As U.S., U.K., and EU companies approach impending climate disclosure deadlines, industry veterans are likening the incoming assurance requirements to the advent of Sarbanes-Oxley. While companies are initially required to provide limited assurance, they can expect more stringent assurance demands as time goes on. The pressure for stronger assurance is reflected in the SEC’s March 2024 climate-related disclosure rules, which call for large accelerated filers to issue limited assurance reports for Scope 1 and Scope 2 Greenhouse Gas (GHG) emissions for the fiscal year beginning (FYB) in calendar year 2029, with reasonable assurance starting in FYB 2033.
Download the full Sustainability and ESG Guide for a deep dive into the subject and read on to learn:
- What your organization can expect in terms of assurance costs and upcoming climate disclosure deadlines
- How internal audit can lead the charge to leverage existing financial reporting structures to achieve similar transparency for climate reporting
- A checklist of key capabilities to seek in your ESG technology solution.
Climate Disclosures, Reporting, and Assurance: What to Expect
Like SOX, preparing for ESG assurance is expected to be not only time consuming, but also costly for impacted businesses. The SEC’s initial proposal estimated assurance costs as follows:
- Limited Assurance (Accelerated Filers):
  - Cost Range: $30,000 to $60,000
  - Median Cost: $45,000
- Limited Assurance (Large Accelerated Filers):
  - Cost Range: $75,000 to $145,000
  - Median Cost: $110,000
- Reasonable Assurance (Accelerated Filers):
  - Cost Range: $50,000 to $100,000
  - Median Cost: $75,000
- Reasonable Assurance (Large Accelerated Filers):
  - Cost Range: $115,000 to $235,000
  - Median Cost: $175,000
Yet, according to a recent KPMG research study of over 750 companies across industries, global regions, and revenue sizes, 75 percent of businesses do not feel adequately equipped to have their ESG data independently assured. As compliance deadlines draw near, how can internal audit teams support their organizations in developing the necessary ESG policies, skills, and systems required for adequate assurance?
Upcoming Climate Disclosure Deadlines
SEC Climate-Related Disclosure Rules (US)
- Large accelerated filers
  - All required disclosures except for GHG emissions for FYB 2025
  - Material Scope 1 and Scope 2 GHG emissions for FYB 2026
  - Limited assurance on GHG disclosures for FYB 2029; reasonable assurance on GHG disclosures for FYB 2033
- Accelerated filers
  - All required disclosures except for GHG emissions for FYB 2026
  - Material Scope 1 and Scope 2 GHG emissions for FYB 2028
  - Limited assurance on GHG disclosures for FYB 2031
- Smaller reporting companies, emerging growth companies, and non-accelerated filers
  - All required disclosures (no GHG reporting requirements) for FYB 2027
Corporate Sustainability Reporting Directive (EU)
- Companies already subject to the Non-Financial Reporting Directive (NFRD): FY 2024
- Large companies that are not currently subject to the NFRD: FY 2025
California Climate Accountability Package
- SB 261: FY 2025
- SB 253: FY 2026
Understanding Internal Audit’s Role in ESG Assurance
The internal audit function should act as an objective third line in ensuring audit-ready data ahead of an external ESG audit, relying on guidance from departments like Finance and Compliance/Ethics to ensure coverage against frameworks and requirements. Internal audit should therefore take the lead in incorporating ESG into its audit plans, from annual and ongoing risk assessments to audit planning and audit execution. Internal audit can provide additional assurance by advising on ESG reporting and validating risk mitigation activities. In the AuditBoard and Deloitte guide, How to Audit ESG Risk & Reporting, the authors describe several approaches to integrating ESG risk and reporting in internal audit plans, depending on the business’s baseline ESG program maturity:
- Integrated audit approach: For ESG program elements not yet mature enough for standalone assessments, organizations can employ an integrated audit approach, incorporating ESG-related considerations into existing audits to ensure appropriate identification and documentation of ESG activities. By integrating ESG-focused questions into planning documents or checklists, internal auditors can gain an initial understanding of potential risks and opportunities across the organization.
- Standalone reviews: Internal audit can conduct standalone reviews of mature aspects of their ESG program, offering insights into policies, controls, and responsibilities at a specific point in time. This includes evaluating executive sponsorship, resource allocation, project plans, and the source data’s completeness, accuracy, and availability for ESG disclosures.
- Focused reviews: For ESG areas of high stakeholder concern or low risk appetite, internal audit may conduct more targeted reviews resembling traditional audits. These focused reviews, increasingly mandated by regulators, involve comprehensive assessments of policies, processes, and individual elements within the ESG program. Internal audit teams may incorporate periodic checkpoints to ensure effective implementation of action plans, although in some cases findings may be left to management’s discretion for remediation, without subsequent oversight.
Leveraging Assurance Lessons From SOX Compliance
The climate disclosure regulations above call for a level of transparency comparable to that of financial disclosures. Therefore, another useful approach when preparing for ESG assurance is applying established SOX methodologies to assess, evaluate, and monitor the effects of climate risks, including their impact on specific financial metrics. AuditBoard and Deloitte’s How to Audit ESG Risk & Reporting guide provides a number of example SOX activities that can be used in ensuring audit-ready ESG data, including:
- Identification of material balance sheet accounts.
