Auditing climate data and reporting

Stakeholder expectations that organisations report on their Environmental, Social and Governance (ESG) performance and risks are increasing. Understanding of corporate sustainability performance enables organisations and investors to make informed choices that drive value and improve sustainability outcomes.

Regulators, investors, consumers, governments and the general public all have an interest. Climate change is at the heart of this and is becoming a core component of most non-financial reporting. This guidance focuses on auditing both external and internal climate-related reporting and the data underlying such reports. The principles and suggested approach can equally be applied to other ESG elements. 

The reporting and assurance landscape

There has been a proliferation of overlapping reporting standards in the past 20 years. Some of the most common initiatives are the Global Reporting Initiative (GRI), Integrated Reporting, disclosures relating to the UN’s Sustainable Development Goals (SDGs) and, importantly for climate change specifically, the Task Force on Climate-related Financial Disclosures (TCFD). Many organisations take their own approach, often drawing on one or more of these initiatives. Published reports may be integrated within the annual report, or appear as a separate sustainability report, a corporate responsibility report or a series of specific publications, to name but a few.

The EU introduced a requirement (the Non-Financial Reporting Directive) that from 2017 certain large entities must include limited non-financial information in their strategic reports; this includes environmental and social reporting (ESR) and thus climate-related information. The directive has been implemented in all EU countries, including the UK and Ireland, although some details differ between countries.

Certain large UK businesses must also report under the Streamlined Energy and Carbon Reporting (SECR) requirements for financial years starting on or after 1 April 2019, and the UK government’s Green Finance Strategy sets an expectation that all listed companies and large asset owners will disclose in line with the TCFD recommendations by 2022. While some organisations are moving towards this, reporting remains inconsistent, and many organisations will not have to comply with any specific requirement at all.

External assurance of published non-financial reports is also variable, and rarely as comprehensive as for financial information. The EU Non-Financial Reporting Directive imposes only a very limited requirement, mirroring the existing requirement that information in the strategic report be consistent with the financial statements or with knowledge gained in the (external) audit. External assurance of SECR reports is suggested but not mandated. In practice, many larger organisations do obtain additional external assurance over non-financial information, based on the International Standard on Assurance Engagements (ISAE 3000) or the AA1000 Assurance Standard.

Role of internal audit

IIA Performance Standards 2120 and 2130 require internal audit to evaluate risk exposures and internal controls regarding the reliability and integrity of financial and operational information. In addition, the Internal Audit Code of Practice and the Financial Services Code specifically state that the scope of internal audit should include information presented to the board and executive management for strategic and operational decision-making. Given the importance of climate and other ESR issues in decision-making, this is clearly a relevant part of this scope.

The internal auditor will need to understand the climate-related impacts of the organisation (and the industry in which it operates) and the potential impacts of climate change on the organisation in order to define the scope appropriate for the organisation. This will drive the extent and precise nature of the work.

Internal audit could usefully consider four broad areas in defining the scope of relevant engagements in this area:

  • published reports and data, whether part of the annual report, a separate report, or a section on the website
  • any reports and/or data provided to regulators, industry groups, or other interested parties
  • reports provided to the board, committees or management that are used directly or indirectly in decision-making
  • underlying data used in the production of these reports.

The internal auditor should consider any external assurance and the extent to which reliance can be placed on it, bearing in mind the scope of such engagements and extent of the assurance provided. This may impact both the priorities for internal audit and the timing of the work, particularly for assurance over published information. Unlike external assurance, some internal audit assurance can be year-round, not simply at the time of reporting, although part of the work may need to link into the reporting cycle.

Key risks and controls

The main overriding risks for an organisation are:

  • inability to comply with current or future climate or ESG-related regulatory requirements, resulting in censure, financial penalties and reputation damage
  • inadequate or misleading reporting, resulting in reputational damage
  • strategic or key operational decisions based on inaccurate data, resulting in poor investment returns, lost opportunities, reduced profitability and/or reputational damage.

In order to address these, the internal auditor should consider the following operational-level risks.

1. Reports provide incomplete or inaccurate information due to incomplete or unreliable data sources.

Potential controls/mitigants

  • Each line in a report is fully mapped to accurate, reliable data sources.
  • There are robust processes to collate and validate source data.

Internal audit considerations

  • Assessing the completeness and accuracy of every data source is unlikely to be within the scope of this engagement, given the number of related processes and data sources. It is, however, important to identify the relevant sources, so that the internal audit plan can address them in other engagements and so that the overall level of assurance provided is sufficient. Within this engagement, it would be reasonable to expect internal audit to identify and test first- and/or second-line controls over the completeness and accuracy of data sources.

2. Reports provide incomplete or inaccurate information due to errors in compilation from source data.

Potential controls/mitigants

  • There are robust processes to produce reports from accurate, reliable source data.
  • Detailed checking and review of reports to ensure accuracy, completeness and reasonableness.
  • Staff with appropriate knowledge and experience are involved in the production of reports.

Internal audit considerations

  • As climate (and ESG) reporting is still in its relative infancy for most organisations, the systems and processes used to collate the reports are likely to be more manual than for more established reporting; for example, there may be greater reliance on end-user-developed spreadsheets and ad hoc processes to import and process data. These manual steps are where compilation errors are most likely to arise, so they warrant particular attention when testing the controls above.

3. Reports fail to provide relevant data or are inconsistent year-on-year, thus failing to provide a fair view of the organisation’s climate performance and impacts.

Potential controls/mitigants

  • There is a clear strategy for reporting, which leverages one or more relevant standard.
  • Reference is made to TCFD for climate data.
  • The strategy sets out developments to be made over time as data becomes available and reliability improves, and this is backed up by a plan to improve data quality.

Internal audit considerations

  • This is a key reputational risk: organisations can be accused of greenwashing (conveying a false impression, or providing misleading information, about how environmentally sound a company’s products or operations are) if they change disclosures year-on-year to present an overly positive message, or if they omit important information about their climate performance or impact.
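The mapping, recomputation, source-completeness and year-on-year checks that risks 1 to 3 call for can be scripted once the source extracts and the draft report are to hand. The script below is an added illustration of such audit analytics; it is not part of this guidance nor any organisation's reporting system. The site register, activity data, draft report figures and prior-year figures are all constructed, and the emission factors are made-up round numbers used only for the arithmetic, not real conversion factors.

```python
"""Audit analytics for a climate report: map each line to a source, recompute it
from source data, test source completeness, and check prior-year comparatives.

Everything here is constructed for illustration. The emission factors are
made-up round numbers, not real conversion factors; an actual test would use
the factors the organisation's documented methodology specifies.
"""

PERIODS = ["2020Q1", "2020Q2", "2020Q3", "2020Q4"]

# Constructed site register: the (site, activity type) streams that the second
# line expects to receive for every period. Anything expected but absent is an
# incomplete data source (risk 1).
EXPECTED_STREAMS = {
    ("plant-A", "gas_kwh"), ("plant-B", "gas_kwh"),
    ("plant-A", "elec_kwh"), ("plant-B", "elec_kwh"), ("office-C", "elec_kwh"),
}

# Constructed activity data as exported from metering/billing systems.
ACTIVITY = (
    [{"site": "plant-A", "period": p, "type": "gas_kwh", "qty": 100_000} for p in PERIODS]
    + [{"site": "plant-B", "period": p, "type": "gas_kwh", "qty": 50_000} for p in PERIODS[:3]]  # Q4 never arrived
    + [{"site": "plant-A", "period": p, "type": "elec_kwh", "qty": 150_000} for p in PERIODS]
    + [{"site": "plant-B", "period": p, "type": "elec_kwh", "qty": 100_000} for p in PERIODS]
    + [{"site": "office-C", "period": p, "type": "elec_kwh", "qty": 25_000} for p in PERIODS]
)

# Illustrative factors in kgCO2e per kWh (made up, for arithmetic only).
FACTORS = {"gas_kwh": 0.2, "elec_kwh": 0.25}

# Constructed draft report. "source" is the activity stream the line is compiled
# from (None = no documented mapping). "prior" is the 2019 comparative the draft
# shows; PUBLISHED_2019 is what last year's published report actually said.
REPORT = [
    {"line": "scope1_tco2e", "source": "gas_kwh",  "value": 110.0, "prior": 95.0},
    {"line": "scope2_tco2e", "source": "elec_kwh", "value": 300.0, "prior": 260.0},
    {"line": "scope3_tco2e", "source": None,       "value": 40.0,  "prior": 38.0},
]
PUBLISHED_2019 = {"scope1_tco2e": 120.0, "scope2_tco2e": 260.0, "scope3_tco2e": 38.0}
RESTATEMENTS = set()  # lines for which the draft carries an explicit restatement note


def unmapped_lines(report):
    """Risk 1 control: every report line must map to a documented data source."""
    return [r["line"] for r in report if not r["source"]]


def missing_source_records(activity, expected=EXPECTED_STREAMS, periods=PERIODS):
    """Risk 1: streams the register expects but the export does not contain."""
    seen = {(a["site"], a["type"], a["period"]) for a in activity}
    return sorted((s, t, p) for (s, t) in expected for p in periods if (s, t, p) not in seen)


def recompute(activity, stream, factors=FACTORS):
    """Independent recomputation of a report line from source data, in tCO2e."""
    kwh = sum(a["qty"] for a in activity if a["type"] == stream)
    return kwh * factors[stream] / 1000.0


def compilation_differences(report, activity, tolerance=0.5):
    """Risk 2 control: reported value vs recomputed value, beyond a tolerance in tCO2e."""
    diffs = []
    for r in report:
        if not r["source"]:
            continue  # an unmapped line cannot be recomputed; unmapped_lines() reports it
        expected = recompute(activity, r["source"])
        if abs(expected - r["value"]) > tolerance:
            diffs.append((r["line"], r["value"], expected))
    return diffs


def unexplained_prior_year_changes(report, published_prior, restatements=RESTATEMENTS):
    """Risk 3: comparatives that differ from the published figure with no restatement note."""
    return [(r["line"], published_prior[r["line"]], r["prior"])
            for r in report
            if r["line"] in published_prior
            and r["line"] not in restatements
            and abs(published_prior[r["line"]] - r["prior"]) > 1e-9]


def run_audit(report=REPORT, activity=ACTIVITY, published_prior=PUBLISHED_2019):
    """Run all four checks and return the exceptions for the working papers."""
    return {
        "unmapped": unmapped_lines(report),
        "missing_source": missing_source_records(activity),
        "compilation": compilation_differences(report, activity),
        "prior_year": unexplained_prior_year_changes(report, published_prior),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings or 'no exceptions'}")
```

Note that the scope 1 line recomputes exactly from the data that was exported even though a quarter of one site's gas data never arrived: recomputation (risk 2) and source completeness (risk 1) are separate tests, and agreement on the first says nothing about the second. The prior-year check only flags comparatives that changed without a restatement note; a figure that was restated for a documented reason is a disclosure matter, not an exception.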

4. The narrative in published reports does not provide a balanced or fair view of the organisation’s climate performance or impacts, or assertions are made that cannot be substantiated.

Potential controls/mitigants

  • There is independent review of the narrative by senior management and the board.

Internal audit considerations

  • Internal audit work should focus on the consistency between the data disclosed in the reports and the narrative accompanying it, along with the reliability of any assertions made about current or future performance.
  • Evidence to support such assertions should be sought.
  • This is a sensitive area and will require a senior member of the internal audit team. In practice, the people reviewing the narrative (management and the board) have an interest in its presenting a positive picture, so independent challenge from internal audit can make a real and timely difference.

5. Data is unavailable due to system failure or a security breach.

Potential controls/mitigants

  • Backup and continuity arrangements are in place for critical data in case of a system failure or breach during production of the annual report.
  • There is a freeze on system changes during the report production period to minimise the risk of issues.

Internal audit considerations

  • These controls are common for financial reporting. The internal auditor should ensure they extend to the systems necessary for non-financial information, including the end-user spreadsheets and ad hoc import processes on which climate reporting often depends; a change freeze defined around the core financial systems can easily leave these out.
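One way to evidence that the change freeze actually held over the report's inputs, including the spreadsheets and extracts outside the core systems, is to take a hash manifest of every frozen input at the start of the production period and re-verify it when the report is compiled. The Python below is an added illustration, not part of this guidance or any organisation's control set; the file names and contents are constructed, and the workbook bytes are a placeholder. The manifest must be held where the report preparers cannot alter it (for example, retained by internal audit or the second line), otherwise it evidences nothing.

```python
"""Evidence a change freeze on report inputs: hash every frozen input at the
start of the production period, then re-verify at compilation time.

Constructed example; file names and contents are illustrative."""
import hashlib


def build_manifest(files):
    """Map each frozen input name to the SHA-256 hex digest of its bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_manifest(manifest, files):
    """Compare the current inputs with the frozen manifest.

    Returns the names that were modified, that have gone missing, and that
    appeared after the freeze (each list sorted). Anything non-empty is an
    exception to raise with the report owner."""
    current = build_manifest(files)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


# Constructed inputs as they stood at the freeze: two source extracts and the
# end-user workbook that compiles them. The workbook bytes are a placeholder.
FROZEN = {
    "gas_2020.csv": b"site,period,kwh\nplant-A,2020Q4,100000\n",
    "elec_2020.csv": b"site,period,kwh\nplant-A,2020Q4,150000\n",
    "compile.xlsx": b"<placeholder workbook bytes>",
}
MANIFEST = build_manifest(FROZEN)  # retained by the auditor, outside the preparers' reach

# Constructed state at compilation time: the gas extract was re-run with a
# different figure, the electricity extract is gone, and an ad hoc adjustments
# file has appeared; only the workbook is untouched.
AT_COMPILATION = {
    "gas_2020.csv": b"site,period,kwh\nplant-A,2020Q4,100500\n",
    "compile.xlsx": b"<placeholder workbook bytes>",
    "adjustments.csv": b"line,delta\nscope1_tco2e,-5\n",
}


def freeze_exceptions():
    """Exceptions found when the frozen manifest is checked at compilation time."""
    return verify_manifest(MANIFEST, AT_COMPILATION)


if __name__ == "__main__":
    for kind, names in freeze_exceptions().items():
        print(f"{kind}: {names or 'none'}")
```

In practice the manifest is built from the files on the shared drive or document store at the freeze date and the verification is run against the same location when the draft report is signed off; each exception should be traced to an approved change request or treated as a breach of the freeze.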

6. For organisations required to make specific disclosures (for example, those subject to the requirement to disclose in line with the TCFD recommendations), the required data is not available over the required timeframes.

Potential controls/mitigants

  • The organisation has a robust process to identify existing and future requirements.
  • The reporting strategy sets out how the organisation will evolve data capture and reporting processes to meet identified future requirements.
  • There is a project plan which is actively managed and tracked.
  • Checklists or other supporting documents show how the disclosures meet the requirements.

Internal audit considerations

  • Some requirements will need processes to be developed and data to be captured over a number of years before they are fully effective, so forward planning is essential.

Conclusion

Reporting on climate performance and impacts is an evolving activity which is of increasing interest to a wide range of stakeholders.

External assurance is far more limited than for financial reporting, and so there is an opportunity for internal audit to add value by providing assurance on the reliability of data and the effectiveness of reporting processes. But the role should also include providing a challenge to the relevance, consistency and balance in the narrative accompanying quantitative information, giving internal audit the opportunity to raise its profile at the top levels of an organisation.   

Further reading

Performance Standards

  • 2120 Risk Management
  • 2130 Control

Codes of Practice

  • Internal Audit Code of Practice
  • Financial Services Code

Climate strategy

  • Climate change and environmental impact

Research report

  • The role of internal audit in non-financial and integrated reporting

Audit and Risk

  • Jan/Feb 2020: Climate change for internal auditors: Project Zero

External reading

  • Environmental Reporting Guidelines: including streamlined energy and carbon reporting guidance
  • Financial Reporting Council: Non-Financial Reporting Factsheet
  • Global Reporting Initiative (GRI): Standards
  • AccountAbility: AA1000 Assurance Standard
  • Task Force on Climate-related Financial Disclosures (TCFD): Final TCFD Recommendations Report, June 2017
  • Task Force on Climate-related Financial Disclosures (TCFD): Implementation Guide 2019

Content reviewed: 17 March 2021