On March 6, 2024, the SEC issued a final rule requiring registrants to disclose climate-related information in their registration statements and annual reports. See additional details in the alert, SEC Finalizes Climate Disclosure Rule, published March 12, 2024.
Environmental, social, and governance (ESG) reporting is becoming a top priority as organizations understand the benefits related to ESG strategies ranging from long-term value creation to lowered compliance costs.
Management boards increasingly demand strong governance structures and internal controls over ESG data. Organizations are designing and implementing controls over the collection, review, and reporting of sustainability and ESG information.
Establishing effective governance over internal controls isn’t a one-time task but a continuous process that requires commitment.
This article covers:
The categories that comprise ESG—environmental, social, and governance—provide an opportunity for organizations to evaluate their impact on, and position in, a society that wants sustainability. ESG is a set of factors that American businesses use to capture and communicate decision-useful information to investors, lenders, shareholders, and stakeholders.
ESG is a framework to assess how well organizations provide reliable, consistent, and comparable ESG data. The framework creates an opportunity for organizations to explain how they increase their competitive advantage in the marketplace. Each ESG category includes criteria an organization can assess to address the needs of investors, customers, shareholders, employees, and members.
The ESG regulatory environment continues to tighten within and outside of the U.S. This change is driven by investor demand for consistent and comparable information regarding an issuer’s climate-related risks. The number of ESG-related enforcement actions filed to date continues to grow with this demand.
The SEC indicated a goal of October 2023 for the adoption of the proposed rule 33-11042, The Enhancement and Standardization of Climate-Related Disclosures for Investors. Learn more about the proposed rule in the alert SEC Proposes Rules to Require Climate-Related Disclosures.
Outside of the SEC Climate Disclosure proposal, other regulations and pending bills include:
An ESG governance program ensures that the ESG function can achieve its organizational goals. Establishing governance structures is necessary for:
An ESG governance policy must be accompanied by ESG-related internal controls to maintain its effectiveness.
Establishing governance over ESG-related internal control involves defining roles and responsibilities, managing risk, and preparing for regulatory audits.
Organizations need to create a governance structure that delineates roles and responsibilities across the organization, from the board to management to employees.
Governance over ESG-related internal controls requires training for all staff. Periodic monitoring of these controls ensures that everyone understands their role in the internal control system.
To design internal control activities, an organization should complete the following:
The organization should consider an integrated approach when defining ESG control objectives and implementing ESG controls. The control environment should already be in place within the organization before this implementation. Most organizations already have risk assessments, risk appetite metrics, and risk strategies that include ESG risk considerations. Including ESG risks and corresponding controls within the existing control framework will ease ESG control implementation efforts and create a stronger control environment.
ESG internal controls cover key areas.
Pressure on organizations to assess, manage, and disclose ESG risk has created an increase in ESG audits and in financial audits that incorporate ESG data. The same rigor that goes into SOX financial reporting will soon be demanded for ESG. Companies that plan for these new regulations are at an advantage when external assurance is needed.
In March 2023, the Committee of Sponsoring Organizations (COSO) developed an integrated framework that provides guidance on Achieving Effective Internal Controls over Sustainability Reporting. This framework notes the value of leveraging existing controls: SOX processes may be modified and applied to ESG information.
Cross-functional teams provide a holistic viewpoint across an organization to create stronger control environments and governance structures. Assembling and educating a cross-functional team should be done early. Cross-functional teams provide diverse perspectives and subject matter expertise in assessing sustainability-related issues, metrics, and controls. Organizations should draw from multiple departments, including human resources, risk, internal audit, finance, legal, and compliance, to support and lead the ESG function.
The role of internal audit is to assure ESG initiatives’ effectiveness, integrity, and alignment with organizational objectives. With regard to ESG, internal audit can pinpoint areas where the company might be exposed to ESG risk related to reputational damage, non-compliance, and operational inefficiencies.
Internal audits to review, verify, and improve ESG practices become increasingly vital as ESG concerns become more integrated into business operations and strategy. ESG auditing supports risk management and fosters trust among all stakeholders.
The role of the Chief Financial Officer (CFO) in ESG has evolved and expanded. Today, a CFO should help identify, assess, and mitigate ESG-related risks to help ensure the organization’s financial resilience.
The role of a controller in a company revolves around overseeing control environments related to the accounting and financial reporting functions. The controller’s role intersects with ESG in various ways.
The controller must ensure the accuracy and completeness of ESG metrics alongside other financial data. Ensuring the reliability of ESG data requires robust internal control. Successful controllers oversee these controls to ensure ESG reporting integrity.
Many institutions have never gathered ESG data before or are gathering this data from third parties. This raises concerns over the quality and reliability of ESG data. Teams have relied on manual processes that don’t achieve completeness and accuracy objectives.
ESG reporting requires the collection, storage, and analysis of vast amounts of data, much of which comes from diverse sources. The IT team ensures that adequate systems are in place to support these data collection and retention processes.
IT teams should ensure that general IT controls are in place for system access, changes, and monitoring related to the collection, verification, security, and retention of ESG data. IT general controls should be designed and implemented to consider protection of ESG data from cybersecurity threats and data regulation requirements.
For guidance on establishing governance and internal controls around ESG initiatives, contact your Moss Adams professional.