Significant changes to ESG reporting requirements are underway, and according to a recent KPMG survey, almost all respondents (92%) agree that boards express increased expectations for how ESG risks are handled[1].
Effective internal controls are key for companies to meet the new reporting requirements and the increased expectations of ESG risk handling.
What are the new requirements?
With the EU’s new reporting standard, Corporate Sustainability Reporting Directive (“CSRD”), there will be substantial changes that can be summarized as[2]
- Many more companies will have to report, including large private entities and several organizations headquartered outside the EU.
- Expansion of the scope and number of ESG KPIs to be reported for topics including biodiversity, resource use (Environmental), your own organizations, and suppliers, workers (Social), and business conduct (Governance).
- Mandatory third-party assurance of ESG reporting.
- Disclosure will have to follow what the EU calls a “double materiality” perspective, meaning that companies have to report the impacts of their activities on people and the environment, and how sustainability matters affect the company.
Certain transitional measures are in place, such as companies may omit disclosure relating to their value chains if it is unavailable if they disclose efforts made to obtain such information[3].
What are some of the risks related to sustainability reporting?
These new reporting requirements can be a challenging task to implement. According to an article from the Institute of Internal Auditors (IIA), the following can be seen as relevant sustainability reporting risks[4] if these regulatory changes are not handled properly by a company:
- Invalid and misleading information stemming from inadequately designed controls and systems.
- Compromises to credibility because of overly optimistic assumptions in setting targets.
- Reporting beyond the minimum standards and raising stakeholder expectations that may not be met in practice.
- General misalignment risk, where ESG reporting is inconsistent with other financial disclosures or corporate communications.
- ESG is seen as a ‘box-ticking’ exercise. This is a strategic risk because the underlying goal of the ESG policy is to drive a transition to sustainability. Meeting this goal implies business innovation and perhaps changes to core activities, strategies, and even business models.
- ESG is seen as marginal rather than central to a company’s activities.
What is internal control over sustainability reporting?
In order to mitigate the above mentioned risks and meet the growing expectations of sustainability reporting that can be trusted, applying effective internal controls is necessary. COSO’s integrated framework, originally from 1992 and refreshed in 2013, is a good starting point for implementing internal control over sustainability reporting (ICSR). COSO released a new guidance in 2023 on how the internal control framework can be applied to sustainability reporting[5]. One of the key takeaways from the 100-page guidance is that effective internal control is achieved when the 17 COSO principles are present and functioning. See also the table below for an overview of these principles.
Why is it difficult to achieve efficient internal controls over sustainability reporting?
According to COSO, some of the key challenges for internal controls of sustainable reporting is the immature systems and unstructured data. Compared to traditional financial reporting, sustainable business information, at many companies, generally, comprehensive systems are not yet in place and data comes from a variety of sources, including spreadsheets and email. Furthermore, sustainable business reporting, for both internal and external users, typically relies on information that comes from multiple internal systems, including, for example, human resources systems, facilities, operations, and procurement. The COSO guidance furthermore states that many of the existing platforms for ESG reporting are too inflexible[5].
How can use of technology and Corporater help?
As the COSO guidance states, software providers that offer platform solutions for gathering, categorizing, sorting, analyzing, and reporting sustainable business information via dashboards for internal decision making and into reports for external users can be an efficient and instrumental part of an organization’s design of control activities over its sustainable business information processes. Built-in audit trails that capture the steps in processing the information help ensure information completeness, accuracy, and integrity. In short, the technology turns unstructured data into structured data so that it can be integrated and tracked, eventually for reporting on management dashboards, annual reports, and regulatory filings.
Overall, the right technology platform can play a crucial role in improving information and communication related to internal control over sustainability reporting, by providing a centralized platform for storing and managing information, automating the flow of information within the organization, and facilitating communication and collaboration among relevant stakeholders.
Corporater’s strength is in the flexibility and the overall capabilities that can manage all of the above and can be suited to your sustainability reporting process.
In the table below, the 17 COSO principles are summarized together with how they can be applied to ESG according to COSO ESG guidance, and how technology and use of Corporater’s software can contribute.
