Looking for an Advantage? Focus on Internal Controls for ESG

Management and boards are increasingly seeking a competitive advantage in the complex landscape of sustainability reporting. Whether the goal is to stand behind sustainability metrics that differentiate a company from its competitors, improve ESG ratings, or minimize the execution risk associated with ESG reporting requirements, timely, relevant and reliable data are key to achieving it. With heightening demand for granular reporting and attestation on sustainability and ESG metrics, internal controls have emerged for many as one of the areas with the greatest potential for gains.

“For many companies, establishing proper processes and controls around ESG data may simultaneously be one of their biggest challenges while also offering the greatest potential for competitive advantage in the months ahead,” said Dan Harris, BDO Audit Partner and Sustainability & ESG Assurance Leader. “As scrutiny of ESG data continues to increase, risks are mounting for those who fail to meet stakeholder expectations, and establishing effective internal controls is key to accurate and timely reporting.”  

ESG reporting is no longer a corporate fashion statement. To resonate with stakeholders, ESG efforts must be verifiable and transparent. This article — part of a BDO series on ESG assurance — describes the critical need for robust controls over ESG data and how companies can think strategically about developing their capabilities in this area.

Complex data demands effective controls

A variety of forces are driving organizations to report on their ESG performance: requirements from investors and lenders, demands from customers and vendors (often for the purpose of reporting their own ESG data), a focus on ESG ratings, and expectations from employees, to name a few. As ESG reporting evolves, the level of detail at which reporting is made and performance is tracked is becoming more granular. All of this increases the complexity of ESG reporting and its importance to the business.

Regulators are reinforcing this trend. Final and proposed rules in the U.S., Europe and elsewhere could bring ESG metrics into public filings, intensifying the scrutiny of ESG data and increasing the risk associated with any potential errors in reporting. This is particularly true for ESG disclosures that would be subject to attestation, for example certain climate-related disclosures under the Securities and Exchange Commission (SEC) proposed rule, or broader ESG disclosures under the EU rules. In both cases, a company's exposure to misstatements in ESG data increases once that data is included in public filings.

Fulfilling stakeholder ESG reporting expectations can pose challenges that include establishing robust processes and controls over data collection and reporting. And for many companies that are collating ESG data for the first time, the related processes and controls will not yet have the formality and rigor associated with those over financial data. “The controls and processes supporting preparation of corporate ESG disclosures are identified by many companies as ripe for improvement,” Harris said. “This may expose companies and their management and boards to unanticipated levels of risk - and on the flip side, have the potential to represent a differentiator when designed and implemented effectively.”

Several other factors may complicate the process for reporting on ESG data as compared to reporting on financial data (see exhibit 1). It is critical that companies establish robust controls to ensure data quality and produce meaningful disclosures that can withstand the rigors of third-party attestation, which has become a key competitive differentiator. “Internal controls over data collection may currently be a lower priority task for rank-and-file managers, but poor quality at the source exposes companies to serious risks,” said Christopher Tower, National Managing Partner, Sustainability and ESG. “Managers need to be appropriately informed and incentivized to ensure rigor and limit potential risk.”

Exhibit 1: Contrasts in Financial Information and ESG Information

| | Financial Information | ESG Information |
|---|---|---|
| Regulations | Established, with incremental change | Evolving rapidly |
| Frameworks | Single, commonly used frameworks (e.g., GAAP and IFRS) | Multiple, independently developed frameworks that may differ by topic (e.g., SASB, TCFD, GRI) |
| Reporting format | Standardized, with consistent presentation | Highly variable with inconsistent presentation |
| Location of records | Largely within a single department (Finance) | Spread across multiple departments (e.g., Human Resources, Procurement, Facilities, Operations, Finance) |
| Assurance | Required, standardized, provided by public accounting firms | Increasingly important, evolving, provided by a range of firms, with a shift from smaller boutique firms to public accounting firms |
| Processes and controls | Robust, generally functioning well, automated | Work in progress, frequent use of spreadsheets and manual collection methods |

ESG is a team sport

While ESG reporting shares some attributes with financial reporting, the controls environment and responsibilities for ESG reporting reach more broadly throughout the organization. Below is a summary of the key functions involved in the ESG reporting process and their responsibilities.  


