Insights > Prioritizing Internal Controls: The Essential Step for Effective Sustainability Reporting

Prioritizing Internal Controls: The Essential Step for Effective Sustainability Reporting

The principles used for financial reporting controls can also be applied to sustainability data, ensuring reliability and consistency.

These insights are part of an ongoing series of environmental, social, and governance (ESG) considerations for the office of the CFO and sustainability reporting professionals.

The principles used for financial reporting controls can also be applied to sustainability data, ensuring reliability and consistency.

Sustainability reporting has evolved significantly in recent years. Each organization’s approach to sustainability and ESG initiatives is unique, often involving cross-functional collaboration. Consequently, key stakeholders for sustainability initiatives vary from organization to organization. CFOs and other finance and accounting leaders are increasingly involved or even leading these areas, yet finance and accounting departments often lack a seat at the table when it comes to sustainability. This needs to change because the office of the CFO possesses the skill set to ensure the information being reported is investor-grade.

As sustainability reporting has become an increasingly crucial aspect for stakeholders, including investors, regulators, and customers, the need for this data to be accurate and reliable is as critical as for financial disclosures. Whether a company is just beginning to collect and report this data or has been issuing sustainability reports for years, organizations must consider internal controls around sustainability reporting now. Unfortunately, all too often, the processes for collecting and reporting this data are manual, disparate, and lack proper review.

Prioritizing internal controls in sustainability reporting is not just a best practice; it is essential. Without robust internal controls, the accuracy, completeness, and reliability of ESG data cannot be assured, leading to potential reputational damage, regulatory penalties, and loss of stakeholder trust.

CFOs and sustainability professionals should explore the importance of internal controls in ESG reporting, understand the COSO framework, enact practical steps for establishing these controls, and determine how the process can be strengthened by technology and the role of internal audit.

Importance of Internal Controls in Sustainability Reporting

Ensuring Data Accuracy and Completeness

The demand for high-quality sustainability information is growing. Investors, regulators, and other stakeholders rely on this data to make informed decisions. As sustainability reporting becomes more integral to corporate strategy, ensuring the accuracy and completeness of this information is critical to not only meet stakeholder expectations but also to enhance organizational credibility and build trust. Establishing robust internal controls helps ensure the data collected and reported is reliable and complete, which is essential for maintaining stakeholder confidence.

Regulatory and Assurance Readiness

Several regulations now require assurance over sustainability data, making it imperative for companies to have strong internal controls. The US Securities and Exchange Commission’s (SEC) climate rule mandates that public companies disclose climate-related risks and greenhouse gas emissions, with these disclosures subject to assurance. For example, by 2026, large, accelerated filers will need to provide limited assurance on their Scope 1 and Scope 2 emissions, transitioning to reasonable assurance by 2028. Similarly, California’s Climate Corporate Data Accountability Act requires companies to report and obtain assurance on their greenhouse gas (GHG) emissions starting in 2026 for limited assurance and moving to reasonable assurance in subsequent years. The European Union’s Corporate Sustainability Reporting Directive (CSRD) mandates limited assurance over sustainability reports starting in fiscal year 2024, with the possibility of expanding the scope of assurance in the future. These regulations necessitate rigorous internal controls to ensure compliance.

Learn more about the SEC climate rule and compliance requirements.

Enhancing ESG Scores and Stakeholder Trust

Obtaining third-party assurance on sustainability data not only meets regulatory requirements but also enhances a company’s credibility and ESG scores, such as those from CDP (formerly known as the Carbon Disclosure Project). This can improve stakeholder trust and demonstrate a commitment to transparency and sustainability. Companies that can present verified and reliable sustainability data are better positioned to attract investment and build a positive reputation. Robust internal controls ensure that sustainability data is not only compliant but also trusted by external stakeholders, ultimately fostering stronger relationships and supporting long-term strategic goals.

COSO Framework for Sustainability Reporting

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a comprehensive framework for internal controls that can be adapted for sustainability reporting. The COSO framework is widely recognized for its applicability in various reporting environments, including sustainability. In March 2023, COSO released guidance on applying its Internal Control-Integrated Framework (ICIF) to sustainability reporting. This guidance emphasizes that the principles used for financial reporting controls can also be applied to sustainability data, ensuring reliability and consistency.

