ESG Reporting Has a Controls Problem: Why Sustainability Data Needs the Same Rigour as Financial Data
CovaCtrl
Organisations have spent twenty years building rigorous controls around financial data — mapping risks, documenting procedures, testing operating effectiveness and producing auditable evidence trails. The same discipline has not followed sustainability data into regulatory disclosures. Internal Control over Sustainability Reporting is now the critical gap that audit functions are positioned — and increasingly expected — to close.
What Is Internal Control over Sustainability Reporting?
Internal Control over Sustainability Reporting, commonly abbreviated ICSR, applies the same structured control logic to non-financial data that integrated audit standards apply to financial data. It asks a simple question: how does a carbon emissions figure, a water consumption metric or a supplier labour practice move from an operational system into a published sustainability report — and what controls ensure that figure is complete, accurate and consistent?
COSO has published supplemental guidance mapping all seventeen principles of its Internal Control–Integrated Framework directly to sustainability data. The principles themselves do not change. What changes is the data source, the process owner and the evidence required.
Why Has ESG Data Not Been Subject to the Same Controls as Financial Data?
Sustainability reporting grew out of voluntary disclosure, not regulatory obligation. For most of the 2010s, organisations produced ESG reports with the same teams that managed corporate communications, not internal audit or finance. Controls were not designed in because assurance was not required.
As sustainability data moved from voluntary disclosure to regulated reporting, the underlying processes were not rebuilt. Many organisations are now making binding regulatory disclosures using data flows that have no documented control owner, no design-effectiveness test and no audit trail.
What Does the Regulatory Picture Look Like in 2026?
Two developments have significantly changed the pressure on sustainability data controls this year.
The UK published SRS S1 and SRS S2, its domestic sustainability reporting standards aligned with the ISSB framework, in February 2026. CSRD's second wave brings large EU entities and US-headquartered multinationals into scope for reports covering FY 2026 and FY 2027 data. For organisations subject to either framework, limited assurance on climate-related disclosures is already required in some jurisdictions, with a transition to reasonable assurance on the horizon.
Reasonable assurance cannot be obtained over data that has no documented controls.
What Does Poor Control over ESG Data Look Like in Practice?
The pattern is recognisable to anyone who worked in financial controls before SOX normalised discipline around financial data:
- Emissions and resource data held in departmental spreadsheets with no version control or access restriction
- No documented ownership of who is responsible for data accuracy at the point of collection
- No validation steps between data collection, consolidation and publication
- Multiple versions of figures circulating across teams without a single source of truth
- Evidence produced at year-end to satisfy an audit request, rather than maintained as controls operate
This is not a data quality problem. It is a control design problem.
How Do Internal Control Principles Apply to Sustainability Data?
The core requirements are the same as for any material reporting process: clear ownership, consistent execution, testable procedures and documentary evidence that maps to the risk being controlled.
Control owners must be assigned at the point where data is generated, not only where it is reported. For most sustainability metrics, this means embedding controls in operational departments — facilities, procurement, HR — rather than centralising accountability in a sustainability team with limited operational reach.
The control activities themselves are also familiar: completeness checks, reconciliations, approval workflows, access restrictions and exception reporting. These are not new disciplines. They are financial control disciplines applied to a different data domain.
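As an added illustration, not CovaCtrl's code or a feature of any product, the Python below runs three of these control activities over constructed site-level emissions submissions: a completeness check against a site register (the single source of truth for what is in scope), a reconciliation of the consolidated figure back to its source records, and an exception report written into a hash-chained evidence log as the controls run rather than assembled at year-end. Every site name, figure, period, tolerance and timestamp is an assumption made for the example.

```python
"""Added example (not CovaCtrl code): completeness check, reconciliation and
hash-chained evidence log over constructed emissions submissions."""
import hashlib
import json
from collections import defaultdict

# Constructed sample data; all names, figures and thresholds are assumed.
SITE_REGISTER = {"plant-a", "plant-b", "warehouse-c"}  # the in-scope sites
PERIODS = ["2026-01", "2026-02", "2026-03"]             # one submission per site-month expected
SUBMISSIONS = [  # what operational owners submitted (tCO2e)
    {"site": "plant-a", "period": "2026-01", "tco2e": 120.5, "owner": "facilities.a"},
    {"site": "plant-a", "period": "2026-02", "tco2e": 118.0, "owner": "facilities.a"},
    {"site": "plant-a", "period": "2026-03", "tco2e": 121.2, "owner": "facilities.a"},
    {"site": "plant-b", "period": "2026-01", "tco2e": 88.0, "owner": "facilities.b"},
    {"site": "plant-b", "period": "2026-02", "tco2e": 88.0, "owner": "facilities.b"},
    {"site": "plant-b", "period": "2026-02", "tco2e": 91.4, "owner": "facilities.b"},  # duplicate month
    {"site": "plant-b", "period": "2026-03", "tco2e": 87.1, "owner": "facilities.b"},
    {"site": "warehouse-c", "period": "2026-01", "tco2e": 12.3, "owner": "facilities.c"},
    # warehouse-c never submitted February or March
    {"site": "plant-z", "period": "2026-01", "tco2e": 40.0, "owner": "unknown"},  # not in register
]
REPORTED_Q1_TOTAL = 675.1  # the figure that reached the draft report (assumed)
TOLERANCE = 0.01           # tCO2e; differences above this are exceptions
GENESIS = "0" * 64         # prev_hash of the first evidence entry


def completeness_check(register, periods, submissions):
    """Return exceptions: unregistered sites, duplicate site-months, missing site-months."""
    seen = defaultdict(int)
    exceptions = []
    for r in submissions:
        if r["site"] not in register:
            exceptions.append(("unregistered_site", r["site"], r["period"]))
        seen[(r["site"], r["period"])] += 1
    for (site, period), n in sorted(seen.items()):
        if n > 1:
            exceptions.append(("duplicate_submission", site, period))
    for site in sorted(register):
        for period in periods:
            if (site, period) not in seen:
                exceptions.append(("missing_submission", site, period))
    return exceptions


def reconcile(register, submissions, reported_total, tolerance=TOLERANCE):
    """Recompute the consolidated total from in-scope sources and compare to the reported figure."""
    computed = round(sum(r["tco2e"] for r in submissions if r["site"] in register), 3)
    diff = round(computed - reported_total, 3)
    return {"computed": computed, "reported": reported_total,
            "difference": diff, "reconciled": abs(diff) <= tolerance}


def evidence_entry(control, result, prev_hash, recorded_at):
    """Append-only evidence record; the hash commits to the result and to the previous entry."""
    body = {"control": control, "result": result,
            "prev_hash": prev_hash, "recorded_at": recorded_at}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "hash": digest}


def verify_chain(entries):
    """True only if every entry's hash is intact and links to its predecessor."""
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev_hash"] != prev or e["hash"] != expected:
            return False
        prev = e["hash"]
    return True


def run_controls(register=SITE_REGISTER, periods=PERIODS, submissions=SUBMISSIONS,
                 reported_total=REPORTED_Q1_TOTAL, recorded_at="2026-04-02T09:00:00Z"):
    """Run both controls and record their results as evidence at the time they operate."""
    exceptions = completeness_check(register, periods, submissions)
    recon = reconcile(register, submissions, reported_total)
    log, prev = [], GENESIS
    for control, result in (("completeness", {"exceptions": exceptions}),
                            ("reconciliation", recon)):
        entry = evidence_entry(control, result, prev, recorded_at)
        log.append(entry)
        prev = entry["hash"]
    return exceptions, recon, log


if __name__ == "__main__":
    exc, rec, log = run_controls()
    for e in exc:
        print("EXCEPTION", *e)
    print("reconciliation", rec)
    print("evidence chain intact:", verify_chain(log))
```

The duplicate plant-b month, the unregistered site and the two missing warehouse-c months surface as exceptions before anything is consolidated, the reconciliation shows the reported total does not tie back to the sources, and because each evidence entry commits to the previous one, a figure edited after the fact breaks the chain.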
How Is CovaCtrl Different?
CovaCtrl is built around the principle that controls must be documented, owned and continuously monitored — not reconstructed for an audit. For sustainability data, this means the same structured evidence approach that supports financial control monitoring can be applied to the operational data flows feeding into ESG disclosures.
Internal audit and control teams gain documented evidence of how sustainability data was produced and reviewed throughout the reporting period, rather than assembling that evidence retrospectively under time pressure.
Why This Matters Now
The window to build sustainability data controls is 2026. Organisations entering FY 2027 under expanded CSRD scope or UK SRS obligations will face auditor scrutiny of controls — not just outputs — for the first time. Building that discipline this year, rather than the year it is tested, is what separates a sustainable control programme from a retrospective scramble.
ESG reporting is already a financial-grade regulatory obligation. Its controls need to match.