The Board’s Responsibility for Internal Control of Non-Financial Reporting

By Tim Bovy and Ian Hodges

It is only a matter of time before the SEC’s proposed rules for Environmental, Social, and Governance (ESG) reporting evolve into Sarbanes-Oxley style legislation, providing welcome guidelines and coherence to the current “alphabet soup” of over 600 reporting standards. Boards need the clarification that this coherence will bring, but, as with Sarbanes-Oxley, it also means that they will bear the burden of responsibility and accountability for guaranteeing the accuracy of the information they provide to the investment community. This responsibility will require developing internal processes for the internal control of non-financial reporting (ICNFR) comparable to the internal control of financial reporting (ICFR), at the same time that it will amplify board-level oversight.

The SEC has already indicated why codifying ESG reporting is necessary. In a speech on March 15, 2021, then-Commissioner Allison Herren Lee said: “There is really no historical precedent for the magnitude of the shift in investor focus that we’ve witnessed over the last decade toward the analysis and use of climate and other ESG risks and impacts in investment decision-making.  That’s not to say that investor focus on issues that also have social or ethical significance is new.”  Neither, however, is it that old.

Until very recently, the Friedmanite model dominated the discussions of most investors, led, for example, by the Koch brothers, among others, who expected businesses to follow a neoliberal creed.  It is instructive to remind ourselves of its main themes.  Writing in 1970, Friedman said that businessmen who “declaim that business is not concerned ‘merely’ with profit but also with promoting desirable ‘social’ ends; that business has a ‘social conscience’ and takes seriously its responsibilities for providing employment, eliminating discrimination, avoiding pollution and whatever else may be the catchwords of the contemporary crop of reformers” were living in a kind of cloud cuckoo land of “pure and unadulterated socialism,” and were the “unwitting puppets of the intellectual forces that have been undermining the basis of a free society these past decades.” 

Klaus Schwab, founder of the World Economic Forum (WEF), declared only a few years ago, in 2019, that “this form of [shareholder] capitalism is no longer sustainable.”  The WEF is proposing that we shift to stakeholder capitalism. In shareholder capitalism, “the responsibility of business is to increase its profits”; in stakeholder capitalism, “society’s goal is to increase the well being of people and the planet.” Shareholder capitalism emphasizes “short-term profit maximization as the highest good”; stakeholder capitalism focuses upon “long-term value creation and ESG measures.” Investors have added their voices to the stakeholder capitalism chorus, putting huge pressure on boards to include ESG as a main component of their long-term strategy. 

If the SEC’s ESG rules roughly follow SOX, organizations will need to have internal controls that ensure the legality of their non-financial ESG reporting and verify that the information contained in the reports is accurate. Beyond this, as the lawyer Martin Lipton has recently noted, “the Caremark doctrine recommends that companies have in place information and reporting systems reasonably designed to provide timely, accurate information to allow management and the board to reach informed judgments about the corporation’s compliance with law and its business performance.”  Companies normally think of such systems in the context of financial information and reporting. ESG has changed that, giving non-financial information and reporting systems parity.

As Robert Eccles has commented, however, “few firms have reliable systems for measuring ESG performance. The result is untimely and poor-quality ESG data, which presents challenges not only to investors but to corporate managers themselves.”  Indeed, “for many organisations…their ESG information is rarely available at the same time and in a comparable format as financial information.”  Were financial information in such disarray, the board would be in breach of its fiduciary duty to its shareholders, as well as being in violation of Section 404 of SOX.

To nudge organizations into getting their non-financial ESG information in order, SEC Commissioner Jaime Lizarraga has recently said: “My hope is that the Commission’s rules will help move market participants forward in producing high-quality data that will allow for more rigorous due diligence, enable investors to more easily differentiate between market participants on ESG-related claims, and ultimately, help investors make more informed investment decisions.”

Going forward, organizations will need to develop records and information management systems for reporting non-financial data that are as accurate and timely as the systems they use for reporting financial data. Implementing such systems will, however, be much more complex. “As difficult as it was to implement Sarbanes-Oxley (SOX) controls over financial reporting,” notes Sue King of KPMG, “implementing controls over ESG reporting will be infinitely more challenging.”  It will require gathering information from disparate sources in a complex array of formats, and then verifying its accuracy and provenance.

