ESG Reporting: Reliably Mapping Data Using Internal Control Systems

How can internal control systems strengthen the implementation of sustainability reporting? The development of the European framework for ESG reporting, revolving around the EU Taxonomy, remains dynamic and presents significant challenges for companies. The framework not only ensures the reliability of data, but also identifies potential risks. The appropriate design of internal control systems can thus enhance trust in sustainability reporting, information disclosure, and the quality of reporting by companies. In this article, Jasmin Franken and Nidal Sultana demonstrate how to reliably integrate ESG data with internal control systems.

With the European Green Deal, the 27 EU member states aim to become climate-neutral by 2050. In a first step, greenhouse gas emissions are to be reduced by at least 55% by 2030 compared to the 1990 level. To achieve this goal, the economy and society need to be reoriented in many areas.

The European Green Deal gets things started: Climate neutrality by 2050

The "Fit for 55" package encompasses a range of proposals for revising and updating EU legislation. It also includes proposals for new initiatives aimed at ensuring that EU actions align with the climate goals agreed upon by the Council and the European Parliament.1

An essential component of the European Green Deal is the EU Taxonomy Regulation, which uniformly classifies all economic activities within the European Union based on their sustainability. This classification aims to provide companies, investors, and policymakers with relevant information regarding which economic activities can be considered environmentally sustainable.

A classification system is intended to establish, for the first time, a unified understanding of the sustainability of economic activities in the EU. Activities are considered "taxonomy-eligible" if they can be assigned to taxonomy criteria, regardless of whether those criteria are met. Activities are deemed "taxonomy-aligned" when, in addition to being eligible, they actually meet the criteria. According to the Taxonomy Regulation, an economic activity is considered taxonomy-aligned when it:

(1) contributes significantly to at least one of the six environmental objectives

(2) does not impair the remaining environmental objectives (Do No Significant Harm)

(3) meets certain minimum requirements such as technical assessment criteria, social standards, human rights, among others.2 

The six environmental goals3 of the taxonomy include:

Environmental objective 1: Climate Protection

Environmental objective 2: Adaptation to Climate Change

Environmental objective 3: Sustainable Use of Water Resources

Environmental objective 4: Transition to a Circular Economy

Environmental objective 5: Pollution Prevention

Environmental objective 6: Protection of Ecosystems and Biodiversity

In 2021, general disclosure requirements4 and technical assessment criteria5 for environmental objectives (1) and (2) were already published. After the formulation of the technical assessment criteria for environmental objectives (1) and (2), a first addition was made with regard to gas and nuclear energy.6

On April 5, 2023, the European Commission published draft consultation documents for two delegated regulations under the EU Taxonomy Regulation (Regulation (EU) 2020/852) on the "Platform for Sustainable Finance". The consultation period ends after a four-week deadline on May 3, 2023.7

The first four annexes of the consultation draft contain 35 new technical assessment criteria for environmental objectives (3) to (6). The new assessment criteria apply to both economic activities already covered by the EU Taxonomy and those not yet covered. The fifth annex includes 33 modifications and 13 additional technical assessment criteria to the existing delegated regulations on general disclosure requirements and technical assessment criteria for environmental objectives (1) and (2). Specifically, the drafts include the following changes:

Figure 1: Table left: Overview of environmental objectives; Table right: Overview of disclosure requirements

Comments can be submitted online under the "Published Initiatives" of the European Commission until May 3, 2023. The final publication of the delegated regulations is scheduled for June 30, 2023. Starting from January 1, 2024, all affected companies will be required to fulfill the complete disclosure obligations of the EU Taxonomy Regulation for all six environmental objectives.

Internal control systems and sustainability information

To improve the reliability and credibility of sustainability information, effective internal control systems (ICS) are required. The same level of rigor and care applied to the measurement and reporting of financial information should also be applied to sustainability reporting. This diligence leads to increased trust in non-financial reporting. The development of regulations for sustainability information reporting remains dynamic. The assessment criteria for environmental objectives (1) and (2) from 2021 will be reported against for the first time in 2023, with the first complete reporting on taxonomy eligibility and alignment for the fiscal year 2022; as indicated above, they are currently being expanded with new criteria while existing criteria are being revised.

