The control environment is the interconnected set of an internal control system, an internal audit function, risk governance, a compliance function, environmental and social (E&S) risk management, subsidiary governance, and related external audit controls, involving a company’s board of directors, management, and other personnel. It provides reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance, and it spans the company and its subsidiaries.
Reporting should follow globally accepted disclosure standards (such as the International Financial Reporting Standards [IFRS] Sustainability Disclosure Standards issued by the International Sustainability Standards Board, the European Sustainability Reporting Standards, and the Global Reporting Initiative standards), and demonstrate the strength of the company’s sustainability-related disclosures on internal control, risk governance and management, internal audit, and compliance. The IFC Corporate Governance Matrix also contains elements that are relevant to reporting on the control environment.
Internal Control System
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Internal control systems are the means by which:
- Operations are conducted in accordance with prescribed policies and procedures.
- The enterprise complies with applicable laws and regulations.
- The enterprise’s assets and information are protected from improper use.
Internal Audit Function
Internal audit is a function set up to provide independent and objective assurance to the board and management that adequate internal controls are established and operating. As a matter of good practice, the internal audit function has its own charter and reports directly to the board’s audit committee. An external audit provides reasonable assurance that the financial statements are prepared according to generally accepted accounting principles and that they present a true and fair view of the company’s financial position and results of operations. Additionally, an external audit should include a management letter that highlights internal control deficiencies discovered during the audit.
Risk Governance
Risk governance is the company-wide system and structure for identifying and managing current and emerging risks, including the board’s role in overseeing the establishment of the company’s risk appetite and overseeing the risk management framework and function. Recently, risk governance has expanded to oversee and monitor sustainability-related risks.
Compliance
Compliance is a function that establishes a compliance framework, within which companies demonstrate that they have conformed to specific requirements in laws, regulations, contracts, strategies, and internal policies and procedures.
Subsidiary Governance
Subsidiary governance is critical because subsidiaries may pose financial, operational, and reputational risks to the parent company and to other companies in a group. Several high-profile corporate scandals have originated in subsidiary companies. Good subsidiary governance becomes particularly important when some group subsidiaries have minority investors.
Adequate disclosure on subsidiary governance would address the following:
- A parent company’s ability to identify and monitor all of its subsidiaries
- Established policies and procedures to control the creation and dissolution of subsidiaries
- A centralized subsidiary governance function and categorization of subsidiaries based on complexity and an appropriate governance framework applied to each category
- The board of directors of the parent company exercising oversight over the organizational structure and the activities of its subsidiaries while achieving balance and respecting the roles of the subsidiary and its directors
International Good Practice
The 2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework helps companies design and implement internal controls that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision-making and governance.
The framework has five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. Each component contains three to five principles, totaling 17 principles. These make up the framework’s core and describe how to operationalize effective internal controls. A company achieves an effective system of internal controls when all 17 principles are present and functioning, and operating together. As shown in the following figure, each principle is subdivided into points of focus that explain how the principle works in practice.
Internal Control over Sustainability Reporting
In March 2023 COSO released supplemental guidance for companies seeking to achieve effective internal control over sustainability reporting, using the globally recognized COSO Internal Control—Integrated Framework. COSO’s stated aim is to build trust and confidence in environmental, social, and governance (ESG) and sustainability reporting, public disclosures, and enterprise decision-making.
Leveraging the significant knowledge gained in the application of the COSO Internal Control—Integrated Framework to financial reporting over the past two decades, Achieving Effective Internal Control over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control―Integrated Framework introduces the term “internal control over sustainability reporting” into the internal control lexicon.
Consultant Douglas Hileman summarizes three attributes of ESG reporting that differ from financial reporting: control versus influence, quantitative versus qualitative, and historical versus forward-looking.
Internal Control Systems
Describe the roles of the board, audit committee, and senior management in the company’s internal control systems, including the following:
- Financial accounting and reporting controls;
- Nonfinancial accounting and reporting controls, including controls over data pertaining to sustainability activities;
- Operational controls, including sustainability and stakeholder risks;
- Compliance controls, including ethics and compliance: code of ethics, whistleblower systems, anticorruption measures.
Internal Audit Function
Describe how the board is carrying out its responsibility to ensure the company’s financial integrity and the integrity of its operations, including:
- Internal audit’s reporting line to the audit committee and its relationship with management;
- Main activities, challenges, and findings of the internal audit;
- How the internal audit function is carried out, including whether it is outsourced to a third-party provider, if relevant;
- Assessment of sustainability policies and practices, and of information technology and security systems;
- How the board ensures corrective action on control deficiencies, including those highlighted in the external auditor’s management letter.
International Good Practice
The internal audit function should:
- Be independent, objective, risk-based, and empowered with an unlimited scope of activities and competent personnel;
- Be subject to periodic quality assessment by a third party;
- Report functionally to the audit committee and administratively to management.
The audit committee should approve the annual internal audit plan.
Audit Committee
Describe the audit committee’s role and deliberations, including oversight of the following:
- Accurate financial statements;
- Internal and external audit functions;
- Related-party transactions;
- Quality of sustainability information;
- Risk oversight and management (if there is no risk committee).
Publication
The European Union’s Corporate Sustainability Reporting Directive (CSRD) assigns a range of tasks for company sustainability reporting and assurance to audit committees.
