Key Takeaways
  • Limited assurance provides a moderate level of confidence through inquiry and analytical procedures, expressed as a negative-form conclusion.
  • Reasonable assurance provides a high level of confidence through extensive testing and evidence gathering, expressed as a positive-form conclusion — the same level as a financial audit.
  • The CSRD mandates limited assurance initially, with the European Commission expected to adopt reasonable assurance requirements by 2028.
  • Reasonable assurance typically costs 40-100% more than limited assurance, reflecting significantly greater practitioner effort and evidence requirements.
  • Organizations should begin building the data governance, internal controls, and process maturity needed for reasonable assurance now, even if only limited assurance is currently required.

Introduction

When an organization engages an independent practitioner to examine its sustainability disclosures, one of the most consequential decisions is the level of assurance to be obtained. The two options — limited assurance and reasonable assurance — differ significantly in the depth of evidence gathering, the nature of the practitioner's conclusion, the cost and time required, and the degree of confidence provided to stakeholders.

This guide provides a detailed comparison of both levels, explains the practical implications of each, and helps organizations understand what is required to move from limited to reasonable assurance — a transition that the EU's Corporate Sustainability Reporting Directive (CSRD) will make mandatory for thousands of companies by 2028.

Understanding these levels is not merely academic. The assurance level determines how rigorously your sustainability data will be scrutinized, what internal capabilities you need to have in place, and how much confidence your investors, regulators, and other stakeholders can place in your disclosures. Getting this decision right — and preparing adequately for the chosen level — is essential for a successful assurance engagement.

What Limited Assurance Means

Limited assurance is the lower of the two assurance levels. It provides a moderate level of confidence that the subject matter information is free from material misstatement. The practitioner performs fewer and less rigorous procedures than in a reasonable assurance engagement and, as a result, the conclusion is expressed in a more cautious form.

Typical Procedures

In a limited assurance engagement, the practitioner primarily relies on:

  • Inquiry: Asking management and relevant personnel about data collection processes, methodologies, assumptions, and controls. Inquiry is the backbone of limited assurance — it surfaces how data is produced and managed but does not independently verify accuracy.
  • Analytical procedures: Examining reported data for internal consistency, plausibility, and expected relationships. For example, comparing year-on-year changes in emission intensity ratios, checking whether energy consumption figures align with production volumes, or assessing whether reported diversity metrics are consistent with headcount data.
  • Inspection (limited): Reviewing selected documentation on a limited basis — such as methodology documents, calculation spreadsheets, and sample source data — without the systematic, sample-based testing characteristic of reasonable assurance.
  • Walkthrough procedures: Tracing selected data points from source through to the final reported figure to understand the data flow, but without performing detailed recalculations or external confirmations.

The Limited Assurance Conclusion

The conclusion is expressed in negative form:

"Based on the procedures performed and evidence obtained, nothing has come to our attention that causes us to believe that the sustainability information is not prepared, in all material respects, in accordance with [applicable criteria]."

This wording is deliberately cautious. The practitioner is not stating that the information is accurate — only that nothing they found suggests it is not accurate. The distinction is subtle but legally and professionally significant. It reflects the reality that fewer procedures were performed and, consequently, there is a higher risk that material misstatements exist but were not detected.

When Limited Assurance Is Appropriate

  • When regulations mandate limited assurance (CSRD initial phase)
  • When the organization is at an early stage of sustainability data maturity
  • As a first step before progressing to reasonable assurance
  • When stakeholders have not yet demanded higher assurance levels
  • When budget and time constraints make reasonable assurance impractical in the current period

What Reasonable Assurance Means

Reasonable assurance is the higher level, providing a high degree of confidence that the subject matter information is free from material misstatement. This is the same level of assurance provided in a financial audit. The practitioner performs more extensive procedures, gathers more evidence, and expresses a stronger, positive-form conclusion.

