May 29, 2024

How to Leverage SOX Internal Controls for Successful ESG Reporting

ESG Advisory



Organizations can use what they already know about Sarbanes-Oxley to implement similar internal controls tailored specifically to ESG reporting, ultimately leading them to sustainability success.

As the significance of environmental, social, and governance (ESG) factors continues to rise, so do the associated reporting expectations, demands, and requirements. The performance and reliability of ESG data are now crucial concerns for organizations, influencing their financial stability and overall value to stakeholders.

According to KPMG’s Survey of Sustainability Reporting 2022, 96% of the world’s top 250 businesses and all of the top 100 U.S. companies were producing voluntary annual sustainability reports.

However, beyond the leading group, most organizations are not prepared to address the increased scrutiny, higher levels of transparency required by stakeholders, and increasing regulations.

Some internal audit leaders are drawing parallels between ESG's impact on organizations and the transformative effect Sarbanes-Oxley had in 2002, referring to it as ESG's "SOXification."

Organizations are feeling the pressure to strengthen their processes and controls so they can meet these higher ESG expectations and communicate their strategies. These are no longer just expectations; they are becoming challenging reporting realities.

ESG Reporting Challenges

As investors press for more thorough and verifiable voluntary reporting, organizations now face a growing list of ESG reporting requirements from regulators. Here are some examples of notable advancements in ESG reporting regulations:

European Union (EU)

In January 2023, the EU finalized the Corporate Sustainability Reporting Directive (CSRD), which requires in-scope companies to disclose data on a broad set of sustainability topics.

In July 2023, the EU adopted the European Sustainability Reporting Standards (ESRS), which provide specific guidelines for companies complying with the CSRD.

U.S. Securities and Exchange Commission (SEC)

The SEC issued proposed sustainability reporting rules in 2022, which were finalized in 2024. However, these rules are currently on hold. With the increasing focus on ESG reporting, these regulations are expected to significantly impact how U.S. companies disclose their ESG practices.

State-Level Initiatives

With SEC rules on hold, some states have taken regulations into their own hands. For example, in October 2023, California became one of the first states to implement new greenhouse gas emission reporting laws. These laws require large public and private companies to publicly disclose climate-related financial risks and GHG emissions.

Leveraging Internal Controls for ESG Reporting

To address these various levels of requirements, organizations can apply the internal controls they already use for SOX to meet ESG reporting requirements and expectations and to carry out their ESG strategies effectively.

“The parallels between SOX and ESG reporting are becoming increasingly evident,” said Mike York, Senior Manager in ESG Advisory at Clearview Group. “Both require internal controls and a commitment to transparency. Companies are realizing they can no longer put out reporting on unverified data. The era of ‘creative’ ESG reporting is over.”

Best practices for implementing robust internal controls tailored explicitly to ESG data include:

  • Entity-level controls
  • Certification and sub-certification process
  • Fraud prevention controls

Additionally, organizations can leverage reporting software to streamline data collection and reporting, enhancing efficiency and reducing the risk of errors.

These best practices help organizations meet ESG reporting requirements and drive meaningful progress toward sustainable and responsible business practices.

Entity-Level Controls (ELCs)

Consider leveraging your financial reporting infrastructure to formalize entity-level controls (ELCs) over ESG reporting.

ELCs govern the organization at a macro level and include the policies and procedures that drive how management behaves and conducts control activities. They lay the foundation for obtaining reliable data and improving the overall effectiveness, efficiency, and accuracy of underlying processes and reporting.

In SOX reporting, ELCs play a crucial role in ensuring the integrity of financial reporting. Similarly, in ESG reporting, they serve as a critical mechanism for ensuring the reliability and accuracy of sustainability disclosure.

Certification and Sub-Certification Process

Certification is the process where top executives, such as the CEO and CFO, attest to the accuracy of the financial statements and the effectiveness of the internal controls. Sub-certification is when lower-level managers familiar with day-to-day operations sign certification statements.

As ESG reporting becomes more established and potentially regulated, having a robust certification and sub-certification process can help organizations meet these new requirements and enhance their commitment to sustainability.

In SOX reporting, certification and sub-certification play a key role in ensuring the integrity of financial reporting. Similarly, in ESG reporting, they can help to serve as a critical mechanism for ensuring the reliability and accuracy of sustainability disclosures.

Fraud Prevention Controls

By segregating duties, organizations can create checks and balances to prevent any potential manipulation or misrepresentation of information.

Additionally, establishing a whistleblower protection program encourages employees to come forward with any concerns or suspicions of fraudulent activity, ultimately promoting transparency and accountability within the company's ESG reporting practices.

In SOX reporting, a robust set of fraud prevention measures is crucial to safeguard financial data from manipulation. Similarly, in ESG reporting, comprehensive fraud prevention controls are essential to deter and detect misrepresentation of sustainability metrics.

Reporting Software

Consider implementing a tool to facilitate the ESG reporting process. Many tools today can manage data requests, submittals, source documents, and the review and approval process.

For example, the Workiva ESG reporting platform is an end-to-end solution that enables cross-team collaboration. An end-to-end reporting system allows organizations to track data sources, ensure accountability, and document review and approval steps, giving your organization audit-ready ESG reports you can trust.

With mandatory ESG reporting regulations and deadlines fast approaching, organizations must prepare by assessing their existing internal controls and ensuring a compliant design. Internal processes must adhere to current regulations and be flexible enough to satisfy future ESG reporting requirements.

“Just as the Sarbanes-Oxley Act revolutionized financial reporting, we’re witnessing a similar transformation in ESG reporting,” said York. “The increasing regulatory scrutiny and the demand for transparency are driving the SOXification of ESG, making it an integral part of corporate accountability.”

Does your organization need help navigating the complexities of ESG reporting?

Our expertise in internal controls, sustainability, and financial reporting can help ensure your ESG reporting is accurate, transparent, and aligned with regulatory expectations. Get started on your ESG journey today.

Mike York
Senior Manager