Jeanette Hill, CPA, CMA, MSc Candidate

In my years chatting with corporations and stakeholders regarding sustainability reporting, one of the biggest areas that was always mentioned as a challenge was internal controls over sustainability information. I see a ton of posts about standards updates but not a lot of practical advice on how to implement internal controls and governance over this information which is the foundation of good reporting.

I decided to create practical, simple, audit-ready internal control examples that organizations commonly put in place to govern sustainability information for reporting. Hopefully some of these are helpful tips in improving your internal controls over sustainability information, especially for those that don’t have an accounting background or training and might not know where to begin.

So much sustainability information resides on spreadsheets outside of traditional financial systems with built-in controls. Data is aggregated from various sources and different facilities creating room for errors in completeness and accuracy.

Creating and documenting a clear chain of data ownership and accountability for each material sustainability metric is key. For example, scope 1 emissions accountability in a trucking company might look something like this:

Fleet Manager : Data owner for fuel consumption

• Not the owner of emissions math.
• Not the owner of emission factors.
• Just the owner of integrity of the fuel and mileage data.

Sustainability Manager: Data Calculator/ Preparer

• The Data Calculator is the keeper of methodological integrity
• Data Calculators make the math right.

Finance:  Reviewer, validates results

• In mature organization the CFO or other executive such as the VP of Sustainability Reporting would approve the information.

Board Committee: Oversight

We will now go through the ideal responsibilities in each of these roles/areas of responsibility.

While this may seem easy enough, imagine the fleet owner manages 50 cross Canada vehicle hubs. Each hub has a fleet coordinator that sends the information to the fleet manager who simply records what the coordinators send. The fleet manager is confident the information is correct as they provide e mail instructions on what information to send over for the report.

However, by simply making the fleet manager the data owner, they now understand they are responsible for the overall accuracy, management and maintenance of the data. To ensure accountability this responsibility should be formally part of their job performance requirement. It would be useful to understand workloads as well to ensure the additional workloads are manageable. Here are examples of the data a fleet manager would typically own:

Fuel consumption

• Gasoline, diesel, propane, LNG, etc.
• By vehicle, region, or cost center
• From: fuel cards, ERP purchases, invoices

Mileage / usage (if used for cross-checks or estimates)

• Odometer readings
• Engine hours
• Telematics logs

Fleet inventory completeness

• Active vehicles list
• Additions and disposals during the year

• Leased vs owned vehicles (could have an impact on the final emissions calculations so it is important to point this out)

As the data owner the fleet manager now has incentive to ensure processes and procedures are in place and followed for data collection. Ideally the data owner is only responsible for raw data collection. Here are some of the typical control responsibilities for the fleet manager:

A. Completeness controls

Fleet Manager must ensure:

• All vehicles are included in the reporting population
• All fuel sources are captured (no missing cards, regions, vendors)
• No months are missing

Typical evidence:

• Fleet inventory reconciliation to fuel records
• Monthly completeness checklist

B. Accuracy controls

The fleet manager confirms:

• Fuel volumes align with invoices or system totals
• No duplicate or miscoded transactions
• Units are consistent (litres, gallons, etc.)

Typical evidence:

• Reconciliations
• Exception reports
• Corrections log

C. Cut-off & period controls

They ensure:

• Fuel is recorded in the correct month/quarter
• Late invoices are accrued
• Disposals stop being counted when vehicles leave service

Typical evidence:

• Accrual methodology
• Period close sign-off

D. Detective Controls (Variance explanation)

When fuel spikes or drops the Fleet Manager should be able to explain for exmaple:

• Route changes
• New vehicles
• Retirements
• Seasonal effects
• Business growth/contraction

Not “emissions factors changed” would be the Calculator’s role.

The Fleet Manager is treated just like a financial subledger owner: Own the inputs. Prove they’re right. Explain what changed. Certify them. This is what makes GHG data defensible.

Segregation of duties is added by having the sustainability manager transform complete and accurate activity data into GHG emissions results using approved methodology, emission factors, and assumptions. This role is the consolidation, calculation, and close function and not the transaction owner. This role would own:

• Emissions calculation logic
• Emission factor selection & application
• Estimation methodologies
• Consolidation rules
• Methodology consistency year-over-year
• Restatement assessments

Here is a list of what typical responsibilities of this role would look like

A. Methodology governance (preventive control)

• Apply methodology ( most likely aligned to Greenhouse Gas Protocol)
• Maintain a GHG Methodology Document, including:
  •  Organizational boundary
  • Operational boundary
  • Scope 1 / 2 / 3 treatment
  • Estimation hierarchy

B. Emission factor management

• Maintaining a controlled emission factor register (update emissions factors annually lock for the reporting period).
• Documenting:
  • source
  • version
  • effective year

