Strong governance systems are vital to better ensure that an organisation achieves its objectives and manages risks in doing so.

This holds true for reporting, which is part of the accountability mechanisms in an organisation.

Governance: roles and responsibilities

At a glance

  • Benefits: creates a top-level demand for good quality ESG reporting
  • Challenges: establishing a culture around the value add of having robust confidence building measures
  • Next step: systems of internal control

The board and senior management: setting objectives and overall governance structure

Strong governance should start with the expectations and ambitions set by the board (or trustees, or any other form of highest governing body within an organisation). In the case of investment managers that do not have a board, this role would be filled by the CEO or other C-level staff, such as the CIO. The expectations and ambitions set should reflect the board’s culture and thinking. This culture and top-level demand sets the tone for the rest of the organisation and creates a mandate for management and others to implement the appropriate steps, such as for CBMs and ESG reporting.

The top-level of an organisation can set expectations for high-quality reporting to support governance, which can help create more efficient reporting processes with better quality information. This creates a positive feedback loop. There is no ‘one size fits all’ model for this principle, as every organisation should tailor its governance structure according to its specific needs. The PRI has picked up the need for clear roles in terms of oversight and implementation responsibilities of RI in its minimum requirements for signatories.

However, organisations often first need to realise and agree on the value-add of implementing CBMs, followed by clear delineation of roles and areas of responsibility. This provides the best conditions for reaching organisational objectives, including ESG reporting. Setting a strong basis is a step in the right direction towards enhancing credibility of information provided in external reports. Clear responsibility for outputs and processes enables tracing and verification of those outputs and processes.

Practices among PRI signatories

RI accountability at the board, the CEO or other C-level staff is considered a preliminary component of building confidence in signatories’ responses to their Transparency Report. It is therefore encouraging that 94% of signatories reported that their board/CEO or other C-level staff had oversight or accountability for their responsible investment. In addition, 63% of those signatories also reported that senior management is responsible for its implementation.

Systems of internal control: a prerequisite for internal audit and third-party assurance

At a glance

  • Prerequisite: support from the highest governing body: top-level demand for good quality ESG reporting, clearly outlined responsibilities within the organisation.
  • Benefits: creates internal confidence over ESG information, mitigates risks and ensures roles and responsibilities within an organisation work as intended
  • Challenges: customising the system of internal control to fit your organisational structure; general lack of maturity in internal controls over ESG reporting processes (2018, IAASB)
  • Applicable framework: COSO framework
  • Frequency: ongoing
  • Next step: internal audit of the control environment
Key steps and example actions

Understand the culture
  • Examine what the tone at the top is regarding responsible investment, risk identification and ESG reporting. Is there a top-level demand, and is the value add of implementing CBMs clear?
  • Try to get an overall picture of how the issues have been prioritised so far by management and staff.

Understand the organisational structure
  • Map out the organisational structure to understand how internal controls can fit into your unique context.
  • Think about how a segregation of responsibilities for ESG reporting can be implemented within that context. Use the three lines of defence model as a guide to understand how you can separate responsibilities.

Establish the current risk maturity of the organisation
  • Examine what control processes you might already have in place and what risk identification you have already conducted. These processes can be built on as part of the next step.

Formalise the system of internal controls and culture
  • Develop documents on policies, procedures, responsibility areas (use the three lines of defence as a guide) and workflows to manage expectations and create clarity internally.
  • Engage staff in the process to embed thinking across the organisation.
  • Ensure sign-off and endorsement by the board and C-level staff.
  • Communicate across the organisation to normalise the process and create a culture around it.
  • Ensure documents are readily accessible by all staff.

Perform risk assessment
  • Ongoing assessment of risks that might impact data quality for ESG reporting.
  • Make whistle-blower functions available.
  • Segregate duties for approval of ESG reporting to mitigate fraud risks.

Implement control activities to ensure data accuracy, validity and completeness
  • Implement a tracking system and/or record-keeping for ESG data.
  • Compliance officers, internal control specialists or similar functions can help to implement control activities.
  • Document sources of information for ESG information.
  • Enlist the help of automated checks and validation to help identify risks of inaccuracy in information.

Inform and communicate about the process internally
  • Inform employees about the findings from the ESG reporting process in a timely way.

Implement monitoring activities
  • Perform ongoing monitoring to ensure that control activities are functioning as intended.
  • Detect and correct errors in the control activities through regular management and supervisory activities that are built into routine operations.
  • This step may include internal audit or external assurance activities.

Systems of internal control generally aim to ensure that the agreed-upon strategy, roles and responsibilities in an organisation work as intended and mitigate risks. Having internal control systems in place helps organisations achieve their objectives more efficiently and is a necessary building block for more advanced CBMs such as internal audit and external third-party assurance. As with the UNGC recommendations on corporate ESG reporting, the PRI recommends that investors and service providers establish and strengthen their systems of internal control related to their responsible investment processes before seeking more advanced CBMs. In fact, an inadequate internal control environment runs the risk of adding to the workload of the external assurance provider and may result in increased fees as well as an “unfavourable assurance conclusion”. An organisation’s confidence in its reporting, including ESG information, is a direct result of the quality of its internal control environment.