Typical Procedures

In addition to the procedures used in limited assurance, reasonable assurance engagements involve:

  • Detailed testing: Selecting samples of reported data points and testing them against source documentation. For GHG data, this might mean selecting a sample of energy invoices, verifying the activity data, confirming the emission factor applied, and recalculating the resulting emissions figure.
  • Recalculation: Independently recalculating reported figures using the organization's stated methodology and source data. This goes beyond reviewing spreadsheets to independently verifying mathematical accuracy.
  • External confirmation: Obtaining evidence from third parties to corroborate reported information. For example, confirming energy consumption with utility providers, verifying waste disposal volumes with waste management companies, or confirming supply-chain audit results with certification bodies.
  • Inspection of source documents: Systematically examining supporting documents — invoices, meter readings, payroll records, training logs, incident reports — for selected data points.
  • Site visits: Visiting operational sites to observe data collection processes, inspect measurement equipment, and assess the operating environment. Site visits are more common and more extensive in reasonable assurance engagements.
  • Internal control testing: Evaluating the design and operating effectiveness of internal controls over sustainability data — the processes, checks, and approvals that prevent and detect errors. This is a significant differentiator from limited assurance.
  • Management representation letter: While also obtained in limited assurance, the representations sought in reasonable assurance are typically more detailed and specific.

The Reasonable Assurance Conclusion

The conclusion is expressed in positive form:

"In our opinion, the sustainability information is prepared, in all material respects, in accordance with [applicable criteria]."

This is a direct, affirmative statement about the reliability of the information. The practitioner is saying, based on the evidence gathered, that the information is reliable. This provides stakeholders with a high level of confidence — the same confidence they have in audited financial statements.

When Reasonable Assurance Is Appropriate

  • When regulations mandate reasonable assurance (CSRD post-2028, SEBI BRSR for top-listed companies in India)
  • When investors, lenders, or key customers demand the highest level of confidence in sustainability data
  • When the organization has mature data systems, robust internal controls, and the resources to support extensive testing
  • For sustainability-linked financial instruments where data accuracy directly affects financial outcomes
  • When the organization wants to be a market leader in transparency and accountability

Evidence Requirements: A Detailed Comparison

The fundamental difference between limited and reasonable assurance lies in the nature and extent of evidence gathering. The following table provides a detailed, procedure-by-procedure comparison.

| Procedure | Limited Assurance | Reasonable Assurance |
|---|---|---|
| Inquiry of management | Primary procedure; extensive inquiry across data owners | Conducted, supplemented by corroborating evidence |
| Analytical procedures | Primary procedure; comparisons, trend analysis, ratio analysis | Conducted alongside detailed testing |
| Sample-based testing | Limited or none | Extensive; statistically or judgmentally selected samples tested against source data |
| Recalculation | Limited; high-level reasonableness checks | Detailed; independent recalculation of selected data points |
| External confirmation | Typically not performed | Performed for material data points where third-party corroboration is available |
| Source document inspection | Limited walkthroughs | Systematic inspection of supporting documents for sample items |
| Site visits | May not be required; virtual reviews may suffice | Typically required for material sites; observation of data collection |
| Internal control evaluation | Understanding of controls (inquiry-based) | Testing of design and operating effectiveness of controls |
| Risk assessment depth | Identifies areas of higher risk; responds with focused inquiry | Comprehensive risk assessment; procedures designed to address each identified risk |
| Professional skepticism | Required but applied in context of limited procedures | Heightened; practitioner actively seeks contradictory evidence |

Conclusion Forms: Negative vs Positive

The form of the conclusion is perhaps the most visible difference between limited and reasonable assurance. Understanding what each form means — and does not mean — is critical for stakeholders interpreting assurance statements.

Negative-Form Conclusion (Limited Assurance)

The negative form — "nothing has come to our attention" — communicates that the practitioner did not find evidence of material misstatement based on the procedures performed. It does not communicate that the practitioner found the information to be accurate. The distinction is important: the absence of detected problems is not the same as confirmation of accuracy.

Stakeholders should understand that a clean limited assurance conclusion means:

  • The practitioner performed inquiry and analytical procedures
  • These procedures did not reveal material misstatements
  • However, the procedures were not designed to detect all possible misstatements
  • There is a higher residual risk of undetected material misstatement compared to reasonable assurance

Positive-Form Conclusion (Reasonable Assurance)

The positive form — "in our opinion, the information is fairly stated" — communicates that the practitioner has obtained sufficient evidence to positively conclude on the reliability of the information. This provides a much stronger signal to stakeholders.

