CSRD Assurance: What Limited Assurance Means and How to Prepare

What is CSRD assurance?

Assurance is not an audit in the traditional financial sense, but it serves a similar purpose: giving stakeholders confidence that the reported information is materially accurate and prepared in accordance with the applicable standards.

CSRD introduces two levels of assurance. Limited assurance is required initially — this involves the assurance provider reviewing your data, processes, and disclosures to conclude whether anything has come to their attention that causes them to believe the report is materially misstated. It is less intensive than reasonable assurance but still demands structured evidence and documentation.

Reasonable assurance — the standard applied to financial statements — is planned for introduction by 2028. This requires the assurance provider to obtain sufficient evidence to positively confirm that disclosures are free from material misstatement. The gap between limited and reasonable assurance is significant in terms of evidence requirements, so organisations building their reporting processes now should design for reasonable assurance from the start.

What do assurance providers actually check?

Understanding what assurance providers examine helps you build processes that pass scrutiny the first time. Their focus areas typically include:

Data accuracy and traceability

Every figure in your sustainability report must be traceable back to its source. The assurance provider will select a sample of disclosed data points and follow the trail from the published number through your calculation methodology to the underlying activity data. If that trail is broken — because data was manually transferred between systems, or because the calculation methodology is undocumented — the finding will be flagged.

Methodology consistency

Have you applied the same calculation methodologies consistently across reporting entities, time periods, and data categories? Changes in methodology between years must be disclosed and justified. The assurance provider will check that emission factors, conversion rates, and estimation approaches are applied uniformly and are appropriate for your sector and geography.

Double materiality process documentation

Your double materiality assessment determines which ESRS standards you report against. The assurance provider will examine how you identified material topics, what scoring methodology you used, how stakeholder input was incorporated, and whether exclusion decisions are justified. A materiality assessment without documented methodology and evidence will not survive assurance review.

Governance and internal controls

Who approved the data? Who reviewed the calculations? What internal controls prevent errors from propagating through the report? The assurance provider expects to see defined roles, approval workflows, and segregation of duties between data entry and data review. This is where governance alignment becomes critical.

Completeness of ESRS disclosures

Based on your materiality assessment, certain ESRS standards apply to your organisation. The assurance provider will verify that all required disclosure points under those standards are addressed — either with reported data or with a documented explanation of why a specific disclosure is not applicable. Missing disclosures without explanation will be flagged as findings.

How to prepare your organisation for assurance

Build audit trails from day one. Every data entry should be timestamped, attributed to a named user, and linked to source documentation. If you are using ESG reporting software, this should be automatic. If you are using spreadsheets, you need a manual logging process — which is why most organisations undergoing CSRD assurance move to dedicated software before their first engagement.

Document your methodology decisions. For every calculation approach, emission factor selection, and estimation technique, maintain a methodology note explaining what you chose, why you chose it, and what alternatives you considered. This documentation should be prepared as you build your reporting process, not retrospectively assembled before the assurance engagement.

Maintain evidence for materiality conclusions. Your double materiality assessment should be supported by stakeholder engagement records, scoring matrices, threshold justifications, and minutes from governance meetings where material topics were approved. The assurance provider will ask for this documentation.

Establish clear data ownership. Every data point in your CSRD report should have a named owner — the person responsible for its accuracy. When the assurance provider queries a figure, you need to know immediately who can provide the explanation and evidence.

Run an internal dry run. Before engaging your external assurance provider, conduct an internal review that simulates the assurance process. Select a sample of data points, trace them back to source, check methodology consistency, and verify completeness against ESRS requirements. This identifies gaps you can fix before they become formal findings.

Common assurance pitfalls

Engaging the assurance provider too late. If your first conversation with the assurance provider is after your report is drafted, you have missed the window for them to review your methodology and data processes. Engage them during the preparation phase — most providers offer pre-assurance advisory services for first-time reporters.

Assuming limited assurance is easy. Limited assurance is less intensive than reasonable assurance, but it is not a rubber stamp. Providers will still examine your data, test your calculations, and review your governance processes. Organisations that treat limited assurance casually often receive qualified opinions or management letter findings.

Inconsistent methodology across entities. Multi-site or multi-entity organisations frequently apply different calculation approaches across locations, then struggle to reconcile them at group level. Standardise your methodology before data collection begins.

Undocumented Scope 3 estimates. Most organisations use estimates for Scope 3 emissions, which is acceptable under both the GHG Protocol and ESRS E1. However, the estimation methodology, data sources, and assumptions must be clearly documented. An undocumented estimate is an unsupported figure.

No separation between data entry and review. If the same person enters and approves data, you have a governance weakness. Assurance providers expect a review step between data entry and final disclosure, even in small teams.

The timeline — when to engage your assurance provider

For a company reporting on FY2025 with a filing date in 2026, a realistic assurance timeline looks like this:

6-9 months before filing: Initial conversation with the assurance provider. Discuss scope, timeline, fee structure, and their expectations for documentation and access.

4-6 months before filing: Pre-assurance advisory engagement. The provider reviews your methodology documents, data collection processes, and materiality assessment. You receive early feedback and can address gaps.

2-3 months before filing: Data collection close. Final figures are calculated and internal review is completed.

1-2 months before filing: Formal assurance engagement. The provider conducts their review, tests data samples, and issues their assurance opinion.

How Horizon ESG supports assurance readiness

Horizon ESG is designed with assurance in mind. Every data entry is automatically timestamped and attributed. Calculation methodologies are documented within the platform. Approval workflows enforce separation between data entry and review. And your assurance provider can be granted read-only access to trace any disclosed figure back to its source data without requiring your team to compile evidence packs manually.

The result is a reporting process that is assurance-ready by design, not by afterthought. Learn more about how Horizon ESG can support your assurance readiness.