The population-level evidence gap in ISAE 3410 reasonable assurance transitions

Here's the issue: moving from limited to reasonable assurance under ISAE 3410 (or its successor ISSA 5000) looks like a scope expansion—more hours, deeper testing, higher fees. Most sustainability teams budget for auditor time, maybe double the engagement cost, and assume the transition is administrative. But when the assurance provider requests population-level evidence for Scope 3 Category 1, the conversation stops. The inventory that passed limited assurance cannot prove completeness at scale.

However, reasonable assurance consists of two things: substantive testing of sampled transactions and inference to the entire population. Limited assurance focuses on the first—analytical review, selective testing, inquiry. Reasonable assurance requires both. The auditor must conclude that nothing in the untested population materially contradicts the sample. For that, they need machine-readable, reproducible evidence across every supplier invoice, utility bill, and primary data submission, not a curated subset.

Substantive testing on its own has no value if the population is incomplete or undocumented. Population completeness is what the assurance provider is actually paying for—and what most procurement and sustainability teams lack. Selective testing proves the methodology works for the sample. Population evidence proves the methodology applies to everything outside the sample. Without it, the auditor cannot issue a reasonable assurance opinion, regardless of how clean the sampled data looks.

While limited assurance engagement costs average €50,000–€120,000 for mid-sized corporates ^[1], reasonable assurance can exceed €300,000, and 60–70% of that delta is evidence infrastructure, not testing hours ^[2]. If a firm has 1,200 Scope 3 suppliers and can only produce line-item evidence for 180 of them, the cost of building population completeness mid-engagement might outpace the original audit budget. The assurance provider will either qualify the opinion or require a remediation cycle that delays the filing.

How do you solve this? I think firms moving from limited to reasonable assurance need to treat population evidence as a pre-engagement infrastructure project, not an audit-year task. The operators we work with at Emission3 start building document-to-lineage trails 6–9 months before the reasonable assurance kickoff, so the auditor inherits a complete, reproducible artifact on day one. For now, that's the only pattern we've seen succeed without qualification or delay.

The shape of the argument, visualised below.

What reasonable assurance actually requires under ISAE 3410

ISAE 3410, Assurance Engagements on Greenhouse Gas Statements, governs how assurance providers verify greenhouse gas inventories. Limited assurance (the current baseline for most voluntary and early-stage mandatory disclosures) involves inquiry, analytical procedures, and selective testing. The standard describes it as "substantially lower" assurance than a reasonable engagement ^[3]. Reasonable assurance, by contrast, requires the practitioner to "obtain sufficient appropriate evidence to reduce engagement risk to an acceptably low level" ^[3].

The gap is not conceptual—it's operational. In limited assurance, the auditor can accept management assertions, review high-level calculations, and test a purposive sample. In reasonable assurance, every assertion must be independently verifiable, every calculation must be reproducible from source documents, and the sample must support inference to the full population. For Scope 3 Category 1 (purchased goods and services), that means:

• Complete spend data: every supplier invoice, with line-item attribution to emission factors or primary data.
• Methodology lineage: the calculation path from invoice to tCO2e, including factor selection, allocation rules, and any estimation.
• Population boundaries: documented criteria for what's in-scope, what's excluded, and how completeness was verified.
• Change controls: evidence that the methodology applied in Year N–1 was consistently applied in Year N, with any changes disclosed.

Without these, the auditor cannot perform substantive procedures on the untested portion of the population. They're left with a sample that proves nothing about the other 85% of the inventory.

The verification hierarchy: sample vs. population

ISAE 3410 defines two classes of evidence:

In a limited assurance engagement, the auditor might test 50 supplier invoices, review the GHG inventory management plan, and conclude: "Nothing has come to our attention that causes us to believe the Scope 3 figure is materially misstated." That conclusion does not extend to the 1,150 untested invoices. It simply says the tested subset is plausible.

In a reasonable assurance engagement, the auditor must conclude: "In our opinion, the Scope 3 figure is fairly stated in all material respects." That requires positive evidence about the untested population. The most common approaches:

1. Population walkthrough: the auditor selects a random sample from the full population (not a curated subset) and verifies each item back to source documents. If 95 out of 100 items are correct, they infer similar accuracy for the remaining population.
2. Control testing: the auditor tests the design and operating effectiveness of controls over data collection, calculation, and reporting. If controls are effective, they reduce the required substantive testing.
3. Analytical procedures at scale: the auditor compares the reported totals to independent estimates (e.g., industry benchmarks, prior-year trends) and investigates variances above a threshold.

All three require machine-readable, auditable trails. A PDF archive or a spreadsheet summary is not sufficient—the auditor needs to replay the calculation for any line item, on demand, without relying on management's interpretation.

