Posted by Jing Wang and Mark Challis

Answering the most frequently asked questions about ESG assurance

In a recent webinar, ESG Assurance – what you need to know, two of Verco’s assurance experts, Jing Wang and Mark Challis, answered the questions they are most frequently asked about the assurance process. This summary details their discussion.

You can watch the full recording of the webinar here.

Question: What is the difference between verification, assurance and certification?

Verification is for those wondering whether their reported data is correct according to the reporting criteria.

It originates from environmental and GHG reporting practice, and it's mostly defined by the ISO standards, such as ISO 14064-3, ISO 17029 and ISO 14065. It’s used as a conformity assessment, confirmation of the reliability of information being declared. It mainly checks whether reporting information is accurate and consistent with defined criteria. It's widely used for technical checks for quantitative claims. The outcome of verification is often called a verification statement.

Assurance is for those wondering whether stakeholders can rely on the information they have for decision making.

It derives from the financial auditing profession but has expanded into sustainability standards and non-financial auditing standards. Examples are ISAE 3000, ISAE 3410, and the recently emerging ISSA 5000. There is also the AA1000 assurance standard, which is particularly developed for sustainability assurance by AccountAbility. Assurance provides an independent conclusion, giving report users confidence that certain data (for example, GHG emission data) is free from material misstatement. In addition to testing data, assurance also considers governance and internal controls, which makes it more complex and formal than verification. It mainly focuses on usefulness in decision-making, and the output is often called an assurance report.

Certification is for those wondering whether a specific system, product or process meets the requirements of a standard, such as ISO 9001 or 14001.

It is a kind of conformity assessment, like verification. However, certification is valid for a defined period – three years, for example. This makes it different from verification, which is a point in time conclusion, with a verification statement only effective at the point of issuance.

Question: How do I choose the right standard(s) to assure against?

Choosing the right standard isn't just a technical choice; it's a strategic decision that depends on your reason for assurance. You might want to ask yourself:

  • Is your company subject to regulatory reporting?

A company may be subject to regulatory reporting, such as EU CSRD or the California Climate Disclosure Laws. Both of these mandate assurance, though the market message points toward assurance under ISAE3000 or ISSA5000 for the former, whereas the latter may also acknowledge ISO verification standards. In the UK, there's a UK SECR for energy and GHG reporting, where assurance is voluntary, and the guidance recognizes both AA1000 and the ISAE assurance standards. It also accepts ISO verification.

  • What do your stakeholders prefer?

If the company is reporting to ESG rating agencies like CDP or GRESB, both accept assurance using ISAE3000 or AA1000, as well as verification using ISO standards as valid third-party checks.

  • What’s your scope of reported/assured information?

If the company only needs to assure its GHG emissions, the most commonly used standards are ISO 14064-3 or ISAE 3410. Note that ISAE 3000 and 3410 are going to be replaced by ISSA 5000 by the end of next year, 2026.

If the assurance scope is full sustainability disclosures, both ISSA 5000 and AA1000AS could be used. The latter is used especially for stakeholder engagement-driven assurance.

  • What is your budget?

Assurance might cost more than verification because it's more complex and formal. When you are considering the different kinds of approaches, it’s important to bear in mind that there are different costs involved, such as the assurers, the staff involved, the time put into the project etc. It may turn out that getting access to the more senior members of staff required for certain standards becomes the largest cost involved in the whole process, slowing everything down. Which standard you assure against affects the approach the assuror takes, so make sure you understand what’s required by each standard so you can keep the project running smoothly.

Question: What is the difference between qualitative and quantitative data?

Quantitative information is often numeric. Examples include GHG information, energy consumption, water usage, waste generation, gender ratio, community investment, board compositions etc. This kind of data fits into all three main pillars (environmental, social, and governance).

Qualitative information is presented as more of a narrative. Examples are climate strategy, biodiversity policies, supply chain management, and stakeholder engagement processes.

Some disclosures combine both types. For example, Net Zero commitments contain quantitative goals and qualitative explanations for the pathway.

