Measuring Up

Articles Ali Rehman, PHD, CIA, CRMA Apr 10, 2023

Today’s organizations are expected to be sustainable in terms of operations and corporate governance. Sustainability requires leaders to look into the future of their organizations and plan for long-term operations, discouraging short-term strategies.

The COVID-19 pandemic only reinforced the issue of sustainability. Many organizations that were short-sighted were forced to shut down operations permanently, whereas long-term and visionary organizations were able to sustain themselves during the pandemic.

With the introduction of the United Nations Sustainable Development Goals in 2016, the notion of sustainability has grown beyond the expectation of sustainable corporate governance. The UN’s 17 goals target problems such as poverty, health, hunger, pollution, and inequality, and 140 nations are now working toward the attainment of these goals by 2030.

Organizations also began to recognize their impact on wider environmental, social, and governance issues, and now ESG has taken the lead over sustainable corporate governance. In the current business environment, many institutional investors recognize the importance of ESG information when assessing the corporate purpose, strategy, and management of companies. ESG is now big business, quite literally.

However, ESG objectives cannot be achieved without maintaining a strong control environment, and internal audit is key in helping the organization do just that. By focusing on the control environment, internal auditors can identify systemic issues related to organizational behavior, the organization’s ethical culture, and management’s commitment to integrity. In turn, this focus can help mitigate the risks of fraud, waste, and abuse in the areas of ESG.

Compliance Versus Control

Simply providing assurance over compliance is not enough when it comes to achieving ESG goals. There also needs to be a strong system of controls and an ethical culture in place. Compliance for compliance’s sake will not achieve the desired results and may pave the way for organizations to look for ways to circumvent the rules.

Take, for example, the Volkswagen emissions scandal. The company was long considered a leader in environmental sustainability, touting its commitment to reduce carbon emissions and meet environmental standards. However, in 2015, it was discovered that the car maker had installed software in its diesel vehicles that could cheat emissions tests by providing false readings.

While this deception was clearly a violation of environmental regulations, it also highlighted weaknesses in Volkswagen’s control environment. The company had inadequate systems and controls in place to detect and prevent fraud, and there was a lack of oversight and accountability throughout the organization. As a result, the emissions cheating went undetected for years.

As this case shows, even companies that appear to be in compliance with ESG laws and regulations can be vulnerable to risks associated with a weak control environment. Rather than simply focusing on compliance, a better role for internal audit is providing assurance and advice on the control environment.

Five Principles of a Control Environment

The control environment is the set of values, attitudes, policies, and procedures that an organization has in place to provide a framework for achieving its objectives, managing risks, and complying with laws and regulations. An organization’s control environment is a key component of its overall system of internal control, and it is largely determined by the tone set by executive management and the board of directors.

Strong control environments can oblige organizations to follow the best ethical practices and become good social citizens. The control environment can be broken down into five principles that are necessary to mitigate the risk of fraud or ethics missteps.

1. Commitment to ethics and integrity. This principle obliges organizations to develop a tone at the top where the board and executive management demonstrate from their own behavior that they follow the best ethical principles and expect integrity in their operations. This can be achieved through frequent communication between the board and executive management and the organization’s employees. Standards of ethics and integrity should be understood at all levels, and processes should be in place to evaluate these standards. Ethics and integrity cannot be measured quantitatively but rather through qualitative means, such as through anonymous surveys, focus groups, employee-led committees, and exit interviews.

2. Board independence. For an effective control environment, the board should be separate from executive management and members should have the independence to perform their oversight responsibilities. They also should have the knowledge to competently monitor the control environment of the organization.

3. Organizational governance structure. The organization should establish reporting lines with defined roles and responsibilities to prevent duplication of duties, confusion over reporting relationships, and unchecked management decision-making and control. Internal audit can ensure that such risks are addressed.

An effective organizational governance structure from an ESG perspective should be designed to ensure that the organization is managing ESG risks and opportunities in a responsible and sustainable way and that it is meeting the expectations of stakeholders. The board sets the tone for the organization’s approach to ESG issues and should establish policies and procedures that reflect its commitment to these issues. The organization should also be transparent and accountable in its reporting on ESG issues.

