Establishing the ESG control framework
To ensure the reliability and accountability of non-financial reporting, it is crucial for companies to establish a solid internal control ESG framework. This includes several key steps:
1. Developing policies and procedures and creating accountability: Policies and procedures refer to the formal guidelines and established processes that govern how ESG is managed within the organization. These ensure that employees understand the organization’s approach to managing ESG aspects and are aware of their related roles and responsibilities. These policies also provide a structured and consistent way to identify, assess, respond to and monitor ESG risks. Procedures may involve specific methods for conducting ESG risk assessments or developing mitigation plans, such as the internal control ESG framework. Since many of the people involved may not be familiar with establishing a control framework, targeted training and coaching are key success factors in promoting the effectiveness of the ESG control framework.
2. Risk identification and assessment: Risk identification is the process of identifying ESG risks that could affect the organization’s ability to achieve its objectives. After identifying the risks, an assessment is performed with the goal of understanding the likelihood of each risk occurring and its potential impact on the organization. This assessment will enable the organization to determine which risks require immediate attention and which can be managed or mitigated over a longer period of time.
3. Implementing internal controls: Internal controls are established to reduce the likelihood and/or impact of risks while also ensuring compliance with internal policies and procedures as well as laws and regulations. An effective internal controls framework is crucial for ensuring the accountability and reliability of ESG non-financial reporting. There are various levels of internal controls:
- Entity-level controls: governance structures, ethical standards, and risk management frameworks.
- Process-level controls: procedures for data collection, validation and reporting.
- System-level controls: mechanisms that ensure the integrity, confidentiality and availability of information.
- Monitoring controls: regular audits, assessments, and performance evaluations.
Conducting risk analysis activities on the identified disclosures can help to prioritize activities and design the control framework.
When designing controls, it is important to determine the scope of the procedures to be performed for each metric, as well as the expected control documentation to be generated by the responsible owners. Consolidating information within the same data management systems promotes standardization and traceability of data collection and processing. For controls that involve higher risks or judgment areas, documentation of the data used and assumptions made is essential for understanding the resulting outcomes and disclosures.
4. Monitoring and continuous improvement: Building a solid ESG framework is an ongoing process that requires continuous monitoring and improvement activities. Companies are encouraged to establish mechanisms for regular assessment and evaluation of their ESG risks and controls, communicating identified deficiencies in the design or execution of control activities to management and those responsible for governance as input for further improvements.
Additionally, companies can use the collected ESG data to monitor broader ESG performance. This may include conducting internal audits, tracking progress against objectives, and soliciting feedback from stakeholders to understand their expectations and address their concerns.
Continuous improvement should be a core principle, with companies striving to enhance their ESG practices over time. Benchmarking against industry peers and adopting best practices can further help companies improve their ESG performance. Companies should stay informed about industry trends and emerging practices. Participation in industry initiatives and collaboration with other organizations can provide valuable insights and opportunities for improvement.
Tips for providing reliable non-financial information:
- Improve data quality: Address data issues by establishing robust processes and controls to ensure data is complete, accurate, and timely.
- Transparency and verification: Ensure sustainability disclosures are transparent and verifiable to build credibility.
- Consistency and completeness: Avoid repetition and check the provided information for consistency. Ensure statements are provided with substantiation so that the external reader understands their source.
- Stakeholder engagement: Engage investors to understand their expectations and provide clear guidance on material priorities.
- Training and skills: Build the capabilities of financial teams in non-financial reporting through targeted training and development programs.
- Verification readiness: Conduct exercises to prepare for independent assessments of the provided non-financial data.
- Automation: Implement technology for data collection and reporting purposes to standardize the way of working and minimize the risk of inconsistencies and human error.
How do you build trust in CSRD reporting?
Register for our webcast on June 23, 2025, featuring Mustapha Abdellati and Michael Schut, as they discuss governance of non-financial information and strengthening stakeholder trust.