The audit-trail gap in CSRD limited assurance engagements

Here's the issue: CSRD wave-2 filers in 2026 must obtain limited assurance over ESRS E1 disclosures. The engagement fee appears manageable—typically €40,000 to €80,000 for a mid-cap filer. However, by Q3 2026, at least 40% of wave-2 engagements will require scope extensions, second rounds of evidence collection, or deferred opinions because the audit trail is incomplete.

However, a CSRD limited assurance engagement consists of two things: the sustainability disclosure itself and the evidence lineage that supports it.

The disclosure on its own has no assurance value. The evidence lineage is what the auditor is actually verifying—and what most filers are unprepared to produce.

While disclosure drafting has become faster—thanks to ESRS templates and AI summarisation tools—evidence lineage construction has become more expensive. If a filer's Scope 1 and 2 emissions rest on 18 months of utility invoices, supplier correspondence, and calculation worksheets, reconstructing that lineage after the fact might cost €60,000 in internal labour and external assurance time. That cost now exceeds the original engagement budget.

How do you solve this? I think the operators who succeed in 2026 treat evidence lineage as a primary artefact, not a secondary audit response. For now, that means building the audit trail in parallel with the disclosure—document ingestion, calculation lineage, and traceability from day one.

The shape of the argument, visualised below.

What limited assurance actually verifies

The CSRD defines limited assurance as a conclusion "provided in a negative form of expression by stating that the practitioner has identified no matter to conclude that the subject matter is materially misstated."^[1] This standard—scheduled to be formalised by the European Commission by October 2026—requires fewer in-depth procedures than reasonable assurance, but still demands robust evidence.^[2]

Limited assurance practitioners perform:

• Inquiries with responsible persons
• Analytical procedures over reported metrics
• Sample checks of underlying data
• Assessment of the materiality assessment process
• Verification that calculation methods align with ESRS technical guidance

The engagement does not require the practitioner to test internal controls or perform extensive substantive testing. However, it does require that every material assertion in the disclosure can be traced back to a source document, a calculation method, and a responsible party.^[3]

Most filers interpret "limited" as "light touch." The evidence requirement is not light.

The four pillars auditors now demand

These four pillars are not CSRD-specific jargon. They are standard audit concepts, now applied to sustainability disclosures. The gap is that most sustainability teams have never built audit trails before.

Terms your auditor will use in 2026

1. Limited assurance

A conclusion expressed in negative form: "Nothing has come to our attention that causes us to believe the sustainability statement is materially misstated." Requires fewer procedures than reasonable assurance, but still demands sufficient appropriate evidence. The CSRD mandates limited assurance from 2025 onwards, with a possible transition to reasonable assurance from 2028.^[8]

2. Reasonable assurance

A conclusion expressed in positive form: "In our opinion, the sustainability statement is presented fairly, in all material respects." Involves more extensive testing, including verification of internal controls and substantive sampling. The European Commission will assess feasibility of this transition by October 2028.^[1]

3. Material misstatement

An error or omission in the disclosure that would influence the decisions of intended users. Materiality in sustainability reporting is defined by double materiality: financial materiality (impact on enterprise value) and impact materiality (impact on people and environment). ESRS 2 requires a documented materiality assessment process.

4. Sufficient appropriate evidence

Evidence that is both adequate in quantity (sufficiency) and relevant and reliable in nature (appropriateness). For a Scope 2 emissions figure, this means utility invoices (source), emission factors (method), and a calculation worksheet (lineage). The practitioner determines sufficiency and appropriateness based on engagement risk.

5. Traceability

The ability to follow an assertion in the disclosure back to its source document, and forward from the source document to the final reported number. A traceable Scope 1 figure means: invoice → consumption data → emission factor → calculation → disclosure. Breaks in traceability are the most common cause of qualified opinions.

6. Engagement risk

The risk that the practitioner expresses an inappropriate conclusion when the subject matter is materially misstated. In limited assurance, the acceptable level of engagement risk is higher than in reasonable assurance—but it is not zero. Practitioners manage this risk by assessing the quality of internal controls and the reliability of data sources.

7. Internal controls

Processes and policies that ensure the accuracy and completeness of reported data. Examples: monthly reconciliation of utility invoices to facility meter readings; segregation of duties between data entry and data approval; documented sign-off on emission factor selections. Weak controls increase engagement risk and trigger more extensive procedures.

8. Negative assurance

Synonym for limited assurance. The conclusion is framed as "we found nothing wrong" rather than "we verified everything is correct." This phrasing reflects the reduced scope of procedures compared to reasonable assurance.

9. Positive assurance

Synonym for reasonable assurance. The conclusion is framed as "we verified this is correct" rather than "we found nothing wrong." This requires more evidence and more testing.

10. Population completeness

Confirmation that all relevant items are included in the scope of testing. For Scope 1 and 2 emissions, this means all facilities, all months, all energy types. A common deficiency: filers report 11 months of data because one invoice arrived late, but do not disclose the gap.

