasonable assurance over a subset of critical KPIs (e.g., Scope 1 and 2 emissions, energy consumption) and limited assurance over the remaining metrics. This mixed approach balances cost with stakeholder expectations. The statement must clearly specify which metrics are covered at which level.
Conclusion and Independence Declaration
Conclusion Wording
The conclusion is the single most important sentence in the entire statement. It communicates the practitioner's formal finding and takes one of the following forms:
Unqualified limited assurance conclusion:
"Based on the procedures performed and the evidence obtained, nothing has come to our attention that causes us to believe that the selected sustainability metrics identified in the scope above are not prepared, in all material respects, in accordance with the applicable criteria."
Unqualified reasonable assurance conclusion:
"In our opinion, the selected sustainability metrics identified in the scope above are prepared, in all material respects, in accordance with the applicable criteria."
The difference in wording — negative form versus positive form — directly reflects the depth of evidence obtained. Readers familiar with assurance practice immediately understand the distinction. Those unfamiliar may need education, which is why many organizations include a brief explanatory note in their sustainability report alongside the assurance statement.
Independence Declaration
The practitioner must declare their independence from the reporting entity. Under ISAE 3000, this includes compliance with the International Ethics Standards Board for Accountants (IESBA) Code of Ethics or equivalent national requirements. The declaration typically states:
- The firm and engagement team are independent of the entity in accordance with the IESBA Code
- No services have been provided that would impair independence
- The firm has applied International Standard on Quality Management (ISQM 1) or equivalent quality management standards
For non-accounting assurance providers, independence requirements under AA1000AS or ISO/IEC 17029 apply. Accreditation bodies (such as national accreditation bodies under the IAF umbrella) verify that these independence requirements are systematically embedded in the provider's management system.
Qualifications of the Practitioner
The statement should reference the practitioner's credentials: accreditation status (e.g., accredited under ISO/IEC 17029 or ISO 14065), professional memberships, and the engagement partner's relevant qualifications. This allows readers to independently verify the practitioner's competence and standing.
How Procurement Teams and Buyers Read Assurance Statements
Corporate procurement teams increasingly require ESG assurance from supply-chain partners. Understanding how they read your statement helps you ensure it communicates effectively.
What Buyers Check First
- Scope coverage: Do the assured metrics align with the buyer's ESG requirements? If the buyer requires Scope 3 emissions data but your statement only covers Scope 1 and 2, it creates a gap.
- Conclusion type: Buyers look for unqualified conclusions. A qualified opinion triggers follow-up questions and may flag risk in supplier scorecards.
- Assurance level: Reasonable assurance is preferred for critical metrics. Some buyers explicitly require it for Tier 1 suppliers.
- Provider credentials: Buyers verify the assurance provider is independent and credentialed — not an internal function or affiliated consulting arm.
- Recency: Statements older than 18 months raise questions about data currency. Annual assurance aligned to the reporting period is expected.
Red Flags for Buyers
- Scope limited to a single facility when the supplier operates multiple sites
- Qualifications or disclaimers related to data completeness
- Absence of a named assurance standard (ISAE 3000, ISSA 5000, AA1000AS)
- Assurance provider with no disclosed accreditation or professional affiliation
- Statement date significantly after the reporting period end (suggests delays or issues)
What ESG Rating Agencies Look For
ESG rating agencies — MSCI, Sustainalytics (Morningstar), S&P Global CSA, CDP, ISS ESG — are among the most systematic consumers of assurance statements. Their assessment methodologies explicitly factor in whether ESG data has been externally verified.
How Ratings Are Influenced
- Data confidence score: Agencies assign higher confidence to externally assured data points compared to self-reported data. This directly influences the weight assigned to those metrics in the overall rating calculation.
- Scope alignment: Agencies check whether the assured scope covers the metrics they evaluate. Partial assurance (e.g., only environmental metrics) limits the uplift to those specific pillars.
- Assurance level recognition: Reasonable assurance typically earns a higher confidence multiplier than limited assurance. Some agencies explicitly score the assurance level as a separate governance indicator.
- Provider credibility: Agencies note whether the assurance provider is a recognised firm with relevant accreditation. Assurance from unrecognised providers may receive reduced credit.
- Consistency and continuity: Multi-year assurance coverage demonstrates mature ESG reporting processes. Agencies view single-year assurance less favourably than established, ongoing engagements.
CDP explicitly asks respondents whether their emissions data has been externally verified and at what level. Companies with third-party verification at reasonable assurance level score higher on the data quality dimension. This can be the difference between an A and B rating for companies that are otherwise comparable.
Good vs Weak Assurance Statements
Not all assurance statements are created equal. The difference between a strong statement and a weak one often lies in specificity, transparency, and adherence to professional standards.