Branches of ESG

While the “E” receives the most focus from investors and regulators, social and governance factors impact all levels of the organization and all stakeholders, including employees, customers, suppliers, and communities. Below are examples of considerations within the three factors of ESG.

Environmental
  • Climate Change
  • Carbon Emissions
  • Pollution
  • Material Disposal
  • Resource Management
  • Biodiversity

Social
  • Labor Management
  • Public Safety
  • Privacy and Data Security
  • Quality Control
  • Ethical Sourcing
  • Equal Opportunity

Governance
  • Executive Compensation
  • Corporate Oversight
  • Board Diversity
  • Transparency
  • Accountability
  • Policies and Procedures

4. Qualified people. To maintain an effective system of internal control and carry out a company’s ESG strategy, it is important to monitor staff competence, in addition to the hiring process. The organization should hire qualified people, strive to retain them, and develop staff competencies, including around ESG efforts. Employee development and training should be geared toward nurturing and reinforcing competence. Organizations should strive to ensure diversity and inclusion in their ESG teams, which can help to engage effectively with stakeholders. Organizations may also consider working with reputable external partners to address ESG risks and opportunities. 

5. Accountability. Besides setting clear roles, responsibilities, and decision-making powers for the board and executive management, it is important to develop accountability mechanisms to ensure that these individuals are held responsible for their actions and decisions. Organizations should establish clear ESG goals and targets, assign ESG responsibilities, implement ESG performance metrics, conduct ESG audits and assessments, and engage with stakeholders on ESG issues. By establishing clear expectations, measuring performance, and providing incentives, accountability can be reinforced. Based on internal audit’s evaluation, corrective actions can be taken when necessary.

Combining Control Environment And ESG

Integrating the control environment into an organization’s approach to ESG issues requires a commitment to responsible and sustainable business practices. Organizations should establish ESG policies and procedures, conduct regular ESG assessments, establish ESG risk management systems, provide ESG training to employees, and engage with stakeholders on ESG issues.

The control environment can be tied to ESG by:

Embedding control environment considerations into ESG policies and procedures. To manage ESG risks, organizations can establish controls over corporate use of pollutants and chemicals, renewable energy sources, carbon and sustainability reports, inclusion and diversity approaches, pay and rewards policies, impact on local communities, board diversity, supply chain risk mitigation, and transparency in corporate reporting on governance, risk, and compliance strategies. 

Developing metrics to measure the effectiveness of the control environment. For example, metrics could be established to measure the number of control-related incidents or the percentage of control-related findings from internal audits.

Integrating ESG into control environment assessments. When assessing the control environment, organizations can evaluate how well controls are designed and implemented to address ESG risks. For instance, controls can be designed to prevent environmental incidents or to ensure that social and ethical factors are considered in decision-making.

Integrating the control environment with ESG can make ESG efforts more effective by:

Improving risk management. The control environment helps to identify and mitigate risks, which is essential for ESG management.

Enhancing compliance. ESG regulations are becoming more widespread. A strong control environment can help ensure that an organization meets regulatory requirements.

Building trust and credibility. A strong control environment is critical for building trust and credibility with stakeholders such as investors, customers, and employees. By integrating the control environment with ESG, organizations can demonstrate their commitment to responsible and sustainable business practices.

Putting it All Together

ESG is becoming a buzzword. ESG investing has grown rapidly over the past decade, and organizations are eager to reap the benefits of ESG reporting. However, without the appropriate control environment, it is impossible to achieve ESG objectives.

To serve the present and to prevent an unsustainable future, organizations should focus on integrating the control environment with ESG. When an organization is committed to ethics and integrity, board independence, a strong governance structure, hiring and retaining talented staff, and developing accountability, it can be assured it has a strong control environment.

Ali Rehman, PHD, CIA, CRMA, is internal audit director, A’Sharqiyah University, based in Oman.