In Germany, the sustainability report is mandatory and is integrated into the management report as the "non-financial statement" (cf. § 289c HGB "Content of the non-financial statement" and § 315c HGB "Content of the non-financial group statement").

Figure 2: Non-financial performance indicators in management reporting

The management report is to be prepared and disclosed as a separate presentation, distinct from the financial statements and other published information, under the heading 'Management Report.' The balance sheet, income statement, notes, and other components of the financial statements may be summarized in an informal annual report.

This represents a distinct task for the management report, which aims to present all transactions in a way that enables an overall economic assessment of the company, particularly in conjunction with the financial statements. While the principles of proper accounting are relevant for reporting in the financial statements and determining the numerical data, these principles do not apply to the management report. The overriding objective of management reporting is to convey the actual circumstances.8

For the external design, structure, and scope of the management report, there is generally freedom of design. However, the statements in the management report must adhere to the following principles9:

  • Completeness and comprehensibility
  • Reliability and balance
  • Clarity and transparency
  • Conveyance of the view of the Executive Board
  • Information gradation

For the preparation of the non-financial statement in the management report, the reporting company can use national, European, or international frameworks.10 In the disclosure, it must be stated whether the corporation utilized a framework for the preparation of the non-financial statement, and if so, which framework was used. Alternatively, if no framework was used, the reason for not utilizing a framework should be provided.

The management report is a component of the statutory annual financial statement audit (§ 317 (2) HGB), along with the balance sheet, income statement (profit and loss statement), and notes. The task of the final examination is to verify whether the management report is consistent with the financial statements and the findings obtained during the audit, and whether the management report provides an accurate overall representation of the company's situation. It also involves assessing whether the opportunities and risks of future developments are accurately presented.

Audit of non-financial disclosures in the management report

The Institute of Public Auditors (IDW) developed an auditing standard for non-financial reporting on August 17, 2022. On December 8, 2022, the main committee (MTC) of the IDW formulated and published two additional standards for the audit of non-financial reporting:

  • IDW EPS 352 (08.2022 from 17 Aug 2022): Substantive review of the non-financial (group) statement within the scope of the audit
  • IDW EPS 990 (11.2022 from 8 Dec 2022): Content review with sufficient assurance of the non-financial (group) reporting outside the audit
  • IDW EPS 991 (11.2022 from 8 Dec 2022): Content review with limited assurance of non-financial (group) reporting outside the audit

The standard drafts include a professional understanding of the IDW that has not yet been finally coordinated.

In terms of legal requirements, the scope of the audit currently focuses on whether the non-financial reporting has been submitted.11 This does not exclude a voluntary substantive examination of the non-financial statement. Deviating from the previous practice, IDW EPS 352 requires a separate audit opinion for the voluntary substantive examination.

Further development of the audit requirement for non-financial disclosures in the management report

The Corporate Sustainability Reporting Directive (CSRD)12 came into effect on January 5, 2023, and is to be transposed into German law within 18 months. It replaces the existing EU directive on non-financial reporting, the "Non-Financial Reporting Directive",13 and gradually expands the scope of sustainability reporting to all large companies and groups, regardless of their capital market orientation:

(Group A) Corporates, financial institutions and insurance companies that are already subject to reporting requirements within the meaning of the CSR Directive Implementation Act:14 Companies must meet the following criteria A.1 to A.3 cumulatively; financial institutions and insurance companies must meet criteria A.1 and A.3:

A.1 Large and limited liability companies, if at least two of the following three criteria are met as of the reference date:

  1. Total assets: At least EUR 20 million
  2. Net revenue for the financial year: At least EUR 40 million
  3. Average number of employees during the year: More than 250 employees