A clean reasonable assurance conclusion means:

  • The practitioner performed extensive testing, inspection, recalculation, and other evidence-gathering procedures
  • Sufficient appropriate evidence was obtained to support a positive conclusion
  • The residual risk of undetected material misstatement is low (but not zero — absolute assurance is never provided)
  • Stakeholders can rely on the information with a high degree of confidence

Important: No Assurance Is Absolute

Even reasonable assurance does not eliminate all risk of material misstatement. Assurance standards acknowledge inherent limitations: sampling risk, the possibility of collusion or management override, and the use of estimations and judgments. "Reasonable" means high but not absolute confidence — the same limitation applies to financial audits.

Cost and Time Implications

The difference in effort between limited and reasonable assurance translates directly into cost and time differences. Organizations should plan for these implications when deciding on the assurance level and when budgeting for assurance engagements.

| Factor | Limited Assurance | Reasonable Assurance |
|---|---|---|
| Practitioner hours (indicative) | Baseline (1x) | 1.5x to 2.5x baseline |
| Engagement duration | 4-8 weeks typically | 8-16 weeks typically |
| Cost premium | Baseline | 40-100% above limited assurance |
| Internal resource demand | Moderate: respond to inquiries, provide documentation | Significant: prepare detailed evidence packs, support testing, facilitate site visits |
| Lead time needed | 2-3 months before reporting deadline | 4-6 months before reporting deadline |

The cost differential reflects the significantly greater volume of work required for reasonable assurance. More hours are spent on detailed testing, more senior practitioners are involved in judgment-heavy areas, site visits may be required, and the quality review process is more extensive. Organizations should factor these costs into their sustainability reporting budgets and recognize that the transition from limited to reasonable assurance is not merely an incremental increase in effort — it is a qualitative shift in the nature of the engagement.

Hidden Costs to Consider

Beyond direct assurance fees, organizations should account for:

  • Internal preparation time: Compiling evidence packs, preparing for site visits, and responding to detailed testing requests
  • Data system improvements: Upgrading data collection, aggregation, and reporting systems to support reasonable assurance requirements
  • Process documentation: Developing and maintaining detailed process documentation, control descriptions, and data flow diagrams
  • Training: Educating data owners and internal stakeholders on assurance expectations and their roles
  • Remediation: Addressing findings from the assurance engagement, which may require process changes, system updates, or additional data collection

The CSRD Trajectory: Limited Now, Reasonable by 2028

The EU's Corporate Sustainability Reporting Directive establishes a clear trajectory from limited to reasonable assurance, making this topic directly relevant to the approximately 50,000 companies that will fall within its scope.

Timeline

| Period | Requirement | Who Is Affected |
|---|---|---|
| FY 2024 (reports in 2025) | Limited assurance on ESRS disclosures | Large public-interest entities already subject to NFRD (approx. 11,600 companies) |
| FY 2025 (reports in 2026) | Limited assurance on ESRS disclosures | All large companies meeting two of three size thresholds |
| FY 2026 (reports in 2027) | Limited assurance on ESRS disclosures | Listed SMEs (opt-out possible until 2028) |
| FY 2028 (reports in 2029) | Reasonable assurance (expected, subject to feasibility assessment) | All in-scope companies |

The Feasibility Assessment

The move to reasonable assurance is not automatic. The European Commission is required to conduct a feasibility assessment before adopting reasonable assurance standards. This assessment will consider:

  • Whether the assurance profession has sufficient capacity and competence to deliver reasonable assurance at scale
  • Whether reporting organizations have achieved sufficient data maturity and internal control quality
  • Whether the cost-benefit balance justifies the transition
  • The experience gained during the limited assurance phase

Most observers expect the transition to proceed, potentially with phased implementation by disclosure topic (e.g., reasonable assurance on climate data first, followed by social and governance data).

