During the Decade of Action – the label the United Nations has given to the global push to deliver on the Sustainable Development Goals’ vision by 2030 – many businesses have declared that they are firmly committed to sustainability strategies focused on long-term value creation. How effectively a company can deliver on its strategy depends on the tone set from the top – board, audit committee, chief sustainability officer – and their approach to managing sustainability priorities.
Every element of a sustainability strategy – net zero goals, nature-based solutions, engaging your value chain – has to be supported by rigorous internal controls. And the effectiveness of those controls starts with strong governance and equally strong assurance. Does the company have guardrails in place to ensure the integrity of its people, performance, and data? If misconduct occurs, are there systems to detect and correct it? How can internal controls guide a company’s journey from basic environmental compliance to true human and natural resource stewardship? Or, for the courageous, from incremental improvements to society-transforming products and services? In answering these questions, more and more organizations are realizing that strong internal controls are fundamental to the good governance required.
Defining Internal Controls
Two important definitions of internal controls to consider come from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the U.S. Securities and Exchange Commission (SEC):
- COSO’s Internal Control Guidance states: Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.
- The Sarbanes-Oxley Act of 2002, section 404, draws on the COSO guidance and defines internal controls for financial reporting as: A process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
For GHG emissions reporting, an important definition of internal controls comes from the International Organization for Standardization (ISO):
- ISO 14064 defines controls for reporting GHG emissions as: policies and procedures that help ensure GHG data is free from material misstatements and conforms to the criteria. (The criteria are typically the GHG Protocol Corporate Accounting and Reporting Standards.)
Under the SEC’s draft proposed climate-related disclosure rule, which was released on March 21, 2022, many companies would have to obtain reasonable-level assurance of their GHG emissions data as early as 2026, which requires controls-based testing. This type of testing is routine for ERM Certification & Verification Services. However, if a company has not embedded or transferred those internal controls over to its GHG emissions data, now is the time to understand what those controls will look like for GHG data and to prevent qualified assurance opinions or restatements of GHG data.
Setting Up Internal Controls: Five Integrated Components
Successful internal controls need to align with three categories of objectives: operations, reporting, and compliance. From an ESG perspective, a company’s GHG strategy will have operational objectives (e.g., a 10% reduction goal), reporting objectives (e.g., alignment with regulations and standards like EFRAG, ISSB and the SEC, and even with ESG ratings like CDP or S&P CSA), and compliance objectives (e.g., state, country or regional emissions trading systems, or local air permits).
Setting up controls within each objective requires five integrated components, which may be in effect at the group, business unit, site and/or function levels. At a high level, the purpose of each component is as follows:
- Control Environment. This is that tone from the top again, encompassing commitment to integrity, structured reporting, and accountability for objectives. A strong control environment should filter through the entire organization.
- Risk Assessment. Companies must identify internal and external risks associated with their objectives, reassess them periodically for changes to business context, and ensure that they are able to manage those risks effectively.
- Control Activities. Control activities are significant and include policies and procedures to cover all risk mitigation efforts at all levels of the company, and may include reviews/approvals, verifications, and reconciliations. It is best practice to include coverage of technology as well as segregation of duties.
- Information and Communication. This refers to the fact that the data needed to meet objectives must be relevant and of high quality, and that communication to internal and external stakeholders must be ongoing.
- Monitoring Activities. Present and functioning evaluation of each of these five components must yield timely, actionable findings that can be used to take corrective action.
Think for a moment about how a company might apply each of these five components to how much revenue was generated, or a site’s production totals, or how many recordable injuries there were in a given month. Any company supporting delivery of the SDGs in the Decade of Action will require numerous, refined internal controls woven through multiple levels of the organization to ensure completeness and accuracy of information.
Setting up Internal Controls for GHG Emissions Data
Now think about GHG emissions data. How much electricity was used last month? How much diesel was consumed? What about refrigeration and air conditioning recharges? Not how much a company spent on the energy sources – how much they consumed. Extended billing cycles from regulated electric utilities, antiquated invoicing practices from fuel suppliers, and disparate units of measure are just some of the variables affecting GHG data quality. The control environment needs to extend to these performance indicators under the SEC’s proposed climate-related rule changes as well.
What do good control activities look like for GHG data?
- Create a GHG inventory management plan to govern the entire process. If there are changes to the carbon accounting methodology, create and retain documentation of the changes.
- Review and confirm the GHG inventory boundary, because there should not be locations listed in Item 2 Properties of the 10-K that aren’t accounted for in the GHG inventory.
- Review joint ventures, sites with tenants, and acquisitions/divestitures to ensure proper accounting.
- Establish roles and responsibilities for collecting, reviewing, and approving input data as well as for aggregating and finalizing outputs; this is particularly important for companies using data collection systems or software, where users can have varying permission and authority profiles.
- Institute reviews by personnel adjacent to and above those responsible for collecting, reviewing and approving GHG data.
- Define the frequency for GHG data collection – it should be monthly, just like financial, production, and safety metrics.
- Require sites to verify their energy activity is complete and that there are no omitted sources.
- Identify areas where data is manually transferred and take appropriate action when needed.
- Review all estimations, unit conversions, and emission factors at least annually.
- Establish a percentage threshold for year-over-year and month-to-month changes in consumption activity, and investigate all variances.
- Wherever possible, employ existing financial controls to cover GHG data, especially utilization of internal audit teams.
Improving internal controls now not only prepares a company for regulatory changes, it also mitigates risk and improves resiliency. As demands for accurate, reliable and transparent ESG data continue to increase, companies with quality internal controls are better positioned to thrive in the long term.
The world has no time to waste in addressing the imperatives outlined by the United Nations’ Decade of Action for the Sustainable Development Goals. In ensuring that the actions themselves are impactful and long-lasting, strong internal controls for sustainability factors ensure that sustainability management delivers on its promises.