A.2 Capital market orientation

A.3 Annual average of more than 500 employees in employment

(Group B) Corporates, financial institutions and insurance companies that have not been subject to reporting obligations according to the CSR Directive Implementation Act. This applies to limited liability companies if at least two of the following three criteria are met as of the reference date:

  1. Total assets: At least EUR 20 million
  2. Net revenue for the financial year: At least EUR 40 million
  3. Average number of employees during the year: More than 250 employees

(Group C) Listed small and medium-sized enterprises (SMEs), small and non-complex financial institutions, as well as company-owned (re)insurance companies. Exempted from the reporting obligation for listed SMEs are so-called micro-enterprises that meet at least two of the following three criteria as of the reporting date:

  1. Total assets: Maximum EUR 350,000
  2. Net sales revenue: Maximum EUR 700,000
  3. Average number of employees during the year: Maximum 10 employees

(Group D) Non-EU companies with subsidiaries or branches within the EU, if the following criteria are cumulatively met as of the reference date:

  1. Net revenues of the fiscal year within the EU: More than EUR 150 million
  2. At least one subsidiary or branch within the EU

Figure 3: Timeline of Fiscal Year and Publication per Group

Unified EU Reporting Standard

The sustainability reporting within the EU will be regulated by the CSR Directive using a unified EU reporting standard in the future. The initial standards will be issued by the European Financial Reporting Advisory Group (EFRAG) as delegated acts in a first package by June 30, 2023. These acts will have direct legal effects on the reporting companies. The draft standards encompass not only ESG factors but also overarching topics:

Figure 4: Classification of Reporting Standards

The standard drafts, along with additional information, can be accessed on the EFRAG website.

A second package, which also includes provisions for sector-specific reporting requirements, small and medium-sized enterprises, as well as non-EU companies, is expected to be adopted by June 30, 2024. The standards will expand and specify the content to be reported. They are intended to include not only retrospective but also forward-looking, as well as quantitative and qualitative information.

The sustainability report is to be published in the future in a standardized, digital, and machine-readable format. The publication will take place on the European Single Access Point (ESAP) platform. The Committee's statement on ESAP and further information can be accessed on the website of the European Economic and Social Committee.

Audit requirement

As part of the integration into the management report, sustainability reporting becomes subject to an audit requirement. The legal requirements in Germany currently limit the scope of the audit to verifying whether the non-financial reporting has been presented (cf. § 317 paragraph 2 sentence 4 HGB). The CSR Directive introduces a mandatory substantive audit of the non-financial reporting. The audit is initially performed with limited assurance. Within this framework, the audit field covers the conformity of the non-financial disclosures with the standards, as well as the company's due diligence processes used to identify relevant sustainability factors. Over time, the audit evolves into reasonable assurance and thus aligns with financial reporting. A specific timeline for the implementation of the complete audit is not currently available.

Internal control systems and sustainability information

The internal control system and risk management system should, to the extent not already required by law, also encompass sustainability-related objectives. This should include processes and systems for the collection and processing of sustainability-related data.15

The integration of sustainability reporting into the internal control system (ICS) is an effective step towards ensuring reporting quality and meeting the information needs of various stakeholders within and outside the company. For example, for joint-stock companies, there is a legal obligation to review and approve the non-financial statement by the supervisory board.16 

The design of the ICS is subject not only to ensuring effectiveness and adequacy but also to the consideration of cost-benefit analysis. Furthermore, the management responsible for it can make more informed statements regarding the implementation of the pursued concept, the management of significant sustainability risks, and the achievement of significant sustainability goals based on the effective internal control environment. Corrective measures, such as target adjustments or changing legal requirements, can be implemented promptly and in a structured manner based on this foundation.

Internal control systems for corporate reporting

Effective internal controls for corporate reporting are fundamentally essential to ensure the accuracy and reliability of a company's financial statements. The key components of an effective internal control system typically include:

1. Segregation of duties: Assigning different responsibilities to different individuals can help prevent errors and fraud. For example, the person responsible for determining the CO2 consumption at a location should not be the same person who reports the calculated values and analyzes them against the planned and benchmark values.

