Chapter #1
Enhance the control environment over ESG reporting
The control environment serves as the foundation for all other components of an internal control framework.
An effective control environment, which also provides structure and discipline, should be flexible and designed to support a variety of topics across ESG and multiple communication channels.
Companies may have already defined high-level activities that shape the “tone at the top” over ESG reporting, including board and executive oversight as well as standards of conduct, among others. Companies should consider leveraging their financial reporting infrastructure to formalize entity-level controls (ELCs) over ESG reporting focused on appropriate oversight, structures, authority and competency of the board and management functions.
With tight budgets, competing priorities and a lack of ESG subject-matter expertise in many functions, companies are likely struggling to assign clear ownership across the end-to-end ESG reporting process, which can lead to duplication of efforts, lack of alignment across functions and gaps in key areas.
By defining board and management oversight roles for managing ESG disclosures, companies can establish ESG-specific roles, increase efficiency in end-to-end reporting processes and increase accountability for ESG across the enterprise.
Chapter #2
Formalize internal control activities over priority ESG metrics
Companies may already report on a myriad of ESG topics on a voluntary basis.
To prioritize activities, companies may want to consider performing a risk assessment to identify key ESG reporting processes and metrics that should be subject to a stronger internal control environment based on regulatory reporting requirements and the results of existing materiality assessments.
For each prioritized metric, companies are likely building a process library leveraging ICSR that formally documents the current end-to-end metric reporting process, including identified risks and related controls documented in a risk and controls matrix for each process.
Interdisciplinary skill sets are needed to enhance current-state ESG reporting processes and design effective controls. For example, some finance teams are assigning an ESG controller to:
- Understand the regulatory reporting requirements.
- Identify data sources and assess the level of confidence in systems and third-party data.
- Challenge the assumptions used in judgments and estimates.
- Formalize policies, including defining relevant guidelines (e.g., Greenhouse Gas Protocol), establish estimation approaches and drive consistent compliance.
- Design effective controls, determine the extent of procedures performed over data and calculations, determine the documentation that should be maintained, and ultimately monitor the effectiveness of controls once in place.
Conversely, sustainability teams know the subject matter and are best positioned to:
- Define policies, including selecting calculation methodologies and estimation approaches, and determine appropriate sources of information.
- Perform control procedures, including performing calculations and reviewing outputs.
Many functions responsible for ESG data and calculations are not familiar with internal controls and the importance of accurate data. Assigning individuals responsible for the completeness and accuracy of information and providing them with training and guidance regarding control expectations can result in greater success in achieving operating effectiveness.³
Companies may identify deficiencies in the design or operating effectiveness of controls as they begin implementing them. Monitoring controls and communicating results to those charged with governance will likely be key to proper oversight and effective change management.
Chapter #3
Design for the future
Properly designing, implementing and maintaining effective controls is a journey.
Continuous enhancements should be made to policies, procedures and controls to drive consistency, increase reporting accuracy and shorten the reporting cycle in consideration of future regulatory reporting timelines.⁴
In some instances, companies may be able to enhance data collection for improved accuracy, while in other instances, more estimation may be required for data that is not available in a timely manner. Over time, the level of data availability and use of automation should improve. In the interim, companies will need to have strong controls in place to assess the methodology, judgments and estimates used in manual calculations to adequately address the risk of error in ESG reporting.
Companies are increasingly shifting from manual to technology-enabled processes to improve structured data sources, perform calculations and connect data to reporting platforms. Some systems may already be leveraged; however, gaps may exist and third-party software may provide a more fit-for-purpose solution. Automating processes can significantly enhance internal controls, though companies should consider information technology general controls (ITGCs) when selecting and implementing systems. Companies should invest the time to define their ESG requirements holistically across all ESG topics to avoid selection of platforms that are too narrow in focus to meet future internal and external reporting needs, including proper controls.
Summary
Enhancing internal controls to improve the reliability of ESG reporting is a complex undertaking, and COSO’s ICSR framework provides companies with a guide to enhance processes and establish controls over ESG reporting. Finance and sustainability teams can leverage each other’s skills and experiences in enhancing the control environment, formalizing internal controls over ESG reporting and preparing for this shift from voluntary to regulated ESG reporting.