Becoming CSRD assurance-ready through ESG controls - Lessons Learned

COPENHAGEN, 02.04.2024

Throughout the past year, we have assisted companies in Denmark and abroad in preparing for the Corporate Sustainability Reporting Directive (CSRD) reporting requirements that came into effect from the 2024 financial year. Our projects range from Double Materiality Assessments (DMA), gap analyses, and implementations, to designing and implementing controls over sustainability reporting and assurance services. Based on these projects, we have identified some key challenges faced by many organizations.

On March 19, 2024, we held a webinar discussing these challenges and how governance, controls, and automation can address them. This article provides a written summary of that webinar.

If you want to watch the full webinar, you can follow this LINK.

Note that we use the terms Sustainability and ESG (Environmental, Social and Governance) interchangeably in this article.

What issues can we see so far with sustainability reporting?

Throughout 2023, Deloitte has been engaged on multidisciplinary projects ranging from CSRD implementation, ESG control design and implementation, ESG data management and governance, and assurance on CSRD reporting assurance preparation. Below are some observations gathered from Deloitte’s Sustainability, Internal Controls, and Audit Professionals.

Governance: The sustainability reporting process presents challenges related to governance, processes and controls, and technology. Vaguely defined structures or silos can lead to data owners being mobilized too late, unclear roles and responsibilities, errors in data collection or calculation, and missed deadlines. A reporting manual with clearly written accounting principles is needed to address this and ensure that all sustainability reporting is underpinned by standardized metrics and indicators from recognized global standards such as the Global Reporting Initiative (GRI).

Home-made KPIs, which could be related to e.g. employee training hours or community donations, can be challenging to provide assurance on, if they lack a clear, measurable definition. Therefore, it is highly advisable to use standardized metrics and indicators.

Processes & Audit Trail: From a processes and controls perspective, incomplete or inaccurate data capture on the front end, manual adjustments without an audit trail, and insufficient control measures over third-party data can all lead to inaccurate reporting. To address these challenges, companies need to ensure that all source data is identified and included in the data set, that manual adjustments are supported by documentation, and that there is a clear audit trail and reconciliation with source data.

Technology & Automation: Calculation errors and issues with data transfers can lead to inaccurate reporting on the technology side. Companies need to ensure that Excel formulas are error-free and that data transfer processes are automated to minimize the risk of errors.

Overall, addressing these challenges requires companies to establish a structured assurance process for sustainability reporting that is as rigorous as the assurance process for financial reporting. Companies need to ensure that they have sufficient awareness within the business around what is required, by whom, why and when, and that there are sufficient control measures in place to ensure the accuracy and completeness of reported information.

Top 3 takeaways from working with companies in FY23

Governance

Firstly, to ensure accurate and complete sustainability reporting, it is essential to rethink – or refresh – ESG governance around data management and communication. This involves establishing clear roles and responsibilities for sustainability reporting, onboarding the business, and integrating ESG reporting into existing risk management and reporting processes. By doing so, companies can better identify and mitigate the risk of misstatements and potential greenwashing claims, and avoid associated costs. They can also better structure ESG data for more regular reporting to Management beyond the annual reporting that is common today.

When setting up sustainability reporting lines and organizational structures, two main operating models appear to be emerging in large companies (see image 1). In the first option, the sustainability team takes responsibility for most ESG activities, including DMA, ESG strategy, policy implementation and reporting. In the second option, the finance department, sometimes called 'sustainable finance,' takes responsibility for the reporting and quality control, while the sustainability team handles the DMA, ESG strategy, and policy implementation.

However, there is no one-size-fits-all option that works for every company. The best option depends on factors such as where the company's knowledge sits, current practices, complexity, and historical setup.

We have also observed that more and more Internal Control and Internal Audit functions are getting involved in sustainability reporting. This trend highlights the importance of having robust controls in place to ensure accurate and reliable sustainability reporting. Ultimately, the most effective option for setting up sustainability reporting lines and organizational structures will depend on the unique needs and circumstances of each company.

Image 1: Two ways emerging for how organisations are structuring themselves to manage sustainability reporting.

Controls over ESG data and related processes

Secondly, building controls around ESG data is also critical to ensure accurate and reliable reporting. Companies should focus on the highest risks of inaccurate and unreliable data, and standardize processes to ensure accurate, complete, and valid data. Streamlining ESG data collection, consolidation, and reporting can also help to improve the accuracy and efficiency of sustainability reporting.

To implement sustainability reporting, it is important to follow a structured approach that starts with the DMA. During this phase, companies identify their most material sustainability impacts on society and the environment as well as the financial implications for the business – both risks and opportunities.

Once the DMA is in place, companies can move quickly into the identification of the disclosure requirements and individual data points that will need to be reported on. From there they can draw up relevant processes (see image 2) and initiate the identification of risks and controls. This is similar to what many companies typically do for financial reporting risks. 

