Environmental, Social and Governance (ESG) issues have been a growing priority for both public and private companies across all industries. With evolving SEC regulations and investor pressure, companies need to quickly adapt to these changes — including assessing and improving their internal control environment. In this episode of AuditTalk, Steve Wang, Managing Director at Protiviti, explores ESG internal controls and what organizations can do to address this changing landscape, including:
- The role of internal controls in ESG, and why ESG internal controls are important.
- Key ESG internal control objectives.
- Three types of ESG internal controls, and five kinds of internal audits over sustainability.
- Key considerations for implementing ESG technology.
Watch the full video and read the can’t-miss highlights below.
What Is the Role of Internal Controls in ESG?
“To start, what is ESG? Environmental is what most people think about when you mention sustainability, things like impact to climate, climate risk, carbon emissions, energy usage, waste and water management. Climate risk is obviously a hot topic right now especially in financial services and energy. It’s getting a lot more attention from some of the different regulators out there.
Social is the people aspect: human capital management, employee safety, human rights, diversity, equity, inclusion.
Governance is the corporate principles and behavior, and how the board is structured. Having proper board oversight, ethics, code of conduct, compensation, these are all examples.”
“Internal controls are going to be important in the world of ESG. With pending SEC guidance, this is only going to gain in significance. COSO was thinking about this years ago. If you remember back to 2013, COSO made some changes to their internal control framework. One of those changes that they made was removing the word “financial” from reporting. The purpose of that change was to broaden their focus to all aspects of reporting, which includes sustainability reporting — so the COSO framework can be applied to managing ESG controls.”
Why Are ESG Internal Controls Important?
“There is some level of mandatory assurance in the future around ESG data; the internal controls around the data will also need to be evaluated. The SEC has made some comments around this, and legal and litigation risk is only going to go up if inaccuracies in disclosures and data are found.”
- Data Integrity & Accountability: “More and more people are making decisions based on nonfinancial metrics, and there’s going to be a lot more visibility into the internal controls you have in place over those metrics. Both data integrity and accountability through internal controls are areas that businesses need to focus on.”
- Regulations: “There are and will be pending regulations around the world on ESG. If assurance over data and metrics is required, then the regulators as well as the public accounting firms will all be focused on looking at controls.”
- Reputation: “Poor internal control environments can lead to higher cases of fraud, greenwashing, and can adversely impact a firm’s reputation, which can have other immediate and long-term implications for companies.”
Approach to ESG Internal Controls
“A similar approach used for Internal Controls over Financial Reporting can be applied to ESG performance data and reporting. Define your objectives, define your risk, and then you need to look at both design and test operational effectiveness. Both the second line and third lines of defense can have significant responsibilities in those areas. A lot of companies right now are just starting out — most haven’t actually gotten into testing ESG controls yet, but I anticipate that the testing of controls will happen sometime in the second half of 2022 or maybe even early next year.”
Key ESG Internal Control Objectives
“I’ve seen several companies starting to put together risk and control matrices for ESG internal controls. When you go through that methodology, you do want to start with objectives. These are the objectives that I think are relevant to ESG controls.
- Relevant (meets stakeholder needs, useful)
- Complete (scope, clarified, consistent)
- Accurate (and compliant with specified criteria and calculations)
- Protected and secure
- Approved and authorized
If you are a company that needs to be SOX compliant, many of these should already be pretty familiar to you. The one that probably is not as familiar would be relevance. Essentially, does it meet stakeholder needs? Typically, the corresponding control to this would be whether an ESG materiality assessment or stakeholder engagement activities are done within the organization.”
Three Types of ESG Internal Controls
“In my mind, there are three levels of controls within ESG.
- Entity level: Do you have policies in place or have you done an ESG materiality assessment?
- Transactional level: This is where most companies are weakest because a lot of departments might not necessarily be familiar with controls or perhaps they’ve never been audited before.
- Monitoring controls: These are some of the controls you need after you aggregate all the data across the organization.