| COSO component | Internal control principle | Applied to ESG sustainability reporting[6] | How Corporater’s software can help |
| Control Environment | 1. Commitment to integrity and ethical values | An entity demonstrates its commitment to acting sustainably. | Use of an integrated platform where values and sustainability commitments are transparent and efficiently communicated. |
| 2. Independent board of directors’ oversight | Oversight by an independent board of directors serves as a check that management is acting in accordance with the organization’s sustainable business objectives. | Ensure efficient oversight through custom, role-based dashboards for your teams, departments, and business units, and generate comprehensive reports for the Board, executive leadership, and other key stakeholders. | |
| 3. Structures, reporting lines, authorities, responsibilities | As it endeavors to meet its sustainable business objectives, an organization’s management establishes internal structures that set out authority and responsibilities. | Corporater’s digital twin model mirrors the structures of the organization, interconnects different departments, and offers a comprehensive virtual overview of the business. | |
| 4. Attract, develop, and retain competent people | To meet its sustainable business objectives, an organization depends on its human resources. | With Corporater, you can align employee goals, training, and incentives with your business strategy and link compensation to targeted metrics. | |
| 5. People held accountable for internal control | To meet its sustainable business objectives, an organization needs to establish and implement meaningful ways to support its human resources and, at the same time, monitor performance. | With Corporater you can manage, monitor, and improve performance at an organizational, departmental, and individual level, including internal control responsibilities. | |
| Risk Assessment | 6. Clear objectives specified | An organization’s sustainable business objectives follow from its commitment to integrity and ethical values. Explicit expression of these objectives is a predicate to considering risks, that is, the likelihood that events will occur that may be detrimental to the organization’s ability to satisfy them. | With Corporater you can customize KPIs and metrics and monitor them at various levels of your organization. Keep track of your strategic plans, projects, and initiatives on executive, management, or team dashboards, and include analyzed risks related to your sustainability objectives. |
| 7. Risks identified to achievement of objectives | In identifying and assessing risks, the organization estimates the potential effects of various scenarios on its sustainable business objectives. This process includes both qualitative identification and, as appropriate, quantitative assessment that monetizes the potential effects of the risks. | With Corporater you have an integrated system where users can identify, analyze, evaluate, communicate, and carry out regular risks assessments and set up stronger controls on risks. It includes an early risk warning system designed specifically for risk identification, risk assessment, and risk communication. The solution also comes with Monte Carlo simulation functionality, which enables estimation of the probability for loss according to the Value at Risk methodology – both on the individual risk level and on aggregated / consolidated scenarios. | |
| 8. Potential for fraud considered | In identifying and assessing the risks to achieving its sustainable business objectives and developing an effective response, an organization considers the risk that actors will engage in fraudulent activities such as intentional misstatements or misappropriation of valuable resources. | Corporater can reduce misconduct through increase transparency, strengthen ethical behavior and demonstrate compliance with various individual accountability and conduct (IAC) regimes. | |
| 9. Significant changes identified and assessed | As part of identifying and assessing risks to the achievement of its sustainable business objectives, an organization considers emerging trends. Sustainability-related risks are evaluated in an ongoing manner or periodically to respond to regulatory trends and economic drivers. | Corporater ERM solution enables you to continuously assess risks and threats posed to your organization’s operations and objectives. The solution enables automated aggregation of risks up the chain and provides a systematic flow of information that aids in efficient, risk-based decision making. | |
| Control Activities | 10. Control activities selected and developed | Once an organization has identified and assessed risks to achieving its sustainable business objectives, it designs, develops, and implements means to counter these risks, partly or completely. This helps ensure that oversight activities are responsive to sustainable business objectives, including reporting, and related risks. | Corporater Internal Control System can be configured with a comprehensive set of tools and functionalities needed for effective internal control information including control dashboards, risk analysis, data integration (including third-party data integration), data visualization, automated workflows, alerts and notifications, and reporting. |
| 11. General IT controls selected and developed | An organization designs its control activities to respond to risks to achieving its sustainable business objectives. In doing so, it considers the extent to which it will rely on technology. This includes leveraging existing IT systems to the collection, processing, reporting, and security of sustainable business information. | Use Corporater for gathering, categorizing, sorting, analyzing, and reporting sustainable business information, and turn unstructured data into structured data so that it can be integrated and tracked. | |
| 12. Controls deployed through policies and procedures | An organization uses various means of oversight to direct its sustainable business objectives. Primary among these means is established policies and procedures. These policies and procedures promote clarity in how the organization will meet its sustainable business objectives. | Use Corporater for a single source of truth for your corporate policies and procedures with Corporater Policy Management software. Provide your employees with an easy-to-use centralized system to create policies, manage policy updates, and generate compliance reports. | |
| Information and Communication | 13. Quality information obtained, generated, and used | An organization needs quality data that informs whether its processes are facilitating its ability to meet its sustainable business objectives. | Corporater can be used for Unifying your data into a single source of truth and making it easily accessible to those who need it, when they need it, leads to improved communication, streamlined operations, better decision making, and company-wide transparency. |
| 14. Internal control information internally communicated | Once an organization establishes oversight structures and expresses policies and procedures, it communicates these structures and policies throughout the organization. This communication facilitates the understanding of all actors regarding their responsibilities for meeting the organization’s sustainable business objectives. | Corporater can be used to Communicate policies and procedures across your organization and ensure that they are read and understood. Keep policies and procedures up-to-date and easily accessible to your employees. | |
| 15. Internal control information externally communicated | Once an organization establishes oversight structures and expresses policies and procedures, it communicates these structures and processes to external parties, such as debt and equity investors and other stakeholders, who are relying on these processes for the delivery of reliable sustainable business information. | With Corporater you can achieve a holistic oversight of your organizational compliance in a single view. Make your policies, procedures, and controls available on shared dashboards, where everyone can access them. | |
| Monitoring Activities | 16. Ongoing and/or separate evaluations conducted | Once implemented, an organization revisits its oversight structures and processes to ensure that they are effective in facilitating its ability to meet its objectives around sustainable business. These reassessments may be scheduled and ongoing, or they may be performed as specific needs arise. | With Corporater you can conduct risk-based internal audits on the effectiveness of the organization’s risk and compliance management and provide reports to the governing body and management. Drive a culture of continuous improvement by aligning audits to strategic priorities and operational needs and assessing the effectiveness of the implemented controls. |
| 17. Internal control deficiencies evaluated and communicated | As an organization reassesses its structures, policies, and procedures regarding its sustainable business activities, it communicates its findings so that actors better align their activities in accordance with the organization’s sustainable business objectives. | Corporater can accelerate the resolution of audit issues by reviewing uncovered issues within business context. Create action plans to reduce risk and track their implementation progress. Use standardized remediation plans and templates to address repeated issues. |