Key Components of the COSO Framework

  • Control Environment: Establishes the foundation for internal control, emphasizing the importance of a strong tone at the top, ethical values, and accountability. Organizations should demonstrate commitment to integrity and ethical values, fostering an environment where sustainability considerations are integrated into daily operations.
  • Risk Assessment: Identifies and analyzes risks related to achieving sustainability objectives. This involves considering the materiality of sustainability issues and potential impacts on the organization. Regular risk assessments help identify potential sources of error and areas requiring additional controls.
  • Control Activities: Implements policies and procedures to address identified risks and ensure accurate reporting. This includes establishing protocols for data collection, verification, and reporting to ensure consistency and reliability.
  • Information and Communication: Ensures relevant information is captured and communicated effectively within the organization and to external stakeholders. Clear communication channels are essential for maintaining transparency and ensuring all stakeholders are informed about sustainability efforts and performance.
  • Monitoring Activities: Involves ongoing evaluations of the internal control system to ensure it remains effective and adapts to changes. Regular monitoring and reviews help identify weaknesses and areas for improvement, ensuring the control system evolves with the organization’s needs.

Steps to Establish Effective Sustainability Controls

Prioritizing Internal Controls: The Essential Step for Effective Sustainability Reporting 2

Establishing effective internal controls for sustainability reporting is essential for ensuring the accuracy, reliability, and completeness of sustainability data. While the COSO framework provides a solid foundation, the practical steps to implement these controls should be tailored to address specific organizational needs and regulatory requirements. Here are the key steps:

  1. Define Your Sustainability Reporting Scope
    The first step in establishing effective sustainability controls is to define the scope of your sustainability reporting. This involves evaluating regulatory and stakeholder requirements to determine what needs to be reported. Understanding the regulatory landscape, such as the SEC’s climate disclosure rules, California’s Climate Corporate Data Accountability Act, and the European Union’s CSRD, is crucial. Additionally, consider stakeholder expectations, including those of investors, customers, and rating agencies. A comprehensive understanding of these requirements will help in defining the scope and ensuring that all necessary data is collected and reported accurately.
  2. Perform a Gap Assessment
    Once the reporting scope is defined, companies should perform a gap assessment to identify areas where current sustainability reporting processes need improvement. This involves walking through existing sustainability reporting processes to understand how information is currently collected and reported. Organizations should identify any gaps where new processes need to be created or existing processes need to be matured. A thorough gap assessment will highlight discrepancies and inefficiencies in the current system. Based on this assessment, professionals can create a remediation and implementation roadmap that outlines the steps needed to address these gaps and enhance the sustainability reporting framework.
  3. Implement and Remediate Controls
    With the roadmap in hand, the next step is to implement and remediate controls. Sustainability professionals can address the identified gaps by developing and deploying robust control activities. Automating data collection processes can significantly reduce human error and improve accuracy. For example, installing sensors to measure energy consumption and emissions —and automatically uploading the data to a centralized system— helps ensure precise data collection. Cross-referencing this data with external sources, such as utility bills, further enhances reliability. Establishing robust verification processes is also crucial for maintaining the integrity of sustainability data. This step ensures that all control activities are in place and functioning as intended to mitigate identified risks.
  4. Monitor and Review Controls
    Continuous monitoring and regular review of sustainability controls are essential to maintain their effectiveness. The office of the CFO should develop timely, risk-based test plans and procedures for each sustainability-related internal control. Regularly assess the design, implementation, and operating effectiveness of these controls. At least annually, professionals should reassess whether control activities are applied at the appropriate level (e.g., business unit versus enterprise level), are aligned with risk assessment outcomes, and are sufficiently direct and precise. It’s also important to ensure that all parties involved —both internal and external— have the necessary qualifications and certifications. As new gaps are identified, roles and responsibilities change, and regulatory requirements evolve, the internal control environment should be updated accordingly. The team should communicate the results of these assessments with those charged with governance to maintain transparency and accountability.

How Technology Can Better Enable Sustainability Reporting

The aim of developing, integrating, and prioritizing sustainability-related internal controls is to deliver complete, accurate, and reliable information to stakeholders. Many businesses today still face significant challenges in accessing and ensuring the integrity of the data required to comply with both voluntary and mandatory disclosure requirements. Sustainability data can be complex, qualitative, forward-looking, and harder to quantify than traditional financial data. This data may have different reporting boundaries and timelines, be subject to more estimates and assumptions, originate from systems that do not have the same level of internal control, and often require involvement from various departments across an enterprise.


Sustainability data can be complex, qualitative, forward-looking, and harder to quantify than traditional financial data.

To address these challenges, companies must carefully decide how to source, transform, and report sustainability-related data while anticipating future data needs as stakeholder expectations evolve. It is crucial to integrate sustainability disclosure considerations into data management policies and procedures. For companies that have already started developing processes for gathering and processing sustainability data, it is essential to ensure a thorough understanding of the entire data flow and current-state data acquisition strategy. Processes should be designed to result in consistent, accurate, and complete data sets, promoting timely collection and dissemination of information.

