Internal controls are not confined to just accounting and financial reporting; they are also part of ESG reporting requirements. ESG information is becoming equally important and requires an equally robust control structure, and failures in ESG reporting, the endpoint of internal controls, can be costly. If material misstatements are made during ESG reporting, directors can be sued, customers become disenfranchised, and management makes decisions using incorrect information.

In this article, I will review three examples of why ESG internal controls should be adopted by public companies today rather than waiting until ESG reporting failures become a crisis.

1. Fiduciary Duty

Many boards of directors of public companies need help understanding the breadth of their fiduciary obligations. Directors understand they are responsible for ensuring that accurate information and reporting systems exist within the corporate structure; however, most directors assume this only applies to financial matters. This assumption may have been true before the Caremark derivative case was applied to the McDonald’s sexual harassment director litigation [1]. In the McDonald’s case, the courts concluded that the directors owe a fiduciary duty of oversight under Delaware law and that they have an obligation to address “red flags” suggestive of wrongdoing or other internal failures.

So how does this apply to ESG? The court stated that directors are obligated “to make a good faith effort to establish an information system” that allows for adequate controls and reporting to the board of directors. An information system includes material ESG non-financial information. And if one does not exist, the directors are open to a “Caremark claim.”

Simply put, if ESG information is missing, misstated or misleading because of a failure of oversight, the Board of Directors can be sued for breaching their fiduciary duties.

2. Reporting and Messaging

Today, various departments within public companies continuously receive requests for ESG information. B2B customers ask the customer service department for greenhouse gas (GHG) metrics and emission targets. Recruiters and prospective hires are requesting information on diversity initiatives from HR. And ESG rating companies are asking anyone who will respond to complete ESG surveys. As the volume and importance of ESG information increase, so too should the control and oversight over external ESG communications.

Companies need to consider sustainability and ESG reporting as closely as they focus on branding and financial reporting. Companies need to develop internal policies to control and centralize ESG reporting and stop individual departments from writing their own ESG reports. A centralized controlled approach is even more critical for firms with multiple locations or subsidiaries. A clerk in customer services or finance should not decide the content of the ESG information provided to customers or other stakeholders. ESG reporting and messaging are too important to leave to chance. Firms without solid controls over ESG reporting risk providing misleading or materially incorrect information to the marketplace/investors.

Internal controls define roles and responsibilities in ESG reporting and messaging. A policy will state who controls the messaging, what information is reported, and how it is verified, and will create formalized RFI response guidelines. By implementing robust controls over messaging, companies can be assured they have correct, uniform, and authorized ESG information in the marketplace.

3. Prepare for SEC Climate Reporting

The SEC will soon require registrants to disclose certain climate-related information, including GHG emissions metrics and climate-related risks that have a material impact on the financial statements. And until the exact requirements are known, it is advantageous for firms to begin designing systems to enable them to comply with the proposed SEC climate reporting requirements.

And a good first step is establishing SEC climate internal control policies that identify and define the criteria most likely to be included in final climate reporting regulations. For example, greenhouse gas boundaries will need to be defined, sources of emissions identified, and responsible parties assigned. Climate risks should also be identified, and the financial impact evaluated.

Once climate criteria have been identified, a proforma process (workflow) can be created. Then a walk-through can be performed to ensure that the process of collecting, reviewing, and transmitting climate information to the CFO for inclusion in the annual 10-K filings is robust and efficient. Remember, ESG reporting follows financial reporting and must be completed within the first 60 to 90 days after a company’s year-end. The SEC does not allow for practice runs, so getting it right the first time is critical, and this can only be done by doing the groundwork today.


In the past, internal controls were only related to accounting and financial reporting controls. Today’s internal control structures must also include controls over ESG information and reporting. Creating a formal set of ESG internal control policies and procedures that formalize board oversight, allow for consistent, complete, and accurate reporting, and support SEC climate reporting is the basis of a modern ESG control environment. And by developing such controls today, you can avoid tomorrow’s failures to meet ESG reporting requirements and possible litigation.

[1] McDonald’s Corporation Stockholder Derivative Litigation, C.A. No. 2021-0324-JTL (Del. Ch. Jan. 26, 2023)
