The assurance-timeline problem in California SB 253 Scope 1 and 2 disclosures

Here's the issue: California's SB 253 (the Climate Corporate Data Accountability Act) requires US entities with over $1 billion in revenue doing business in California to disclose Scope 1 and Scope 2 greenhouse gas emissions annually. The first reporting deadline is August 10, 2026, covering fiscal year 2025 data for most companies. CARB (the California Air Resources Board) announced enforcement discretion for the first year: limited assurance is not required for the August 2026 filing. On the surface, this looks like a reprieve—companies can file emissions totals without paying for an auditor's stamp. Many CFOs are treating 2026 as a soft launch.

However, SB 253 disclosure consists of two things: emissions totals and audit-ready documentation. The first is what gets published on CARB's registry. The second is what auditors verify when limited assurance becomes mandatory in 2027. CARB's enforcement discretion applies only to the assurance engagement itself—it does not waive the documentation standards that underpin assurance.

Emissions totals on their own have no value to an auditor. Audit-ready documentation is what the assurance provider is actually asking for when they price the 2027 engagement. If a company files emissions in August 2026 without the lineage, methodologies, and control evidence that CARB's proposed assurance standards require, the auditor must reconstruct that documentation retrospectively in 2027. For a multi-site manufacturer with decentralized utility invoices and third-party fuel suppliers, retrospective documentation can add 400 to 600 hours of remediation work. At $250 per hour for assurance-qualified staff, that is $100,000 to $150,000 in avoidable costs.

While CARB waived the assurance requirement, the cost of assurance-grade documentation has not decreased. If a company treats 2026 as optional preparation, the 2027 assurance bill might exceed the cost of building the documentation system in the first place. For firms with fiscal years ending in December 2025, the window to build audit-ready documentation before the August 10, 2026 deadline is now six months or less.

How do you solve this? I think the operators who will avoid re-work in 2027 are the ones treating 2026 as an assurance dry-run, not a reporting formality. For now, that means instrumenting the same invoice-to-lineage workflow that limited assurance requires—activity data traceable to source documents, emission factors with published provenance, calculation steps reproducible at line-item level—even though CARB is not enforcing verification in year one. The firms we work with are using 2026 to pressure-test methodology documentation and control design, so the 2027 assurance engagement becomes a confirmation exercise rather than a reconstruction project.

The shape of the argument, visualised below.

The statutory text and its implications

California Health and Safety Code Section 38532 (SB 253) requires covered entities to publicly disclose Scope 1 and Scope 2 emissions starting in 2026, with limited assurance required no later than the 2027 reporting cycle and reasonable assurance by 2030. ^[1] The law does not specify which assurance standards are acceptable. CARB's February 2026 board hearing confirmed that the first Scope 1 and 2 reports are due August 10, 2026, and that CARB will exercise enforcement discretion for the first year: entities may submit emissions data "based on information they already have or were collecting when this Notice was issued, whether or not the data received limited assurance." ^[2]

During CARB's November 2025 workshop, staff emphasised that this discretionary relief is only applicable in the first year of reporting. Subsequent rulemaking will clarify requirements related to assurance standards, with proposals referencing ISSA 5000, ISAE 3000/3410, AICPA AT-C 210/205, AA1000AS v3, and ISO 14064-3. ^[3] The proposed standards are not materially different from the limited assurance frameworks already used for voluntary CDP disclosures or EU CSRD filings—they require population-level evidence, methodology documentation, and control testing.

What this means for reporting entities

The waiver eliminates the external assurance fee in 2026—typically $40,000 to $120,000 for a single-entity Scope 1 and 2 engagement—but it does not eliminate the internal documentation workload that assurance requires. For companies that defer documentation to 2027, the assurance provider will charge for retrospective evidence collection as part of the 2027 engagement, often at a higher hourly rate than prospective documentation would have cost.

The documentation gap and its cost structure

Limited assurance under ISAE 3410 (the most commonly adopted standard for GHG emissions) requires three things: ^[4]

1. Activity data lineage: every emissions calculation must trace back to a source document (utility invoice, fuel purchase receipt, on-site meter reading). The assurance provider tests a sample of these documents for completeness and accuracy.
2. Emission factor provenance: every emission factor must cite a published source (EPA, IEA, Defra, supplier-specific LCA) and version. The assurance provider confirms that the factor is appropriate for the activity and that the version is current.
3. Control evidence: the entity must document the process by which activity data is collected, approved, and consolidated. The assurance provider tests whether the controls are designed effectively and operating consistently.

For a manufacturing firm with ten facilities, three fuel types, and grid electricity from four utilities, building this documentation from scratch typically requires:

• 80 to 120 hours of utility invoice digitisation and reconciliation (if invoices are not already in a structured format).
• 40 to 60 hours of emission factor mapping and version control (if the firm uses a mix of EPA, supplier-specific, and default factors).
• 60 to 100 hours of control documentation and testing (if the firm has not previously operated a SOX-grade emissions process).

