The ESG data challenge: Internal audit’s role in maturing ESG data quality and governance

ESG data– why is it unique?

The simple answer is that it is not. ESG data has many of the same characteristics as any other data that an organization may have, and in this respect, internal audit can apply the same approach to auditing data collection, governance, and management. However, ESG data quality is often lower than other (notably, financial) data, and there are some important characteristics affecting the risks and controls which may be relevant:

• ESG is immature. It has typically developed to meet ad hoc needs across and outside the organization, rather than being structured in a planned way.
• For similar reasons, ESG data is generally distributed across the organization, with different owners, systems, and collection processes. In some cases, there may be multiple instances of the same datatype.
• ESG data is new. Reporting requirements are fast evolving, and organizations may struggle to keep up. New ESG reporting frameworks, such as those from ISSB and the EU’s CSRD, amplify this challenge.
• Systems are often informal and end-user developed, built using tools such as spreadsheets. As a result, controls may be weak.
• Independent assurance requirements for reporting are evolving and have been voluntary so far. As a result, assurance is often limited in scope and may include little or no validation of source data.
• There is a reliance on data from third parties to present a full picture of an organization’s impacts.

COSO’s report on “Achieving effective internal control over sustainability reporting (ICSR)” gives further detail on these and other characteristics of ESG data and provides useful background and support on this topic. 

Of course, many of us will have seen data sets with similar characteristics elsewhere. For example, 20 years ago, regulatory reporting data was often immature, dispersed, poorly controlled, and spreadsheet based. In most financial services organizations it has evolved significantly, although this isn’t always the case in other sectors.

What controls should we expect?

As you would expect from the characteristics above, the control environment may not be ideal. But we need a starting point, and that starting point is the controls we would typically expect in a mature data environment. This can help us with planning our audits.

Some of the control objectives we should consider are as follows:

Governance

• A sound governance framework, where data requirements are cascaded from senior leaders throughout the organization and the board, or when senior leadership teams take overall responsibility for the data framework. A steering committee and an ESG data controller may help achieve this.
• Clear ownership for each data category at appropriate levels in the organization is also needed.

Security

• Sound, general IT controls supporting the systems holding relevant data (clearly this requires a high level of systematization rather than user-defined solutions).
• Policies and procedures around the collection, storage, and processing of data.

Quality

• Clear definition/structure of data, supported by established policies and procedures.
• Appropriate consistency between data held for different purposes – including different external reporting requirements as well as internal reporting and data used in decision-making. The COSO report mentioned above provides useful insight into aligning external reporting and internal benefits. This links to the obvious objective that data must be relevant and reliable.
• Completeness of data. This links to reliability but worth a specific mention given the often-distributed nature of ESG data sources which means that multiple sources will need to be identified (in some cases multiple sources of the same data).
• Data must be traceable to original sources.
• The data must be available on a timely basis, so it is of use to the user.
• Controls over third parties are key – both contractually and operationally – to ensure the right data is provided, assured, and processed.

PwC expand on this and highlight the reasons for needing sound controls over data in its report “Building a sustainable path to cleaner ESG data.”

The role of internal audit

As with many areas of risk, in particular emerging risk, there is potential for internal audit to get involved in many ways. 

At one level we can consider an audit of ESG data in the same way as any other data. An outline specific to what is data auditing can be found here. This provides an excellent starting point, particularly in a mature environment, but also helps us to perform a gap analysis in a less mature environment, which may add value. These are really what we would term General IT Controls, but with a specific focus on data. Without these, our ability to place reliance on controls specific to the data applications is limited and we will likely need to take a more substantive approach to any audit.

At another level, we need to consider the characteristics of ESG data as described above and the purpose(s) for which ESG data is used. Potential approaches include the following:

Data may be considered as part of a wider audit. For example:

• An audit of an ESG-related report (external or internal) – this will be covered in detail in the next article.
• A supplier, procurement, or similar audit, where the contractual requirements are considered along with monitoring and assurance processes and the handling of the data once provided by the supplier.
• EDI data that could be audited as part of an HR audit.

Internal audit could perform a data maturity assessment to establish the extent to which the governance framework, processes around ESG data, and control environment are established. This can be an advisory piece of work to support the business, or an assessment of the control environment around data to support an audit of reporting (or help to determine whether a control-based or substantive approach to such an audit of reporting is most appropriate). There is no standard ESG data maturity model and more generic data maturity models do not seem to provide the level of insight required.

An assessment may address the control objectives described earlier, considering questions such as:

Governance

• Is there a governance structure for ESG with senior cross-functional oversight (such as a steering committee)?
• Is there sufficient senior leadership at executive and/or board level?
• Does each data component have an owner?

Security

• Is data held on established systems or spreadsheets/similar end-user solutions?
• Are general IT controls established and effective?
• If amendments are made to the data, is there a clear process and appropriate controls?

Quality

• How are ESG data requirements defined? Are data structures planned to reflect these requirements?
• Is there a single source for each data component? If there needs to be multiple sources, are the structures aligned and are there controls to prevent duplication?
• Are data sources clearly defined (internal or third party) and are there controls over the collection and capture into systems to ensure it is accurate, reliable, complete, and timely? To what extent is data capture automated from existing internal or third-party systems?

Although this is not a complete list, it will help to define where gaps are and the extent to which internal audit and the business can rely on the data.

Internal audit could assess models that are used to provide or estimate certain data. Probably the most common example of this are models to estimate emissions of greenhouse gasses (GHGs) but there may be others where data is incomplete. The auditing of models is familiar to internal audit, and we should consider the following:

• The assumptions implicit in the model. Do they make sense? For GHGs, this will generally follow the Greenhouse Gas Protocol and so are established and defined. (GHG models are also often provided, or executed by, third parties).
• Inputs into the model. How reliable is the source data?
• Security over the model, particularly over algorithms.
• Any subsequent amendments to the model outputs.
• Any available, independent model validation.

Some closing thoughts

In this article, I have given some suggestions about how internal audit can begin to look at the risks and control environment around ESG data as it matures. This can help add value to the business by recommending stronger governance and control processes and provides a basis for the level of reliance which internal audit and others can place on the data.

In the next article, I will focus on reporting. This will introduce some specific audit approaches and will inevitably link back to data, as the reliance that can be placed on data will affect the approach to auditing any type of reporting.