Implications for Organizations

Organizations subject to the CSRD should not wait until 2028 to prepare for reasonable assurance. The transition requires significant improvements in data systems, internal controls, and organizational capabilities that cannot be achieved overnight. Key actions include:

  1. Treat limited assurance as a learning phase: Use the initial limited assurance engagements to identify weaknesses in data systems and internal controls
  2. Progressively strengthen internal controls: Implement the controls needed for reasonable assurance incrementally over 2025-2027
  3. Invest in data infrastructure: Upgrade sustainability data collection and aggregation systems to support detailed testing and audit trails
  4. Build internal expertise: Develop sustainability data governance capabilities, including dedicated data ownership, validation processes, and internal audit coverage
  5. Engage early with your assurance provider: Discuss the reasonable assurance transition and understand what will change in terms of scope, procedures, and fees

When to Choose Each Level

Beyond regulatory requirements, several factors should inform the choice between limited and reasonable assurance.

Choose Limited Assurance When:

  • Regulation requires it but not more: If limited assurance satisfies your current regulatory obligations, it provides a pragmatic starting point
  • Data systems are immature: If your sustainability data collection relies heavily on manual processes, spreadsheets, or incomplete audit trails, reasonable assurance may be premature — the engagement could surface so many issues that a clean conclusion is unachievable
  • First-time assurance: Organizations engaging in assurance for the first time often start with limited to build familiarity with the process before committing to the more demanding reasonable level
  • Budget constraints: If resources are limited, limited assurance provides meaningful credibility enhancement at a lower cost, while you invest in building capabilities for reasonable assurance
  • Stakeholders have not demanded more: If your investor base, customers, and regulators are satisfied with limited assurance, there may be no immediate business case for the additional investment

Choose Reasonable Assurance When:

  • Regulation mandates it: CSRD post-2028, SEBI BRSR for top-listed companies, or other jurisdictional requirements
  • Investors demand high confidence: Institutional investors, particularly those making allocation decisions based on ESG data, increasingly prefer or require reasonable assurance
  • Sustainability-linked financing: Green bonds, sustainability-linked loans, and ESG-indexed products often specify assurance requirements; reasonable assurance strengthens the credibility of the linked metrics
  • Competitive advantage: In industries where sustainability leadership is a differentiator, reasonable assurance signals the highest level of commitment to transparency
  • Mature data systems: If your organization has robust internal controls, documented processes, and reliable data infrastructure, reasonable assurance is achievable and maximizes the value of your investment
  • Proactive preparation: Organizations that want to be ahead of the curve can adopt reasonable assurance voluntarily before it becomes mandatory, building capabilities early and avoiding last-minute compliance pressure

Impact on Data Quality and Internal Controls

One of the most significant but often underappreciated effects of the assurance level is its impact on the organization's own data quality. Higher assurance levels drive higher internal standards — a positive feedback loop that benefits the organization beyond the assurance engagement itself.

Limited Assurance: Foundational Improvements

Even limited assurance engagements drive meaningful improvements in data quality. Organizations preparing for limited assurance typically:

  • Document their data collection processes for the first time
  • Identify data gaps and inconsistencies that were previously unnoticed
  • Establish clearer roles and responsibilities for sustainability data
  • Begin to formalize calculation methodologies and assumption documentation
  • Implement basic validation checks on reported data

Reasonable Assurance: Systematic Control Environment

Reasonable assurance requires — and therefore drives — a much more mature control environment. Organizations preparing for reasonable assurance must:

  • Establish formal internal controls over sustainability data (analogous to financial reporting controls)
  • Implement systematic validation and reconciliation procedures
  • Maintain complete audit trails from source data to reported figures
  • Apply consistent, documented methodologies with version control
  • Conduct internal reviews and management sign-off before external assurance
  • Address estimation uncertainty through documented assumptions, sensitivity analyses, and disclosure of uncertainty ranges

These improvements have benefits that extend far beyond the assurance engagement. Better data quality supports better decision-making, more reliable target-setting, more accurate progress tracking, and more credible stakeholder communication. The investment in data infrastructure for reasonable assurance pays dividends across the organization.

Internal Controls Readiness for Reasonable Assurance

The transition from limited to reasonable assurance is fundamentally a transition in internal control maturity. Organizations accustomed to financial reporting controls should apply similar principles to sustainability data.

