Adopt finance-grade segregation of duties to reduce error and fraud risk. Core roles:
- Data Providers: facility ops, procurement, logistics submit activity data and evidence.
- Calculators: sustainability analysts configure factors, methods, and run posting jobs.
- Reviewers/Approvers: controllers or ESG leads perform QA/QC, variance reviews, and sign-off.
- Administrators: manage master data, reference data (GWPs, emission factors), and access.
- Auditors: read-only access with lineage to sources and calculations.
Enforce maker-checker (four-eyes) on postings and on emission-factor updates: the user who configures factors or runs a posting job must never be the one who approves the result, and the system should enforce that check at approval time rather than relying only on how roles happen to be assigned. Grant access by legal entity and site rather than through global roles, and keep a tamper-evident, append-only change log covering calculation methods, factor updates and role assignments. COSO-aligned controls standardize risk assessment and control activities; map roles to disclosure responsibilities under ISSB and ESRS to ensure completeness and accuracy, and align with ISO 14064-1 requirements for competence, documentation, and verification readiness. Train users regularly and test control effectiveness as part of internal audit.
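The controls above as an added, self-contained Python example (not code from the page or from any product; the user names, the "entity/site" scope strings and the posting figures are constructed for the illustration). It shows scope-bound role assignment checked against a conflict matrix, a maker-checker test applied at approval time, and a hash-chained change log whose integrity can be replayed by an auditor.

```python
# Added example: SoD, scope-bound least privilege and maker-checker for an
# emissions calculation engine. Names, scopes and figures are constructed.
import hashlib
import json
from dataclasses import dataclass, field
from enum import Enum


class Role(str, Enum):
    DATA_PROVIDER = "data_provider"
    CALCULATOR = "calculator"
    REVIEWER = "reviewer"
    ADMIN = "admin"
    AUDITOR = "auditor"


# Role pairs one person may not hold for the same legal entity/site: Calculators and
# Administrators both set emission factors, Reviewers approve postings (assumed pairing).
SOD_CONFLICTS = {frozenset({Role.CALCULATOR, Role.REVIEWER}),
                 frozenset({Role.ADMIN, Role.REVIEWER})}


class PolicyViolation(Exception):
    """Raised when an action would break SoD, scope or maker-checker rules."""


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class ControlPlane:
    # user -> scope -> roles; the first Administrator is seeded at construction
    assignments: dict = field(default_factory=dict)
    postings: dict = field(default_factory=dict)    # id -> {scope, payload, maker, approver}
    changelog: list = field(default_factory=list)   # append-only, hash-chained
    next_id: int = 1

    def roles(self, user: str, scope: str) -> set:
        return self.assignments.get(user, {}).get(scope, set())

    def _require(self, user: str, role: Role, scope: str) -> None:
        if role not in self.roles(user, scope):       # no global roles
            raise PolicyViolation(f"{user} lacks {role.value} for {scope}")

    def assign_role(self, actor: str, user: str, role: Role, scope: str) -> None:
        self._require(actor, Role.ADMIN, scope)
        held = self.assignments.setdefault(user, {}).setdefault(scope, set())
        for other in held:
            if frozenset({other, role}) in SOD_CONFLICTS:
                raise PolicyViolation(f"SoD: {user} cannot hold {role.value} and {other.value} for {scope}")
        held.add(role)
        self._log(actor, "assign_role", {"user": user, "role": role.value, "scope": scope})

    def revoke_role(self, actor: str, user: str, role: Role, scope: str) -> None:
        self._require(actor, Role.ADMIN, scope)
        self.roles(user, scope).discard(role)
        self._log(actor, "revoke_role", {"user": user, "role": role.value, "scope": scope})

    def submit_posting(self, maker: str, scope: str, payload: dict) -> int:
        self._require(maker, Role.CALCULATOR, scope)
        pid, self.next_id = self.next_id, self.next_id + 1
        self.postings[pid] = {"scope": scope, "payload": payload, "maker": maker, "approver": None}
        self._log(maker, "submit_posting", {"posting_id": pid, "scope": scope, **payload})
        return pid

    def approve_posting(self, approver: str, posting_id: int) -> dict:
        p = self.postings[posting_id]
        self._require(approver, Role.REVIEWER, p["scope"])   # reviewer for that scope only
        if approver == p["maker"]:   # holds even if the maker's roles changed after submission
            raise PolicyViolation("maker-checker: approver must differ from maker")
        p["approver"] = approver
        self._log(approver, "approve_posting", {"posting_id": posting_id})
        return p

    def _log(self, actor: str, action: str, details: dict) -> None:
        prev = self.changelog[-1]["hash"] if self.changelog else "0" * 64
        entry = {"seq": len(self.changelog), "actor": actor, "action": action,
                 "details": details, "prev": prev}
        entry["hash"] = _digest(entry)
        self.changelog.append(entry)

    def verify_changelog(self) -> bool:
        """Recompute the hash chain; an edited or deleted entry breaks it."""
        prev = "0" * 64
        for entry in self.changelog:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def blocked(fn, *args) -> bool:
    """True if the control plane rejects the action with PolicyViolation."""
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False
```

Two design points are worth noting. The maker-checker test in `approve_posting` is not redundant with the conflict matrix: roles change over time, and a user who submitted a posting as a Calculator and was later made a Reviewer for the same site would otherwise be able to sign off their own work. The hash chain makes edits and deletions detectable, but it cannot stop someone who controls the log from appending a well-formed forged entry; in practice the chain head should be snapshotted periodically to a store the Administrators cannot write to, such as one held by the Auditors.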
Citations: COSO Internal Control—Integrated Framework; ISO 14064-1 (requirements for quantification and reporting); IFRS S2, issued by the ISSB (governance and controls for climate-related disclosures).
Key Takeaway: Separate data entry, calculation, approval, and administration; log every change and enforce maker-checker for finance-grade integrity.