Australian Government
Auditing and Assurance Standards Board
Issued: September 2025
See Sustainability Assurance Homepage for background and copyright information.
When to apply ASSA 5000 and ASAE 3000
ASSA 5000 General Requirements for Sustainability Assurance Engagements (ASSA 5000) applies to both mandatory and voluntary sustainability assurance. See Sustainability Assurance for effective dates and the phasing in of mandatory assurance under the Corporations Act 2001
ASSA 5000 does not apply for assurance over information reported to the Clean Energy Regulator.
Until ASSA 5000 is applied, auditors should follow the relevant version of ASAE 3000 Assurance Engagements Other than Audits or Reviews of Historical Financial Information (ASAE 3000).
Similarities between ASSA 5000 and ASAE 3000
Both ASSA 5000 and ASAE 3000:
Main differences between ASSA 5000 and ASAE 3000
While ASSA 5000 is based on ASAE 3000, ASSA 5000 only deals with assurance engagements on sustainability information whereas ASAE 3000 applies to a broader range of assurance engagements. ASSA 5000 has been enhanced for sustainability engagements and also includes additional requirements and guidance based on the financial reporting auditing standards.
The table below outlines at a high level some of the main differences between ASSA 5000 and ASAE 3000.
|
Area |
ASAE 3000 |
ASSA 5000 |
|
Quality management |
ASAE 3000 requires the practitioner to be a member of a firm that is subject to ASQM 1, or other requirements that are ‘at least as demanding’ as ASQM 1. ASAE 3000 allows this determination to be made by the practitioner or firm. |
ASSA 5000 requires the practitioner to be a member of a firm that is subject to ASQM 1, or other requirements that are ‘at least as demanding’ as ASQM 1. ASSA 5000 requires the determination to be made by an appropriate authority. That authority must be identified in the practitioner’s report. The responsibilities of engagement leaders for engagement resources, direction, supervision and review in ASSA 5000 are closer to those of an engagement partner under the financial reporting auditing standards. |
|
Ethical requirements |
ASAE 3000 requires compliance with APES 110. A revised APES 110 with ethical requirements for sustainability assurance applies from 1 January 2026, subject to any later effective dates and transitional provisions in the revised APES 110. The ‘at least as demanding test’ applies in the same way as described for quality management above. |
ASSA 5000 requires compliance with APES 110. A revised APES 110 with ethical requirements for sustainability assurance applies from 1 January 2026, subject to any later effective dates and transitional provisions in the revised APES 110. The ‘at least as demanding test’ applies in the same way as described for quality management above. |
|
Materiality |
ASAE 3000 doesn’t deal with the materiality concepts listed at right for ASSA 5000. |
ASSA 5000 deals with the following materiality concepts. Disclosures It is not possible to determine a single materiality for the sustainability information as a whole, which includes qualitative and quantitative disclosures about a number of different topics and aspects of topics. ASSA 5000 requires the assurance provider to consider materiality for qualitative disclosures and determine materiality for quantitative disclosures. Double materiality Unlike ISSB and AASB standards, ‘double materiality’ applies under some reporting frameworks. Those frameworks focus on the information needs of both investors (e.g. impact on the entity’s financial performance) and social information requirements (e.g. impact on the environment). ASSA 5000 notes that double materiality may result in more granular materiality thresholds. Performance materiality Unlike ASAE 3000, ASSA 5000 requires the practitioner to determine performance materiality and to consider aggregation of uncorrected misstatements. |
|
Fraud and Non-Compliance with Laws and Regulations (NOCLAR) |
ASAE 3000 doesn’t contain specific requirements and guidance on fraud and NOCLAR. |
ASSA 5000 contains specific requirements and guidance on fraud and NOCLAR. Reporting of sustainability information, and the system of internal control related to sustainability matters and preparation of the sustainability information, may be less mature than for historical financial information. This may increase the susceptibility of the sustainability information to misstatements due to fraud, particularly when there are pressures for management to meet publicly announced targets or goals. ASSA 5000 requires practitioners to address the risk of management override of controls for reasonable assurance engagements. |
|
Pre-acceptance |
ASAE 3000 contains pre‑conditions for engagements but does not contain the specificity in ASSA 5000. |
ASSA 5000 expands on the pre‑conditions for engagements in ASAE 3000 and is more specific on:
