CSRD's assurance regime starts at limited assurance and progresses to reasonable assurance. For first-wave reporters who navigated their first limited assurance engagement in 2025, the obvious next question is what reasonable assurance will demand — and when the transition happens.
The answer is more nuanced than most ESG teams expect. The shift from limited to reasonable assurance is not just a difference in audit depth — it changes how data is collected, how controls operate, how teams document their work, and how the audit firm scopes the engagement. This guide explains the differences and what to plan for.
What Limited Assurance Means
Limited assurance is the lower of the two assurance levels recognised in international standards. Under ISAE 3000 (Revised) and the new ISSA 5000 sustainability assurance standard:
- The assurance opinion is expressed in the negative: "based on the procedures performed, nothing has come to our attention that causes us to believe that the sustainability statement is not, in all material respects, prepared in accordance with..."
- Procedures are primarily analytical — inquiry, review, recalculation, limited verification
- Sample sizes are smaller — limited testing of underlying data
- Less corroborative evidence is required — auditor may rely more heavily on management representations
- Audit work effort is roughly 30-50% of reasonable assurance for an equivalent scope
Limited assurance still requires evidence and documentation. It is not a "light touch" — but it allows the auditor to express conclusions on the basis of considerably less work than reasonable assurance.
What Reasonable Assurance Means
Reasonable assurance is the higher level — the standard applied to financial statements:
- The assurance opinion is expressed in the positive: "in our opinion, the sustainability statement is, in all material respects, prepared in accordance with..."
- Procedures include substantive testing — vouching of source data, recalculation, third-party confirmation
- Sample sizes are substantially larger — sufficient to draw statistical conclusions
- Independent corroborative evidence is essential — auditor cannot rely heavily on representations
- Tests of controls — where the auditor seeks to rely on controls, those controls must be tested for design and operating effectiveness
- Audit work effort is materially higher — typically 2–3× the limited assurance engagement
The bar for what a reasonable assurance opinion implies is significantly higher than what a limited assurance opinion implies, even where the same standards (ESRS) apply.
When Does CSRD Move to Reasonable Assurance?
The directive itself anticipates the transition, but the timeline is governed by Commission delegated acts and member state transposition decisions.
The original CSRD text envisaged:
- Year 1 onwards: limited assurance over the full sustainability statement
- Subsequent transition (after Commission assessment): reasonable assurance over the sustainability statement
The Commission's delegated act mandating reasonable assurance was originally expected by October 2028. The EU Omnibus simplification package proposes to delay this timeline.
Most realistic scenarios place mandatory reasonable assurance:
- No earlier than FY 2030 for in-scope reporters — but possibly later if Omnibus simplification carries
- With member state-specific transposition timing
- Possibly with phased introduction by topic — e.g. assurance over climate metrics first, broader disclosures later
For reporting teams, the practical implication: you have time, but the data and control infrastructure decisions you make now will determine your reasonable assurance readiness.
What Changes Between Limited and Reasonable Assurance
1. Data quality and provenance
Limited assurance often allows reliance on management-prepared spreadsheets with minimal source documentation. Reasonable assurance requires:
- Auditable provenance from source system to disclosed figure
- Documented data definitions, methodologies, and material assumptions
- Reconciliations to underlying systems with explained adjustments
- Evidence of data validation and quality controls
Most teams find that their Year 1 limited assurance data architecture is inadequate for reasonable assurance. The data needs to be auditable in a way the team didn't initially design for.
2. Internal controls
Limited assurance can be performed without formal reliance on management's controls. Reasonable assurance typically requires either:
- Test of controls — auditor tests the design and operating effectiveness of management's controls over sustainability data, then performs reduced substantive testing
- Substantive approach — auditor does not rely on controls, but performs extensive substantive testing instead
Whichever approach is taken, the auditor expects evidence that controls operate. For sustainability data, this is often the largest gap between Year 1 and reasonable assurance readiness.
3. Documentation depth
Limited assurance documentation may be relatively summary. Reasonable assurance requires:
- Process flow documentation for material disclosures
- Risk and control matrices linking sustainability assertions to controls
- Walkthroughs and process narratives
- Evidence of management review and approval
This is the documentation typical of financial statement audit — applied to sustainability data.
4. Materiality
Limited assurance applies a higher materiality threshold than reasonable assurance for equivalent risk areas. As assurance level rises, materiality tightens — meaning more items become individually relevant and require auditor attention.
5. Forward-looking and qualitative disclosures
Both limited and reasonable assurance face the challenge of how to audit forward-looking statements (targets, transition plans, scenarios) and qualitative disclosures (governance, risk management approach). Reasonable assurance puts more pressure on these areas — auditors expect:
- Documented methodology for forward-looking statements
- Evidence of board review and challenge of forward-looking content
- Reconciliation to operational plans and budgets
- Sensitivity analysis around key assumptions
Practical Readiness for Reasonable Assurance
1. Build data architecture as if reasonable assurance applied from Day 1
Even if your first audit is limited assurance, design for reasonable. The marginal cost of building reasonable-assurance-ready data infrastructure during Year 1 is much lower than retrofitting it later.
Specifically:
- One source of truth for each material metric
- Documented methodology and data lineage
- Validation controls at point of capture
- Auditable workflow for adjustments and revisions
2. Map controls over sustainability data
Every material disclosure has implicit controls — review processes, validations, sign-offs. Document them explicitly. Build a risk and control matrix that mirrors financial reporting controls in structure, even if it doesn't reach the same depth.
Walk through each material disclosure with the auditor in Year 1 limited assurance to identify control gaps. Fix them while you have time.
3. Strengthen governance documentation
Reasonable assurance auditors expect to see formal board oversight evidence:
- Board minutes referencing sustainability matters
- Board papers with sustainability content
- Director training records on sustainability matters
- Committee terms of reference covering sustainability
Most boards have informal oversight already — they just don't document it adequately for audit.
4. Engage your auditor early
Auditor engagement on reasonable assurance scope, approach, and expectations should start at least 12 months before the first reasonable assurance year. Many auditors are willing to perform "readiness reviews" — pre-audit gap analysis — that identify deficiencies while the team has time to fix them.
5. Don't underestimate the team and budget impact
Reasonable assurance engagements are materially more expensive than limited assurance — often 2–3× the fee. Internal team time on audit support also rises substantially.
Plan budget and resource allocation 12–18 months before your first reasonable assurance year.
Where Limited Assurance Is Already Tightening
Even before reasonable assurance becomes mandatory, expect limited assurance procedures to tighten in subsequent years as:
- Auditors build sustainability assurance experience
- Regulators (ESMA, NFRA, member state competent authorities) provide enforcement direction
- Audit firms standardise procedures across engagements
- Auditor liability evolves around sustainability opinions
A Year 2 or Year 3 limited assurance engagement will typically demand more evidence and more documentation than Year 1, even though the standard hasn't changed. Teams that don't continuously improve their data infrastructure and control documentation find audit support burden rising every year.
How ESGFlux Helps
CSRD assurance evolution depends on Commission delegated acts, ISSA 5000 application guidance, IAASB updates, national competent authority enforcement, and Big 4 audit guidance — all moving in parallel.
ESGFlux monitors all of them every 30 minutes, surfacing assurance-relevant updates as they happen.