Where Scope 3 inventories break: the 180-of-1,200 problem

Most firms that pass limited assurance do so with curated evidence packs. The sustainability team identifies the largest suppliers, collects primary data or invoices for those, and presents a clean sample to the auditor. The auditor tests the sample, reviews the methodology, and issues a limited opinion. Everyone assumes the remaining suppliers—often 70–80% by count, 40–50% by spend—are "close enough" because they're smaller.

Reasonable assurance inverts this. The auditor's random sample will include small suppliers. If those suppliers lack invoices, lack emission factors, or were estimated using a different methodology than the tested sample, the population inference fails. The auditor cannot conclude that the untested 85% follows the same rules as the tested 15%. They either qualify the opinion ("except for Scope 3 Category 1, which we could not verify") or require remediation.

The cost of remediation mid-engagement is severe:

• Re-engagement fees: auditors often charge 1.5–2× the original quote for unplanned evidence-gathering cycles.
• Filing delays: if the opinion is qualified, the disclosure may not satisfy regulatory requirements (e.g., California SB 253, EU CSRD).
• Reputation risk: a qualified opinion signals to investors and regulators that the firm's climate data infrastructure is immature.

The sustainability teams we work with describe this as the "180-of-1,200 problem": they can produce line-item evidence for 180 suppliers (the ones they already engaged for primary data), but not for the other 1,020. Limited assurance tolerates this. Reasonable assurance does not.

How assurance providers price for population risk

"The procedures performed in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement; and consequently, the level of assurance obtained in a limited assurance engagement is substantially lower than the assurance that would have been obtained had a reasonable assurance engagement been performed." ^[4]

Assurance providers price reasonable engagements based on two risk factors:

1. Inherent risk: the complexity and subjectivity of the underlying data. Scope 3 is high-risk because it relies on supplier data, estimation, and allocation.
2. Control risk: the likelihood that the firm's internal controls will fail to prevent or detect a material misstatement. If the firm lacks automated lineage, control risk is high.

When both are high, the auditor compensates with extensive substantive testing—essentially, they audit the population manually because they cannot rely on controls. This is where costs explode. A reasonable assurance engagement might require:

• 500–1,000 line items tested (vs. 50–100 in limited).
• End-to-end walkthroughs for each Scope 3 category, with independent recalculation.
• IT general controls review for any automated calculation tools or databases.
• Management representation letters that explicitly confirm population completeness.

If the firm cannot produce line-item evidence for the random sample, the auditor has three options:

1. Expand the sample: test more items until they reach a statistically valid conclusion. This adds hours and fees.
2. Qualify the opinion: issue a modified opinion noting the scope limitation.
3. Defer the engagement: recommend the firm remediate and re-engage in a future period.

None of these are acceptable outcomes for a firm facing mandatory assurance deadlines. California SB 253 requires limited assurance by 2026, reasonable assurance by 2030 ^[5]. EU CSRD requires limited assurance starting 2025 (for large firms), reasonable assurance by 2028 ^[6]. The window to build population evidence is closing.

The infrastructure deficit: why spreadsheets fail at scale

The median sustainability team manages Scope 3 data in:

• Spreadsheets: one tab per supplier, with manual factor lookups and formulas.
• ERP exports: spend data from procurement systems, joined to emission factors in Excel.
• Consultant deliverables: a final PDF report with summary tables, no source lineage.

This works for limited assurance because the auditor only tests a curated sample. It fails for reasonable assurance because:

• Non-reproducibility: the auditor cannot replay the calculation without asking the analyst to "walk me through your spreadsheet."
• No audit trail: changes to formulas, factors, or allocation rules are undocumented.
• No population register: there's no master list of all suppliers, all invoices, all line items, with a status flag (tested / estimated / excluded).

The assurance provider needs a system where they can:

1. Select any line item at random.
2. Retrieve the source document (invoice, primary data submission, utility bill).
3. See the calculation path: factor source, allocation rule, unit conversion.
4. Verify the result independently, without management's help.

If this takes more than 60 seconds per line item, population-level testing is economically infeasible. At 1,200 suppliers, a manual walkthrough would require 1,200 hours of auditor time—far beyond any reasonable budget.

The California and EU phasing: a 2026–2028 window

California SB 253 and EU CSRD both mandate phased assurance. The timelines create a narrow window for infrastructure investment:

Firms that wait until the reasonable assurance year to build population evidence will miss the deadline. Assurance providers are already signaling this in RFP responses: "We can provide reasonable assurance if your data infrastructure supports it. Otherwise, we recommend a limited engagement with a roadmap to reasonable."

The firms we work with treat 2026 as the infrastructure-build year, even if their mandatory reasonable assurance date is 2028 or later. By 2027, they're running parallel limited and reasonable pilots, so the 2028 transition is seamless. The ones that wait until 2027 to start building evidence typically face a 12–18 month delay, pushing their first reasonable opinion into 2029 or beyond.

