Key Insights: Governance metrics require different audit approaches than environmental or social data because they measure oversight infrastructure rather than operational outputs. Most organizations report under multiple frameworks (GRI, SASB, ISSB, CSRD) with conflicting requirements, yet lack systematic controls across metric definition, data collection, validation, approval, documentation, and reporting stages. The challenge is building audit-ready infrastructure that traces governance metrics from board minutes to external disclosure while managing concurrent engagements at scale.

Clients claim board diversity and oversight commitments, but when audit teams request board meeting minutes, committee charters, and independence determinations, they often receive PowerPoint slides instead of verifiable documentation. This gap between governance claims and auditable evidence matters more than ever as ESG assurance becomes standard practice: 73% of large G20 companies now obtain sustainability assurance, with 70% selecting their financial auditor for this work.

Unlike environmental data such as emissions and energy use, or social metrics such as workforce diversity and safety incidents, governance metrics measure oversight infrastructure: the board structures, management processes, and control systems that make other ESG commitments credible and auditable. This infrastructure determines whether environmental and social claims have the governance foundation to withstand audit scrutiny.

This article examines which governance metrics matter across major frameworks, how to build control frameworks that support reliable data, and the specific audit procedures practitioners need for testing.

Which Governance Metrics Matter?

No single framework covers all governance metrics, and most organizations report under multiple standards simultaneously. Each framework takes a different approach to governance oversight.

SASB Industry-Specific Requirements

SASB standards embed governance within material topics across 77 industries rather than prescribing universal governance disclosures. A software company's material governance risks center on data privacy oversight and cybersecurity board expertise, while an extractive industry client faces governance requirements around community relations and environmental compliance oversight.

Practitioners must identify which governance topics SASB considers financially material for each client's specific industry classification.

GRI Comprehensive Disclosures

GRI 2: General Disclosures takes a prescriptive approach, requiring 13 mandatory governance disclosures that apply regardless of industry. These span board composition, nomination processes, chair independence, sustainability oversight, delegation structures, conflicts of interest, and remuneration policies (disclosures 2-9 through 2-21).

For audit teams, GRI's specificity creates clear testing targets: each disclosure maps to concrete documentary evidence such as board member CVs for composition claims, independence declarations for chair status, committee minutes for oversight activities, and payroll data for remuneration disclosures.

ISSB Process Emphasis

Where GRI prescribes specific disclosures and SASB varies by industry, IFRS S1 takes a process-oriented approach. It requires entities to disclose "the governance processes, controls and procedures the entity uses to monitor, manage and oversee sustainability-related risks and opportunities."

This shifts the audit focus from verifying static data points to evaluating whether governance processes actually function: how information flows to oversight bodies, how frequently boards review sustainability matters, whether directors have relevant expertise, and how ESG considerations integrate into strategic decisions.

Auditors assess whether governance processes align with ten specific indicators: board ESG committee composition and authority, board diversity metrics, ESG-linked compensation structures, cross-functional steering committees, ESG risk integration into enterprise risk management, internal controls over ESG data, ethics policies implementation, sustainability reporting transparency mechanisms, ESG regulatory compliance frameworks, and stakeholder engagement processes.

CSRD Double Materiality Requirements

The EU's Corporate Sustainability Reporting Directive (CSRD) adds a layer of complexity absent from other frameworks: double materiality. Organizations must assess both impact materiality (how they affect people and the environment) and financial materiality (how sustainability matters affect enterprise value). This creates governance audit requirements that go beyond verifying what the board oversees to examining how the board determined what matters in the first place.

ESRS 2 operationalizes these requirements through specific governance disclosures: administrative, management and supervisory body roles in sustainability oversight (GOV-1), information flows to these bodies (GOV-2), incentive scheme integration (GOV-3), and the materiality assessment process itself (IRO-1). For practitioners, CSRD engagements require testing not just governance structures but the documented methodology, stakeholder engagement, and rationale behind materiality determinations.

Comparing framework requirements

Most organizations subject to ESG assurance requirements report under multiple standards simultaneously, which means practitioners benefit from understanding where governance requirements overlap and where they diverge.

| Framework | Governance Emphasis | Best-Fit Use Cases |
| --- | --- | --- |
| GRI | Board composition and independence, remuneration policies, stakeholder engagement processes, conflict of interest management, performance evaluation procedures | Multi-stakeholder reporting, comprehensive transparency |
| SASB | Financial materiality of governance topics, outcome-based governance metrics (risk exposure, product design features), industry-specific governance risks | Investor-focused reporting, financial materiality |
| TCFD | Climate risk oversight, board climate expertise, governance integration of climate risks into decision-making, management roles in climate risk assessment | Climate risk governance, TCFD-aligned disclosure |
| ISSB | Processes and controls over all sustainability-related risks and opportunities, management responsibilities, information flow to oversight bodies, skills and competencies assessment | Global baseline, financial integration |
| CSRD | Double materiality assessment governance, mandatory independent assurance, administrative/management/supervisory body (AMSB) oversight, stakeholder engagement formalization | EU operations, regulatory compliance |

How to Identify the Right Governance Metrics for Your Organization

Organizations typically can't implement every governance metric across all frameworks. The practical starting point is mapping stakeholder priorities to framework requirements.

Investors prioritize board oversight of climate risks and executive compensation linkage to sustainability metrics. They want evidence that material ESG risks receive board-level attention. Regulators focus on compliance with mandatory disclosure requirements and jurisdiction-specific governance standards. Employees emphasize board diversity, ethics governance, and human capital management oversight.

The selection framework works through three steps:

  • Identify mandatory requirements: CSRD for EU operations, securities regulator requirements for public companies, and industry-specific regulations.
  • Map stakeholders to frameworks: investors to ISSB, regulators to jurisdiction requirements, broader stakeholders to GRI.
  • Prioritize voluntary frameworks: ISSB for investor focus, GRI for stakeholder transparency, TCFD for climate governance.

Once organizations identify their priority governance metrics, the next challenge is ensuring the data supporting those metrics can withstand audit scrutiny. This requires implementing systematic controls across the entire data lifecycle.

Six Control Stages Every Governance Metrics Framework Needs

Reliable governance metrics require controls at each data lifecycle stage, from initial metric definition through final reporting. Organizations that control only one or two stages often struggle during assurance engagements when auditors can't trace metrics back to source documents or find multiple versions of the same data.

  1. Metric definition controls: Document precise scope, measurement methodologies, inclusion/exclusion criteria, and calculation formulas. Control activities include formal definition documents with version control and board-level approval of material metrics.
  2. Data collection controls: Secure systems with appropriate access controls house governance data. Control activities include segregation of duties between data entry and validation, automated data validation rules preventing invalid entries, and audit trails capturing who entered data and when.
  3. Validation controls: Multi-level review processes check data against source documents. Control activities include first-line review by data preparers reconciling to source documents, second-line compliance review, and exception reporting for items requiring investigation.
  4. Approval workflow controls: Defined approval hierarchies require sign-off at appropriate levels based on disclosure significance. Control activities include documented approval matrices, electronic approval systems capturing dates and approvers, and escalation procedures.
  5. Documentation controls: Retained source documents, calculation worksheets, and change logs maintain audit trails. Control activities include centralized repositories with access controls and retention policies ensuring availability during audit periods.
  6. Reporting controls: Template controls maintain consistent presentation, data extraction controls pull only approved data, and formula controls prevent calculation errors. Control activities include legal review of disclosure language and final executive review before publication.

Organizations that implement controls across all six stages create the audit-ready infrastructure that governance metrics assurance requires.

How Internal Auditors Can Test Governance Metrics in Practice

Testing governance metrics requires treating them as evidence of how oversight functions in practice, not just checking reported numbers. The IIA guidance recommends specific testing procedures for ESG governance audits.

Design Review

Design review validates that governance structures exist as claimed. Auditors examine executive committee meeting minutes, board policy manuals, and committee charters to assess whether the governance policy framework aligns with applicable standards. Board agendas provide evidence of whether ESG topics receive adequate oversight attention.

Data Integrity Testing

Data integrity testing traces reported metrics back to their source. When a company discloses board diversity percentages, auditors verify calculations against director biographical information, test completeness against board policy requirements, and validate mathematical accuracy. Governance disclosures in ESG reports should reconcile to board meeting minutes and resolutions.
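The recomputation and completeness checks described above, as an added example that is not from the article: a Python script reconciles constructed board size, independence and diversity figures against a constructed director roster, flagging differences beyond a rounding tolerance and any director classified as independent without a determination on file. Director names, reference ids and disclosed figures are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Director:
    name: str
    gender: str
    independent: bool               # classification used in the disclosure
    determination_ref: Optional[str]  # id of the signed independence determination on file

# Constructed roster standing in for director biographies and independence
# determinations pulled from board records (not real data).
ROSTER = [
    Director("D1", "F", True, "IND-01"),
    Director("D2", "M", True, "IND-02"),
    Director("D3", "F", True, "IND-03"),
    Director("D4", "M", True, None),    # classified independent, no determination on file
    Director("D5", "F", True, "IND-05"),
    Director("D6", "M", False, None),   # executive director
    Director("D7", "F", False, None),   # executive director
    Director("D8", "M", False, None),   # executive director
]

# Constructed figures as they might appear in the ESG report under test.
DISCLOSED = {"board_size": 8, "independent_pct": 75.0, "women_pct": 50.0}

def recompute(roster):
    """Recalculate the disclosed metrics directly from the source records."""
    n = len(roster)
    return {
        "board_size": n,
        "independent_pct": round(100 * sum(d.independent for d in roster) / n, 1),
        "women_pct": round(100 * sum(d.gender == "F" for d in roster) / n, 1),
    }

def reconcile(disclosed, roster, tolerance=0.5):
    """Return audit exceptions: accuracy differences beyond the rounding
    tolerance, plus completeness gaps where an independence classification
    has no supporting determination on file."""
    exceptions = []
    actual = recompute(roster)
    for metric, claimed in disclosed.items():
        if abs(claimed - actual[metric]) > tolerance:
            exceptions.append(f"{metric}: disclosed {claimed}, recomputed {actual[metric]}")
    for d in roster:
        if d.independent and d.determination_ref is None:
            exceptions.append(f"{d.name}: classified independent with no determination on file")
    return exceptions

if __name__ == "__main__":
    for e in reconcile(DISCLOSED, ROSTER):
        print("EXCEPTION:", e)
```

Each exception is a workpaper item: the first is an accuracy finding to raise with the preparer, the second a completeness gap to close before the independence figure can be relied on.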

Control Effectiveness Testing

Control effectiveness testing determines whether review and approval controls actually function as designed. This includes testing legal review over governance disclosures, verifying management review controls, and examining segregation of duties. Professional standards don't explicitly require control testing over governance metrics like board diversity percentages or independence determinations, so auditors typically evaluate these areas based on risk assessment and engagement scope.

Governance Process Walkthroughs

Process walkthroughs document end-to-end information flow from board minutes through governance committees to external disclosure. Practitioners identify key control points, validate data lineage, and create process narratives showing complete data movement.

Risk-based sampling guides testing intensity: material governance determinations and first-year ESG disclosures warrant more extensive procedures, while static unchanged information may permit analytical procedures and inquiry. Key evidence types span board meeting minutes, committee charters, independence determinations, director biographical information, board skills matrices, attendance records, and conflict of interest disclosures.

How Engagement Automation Helps Scale Governance Metrics Testing

Multiple concurrent ESG assurance engagements strain audit capacity. Firms manage dozens of governance metrics assessments simultaneously, each requiring board minutes analysis, committee charter reviews, and independence determinations with limited specialized staff.

Modern engagement automation platforms address these scaling challenges through systematic workflow capabilities:

  • Centralized document repositories: Organized evidence libraries with version control replace scattered folders, reducing time spent searching for documents and ensuring teams work from current, approved evidence.
  • Workflow automation: Standardized review and approval processes apply consistent procedures regardless of client size or industry. Automated routing ensures appropriate reviewers examine each governance metric disclosure, while digital approval trails provide the documentation auditors need.
  • Evidence linking: Source documents connect directly to specific test procedures and audit conclusions, maintaining complete audit trails from original governance documents through testing to final conclusions.
  • AI-assisted document analysis: Within practitioner-directed workflows, AI helps auditors surface potentially relevant passages from board minutes and flag apparent inconsistencies between documents for human review. Senior staff maintain responsibility for governance assessment, while AI assistance reduces time spent on initial document processing.

These capabilities allow firms to take on more ESG governance engagements without proportional increases in specialized headcount.

Scale Your ESG Governance Assurance Practice

ESG governance assurance demand is growing faster than firms can build specialized capacity. The control frameworks and testing procedures outlined in this article require substantial partner and manager expertise for framework mapping, materiality determinations, and governance process evaluation that cannot be delegated to junior staff or automated away.

Engagement automation platforms create this capacity by streamlining routine audit execution. With Fieldguide, evidence collection, control testing, and workpaper management happen efficiently, so managers and partners reclaim time for strategic work: advising clients on governance structure design, positioning for multi-framework ESG engagements, and building the advisory relationships that transform one-time attestations into ongoing governance consulting.

To see how Fieldguide frees capacity for high-value ESG governance advisory work, schedule a demo.

Amanda Waldmann

Increasing trust with AI for audit and advisory firms.