At a blended internal rate of $150 per hour (mid-level sustainability analyst plus senior finance review), the total cost is $27,000 to $42,000. If this work is deferred to 2027 and performed under the assurance provider's supervision, the hourly rate increases to $250 to $350 per hour, and the scope expands to include retrospective evidence reconstruction. The total cost becomes $70,000 to $120,000—nearly triple the prospective cost.

Why retrospective documentation is more expensive

When an assurance provider encounters missing documentation, they must either:

• Expand the sample size: if 20% of invoices are missing or illegible, the auditor tests additional invoices to achieve the same confidence level. This increases audit hours by 15% to 30%.
• Issue a qualified opinion: the auditor notes the limitation in the assurance report. For SEC-registered filers, this can trigger investor relations questions or proxy advisory scrutiny.
• Require remediation: the auditor asks the entity to reconstruct the missing documentation before issuing an opinion. This is the most common outcome, and it is the most expensive.

For companies with fiscal years ending December 31, 2025, the documentation window is now six months. For those ending March 31, 2026, the window is three months. The firms that miss this window will pay the retrospective penalty in 2027.

The assurance standards CARB is proposing

CARB's pre-rulemaking documents indicate that the state will accept multiple assurance frameworks, including: ^[5]

• ISSA 5000: the new global sustainability assurance standard issued by the IAASB in 2024. This is the most comprehensive framework, designed for integrated financial and sustainability assurance.
• ISAE 3410: the existing GHG-specific assurance standard. This is the most widely adopted framework for voluntary CDP assurance and is compatible with ISO 14064-3.
• AICPA AT-C 210/205: US-specific attest standards for review and examination engagements. These are common for SOX-compliant firms.
• AA1000AS v3: the AccountAbility assurance standard, which includes stakeholder inclusiveness and materiality assessment. This is less common for GHG-only assurance but is used for integrated sustainability reports.
• ISO 14064-3: the GHG verification standard, often used for carbon credit projects. This is the most granular framework, requiring line-by-line calculation checks.

All five frameworks require the same core documentation: activity data lineage, emission factor provenance, and control evidence. The choice of framework affects the format of the assurance report (opinion vs. verification statement) and the level of stakeholder engagement, but it does not change the underlying documentation workload.

For most SB 253 filers, ISAE 3410 or ISSA 5000 will be the default choice, because these frameworks are compatible with financial audit methodologies and are already used by the Big Four assurance providers. Firms that choose ISO 14064-3 typically do so because they are already operating GHG verification programs for carbon credit projects or EU ETS compliance.

Why 2026 is a strategic preparation year

The assurance waiver in 2026 creates a strategic decision point:

1. Treat 2026 as optional preparation: file emissions totals using existing spreadsheets and best-estimate methodologies. Accept that the 2027 assurance engagement will require retrospective documentation and remediation. Budget $70,000 to $120,000 for the 2027 engagement, plus internal staff time.
2. Treat 2026 as an assurance dry-run: build the documentation system now, file emissions totals in August 2026 with the same lineage and controls that limited assurance requires. Budget $27,000 to $42,000 for documentation in 2026, then $40,000 to $60,000 for the 2027 assurance engagement with no remediation.

The second path front-loads the cost but reduces total spend by 30% to 40% over two years. It also de-risks the 2027 engagement: if the assurance provider identifies control weaknesses, the entity has time to remediate before the filing deadline.

As one ERM consultant noted in a March 2026 briefing: "Organizations that treat 2026 as a strategic preparation year, rather than a temporary grace period, will be in a much stronger position as reporting and assurance expectations increase. For many businesses, these questions are both compliance and assurance readiness questions." ^[6]

The Scope 3 timeline and its documentation burden

SB 253 requires Scope 3 emissions reporting starting in 2027, covering fiscal year 2026 data. CARB has not yet finalised the reporting framework, but the statute references the GHG Protocol Corporate Value Chain (Scope 3) Standard as the baseline methodology. ^[7]

Scope 3 reporting consists of 15 categories, from purchased goods (Category 1) to end-of-life treatment (Category 12). For most SB 253 filers, Category 1 (purchased goods and services) accounts for 60% to 80% of total Scope 3 emissions. Category 1 requires either:

• Supplier-specific data: primary emissions data from suppliers, typically collected via questionnaire or through the supplier's own CDP or CSRD disclosure. This is the most accurate method but requires 6 to 12 months of supplier engagement.
• Spend-based estimation: multiplying procurement spend by industry-average emission factors (e.g., EPA EEIO factors or Exiobase factors). This is faster but less accurate, and it does not meet the "reasonable assurance" threshold that CARB may require in future years.

