Control Environment

The control environment is the interconnected set of a company’s internal control system, internal audit function, risk governance, compliance function, environmental and social (E&S) risk management, subsidiary governance, and related external audit controls, involving the board of directors, management, and other personnel. It provides reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance, and it spans the company and its subsidiaries.

Reporting should follow globally accepted disclosure standards (such as the forthcoming International Financial Reporting Standards [IFRS] Sustainability Disclosure Standards of the International Sustainability Standards Board, the European Sustainability Reporting Standards, and the Global Reporting Initiative standards) and demonstrate the strength of the company’s sustainability-related disclosures on internal control, risk governance and management, internal audit, and compliance. The IFC Corporate Governance Matrix also contains elements that are relevant to reporting on the control environment.

Reporting Elements for the Control Environment

Internal Control System

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:


  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations


Internal control systems are the means by which:

  • Operations are conducted in accord with prescribed policies and procedures.
  • The enterprise is in compliance with applicable laws and regulations.
  • The enterprise’s assets and information are protected from improper use.

Internal Audit Function


Internal audit is a function set up to provide independent and objective reasonable assurance to the board and management that adequate internal controls are established. In best practices, the internal audit function has its own charter and reports directly to the board’s audit committee. An external audit provides reasonable assurance that the financial statements are prepared according to generally accepted accounting principles and that the financial statements represent a true and fair view of the company’s financial position and results of operations. Additionally, an external audit should include a management letter that highlights internal control system deficiencies discovered during the audit.


Risk Governance


Risk governance is the company-wide system and structure for identifying and managing current and emerging risks, including the board’s role in overseeing the establishment of the company’s risk appetite and overseeing the risk management framework and function. Recently, risk governance has expanded to oversee and monitor sustainability-related risks.


Compliance Function


Compliance is a function that establishes a compliance framework within which companies demonstrate that they have conformed to specific requirements in laws, regulations, contracts, strategies, and internal policies and procedures.


Subsidiary Governance


Subsidiary governance is critical because subsidiaries may pose financial, operational, and reputational risks to the parent company and to other companies in a group. Several high-profile corporate scandals have originated in subsidiary companies. Good subsidiary governance becomes particularly important when some group subsidiaries have minority investors. 


Adequate disclosure on subsidiary governance would address the following:


  • A parent company’s ability to identify and monitor all of its subsidiaries
  • Established policies and procedures to control the creation and dissolution of subsidiaries
  • A centralized subsidiary governance function and categorization of subsidiaries based on complexity and an appropriate governance framework applied to each category
  • The board of directors of the parent company exercising oversight over the organizational structure and the activities of its subsidiaries while achieving balance and respecting the roles of the subsidiary and its directors

Internal Control Systems and Internal Audit Function

Internal Control Systems

Describe the roles of the board, audit committee, and senior management in the company’s internal control systems, including the following:

  • Financial accounting and reporting controls;
  • Nonfinancial accounting and reporting controls, including controls over data pertaining to sustainability activities;
  • Operational controls, including sustainability and stakeholder risks; 
  • Compliance controls, including ethics and compliance: code of ethics, whistleblower systems, anticorruption measures.

Internal Audit Function

Describe how the board is carrying out its responsibility to ensure the company’s financial integrity and the integrity of its operations, including:

  • Internal auditor reporting to the audit committee and relationship with management;
  • Main activities, challenges, and findings of the internal audit;
  • How the internal audit function is carried out, including if by a third party provider if relevant;
  • Assessment of sustainability policies and practices and of information technology and security systems;
  • How the board ensures corrective action on control deficiencies, including those highlighted in the external auditor’s letter.

International Good Practice

The internal audit function should:

  • Be independent, objective, risk-based, and empowered with an unlimited scope of activities and competent personnel;
  • Be subject to periodic quality assessment by a third party;
  • Report directly to the audit committee and administratively to management.

The audit committee should approve the annual internal audit plan.

Audit Committee

Describe the audit committee’s role and deliberations, including oversight of the following:

  • Accurate financial statements; 
  • Internal and external audit functions;
  • Related-party transactions;
  • Quality of sustainability information;
  • Risk oversight and management (if there is no risk committee).


The European Commission Corporate Sustainability Reporting Directive assigns a range of tasks for company sustainability reporting and assurance to audit committees. 

Accountancy Europe’s ESG Governance: Recommendations for Audit Committees provides an overview of audit committees’ expected role and responsibilities in light of relevant EU legislation and stakeholder demands. It includes recommendations for audit committees in relation to their ESG responsibilities, with a focus on audit committees’ competencies and composition and their responsibilities for ESG reporting and assurance.


Learn more: Accountancy Europe’s ESG Governance: Recommendations for Audit Committees, 2022; International Federation of Accountants (IFAC): Key Questions for Audit Committees Overseeing Sustainability-Related Disclosure, 2023.