Accountancy Europe’s ESG Governance: Recommendations for Audit Committees provides an overview of audit committees’ expected role and responsibilities in light of relevant EU legislation and stakeholder demands. It includes recommendations for audit committees on their ESG responsibilities, with a focus on audit committees’ competencies and composition and their responsibilities for ESG reporting and assurance.
Learn more: Accountancy Europe’s ESG Governance: Recommendations for Audit Committees, 2022; International Federation of Accountants (IFAC): Key Questions for Audit Committees Overseeing Sustainability-Related Disclosure, 2023.
External Auditor
Describe the following regarding the external auditor:
- Tenure, qualifications, and independence and the effect of any long association on independence;
- The external auditor’s non-audit work and its impact, if any, on the independence of the audit, plus a breakdown of audit and non-audit fees;
- Periodic assessment of the external audit’s quality;
- Corrective actions taken on issues raised in the external auditor management letter;
- Any audit quality indicators used in monitoring the external auditor’s effectiveness;
- The role of the audit committee in overseeing the external auditor and reviewing the external auditor’s independence.
Risk Appetite
Risk appetite is the aggregate level and type of risk that the company is prepared to accept in pursuit of its strategy. Your report should address the following:
- Overall risk appetite, risk capacity, and the company’s risk profile;
- How the risk appetite is determined;
- Quantitative and qualitative measures used;
- Maximum risk tolerance for each material risk;
- Whether the organization’s board approved the company’s risk appetite.
International Good Practice
Include both qualitative and quantitative information. Risk appetite should cascade down to business operations.
Integrate sustainability risks, including climate-related risks, into risk management and risk reporting.
The International Financial Reporting Standards (IFRS) Sustainability Disclosure Standards have a separate pillar on risk management. “43. The objective of sustainability-related financial disclosures on risk management is to enable users of general purpose financial reports:
(a) to understand an entity’s processes to identify, assess, prioritise and monitor sustainability-related risks and opportunities, including whether and how those processes are integrated into and inform the entity’s overall risk management process; and
(b) to assess the entity’s overall risk profile and its overall risk management process.” (IFRS S1 General Requirements for Disclosure of Sustainability-Related Financial Information)
Risk Assessment and Risk Management
Describe the methodology for identifying, monitoring, and controlling risk, including determination of response to risk events. Address how the company evaluates the effectiveness of its risk controls to determine whether the risk level is within the company’s risk appetite.
Integrating Sustainability
Address how sustainability risks have been integrated into the risk management framework, including how climate-related risks are incorporated at all levels of the company.
Risk Oversight
Describe the board’s responsibility for oversight and control of risk management either through a formal risk management committee or through the audit committee.
The Institute of Internal Auditors’ Three Lines Model is a widely adopted model for risk governance. It emphasizes the relationships between the people involved in risk management (management, the risk and compliance functions, and internal audit, under the oversight of the governing body) to ensure the effectiveness of risk management and the control system and clear accountability for their oversight.
Compliance
Describe the role of compliance in managing sustainability and climate-related risks and opportunities in the following ways:
- Stating the environmental and social laws, regulations, and industry or company policies and commitments with which the company must comply;
- Reporting how it ensures compliance with these stated laws, regulations, policies, and commitments;
- Respecting internal codes of conduct or ethics, including in the supply chain;
- Complying with rules and regulations associated with environmental and social issues, including pollution, corruption and bribery, and treatment of workers;
- Maintaining a supply chain compliance program, which gives better control of and visibility into the supply chain and is critical for climate disclosure of Scope 3 emissions.
Subsidiary Governance
Provide the company’s organizational charts, including its subsidiaries and the degree of control over each, along with information on subsidiaries’ jurisdiction, line of business, assets, and revenue.
Include a description of the subsidiary governance framework as part of the control environment, covering the following:
- Creation and dissolution of legal entities;
- Structure and composition of subsidiary boards;
- Subsidiary categorization based on its strategic importance and complexity;
- Subsidiary oversight at the board level;
- Application of the parent company’s audit and internal control processes to the subsidiary;
- Escalation procedures for transactions that require approval by the parent company.
International Good Practice
A parent company should use its internal audit function to evaluate the robustness and compliance of its subsidiaries’ governance practices.
The board should ensure that the company’s financial and nonfinancial disclosures are a relevant, faithful, and timely representation of material events to shareholders and other stakeholders. Integrated disclosure and transparency, including ESG information, is critical for the company’s internal management and governance. Stakeholders, investors, and regulators increasingly require this disclosure and transparency.
Dividend Disclosure
Leadership practices suggest that companies disclose their dividend policy as part of the annual report. A dividend policy typically sets the percentage of earnings that will be distributed to shareholders, in proportion to their holdings. Companies in growth mode often choose not to distribute dividends, whereas more stable and established companies use dividends as a feature to attract income-focused investors.
Tax Disclosure
Leadership practices suggest that companies disclose tax transparency statements, which typically contain a description of the company’s strategy and policy regarding corporate tax and the actual amount of tax paid in different jurisdictions and segments where it operates.
Lobbying Disclosure
Consistency between a company’s lobbying activities and its publicly stated purpose and strategy is a core component of alignment on long-term objectives, which is essential for long-term value creation. Monitoring this consistency is critical for overall transparency and the pursuit of the company’s goals.
The Global Reporting Initiative and the European Sustainability Reporting Standards have metrics for lobbying and financial and in-kind political contributions.