06-04-2023
Using secure, robust data and technology for sustainability or ESG reporting.
Making sustainability reporting reliable
Increasing the level of assurance
We’re seeing that sustainability or ESG (Environmental, Social, and Governance) reporting requirements are increasing for companies. Hand in hand with this trend come requirements to increase the level of assurance, as shown by a recent KPMG study.
The importance of being robust
Companies need to start implementing a robust internal control framework over sustainability reports - think of Internal Control over Financial Reporting (ICoFR) with the F switched for S as in sustainability. One aspect of this control framework that does not (yet) get much attention is the technological one: as companies execute their ESG strategy, they need to build the right level of controls to ensure that the data that supports their reporting is reliable. This includes controls over the technology used to produce those numbers. Indeed, as "reasonable assurance" requirements start to kick in – as early as 2025 – technology will also play a central role in the operation of controls.
We imagine that Chief Sustainability Officers coming from Finance functions are used to such requirements. They also know how to work with their IT counterparts in developing a sound technology-based control framework. Nevertheless, the road there is not as simple as one might think.
More automated data processing is needed
Currently, most systems and applications used to generate sustainability numbers are manual. They often rely on spreadsheet-based calculations, with manual data input. However, as processes mature over time and requirements widen to other metrics, systems will need to be more automated and handle the volume and frequency of data processing. Organizations therefore need to ask themselves the following questions:
- Data origination: where is the data coming from and who has had access to it? It is important to understand the reliability of incoming data, no matter where it comes from.
- Data input: how is data entered into the system? Very often data is entered manually, but do controls exist to make sure these inputs are reviewed for appropriateness?
- Data integrity: how do you make sure you can apply the least-privilege principle, especially if the finance ERP system is not very mature? One of the fundamental aspects of reliability is that only people who need to access the data have access to it.
- Data processing: automated does not necessarily mean secure, so how can you make sure you remain in control? Errors and failures in automated processes are quite frequent, so proper monitoring needs to be in place.
- Data completeness and accuracy: how stringent do the controls over the completeness and accuracy of the data output have to be? These are the numbers that everyone will be looking at, so they need to be rock solid.
What needs to be done
Companies need to act now if they don’t want their sustainability reporting to be on shaky ground. This includes:
- Assessing the current and future technology landscape supporting your sustainability reporting, from internally developed end-user computing tools to cloud-based external solutions.
- Developing an IT control framework, aligned with your current control framework, focusing on access and change management. The goal is to ensure that data is stored securely, that access is given on a need-to-know basis, and that changes are only made by authorized individuals. You could go as far as including operations control to ensure that systems are properly monitored, that data is backed up regularly, and that restoration is possible.
- Setting up and communicating requirements for service providers when cloud solutions are being used. Service providers need to give assurance over their own internal controls, just like cloud providers of financial reporting solutions do nowadays with SOC 1 and ISAE 3402 reports. This is – for all involved companies – a journey to compliance. The earlier providers are onboarded, the easier it will be to meet upcoming requirements.
- Initiating independent assurance for IT controls now. Even if this is not yet required, it might be worthwhile to be ahead of the pack.
In summary, a lot can already be done today to demonstrate the robustness of your commitment to a sustainable world. Sturdy ESG controls are a great start for dependable ESG reports.