ESG Controls Essentials: Complying With New Requirements

ESG disclosures have taken the spotlight in recent years as part of a trend of increased scrutiny around risk, compliance, and cybersecurity. In 2022, the US Securities and Exchange Commission (SEC) released a proposal to require select climate- and greenhouse gas (GHG) related disclosures from registrants — similar to existing frameworks, like the Task Force on Climate-Related Financial Disclosures (TCFD) and the Greenhouse Gas Protocol. The proposal aims to standardize ESG reporting, giving investors and other stakeholders a common foundation with which to make their decisions. The SEC’s announcement suggested that these reporting processes take a risk management-based approach.

ESG reporting is currently voluntary; however, there are regulatory reporting requirements in flight, including the European Commission’s Corporate Sustainability Reporting Directive (CSRD), which could affect companies as soon as FY2024.

In the UK, ESG and climate-related disclosures are expected to be tweaked in 2023, and go into effect by 2025.

As customers and consumers have become increasingly conscious of environmental and social issues, so too have investors, corporate executives, employees, and stakeholders. Around the world, priority has been placed on sustainability and human rights, driving the focus on ESG reporting. While ESG reporting is not required or included as part of financial reporting, many investors are now incorporating ESG information into their financial decision-making.


What Is Environmental, Social, and Governance (ESG) Reporting?

ESG stands for Environmental, Social, and Governance. ESG reporting, or ESG disclosure, involves releasing reports on a company’s or organization’s impact on the environment and on society, and on how its governance structure enables it to oversee these areas.

  • The “E” in ESG focuses on climate change, greenhouse gas emissions, and other matters related to climate risk. 
  • The “S” in ESG covers civil rights; diversity, equity, and inclusion (DEI); human rights; human capital, and even healthcare-related topics. 
  • The “G” in ESG involves governance, and has to do with how well an organization’s internal controls are functioning; a business’s ESG strategy; and how the company handles ESG risks.

To publish reports on ESG topics, an organization must first be prepared to collect relevant ESG data. Aggregating valid ESG data can be a challenge for public companies and beyond, since businesses today may not have the equipment, technology, or automation in place to gather the right ESG information. Selecting the right ESG metrics, technology, and methods of data collection can make the road to effective ESG disclosures that much smoother.

What Are ESG Metrics?

ESG metrics are the metrics that feed into ESG reporting, and include metrics relevant to environmental, social, and governance matters. The SEC in particular has taken a strong stance against “greenwashing” by public companies and mutual funds, which occurs when companies misrepresent their ESG posture, often overstating their credentials or data. The current trend toward formalizing ESG reporting is partially driven by the desire to stymie greenwashing and establish clear, common measures for reporting on ESG matters.

However, as we await the finalization of ESG requirements around the world, there are some common trends in acceptable and frequently used metrics. Organizations are encouraged to take a risk-based approach to ESG metrics, starting with the company’s ESG goals and objectives, and taking into consideration what stakeholders and investors would expect to see. Then, based on those goals, an organization can determine what ESG data to collect, what ESG key performance indicators (KPIs) should be included in reporting, and what initiatives could affect ESG information. Establishing industry and year-over-year benchmarks can indicate how well a company is doing versus its competitors and how the organization is trending, whether toward a reduction (i.e., environmental metrics) or an increase (i.e., social metrics).

Some environmental and sustainability reporting metrics and data companies should consider for ESG disclosures are:

  • Greenhouse gas emissions
  • Air pollution
  • Water consumption
  • Energy efficiency
  • Waste management
  • Supply chain considerations

Socially-relevant metrics to consider for ESG disclosure include:

  • Diversity, Equity, and Inclusion (DEI)
  • Community involvement
  • Customer satisfaction
  • Data protection and privacy
  • Charitable contributions
  • Employee engagement
  • Human rights
  • Labor regulations

Governance metrics to consider for ESG reporting might include:

  • Compliance with regulatory requirements, like Sarbanes-Oxley (SOX)
  • Design and effectiveness of internal controls and overall control environment, ideally based on an internal control framework like COSO’s
  • Policies and procedures governing the organization and entity-level controls
  • Executive compensation

Organizations can also select topics and metrics that are relevant to their industry or that affect their line of business, beyond those listed above. These topics can be identified through the use of a materiality assessment, either with internal stakeholders or with key investors or customers. In this case, the organization should document its reasoning for including that metric or KPI in its ESG disclosures.