2. Authorization and approval: Establishing policies and procedures for the authorization and approval of transactions, such as on-site analyses to determine power consumption and regular reconciliation with the values recorded in the electricity supplier's invoices in the accounting system, can help prevent reporting irregularities and ensure compliance with company policies and regulations.

3. Physical and logical access controls: Controlling access to physical and electronic resources such as measurement instruments, energy monitoring software, and ERP systems can help prevent unauthorized access and ensure the confidentiality, integrity, and availability of information.

4. Recording and documentation: Establishing policies and procedures for recording transactions and retaining supporting documents such as receipts and invoices can help ensure the accuracy and completeness of corporate information.

5. Monitoring and review: Regular monitoring and review of corporate information, transactions, and controls can help identify errors, fraud, or other issues and enable timely corrective actions.

6. Training and communication: Providing training and disseminating policies and procedures to all relevant employees can help ensure that all employees understand their roles and responsibilities in maintaining an effective internal control system.

Overall, an effective ICS requires a strong control environment, risk assessment, control activities, monitoring, and communication. By implementing these components, an organization can contribute to ensuring the accuracy and reliability of its financial statements.

Designing internal control systems for sustainability reporting

The successful design of an ICS is a crucial step for safety, effectiveness, and meaningfulness. In practical terms, it is also important for the acceptance and actual utilization of the ICS by the company's relevant employees.

Internal controls have inherent limitations. They are a process that relies on human care and compliance, making them susceptible to human errors and mistakes. Internal controls can also be bypassed through collusion or improper management override. Due to these constraints, there is a risk that significant misstatements may not be prevented or detected in time by internal controls. Recognizing these known inherent risks and uncertainties allows safeguards to be built into the control process that reduce, though not eliminate, this risk.

In addition to inherent risks, there are also control risks. These are defined as risks of errors and inaccuracies that can arise despite existing controls. Inherent and control risks are fundamental factors to consider when designing internal control systems.

The design of adequate and effective internal controls requires a systematic approach that encompasses the following steps:

1. Identification and assessment of risks:

The identification and assessment of significant risks that the company faces is the first step. An important aspect is the consideration of the principle of double materiality. Accordingly, companies are obligated to report on both the impacts of their activities on people and the environment and the impacts of sustainability aspects on the company.17 The second step involves evaluating and assessing the potential effects on business operations, financial and non-financial reporting, and compliance with regulations.

2. Establishment of control measures:

The establishment of control measures is another step to minimize the identified risks and their impacts on the company. This includes developing policies and procedures that ensure compliance with laws and regulations, protection of assets, and accurate and comprehensive financial and non-financial reporting.

3. Assignment of responsibilities:

Clear assignment of responsibilities for each control activity, including employees and system owners who carry out the activities. It is also recommended to define the management levels responsible for monitoring the activities.

4. Monitoring of controls:

Regular monitoring and continuous improvement are essential for an effective control environment. This includes, among other things, sample-based review of transactions, activities, processes, policies, as well as financial and non-financial results. In practice, regular training on corporate processes and policies, effective control self-assessments, scheduled rotation of control documentation, and successful collaboration with internal audit as an additional monitoring body have proven to be effective implementation measures. The review and its documentation ensure that each control is adequate and effective and in line with the guidelines and company processes. In addition, monitoring serves to identify and eliminate weaknesses in the controls.

5. Continuous improvement of controls: 

Continuously improving controls by addressing identified weaknesses or deficiencies. This may involve changing policies and procedures, rotating responsibilities, or providing additional training for staff.

A prudent corporate governance structure focused on sustainable and responsible value creation is particularly important for companies, especially those with numerous subsidiaries and affiliated companies domestically and internationally. The responsible management of risks and opportunities within the governance structure should be a central part of corporate leadership. The various systems implemented by corporate management to identify and limit risks should interact within a complementary control and monitoring system and be subject to routine examination by internal audit.

