Addressing the Gap Between Looming ESG Reporting Requirements and Internal Audit Functions

In 2021, the United States Securities and Exchange Commission (SEC) created the Climate and ESG Task Force to proactively identify ESG-related misconduct and protect investors from inaccurate ESG disclosures.[1] Throughout 2021 and 2022, the Climate and ESG Task Force filed enforcement actions against publicly traded companies across a variety of industries for the provision of misleading ESG disclosures.[2] With proposed SEC[3] regulations in the United States and Corporate Sustainability Reporting Directive (CSRD)[4] regulations in the European Union (EU) on the horizon, public companies must prepare for potential requirements to include detailed sustainability data in financial and related reporting as soon as 2025. Beyond SEC regulations, some U.S. companies and financial institutions that meet certain size thresholds and do business in the EU may need to comply with the CSRD. With expanded reporting requirements and complexity, it is likely that scrutiny from regulatory agencies will increase in tandem. Consequences of noncompliance could include litigation, regulatory enforcement, and monetary fines.

Internal audit processes supported by comprehensive internal controls provide a foundation for the successful governance of ESG data tracking, monitoring, and analysis by ensuring the ability to accurately measure and monitor performance. However, despite movement by regulatory bodies globally to mandate ESG and climate-related disclosures, according to a 2021 white paper from The Institute of Internal Auditors’ North American Pulse of Internal Audit, ESG and sustainability-related engagements only made up about 1% of typical internal audit plans for North American companies in 2021.[5] If efforts needed to comply with SEC and/or CSRD reporting requirements are remotely similar to those that were required by internal finance, accounting, and audit teams upon the passing of The Sarbanes-Oxley Act of 2002 (SOX), then companies should begin strategically allocating resources as soon as feasible to the development of internal controls and an effective governance structure to ensure relevant high-quality data can be made available for public reporting. To prepare for impending reporting requirements as soon as 2025, companies must act now. 

Leveraging insights from SOX compliance requirements and guidance from the internal control framework provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO),[6] companies should begin conducting risk assessments, evaluating the control environment, creating control activities, and testing and monitoring existing and evolved processes to address control gaps on an ongoing basis. COSO provides supplemental insights to its authoritative 2013 Internal Control – Integrated Framework (ICIF) in a 2017 study focused on improving sustainability performance data,[7] and additional guidance on sustainability is currently in development.[8] When done correctly, robust processes can be developed that allow relevant individuals at all levels of the organization to effectively track and input critical ESG data in a compliant manner.

With this context, below we have outlined a roadmap aligned with the COSO framework that will allow corporates to begin developing sound audit processes and internal controls to accelerate compliance with the impending regulations:

Benefits of Ensuring Proper Internal Controls Are In Place Over Your ESG Program:

1. Proactive identification and mitigation of ESG risk

Identify processes and metrics that currently lack controls and may be exposing the company to risk. Performing a well-rounded risk assessment can help serve as a starting point for the design or evaluation of any internal audit process. ESG aside, the identification of risk should be followed by the implementation of proper internal controls to manage identified risks. This same logic, assessment, and process applies to ESG data management and reporting, including the identification and analysis of material misstatements, which can include inaccurate data, inconsistencies within formal financial filings, or omissions.[9] In-depth risk assessments focused on audit and controls can be used to identify material issues – often performed in conjunction with a traditional ESG materiality assessment – and ensure organizations can effectively prioritize focus and resource allocation to critical areas, such as technology and personnel.

Along with risk assessments and ongoing testing of the control environment, organizations must establish policies, processes, and control activities to produce accurate information for decision-making and gain the ability to confirm the quality of data being generated and reported.[10] Organizations should develop internal controls that address the relevance, completeness, accuracy, timing, and consistency around ESG metrics and reporting. A robust internal control environment will ensure an organization can appropriately address and mitigate ESG risks in an effective and timely manner, increase an organization’s confidence in the completeness and accuracy of external reporting, and ultimately limit liability.

2. Clear delineation of data governance and oversight responsibilities

Clearly define roles and responsibilities to manage ESG processes, data, and public disclosures.

We find that a well-defined and strategic governance structure with clear oversight, accountability, roles, and responsibilities serves as the cornerstone of a company’s data and the integrity of related disclosures. In addition to defining an executive-level ESG Steering Committee and designating ESG responsibilities within the Board of Directors – relatively commonplace occurrences today – best practices also underscore the importance of assigning a dedicated control owner that is responsible for managing the data associated with each ESG-related process. Control owners would have a similar role to control owners in companies’ internal control over financial reporting. Among others, control owner responsibilities may include understanding where ESG data lives in an organization and ensuring the organization-wide execution of defined processes.

Additionally, the formal documentation of policies and processes is critical. It serves as an efficient and effective way for organizations to communicate expectations regarding the collection and presentation of ESG data both internally and externally. Well-defined policies, such as a Data Use and Protection Policy or a Human Rights Policy, also serve as critical guidelines for building processes and controls. Such policies allow an organization to remain transparent and clear about expectations in addition to identifying dedicated owners that support its governance and overall accountability. With the above context, we believe the creation of an explicit role with responsibility and accountability for the integrity of ESG data is critical to enabling auditability, improving decision-making capabilities, and limiting liability.

3. Informed decision making and management of ESG issues

Implement consistent monitoring of data and review of internal controls.