C. Calculation execution

• Calculations occur in:
  • a controlled spreadsheet or approved GHG software

D. Estimation & judgment

When data is missing or incomplete:

• Applies pre-approved estimation methods
• Documents:
• assumptions
• rationale
• uncertainty
• Escalates material estimates
• Ensures estimates are:
• reasonable
• consistent
• conservative (where appropriate)

E. Analytical review & sense-checking (detective control – anomalies go back to fleet manager/data owner to explain)

Before results go to Finance:

• YoY trend analysis
• Intensity metric checks
• Scope-to-scope consistency checks
• Outlier identification

Finance provides the independent review layer that transforms GHG data from a sustainability metric into a decision-grade, disclosure-ready figure. By performing analytical reviews, sample recalculations, and assumption challenges, Finance ensures emissions data is complete, accurate, and defensible in the same way financial results are governed. Here are some functions finance can perform:

1. Completeness check (population integrity, ensuring nothing is missing)

Are all required scopes are included and material data sources present? Are any months/quarters missing? Are acquisitions/disposals of our vehicles reflected properly?

Typical control evidence

• Completeness checklist
• Scope coverage reconciliation
• Period close confirmation

2. Reperformance & calculation validation (accuracy)

It is useful for finance to recalculates a sample of emissions to check formula logic, ceritify unit conversions and confirm emission factor application.

Being able to independently reproduce data is key for successful assurance.

3. Analytical review (reasonableness)

It is useful for finance to examine year-over-year comparisons, intensity metric analysis, conduct variance threshold reviews (e.g., ±10–15%) and complete cross-checks against operational drivers.

For example, if fuel consumption is increasing but overall emissions are down, this should be investigated.

Finance is looking for whether the numbers make business sense.

4. Assumption & estimate challenge

Lastly, finance can also assess materiality judgements, restatements or any missing data estimates. Checking assumption logs etc.. preserves data defensibility in the event of an audit.

Finance can also check that the published numbers in the sustainability report the sustainability reporting team prepared matched what was approved.

Most GHG errors are math and process errors. Finance is what catches them before disclosure risk. This is another example of segregation of duties and a step in having good controls over data.

In mature organizations the CFO signs off ( or potentially another executive responsible for sustainability reporting). This review signals that GHG disclosures are treated as other management disclosures in that executives are approving the integrity of the data collection processes:

• Finance has independently reviewed completeness, accuracy, and reasonableness

• material assumptions and estimates are appropriate

• any methodology changes are documented and justified

• results are ready for disclosure and decision-making

It is the sustainability equivalent of certifying the financial close.

Strong Board oversight is essential to GHG data integrity. It signals that emissions metrics matter, and that accuracy and controls are non-negotiable.

The Board sets expectations and the control environment tone that echoes through the organization. Their involvement confirms that GHG data is treated as governance-critical information. The board endorses alignment with recognized standards of the GHG Protocol and will signal intolerance for unsupported estimates and inconsistent methodologies.

Often via the Audit Committee the Board will review the GHG governance framework (full system of roles, responsibilities, controls, and accountability you’ve just walked through). They will confirm clear segregation of duties in each of the defined roles we discussed and ensure controls exist completeness and accuracy, many of which were discussed above.

The board will look for what changed this year and clear explanations for these changes (think of the variance analysis we talked about above). They will also confirm CFO and management sign-off exists and through all their questions, challenge whether emissions data is fit for disclosure, and if applicable targets and executive compensation.

The Board should also be made aware of significant methodology changes, restatements or recalculations, use of material estimates (especially Scope 3), control deficiencies or assurance findings

They don’t approve formulas; they approve the risk posture.

How much scrutiny is on this information will depend on your organization and the risk tolerance in the information. How much risk of error, inconsistency, or challenge are you willing to live with in your emissions data? This depends; many organizations are just getting started and will see different level of the above controls and governance procedures.

The important thing is to understand what good governance looks like to be able to work towards it for a few key disclosure metrics. If you are in a voluntary reporting environment you have time to work towards maturity in this space.

Internal controls are really policies, procedures, structures that help an organization achieve objects for accurate, complete and reliable information and reduce risks.

These help organizations operate in an efficient and effective manner and the reporting to be reliable for stakeholders.

The key would be not to overwhelm yourself, per COSO, start with your top 3-5 metrics and work through the process.

Another tip is to work with accounting and compliance teams to understand what controls are already in place at the organization. This makes it easier to align what is happening with sustainability information with the rigor of financial information. Keep in mind this is fairly simple stuff, the policies and procedures are there to allow information to be re-produced by internal and/or external auditors and provide consistency in the information over time.

Keep an eye out for my next article on other important parts of the governance and control over sustainability information.