Model "Three lines of defense"

With this integrated system, the model of the "Three lines of defense" is pursued. The first line of defense is composed of the operational units and their operational management, known as "risk owners." They are responsible for the identification, assessment, and continuous monitoring of risks. The second line of defense mainly encompasses the internal control system and the risk management system and serves to control and monitor the first line of defense. This includes defining responsibilities, policies, and processes, monitoring risks, and reporting to the company's management and supervisory bodies. The third line of defense is the internal audit, which ensures that the first and second lines of defense are objectively and independently examined and advised.

Figure 5: The "Three lines of defense" model for ensuring complementary control and monitoring systems

Figure 6: Internal control systems and their interactions under the aspect of ESG. Elements shown in the figure:

  • Business processes: a sequence of value-adding activities with one or more inputs; these activities generate value (such as products or services) for customers.
  • Assumptions: completeness and comprehensibility; reliability and balance; clarity and transparency; conveying the perspective of corporate management; gradation of information.
  • Inherent risk (IR): the probability of significant errors occurring, assuming no internal controls are in place.
  • Possible errors / what could go wrong: which potential errors can arise within a business process?
  • Controls / IT general controls: rules for monitoring business processes.

What should companies do now?

The dynamics of ESG reporting requirements and frameworks by the European Union demonstrate that establishing internal controls around sustainability reporting is essential. This can make a significant contribution to ensuring the reporting quality of companies. The establishment of internal control systems for reporting significant environmental risks can help cover the expected dynamics in the future development of EU regulations with a practical and risk-oriented design.


1 Cf. European Green Deal (retrieved May 2, 2023)

2 Cf. Article 3 of the Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020. Define and publish metrics for classifying sustainable economic activities. Definition of the six environmental targets (31 pages). On June 22, 2020, the regulation was published in the Official Journal of the EU and has been in force since July 12, 2022.

3 Cf. Article 9 of the Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020. Define and publish metrics for classifying sustainable economic activities. Definition of the six environmental targets (31 pages). On June 22, 2020, the regulation was published in the Official Journal of the EU and has been in force since July 12, 2022.

4 Cf. Commission delegated regulation (EU) 2021/2178 of 6 July 2021 - General disclosure requirements (59 pages). On Dec 10, 2021, the regulation was published in the EU Official Journal and has been in force since Jan 1, 2022.

5 Cf. Commission delegated regulation (EU) 2021/2139 of 4 June 2021 - Technical assessment criteria for contribution to climate change mitigation and adaptation (349 pages). On Dec 9, 2021, the regulation was published in the EU Official Journal and has been in force since Jan 1, 2022.

6 Cf. Commission delegated regulation (EU) 2022/1214 of 9 March 2022 - gas and nuclear energy (45 pages). On July 15, 2022, the regulation was published in the Official Journal of the EU and entered into force on Jan 1, 2022.

7 Sustainable investment – EU environmental taxonomy

8 Cf. § 289 (1) HGB "Content of the management report" and § 315 (1) HGB "Content of the consolidated management report"

9 Cf. German Accounting Standard No. 20.12 et seq. (DE); Summary of The German Accounting Standards (GAS) 20

10 Cf. § 289d HGB "Use of frameworks"

11 Cf. § 317 (2) Sentence 4 HGB "Subject matter and scope of the audit"

12 Cf. Directive (EU) 2022/2464 of the European Parliament and of the Council of 14 December 2022

13 Cf. Directive (EU) 2014/95 of the European Parliament and of the Council of 22 Oct 2014

14 Cf. BGBl - Law on strengthening non-financial reporting in their management and consolidated management reports of April 11, 2017 (DE)

15 Cf. German Corporate Governance Code 2022, Principle 4

16 Cf. § 171 para. 1 of the German Stock Corporation Act (AktG)

17 Cf. the Corporate Sustainability Reporting Directive, which came into force on Jan 5, 2023: Directive (EU) 2022/2464 of the European Parliament and of the Council of 14 December 2022, paragraph 29 in conjunction with paragraphs 37 and 39