Key Control Areas

| Control Area | What It Means for Sustainability Data |
|---|---|
| Data collection controls | Documented processes for collecting activity data (energy invoices, meter readings, headcounts, incident records) with defined frequencies, sources, and responsibilities |
| Aggregation and calculation controls | Validated calculation models with embedded checks; automated aggregation where possible; manual processes documented with reviewer sign-off |
| Emission factor management | Controlled library of emission factors with documented sources, version history, and change management procedures |
| Data validation | Systematic checks for completeness, accuracy, and reasonableness — comparing against expected values, prior periods, and external benchmarks |
| Segregation of duties | Separation between data collection, aggregation, review, and approval functions to prevent and detect errors |
| Access controls | Restricted access to sustainability data systems and calculation tools; audit logs of changes |
| Management review | Senior management review and sign-off on reported sustainability data before submission for assurance |
| Documentation and audit trail | Complete, retrievable trail from source data (invoices, meter reads, HR records) through intermediate calculations to final reported figures |

Readiness Checklist: Preparing for Each Assurance Level

For Limited Assurance

  • Sustainability data collection processes are documented
  • Calculation methodologies are written down and consistently applied
  • Data owners are identified for each material metric
  • A reporting boundary (organizational boundary) is defined and documented
  • Key assumptions and estimations are documented
  • Basic data validation checks are in place
  • Supporting documentation (invoices, records) is accessible for selected walkthroughs
  • Management can articulate the data flow from source to report

For Reasonable Assurance (all of the above, plus):

  • Formal internal controls over sustainability data are designed and operating
  • Segregation of duties exists between data collection, aggregation, and review
  • Complete audit trails exist from source documents to reported figures
  • Calculation models include embedded validation checks and error detection
  • Emission factor library is controlled with version history and change management
  • Data validation includes comparisons against prior periods, budgets, and external benchmarks
  • Management review and sign-off processes are documented and evidenced
  • Internal audit has reviewed sustainability data processes (or equivalent internal review)
  • Site-level data collection processes can support on-site verification visits
  • Third-party data sources (utility providers, waste contractors) can be contacted for external confirmations
  • Estimation methodologies include documented assumptions and sensitivity analyses
  • A process exists for identifying and correcting errors discovered during the reporting period

Frequently Asked Questions

What is the difference between limited and reasonable assurance?

Limited assurance involves primarily inquiry and analytical procedures, resulting in a negative-form conclusion ("nothing has come to our attention that causes us to believe the information is materially misstated"). Reasonable assurance requires more extensive evidence gathering — including detailed testing, recalculation, and external confirmations — and results in a positive-form conclusion ("in our opinion, the information is fairly stated"). Reasonable assurance provides a higher level of confidence.

Does the CSRD require limited or reasonable assurance?

The CSRD initially requires limited assurance on sustainability reports prepared under the European Sustainability Reporting Standards (ESRS). The European Commission is expected to adopt reasonable assurance requirements by 2028, subject to a feasibility assessment. This two-stage approach allows organizations and the assurance profession to build capacity before the higher standard takes effect.

How much more does reasonable assurance cost than limited assurance?

Reasonable assurance typically costs 40-100% more than limited assurance for the same scope, reflecting the significantly greater volume of evidence gathering, testing, and practitioner effort required. Exact cost differences depend on subject-matter complexity, data maturity, organizational size, and the number of locations involved.

Should my organization choose limited or reasonable assurance?

Consider regulatory requirements first: if limited assurance is mandated or sufficient, it may be the pragmatic starting point. However, if investors or key stakeholders demand higher confidence, if your data systems are mature, or if you want to get ahead of the expected move to reasonable assurance under the CSRD, reasonable assurance provides greater credibility. Many organizations start with limited assurance and progressively expand to reasonable assurance.

What internal controls are needed for reasonable assurance?

Reasonable assurance requires robust internal controls over sustainability data, including documented data collection and aggregation processes, defined roles and responsibilities for data ownership, validation and reconciliation checks, audit trails from source data to reported figures, change management for methodologies and emission factors, and management review and sign-off procedures. Organizations accustomed to financial reporting internal controls should apply similar rigor to sustainability data.