Sustainability reporting has entered a critical phase. As regulatory requirements tighten, the reliability of ESG data is becoming just as important as financial reporting. Under the Corporate Sustainability Reporting Directive (CSRD), limited assurance is now mandatory, and reasonable assurance is on the horizon. This means it’s no longer acceptable for companies to treat ESG data as an afterthought. It’s time to build robust internal controls that ensure the credibility of ESG disclosures.
Why This Matters Now
In most organizations, ESG data doesn’t live within core financial systems. It’s often sourced from spreadsheets, third-party platforms, and manual inputs, making it prone to errors and regulatory risk. This decentralization leaves a significant gap for inaccuracies that could expose companies to reputational damage, greenwashing allegations, and even failed assurance reviews.
Without internal controls, ESG disclosures become unreliable, leading to a loss of trust both internally and externally. Companies that cannot stand behind and explain their ESG numbers will face growing scrutiny from regulators, investors, and stakeholders. To maintain credibility, strong internal controls are now a necessity.
Start with Culture, Not Checklists
Building effective controls begins with a solid control environment. The Committee of Sponsoring Organizations (COSO) framework emphasizes that Board-level oversight is critical in setting the tone at the top. This is not merely a compliance task – it is about embedding ownership and accountability across teams, particularly for ESG data quality. As with financial reporting, ESG reporting should be recognized as a core business responsibility, not an afterthought.
Leadership must demonstrate that sustainability is embedded into the organization’s culture. ESG data cannot simply be a reporting obligation; it must be a driving force behind strategy and decision-making.
Risk Assessment Needs to Be ESG-Specific
You cannot control what you do not understand. As such, companies must conduct an ESG-specific risk assessment. The first step is to clearly define reporting objectives, whether that’s emissions data, workforce metrics, or supply chain impacts. Once objectives are clear, it is essential to identify potential risks to data quality, such as estimation errors, gaps in third-party data, or selective disclosure.
Further, assessing fraud risk is critical. Without appropriate controls, companies risk misrepresenting data, whether intentionally or not. Finally, it’s essential to continuously monitor changes in regulations, business strategy, and data systems, all of which can impact ESG disclosures.
Building Controls that Work
While theory and frameworks are essential, the focus should be on implementing controls that are practical and actionable at all levels of data handling. Controls must be designed to address both the transaction level and the oversight level, ensuring that ESG data is verified and can be explained at every stage of the reporting process.
- Preventive controls: Implement automated validation rules at the point of data entry to catch errors early.
- Detective controls: Conduct trend analysis and regular reviews of emissions data or other key ESG metrics to identify anomalies.
- Corrective controls: Establish escalation procedures to address inaccuracies as soon as they are discovered.
These controls should be embedded at all levels of the business:
- Transaction-level: Field checks, validation rules, and system flags at the point of data entry.
- Oversight level: Reviews, reconciliations, and approvals to ensure data is accurate before finalization.
- Entity level: Governance structures, role clarity, and escalation procedures to ensure accountability.
The goal of these controls is simple: ensure that ESG disclosures are accurate, verifiable, and continuously improved (well before auditors arrive).
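The three control types above (preventive validation at entry, detective trend review, corrective escalation) can be made concrete in code. The following is an added illustration, not code from the article or from any named organization: it runs the three layers over a small set of constructed emissions records. The field names, the allowed units and scopes, the 25% year-over-year review threshold, and the owner roles in the issue log are all assumptions chosen for the example.

```python
"""Three-layer ESG data controls, illustrated on constructed emissions records.

Preventive  -> validate_record(): rules applied at the point of data entry
Detective   -> detect_anomalies(): year-over-year trend review per site and scope
Corrective  -> IssueLog: escalation entries with an owner and a status
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed data-quality standard for the example (the article names no specific rules).
ALLOWED_UNITS = {"tCO2e"}
ALLOWED_SCOPES = {1, 2, 3}
REVIEW_THRESHOLD = 0.25  # flag |year-over-year change| above 25% for review


@dataclass
class EmissionRecord:
    site: str
    year: int
    scope: int
    value: float
    unit: str
    source: str  # provenance of the figure, e.g. "meter", "invoice", "estimate"


def validate_record(rec: EmissionRecord) -> list[str]:
    """Preventive control: return the list of violated rules (empty list = accepted)."""
    errors = []
    if rec.scope not in ALLOWED_SCOPES:
        errors.append(f"scope {rec.scope} not in {sorted(ALLOWED_SCOPES)}")
    if rec.unit not in ALLOWED_UNITS:
        errors.append(f"unit '{rec.unit}' not in {sorted(ALLOWED_UNITS)}")
    if rec.value < 0:
        errors.append("value must be non-negative")
    if not rec.source:
        errors.append("source must be stated")
    return errors


def detect_anomalies(records, threshold=REVIEW_THRESHOLD):
    """Detective control: flag (site, scope, year, change) where the relative
    change from the previous reported year exceeds the threshold."""
    series = defaultdict(dict)
    for r in records:
        series[(r.site, r.scope)][r.year] = r.value
    flags = []
    for (site, scope), by_year in series.items():
        years = sorted(by_year)
        for prev, cur in zip(years, years[1:]):
            base = by_year[prev]
            if base == 0:  # no meaningful relative change from a zero baseline
                continue
            change = (by_year[cur] - base) / base
            if abs(change) > threshold:
                flags.append((site, scope, cur, round(change, 3)))
    return flags


class IssueLog:
    """Corrective control: every failure is logged, assigned, and tracked to closure."""

    def __init__(self):
        self.entries = []

    def raise_issue(self, description: str, owner: str) -> int:
        self.entries.append({"description": description, "owner": owner, "status": "open"})
        return len(self.entries) - 1

    def resolve(self, index: int, note: str) -> None:
        self.entries[index].update(status="resolved", resolution=note)

    def open_issues(self):
        return [e for e in self.entries if e["status"] == "open"]


def run_controls(records):
    """Apply the three layers; return accepted records and the populated issue log."""
    log = IssueLog()
    accepted = []
    for r in records:
        errs = validate_record(r)
        if errs:  # rejected at entry and escalated to the data owner
            log.raise_issue(f"{r.site} {r.year} scope {r.scope}: {'; '.join(errs)}", "site-data-owner")
        else:
            accepted.append(r)
    for site, scope, year, change in detect_anomalies(accepted):
        log.raise_issue(f"{site} scope {scope} {year}: {change:+.0%} year-over-year, needs review", "esg-controller")
    return accepted, log


# Constructed sample input (not real company data).
SAMPLE_RECORDS = [
    EmissionRecord("Plant A", 2022, 1, 1000.0, "tCO2e", "meter"),
    EmissionRecord("Plant A", 2023, 1, 1050.0, "tCO2e", "meter"),
    EmissionRecord("Plant A", 2024, 1, 1500.0, "tCO2e", "meter"),   # +43%: flagged for review
    EmissionRecord("Plant B", 2023, 2, -12.0, "tCO2e", "invoice"),   # negative value: rejected
    EmissionRecord("Plant B", 2024, 2, 300.0, "kg", "estimate"),     # wrong unit: rejected
    EmissionRecord("Plant C", 2023, 4, 10.0, "tCO2e", ""),           # bad scope, no source: rejected
]

if __name__ == "__main__":
    accepted, log = run_controls(SAMPLE_RECORDS)
    print(f"accepted {len(accepted)} of {len(SAMPLE_RECORDS)} records")
    for i, entry in enumerate(log.entries):
        print(f"[{i}] {entry['status']:8} {entry['owner']:16} {entry['description']}")
```

The point of the structure is that every rejection or anomaly leaves an owned, dated trail in the issue log rather than a silently corrected spreadsheet cell; that trail is what an assurance provider will ask to see when testing whether the control operated.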
Information Flow Is Critical
One of the most significant weaknesses in ESG reporting occurs when data isn’t available at the right time or in the right format. Proper data flow is crucial to building effective controls. This starts with setting quality standards for ESG data, ensuring that all information is collected and managed according to clear, consistent guidelines.
- Real-time oversight: Dashboards can provide visibility into key data points across different departments, allowing for immediate detection of discrepancies.
- Cross-departmental collaboration: ESG reporting should not be siloed. Creating ESG reporting forums will facilitate alignment and ensure the accuracy of data across departments.
One best practice that can be applied here comes from Aviva. The company integrated financial reporting professionals into ESG roles, ensuring that the same robust controls used in financial reporting were applied to ESG data. It’s an efficient strategy that avoids reinventing the wheel.
Monitoring: A Critical Component
Designing controls is only the first step. You cannot assume that your controls will continue to be effective without regular monitoring. Controls should be continuously reviewed by ESG teams, and independent audits or second-line assurance should be carried out to ensure that the controls are functioning as intended.
- Ongoing review: ESG teams should regularly review the effectiveness of controls.
- Independent testing: External audits or second-line assurance should validate the controls.
- Issue tracking: Use issue logs to track failures and ensure remediation is implemented.
- Walkthroughs: Demonstrate how controls are operating in practice.
If you can’t explain and evidence your controls, they might as well not exist.
Double Materiality: More Controls, Not Fewer
The CSRD introduces the concept of double materiality. Companies are, and will continue to be, required to report on both financial materiality (how sustainability issues affect the company) and impact materiality (how the company’s activities impact the environment and society). This vastly expands the scope of ESG reporting and requires more stringent controls.
- Narrative disclosures: Companies must validate claims about climate risks and transition plans.
- Impact assessments: Disclosures about biodiversity, communities, and supply chains must be validated.
- Stakeholder feedback: Qualitative metrics should be documented and reviewed.
Without the right controls, this information could become vague or misleading. In today’s environment, that’s a reputational and regulatory risk.
How to Start
Establishing internal controls for ESG reporting can feel like a daunting task, but it doesn’t have to be. The first step is to map what you already have. Most companies likely have informal controls in place, even if they’re not documented. These need to be identified and formalized.
Once informal controls are mapped out, companies should prioritize their efforts by focusing on disclosures that pose the highest risk. This might include areas where data quality is more difficult to measure or where reporting inaccuracies could cause significant damage to reputation.
Next, it’s important to embed controls upstream – in the early stages of data collection. By addressing data quality at the point of entry, rather than just at the report sign-off stage, companies can improve the reliability of their ESG data from the outset.
Finally, everything should be documented. If a control or process is not written down, it is unlikely to be consistently followed. Documentation ensures that controls are repeatable and auditable.
What Good Looks Like
Internal controls mature over time, and the goal is not perfection but progress. At the outset, controls may be informal, undocumented, and inconsistent. As they develop, controls become more clearly defined, documented, and regularly reviewed, though testing may still be limited. The aim should be to move towards a defined system that is embedded in business processes and continuously tested for improvement.
Leading organizations achieve fully automated, real-time controls that are audit-ready at any moment. However, companies should focus on continuous improvement, striving for transparency and accountability, rather than expecting perfection right away.
Control Equals Confidence
Internal controls provide the foundation for credible, trustworthy ESG reporting. If your ESG data is not backed by structured, tested, and documented controls, it will not stand up to scrutiny, whether from regulators, investors, or your own leadership.
Now is the time to build that foundation. Strong internal controls are not just a regulatory requirement. They are critical to building trust both within your organization and in the broader market. The goal is to ensure that your ESG reporting is credible, transparent, and capable of withstanding the growing scrutiny it will face in the coming years. The future of sustainable business depends on it.