IAASB’s ISSA 5000 Sets the Global Standard for Sustainability Assurance

As the importance of sustainability has grown globally, so has the need for reliable, credible and consistent information about organizations' sustainability performance. Many regulations globally require a level of assurance over sustainability reporting - in some cases, commencing with limited assurance and progressing to reasonable assurance in the next several years (as applicable).

To facilitate this assurance requirement, the IAASB published ISSA 5000 in November 2024. It is designed for assurance practitioners and applies to assurance engagements on sustainability information reported for periods beginning on or after 15 December 2026. Organizations should understand the standard as well - see"Why should this matter to companies?," below.

ISSA 5000 replaces the International Standard on Assurance Engagements 3000 (Revised) (ISAE 3000), used to audit non-financial information. Once ISSA 5000 comes into effect, ISAE 3000 will no longer apply to sustainability assurance engagements.^[1]

ISSA 5000 is supported by the International Organization of Securities Commissions (IOSCO), the international body of securities regulators, which sees it as fulfilling its recommendations to establish a comprehensive global assurance framework for sustainability-related corporate reporting.

The standard is expected to be adopted by regulators in several countries in the Asia-Pacific region (e.g., Australia, Hong Kong, Japan, Malaysia and Singapore) and eventually by the European Union.

Why should this matter to companies?

While the standard is intended for use by assurance practitioners (i.e., external audit firms), organizations that produce sustainability reports under regulatory regimes should be familiar with what the standard entails and prepare reports aligned with the standard to receive the assurance they need. Specifically, organizations should focus on two key aspects internally: auditability of sustainability data and the role of the internal audit (IA) function. We provide recommended steps at the end of this blog.

ISSA 5000: What are the key highlights?

ISSA 5000 applies to sustainability information, regardless of how this information is presented or which framework is used to prepare it. It covers limited and reasonable assurance and works with both single materiality and double materiality concepts.

ISSA 5000 aligns with most global reporting standards and frameworks, such as the European Sustainability Reporting Standards (ESRS), the IFRS Sustainability Standards and the Global Reporting Initiative (GRI). This is good news for organizations reporting under these standards and frameworks, as the alignment would help them achieve the relevant assurance conclusion.

Below are some notable aspects of ISSA 5000:

• It is specifically applicable to sustainability assurance engagements.
• It provides specific methodologies for assessing the completeness, accuracy and reliability of sustainability data instead of relying solely on the practitioner's judgment. This includes consideration of the processes for collecting, analyzing and reporting sustainability information.
• It relies on the work of the internal audit function, whose competence in sustainability matters is a key criterion.
• It requires the assurance practitioner to conclude whether the sustainability information is prepared or fairly presented, in all material respects, in accordance with the applicable criteria. (Criteria refers to the reporting standard or framework in which the sustainability information is prepared.)
• It considers the relevance of the criteria in determining when financial and/or impact materiality applies. For example, in the case of ESRS, both financial and impact materiality apply.
• It provides a definition of the intended users of the report (internal and external) to ensure that the expressed conclusions and the confidence in the information reported are of decision-making relevance to those users.
• When assessing whether the sustainability information is materially misstated, ISSA 5000 requires consideration of qualitative factors such as impact severity, potential non-compliance and inaccurate narrative disclosure.
• It focuses on reporting compliance, specifically for greenhouse gas (GHG) emissions, ensuring that they align with the relevant framework (e.g., the GHG Protocol).
• It reiterates the importance of auditability of data. Estimates and forward-looking information need to be supported by evidence and based on proper methods, assumptions and management intentions.

How can organizations prepare?

To ensure auditability of sustainability data, organizations should implement robust data management practices and perform regular reviews of their sustainability reporting processes and controls, including data validation prior to assurance, to help reduce the risk of misstatement.

The IA function should be trained in sustainability matters in order to assess the controls over the organization's sustainability disclosures. This includes evaluating the adequacy of controls to mitigate sustainability-related risks as well as reviewing whether the measurement and reporting of sustainability data is aligned with the relevant reporting frameworks (e.g., the GHG Protocol).

Other specific steps organizations can take right now include the following:

Conduct a readiness assessment

• Evaluate the current ESG framework to identify potential gaps which may impact the organization's sustainability disclosures.
• Define an action plan to enhance alignment with ISSA 5000 objectives.

Capacity building

• Provide training for internal stakeholders such as the Chief Financial Officer, Chief Sustainability Officer, Chief Audit Executive, and internal audit and ESG teams.
• Foster cross-functional collaboration between sustainability and operations teams.

Auditability of ESG data

• Conduct a data gap analysis to assess availability, completeness and accuracy of ESG data.
• Establish data governance protocols to improve data integrity and reliability.
• Ensure that ESG data is traceable and verifiable for assurance audits under ISSA 5000.

Protiviti has published a Guide of Frequently Asked Questions which has answers to many of the questions organizations face as they prepare to comply with current and future regulations and standards. In addition, we assist clients by providing expertise in ESG data management, readiness assessment such as data validation of sustainability data and evaluating internal controls over sustainability reporting processes. We also offer capacity-building sessions to train our clients on reporting requirements, ensuring reliable and auditable sustainability disclosures.

1. IAASB-ISSA-5000-Sustainability-Assurance-Frequently-Asked-Questions.pdf