11. Safe harbor

A regulatory provision that protects filers from liability if they follow specified procedures in good faith. The CSRD does not include a safe harbor for limited assurance—filers are liable for material misstatements even if the auditor did not detect them. This is why evidence lineage matters: it is the filer's proof of due diligence.

12. Qualified opinion

An assurance conclusion that includes exceptions or limitations. Example: "Except for the matter described in the Basis for Qualified Conclusion section, nothing has come to our attention..." Qualified opinions are public and trigger investor scrutiny. Most result from incomplete evidence, not incorrect calculations.

"The statutory auditors must pass an exam and complete at least eight months of practical training in assurance of annual and consolidated sustainability reporting or other sustainability related services. The CSRD foresees transitional arrangements for those statutory auditors who qualified before 1 January 2024 or intend to complete their accreditation by 1 January 2026."^[8]

This constraint is material. Many audit firms are training partners on ESRS requirements in parallel with client engagements. The result: auditors are risk-averse and evidence-hungry in 2026, because they are still building their own competence frameworks.

How the gap compounds

The audit-trail gap does not stay contained within the assurance engagement. It cascades:

1. Evidence reconstruction cost: If the sustainability team built the disclosure without tracking source documents, reconstructing the lineage in Q3 2026 (ahead of the Q4 assurance engagement) costs 200-400 hours of internal labour. For a mid-cap filer, that is €40,000 to €80,000 in fully loaded cost—equal to the original engagement fee.

2. Scope extension: If the auditor identifies gaps during interim testing, the engagement scope expands. Additional sampling, second rounds of inquiries, and extended analytical procedures add 20-30% to the original fee. A €60,000 engagement becomes €75,000.

3. Deferred opinion: If evidence gaps cannot be closed before the filing deadline, the auditor may defer the opinion. This triggers restatement risk, investor questions, and potential regulatory scrutiny. For a listed company, the reputational cost is difficult to quantify but non-zero.

4. Executive liability exposure: SB 253 in California and CSRD in the EU both require executive officer sign-off on sustainability disclosures. If a qualified opinion reveals material misstatements, the CFO or CEO is personally exposed. This is why the evidence lineage is not just an audit problem—it is a governance problem.^[3]

The compounding effect is worst for wave-2 filers in 2026, because they have no prior assurance experience and no peer benchmarks to reference.

How Emission3 fits

Emission3 is built around evidence lineage as the primary artefact, not the disclosure. Every number in an ESRS E1 export or a CBAM filing traces back to a source document—invoice, bill of materials, supplier correspondence—with full calculation lineage and reproducibility.

Key capabilities for CSRD limited assurance:

• Document ingestion: Upload utility invoices, supplier emission factors, and calculation worksheets in bulk. The system parses line items, links them to facilities or product codes, and flags missing data.
• Deterministic calculation: Apply named emission factors (IEA, IPCC, DEFRA, EPA) to consumption data, with full lineage from input to output. No hidden assumptions, no model drift.
• Audit export: Generate an evidence pack that includes source documents, calculation worksheets, emission factor references, and a signed attestation. The export is what the auditor reviews—not the internal system.
• Population completeness checks: Flag gaps in monthly data, missing facilities, or excluded suppliers. The system surfaces these gaps before the auditor does.

The result: filers who use Emission3 enter the limited assurance engagement with a complete audit trail already built. The engagement becomes a verification exercise, not a reconstruction project.

For more on the audit-ready export format, see Audit-ready exports in Emission3.

What to do in Q2 2026

If you are a wave-2 filer preparing for limited assurance in Q4 2026, here is the checklist:

1. Map your evidence sources now: List every data source that feeds into your Scope 1, 2, and 3 calculations. Identify gaps—missing invoices, incomplete supplier data, facilities without meter readings.
2. Build the lineage in parallel with the disclosure: Do not wait until Q3 to reconstruct the audit trail. As you draft the disclosure, tag every assertion with its source document and calculation method.
3. Run a self-assessment against the four pillars: Evidence lineage, deterministic calculation, reproducibility, population completeness. Score yourself 0-10 on each. If any score is below 7, escalate.
4. Engage your auditor early: Brief them on your evidence collection process in Q2, not Q3. Ask them to flag gaps during interim testing, when you still have time to close them.
5. Budget for scope extension: Assume 20-30% cost overrun on the original engagement fee. If the engagement is scoped at €60,000, budget €75,000 internally.

The operators who succeed in 2026 treat evidence lineage as a first-class deliverable, not an audit response. The cost of building it in parallel is lower than the cost of reconstructing it under deadline pressure.

Closing thought

Limited assurance is not light assurance. The "limited" refers to the scope of procedures, not the quality of evidence required. By October 2026, when the European Commission formalises the limited assurance standard, filers who built audit trails from day one will have a 6-9 month head start on those who did not.^[2]

The audit-trail gap is not a technical problem. It is a workflow problem—and workflow problems compound.

If you are a wave-2 filer preparing for limited assurance in 2026, book a CBAM readiness call. We start every engagement with a readiness conversation: we map your evidence sources, identify gaps, and scope the implementation timeline. No anonymous self-serve onboarding—every customer begins with a structured assessment.