Board of Directors and CEO

The board and CEO play an important role in leading and overseeing the ESG control environment. They set the “tone at the top” by demonstrating active, visible support for reliable and transparent data. Given evolving ESG expectations, board members must ensure they are adequately educated in the intricacies of ESG reporting and data needs. A board or CEO that lacks expertise in topics such as diversity, equity and inclusion (DE&I) or climate disclosures may inadvertently fail to meet stakeholder expectations.  


Chief Sustainability Officer (CSO)

It is critical that organizations designate a leader who is responsible for collation, tracking and reporting of ESG data. The number of companies employing CSOs and giving them a seat on the executive team is growing rapidly, while many smaller companies may assign these duties to a senior-level employee involved in investor relations or finance. The CSO generally works closely with the finance function to ensure proper collection, evaluation and reporting of ESG information, coordinating disparate departments responsible for collecting data, and providing updates to the board. 



The finance department often serves as a final repository for ESG data and may be heavily involved in the management of the data and supporting records, particularly if the CSO lacks their own team. The finance team may also be involved in the internal controls and processes for ESG data and ESG reporting largely because of their established expertise in these areas from a financial reporting perspective, and familiarity with reporting requirements of the SEC and other regulators. We expect the ESG-related responsibilities of finance departments to intensify as new regulatory frameworks take effect. 


Internal Audit

The internal audit team independently evaluates processes and controls related to data collection and reporting. The team works independently of the CSO and CFO, and reports to the board. The internal audit team is the last line of defense in ensuring the company is ready to bring in a third party to attest to the data. As organizations increase their internal audit team’s responsibilities to evaluate ESG reporting, it is essential that there is a corresponding level-up in the related expertise of the internal audit team members.


Operations, Human Resources, and Procurement

Numerous other functions are assuming ESG reporting responsibilities, mainly for producing and collating data and ensuring that it is accurate and timely. For example, human resources professionals gather data on DE&I; the procurement department aggregates climate and other environmental data from suppliers; and the operations team provides data from manufacturing, logistics, and transportation, to support sustainability metrics. These and other functions that are part of the ESG reporting cycle will need to ensure that they have effective data collection processes and controls.

Go for technological advantage

Given the emerging nature of ESG reporting, many companies have relied on manual spreadsheets to collate and manage ESG data. But as Harris cautions, “A system based on spreadsheets makes it very difficult to establish an effective control environment. It’s expensive, inefficient and prone to errors.” 

In response to the breadth and complexity associated with ESG reporting, there has recently been a proliferation of ESG technology platforms. These tools can promote data quality by streamlining and alleviating some of the challenges associated with manual tracking of ESG data. When selecting a platform, companies should consider the following:

  • Wide variety of scope, capabilities and cost between differing software solutions
  • Point solution vs. a full enterprise solution
  • Integration with legacy software systems
  • Ability to capture ESG data for multiple topics and indicators
  • Flexibility in data visualization and analysis
  • Cybersecurity safeguards that allow for restricted access and segregation of duties
  • Alignment between the platform’s development roadmap and the company’s future technology needs
  • Project and change management capabilities
  • Sufficiency of technical support, and company and product longevity

How do you move your ESG controls forward?

Given the increasing importance of ESG data and its potential as a competitive differentiator, companies can benefit from establishing a rigorous control environment, particularly as they move towards seeking third-party attestation of this data. Developing a strong ESG program, of which establishing robust and formal internal processes and controls is a critical component, provides stakeholders with confidence in the quality of ESG reporting.

BDO prioritizes producing leading insights to help companies understand how they can navigate the ESG assurance landscape. Executives are encouraged to follow this series for comprehensive, value-added insights on ESG reporting and assurance.