Since the path to a sound ESG reporting structure is tortuous, it must be clearly mapped from the outset. This requires a reporting strategy that contextualizes and synthesizes the activities and purposes of the organization, the sector, territories and regulatory environment in which it operates, and the supply chains it engages. Frameworks and standards should be assessed next. Broadly, frameworks offer guidance in developing a reporting structure while standards offer a complete methodology and set a benchmark. Standards should be preferred if there is widespread adoption within the sector or territories in which the organization operates. They offer more accurate comparators that are already widely understood and readily accepted.

The major global standards are currently the Global Reporting Initiative (GRI), the International Sustainability Standards Board (ISSB), the Sustainability Accounting Standards Board (SASB) and the Task Force on Climate-Related Financial Disclosure (TCFD).  They are widely used and have broad applicability, although the ISSB is more focussed on capital markets. Since March, GRI and ISSB have been working together to achieve greater alignment and, unless there is a specific and compelling reason to use one of the more niche standards, larger global standards such as these should be the board’s first choice.  This is especially true in light of the movement towards the adoption of double materiality. 

Irrespective of the standards chosen, the greatest challenge remains that of gathering complete, accurate and timely data and doing so in such a way that those data can be collected from various disparate sources and aggregated without compromising the integrity of the reporting. This is an information management challenge on a considerable scale for any medium to large enterprise, although addressing this challenge can reveal valuable insights, such as unearthing corporate cultural problems, supply chain issues, and process weaknesses that have otherwise gone unnoticed or unreported. In other words, investors are not the only beneficiaries.

Taking on this challenge also means that the board will be well prepared for the SEC’s inevitable integration of the best of the above ESG standards into a comprehensive set of rules that will have the same impact on non-financial reporting that Sarbanes-Oxley has had on an organisation’s financial reporting.

About the Authors

Tim Bovy has over 35 years of experience in designing and implementing various types of information and risk management systems for major law firms such as Clifford Chance, and for international accountancy firms such as Deloitte. He has also developed solutions for organizations such as BT, Imperial Tobacco, Rio Tinto, the Kuwaiti government, The Royal Household, and the US House of Representatives. Tim is an elected member of The Royal Institute of International Affairs, Chatham House, an independent think tank based in central London. Tim holds a BA degree, magna cum laude, from the University of Notre Dame, and MA and C.Phil degrees from the University of California, Davis.

Ian Hodges has worked in a variety of information management roles over a twenty-year career. He has designed and implemented records and information management systems at a national scale, developing parts of the digital archive at The National Archives (UK). At a corporate level he’s undertaken information management projects with The Royal Household and Her Majesty’s Treasury.  Ian also has information rights expertise developing policies and procedures for Freedom of Information and Data Protection compliance and working as a Data Protection Officer.  In addition to CISM, CIPP/E and CIPM certifications, Ian holds a BA degree from the University of Southern Queensland, a postgraduate diploma from Deakin University, Melbourne and an MA from Birkbeck, University of London.


  1. Commissioner Allison Herren Lee, “A Climate for Change: Meeting Investor Demand for Climate and ESG Information at the SEC”, March 15, 2001, available at
  2. Milton Friedman
  3. Klaus Schwab, “Why we need the ‘Davos Manifesto’ for a better kind of capitalism,” World Economic Forum, 1 December 2019, available at
  4. Klaus Schwab and Peter Vanham, “What is the difference between stakeholder capitalism, shareholder capitalism and state capitalism?”, World Economic Forum, The Davos Agenda 2021, 26 January 2021, available at
  5. Martin Lipton,
  6. Robert G. Eccles and Svetlana Klimenko, “The Investor Revolution,” Harvard Business Review, From the May–June 2019 Issue, available at
  7. Nasdaq ESG Reporting Guide, available at
  8. Speech of SEC Commissioner Jaime Lizarraga, “Meeting Investor Demand for High-Quality ESG Data”, October 17, 2022, available at
  9. Steve Estes, “The Soxification of ESG Reporting”, KPMG, 2021, available at