Strong controls in combination with well-designed enterprise data management systems can streamline the translation of an organization’s raw data into decision-useful KPIs. Automated processes to extract, transform, and load data can help to preserve data lineage through ties to source documents while mandating points of interaction or signoff by internal stakeholders. Processes can also be introduced to calculate KPIs based on a systematized methodology, provide comparisons to historical and industry performance, assess outliers, and create responsive dashboards to enhance the presentation and monitoring of key ESG metrics.

Such focus on data tracking and monitoring forces organizations to hold themselves accountable against expected progress while also helping to rally leadership and the broader employee base around any needed improvements. For example, if an organization tracks greenhouse gas emissions, has related reduction targets, and recognizes weak performance, it is a signal to management of the potential need to allocate additional resources to this effort. In this way, high-quality data in which leaders have the confidence to make critical business decisions will enable organizations to continuously improve their ESG performance over time.

4. Confident public disclosure of ESG data

Enable streamlined reporting processes backed by accurate quantitative data.

As with financial reporting, data presented in ESG reports should be accurate. Inaccurate disclosures put an organization at risk of litigation as well as tarnishing its reputation and reducing interest from the investment community. Proper internal controls around ESG performance data should allow an organization to have confidence to leverage data for both reporting and strategic decision making. They also facilitate constant data-readiness, which will allow an organization to save time and potentially reduce the complexity and cost of ESG reporting whether companies report on an annual, interim, or event-based schedule.

Equally as important, a company can remain confident in its ability to interact authentically and accurately with investors, suppliers, customers and community members. With consistent monitoring, organizations can demonstrate progress on ESG goals and initiatives. When the time comes for annual reporting, a repository of data will be available for disclosure which can lead to improved ESG scores, increased investor confidence, and improved public perception. To enhance data integrity, while also increasing efficiency and control in ESG data collection and reporting processes, companies are exploring ESG reporting software solutions. These solutions govern data collection and related workflows, support framework mapping, provide clear audit trails around data and report content changes, and serve as a “one source of the truth” collaboration environment for reporting stakeholders.

Conclusion

As sustainability reporting matures, strong internal controls and data integrity are important to streamline reporting, demonstrate strong ESG management, and avoid greenwashing by backing up reported efforts and progress with reliable quantitative measures. With a strong internal controls environment that is tested and monitored throughout the year to identify and remediate control gaps, executives can be confident in attesting to externally reported ESG data. Amidst a backdrop of pending and uncertain regulatory action, internal audit processes present an opportunity to proactively introduce measures to ensure data integrity and prepare for potential ESG and climate reporting regulations, including third-party assurance requirements. Development of internal controls can help to hedge against policy developments, but regardless of final regulatory action, the benefits of audit stand to advance companies’ ESG programs beyond compliance through stronger oversight, data availability for decision making, and accurate reporting backed by quality data.

[1] “SEC Announces Enforcement Task Force Focused on Climate and ESG Issues,” U.S. Securities and Exchange Commission (March 4, 2021), https://www.sec.gov/news/press-release/2021-42.

[2] “Spotlight on Enforcement Task Force focused on Climate and ESG Issues,” U.S. Securities and Exchange Commission (modified November 29, 2022), https://www.sec.gov/spotlight/enforcement-task-force-focused-climate-esg-issues.

[3] “SEC Proposes Rules to Enhance and Standardize Climate-Related Disclosures for Investors,” U.S. Securities and Exchange Commission (March 21, 2022), https://www.sec.gov/news/press-release/2022-46.

[4] “Corporate Sustainability Reporting,” European Commission (last accessed January 27, 2023), https://finance.ec.europa.eu/capital-markets-union-and-financial-markets/company-reporting-and-auditing/company-reporting/corporate-sustainability-reporting_en.

[5] “Internal audit’s role in ESG reporting: Independent assurance is critical to effective sustainability reporting,” The Institute of Internal Auditors, p. 6 (2021), https://www.theiia.org/globalassets/site/content/articles/iia-white-paper—internal-audits-role-in-esg-reporting.pdf.

[6] “Guidance on Internal Control,” Committee of Sponsoring Organizations of the Treadway Commission (last accessed February 23, 2023), https://www.coso.org/sitepages/internal-control.aspx?web=1.

[7] Robert H. Herz, Brad J. Monterio, and Jeffrey C. Thomson, “Leveraging the COSO Internal Control—Integrated Framework to Improve Confidence in Sustainability Performance Data,” The Association of Accountants and Financial Professionals in Business (September 2017), https://www.imanet.org/research-publications/white-paper/coso-framework-and-sustainability.

[8] “COSO Board Approves Study on Sustainability/ESG,” The Committee of Sponsoring Organizations of the Treadway Commission (February 24, 2022), https://www.coso.org/Shared%20Documents/COSO-Board-Approves-Study-on-Sustainability-ESG-Press-Release.pdf.

[9] “Audit Risk Assessment,” Association of International Certified Professional Accountants (last accessed January 27, 2023), https://www.aicpa.org/topic/audit-assurance/risk-assessment.

[10] “Internal audit’s role in ESG reporting: Independent assurance is critical to effective sustainability reporting,” The Institute of Internal Auditors, p. 3 (2021), https://www.theiia.org/globalassets/site/content/articles/iia-white-paper—internal-audits-role-in-esg-reporting.pdf.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2023 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
