ESG Data Quality Under the Microscope: What Auditors Want to See
With the CSRD, ESG data is increasingly subject to external audits, making thorough data quality controls indispensable for users and providers of ESG data alike.
- Introduction
- The ESG data value chain – what can possibly go wrong?!
- What an auditor will look for
- 4 steps to audit-readiness
- Where to from here?
With the ongoing evolution of the ESG data landscape and the increasing expectation for assurance in sustainability reporting, the scrutiny on data quality control measures is more intense than ever. What steps should ESG data users take to effectively prepare for audits? Additionally, how can ESG data providers maintain a competitive edge by instituting comprehensive and reliable control procedures?
Introduction
ESG data of counterparties forms the basis of many sustainability statements made by financial institutions: EU Taxonomy KPIs, financed emissions, impacts and dependencies on nature, principal adverse impacts (PAI) – the calculation of all these KPIs requires information from counterparties such as investees or borrowers. With the introduction of the EU’s Corporate Sustainability Reporting Directive (CSRD), sustainability disclosures are increasingly subject to assurance, leading to a heightened focus on data quality as auditors require documentation of quality control measures conducted to verify the reliability and accuracy of the data used for KPI calculations.
The ESG data value chain – what can possibly go wrong?!
Typically, ESG data is sourced from counterparties’ disclosures, collected and processed either by an ESG data provider or an in-house data team, integrated into the financial institution’s data warehouse and aggregated into KPIs. In case a certain datapoint is not disclosed by all counterparties, it may also be necessary to use alternative sources of information, such as sector or location-based data, to fill the gaps with estimates. This is frequently the case with scope 3 GHG emissions. Moreover, for some ESG KPIs judgement needs to be applied to determine if a counterparty fulfills a certain requirement. One such example is PAI indicator 10 (Violations of UNGC Principles and OECD Guidelines for Multinational Enterprises). Deciding whether a company violates the UNGC principles or OECD Guidelines often requires scanning multiple sources and setting thresholds for what constitutes a violation.
Whether a datapoint can be sourced directly from the counterparty, is estimated, or must be derived from various sources of information by applying judgement, quality issues may arise throughout the data value chain.
What an auditor will look for
Whether the data is collected in-house or purchased from a third party, the auditor will demand evidence that data validations have been conducted. Even where a reputable data vendor is used, the ultimate responsibility for the accuracy of the data used in the calculation of reported KPIs remains with the reporting entity.
As a minimum, two types of controls should be in place to ensure the quality of input data: sample checks and bulk validations.
Particularly for bulk validations, software solutions such as Q-THOR can help automate processes and save resources.
Moreover, whenever data needs to be manipulated or aggregated for the purpose of KPI calculation, the four-eyes principle should be applied. Both the implementation of calculations and the outcomes should be reviewed and checked for plausibility by another person.
Auditors focus on the robustness of data validation processes, whether data is collected internally or sourced externally. Even when working with reputable vendors, reporting entities remain ultimately responsible for the accuracy of their KPIs. Implementing both sample checks and bulk validations, along with the four-eyes principle for calculations, is essential to ensure data integrity and demonstrate control effectiveness during an audit.
4 steps to audit-readiness
Where an organization relies on ESG data in its reports, it can follow the steps below to facilitate a smooth audit process and avoid unpleasant surprises at the last hour.
1. Select data vendors with care
Buying ESG data from a vendor is often easier than gathering it in-house. When choosing a provider, data quality should be a decisive factor along with price, portfolio coverage, and the availability of required data points.
2. Design a robust data collection process with built-in quality control measures
When collecting data in-house, use a clear, documented process with quality controls. Include defined rules for handling disclosures, peer reviews, and rule-based checks during collection.
3. Implement and document data validations and control measures
Regardless of whether data is purchased externally or gathered internally, independent validation is required. Alongside the previously mentioned validations, technical checks may be necessary to confirm that data piping functions as intended. These controls should be both implemented and documented.
4. Consider external verification
If the calculated KPIs are used in the reporting of another entity, it may be useful to obtain external assurance of the control mechanisms applied (see next section). For example, when an investment management company provides EU Taxonomy ratios to its customers, those customers might use these figures in their own reports and therefore require documentation of the controls implemented to maintain the accuracy and validity of the KPIs.
How data vendors can support audit-readiness of their clients - and thereby become a more attractive business partner
When ESG data vendors offer comprehensive documentation of the quality control measures they have implemented internally, these controls do not need to be duplicated by users. This can significantly reduce the workload and complexity for ESG data consumers, making the choice of a well-documented and quality-focused vendor a decisive factor in vendor selection.
Further credibility and assurance can be achieved through recognized third-party audits such as ISAE 3402 or SOC 1, which validate the adequacy and operational effectiveness of a vendor’s internal control environment. Vendors that have successfully undergone such audits can provide the resulting report to clients as tangible proof of their commitment to quality assurance. ESG data users, in turn, can present the vendor’s audit report to their own auditors as verified evidence of established controls, potentially streamlining and facilitating their own audit process.
In the asset & wealth management space, where large volumes of ESG-related data are purchased, we see confidence in a data provider’s processes and controls to ensure data quality becoming an increasingly critical success factor. An ISAE 3402 controls report offers clear value here: it demonstrates the effectiveness of controls, provides transparency, and significantly reduces the audit burden for data users. For data providers, this can translate into a decisive competitive advantage.
Where to from here?
Although external assurance is still voluntary in some EU jurisdictions due to the delayed transposition of the CSRD, the year 2025 is the first year of CSRD implementation, signaling a shift toward greater trustworthiness of company-reported ESG data as more companies begin publishing reports that have undergone verification. The availability of data from counterparties is also steadily increasing, as a growing number of companies opt to disclose their information and additional countries worldwide introduce reporting obligations. While assurance in the ESG space remains relatively new, requirements for data quality and verification are likely to become increasingly stringent over time.
ESG data is coming under heightened scrutiny not only from auditors but also from regulators. For instance, the European Union has introduced a regulation for ESG rating providers, which, although focused on the transparency of rating methodologies rather than data provision, establishes among other things new requirements for quality control.
Despite these advancements, there is still a considerable journey ahead before ESG data can be considered aligned with financial data in terms of availability and quality.