Characteristics of a Strong Statement
- Specific scope: Names each metric, disclosure, or report section with precise references (e.g., "GRI 305-1, 305-2, 305-3 as reported on pages 42-48")
- Named criteria: Explicitly identifies the reporting framework and version (e.g., "GRI Standards 2021" or "ESRS E1, E2, S1")
- Detailed procedures: Describes the nature and extent of work performed beyond generic language, including number of site visits, facilities covered, and types of evidence inspected
- Clear conclusion: Uses standard wording aligned to the assurance standard, with unambiguous positive or negative form language
- Full independence declaration: References the specific ethics code followed and confirms no independence-impairing services were provided
- Provider credentials: States accreditation body, accreditation standard (e.g., ISO/IEC 17029), and engagement partner qualifications
- Materiality threshold: Discloses the materiality level applied in planning and evaluating misstatements
Characteristics of a Weak Statement
- Vague scope: "Selected sustainability indicators" without specifying which ones
- Missing criteria: No reference to a reporting framework — making it impossible to evaluate what "correct" looks like
- Boilerplate procedures: Generic descriptions like "we performed inquiries and analytical procedures" without engagement-specific detail
- Ambiguous conclusion: Non-standard wording that neither confirms nor denies reliability in recognisable professional terms
- No independence reference: Silent on the ethics code followed or independence requirements met
- Unknown provider: No accreditation, no professional affiliation, no evidence of competence in ESG assurance
- Outdated period: Statement covering a period more than 18 months prior, with no explanation for the delay
Understanding Qualified Opinions
A qualified opinion (or qualified conclusion) is issued when the practitioner identifies specific issues that prevent an unqualified conclusion but are not so pervasive as to warrant an adverse conclusion or disclaimer. Qualifications are more common than many assume and are not necessarily damaging — transparency about limitations can actually enhance credibility.
Common Reasons for Qualification
- Scope limitation: The practitioner could not obtain sufficient evidence for specific metrics — for example, Scope 3 Category 6 (business travel) data was unavailable from a travel management provider
- Methodology departure: The entity applied an estimation methodology that departs from the stated criteria — for example, using spend-based factors for Scope 3 where the GHG Protocol recommends activity-based calculation
- Data completeness gap: A subsidiary or operational site was unable to provide data for part of the reporting period
- Restatement without explanation: Prior-period data was restated but the basis of restatement is not adequately disclosed
- Internal control weakness: A material weakness in the ESG data collection process was identified that could not be remediated before the statement date
How a Qualification Is Expressed
The qualification appears as an "Emphasis of Matter" or "Qualification" paragraph immediately before the conclusion. It describes the issue, the affected metrics, and the potential impact. The conclusion itself is then modified to state "except for the matter described above" before expressing the opinion.
Example qualified limited assurance conclusion: "Except for the possible effects of the matter described in the Qualification paragraph above, based on the procedures performed and the evidence obtained, nothing has come to our attention that causes us to believe that the selected sustainability metrics are not prepared, in all material respects, in accordance with the applicable criteria."
Practical Wording Examples
The following examples illustrate how key sections of an assurance statement should read. These are based on ISAE 3000 (Revised) conventions and reflect current professional practice.
Scope Paragraph — Strong Example
"We have performed a limited assurance engagement on the following selected sustainability metrics of [Company Name] for the year ended 31 December 2024, as reported in the Annual Sustainability Report 2024 on pages 38–67: total Scope 1 GHG emissions (GRI 305-1), total Scope 2 GHG emissions — location-based and market-based (GRI 305-2), total energy consumption (GRI 302-1), water withdrawal by source (GRI 303-3), total recordable injury frequency rate (GRI 403-9), and gender diversity ratio (GRI 405-1)."
Criteria Paragraph — Strong Example
"The selected sustainability metrics have been prepared by management in accordance with the GRI Standards (2021), the GHG Protocol Corporate Accounting and Reporting Standard (Revised Edition), and the company-specific measurement methodologies described in the Basis of Reporting section on pages 68–72 of the Sustainability Report."
Independence Declaration — Strong Example
"We have complied with the independence and other ethical requirements of the International Code of Ethics for Professional Accountants (including International Independence Standards) issued by the International Ethics Standards Board for Accountants (IESBA Code). Our firm applies International Standard on Quality Management 1 (ISQM 1), which requires the firm to design, implement, and operate a system of quality management."
Weak Scope Example — What to Avoid
"We reviewed certain sustainability data included in the company's ESG report."
This tells the reader nothing about which data, which report, or which period. It is functionally useless for any assurance consumer — investor, buyer, or rating agency.
Weak Conclusion Example — What to Avoid
"Based on our work, the company's sustainability data appears to be reasonable."
This does not follow any recognised assurance standard's conclusion format. "Appears to be reasonable" is not a professional assurance conclusion and provides no basis for reliance.
Frequently Asked Questions
What is an independent ESG assurance statement?
An independent ESG assurance statement is a formal document issued by a qualified third-party assurance provider that expresses a conclusion on the reliability of an organization's ESG disclosures. It covers scope, criteria used, procedures performed, level of assurance obtained, and the practitioner's independence declaration.
What is the difference between limited and reasonable assurance in ESG?
Limited assurance involves fewer procedures and results in a negative-form conclusion ("nothing has come to our attention..."). Reasonable assurance requires more extensive evidence gathering and results in a positive-form conclusion ("in our opinion, the data is fairly stated..."). Reasonable assurance provides greater confidence but costs more and takes longer.
How do ESG rating agencies use assurance statements?
ESG rating agencies like MSCI, Sustainalytics, and S&P Global check whether ESG data has been externally assured, the level of assurance obtained, the scope covered, and whether the assurance provider is accredited. Assured data typically receives higher confidence scores, directly influencing ESG ratings and index inclusion decisions.
What does a qualified ESG assurance opinion mean?
A qualified opinion means the assurance provider found specific issues — such as data gaps, scope limitations, or methodology departures — that prevent an unqualified (clean) conclusion. The qualification describes the affected areas and their impact. A qualified opinion does not invalidate the entire report but signals areas needing improvement.
What criteria should an ESG assurance statement reference?
An ESG assurance statement should reference the reporting framework used as criteria — typically GRI Standards, ESRS (CSRD), ISSB/IFRS S1-S2, CDP questionnaire guidance, or company-specific criteria. It should also reference the assurance standard followed, such as ISAE 3000 (Revised), ISSA 5000, or AA1000AS v3.