
Building Internal Controls for CSRD: Lessons from a Wave 1 Company

An expert interview with Seraphina Kim, Global Risk and Internal Audit for ESG at Randstad Global, on what it takes to make sustainability data auditable.

Seraphina Kim is an ESG expert within the global risk and internal audit function at Randstad (the world's leading HR/talent services provider). As a Dutch-listed, Wave 1 CSRD company operating in 39 markets with €23 billion in revenue, Randstad was among the first EU entities required to comply, and has recently published its sustainability statement for the second time (see the FY2025 report).

Seraphina has led sustainability assurance projects across that disclosure journey, working at the intersection of finance, sustainability, legal, HR and material topic owners.

We spoke with her about where to start, which metrics are hardest to control, how internal and external audits can work together, and more. This Q&A aims to help issuers think about internal controls on their own sustainability reporting journey, so that sustainability data gets over the line.

“An important starting point is having clear accountability structures to manage and steer sustainability KPIs for informed decision making.”

Q  Can you introduce yourself and your work on sustainability reporting and internal controls?

As an ESG expert within Randstad Global’s risk and audit function, I lead sustainability related assurance, internal controls and risk management projects. My role bridges finance, legal, HR, and material topic owners to assess controls in place to support sustainability data, performance and reporting. Recently, my work has focused on CSRD readiness, as well as our Dutch Corporate Governance Code "in-control statement," and integrating ESG into our enterprise risk management framework. I also led our first TCFD-aligned climate risk assessment, proactively strengthening our organizational resilience (and preparing for emerging global standards like IFRS S1 and S2).

Q  Where do you see the value of assurance and having control systems in place to reach reliable reporting?

Internal and external audits do much more than just verify compliance—they actively drive sustainability performance. By assessing control systems and executing substantive procedures, our work forces the organization to treat ESG data with the exact same rigor as financial accounting. It also shifts sustainability from a "marketing" exercise to the core of business strategy—it's how a company truly walks the talk.

Q  Do you have an example of this collaboration?

Just last week, I met with our external assurer who mentioned that they are going to schedule interviews to understand the roles and responsibilities of Sustainability strategy setting and governance (a requirement under *CSRD). Shortly after the request from the external auditor to Sustainability for a meeting, I was approached by the Sustainability team to reconnect on our recommendations for good practice controls. As an internal audit function, we have been meeting with the Sustainability Steerco and management regularly to provide our observations and recommendations on control improvements around sustainability governance and performance management.

Therefore, I see the value of the internal audit function, already playing a role in strengthening the company’s sustainability governance framework. By proactively identifying risks and control gaps through our independent observations, we are helping the sustainability team to be alert and see the value of risk management and implementing controls systems (before the external auditor comes). An important one is having clear accountability structures to manage and steer performance of sustainability KPIs for informed decision making.

*Under the ESRS 2 (General Disclosures) framework of the CSRD, the Governance pillar is broken down into five specific disclosure requirements (GOV-1 to GOV-5). The regulations demand a granular, auditable breakdown of exactly who is responsible for sustainability and how those processes are managed.

Q  A lot of companies are farther behind on this journey than you are. What steps should they be taking around internal controls?

After defining clear data ownership roles and setting the tone at the top for ESG accountability, take steps to understand your end-to-end data flow.

This matters because, unlike structured financial data that lives in centralised systems, sustainability data can be notoriously fragmented. It’s scattered across spreadsheets, third-party supplier platforms, and very often stored in manual folders.

So map your data lineage: trace each KPI or metric from its raw source all the way through to the final reported figure, including any manual aggregations or conversions along the way. Pinpoint exactly where data is being manipulated, isolate the handoff points between teams, and identify what could go wrong in terms of key audit assertions such as completeness and accuracy. Getting that understanding in place first helps mitigate the potential risk of misstatements.

“Understand your end-to-end data flow. This matters because, unlike structured financial data that lives in centralised systems, sustainability data can be notoriously fragmented.”

Q  You were a Wave 1 company and have now published two Sustainability Statements. What did you learn the first year, and what changed the second time around?

