CSRD Assurance and Audit Requirements: What Companies Need to Know in 2026

One of the most significant — and often underestimated — aspects of the Corporate Sustainability Reporting Directive (CSRD) is its mandatory assurance requirement. For the first time in EU history, sustainability reports must be independently verified, just like financial statements.

This guide breaks down everything you need to know about CSRD assurance: what's required, when, and how to prepare your organisation for a smooth audit process.

Why Does the CSRD Require Assurance?

Before the CSRD, sustainability reporting in Europe was largely voluntary and unverified. Companies could publish glossy ESG reports without any independent check on accuracy. The result was inconsistent data, greenwashing risks, and a lack of trust from investors and stakeholders.

The CSRD changes this fundamentally. By mandating third-party assurance, the directive aims to:

• Build credibility — verified data earns trust from investors, banks, and regulators
• Reduce greenwashing — independent checks make inflated claims harder to sustain
• Standardise quality — assurance enforces consistency across the 12 ESRS standards
• Align with financial reporting — sustainability data gets the same rigour as financial data

Limited Assurance vs. Reasonable Assurance

The CSRD introduces assurance in two phases, each with a different level of scrutiny.

Limited Assurance (2024–2028)

This is the starting requirement. Limited assurance means the auditor reviews your sustainability report and checks whether anything appears materially misstated. Think of it as a "nothing came to our attention" conclusion rather than a full deep-dive.

In practice, limited assurance involves:

• Reviewing processes and internal controls for sustainability data collection
• Analytical procedures and inquiries with management
• Checking consistency between the sustainability report and financial statements
• Assessing whether the double materiality assessment was conducted properly

Reasonable Assurance (expected from 2028+)

The EU plans to transition to reasonable assurance, which is the same level applied to financial audits. This means auditors will perform substantive testing — verifying underlying data, sampling transactions, and testing controls more rigorously.

The European Commission will adopt limited assurance standards first (expected via the ISSA 5000 standard from IAASB) and develop reasonable assurance standards by October 2028.

What this means for you: Even if you're starting with limited assurance now, build your data infrastructure as if reasonable assurance is coming — because it is.

Who Needs CSRD Assurance?

Every company subject to the CSRD must obtain assurance on its sustainability report. The phased timeline applies:

Wave	Companies	First Report	Assurance Required
Wave 1	Large public-interest entities (500+ employees, already under NFRD)	2025 (FY 2024 data)	Yes — limited
Wave 2	Other large companies meeting 2 of 3 criteria (250+ employees, €50M+ revenue, €25M+ assets)	2026 (FY 2025 data)	Yes — limited
Wave 3	Listed SMEs (with opt-out until 2028)	2027 (FY 2026 data)	Yes — limited
Wave 4	Non-EU companies with €150M+ EU revenue	2029 (FY 2028 data)	Yes — limited

If you're unsure whether your company falls in scope, our CSRD overview guide covers the applicability criteria in detail.

Who Can Perform CSRD Assurance?

This is where it gets interesting — and where member states have some flexibility.

Statutory Auditors

The default option under the CSRD is your statutory auditor (the firm that audits your financial statements). They can also handle sustainability assurance, provided they have the necessary ESG expertise.

Independent Assurance Service Providers (IASPs)

Some EU member states allow independent assurance providers — firms that are not statutory auditors but specialise in sustainability assurance. France, for example, has historically allowed organisations des experts-comptables (OEC) to perform this role.

Whether IASPs are permitted depends on how each country transposes the CSRD into national law.

Key Considerations When Choosing

When selecting an assurance provider, consider:

• ESG expertise — financial auditors don't automatically understand Scope 3 emissions or biodiversity metrics
• Industry knowledge — sector-specific ESRS requirements demand domain expertise
• Independence — the same firm providing CSRD consulting cannot typically provide assurance (independence rules apply)
• Cost — assurance fees vary significantly depending on the provider and company complexity

If you're weighing Big 4 firms against independent providers, remember that assurance and advisory must be kept separate. A firm advising you on CSRD implementation generally cannot also audit the result.

What Auditors Actually Check

Understanding what an assurance engagement covers helps you prepare. Auditors will typically examine:

1. Governance and Process

• Is there a clear governance structure for sustainability reporting?
• Who is responsible for data collection, validation, and sign-off?
• Are roles and responsibilities documented?

