Establishing Governance and Internal Controls Over ESG Reporting

Spencer Roundy, Managing Director, Internal Audit Services
Daniela Lundin, Senior Manager, Business Consulting Services
Madison Poitras, Senior Manager, Environmental, Social, and Governance Services

Environmental, social, and governance (ESG) reporting is becoming a top priority as organizations understand the benefits related to ESG strategies ranging from long-term value creation to lowered compliance costs.

Management boards increasingly demand strong governance structures and internal controls over ESG data. Organizations are designing and implementing controls over the collection, review, and reporting of sustainability and ESG information.

Establishing effective governance over internal controls isn’t a one-time task but a continuous process that requires commitment.

This article covers:

What Is ESG?

The categories that comprise ESG—environmental, social, and governance—provide an opportunity for organizations to evaluate their impact on, and position in, a society that wants sustainability. ESG is a set of factors that American businesses use to capture and communicate decision-useful information to investors, lenders, shareholders, and stakeholders.

ESG is a framework to assess how well organizations provide reliable, consistent, and comparable ESG data. The framework creates an opportunity for organizations to explain how they increase their competitive advantage in the marketplace. Each ESG category includes criteria an organization can assess to address the needs of investors, customers, shareholders, employees, and members.

How Has the ESG Regulatory Environment Changed?

The ESG regulatory environment continues to tighten within and outside of the U.S. This change is driven by investor demand for consistent and comparable information regarding an issuer’s climate-related risks. The number of ESG-related enforcement actions filed to date continues to grow with this demand.

The SEC indicated a goal of October 2023 for the adoption of the proposed rule 33-11042, The Enhancement and Standardization of Climate-Related Disclosures for Investors. Learn more about the proposed rule in the alert SEC Proposes Rules to Require Climate-Related Disclosures.

Outside of the SEC Climate Disclosure proposal, other regulations and pending bills include:

  • The European Union’s Corporate Sustainability Reporting Directive (CSRD). Approved in November 2022 by the European Council and the European Parliament, the directive modernizes and strengthens the rules concerning the social and environmental information that companies must report. A broader set of large companies, including some US companies with EU operations, will now be required to report on sustainability.
  • California’s Climate Corporate Data Accountability Act (Senate Bill 253). The proposed bill cleared the California senate on May 30, 2023, and will next go before the California State Assembly for another vote. If the bill becomes law, the public and investors know the carbon emissions from partnerships, corporations, limited liability companies, and other California business entities with revenues in excess of $1 billion. The proposed bill reflects California’s goals for sustainability.

Why is an ESG Governance Program Important?

An ESG governance program ensures that the ESG function can achieve its organizational goals. Establishing governance structures is necessary for:

  • Credibility and Accountability. Governance structures ensure that the information disclosed in ESG reports is complete and accurate.
  • Regulatory Compliance. Governance structures can help organizations comply with domestic and global regulatory requirements so as to avoid penalties.
  • Investor & Stakeholder Confidence. Governance structures assures stakeholders that the organization is transparent about its impact and committed to sustainable and ethical practices.
  • Risk Management. Governance structures over ESG reporting help organizations identify, assess, and manage ESG-related risks.
  • Standardization. Organizations usually report on ESG factors differently; this makes cross company comparisons challenging. A standard governance structure can ensure consistency, comparability, and quality in reporting.
  • Long-Term Value Creation. ESG performance is tied to long-term value creation. Governance ensures that organizations embed ESG into their corporate mission and culture.
  • Employee Engagement and Retention. Employees seek purpose-driven work environments. A commitment to ESG values can improve employee engagement, job satisfaction, and retention rates.
  • Adaptability and Competitive Advantage. An ESG governance program enhances a company's ability to adapt to changing circumstances (e.g., climate change impacts and evolving societal expectations) - this innovation enhances an organization’s competitive edge in the market.
  • Supply Chain Management. ESG considerations extend beyond a company's operations to its supply chain. An ESG governance program helps identify risks within the supply chain, promote responsible sourcing, and foster positive relationships with suppliers.

An ESG governance policy must be accompanied by ESG-related internal controls to maintain its effectiveness.

How Do You Establish Effective Governance Over ESG-related Internal Controls?

Establishing governance over ESG-related internal control involves creating roles and responsibilities, risk management and regulator auditing.

Organizations need to create a governance structure that delineates roles and responsibilities across organizations, from the board to management to employees.

Governance over ESG-related internal controls requires training for all staff. Periodic monitoring of these controls ensures that everyone understands their role in the internal control system.

