CSRD Limited Assurance: What your Independent Assurance Provider will verify in 2026
You've produced your CSRD report. Your OTI (organisme tiers indépendant, the independent assurance provider), however, won't just read it. It will trace each piece of data back to its source, verify who entered it, who validated it, and whether it was modified. The question is no longer "do we have a compliant report?" It is: "does our infrastructure meet this level of requirement?"
What is limited assurance?
Limited assurance is the level of external verification required by the CSRD for published sustainability information. It is already mandatory for Wave 1 companies (formerly NFRD) and is gradually being extended to companies with over 1,000 employees and €450 million in turnover.
In practice, the OTI must be able to conclude that no significant matters have come to their attention that cause them to believe the published information contains material misstatements. To do this, they do not simply read the report. They trace back the data chain.
The definitive limited assurance standard is expected before July 2027, but the first waves of audits are already underway. Companies waiting for this standard to prepare are taking a risk.
What the OTI Verifies
The auditor does not start with the published report. They start with the raw data and verify that it can reasonably justify what is published.
The five standard questions an OTI always asks:
- Where does this data come from? What is its source, who collected it, and using what methodology?
- Who validated it? Is there a documented validation workflow with an identified owner?
- Has it been modified? If so, by whom, when, and for what reason?
- Is it consistent over time? Can it be compared to the previous period without methodological disruption?
- Is it consistent across entities? For multi-site groups, is the consolidation traceable?
If you can't answer these five questions with a few clicks, you have an infrastructure problem, not a reporting problem.
Why Excel and traditional reporting tools fail the audit
Most CSR teams have built their data collection process around a spreadsheet and a reporting tool. This model has a structural limitation: the audit trail is not native; it is reconstructed.
Reconstructing an audit trail means finding emails, versioned files, scattered notes, and exports that don't exactly match the published figures. It takes time. It involves risk. And it's often impossible when the person who built the model is no longer there.
An auditor who cannot trace data back to its source has two options: issue a reservation, or ask the company to reconstruct the history before concluding. In both cases, the cost is high.
The problem isn't the report. It's that the data wasn't governed from the outset.
The 4 infrastructure requirements an auditor expects
To easily pass limited assurance, your non-financial data infrastructure must meet four concrete requirements.
1. A single source of truth
Each data point must be defined, collected, and reused across all contexts: CSRD report, investor questionnaire, management dashboard. If the same data exists in multiple files with slightly different values, the auditor will notice.
2. Native traceability, not reconstructed
Who entered what, when, and using what method? Who validated it? Who modified it, and why? This information must be automatically recorded by the system, not manually reconstructed before each audit.
3. Documented access rights
The auditor verifies that the people with access to the data are those who are supposed to have it. A system without role-based access management cannot guarantee data integrity.
4. Sovereign Hosting
For companies subject to GDPR, ESG data, including employee information (pay gaps, accident rates, demographic data), constitutes personal data. Processing this data on infrastructure outside European jurisdiction creates direct legal exposure. An external auditor may raise this point in their report.
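To make requirements 1 to 3 concrete (and to show how the five questions an OTI asks can be answered "with a few clicks"), here is an added example in Python. It is not Harnest's code and the article gives no implementation detail; it is a constructed model of the pattern: one current value per data point, an append-only event log that records who entered, modified, validated or approved what, when and why, a SHA-256 hash chain so that any later edit to the log is detectable, and a contributor/validator/approver workflow enforced by role and scope. User names, the metric key format, the timestamps and the figures are all constructed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed workflow: which role may move a data point from which status to which.
TRANSITIONS = {
    "validate": ("validator", "draft", "validated"),
    "approve": ("approver", "validated", "approved"),
}


@dataclass(frozen=True)
class User:
    name: str
    role: str   # contributor | validator | approver (auditors only read history/verify_chain)
    scope: str  # entity (site, subsidiary) the user is allowed to act on


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    timestamp: str
    actor: str
    role: str
    action: str      # enter | modify | validate | approve
    key: str         # constructed metric key, e.g. "E1-6.scope1_tco2e/FR-plant/2025"
    old: object
    new: object
    reason: str
    prev_hash: str
    hash: str


def _digest(prev_hash, payload):
    """Hash of this event chained to the previous event's hash."""
    body = json.dumps(payload, sort_keys=True, default=str)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class Ledger:
    """Single source of truth: current values plus an append-only, hash-chained event log."""

    def __init__(self, clock=None):
        self.events = []
        self.current = {}  # key -> {"value", "method", "status", "entity"}
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _append(self, user, action, key, old, new, reason):
        prev = self.events[-1].hash if self.events else "0" * 64
        payload = dict(seq=len(self.events), timestamp=self._clock(), actor=user.name,
                       role=user.role, action=action, key=key, old=old, new=new,
                       reason=reason, prev_hash=prev)
        self.events.append(AuditEvent(**payload, hash=_digest(prev, payload)))

    def _check_scope(self, user, entity):
        if user.scope != entity:
            raise PermissionError(f"{user.name} has no rights on entity {entity}")

    def record(self, user, key, entity, value, method, reason):
        """Contributor enters or corrects a value; any correction sends the point back to draft."""
        if user.role != "contributor":
            raise PermissionError("only contributors may enter data")
        self._check_scope(user, entity)
        old = self.current.get(key)
        action = "modify" if old else "enter"
        self.current[key] = {"value": value, "method": method, "status": "draft", "entity": entity}
        self._append(user, action, key, old["value"] if old else None, value, reason)

    def transition(self, user, action, key, reason):
        """Validate or approve, enforcing role, scope and the expected current status."""
        role, frm, to = TRANSITIONS[action]
        rec = self.current[key]
        if user.role != role:
            raise PermissionError(f"{action} requires role {role}")
        self._check_scope(user, rec["entity"])
        if rec["status"] != frm:
            raise ValueError(f"{key} is {rec['status']}, expected {frm}")
        rec["status"] = to
        self._append(user, action, key, frm, to, reason)

    def history(self, key):
        """Answers: where does it come from, who validated it, was it modified and why."""
        return [e for e in self.events if e.key == key]

    def verify_chain(self):
        """Recompute every hash; False if any stored event was altered or removed."""
        prev = "0" * 64
        for i, e in enumerate(self.events):
            payload = {k: v for k, v in asdict(e).items() if k != "hash"}
            if e.seq != i or e.prev_hash != prev or _digest(prev, payload) != e.hash:
                return False
            prev = e.hash
        return True


def demo():
    """Constructed scenario: one plant reports its 2025 Scope 1 emissions, corrects them, and
    the correction is re-validated before final approval."""
    clock = iter(f"2026-01-{d:02d}T09:00:00+00:00" for d in range(1, 32))  # deterministic clock
    ledger = Ledger(clock=lambda: next(clock))
    alice = User("alice", "contributor", "FR-plant")
    bob = User("bob", "validator", "FR-plant")
    carol = User("carol", "approver", "FR-plant")
    key = "E1-6.scope1_tco2e/FR-plant/2025"
    ledger.record(alice, key, "FR-plant", 1240.5, "GHG Protocol, supplier invoices", "initial entry")
    ledger.transition(bob, "validate", key, "checked against invoices")
    ledger.record(alice, key, "FR-plant", 1255.0, "GHG Protocol, supplier invoices", "Q4 invoice received late")
    ledger.transition(bob, "validate", key, "re-checked after correction")
    ledger.transition(carol, "approve", key, "approved for the 2025 CSRD report")
    return ledger
```

The design choice worth noting is that the log is written by the same call that changes the value: there is no separate "document this" step for the CSR team to forget, and the hash chain means an auditor can check in one pass that nothing in the history was edited after the fact. Scope checks are deliberately strict (a contributor for one site cannot touch another site's figures), which is what makes a multi-entity consolidation traceable.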
What this changes for the CFO and CSR Manager
For the CSR Manager, audit preparation doesn't start three months before the closing date. It begins as soon as data collection campaigns are launched. Every data point collected must be validated, sourced, and documented continuously, not just before the audit.
For the CFO, the challenge is to treat non-financial data with the same level of rigor as financial data. In your financial ERP, an auditor can trace any figure back to its source in a few clicks. Traceability is native. It must be the same for your sustainability data.
The right question to ask isn't "is our report compliant?" but "does our infrastructure allow an auditor to verify every figure without our teams spending three weeks reconstructing the history?"
How Harnest meets these requirements
Harnest is built around this principle of native auditability.
Each data point collected in Harnest has a complete history: who entered it, when, with what value, who modified it, and why. This traceability is automatic, not optional.
The validation statuses allow each organization to define its workflows: a contributor enters data, a manager validates, a final approver approves. Each step is timestamped and documented.
The access rights are managed by role and scope. A user only sees and modifies what they are authorized to see. The auditor can verify these rights directly.
The audit view of an issue lets you see every modification made to a sustainability issue, including the identity of each participant and the date of each action.
Harnest is hosted on SecNumCloud-qualified cloud infrastructure and uses Mistral AI for its artificial intelligence features. Your non-financial data does not leave European jurisdiction.
CSRD reporting is not the starting point for an audit. It's the result of structured management throughout the year. This is precisely why Harnest is a non-financial ERP, not just a reporting tool.
The right question to ask before choosing your ESG management infrastructure
Before selecting a tool to manage your non-financial data, ask four simple questions:
- If my OTI asks me to trace this data back to its source, how long will it take me?
- Can I show who validated each data point, and when?
- Is my ESG data, including information about my employees, processed in compliance with GDPR?
- Will my infrastructure allow me to transition to reasonable assurance if requirements change?
If you cannot clearly answer these four questions, you don't have a management tool. You have a document production tool.
