Sustainability reporting - CEAOB publishes guidelines on limited assurance

From January next year, companies within scope will have to publish sustainability statements as required under the EU’s Corporate Sustainability Reporting Directive (CSRD), and drawn up in accordance with the European Sustainability Reporting Standards (ESRS). 

These statements must be assured by statutory auditors or other assurance services providers (‘auditors’). But the European Commission won’t publish its limited assurance standards until 1 October 2026 - leaving a gap in terms of knowing what will be expected at EU level.

For corporates, there are two places they can look for help to understand what will be expected of them in the meantime: national standards (to the extent available), and the Committee of European Auditing Oversight Bodies’ (CEAOB) new non-binding guidelines on limited assurance on sustainability reporting.

Providing a common understanding of limited assurance

The guidelines look to provide a high-level common understanding of some of the key aspects of the limited assurance engagement requirements introduced by the CSRD. Importantly, they do not override national standards, so must be read in conjunction with them, where relevant. They can also be used for voluntary limited assurance of sustainability statements, which will be relevant especially to early voluntary adopters of CSRD reporting.

Key aspects of the common approach that CEAOB expects

CEAOB lays out the approach it would like to see auditors apply when engaged to provide limited assurance, including:

1. Providing assurance that is more limited than reasonable assurance. Auditors must obtain limited assurance that the information reported by the entity is free from material misstatement(s), using appropriate procedures designed by the auditor. Limited assurance is less extensive than reasonable assurance, so the amount of work expected is less[1].
    
2. Taking a view on the materiality of any misstatement(s). A misstatement is the difference between a quantitative or qualitative disclosure provided (or omitted) and the appropriate disclosure required by the reporting framework (being the ESRS, and the EU Taxonomy). It is open to auditors to determine whether misstatements, individually or in aggregate, are not material. This must be based on the auditor’s professional judgement that these misstatements would not reasonably be expected to influence the decisions taken by the intended users of the sustainability statements. The materiality of a misstatement is related to, but distinct from, the “double materiality” assessment required by the CSRD and ESRS. 
    
3. Understanding the entity. Auditors should obtain an understanding of the entity, its environment, and its system of internal control, that is sufficient to identify and assess the risks of material misstatements at disclosure level, and from there, what more might need to be done. Specific attention should be given to disclosures that are likely to be the most important to intended users, and whether they are relevant and a faithful representation.
    
4. Focussing on the entity’s double materiality assessment process. Auditors should understand the process the entity used to identify what information to include in the sustainability statement, and whether the process described in the sustainability statement matches up with reality and what the ESRS requires. If an auditor believes that not all material sustainability-related impacts, risks and opportunities have been disclosed, then the limited assurance report should reflect that. 
    
5. Keeping a critical eye on forward-looking statements and estimates. Auditors are not expected to provide a guarantee that any forward-looking information provided will play out as disclosed, but they should maintain a critical eye. For example, around whether the underlying methods used for developing forward-looking information are appropriate and have been applied consistently, and if the information is reasonable.
    
6. Ensuring the whole group is included, where relevant. Where the entity prepares consolidated sustainability statements at group level, auditors should check in particular that the entity has carried out the assessment of material impacts, risks and opportunities for all the consolidated entities to be covered under the ESRS and has provided information at the consolidated level.
    
7. Taking account of the value chain. The ESRS require the inclusion of value chain information in certain circumstances in the sustainability statement. Depending on the specific circumstances and on the risk of material misstatements, auditors should design and perform further procedures where appropriate.

Taxonomy-related disclosures 

Auditors must also assess whether the entity’s reporting complies with the reporting requirements of Article 8 of the EU’s Taxonomy Regulation, which provides a definition of economic activities that can be considered ‘environmentally sustainable’. They should identify and assess the risks of material misstatements in Article 8 disclosures (or, for the first year, identify where material misstatements are likely to arise) and perform appropriate further procedures on selected disclosures.

As well as understanding the entity, auditors must understand the processes that the entity has implemented to identify the nature of its activities in line with the Taxonomy, and disclose them. They must also look at whether the entity has presented the disclosures properly (i.e. that the disclosures are provided for each of the Taxonomy’s environmental objectives in line with the relevant rules and included in a clearly identifiable part of the environmental section of the sustainability statement). 

The limited assurance report

The report should include, amongst other things, the practical details of the subject of the engagement, the period covered, and the scope of the engagement, and state the practitioner’s conclusions on (i) the sustainability statement with regards to the relevant legal requirements, i.e. the ESRS (this includes the entity’s process and disclosures in the sustainability statements); (ii) the information provided to address Article 8 of the Taxonomy Regulation; and (iii) a mark-up of the sustainability statements with regards to EU digitalisation requirements. It should also include a summary of the procedures performed by the auditors, and can call out key matters to be highlighted or addressed. 

When, according to the auditor’s judgment, the sustainability statements and/or the Article 8 disclosures contain one or more material misstatement(s), the auditors should express a qualified conclusion if the extent of the misstatement(s) is not pervasive, or otherwise an adverse conclusion.

[1] The European Commission must adopt reasonable assurance standards by 1 October 2028, and specify when reasonable assurance will be required.