For businesses based in the US and EU, establishing internal control over your climate-related disclosures will soon be a compliance requirement, in addition to an excellent way to signal your organization’s commitment to sustainability. Setting up internal control over sustainability reporting (ICSR) does not necessitate starting from scratch, as climate-related disclosure controls come within the scope of internal control over financial reporting (ICFR). This allows organizations to follow the precedent set by their existing structure and practices surrounding ICFR, while also relying on existing personnel and procedures to guide the way.
Moreover, taking steps to establish internal control over ESG reporting data from the starting point of disclosure controls can help set an assurance precedent for your business’s nonfinancial ESG internal controls.
Download the full Sustainability and ESG Guide for a deep dive into the subject and read on to learn:
- Leveraging COSO’s Internal Control — Integrated Framework to get started with internal controls over sustainability reporting
- Opportunities and areas for integrating climate-related disclosure data into your SOX disclosure controls and procedures
- Tips for ESG teams when developing internal control over sustainability reporting (ICSR) via an integrated approach
Getting Started With COSO Guidance
In Leveraging the COSO Internal Control — Integrated Framework to Improve Confidence in Sustainability Performance Data, authors Robert Hertz, a Board Director of the SASB Foundation, and Brad Monterio, a former Board Member of the IMA, write:
“[A]n organization may find it most effective to leverage the control framework currently used in financial reporting to also establish internal control over the achievement of both internal and external sustainability reporting objectives.”
Before getting started, your sustainability reporting stakeholders should first familiarize with COSO’s guidance on achieving internal control over sustainability reporting using the 2013 COSO Internal Control Integrated Framework. This guidance details how the 17 ICIF principles apply to sustainability in a way that is comparable to traditional financial accounting and reporting and highlights areas of opportunity for integration.
Integrating Climate Disclosures Into Your SOX Disclosure Controls and Procedures
SOX Section 302 disclosure controls and procedures represent the last mile of approval before a SOX report is published and filed. The structure around this particular process of certifying financial disclosure controls can be utilized to establish internal control over climate-related financial statement metrics and related disclosures. Some opportunities and areas for integrating climate-related disclosure data into your SOX disclosure controls and procedures include:
- Disclosure Committee. Integrate climate disclosures into your existing SOX 302 process by expanding your existing disclosure committee for SEC reporting to oversee climate-related material disclosure controls and procedures. This can involve adding the appropriate sustainability individual(s) to the committee. Another option is for your existing disclosure committee to designate a subcommittee or working group that oversees climate-related disclosure controls and procedures. If your business decides to create a separate sustainability disclosure committee, it can be highly beneficial to designate members who sit on both committees to streamline coordination and formal communication between the two.
- Audit Committee/Board Oversight. Relevant activities can include the review of controls’ effectiveness—particularly where significant deficiencies or material weaknesses related to sustainability information are identified—as well as oversight of the independent auditor, if one is engaged, to provide assurance over reported material sustainability information.
- Risk and Materiality Assessments. The SOX risk assessment is a core component of designing, implementing, and maintaining effective internal control over financial performance data. Risk assessment and determining materiality are key activities to determining what matters to your business. Therefore, incorporate questions in your risk assessment that aim to capture the environmental and climate-related risks and opportunities most likely to have material impacts on your business’s bottom line and operating performance.
- Key Sustainability Metrics. In Leveraging the COSO Internal Control — Integrated Framework to Improve Confidence in Sustainability Performance Data, the authors write: “By viewing sustainability through the lens of financial materiality[,] an organization can focus on covering a small subset of sustainability metrics that are most important to its success over time by reducing risk and contributing to growth and value creation.” The key takeaway is to start small so you don’t overwhelm your ICFR team. Begin by integrating several key sustainability performance indicators into your financial disclosure controls and procedures. “Pick your top five KPIs and let it grow and develop over time,” advises Cora Olsen, project lead on sustainability reporting at Novo Nordisk.
- Control Activities. Leverage existing control activities and documentation from financial transactions and reporting areas when developing controls around sustainability-related material risks. “Even if responsibilities for performance management and internal control cross departmental lines, they can be agreed to and carefully documented,” COSO’s ICSR guidance states. This requires engaging and educating relevant ICFR stakeholders, including the legal team, financial reporting team, and board of directors, on their new areas of responsibility. Your designated sustainability disclosure committee member or subgroup should lead this education process.
- Sub-Certifications. Integrating climate-related disclosure controls in your SOX certification process is an efficient way to create internal control over material sustainability performance data. Representatives from your sustainability disclosure committee should engage process and control owners in charge of certifying financial reporting transactions and educate them about their new areas of responsibility in certifying climate-related disclosure controls.
Integrating ESG Into Your Existing Audit and Risk Management Processes
“Where possible, the organization should consider leveraging existing controls, systems, and expertise to establish effective internal control over sustainability performance data in the most efficient and cost-effective way.”
— Leveraging the COSO ICIF to Improve Confidence in Sustainability Performance Data
Establishing an ESG risk and controls program from scratch is daunting — though it does not need to be this way. Depending on the maturity of your business’s enterprise risk program, there will be opportunities to integrate ESG risks and controls into your existing processes. Based on guidance from COSO and other industry sources, the following are tips for ESG teams when developing internal control over sustainability reporting (ICSR) via an integrated approach.
