Skip to content
GT
πŸ“‹ Sustainability / ESG Reporting in Practice
Back to course
Revisions, QA & the GRI Content IndexLesson 4 of 48 min read

Assurance & Verification: What You Need to Know

Assurance and Verification

At some point during the engagement, someone will ask: "Should we get the report assured?" The answer is usually yes, but the timing, scope, and implications of assurance are more nuanced than most people realize.

This lesson covers what assurance means in the context of ESG reporting, when it happens, how it affects your workflow as the report writer, and the one piece of practical advice that will save you significant rework.

What Assurance Actually Means

Assurance is an independent verification of the data and claims in your ESG report by a third party. The assurance provider (typically an audit firm, a specialized sustainability assurance firm, or a Big Four accounting practice) reviews the company's data collection processes, checks source documentation, tests calculations, and issues a statement about the reliability of the reported information.

There are two levels:

Limited assurance: The assurance provider performs procedures sufficient to state that "nothing has come to our attention" that suggests the data is materially misstated. This is a negative confirmation: they are not saying the data is definitely correct, just that they did not find evidence it is wrong. This is the more common level for ESG reports.

Reasonable assurance: A higher bar. The provider performs more extensive procedures and provides a positive confirmation that the data is "fairly stated" or "free from material misstatement." This is the standard used for financial audits and is increasingly being applied to sustainability data, particularly under frameworks like CSRD.

Assurance is the company's choice, it is not mandatory for all ESG reports (though regulation is changing this). But if they choose to do it, it significantly increases the credibility of the data and the report as a whole. Rating agencies and investors give more weight to assured data.

Who Does It

Assurance providers fall into a few categories:

  • Big Four accounting firms (Deloitte, PwC, EY, KPMG): the most recognized and expensive option. They apply ISAE 3000 (the international standard for assurance on non-financial information) or AA1000AS.
  • Specialized sustainability assurance firms: smaller firms that focus specifically on ESG data verification. Often more affordable and more attuned to sustainability-specific nuances.
  • Engineering and environmental consultancies: sometimes used for specific environmental data (emissions calculations, for instance) rather than the full report.

The choice of assurance provider is the company's decision, not yours as the report writer. But you should be aware of who is doing it because their requirements will affect your data documentation.

The Assurance Process from the Report Writer's Perspective

Here is what matters to you: the assurance provider will need access to source data, calculation methodologies, and supporting documentation for every assured metric. This means:

  1. Data trails must exist. Every number in the report needs to trace back to a source document: a utility bill, an HR database export, a procurement record, an internal tracking system. If the assurance provider asks "where does this number come from?" and the answer is "someone emailed it to us," that is a problem.

  2. Methodology must be documented. How were emissions calculated? What conversion factors were used? What was the boundary? If you changed the calculation methodology from last year, why? The assurance provider will ask all of these questions.

  3. Consistency will be tested. They will check whether the same number appears consistently throughout the report and across other public documents (BRSR, annual report). They will check whether year-on-year trends make logical sense. They will flag anomalies.

Think of assurance like a tax audit for your ESG data. The auditor does not take your numbers at face value: they trace them back to source documents, check the math, and verify that everything adds up. Just as you keep receipts for tax purposes, you need to keep data trails for assurance purposes. The better your documentation, the smoother (and cheaper) the assurance engagement.

The Timing Question: The Most Important Practical Advice

Here is the single most valuable piece of advice in this lesson: try to get your final report data only after assurance is complete.

In practice, here is what happens when you do not follow this rule:

  1. You collect data from the client and write the report.
  2. The assurance provider reviews the data and finds issues: numbers that do not match source documents, calculations with errors, missing data points.
  3. The client corrects the data based on assurance findings.
  4. You now have to go back through the entire report and update every instance of every corrected number. In the narrative. In the tables. In the charts. In the infographics. In the GRI Content Index.
  5. The design team has to re-lay out the affected pages.
  6. You have to re-run QA on the updated sections.

This cascade of rework can add weeks to the engagement. And it happens frequently because the typical timeline has the report writer working in parallel with (or ahead of) the assurance provider.

The ideal workflow:

  1. Company collects data
  2. Assurance provider verifies and finalizes data
  3. You receive assured, final data
  4. You write (or finalize) the report using verified numbers
  5. No data corrections needed after writing

The common (problematic) workflow:

  1. Company collects data
  2. You start writing immediately with preliminary data
  3. Assurance begins in parallel
  4. Assurance finds errors; data gets corrected
  5. You spend two weeks updating the report with corrected numbers
  6. Design revisions follow
  7. QA has to be re-done on affected sections

The ideal workflow is not always possible (timelines rarely allow it). But push for it whenever you can. Even a partial version works: get assurance completed on the key quantitative disclosures (emissions, energy, water, waste, employee data) before you finalize those sections.