Automating and digitizing the data-gathering process can significantly enhance performance and reliability. Investing in new technologies to address current limitations is vital. Commonly used systems and processes include IoT sensors for real-time data collection, comprehensive reporting and data governance platforms, and automation tools for complex calculations. For instance, IoT sensors can be installed to measure energy consumption and emissions automatically, uploading the data to a centralized system for analysis.

Comprehensive reporting and data governance platforms can integrate data from various sources, streamline reporting processes, and ensure data accuracy. For example, a global retail chain may adopt a data governance platform to integrate sustainability data from its suppliers, warehouses, and stores. This platform can facilitate the consolidation and verification of data, ensuring consistent and reliable sustainability reports. The integration of data from various sources allows the company to track its carbon footprint more accurately and report on its progress toward its sustainability goals in a more timely manner.

Automation tools can assist with the calculation of greenhouse gas emissions, reducing the manual effort required and increasing precision. For example, a financial services firm can utilize an advanced automation tool to calculate its greenhouse gas emissions across multiple office locations. This tool can aggregate data from utility bills, travel records, and waste management reports, automatically performing the complex calculations needed to determine the firm’s overall emissions. This approach not only saves significant time but also improves the accuracy and consistency of the emissions data, allowing the firm to meet regulatory requirements and provide transparent disclosures to stakeholders.

Automated information and communication systems help organizations effectively collect, measure, and present sustainability-related information in a manner that is understandable to process owners, relevant to external users, and supportive of effective internal controls. This leads to greater efficiency and better decision-making capabilities. When designed appropriately, automated controls are also inherently more reliable than manual controls, reducing the opportunity for human error.

Before implementing new technology, it is important to:

  • Evaluate the potential limitations of the technology to preserve the reliability and integrity of information.
  • Establish effective data migration or integration controls to mitigate risks associated with new systems, ensuring a smooth transition.
  • Conduct a thorough risk assessment to identify which systems require further monitoring, guaranteeing they meet internal control requirements.

By taking these steps, companies can use technology to enhance their sustainability reporting, ensuring it is robust, accurate, and trustworthy.

The Role of Internal Audit in Sustainability Reporting

Internal audit functions play a critical role in supporting sustainability reporting. Their involvement includes risk assessment and evaluation, data validation, process improvement recommendations, and assurance services. Internal auditors assess the organization’s sustainability risks and evaluate the effectiveness of internal controls. They verify the accuracy and completeness of sustainability data, ensuring it meets regulatory standards. Providing recommendations to improve data collection and reporting processes helps in enhancing the reliability of sustainability disclosures. Offering an independent perspective on the effectiveness of sustainability controls and reporting builds stakeholder trust and supports compliance with regulatory requirements.

Internal audit teams can identify areas for improvement and provide actionable recommendations to enhance the organization’s internal controls. By conducting regular audits and assessments, internal auditors help ensure the organization’s sustainability reporting processes are robust and reliable. This not only supports compliance with regulatory requirements but also enhances the organization’s credibility with stakeholders.

Looking Ahead

As the significance of sustainability reporting continues to rise, the necessity for robust internal controls cannot be overstated. Internal controls should not be an afterthought; they must be a central focus of any sustainability initiative to ensure accurate, reliable, and complete sustainability data. This is essential not only for regulatory compliance but also for building stakeholder trust and enhancing a company’s reputation. Organizations must integrate internal controls into their sustainability reporting processes from the outset, leveraging the COSO framework, advanced technologies, and internal audit functions to meet the high standards expected by all stakeholders. Prioritizing internal controls prevents inaccuracies, mitigates risks, and supports strategic decision-making.

How Riveron Can Help

Our team is here to guide the office of the CFO and sustainability reporting professionals through this complex landscape, helping organizations establish and maintain effective internal controls that enhance the credibility of their sustainability reporting and support long-term strategic goals.

Our cross-functional team of experts has extensive experience in both sustainability regulatory requirements and reporting, as well as in establishing effective internal controls. We can assist your organization in several ways:

  • Gap Analysis and Risk Assessment: Conduct a thorough assessment of your current sustainability reporting requirements and the underlying processes and identify gaps and areas of risk, leading to the creation of a remediation or implementation roadmap.
  • Control Design and Implementation: Help design and implement effective internal controls for sustainability reporting.
  • Technology Integration: Assist in selecting, implementing, and integrating technology solutions to streamline data collection and reporting.
  • Training and Development: Provide training programs for employees on sustainability reporting requirements and best practices.
  • Internal Audit Support: Co-source or outsource internal audit functions to ensure the effectiveness of sustainability controls and reporting.


Want to learn more about internal controls for sustainability reporting?

Riveron’s financial reporting and ESG experts can guide you through the process of establishing robust internal controls, ensuring your organization can build a strong foundation, meet regulatory requirements, and maintain the integrity of your sustainability reporting.

Connect with an Expert

No Executive Leaders or Managing Directors matched your search.