- Mapping material accounts to underlying processes.
- Identifying key controls and secondary controls for those processes.
- Documenting the processes and controls with walkthrough narratives, flowcharts, and risk/control matrices (RCMs).
- Identifying applications and IT general controls (ITGCs) that support the processes and controls.
- Capturing a risk assessment of the ESG environment.
- Defining your organization’s level of required assurance covering internal controls over ESG.
- Training for control owners, reviewers, and internal auditors that includes discussion about the cultural mindset across the organization.
- Providing reporting to senior management.
Third-Party Certifications
In addition to internal audit and external audit assurance, another type of ESG assurance is third-party certifications. COSO’s Achieving Effective Internal Control Over Sustainability Reporting (ICSR) guidance notes reliance on third-party certifications is a key risk relating to sustainable business information. The report also mentions third-party certifications as a control activity, stating: “As a control activity, organizations may look to certifications (other than the reports of independent auditors on the financial statements). This includes third-party verification of supplier operations and representations. In doing so, however, it is important for the organization to consider and ensure that the confirmation mechanisms of the information provider are reliable. An organization will benefit from understanding the underlying methodologies and criteria for certification and whether they align with its own policies and objectives.”
Internal audit can greatly benefit from utilizing enabling technology to facilitate its assurance efforts, including testing, review, and issue remediation efforts. We explore this in more detail in Chapter 9.
Using Enabling Technology For ESG Auditing and Reporting
Auditing and reporting on ESG data is a complex challenge given the volume and decentralized nature of ESG data. From our experience, the top auditing and reporting related challenges businesses frequently experience when implementing ESG programs include:
- Lack of visibility into ESG risks and controls for effective prioritization
- Difficulty adjusting framework coverage to keep up with a shifting regulatory landscape
- Labor-intensive evidence collection and inconsistent data collection methods
- Data quality issues, as referenced in Chapter 7
- Lack of timeliness, transparency, and agility to effectively address gaps
- Labor-intensive reporting
If your organization does not already have an audit, risk, or compliance management solution, investing in enabling technology should be a priority on your ESG committee’s agenda. The right technology can help alleviate a number of common challenges inherent in achieving effective ESG assurance, most importantly by centralizing and standardizing your ESG data. As illustrated in the visual below, your choice of ESG repository will sit at the intersection of many critical junctures in ESG data collection, testing, and reporting. The right solution will also play a role in supporting a healthy reporting ecosystem, where ESG data is updated and communicated between relevant stakeholders in a continuous feedback loop.
The right ESG compliance solution can enable efficient data management and safeguard data integrity. Good quality data is essential for effective ESG strategy, and technological solutions ensure data accuracy, consistency, and ease of access. Moreover, tech platforms are becoming increasingly effective for ESG reporting, helping to simplify the process of collecting, aggregating, and reporting ESG metrics. This, in turn, makes it easier for companies to communicate their sustainability efforts with shareholders, employees, and the public.
Based on AuditBoard’s experience helping teams implement and improve their ESG programs, the following are our top recommendations for capabilities to look for when sourcing an ESG technology solution.
Checklist: Key Capabilities to Seek in Your ESG Technology Solution
- Centralizes data and facilitates data collection. The solution should efficiently collect quantitative and qualitative metric data across reporting locations in an auditable manner that can then be seamlessly linked to one or multiple frameworks. This connection facilitates automatic updates in the output framework.
- Framework-to-framework mapping. Seek a solution that functions like a best-in-class compliance management platform that easily accommodates ESG frameworks. Best-in-class compliance solutions support multiple compliance requirements by enabling framework-to-framework mapping for coverage across various regulatory requirements and standards.
- Streamlines external and internal reporting. The same process used to map data to frameworks in the technology solution is also utilized to create custom reports. The solution should enable the generation of reports in various formats, suitable for both periodic external documents and impromptu internal documents. Reports should allow for cross-functional collaboration while maintaining data accuracy and auditability.
- Automates audit processes. Look for workflow capabilities that facilitate and streamline audit testing processes, including version control monitoring, audit logs, and change management documentation.
- Easy to use, intuitive interface. This is important for user adoption time and impacts the likelihood that your ESG stakeholders will utilize the technology. Pay attention not only to the interface used to collect data, but also to whether it improves users’ visibility into key information like reporting period, unit of measure, etc.
- Quick implementation timeframe. How quickly the solution can be implemented is directly connected to how soon benefits can be realized, and is a good indicator of the technology’s ability to integrate into ESG processes.
- Flexibility to evolve. Not only is it important for the solution to support your ESG processes, it is equally important that it is flexible enough to adapt to changing business conditions with ease. After all, you don’t want to get stuck with ongoing scope creep, implementation costs, or having to contact support every time you want to change something.
The future of more responsible sustainability and ESG reporting starts with informed and proactive steps today. For more insight on navigating the challenges of new and upcoming ESG disclosures, AuditBoard’s Sustainability and ESG Guide provides actionable solutions to ensure a resilient and effective ESG program. Seize the opportunity to stay ahead — download the full guide to uncover essential tips and best practices for shaping your ESG strategy.