We also recommend that companies simultaneously start 'dry-run' reporting. This allows companies to gain insights into their processes and identify weak spots that require controls. By thinking about processes, data points, and internal controls early in the process, companies can simplify and standardize their processes and make the reporting cycle easier. 

Having effective and efficient processes with the right controls ultimately ensures that companies can report faster, spend less time on rechecking and double-checking, and avoid spending significant time and resources on resolving errors. By following a structured and well-designed process, companies can achieve accurate and reliable sustainability reporting while minimizing risk of errors and maximizing efficiency of resources involved.

Image 2: A generic high-level process for implementing sustainability reporting.

A Practical example

In order to demonstrate how having good insights into processes, risks and controls can help you drive quality sustainability reporting, we have visualized a typical process flow for energy consumption reporting (see image 3), which can provide a starting point for companies to think about process flows and controls. At a high level, the key processes for data capturing and reporting include processes over a) source data, b) data collection, c) calculation, and d) consolidation.

Let us take a deeper dive into each of these processes. Note that processes a) source data, b) data collection, and c) calculation are all subject to the risk of metering data / source data being inaccurate, incomplete, or untimely registered/processed.

Source data: The source data process (which is often more complex than described in the example below and often ‘overlooked’) involves the risk of incomplete metering points, in addition to the general data risks mentioned above. To mitigate these risks, companies can implement controls such as periodic review of meter databases or registers, approval of third-party invoices, and rechecking of correct recording of metering data.

Data collection: The data collection process involves the risk of inaccurate allocation of metering data, in addition to the general data risks mentioned above. To mitigate these risks, companies can implement controls such as variance analysis and reconciliation of metering data with third-party invoice data.

Data consolidation: The data consolidation process involves the general data risks mentioned above. To mitigate this risk, companies can implement controls such as reconciliation of data collection with consolidated data and variance analysis.

Metrics calculation: Finally, the metrics calculation process involves the risk of calculation errors. To mitigate this risk, companies can implement controls such as rechecking of applied emission factors and review of calculations.

Image 3: a typical energy consumption data collection and reporting process.

A high-level walk-through of this process, risks, and controls can help address the key issues that external auditors often look at to perform their assurance procedures. Organisations that implement targeted controls can reduce their risk of errors and improve the accuracy and reliability of their sustainability reporting.

It is important to note that there is no single, magic solution for sustainability reporting, and companies must consider their own collection, calculation, and consolidation processes. Internal control experts and ESG subject matter experts must work together to ensure that all nuances are considered, such as the data already available, allocation risks, and data completeness, and that no blind spots are overlooked. Organisations where these teams work together and follow a structured, transparent process, can achieve high levels of accurate, complete, reliable and credible sustainability reporting while minimizing risk of errors and maximizing efficiency of resources involved.

Technology

Finally, companies should consider how technology can support their sustainability reporting efforts. This includes building tools and technology to enable data in supporting new sustainable enterprise capabilities and decision-making. This can range from stronger spreadsheet controls to embedding data collection and consolidation tools or embedding controls in new system designs. By leveraging technology, companies can improve the accuracy, efficiency, and reliability of their sustainability reporting.

As highlighted in the previous section, errors and risks in sustainability reporting can arise in areas such as data transfers, calculations, or late identification of missing data. While manual controls can help mitigate these risks – and we can see that in many companies, these controls are very often still manual – they may not always be the most efficient or effective solution.

Automation efforts can make controls smarter, more focused, and easier to manage. By automating controls, companies can reduce the risk of errors and improve the accuracy, completeness, and credibility of their reported sustainability information. 

Next, we look at how automation can be applied to the same data flow in the energy consumption reporting process example above (see and 4) to create smarter and more effective controls. By leveraging technology and automation, companies can improve their sustainability reporting processes and ensure that their reported information is accurate, reliable, and compliant with regulatory requirements.

Looking at the typical collection and reporting process, there are multiple elements that can be automated. On a high level, these are:

1. At a minimum, ensure you have good controls over spreadsheets.
2. Embed access controls to your systems and data platforms.
3. Consider acquiring or developing data collection, consolidation, and reporting systems that ensure you have everything in one place.
4. Embed approval flows.
5. In your data collection and consolidation systems, embed automated controls such as input controls, automated calculations, and automated checks and balances that indicate when something is showing an unusual registration or development. Gain a clear overview over your data interfaces and find possibilities to automate those.Embed a Governance, Risk and Compliance (GRC) system that helps you with control execution in a consistent and structured manner.Over the longer term, consider if Artificial Intelligence (AI) could help with the execution of variance analysis.

Image 4: Elements in a typical collection and reporting process that can be automated (numbers corresponding to list above the image).