The CSRD has changed sustainability reporting from a marketing exercise into a regulated, audited disclosure. For many Dutch SMEs — whether directly in scope or pulled in through a customer’s value chain — the first wave of reports is being prepared right now. What most teams underestimate is not the writing of the report. It is what happens after the report is finished: the assurance engagement.
Under the CSRD, sustainability information must obtain at least limited assurance from an independent auditor, with the European Commission empowered to move the requirement to reasonable assurance at a later stage. This is the same legal mechanism that already underpins the audit of financial statements. The implication is straightforward: sustainability data must now be defensible to the same evidentiary standards as financial data.
This article sets out, in practical terms, what a sustainability auditor will actually ask — and what a credible response looks like.
What “limited assurance” actually means
Limited assurance is a lower level of certainty than the reasonable assurance used for financial statements, but it is not a light-touch review. The auditor performs analytical procedures and substantive testing to conclude whether anything has come to their attention that would suggest the sustainability information is materially misstated. In ESRS terms, that includes the company’s double materiality assessment, its reported KPIs (e.g. Scope 1, 2 and 3 emissions, energy mix, workforce metrics, governance disclosures), and the consistency of these with the underlying processes and source records.
The auditor will work backwards from the report to the source data. Anything that cannot be traced, recalculated, or independently verified is a finding.
The five questions every sustainability auditor will ask
In practice, almost every assurance engagement Royaal Project supports surfaces the same five questions. They are predictable. They should be rehearsed.
1. “Where did this number come from?”
Every figure in the report must be traceable to a primary source. For Scope 1 emissions that means meter readings, fuel invoices, or fleet records. For Scope 2 it means electricity invoices and supplier disclosure of the residual mix. For Scope 3 it means the chosen calculation method (spend-based, average-data, supplier-specific) and the underlying transactions or volumes. The auditor will pick a sample, follow the trail, and expect documentary evidence at the end of it.
2. “Who calculated this, when, and who reviewed it?”
Sustainability KPIs prepared by a single person with no second review are a near-automatic finding. Auditors look for separation of duties — preparer and reviewer must be different individuals — and dated evidence of that review. This applies whether the calculation lives in a SaaS tool or a spreadsheet. A version history, a sign-off line, or a workflow record in the carbon accounting platform all qualify; an undocumented spreadsheet does not.
3. “Which emission factor did you use, and is it current?”
Emission factors are not constants. They are updated annually by sources such as the IEA, DEFRA, the Dutch CO₂-emissiefactoren list, and supplier-specific disclosures. A 2024 factor applied to 2025 activity data without rationale is a finding. The expectation is a documented policy: which database is authoritative, when factors are refreshed, how exceptions are approved.
4. “Show me the evidence behind your material topics.”
The double materiality assessment is the foundation of the entire CSRD report. The auditor will ask how stakeholders were identified, how they were consulted, how impacts, risks and opportunities (IROs) were scored, and how the threshold for materiality was set. A workshop summary, a stakeholder log, and a documented scoring methodology are the minimum. A list of topics without provenance will not survive review.
5. “Explain the variance.”
If Scope 2 emissions dropped 18% year-on-year, the auditor expects a documented driver: a new green electricity contract effective on a known date, a verified production decline, a methodology change with restated comparatives. Unexplained movements signal either an error in the data or an undisclosed change in approach — both of which are material findings under ESRS 1.
The shift: from reporting project to auditable process
The common thread across all five questions is that a CSRD report cannot be assured if the data behind it has no controls. The deliverable is not the PDF. The deliverable is an auditable process that produces the PDF.
Companies that already operate a credible ISO 9001, 14001, or 27001 management system have a significant head start. The control concepts — documented procedures, version control, internal audit, management review, corrective actions — translate directly to sustainability data. The work is to extend those controls into the ESG dataset, not to invent a new system.
A defensible CSRD readiness baseline
Before an assurance engagement, the following baseline is what we recommend to clients:
A documented data inventory that maps every reported KPI to its source system, owner, and calculation method.
A methodology log that records every assumption, emission factor, and conversion rule, with the date of adoption.
A review and sign-off workflow that ensures separation of duties on every material number.
A variance commentary prepared internally before the auditor asks for it.
A stakeholder and materiality file that evidences the double materiality assessment from inputs to conclusions.
And, increasingly important, a change log for any restatement of prior-period figures.
None of this requires perfection. It requires defensibility.
What this means for SMEs not (yet) in direct scope
Following the CSRD Omnibus adjustments, many smaller companies are no longer directly in scope. That has not removed the assurance pressure — it has displaced it. Large in-scope companies pass requirements down the value chain through procurement clauses and supplier questionnaires, and increasingly request data with evidence attached. An SME that can produce traceable, reviewed, version-controlled sustainability data wins on commercial terms, regardless of whether it files its own CSRD report.
Closing position
Limited assurance under CSRD is not a softer version of the financial audit. It is the same evidentiary logic applied to a younger dataset. The companies that fare best in their first engagement are not the ones with the most ambitious sustainability narrative — they are the ones whose numbers are quietly defensible.
That preparation is best done before the auditor arrives, not during the engagement.
Next step: If your first CSRD assurance engagement is on the horizon, or your largest customer is asking for evidence-backed sustainability data, Royaal Project runs a structured CSRD assurance readiness review. We map your data flows against ESRS expectations, identify the control gaps, and leave you with a prioritised remediation plan.
→ Visit royaalproject.com to book a 30-minute readiness call.
This article reflects current best practice under the Corporate Sustainability Reporting Directive (Directive (EU) 2022/2464) and the European Sustainability Reporting Standards (ESRS). It is provided for informational purposes and does not constitute legal, audit, or assurance advice.