The unchecked ESG report is over
Sustainability reporting used to run on trust and formatting. A company described its progress, chose its own scope, and published. If a number was soft or a claim was thin, there was often less external testing than finance would expect. The report was a narrative, and narratives are easy to write.
The CSRD changed that for in-scope companies. Accountancy Europe explains that the directive introduced an EU-wide assurance requirement to obtain limited assurance over sustainability reporting from 2025 on 2024 ESRS reporting. The later stop-the-clock Directive postponed application for large companies that had not yet started reporting and for listed SMEs, but it did not turn assurance back into a voluntary exercise. For companies in scope for a reporting year, the sustainability statement becomes something an external practitioner examines and signs a conclusion on. Sorena AI ESG compliance is built for that reality, not the old one.
Assurance reads like your books, not your brochure
An assurance engagement is not a proofread. Accountancy Europe describes it as a risk-based process across planning, execution, and reporting: the practitioner understands the company's environment and internal controls, then gathers and evaluates evidence by inquiring of management, testing controls, analysing transactions and documents, and obtaining third-party confirmations.
That is assurance discipline applied to sustainability. KPMG makes the parallel explicit for reasonable assurance: it follows a similar methodology to an audit, gaining an understanding of the company, assessing and reviewing its controls, identifying risks, and undertaking detailed testing before forming a conclusion. Limited assurance is less extensive, but it still tests evidence. The practitioner is not grading your prose. They are testing whether your reported figures are supported. A polished report with no evidence behind it can fail the same way an unsupported management assertion fails.
Limited today, reasonable tomorrow
The requirement starts at limited assurance, and it may climb. Accountancy Europe notes the CSRD's mandatory requirement is limited assurance, with the European Commission foreseeing a move toward reasonable assurance, and obligating the Commission to adopt reasonable assurance standards by 1 October 2028 if it assesses that the transition is feasible for companies and practitioners.
The difference is work effort, not spirit. In a limited engagement, Accountancy Europe explains, the practitioner performs fewer procedures and gathers less evidence before concluding. KPMG likens reasonable assurance to a full audit opinion and limited assurance to a lighter review. Both test evidence; reasonable assurance tests more of it, harder. Companies that build only for the limited bar today may have to rebuild when the bar rises. The evidence trail that satisfies reasonable assurance is the one worth designing toward now.
Build the assurance file behind one ESG number
Pick one reported ESG metric and ask whether it can survive assurance. The file should show the source record, reporting period, calculation method, owner, reviewer, version history, assumptions, control performed, exception handling, and final sign-off. If the disclosure is an Article 8 KPI, connect it to the EU Taxonomy eligibility and alignment evidence too.
That is the shift CSRD-style assurance forces. A disclosure is no longer just a sentence in a report. It is the visible tip of a process that has to prove where the number came from, who touched it, what changed, and why the company believes it is complete.
No trail, no sign-off
Assurance exposes exactly where ESG data management is weakest. KPMG warns that in the early years it expects modified opinions to be relatively common, issued when key data is missing because a company lacks the systems or information flow to report it, or when data cannot be tested because it is not of sufficient quality or granularity. KPMG compares this to a qualified audit opinion, while noting it may not be as serious.
The root cause is often the same: a number in the report that cannot be traced back to a source. Financial data survives audit because finance has built records, controls, and ownership around reported figures. ESG data has historically lived in spreadsheets, email threads, and one-off pulls that no one can reconstruct six months later. When the practitioner asks where a figure came from and the honest answer is nobody is sure, the assurance conclusion reflects it.
Give ESG data the trail finance already has
The fix is to treat ESG data like financial data from the start. Every reported figure should trace to a source, carry an owner, and keep a record of how it was produced, so that when an external practitioner tests it, the answer is already easier to retrieve. That is not extra reporting work. It is the difference between an engagement that can move through evidence and one that gets stuck on missing data.
Sorena AI Assessment Autopilot builds obligations from authoritative source texts, assigns clear owners, and tracks evidence continuously as work progresses, so the trail is assembled as the work happens rather than reconstructed under pressure. Humans decide what the company reports; the system keeps every figure traceable to its source and ready for assurance review. When assurance season arrives, the materials should already exist.
One standard is coming, so stop improvising
Assurance is converging, and improvised evidence is exactly what assurance exposes. Accountancy Europe notes the CSRD mandates the Commission to adopt a single EU limited assurance standard by 1 October 2026, and that the IAASB has adopted ISSA 5000, a comprehensive global standard for sustainability assurance. Until the EU standard is adopted, Member States may use national assurance standards, procedures, or requirements. The direction is more harmonised, tested, comparable assurance.
Companies cannot control which standard governs their engagement, but they can control whether their data is ready for a tested one. The organizations that treat this cycle as practice for a lighter, still-forming requirement may rebuild under pressure when the standard tightens. The ones that build a defensible audit trail now are better placed whichever bar arrives. Assurance is not likely to get looser. Prepare for the version that does not.
Report it like it will be assured, because it will be
For in-scope companies, the sustainability statement is now an assured statement, not just a communications asset. A practitioner will test evidence, trace figures, and publish a conclusion you do not control. Narrative will not carry it. The companies that come out clean are the ones that gave ESG data a finance-grade trail: sourced, owned, traceable, and continuous. Stop writing sustainability reports only to be read. Build them to survive assurance, because now they have to.
Frequently asked questions
Is sustainability assurance mandatory under the CSRD?+
Yes, for companies in scope for the relevant reporting year. Accountancy Europe explains the [CSRD](/artifacts/eu/corporate-sustainability-reporting-directive) introduced an EU-wide requirement to obtain limited assurance over sustainability reporting from 2025 on 2024 ESRS reports, with the statutory auditor expressing a conclusion. The later stop-the-clock Directive postponed application by two years for large companies that had not yet started reporting and for listed SMEs, but it did not remove the assurance model.
What is the difference between limited and reasonable assurance?+
The difference is work effort. Accountancy Europe describes limited assurance as fewer procedures and less evidence before concluding. KPMG likens reasonable assurance to a full financial audit opinion, following a similar methodology of understanding the company, testing controls, and evaluating evidence in detail. The Commission is to adopt a reasonable assurance standard by 1 October 2028 if it deems the transition feasible.
Why does ESG data now need an audit trail?+
Because assurance tests evidence, not narrative. A practitioner gathers evidence, tests internal controls, and traces reported figures to their sources. KPMG expects modified opinions where data is missing or cannot be tested. A sourced, owned, traceable trail, the kind Sorena Assessment Autopilot builds continuously, is what lets a figure survive that examination.
Sources
- Accountancy Europe, FAQs: fundamentals to assurance on sustainability reportinghttps://accountancyeurope.eu/publications/faqs-fundamentals-to-assurance-on-sustainability-reporting/?ref=sorena.io
- KPMG, Limited vs reasonable assurance over ESGhttps://kpmg.com/xx/en/our-insights/esg/limited-vs-reasonable-assurance-over-esg.html?ref=sorena.io
- EUR-Lex, Directive (EU) 2025/794 stop-the-clock amendmentshttps://eur-lex.europa.eu/eli/dir/2025/794/oj/eng?ref=sorena.io
- IAASB, Understanding International Standard on Sustainability Assurance 5000https://www.iaasb.org/focus-areas/understanding-international-standard-sustainability-assurance-5000?ref=sorena.io
- European Commission, Corporate sustainability reportinghttps://finance.ec.europa.eu/financial-markets/company-reporting-and-auditing/company-reporting/corporate-sustainability-reporting_en?ref=sorena.io