2. Double Materiality Assessment

• Was a proper double materiality assessment conducted?
• Were relevant stakeholders engaged?
• Is the rationale for material topics (and omitted topics) documented?

3. Data Quality and Controls

• Where does the underlying data come from?
• Are there internal controls over sustainability data (similar to financial controls)?
• Can data points be traced back to source systems?
• Are estimates and assumptions reasonable and documented?

4. Disclosure Completeness

• Does the report cover all mandatory disclosures under the applicable ESRS standards?
• Are cross-cutting standards (ESRS 1 and ESRS 2) properly addressed?
• Is the report consistent with the entity's materiality assessment?

5. Consistency with Financial Statements

• Do sustainability disclosures align with information in the management report?
• Are there contradictions between financial and non-financial data?

How to Prepare for CSRD Assurance

Getting audit-ready is not a last-minute exercise. Here's a practical roadmap:

Start Early — At Least 6 Months Before

Don't wait until the report is written to think about assurance. Engage your assurance provider early so they can review your processes, flag gaps, and conduct a pre-assurance readiness assessment.

Build an Audit Trail

The single biggest pain point in sustainability assurance is traceability. For every data point in your report, you need:

• A clear source (system, spreadsheet, survey, invoice)
• A documented methodology (how was it calculated?)
• Evidence of review and approval

If your auditor asks "where does this number come from?" and the answer is "someone in operations emailed it to us," you have a problem.

Invest in Internal Controls

Treat sustainability data with the same discipline as financial data:

• Segregation of duties for data entry and validation
• Regular reconciliation of key metrics
• Version control on data files and calculation models
• Clear escalation paths for data quality issues

Conduct a Dry Run

Consider a pre-assurance engagement or internal audit before the formal assurance process. This identifies gaps while you still have time to fix them.

Document Everything

Auditors love documentation. Ensure you have written records of:

• Your materiality assessment methodology and results
• Stakeholder engagement processes
• Data collection procedures per ESRS topic
• Assumptions behind estimates (especially for Scope 3 emissions)
• Board or management committee approvals

Common Pitfalls to Avoid

Based on early CSRD assurance engagements across Europe, these are the most frequent issues:

1. Treating assurance as a formality — Auditors will ask hard questions. A checkbox mentality leads to qualified opinions.
2. Poor data granularity — Aggregate numbers without supporting detail are red flags.
3. Inconsistent boundaries — The reporting boundary for sustainability data must align with the financial consolidation scope.
4. Ignoring the value chain — ESRS requires upstream and downstream data. "We don't have it" is not an acceptable long-term answer.
5. Last-minute provider selection — Assurance providers have limited capacity. Secure your engagement early.

What Happens If You Fail Assurance?

If an auditor identifies material issues, they can issue a qualified opinion or, in severe cases, an adverse opinion or disclaimer of opinion. The consequences include:

• Regulatory scrutiny — national competent authorities may investigate
• Reputational damage — a qualified sustainability opinion is public information
• Investor concerns — ESG-focused investors rely on assured data for allocation decisions
• Potential legal liability — directors are responsible for the management report, which includes the sustainability statement

The Cost of CSRD Assurance

Assurance fees depend on company size, complexity, and the provider. Early estimates suggest:

• Mid-sized companies: €20,000–€60,000 for limited assurance
• Large corporates: €50,000–€150,000+
• Complex multinationals: €150,000–€500,000+

These costs will likely increase as the transition to reasonable assurance occurs. For a full breakdown of CSRD-related costs, see our guide to CSRD consultant costs.

Next Steps

If your company is in scope for the CSRD, assurance readiness should be a priority — not an afterthought. Here's what to do now:

1. Confirm your timeline — which CSRD wave applies to you?
2. Engage an assurance provider — ideally 6–12 months before your first reporting deadline
3. Assess your data infrastructure — can you trace every data point back to its source?
4. Run a gap analysis — compare your current reporting against ESRS requirements
5. Consider expert help — a qualified CSRD consultant can bridge the gap between your team and the assurance provider

The companies that treat assurance as an opportunity to build trust — rather than a compliance burden — will be the ones that benefit most from the CSRD transition.