What Are Current and Future ESG Requirements?

ESG reporting requirements differ based on geography. Some countries and regions are still in the process of implementing new ESG regulations, while others, like the EU and the UK, have already launched their implementation of several standards and currently require companies to comply with various ESG requirements.

US ESG Requirements

Currently, ESG disclosures in the US are voluntary; however, over 90% of the S&P have opted to release reports. The SEC has proposed standardized ESG reporting requirements, though those are still in flight. Public companies in the US should expect mandatory ESG requirements in the next few years as the SEC combats greenwashing in corporate disclosures.

EU ESG Requirements

The EU and UK are ahead of the curve in terms of ESG regulations. The EU has released several directives and regulations for governing ESG disclosures, including:

  • Sustainable Finance Disclosure Regulation (SFDR): Governs investment management sustainability reporting.
  • Corporate Sustainability Reporting Directive (CSRD): Directives for corporate sustainability reporting.
  • EU Taxonomy for Sustainable Activities: Classifications for sustainable projects, investments, and other economic activities.

UK ESG Requirements

Like the EU, the UK has released guidance and requirements for regulating ESG disclosures. This guidance includes: 

  • Department for Business, Energy, and Industrial Strategy Climate-Related Financial Disclosure (BEIS CFRD): This UK department mandates that UK companies, whether public or private, with over 500 employees or over £500M in revenue produce reporting based on TCFD.
  • Sustainability Disclosure Requirements (SDR): A set of requirements seeking to reduce greenwashing and unify sustainability reporting.
  • Streamlined Energy and Carbon Reporting (SECR): Mandates that large UK enterprises include energy use, carbon footprint, and GHG emissions in annual financial reporting.
  • Financial Conduct Authority TCFD Reporting: FCA-regulated asset managers and asset owners, as well as companies with UK-listed shares or depositary receipts, are required to complete Task Force on Climate-Related Financial Disclosures (TCFD)-guided disclosures.

To summarize: at present, the US does not require ESG disclosures. However, more regions and countries around the world continue to develop standards for ESG reporting. Companies should anticipate that ESG reporting will be required, especially those doing business in the US, UK, and EU.

As the field and practice of ESG disclosures continues to mature and develop, companies will doubtless be subject to additional requirements in the future, no matter where they are located. With an eye toward tomorrow, organizations should iterate on their ESG practices and consider appointing an ESG controller.

What Are ESG Controls?

Simply put, ESG controls are those controls that address risks related to environmental, social, and governance matters. Controls are put in place to mitigate risks, either by limiting the impact should the risk be realized or by reducing the likelihood that the risk comes to fruition. While ESG risks are not as well documented as traditional business risks, the methodology for risk management remains the same.

ESG experts have identified three layers of ESG controls: entity-level controls (ELCs), transactional-level controls, and monitoring controls.

Entity Level Controls (ELCs)

Entity-level controls govern the entire organization at a macro level. These controls include the policies and procedures in place that drive how management behaves and conducts control activities. Entity-level controls can also include activities like completing a periodic ESG risk assessment or materiality assessment. ELCs incorporate tone at the top, overall ESG strategy, and high-level corporate policy.

Transactional-Level Controls

Transactional-level controls are the most difficult for companies to identify, measure, and implement for ESG disclosures. Various transactions may have an impact on ESG metrics without the process owner or transaction owner being aware of it. Contracting with a third party or conducting an ESG risk assessment can help organizations identify the key transactional controls that are relevant to ESG. The discovery process may reveal gaps in transactional-level controls, which should then be recorded in a risk register to be mitigated. Examples of transactional-level controls include caps on certain transactions, approvals for transactions, and reconciliation controls.

