Unlock sustainability in facilities management ESG; Internal Control Over Sustainability Reporting; coso framework examples
Unlock sustainability in facilities management ESG; Internal Control Over Sustainability Reporting; coso framework examples

ESG Reporting Is Already Required: Here’s What You Need to Know

Jim DeLoach, Managing Director Host, The Protiviti View

The big picture: Mandatory ESG reporting will soon be a reality for more than 3,000 U.S. companies, thanks to the EU’s Corporate Sustainability Reporting Directive (CSRD) that took effect last January.

Why it matters: CSRD compliance requires substantial data collection, cross-functional collaboration, and, potentially, new reporting infrastructure — a massive undertaking.

Who is responsible? The burden will fall squarely on the shoulders of CFOs and finance groups, thanks to their expertise and their areas of responsibility. To comply, they will need to collaborate and coordinate with multiple stakeholders in the company.

What’s next? CFOs, especially those in the U.S., need to close several common CSRD knowledge gaps quickly to be prepared for the magnitude of challenges ahead. Organizations should begin crucial preparatory work immediately to improve the sophistication and rigor of their internal controls and governance oversight related to data collection.

Is your finance group prepared for the new era of ESG reporting? Because guess what — it’s here.

If your first thought turns to the U.S. Securities and Exchange Commission’s (SEC) final rules on climate disclosures that are anticipated by the end of this year, your team may not be as prepared as it should be. ESG’s so-called 2.0 era, which places new and substantial demands on finance groups, actually began last January. That’s when the European Union’s (EU) game-changing Corporate Sustainability Reporting Directive (CSRD) took effect, joining an expanding array of global ESG compliance rules that require standardized and, in most cases, verifiable reporting on ESG performance.

More than 50,000 EU-based companies and approximately 10,400 non-EU enterprises will be subject to CSRD compliance, according to a Wall Street Journal article that cites research from financial data firm Refinitiv. Nearly one in three of those non-EU companies (31%) are based in the United States. Whether we like it or not, mandatory ESG reporting will soon become a reality for these companies.

While CSRD reporting requirements will be phased in over time starting in January 2024, building a CSRD compliance capability is a massive undertaking that requires substantial data collection and verification, cross-functional collaboration, and, potentially, new reporting infrastructure. Some companies will need to disclose as many as 1,000 discrete items, depending on their materiality determinations (more on that in a moment). All companies within the scope of CSRD will need to report on ESG performance based on their adherence to 12 European Sustainability Reporting Standards — which consist of two overarching standards, five environmental standards, four social standards and one governance standard.

CSRD compliance and other global ESG 2.0 requirements fall squarely within the CFO’s wheelhouse of expertise, and, being attached to in-country statutory filings once they are required, these compliance activities will fall squarely within the CFO’s area of responsibility as well. One purpose of CSRD is to elevate sustainability reporting to the level of rigor associated with financial reporting from a reliability, accuracy, accountability and auditability perspective. This makes it vital for CFOs, especially those based in the United States, to close several common CSRD knowledge gaps.

To get a feel for the magnitude of CSRD compliance, imagine transitioning your financial reporting framework from U.S. GAAP to IFRS without being able to access a single byte of accounting data from an ERP system. And if your organization is not subject to complying with CSRD, you likely are not off the hook. Beyond the SEC’s pending final rule on climate impact reporting, companies that are not subject to CSRD but operate in other global regions will need to inject more rigor into their sustainability reporting to comply with less sweeping but equally stringent new ESG-related disclosure laws in a growing number of countries, including the UK, Switzerland, Japan, Singapore and Australia. The point is clear: Mandatory ESG disclosures are on the rise and need to be identified, understood and addressed.

Close Three CSRD Knowledge Gaps

CSRD and other ESG 2.0 rules require major strategic and procedural considerations. Materiality — and, crucially for CSRD, “double materiality” — analyses must be designed. Reporting responsibilities must be assigned. New reporting engines must be designed and assembled. New internal controls must be established. In most cases, the CFO will lead these comprehensive efforts.

A prudent way to get started on this work is recognizing and closing three common CSRD knowledge gaps:

Double materiality analyses: A new game in town

CSRD requires companies to complete a double materiality analysis for every legal entity in scope or for every report if a single global (or EU regional) report is issued. Traditional materiality determinations are straightforward: Compare a risk quantification to a predetermined threshold and you’re finished. However, the double materiality analyses CSRD requires are far more involved. They also mark a foundational building block of CSRD compliance, so it is important to get these determinations right.

One materiality analysis CSRD calls for reflects an outside-in assessment of external ESG-related risks that may affect the organization’s operations and enterprise value. For example, a traditional publisher would assess its ability to access production inputs needed to print magazines given climate-related stresses on forests and trees that are harvested for paper. CSRD’s second materiality analysis mandates an inside-out assessment of a company’s environmental and social impact on the world. These impacts must be assessed throughout the value chain, from sourcing and manufacturing processes to the delivery of services and the use and disposal of products. While single materiality analyses are commonplace for CFO organizations, and largely mathematical, double materiality analyses will require more subjective qualitative assessments of what matters and needs to be reported (and will test not only spreadsheet skills but also collaborative whiteboarding and design thinking skills).

Level and scope of reporting: An important decision

While companies subject to CSRD compliance eventually will be required to produce a single, consolidated global report, that is not the case for most companies for the next few years, during which individual reports can be issued for each legal entity that is “in scope.” Some companies may elect to bypass the intermediate step of issuing reports only for in-scope legal entities and instead issue a comprehensive global report. Other organizations will choose to disclose at the (in-scope) entity level and wait to produce a global report until that is required. Still others may opt to issue a regional report, e.g., an EU regional report. Each approach has pros and cons that must be considered in conjunction with each company’s unique ESG performance and double materiality assessments. For example, if only one of a company’s 20 EU legal entities is in scope, it likely makes sense to hold off on the global report.

Data collection and management rigor: A significant challenge

The data that feeds the CSRD disclosures must be trusted, accurate, complete and well-defined. Satisfying this need represents a massive challenge for most companies given that ESG data is predominantly unstructured, stored in many different formats, and pulled from numerous systems, applications and sources throughout the company and its third parties. The range of data sources used in CSRD reporting is considerably broader than the collection of data used in financial reporting — nearly all of which flows from tidy rows and columns in the general ledger and related accounting systems that have been subject to internal controls and governance oversight for decades. To put it simply, for most organizations, financial data governance and management likely is far more sophisticated than their current ESG-related data governance and management processes. This needs to change, and fast. The Committee of Sponsoring Organizations (COSO) has weighed in regarding the applicability of its 2013 internal control framework to internal control over sustainability reporting, so the good news is there is ample muscle memory available to CFO organizations. However, the data itself will still be coming from unfamiliar sources as well as from sources who are unfamiliar with the rigors of internal controls and reporting to the public.

The nature and magnitude of the challenges related to double materiality analyses, reporting decisions, and data collection and management rigor make two points crystal clear. First, CFOs and finance groups should play a leading role in complying with CSRD and other ESG 2.0 disclosure requirements. Second, the necessary preparatory work needs to start immediately.

This article originally appeared on Forbes CFO Network.

Read additional posts on The Protiviti View related to ESG Reporting.

Add comment