I’ve seen a lot of companies put their control set into these three buckets. Again, normally the transactional controls are the most problematic for companies because the data owner might not even know what an internal control is.”
Five Kinds of Internal Audits Over Sustainability
“What should we be doing from an internal audit standpoint? A lot of this depends on the maturity of the ESG program. As a general rule, if an ESG program is nonexistent or very immature, internal audit tends to help out with more consulting projects. If a program is more mature, then internal audit can do assurance reviews related to the program. Many companies have ESG projects somewhere in the middle maturity level.”
1. Data Validation Assessment (Proxy Reviews)
“The most common reviews that I’ve seen are data validation assessments. This is linking publicly reported metrics to the source data to validate the completeness and accuracy of the reporting. I’ve seen certain companies look at every single disclosed data point. They have a spreadsheet that lists out all 75, they go through and validate what are the reports and who are the control owners, and then they test. Others have taken a risk-based approach. In certain cases where limited assurance is already obtained by the organization, internal audit can look at the metrics that haven’t been covered by the third party. I’ve seen it tackled in a bunch of different ways, but in my opinion, data validation should be done. If you’re disclosing something to the public, you should have an objective review of it. There’s so much in the past that’s been focused on the financial side and not a lot on the nonfinancial ESG side, but you could argue that this is just as important if investors are making decisions based off of it.”
2. Internal Controls Assessment
“Internal control assessments are what internal audit and SOX teams are great at, right? This is helping to identify what the ESG controls are and then looking at the design and operational effectiveness of these controls. Many of these controls can end up being very similar to what you’re looking at in SOX, and you can have the three levels that I mentioned before as well.”
3. ESG Governance Assessments
“I’ve seen a lot of governance assessments done as well. This is making sure that your ESG structure makes sense for the organization, that the right functions are involved. You can also look at any of the policies and procedures that are out there, as well as internal and external communication protocols as part of these governance reviews.”
4. Review of Commitments
“This is becoming more and more important as companies are starting to set targets. I’ve seen organizations go out and do standalone commitment audits. We’ve seen a shift in expectations the last few years. The expectations from investors on sustainability are moving from qualitative to quantitative. Investors want more data — they don’t necessarily just want historical data. Now they want forward-looking data as well. In commitment reviews, you want to make sure that you have mechanisms in place to monitor these commitments over time: specifically KPIs as well as the process to review them. A lot of organizations right now are making statements like, ‘We want to be carbon neutral by 2030,’ or, ‘We want to commit a lump sum of funds to hunger and social justice issues.’ These are all commitments. I would argue at the end of the day, these can all be audited and should be.”
5. Benchmarking and Maturity Assessment
“We’ve done several maturity model assessments as well within internal audit. This is essentially just looking at the current state versus future state. These reviews are gaining popularity as well. What is internal audit’s involvement in helping to increase ratings? I’ve seen some internal audit shops do this through benchmarking activities. Benchmarking an organization’s response to their peers is a common thing since a lot of it is public information. I’ve seen several instances where a sustainability function might send internal audit a draft of their CDP responses or their CSA prior to submission for a benchmarking and data validation project. But most of the time, I’ve seen sustainability teams own this activity around evaluating ratings.”
Key Considerations for Implementing ESG Technology
“At the end of the day, you want to make sure you address your pain points within the organization in choosing a solution. Ask questions like: Is it time consuming for people? Is it inefficient? Is the process highly manual? Are you nervous about inconsistent data or processes across the enterprise? How much work do you need to put in? How much money is your organization willing to spend?
All these questions are not new, but I would say that as the ESG landscape gets more complicated and scrutinized, you’ll want to have technology to track your controls. You want to make sure that you have a good tool that has the functionality of RWR, which is a repository, a workflow, and reporting. You also want to make sure that in these efforts you’re coordinated across risk, compliance, the sustainability function, and the internal audit function as well for things like a common risk universe or establishing a common language, a common risk language and definitions.”