The PRI recognises this is a key area of focus for PRI signatories as the International Internal Audit Standards Board (IIASB) has identified there is a general lack of internal controls over emerging forms of reporting processes, such as ESG reporting processes. In the absence of guidance on internal controls over ESG information specific to the investment industry, the WBCSD internal control framework for non-financial reporting can serve as a helpful guide for PRI signatories that wish to improve their internal control systems for preparing their PRI reports.

The WBCSD framework is based on five components of the 2013 COSO Internal Control-Integrated Framework:

  • control environment;
  • risk assessment;
  • control activities;
  • information and communication;
  • monitoring activities.

The five components have 17 underlying principles that explain in more detail how they can be implemented. Signatories could implement these components and principles to achieve two overarching benefits:

  • It can help signatories develop robust internal controls for ESG reporting, to achieve higher internal and external confidence in their PRI reports.
  • It can improve internal reporting so that the signatory has higher quality information to make investment decisions and better understand what their RI approach should be.

The control environment

The control environment is dependent on the senior leadership and management setting the tone and communicating values about the relevance of ESG reporting for long-term strategic decision making. While financial reporting might be subjected to regulatory requirements (such as mandatory internal audit and external third-party assurance) for the production of accurate data, ESG reporting will often rely more on the control environment, ethical values and the culture of an organisation.

Practical measures include, but are not limited to:

  • Clarifying and formalising the commitment towards ESG reporting in guidelines and policies.
  • Ensuring internal transparency about the reporting process to create internal user trust.
  • Clearly documenting the organisational structure and reporting lines for ESG reporting, including targets/ action plans and incentives/rewards for how reporting should be conducted for the relevant organisational departments.

Risk assessment

An organisation’s regular risk assessment should include an assessment of risks or opportunities that might impact the data quality for ESG reporting.

Practical measures include but are not limited to:

  • ongoing risk and quality assessment processes;
  • whistle blower functions;
  • a segregation of duties for approval of ESG reporting to mitigate fraud risks related to ESG reporting.

Control activities

Control activities support risk management, and their type and application will vary according to organisation. Risk and control functions, such as compliance officers, internal control specialists and other control/risk functions for ensuring quality of data will play an important part in enhancing the control environment and lowering risks. Internal verification or review of ESG data by senior staff, the board or a particular department can also apply. Practical measures include, but are not limited to:

  • defined and documented data collection processes;
  • tracking systems and record keeping;
  • documentation of sources of information for ESG data;
  • automated checks, validation and secure access to databases.

The above measures should be automated where practical.

It should be clearly defined how these activities add value to the ESG information with respect to data accuracy, validity and completeness. If senior staff, the board or a particular department reviews the ESG information produced for a report, it is particularly important to consider whether this individual or group is independent of the ESG data collection process.

Information and communication

The reporting process should facilitate the identification of relevant and reliable information and its timely, accurate communication. The first step is to decide what type of ESG information is material and a priority for the organisation to report on, and how this ties in with the board objectives on ESG reporting. This should take into account what external stakeholders, such as the PRI, treat as material, the approach of which is based on the questions asked in the Reporting Framework and described in subsequent sections.

Monitoring activities

Monitoring activities ensure that control activities are functioning as intended.

Practical measures include, but are not limited to:

  • Basic and ongoing monitoring activities through regular management and supervisory activities that are built into routine operations.
  • Self-assessments of the organisation’s internal controls that will also identify opportunities for improvement.

While doing this, organisations should be vigilant of potential deficiencies in the control system and communicate those to individuals responsible for ESG reporting and to management, so that this can be incorporated into improvement action plans. These monitoring activities may include separate evaluations such as internal audit and/or external third-party assurance, which will be addressed below.

The five components of the COSO and WBCSD framework present a strong case for internal controls and how they help organisations meet their objectives and enhance the credibility and quality of information for ESG reports. While an emerging concept, applying effective internal controls to the collection of ESG information is increasingly being picked up on the agenda of various reporting frameworks and standards bodies such as GRI, IIRC, IFAC and IAASB.

The three lines of defence: allocating responsibilities for internal controls

At a glance

  • Prerequisite: support from the highest governing body: top-level demand for good-quality ESG reporting
  • Benefits: clearly outlined responsibilities and roles that will contribute to the organisation efficiently reaching its objectives and identifying risks in the reporting process as well as the overall organisational activities
  • Challenges: ensuring the three lines of defence are separated, especially the independent audit-function (this could be outsourced, see next section)
  • Applicable standard/ framework: the three lines of defence model - IIA & COSO
  • Next step: internal audit

The previous section identified the internal control measures that can substantially mitigate risks in achieving organisational objectives, and that can make a positive difference in reporting accurate and trustworthy ESG information in external reports. Underpinning the effective management of risk and control is the need for separation of responsibilities.

The Three Lines of Defence model (the model) serves as a guide to identify those roles. The model is widely used by organisations of different sizes across the globe and enables groups to understand what their role is in addressing risk and control, and also how they might organise their work to eliminate gaps. The model identifies three roles and the overall process should be under the oversight of the board, trustees or senior management (see below).

The three lines of defence model

In practice: large signatory with internally managed assets

Line 1: portfolio managers

Line 2: compliance team

Line 3: internal audit function

In practice: small signatory with externally managed assets

Line 1 & 2 – external portfolio managers/fiduciary manager, investment manager

Line 3 – internal audit function or contracted internal auditor for minimum three years but no more than six years

Senior management should be informed of the risk of lines overlapping, and this should be communicated in any documentation on internal controls to external stakeholders.