What Gets Assured

Not every ESG report gets full assurance on every metric. Companies commonly choose to assure a subset of disclosures - typically the ones that matter most to their stakeholders or that regulation requires.

Common targets for assurance:

  • GHG emissions (Scope 1, Scope 2, sometimes Scope 3): the most frequently assured metric
  • Energy consumption: closely linked to emissions
  • Water withdrawal and discharge: especially for water-intensive industries
  • Waste data: generation, diversion, disposal
  • Employee headcount and safety metrics: increasingly assured
  • Select social indicators: diversity ratios, training hours

Some companies assure only their environmental data in the first year and expand to social and governance data in subsequent years. This phased approach is pragmatic and common.

Where the Assurance Statement Goes

The assurance provider produces a formal assurance statement (a letter or report that describes what was assured, the procedures performed, the assurance standard applied (usually ISAE 3000 or AA1000AS), and the conclusion).

This statement is included in the ESG report. Placement varies by client preference:

  • Near the beginning: some companies place it right after the "About the Report" section, signaling early that the data is independently verified
  • Near the end: others place it as an appendix, keeping the front of the report focused on content

There is no right answer. Ask the client where they want it. Either placement is standard practice.

The Report Writer's Relationship with the Assurance Provider

You are not the one being assured: the company is. But in practice, you will interact with the assurance provider because you built the report, you know where the data came from (or at least where it was supposed to come from), and you can help locate source documentation.

Keep a few things in mind:

Do not act as the intermediary. The assurance provider needs to work directly with the company's data owners. If every data question gets routed through you, you become a bottleneck and potentially compromise the independence of the assurance process.

Be responsive when asked for report-related information. If the assurance provider wants to understand how a particular number was calculated for the report, or why a metric appears in a certain section, answer factually and promptly.

Flag issues you found. If during your data sanity checks (lesson 3.4) you identified inconsistencies or data gaps, share those with the assurance provider (with the client's knowledge). This transparency builds trust and helps the assurance process move faster.

The regulatory landscape for ESG assurance is shifting. The EU's Corporate Sustainability Reporting Directive (CSRD) requires limited assurance on sustainability disclosures, with a pathway to reasonable assurance in the future. India's BRSR Core framework also mandates reasonable assurance on select metrics for top listed companies.

This means assurance is moving from "nice to have" to "legally required" in several major markets. If your client operates in or reports to stakeholders in these jurisdictions, assurance is not a discussion about whether to do it, it is a discussion about scope and timing.

For the report writer, the practical implication is clear: assume the data will be scrutinized by an independent party, and build your documentation and data trails accordingly from day one. Do not wait until someone decides to get assurance to start worrying about data traceability.

When Assurance Is Not Done

Some companies (particularly smaller ones, first-time reporters, or those in jurisdictions without mandatory requirements) choose not to get their ESG report assured. This is their prerogative.

As the report writer, your data sanity process (lesson 3.4) becomes even more important in these cases. Without an external assurance provider checking the numbers, you are the last line of defense against data errors. This does not mean you are performing assurance (you are not qualified to do so unless you are an accredited assurance provider), but your QA process should be thorough enough to catch obvious inconsistencies and errors.

If the company plans to get assurance in future years, advise them to start building their data documentation processes now. Retroactively creating data trails is much harder than maintaining them from the beginning.

The golden rule of assurance timing: get final data after assurance is complete, not before. If timelines force you to draft with preliminary data, at least get the key quantitative metrics assured before you lock the report. Every number that changes after design is finalized costs time, money, and sanity.

Key Takeaways

  • 1Push to receive final report data only after assurance is complete - every number that changes post-design triggers cascading rework across narrative, tables, charts, and the GRI Content Index
  • 2Limited assurance (negative confirmation) is the most common level for ESG reports; reasonable assurance (positive confirmation) is a higher bar increasingly required under regulations like CSRD
  • 3Every assured metric needs a complete data trail - source documents, calculation methodologies, conversion factors, and boundary definitions must be documented from day one
  • 4GHG emissions are the most frequently assured metric, followed by energy, water, waste, and employee safety data - prioritize documentation for these categories
  • 5When assurance is not performed, your data sanity checks become the last line of defense - apply extra rigor to catch inconsistencies before publication
  • 6Assurance is shifting from voluntary to mandatory in key markets (EU under CSRD, India under BRSR Core) - build data processes assuming independent scrutiny

Knowledge Check

1.What is the key difference between limited assurance and reasonable assurance?

2.What is the single most important timing advice for coordinating report writing with the assurance process?

3.When assurance is not being conducted, how does the report writer's role change?

4 of 4