For a firm with 200 Tier 1 suppliers, collecting supplier-specific data for Category 1 typically requires:

• 40 to 60 hours of supplier engagement (sending questionnaires, following up, validating responses).
• 60 to 100 hours of data normalisation (converting supplier responses into GHG Protocol-compliant formats).
• 40 to 60 hours of methodology documentation (explaining allocation methods, data quality tiers, and gap-filling procedures).

At $150 per hour, the total cost is $21,000 to $33,000. If this work is deferred until 2027, the same retrospective penalty applies: the 2027 assurance engagement will require reconstruction of supplier engagement records, allocation methodologies, and gap-filling rationale.

The firms that start Scope 3 documentation in 2026—even though reporting is not required until 2027—will avoid this penalty. The firms that wait until 2027 will pay it.

How Emission3 fits

Emission3 is designed for the firms that are treating 2026 as an assurance dry-run. We start with the documentation system, not the emissions total.

Our CBAM implementation workflow is the same workflow that SB 253 limited assurance requires:

• Invoice-to-lineage: every activity data point traces back to a source document (utility invoice, fuel receipt, supplier emission report). We digitise the invoice, extract the activity data, and store the original document as an evidence artifact.
• Factor provenance: every emission factor cites a published source (EPA, IEA, Defra, IPCC) and version. We maintain a version-controlled factor library, so the auditor can confirm that the factor is appropriate and current.
• Control documentation: we document the process by which activity data is collected, approved, and consolidated. This includes approver names, approval timestamps, and change logs—the same evidence that SOX-grade controls require.

When the 2027 assurance engagement begins, the auditor receives a pre-built evidence pack: line-item calculations, source documents, factor provenance, and control logs. The engagement becomes a confirmation exercise, not a reconstruction project. For a ten-facility manufacturer, this reduces assurance hours by 40% to 60%, which translates to $20,000 to $40,000 in avoided fees.

We also export the evidence pack in the formats that CARB's proposed assurance standards require: ISAE 3410-compliant calculation lineage, ISO 14064-3-compliant verification logs, and ISSA 5000-compliant control narratives. The auditor does not need to reverse-engineer our methodology—they can test it directly.

What this means in practice

For a firm filing its first SB 253 report in August 2026:

1. Weeks 1-4: CBAM readiness call, supplier mapping, documentation gap analysis. We identify which activity data sources are already digitised and which require manual collection.
2. Weeks 5-12: Invoice digitisation, emission factor mapping, calculation lineage build. We instrument the same invoice-to-lineage workflow that limited assurance requires, even though assurance is not required in 2026.
3. Weeks 13-16: Internal control documentation, approval workflows, change logs. We document the process by which activity data is collected and approved, so the 2027 auditor can test the controls without requiring retrospective evidence.
4. Week 17: CARB filing, evidence pack export. We generate the emissions totals for the August 10, 2026 filing, plus a pre-built evidence pack for the 2027 assurance engagement.

The result: the firm files its 2026 report on time, with the same documentation quality that 2027 assurance requires. When the 2027 engagement begins, the auditor confirms the controls and issues an opinion—no remediation, no retrospective reconstruction, no penalty.

Closing recommendation

If your firm is subject to SB 253 and your fiscal year ends in December 2025 or March 2026, the documentation window is now six months or less. The firms that will avoid the 2027 retrospective penalty are the ones instrumenting audit-ready workflows now, not in 2027. ^[8]

The first step is a CBAM readiness conversation: we map your suppliers, identify documentation gaps, and scope the implementation timeline. This is the same conversation we run for EU importers preparing for CBAM quarterly reporting—the documentation system is identical, the only difference is the regulatory endpoint.

Book a CBAM readiness call to begin. ^[9]

^[1] California Air Resources Board, "California Air Resources Board Approves Regulations Implementing Climate Disclosure Laws SB 253 and SB 261," February 2026.

^[2] Deloitte DART, "Sustainability Spotlight — California Climate Legislation Update — Status of CARB Rulemaking and Next Steps," December 2025.

^[3] Persefoni, "California SB 253 and SB 261: What Businesses Need to Know," 2026.

^[4] IAASB, "ISAE 3410: Assurance Engagements on Greenhouse Gas Statements."

^[5] Sidley Austin, "California Climate Disclosures Webinar Continues to Keep Companies Guessing on Reporting Obligations," August 2025.

^[6] ERM, "SB 253 Compliance and Assurance: How California's climate disclosure law creates business value," 2026.

^[7] Optera, "California's climate disclosure laws: An overview of SB 253 & SB 261 (Updated November 2025)," 2025.

^[8] Willkie Farr & Gallagher, "California Air Resources Board Approves Regulations Implementing Climate Disclosure Laws SB 253 and SB 261," March 2026.

^[9] Emission3, "Book a CBAM readiness call," /book-demo.