When it comes to assurance, quantitative information equals numbers and will be tested on its accuracy and qualitative information equals narratives and will be tested on its credibility.

ISSA 5000 requires assurance to determine materiality for quantitative disclosure,but only consider materiality when assure qualitative information.

Question: What is the difference between limited and reasonable assurance?

According to ISSA 5000, limited assurance is an assurance engagement in which the practitioner reduces engagement risk to a level that is acceptable. It is a moderate level of assurance, in which the practitioner concludes whether anything has come to their attention that would suggest a material statement. The risk of material misstatement is identified and assessed at disclosurelevel.

Limited assurance focuses on inquiry and analytical procedure, places less emphasis on internal controls and detailed testing, and requires evidence that is not as exhaustive as reasonable assurance. It relies mainly on inquiries, plausibility checks, trend analysis, and limited recalculation.

Reasonable assurance, on the other hand, provides a high level of assurance. The practitioner determines whether the information is free from material misstatement. The risk of material misstatement is identified and assessed at assertion level. It requires extensive evidence and rigorous procedures, so it is often a more comprehensive, time-consuming process. However, it provides deeper confidence overall.

Reasonable assurance requires detailed, substantive tests and more robust corroboration such as sampling underlying records, checking measurement methodologies, recalculating emissions, and verifying against external resources. It might involve reviewing the board minutes, interviewing management, benchmarking policies against recognised frameworks, and/or assessing implementation evidence.

Question: Can I change assurance level from reasonable to limited during an engagement?

Sadly, the answer is largely no. Under ISSA 5000, the reporting company cannot simply ask to change from reasonable to limited assurance just because they cannot provide sufficient evidence. The practitioner would instead need to consider issuing a modified opinion or withdrawing the engagement. A change to limited assurance from reasonable assurance is only acceptable if it's justified by external factors (e.g. regulation) rather than by lack of evidence.

Question: Can an assurance engagement consist of both limit and reasonable assurance?

Absolutely. A common practice we've observed is to have reasonable assurance for GHG emissions Scope 1 or 2 emissions, and limited assurance for Scope 3 emissions. Companies tend to build confidence in their reported data year by year. As their disclosure maturity increases, they begin to select the data they feel most confident in for reasonable assurance, while keeping the areas that aren’t as ready to limited assurance.

Really, it’s about trying to make sure you're getting the right solution for the right data set. There will be areas where you won't be able to provide evidence because it's not there. It may be outside of your organisation's control, or it might be too expensive. All you need to do is organise your assurance engagement accordingly.

Question: What is the difference between pre-assurance and formal assurance?

Pre-assurance is a preparation review of reporting information before a formal assurance engagement. The aim is to help the reporting company identify gaps, errors or control weaknesses in advance. The output is advisory feedback and not an assurance opinion.

This is very helpful for those starting out with sustainability reporting – those who might be struggling with immature data systems or unclear methodologies. It can be carried out in the early stage of the reporting cycle, giving them a safe space to find and fix issues before the results are disclosed to the public.

On the other hand, formal assurance is a formal, independent engagement under a professional standard such as AA1000 AS, ISAE 3000 or ISSA 5000. The aim of assurance is to provide an opinion to enhance user confidence in the reported information. The output is a formal assurance report that can be published along with a sustainability report and shared with external stakeholders.

To summarise, pre-assurance is like a mock test, and the audience is the company’s internal management team. Assurance is a formal test, with assurance opinion, and the audience is majorly external stakeholders.

Question: How can Verco help with pre-assurance and assurance?

If you can see why assurance is beneficial, but feel far from being assessment-ready, pre-assurance support is a good next step. It guides you through the process, enlightens your team and calms nerves, all without breaking the bank.

Find out more about our pre-assurance service

Verco’s team of specialists can also:

  • deliver a formal, independent assurance statement, enhancing your credibility with investors, regulators and rating agencies;

  • produce a report outlining a roadmap for continual improvement; and

  • help you demonstrate your commitment to transparency, accountability, and ESG leadership.

Find out more about our assurance service

Experts on the topic