Why is internal control over sustainability reporting needed?
The AICPA & CIMA update Sustainability Frameworks and Standards: Evolution Overview summarizes factors contributing to the increasingly rapid evolution of sustainability reporting in recent years.4 This evolution has reflected a shift in the point of view about the responsibility of business from a traditional shareholder perspective to a broader stakeholder perspective. This shift in perspective has been accompanied by intensified interest in more disclosure about risks and opportunities related to climate change and other environmental, social, and governance (ESG) components.
Key components in this evolution of sustainability reporting include:
International Sustainability Standards Board (ISSB) — The creation of the ISSB in November 2021 by the International Financial Reporting Standards (IFRS) Foundation included the incorporation of previously existing sustainability standards and frameworks organizations, including the Sustainability Accounting Standards Board (SASB), Climate Disclosure Standards Board (CDSB), and International Integrated Reporting Council (IIRC). These organizations were instrumental, along with CDP and the Global Reporting Initiative (GRI), in issuing the “Statement of Intent to Work Together Towards Comprehensive Corporate Reporting” in September 2020.5 In June 2023 the ISSB launched the first two of an anticipated series of standards — IFRS S1 General Requirements for Disclosure of Sustainability-related Financial Information and IFRS S2 Climate-related Disclosures.
European Sustainability Reporting Standards (ESRS) — Following the mandate of the EU Corporate Sustainability Reporting Directive (CSRD) in April 2021, the European Financial Reporting Advisory Group (EFRAG) has developed a comprehensive set of sustainability standards.6 The ESRS are “impact accounting”-based, embracing the double, or dynamic, materiality concept. This requires not only consideration of the effect of sustainability issues on the enterprise, often referred to as the “outside in” view; but it also requires that companies take an “inside-out” view, assessing the impact that the organization has on the environment, society, and the economy. The ESRS standards include:
Two cross-cutting standards — general requirements and general disclosures.
Five environmental standards — climate, pollution, water and marine resources, biodiversity and ecosystems, and resource use and circular economy.
Four social standards — own employees, workers value chain, affected communities, and consumers and end users.
One governance standard — business conduct.
The European Commission adopted the 12 ESRS for use by all companies, subject to the CSRD in July 2023.
Regulatory requirements — In the United Kingdom, a host of reporting requirements are in place, including the Financial Conduct Authority (FCA) rule for climate disclosure by large listed companies. In the United States, the SEC has developed an extensive plan titled, “The Enhancement and Standardization of Climate-Related Disclosures for Investors.“ Similar disclosure requirements have been, or are being, imposed in other major capital markets around the world.
In addition to the evolution of expectations and the response of the reporting and regulatory environment, the ICSR guidance highlights some of the characteristics or attributes of sustainability information that present reporting challenges:
Qualitative vs. quantitative data — The goal of enabling users to assess the longer-term value creation potential of an enterprise inherently results in the use of more qualitative data for sustainability reporting than for financial reporting.
Forward-looking data vs. historical — Similar to the need for more qualitative data, the longer-term nature of sustainability targets and goals, and reporting on the achievement of those goals in relation to business objectives, can significantly extend the time horizon beyond the traditional financial reporting timeline.
Reporting boundaries — In addition to some unresolved differences regarding the setting of organizational boundaries for reporting based on concepts of “control” vs. “influence”, much sustainability reporting relies on third-party data. In particular, Scope 3 greenhouse gas (GHG) emissions encompass both upstream and downstream activities as part of the organizational “carbon footprint.”
Immature systems — The evolution of requirements for internal controls over financial information has been accompanied by a maturation of comprehensive IT solutions for this data, along with well-defined and consistent processes that support independent audit requirements. In addition to the challenges presented by the nature of sustainability information, much of the information needed for sustainability reporting comes from widely disparate sources, both inside and outside of the organization. While there is a proliferation of sustainability reporting platforms and software services entering the market, for the most part, these systems and related processes remain immature.
External assurance — Users of sustainability information have similar expectations for independent assurance, including assessment of process effectiveness, that they have become accustomed to financial information. Accordingly, emerging standards and regulatory requirements reflect this expectation, including provisions for transitioning from limited to reasonable assurance.