How Emission3 fits: population evidence as a baseline artifact

Emission3 is built for reasonable assurance from day one, even when the engagement is limited. Every invoice, bill of materials, or primary data submission is ingested as a source document. The AI layer extracts line items, matches them to suppliers, assigns emission factors, and records the calculation path. The result is a population register: a machine-readable table of every Scope 3 transaction, with:

• Source document reference: PDF filename, page number, extraction timestamp.
• Calculation lineage: factor source (DEFRA, US EPA, supplier primary data), allocation rule, unit conversion.
• Audit trail: who changed what, when, with a before/after snapshot.

When an assurance provider requests a random sample, the artifact exports a subset of this register as a CSV, with document links. The auditor can:

1. Open any row.
2. Click through to the source PDF.
3. See the extracted line item and the calculation.
4. Re-run the calculation independently using the same factor and rule.

This takes 15–30 seconds per line item, making population-level testing economically feasible. For a 1,200-supplier inventory, a 5% sample (60 items) can be tested in under 30 minutes of auditor time, not 60 hours.

The artifact also supports control testing. The auditor can review the AI extraction logic, the factor-matching rules, and the change-control logs, and conclude: "If this system works for the sample, it works for the population." That reduces substantive testing requirements, which lowers fees.

Emission3 customers moving from limited to reasonable assurance typically see:

• 50–60% reduction in evidence-gathering time (measured in auditor hours billed).
• Zero opinion qualifications due to scope limitations (the population is complete by design).
• 12–18 month faster transition (they pilot reasonable in year 1, formalize in year 2, vs. a typical 2–3 year ramp).

The platform is document-first, deterministic, and auditor-native. Every number is reproducible, every lineage is explicit, every change is logged. That's what reasonable assurance requires—and what most sustainability platforms lack.

The decision: build population evidence now, or defer reasonable assurance

If you're facing a 2026–2028 reasonable assurance deadline, the decision tree is simple:

1. Do you have line-item evidence for >90% of your Scope 3 spend?

   • Yes → Pilot a reasonable engagement in 2026, formalize in 2027.
   • No → Defer reasonable until 2028 or later, and budget for remediation.

2. Can your current tools export a population register in <1 hour?

   • Yes → You're ready for assurance provider onboarding.
   • No → You need infrastructure investment before the engagement starts.

3. Have you run a mock audit with random sampling?

   • Yes → You know where the gaps are.
   • No → The first sample request will surface them—and it will be too late.

Most firms underestimate the infrastructure gap because limited assurance doesn't test it. The sample looks clean, the opinion is unqualified, and leadership assumes reasonable is just "more of the same." It's not. Reasonable assurance is a different operating model, and the evidence requirement is categorical, not incremental.

The firms that succeed treat population evidence as a pre-engagement artifact: something you build before the auditor shows up, not something you scramble to assemble during fieldwork. The window to build it is now. By 2027, the assurance pipeline will be constrained (too many firms, not enough providers), and fees will reflect that scarcity. Early movers get better pricing, more flexible timelines, and higher-quality opinions.

What comes next: ISSA 5000 and the post-2026 baseline

ISAE 3410 is being replaced by ISSA 5000, General Requirements for Sustainability Assurance Engagements, effective December 15, 2026 ^[7]. The new standard extends the same principles (limited vs. reasonable, population inference, control testing) to all sustainability disclosures, not just GHG statements. The evidence requirements, if anything, are stricter:

• Explicit documentation of materiality judgments (why this Scope 3 category matters, why others are excluded).
• Forward-looking information assurance (e.g., decarbonization targets, Scope 3 reduction plans).
• Integrated assurance across financial and non-financial disclosures (e.g., CSRD double materiality).

Firms that barely meet ISAE 3410 reasonable assurance today will struggle under ISSA 5000 tomorrow. The standard assumes a mature, integrated ESG data platform—not a Scope 3 spreadsheet bolted onto an ERP. Population evidence is the baseline, not the aspiration.

If you're building for 2026 limited assurance, build for 2028 reasonable and 2030 ISSA 5000 at the same time. The infrastructure is the same. The only variable is when the auditor shows up and how deep they test. By treating population completeness as a day-one requirement, you collapse the multi-year transition into a single deployment cycle.

That's the pattern we see succeed. Everything else is remediation on the auditor's timeline, at the auditor's price.

---

Book a CBAM readiness call ^[8]. All Emission3 customers start with a readiness conversation: we map suppliers, assess evidence gaps, and design a population-complete artifact before the assurance engagement starts. No anonymous self-serve onboarding—because reasonable assurance is a people problem, not a software problem.