Guest Article: Managing Internal Controls in Complex Regulatory Environments
- Deepa Rao
- Oct 16, 2024
In the first of a three-part series, guest writer and ESG Governance and Reporting expert Deepa Rao explains how managing internal controls requires a proactive approach from organisations - and how this ensures the integrity, reliability and auditability of ESG data.
In today's rapidly changing regulatory landscape, sustainability reporting has shifted from being a voluntary initiative or marketing strategy to a mandatory legal obligation in many regions around the world. For instance, France has taken significant steps by being one of the first EU countries to incorporate the Corporate Sustainability Reporting Directive (CSRD) into national law. This early adoption sets an example for other member states and countries, likely prompting them to adopt similar legislation to standardize sustainability reporting across the region. This shift is pushing companies to prioritize transparency and accountability in their environmental, social, and governance (ESG) practices.
Investors, clients, regulators, and even employees now scrutinize these ESG disclosures as they do financial statements. And for good reason. A company’s ESG performance can directly influence its reputation, customer loyalty, and long-term viability. However, managing these disclosures presents a unique set of challenges that organisations must address to maintain trust and ensure compliance.
The Growing Complexity of ESG/Sustainability Data
The data points and metrics required for ESG disclosures are vast and growing. These datasets originate from a multitude of functions such as HR, procurement, IT (data privacy and security), ethics and compliance, and more. What’s unique about ESG data is that many of these datasets are being scrutinized publicly for the first time, and the teams responsible for producing them may have limited experience in handling audits or ensuring compliance.
This reality introduces significant risks. Will organisations be comfortable sharing this information if it hasn't been thoroughly vetted? Are they prepared for the potential fallout from inaccurate or incomplete disclosures? In an era where misinformation and greenwashing can tarnish corporate reputations, these are critical questions.
Can You Check Everything?
The challenge of verifying all ESG data points is considerable:
Volume of Data: ESG metrics span various departments and functional areas, making it nearly impossible to check every detail (qualitative and quantitative disclosures).
Diverse Stakeholders: ESG reporting involves inputs from multiple stakeholders, many of whom may have competing priorities or limited experience with independent audits.
Time Constraints: Regulatory deadlines are often tight, leaving little time for exhaustive data validation.
Consequences of Errors: Any misinformation—intentional or accidental—can result in serious reputational damage, loss of investor trust, and potential legal repercussions. This raises the stakes of getting it right the first time.
Given these challenges, how can organisations ensure the accuracy, completeness, and reliability of their ESG data? The answer lies in building a robust framework of internal controls.
The Case for Strong Internal Controls
Much like financial reporting, ESG data must undergo a rigorous process of validation, review, and assurance to ensure its integrity. Implementing a network of internal controls is critical for organisations looking to build trust with stakeholders and comply with regulatory mandates.
To manage this complexity, organisations need to establish a "funnel of controls" where information passes through various stages of scrutiny. Each stage provides a filter that increases confidence in the data, ensuring that by the time it is disclosed, it has been thoroughly vetted by multiple independent teams.
Building Trust through the ESG Data Controls Funnel
A successful ESG control framework typically involves multiple layers of review and expertise:
Functional Teams: The teams that generate the data—such as HR, procurement, or IT—are responsible for ensuring the data's initial accuracy. This is where the first layer of control lies.
ESG Reporting Team: This team reviews the data, ensuring it aligns with reporting standards and is consistent across the organisation. They act as the first checkpoint for validating the data before it goes into formal reporting processes.
Leadership Review: Senior leadership plays a crucial role in reviewing and approving ESG disclosures, ensuring the accuracy and integrity of the information presented. This responsibility may lie with functional leaders who oversee specific areas, such as finance or sustainability, or with dedicated disclosure committees that are formed to review externally reported information. These committees include senior executives and experts who assess data quality and consistency, ensuring it meets regulatory requirements and aligns with the organization’s goals before disclosure. This structured approach reinforces accountability and builds stakeholder trust in the company’s sustainability reporting.
Internal Audit: Internal auditors assess whether the internal controls over ESG reporting are functioning effectively. They ensure that the processes behind data collection, validation, and reporting are robust and can withstand external scrutiny.
External Assurance Providers: An independent assurance provider conducts an external review of key ESG metrics, offering an additional layer of validation that enhances the credibility of the information being disclosed.
Source: The ESG Data Review Funnel, system for ensuring trustworthy data for ESG reporting, developed by Deepa Rao
Building Trust Through Transparency
By putting ESG data through these multiple layers of review and assurance, organisations can demonstrate a commitment to transparency, accuracy, and accountability. Each stage of review builds confidence in the data, ensuring that investors, regulators, and other stakeholders have faith in the reliability of the disclosures.
Moreover, establishing a robust internal control framework allows organisations to mitigate the risks of non-compliance, greenwashing, or reputational damage. In an environment where regulations are becoming more stringent and stakeholders are increasingly vigilant, the need for such controls has never been more pressing.
Leveraging Technology for ESG Data Management
Another crucial aspect of managing ESG disclosures is the strategic use of technology to collect, analyze, and validate data. Given the complexity and volume of ESG information, traditional manual processes can be inefficient and prone to errors. Modern technology solutions can streamline these processes, facilitating greater accuracy and compliance. Additionally, integrating these solutions enhances data integrity and traceability by ensuring that each data point is sourced, verified, and documented appropriately.
The concept of a "single source of truth" for ESG data is essential. By centralizing information in a unified platform, organizations can integrate multiple upstream and downstream applications to consolidate data flows across departments such as HR, procurement, finance, and IT. This centralized approach enables seamless data collection, reduces redundancies, and supports real-time monitoring of ESG metrics.
What does it all mean?
Managing internal controls in a complex regulatory environment requires a proactive approach, one that places as much emphasis on non-financial ESG data as on traditional financial reporting. By building a funnel of controls and reviews, organizations can filter ESG information through a process that ensures its integrity, reliability, and auditability. The integration of advanced technology solutions not only enhances data collection and analysis but also streamlines validation processes, further safeguarding against legal and reputational risks while fostering trust among investors and other key stakeholders. The future of corporate reporting lies in the seamless integration of financial and non-financial metrics, and only through rigorous internal controls can organizations navigate this new terrain successfully.
Deepa Rao is a Chartered Accountant and seasoned internal audit professional who transitioned into the ESG field. She leads Global ESG Reporting and Controls at Cognizant, focusing on strong processes and governance for ESG reporting. Based in the UK, she brings expertise from consulting roles at KPMG and PwC, with a background in corporate risk management, internal controls, and ESG reporting.
An advisor to startups and recognized Subject Matter Expert, Deepa speaks at forums like the World Economic Forum, IIA, and FinTech Global Summit. She was nominated as a “Rising Star for ESG Governance” at the 2023 Corporate Governance Awards, and her team at Cognizant has won awards for ESG innovation and management excellence.