Monitoring Controls

Monitoring the company’s ESG program is critical after implementation of the program is complete. Monitoring controls detect and correct anomalies in day-to-day operations and can alert an organization to an incident or an issue. These controls may also be useful for aggregating or sourcing ESG data.

ESG Controls Framework

To start an ESG program, organizations might consider the following example ESG controls framework, which takes common risk management practices and applies them to the ESG landscape. This particular controls framework consists of: 

  1. Assessing the control environment
  2. Performing an ESG-focused risk assessment
  3. Implementing effective control activities
  4. Establishing clear information and communication with stakeholders
  5. Monitoring activities, including internal audit

1. Assessing the Control Environment

In assessing the control environment for ESG reporting, organizations consider the overall perspective towards ESG matters, as well as policies, procedures, and organizational norms in place to support the company’s ESG objectives. This step in the controls framework looks at who is responsible and accountable for ESG initiatives. Buy-in from senior leadership and management into ESG efforts is crucial for success in this arena, and this first step assesses the organization’s readiness and willingness to comply with ESG requirements.

2. Performing an ESG-Focused Risk Assessment

The next step in this framework is to perform an ESG-focused risk assessment that aims to identify the organization’s ESG-related risks and controls. This risk assessment can be performed by internal or external parties, but should include qualified ESG professionals. The risk assessment should result in potential updates to the risk register, recommendations, and best practices, as well as gaps in the organization’s ESG program. From there, the company can use the results of the risk assessment to address, mitigate, and treat ESG risks.

3. Implementing Effective Control Activities

Once the company has assessed the control environment and performed an ESG-centric risk assessment, it should take the aggregated gaps, recommendations, and best practices and establish or modify its ESG strategy to accommodate those findings. Some findings may only require small changes to existing controls to optimize them, while other gaps and findings may require a new control, or an overhaul of existing controls, to address in full. Any policies and procedures that change in the process should be updated in documentation as well.

4. Establishing Clear Information and Communication with Stakeholders

To promote transparency around ESG at a corporation, teams must establish clear information and communication expectations and lines with key stakeholders in order to effectively implement or optimize an ESG program. ESG risks often require senior management buy-in to address, and by setting up clear reporting lines from the outset, an organization can ensure that the right people are in the room at the right time. There should also be a defined escalation path for raising major risks or issues that could affect the organization’s overall ESG reporting.

5. Monitoring, including Internal Audit

Monitoring an ESG program takes many forms. It can involve real-time data analysis and real-time reporting, and it can involve top-to-toe assessments of the organization’s ESG posture. At this stage, having an internal audit team perform an assessment or evaluation of the overall ESG program, or components of it, can yield significant findings and optimization opportunities. Internal auditors might consider the validity and integrity of ESG data, or identify opportunities for improvement. In addition, comprehensive monitoring can help identify issues, define benchmarks, and detect anomalies. Check out our ESG audit checklist to help prepare for an audit.

ESG Program Management

Managing an effective ESG program comes with significant challenges. As a relatively new area of disclosure, not all regions have standardized their ESG reporting requirements yet. In other regions, new and emerging ESG requirements are throwing companies for a loop. As more compliance frameworks and reporting requirements get added to the stack that compliance, audit, and risk professionals must handle, the need for solutions that enable enterprises to centralize and streamline their risk, governance, and compliance efforts grows. AuditBoard’s ESG Software enables your organization to coordinate communications between stakeholders and process owners; consolidate evidence collection; and comprehensively map risks and controls. Schedule your personalized walkthrough today!


Mike Wych is a Manager of Product Solutions at AuditBoard with a focus on ESG, Risk, and Controls. Mike joined AuditBoard from KPMG, where he was a manager in their Risk Assurance practice specializing in external audits, internal audits, and information security audits. Mike also brings experience assisting audit, risk, and control functions with streamlining and optimizing processes. Connect with Mike on LinkedIn.