5. Information, communication and reporting for ESG-related risks
Table 5.4: Data governance considerations to support quality ESG information [22]

Internal

In reviewing management of key sustainability information for internal reporting, an organization may wish to consider the following factors related to its data governance and management practices:
• Does the organization’s creation, collection, validation, storage, use, archiving and deletion of sustainability-related data assets adhere to its data governance policy or strategy to support responsible management?
• Is relevant, reliable sustainability information integrated into existing management reporting systems, processes and reports? If so, is management actively using this information to run its operations? If not, why not?
• Is data lineage (the connection to its original sources) maintained throughout the information systems and supply chain?
• Does the organization leverage technology to establish and maintain data lineage, access information and connect to source data? If not, can it readily do so?
• Are relevant connections and dependencies maintained/preserved between sustainability information and other types of information?
• How often is key sustainability data collected? Can it be collected and reported internally in a timely and cost-effective manner?
• When appropriate, is material sustainability information integrated into the key analyses supporting management decisions, such as those related to resource allocation, product development, mergers and acquisitions, compliance and risk management?
• Are employee and supply chain partner incentives aligned with the organization’s sustainability reporting objectives?

External

In reviewing data management practices for sustainability-related KPIs specific to external sustainability reporting objectives, an organization may wish to consider the following factors:
• Is key sustainability information integrated into existing reporting systems and/or ERP platforms? If not, can it be readily incorporated? Or can effective controls be built around current or other reliable systems and platforms?
• Have consistent, formal policies been established across the organization to help ensure reliable sustainability data collection, validation, analysis and reporting/communication?
• Has the organization established and communicated clear ownership of and accountability for the collection, validation and reporting/communication of key sustainability information?
• Are the organization’s sustainability reporting and communication processes well documented, including controls to prevent or detect misstatements?
• Have internal audit, the compliance team, the CFO team and/or relevant third parties such as the external assurance provider been engaged to review the quality of key sustainability information, supporting processes and the system of internal control?
• Is there confidence in data quality?

Extract from: Leveraging the COSO Internal Control – Integrated Framework to Improve Confidence in Sustainability Performance Data
An increasing number of entities are obtaining independent, third-party assurance statements on their ESG information under the AICPA Attestation Standards or the International Standard on Assurance Engagements (ISAE) 3000. Of the top 250 global entities, more than two-thirds (67%) obtain assurance on ESG information. [23]

Entities obtaining assurance on ESG information can choose between two levels of assurance:
• Reasonable assurance, which consists of a rigorous examination indicating whether the information is free from material misstatement (considered investor-grade information)
• Limited assurance, which consists of more limited procedures that result in a meaningful but lower level of assurance than reasonable assurance

While most entities that seek assurance on their reported ESG information do so on a voluntary basis, requirements for verification and/or assurance are expanding. For example, some regulations require independent verification of greenhouse gas reporting (e.g., the Accreditation and Verification Regulation of the EU Emissions Trading System (EU ETS) [24] and British Columbia’s Greenhouse Gas Emission Reporting Regulation [25]). Others apply to ESG information more broadly. For example, the International Council on Mining & Metals (ICMM) requires its members to obtain assurance on their sustainability reports. [26] Some countries, such as Italy and France, are starting to require assurance with the adoption of the EU’s Directive on Non-financial Reporting. [27]
27
92 Enterprise Risk Management | Applying enterprise risk management to environmental, social and governance-related risks • October 2018