Design and Implement ESG-Related Internal Controls

To design internal control activities, an organization should complete the following:

  • Complete an ESG Risk Assessment. Control activities should address the organization’s ESG risk appetite. By completing a risk assessment, the organization will identify and rank high risk processes within the organizations related to ESG. The risk assessment should include factors such as impact and likelihood so as to rank those risks which need control activities.
  • Define the ESG Control Objective. Based on the risk, define a clear and concise control objective. The objective should describe the desired outcome of implementing the control. It should be measurable.
  • Determine ESG Control Activities. Determine the control activities that need to be implemented to achieve the control objective.
  • Assign Responsibility. Assign responsibility for each control objective to specific controls owner or team. Those assigned should have the necessary authority and resources to effectively implement and operate the controls.
  • Monitor and Review. Once control objectives are defined and controls are implemented, monitor their effectiveness. This ensures controls are working as intended and identifies areas of improvement.

The organization should consider an integrated approach when defining ESG control objectives and implementing ESG controls. The control environment should already be in place within the organization before this implementation. Most organizations already have risk assessments, risk appetite metrics, and risk strategies that include ESG risk considerations. Including ESG risks and corresponding controls within the existing control framework will ease ESG control implementation efforts and create a stronger control environment.

Areas of ESG Internal Controls

ESG internal controls cover key areas.

A table describing topics governed by ESG controls

Lessons Learned from the Sarbanes-Oxley Act (SOX)

Pressure on organizations to assess, manage, and disclose ESG risk has created an increase in ESG audits and financial audits that incorporate ESG data. A demand for the same rigor that goes into SOX financial reporting will soon be required for ESG. Companies that plan for these new regulations are at an advantage when external assurance is needed.

In March 2023, Committee of Sponsoring Organization (COSO) developed an integrated framework that provides guidance on Achieving Effective Internal Controls over Sustainability Reporting. This framework mentions the value in leveraging existing controls. SOX processes may be modified and applied to ESG information.

Who Should Be Involved with ESG Governance?

Cross-functional teams provide a holistic viewpoint across an organization to create stronger control environments and governance structures. Assembling and educating a cross-functional should be done early. Cross-functional teams provide diverse perspectives and subject matter expertise in assessing sustainability-related issues, metrics, and controls. Organizations should draw from multiple departments, including human resources, risk, internal audit, finance, legal, and compliance to support and lead the ESG function.

Internal Audit Team

The role of internal audit is to assure ESG initiatives’ effectiveness, integrity, and alignment with organizational objectives. With regards to ESG, internal audit can pinpoint areas where the company might be subject to ESG risk related to reputational damage, non-compliance, and operational inefficiencies.

Internal audits to review, verify, and improve ESG practices becomes increasingly vital as ESG concerns become more integrated into business operations and strategy. ESG auditing helps in risk management and fosters trust among all stakeholders.

Chief Financial Officer

The role of the Chief Financial Officer (CFO) in ESG has evolved and expanded. Today, a CFO should help identify, assess, and mitigate ESG-related risks to help ensure the organization’s financial resilience.

Controller

The role of a controller in a company revolves around overseeing control environments related to the accounting and financial reporting functions. The controller’s role intersects with ESG in various ways.

The controller must ensure the accuracy and completeness of ESG metrics alongside other financial data. Ensuring the reliability of ESG data requires robust internal control. Successful controllers oversee these controls to ensure ESG reporting integrity.

IT Team

Many institutions have never gathered ESG data before or are gathering this data from third parties. This raises concerns over the quality and reliability of ESG data. Teams have relied on manual processes that don’t achieve completeness and accuracy objectives.

ESG reporting requires the collection, storage, and analysis of vast amount of data, much of which comes from diverse sources. The IT team ensures that there are adequate systems in place to support these data collection and retention processes.

IT teams should ensure that general IT controls are in place for system access, changes, and monitoring related to the collection, verification, security, and retention of ESG data. IT general controls should be designed and implemented to consider protection of ESG data from cybersecurity threats and data regulation requirements.

We’re Here to Help

For guidance on establishing governance and internal controls around ESG initiatives, contact your Moss Adams professional.

Additional Resources

Ask a Question

Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Cadence Assurance LLC, a Moss Adams company. Wealth management offered through Moss Adams Wealth Advisors LLC. Services from India provided by Moss Adams (India) LLP.

Related Topics

How Internal Audits Help Organizations Grow and Adapt to Change
Common Questions About Environmental, Social, and Governance (ESG)
The Rise of ESG

Contact Us with Questions

Enter security code:
 Security code