External Auditor

Describe the following regarding the external auditor: 

  • Tenure, qualifications, and independence and the effect of any long association on independence;
  • The external auditor’s non-audit work and its impact, if any, on the independence of the audit, plus a breakdown of audit and non-audit fees;
  • Periodic assessment of the external audit’s quality;
  • Corrective actions taken on issues raised in the external auditor management letter;
  • Any audit quality indicators used in monitoring the external auditor’s effectiveness;
  • The role of the audit committee in overseeing the external auditor and reviewing the external auditor’s independence.

Risk Governance

Risk Appetite

Risk appetite is the aggregate level and type of risk that the company is prepared to accept in pursuit of its strategy. Your report should address the following:

  • Overall risk appetite, risk capacity, and the company’s risk profile;
  • How the risk appetite is determined;
  • Quantitative and qualitative measures used;
  • Maximum risk tolerance for each material risk;
  • Whether the organization’s board approved the company’s risk appetite.

International Good Practice

Include both qualitative and quantitative information. Risk appetite should cascade down to business operations.

Integrate sustainability risks, including climate-related risks, into risk management and risk reporting.

The International Financial Reporting Standards (IFRS) Sustainability Disclosure Standards have a separate pillar on risk management. “43. The objective of sustainability-related financial disclosures on risk management is to enable users of general purpose financial reports:

(a) to understand an entity’s processes to identify, assess, prioritise and monitor sustainability-related risks and opportunities, including whether and how those processes are integrated into and inform the entity’s overall risk management process; and

(b) to assess the entity’s overall risk profile and its overall risk management process.” (IFRS S1 General Requirements for Disclosure of Sustainability-Related Financial Information)

Risk Assessment and Risk Management

Describe the methodology for identifying, monitoring, and controlling risk, including determination of response to risk events. Address how the company evaluates the effectiveness of its risk controls to determine whether the risk level is within the company’s risk appetite. 

Integrating Sustainability

Address how sustainability risks have been integrated into the risk management framework, including how climate-related risks are incorporated at all levels of the company.

Risk Oversight

Describe the board’s responsibility for oversight and control of risk management either through a formal risk management committee or through the audit committee. 

The Institute of Internal Auditors’ Three Lines Model is an international standard for risk governance. It emphasizes the relationships between the people involved in risk management so as to ensure the effectiveness of risk management and the control system, and accountability for their oversight.

Source: The IIA’s Three Lines Model: An Update of the Three Lines of Defense, page 4.


Compliance Function

Describe the role of compliance in managing sustainability and climate-related risks and opportunities in the following ways:

  • Stating the environmental and social laws, regulations, and industry or company policies and commitments with which it must comply;
  • Reporting how it ensures compliance with these stated laws, regulations, policies, and commitments;
  • Respecting internal codes of conduct or ethics, including in the supply chain;
  • Complying with rules and regulations associated with environmental and social issues, including pollution, corruption and bribery, and treatment of workers;
  • Maintaining a supply chain compliance program, which enables better control of and visibility into the supply chain and is critical for climate disclosure of Scope 3 emissions.

Subsidiary Governance

Provide the company’s organizational charts, including its subsidiaries and the degree of control, along with information on subsidiaries’ jurisdiction, line of business, assets, and revenue. 

Include a description of the subsidiary governance framework as part of the control environment, covering the following: 

  • Creation and dissolution of legal entities;
  • Structure and composition of subsidiary boards;
  • Subsidiary categorization based on its strategic importance and complexity;
  • Subsidiary oversight at the board level;
  • Application of the parent company’s audit and internal control processes to the subsidiary;
  • Escalation procedures for transactions that require approval by the parent company.

International Good Practice

A parent company should use its internal audit function to evaluate the robustness and compliance of its subsidiaries’ governance practices.


Dividend and Tax Disclosure

The board should ensure that the company’s financial and nonfinancial disclosures are a relevant, faithful, and timely representation of material events to shareholders and other stakeholders. Integrated disclosure and transparency, including ESG information, is critical for the company’s internal management and governance. Stakeholders, investors, and regulators increasingly require this disclosure and transparency. 

Dividend Disclosure

Leadership practices suggest that companies disclose their dividend policy as part of the annual report. A dividend policy typically sets the percentage of earnings that will be distributed to shareholders, in proportion to their holdings. Companies in growth mode often choose not to distribute dividends, whereas more stable and established companies use dividends as a feature to attract income-focused investors.

Tax Disclosure 

Leadership practices suggest that companies disclose tax transparency statements, which typically contain a description of the company’s strategy and policy regarding corporate tax and the actual amount of tax paid in different jurisdictions and segments where it operates.


Lobbying and Political Contributions

Consistency between a company's activities related to lobbying and its publicly stated purpose and strategy is a core component of alignment on long-term objectives, which is essential for long-term value creation. Monitoring this consistency is critical for overall transparency and the pursuit of the company's goals.

The Global Reporting Initiative and the European Sustainability Reporting Standards have metrics for lobbying and financial and in-kind political contributions.