|
|
Identifying and assessing risks of material misstatement |
ASAE 3000 doesn’t explicitly require a risk assessment but requires a broad understanding of the underlying subject matter sufficient to identify where a material misstatement is likely to arise. |
ASSA 5000 explicitly requires the practitioner to identify and assess the risk of material misstatement at the disclosure or assertion level (dependent on the level of assurance). The practitioner is required to obtain an understanding of several matters as a basis for the risk assessment, including:
|
|
Internal control |
ASAE 3000 only contains a high-level requirement for the practitioner to obtain an understanding of internal control over the preparation of the subject matter information in a reasonable assurance engagement. |
ASSA 5000 contains requirements on understanding and testing the system of internal control for both limited and reasonable assurance engagements. The practitioner must obtain an understanding of the aspects of the entity’s system of internal control relevant to the sustainability matters and the preparation of the sustainability information. For limited assurance, the practitioner obtains an understanding, through enquiry, of the entity’s system of internal control. For reasonable assurance obtaining an understanding is not limited to enquiry. |
|
Substantive procedures |
ASAE 3000 doesn’t require the response to risk of material misstatement to be addressed at the disclosure or assertion level. Requires the practitioner to design and perform procedures to respond to assessed risk but is not explicit on the nature of these procedures. |
ASSA 5000 requires the response to risk of material misstatement to be addressed at the disclosure or assertion level (dependent on the level of assurance). Requires the practitioner to design and perform procedures to respond to assessed risk and is explicit on the nature of these procedures. For reasonable assurance engagements, requires further substantive procedures where the assessed risk is at the upper end of the spectrum of risk. Irrespective of the assessed risks of material misstatement, the assurance provider must consider the need to design and perform substantiative procedures on disclosures that in the practitioner’s judgement are material. |
|
Estimates and forward‑looking information |
ASAE 3000 doesn’t provide specific procedures and responses required for limited and reasonable assurance on estimates and forward-looking information. |
ASSA 5000 provides specific procedures and responses required for both limited and reasonable assurance on estimates and forward-looking information. This includes applying the criteria and assessing management’s methods for developing estimates and forward‑looking information, and testing or developing a point estimate or range for reasonable assurance. |
|
Using the work of the practitioner’s expert |
ASAE 3000 has broad requirements when using the work of an expert. |
ASSA 5000 has more granular requirements on evaluating the adequacy of the expert’s work for the practitioner’s purposes. |
|
Using the work of another practitioner |
ASAE 3000 contains one high level requirement to evaluate whether the work of another practitioner is adequate for the practitioner’s purposes. |
ASSA 5000 defines ‘another practitioner’ and provides extensive requirements if the practitioner intends to obtain evidence from using the work of another practitioner. |
|
Group engagements |
ASAE 3000 doesn’t contain requirements for group engagements. |
ASSA 5000 contains requirements for group engagements, including defining component practitioners and including them as part of the engagement team. |
|
Documentation |
ASAE 3000 has less detailed requirements on engagement documentation. |
ASSA 5000 has more detailed requirements on engagement documentation, including documentation on quality management, materiality, risk assessment, overall responses to risk assessment, misstatements, stand back and subsequent events. |
|
Reporting |
ASAE 3000 doesn’t include illustrative assurance reports. |
ASSA 5000 includes illustrative assurance reports. The IAASB and AUASB are developing further illustrative reports, including reports under the Corporations Act 2001. |
|
Other information |
ASAE 3000 has a less rigorous approach to the practitioner obtaining, reading and considering other information and responding when a material inconsistency appears to exist or exists. |
ASSA 5000 has a more rigorous approach to the practitioner obtaining, reading and considering other information and responding when a material inconsistency appears to exist or exists. Other than being limited to cases where a material inconsistency appears to exist or exists, this is similar to the approach in the financial reporting audit standards. |
An educational video on this topic is under development.