
How enhanced internal controls lay the foundation for ESG reporting

Companies may need to improve internal control governance for sustainability reporting.


In brief

  • All organizations should consider the importance of obtaining reliable data.
  • Companies may be struggling to assign ownership of the end-to-end ESG reporting process.
  • Interdisciplinary skill sets are needed to improve ESG reporting processes and design effective controls.

As the environmental, social and governance (ESG) landscape continues to evolve, many organizations are preparing for a shift from voluntary to mandatory reporting based on new regulations such as the proposed Securities and Exchange Commission (SEC) climate rule and the European Commission’s Corporate Sustainability Reporting Directive (CSRD), among others.

The increased rigor introduced by mandatory regulatory reporting may drive a need for companies to enhance the overall effectiveness, efficiency and accuracy of underlying processes and reporting. Despite the current uncertainty around the content of and implementation guidance for these rules, some of which are pending, there are actions that companies can take now to develop a strong system of internal controls over ESG reporting, which may benefit all types of communication channels (voluntary or regulated).

To respond to the changing landscape, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released guidance to help organizations establish effective internal controls over sustainability reporting (ICSR).¹ COSO is made up of five global accountancy and auditing organizations and was founded in 1985 in response to regulatory and market concerns about the quality of financial reporting.

The foundation for this guidance is the globally recognized COSO Internal Control–Integrated Framework (ICIF) of 2013² that many organizations use to design, implement and monitor their internal controls over financial reporting (ICFR). The COSO ICSR guidance leverages the 17 principles of the ICIF under five components to help organizations embed processes for, and establish controls over, ESG reporting.

17 principles of ICIF

Control environment

1. Commitment to integrity and ethical values

2. Independent board of directors oversight

3. Structures, reporting lines, authorities, responsibilities

4. Attract, develop and retain competent people

5. People held accountable for internal control

Risk assessment

6. Clear objectives specified

7. Risks identified to achievement of objectives

8. Potential for fraud considered

9. Significant changes identified and assessed

Control activities

10. Control activities selected and developed

11. General IT controls selected and developed

12. Controls deployed through policies and procedures

Information and communication

13. Quality information obtained, generated and used

14. Internal control information internally communicated

15. Internal control information externally communicated

Monitoring activities

16. Ongoing and/or separate evaluations conducted

17. Internal control deficiencies evaluated and communicated

COSO’s 17 principles can help guide various entities, not just large publicly listed companies. All organizations should consider the importance of obtaining reliable data to manage risk, monitor their performance and report accurate information to their stakeholders. By using a familiar framework, the ICSR guidance helps companies apply the same systematic rigor expected in their financial reporting to their ESG reporting. Companies can consider a few key actions:

Actions/considerations 

  • Perform a materiality or double materiality assessment to prioritize ESG topics.
  • Perform a risk assessment to prioritize metrics for material ESG topics.
  • Understand current state internal processes and controls for ESG metric tracking, qualitative disclosures and reporting.
  • Establish standard processes, including robust controls to mitigate risks.
  • Continually improve ESG processes, enhancing policies, data, systems and controls.

Enhance the control environment over ESG reporting

The control environment serves as the foundation for all other components of an internal control framework.

An effective control environment, which also provides structure and discipline, should be flexible and designed to support a variety of topics across ESG and multiple communication channels.

Companies may have already defined high-level activities that shape the “tone at the top” over ESG reporting, including board and executive oversight as well as standards of conduct, among others. Companies should consider leveraging their financial reporting infrastructure to formalize entity-level controls (ELCs) over ESG reporting focused on appropriate oversight, structures, authority and competency of the board and management functions.

With tight budgets, competing priorities and a lack of ESG subject-matter expertise in many functions, companies are likely struggling to assign clear ownership across the end-to-end ESG reporting process, which can lead to duplication of efforts, lack of alignment across functions and gaps in key areas.

By defining board and management oversight roles for managing ESG disclosures, companies can establish ESG-specific roles, increase efficiency in end-to-end reporting processes and increase accountability for ESG across the enterprise.

Formalize internal control activities over priority ESG metrics

Companies may already report on a myriad of ESG topics on a voluntary basis.

To prioritize activities, companies may want to consider performing a risk assessment to identify key ESG reporting processes and metrics that should be subject to a stronger internal control environment based on regulatory reporting requirements and the results of existing materiality assessments.

For each prioritized metric, companies are likely building a process library leveraging ICSR that formally documents the current end-to-end metric reporting process, including identified risks and related controls documented in a risk and controls matrix for each process.

Interdisciplinary skill sets are needed to enhance current state ESG reporting processes and design effective controls. For example, some finance teams are assigning an ESG controller to:

  • Understand the regulatory reporting requirements.
  • Identify data sources and assess the level of confidence in systems and third-party data.
  • Challenge the assumptions used in judgments and estimates.
  • Formalize policies, including defining relevant guidelines (e.g., Greenhouse Gas Protocol), establish estimation approaches and drive consistent compliance.
  • Design effective controls, determine the extent of procedures performed over data and calculations, and determine required documentation that should be maintained and ultimately monitor the effectiveness of controls once in place.

Conversely, sustainability teams know the subject matter and are best positioned to:

  • Define policies, including selecting calculation methodologies and estimation approaches, and determine appropriate sources of information.
  • Perform control procedures, including performing calculations and reviewing outputs.

Many functions responsible for ESG data and calculations are not familiar with internal controls and the importance of accurate data. Assigning individuals responsible for the completeness and accuracy of information and providing them with training and guidance regarding control expectations can result in greater success in achieving operating effectiveness.³

Companies may identify deficiencies in the design or operating effectiveness of controls as they begin implementing them. Monitoring controls and communicating results to those charged with governance will likely be key to proper oversight and effective change management.

Design for the future

It is a journey to properly design, implement and maintain effective controls.

Continuous enhancements should be made to policies, procedures and controls to drive consistency, increase reporting accuracy and shorten the reporting cycle in consideration of future regulatory reporting timelines.⁴

In some instances, companies may be able to enhance data collection for improved accuracy, while in other instances, more estimation may be required for data that is not available in a timely manner. Over time, the level of data availability and use of automation should improve. In the interim, companies will need to have strong controls in place to assess the methodology, judgments and estimates used in manual calculations to adequately address the risk of error in ESG reporting.

Companies are increasingly shifting from manual to technology-enabled processes to improve structured data sources, perform calculations and connect data to reporting platforms. Some systems may already be leveraged; however, gaps may exist and third-party software may provide a more fit-for-purpose solution. Automating processes can significantly enhance internal controls, though companies should consider information technology general controls (ITGCs) when selecting and implementing systems. Companies should invest the time to define their ESG requirements holistically across all ESG topics to avoid selection of platforms that are too narrow in focus to meet future internal and external reporting needs, including proper controls.


Summary

Enhancing internal controls to improve the reliability of ESG reporting is a complex undertaking, and COSO’s ICSR framework provides companies with a guide to enhance processes and establish controls over ESG reporting. Finance and sustainability teams can leverage each other’s skills and experiences in enhancing the control environment, formalizing internal controls over ESG reporting and preparing for this shift from voluntary to regulated ESG reporting.