Tip 1: Specify ESG Objectives With Sufficient Clarity
When developing your ESG controls, start by working backwards from your desired ESG disclosures, both financial and nonfinancial. Your ESG steering committee should aim to uncover — through discussions with the financial disclosure committee and executive leadership — what the business’s top ESG reporting objectives are. COSO ICIF-2013 Principle 6 tells us that an organization’s oversight system functions well when the reporting objectives are considered along with the organization’s other objectives, including its internal and operating objectives. This promotes the development of an effective system and enterprise-wide engagement.
In Leveraging the COSO ICIF to Improve Confidence in Sustainability Reporting, the authors write: “An organization may wish to use a similar approach to the one it uses for financial reporting, such as establishing information processing objectives—for example, completeness, accuracy, validity, and restricted access (CAVR)—related to key sustainability-related assertions.”
Tip 2: Determine Which Compliance Requirements Overlap With ESG
Depending on the scope and maturity of your company, you will likely have some compliance requirements related to ESG already. As discussed in the preceding chapter, SOX compliance is one such example. Just as integrating climate-related disclosures into your SOX report will save you time and energy, there may be other areas of ESG covered by your organization’s existing compliance and reporting activities that can serve as a starting point for enhancing ICSR.
Some examples include:
- Data privacy and protection regulations, such as GDPR, CCPA, and UK GDPR.
- ISO’s ESG-related standards, including:
- ISO 27001: Information Security, Cybersecurity and Privacy Protection
- ISO 1400: Environmental Management Systems
- ISO 45001: Occupational Health and Safety
- ISO 50001: Energy Management
- ISO 26000: Social Responsibility
- The SEC’s human capital disclosure rule, which requires publicly-traded companies to submit annual reports on human capital resources.
Identifying these overlapping areas can help direct your compass for maturing your ESG control structure and avoiding redundant controls and control activities.
Tip 3: Focus First On Financial Materiality
Honing in on your business’s financially material ESG disclosures first can shed light on the necessary operational controls required to support their related processes and outputs. Not only does doing so tame the scope of establishing an ESG controls program, but it also helps create a foundation for non-financial ESG disclosures that aligns with the structure and rigor of ICFR. Another benefit is the weight placed on accurate and verifiable ESG statements and claims. Adopting a similar approach to substantiating non-financial sustainability metrics is an optimal way to direct your business away from potential greenwashing in its sustainability reporting efforts.
“As disclosure controls should already be in place for periodic and special reporting, a company’s disclosure committee, and legal and financial reporting teams, may be well-positioned to implement a control structure for the reporting of ESG data that is integrated with a company’s regular public reporting, including data that is voluntarily disclosed.”
— COSO, Achieving Effective Internal Control Over Sustainability Reporting (ICSR)
Tip 4: Incorporate ESG Into Your Overarching Risk Management Plan
As you develop or revise your organization’s risk management plan, you’ll want to consider how ESG risks and opportunities intersect with other types of risks. Take stock of your risks and opportunities and use your stakeholders’ answers to help you keep track of ESG risks that may not have shown up in your initial drafting. A report by Deloitte Ireland promotes full integration of ESG into risk management plans, concluding that “future developments in regulation, an increase in ESG expertise in the industry and resulting improvements in available data should lead to the ongoing maturity of firm’s ESG risk management capabilities.” This is also the approach promulgated by the IFRS and ISSB’s Integrated Reporting Framework.
Tip 5: Ask Your Sarbanes-Oxley Specialists for Help
Your SOX team has a wealth of knowledge and expertise in developing and maintaining internal controls. Tap into this valuable experience by asking for their help and guidance in developing your ESG controls. As your ESG reporting team develops entity- and transaction-level controls, manual and automated controls, and preventive and detective controls, engaging your internal audit and SOX colleagues can help shed light on gaps in coverage and identify opportunities for improvement.
Tip 6: Leverage Sub-Certifications
Even non-financial sustainability metrics should be verified and substantiated to avoid greenwashing claims. Leveraging the SOX sub-certification process when testing your ESG controls is a way to subject your ESG disclosures to a similar level of coverage and assurance as your financial reporting disclosures. The following are some considerations when performing sub-certifications on your ESG disclosures:
ESG Sub-Certifications Checklist
- Be aware of any changes to disclosures and related requirements.
- Be cognizant of any promotions or role changes that have resulted in changes to disclosure ownership.
- Understand if any changes have altered the organization’s ability to meet its control objective.
- Determine if any changes to disclosures result in any gaps that would need to be mitigated.
- Leverage the power of an integrated platform to surface risks early to allow for careful evaluation and disclosure.
The future of more responsible sustainability and ESG reporting starts with informed and proactive steps today. For more insight on navigating the challenges of new and upcoming ESG disclosures, AuditBoard’s Sustainability and ESG Guide provides actionable solutions to ensure a resilient and effective ESG program. Seize the opportunity to stay ahead — download the full guide to uncover essential tips and best practices for shaping your ESG strategy.