Being Wave 1 meant Randstad was in the very first year of large EU-listed entities legally required to comply with CSRD. The transition from voluntary ESG metrics to more financially rigorous, auditable data was not a journey without challenges. Internal audit, financial reporting, sustainability, material topic owners and data providers all had to step up and work closely together to support the reliability of the reporting.

As a global company operating in 39 markets, there’s an extra layer: a lot of coordination with the local operating companies to gather the data and meet the data points CSRD requires. So it’s not just navigating different systems and processes, but different time zones too!

Consistency in the data can be compromised when local operating companies are not aligned about what data needs to be reported. So there were lessons learnt about establishing stronger controls over local procedures, making sure they are in place and understood, that they meet Global requirements, and that they use consistent definitions of data points.

In the second year the focus shifted to comparability. Now that the data points are set up, we need to consistently provide data that’s comparable to last year and be able to justify any analytical trends. With ESG data, trends can be genuinely hard to explain.

Our external auditors, one of the Big Four, will also be stricter this year. They’ll look beyond numbers, and also look at how we establish performance management of the KPIs, how meaningful those KPIs are, and how we’re narrating them in the annual report so they’re truly reliable. They don’t just want the numbers on paper — they want to see the controls behind them: the performance management, the monitoring, the steering.

“They don’t just want the numbers on paper — they want to see the controls behind them.”

Q  Which teams need to be involved in establishing the right internal workflows?

At Randstad we have a sustainability steerco at the global level composed of executive board members — our CHRO, COO and CFO. Each of them also holds accountability for certain material topics: health and safety sits under the COO, for example, and equity, diversity and inclusion (ED&I) under the CHRO. The steerco also includes representatives from sustainability, finance, legal and various global topic owners.

The accountable topic owners delegate the execution and operationalization to the local operating companies (“markets”). For example, each of our 39 countries manages health and safety in its local market (supported by a Global forum) — making sure injuries are reported correctly, and that targets like 50:50 women in leadership positions are tracked — and all of that local data has to be aggregated up to the global level. So the teams involved range from HR through to many other functions (including business managers) responsible for the relevant sustainability topic.

Q  What types of controls are important for CSRD data collection and validation?

I established an audit work programme that categorises our internal controls into four areas: governance (e.g. clarity in roles and responsibilities and policies and procedures), data management (e.g. segregation of duties, formula controls), systems and technology (e.g. access controls), and review and reporting (e.g. the four-eyes principle).

Data collection falls under data management, and we have a number of key controls there. The four-category structure helped us to remain focused on the key controls — it helps us assess, for any given metric, whether appropriate controls exist across governance, the data itself, the systems it flows through, and the review and reporting at the end.

Establish and structure internal controls to gain coverage across key areas: governance, data management, systems & technology, and review & reporting.

Q  Which data points or metrics have been hardest to build a system around?

Training hours is an example that is challenging. We have a KPI for how many training hours we provide to our talent, but we don’t have one system that captures all of it. There might be five different teams within a business unit, each with different managers delivering different training, and they’re often trained on site by the client too (where our talent is placed). If someone is placed at a hospital, the hospital may train them as well.

When I audited training hours, the challenges came down to incompleteness and, underneath that, data ownership — people didn’t know who owned the data. In practice it was often one coordinator running around manually asking what training was in place. Some local markets use an online platform, so that training is captured in one system. But face-to-face sessions end up in manual spreadsheets, or sometimes aren’t captured at all.

One market was even using financial data — training invoices — to estimate training hours, working backwards from what providers billed them. From an audit perspective it’s very difficult to rely on estimates that aren’t documented. So the control there, if you can’t yet achieve completeness, is at minimum to document the rationale for how you’re estimating, because that’s exactly what auditors look for.

Q  How do you educate teams about what you need for an internal audit?

A big part of the job is helping people understand what a control actually is, as opposed to a process. In an audit, people often say, “Yes, we have a procedure” — and they’ve documented everything they do in great detail. That’s useful, but it’s not the same as a control. Take a health and safety example:

Process: Health and safety specialist exports the list of injuries and uploads into the global ESG reporting system.

Internal control: On a quarterly basis, the Health and safety manager reviews the list of injuries for the local market to ensure completeness and accuracy. Formal sign off is evidenced which confirms the approval for the Health and safety specialist to upload the file into the Global ESG reporting system.

So the procedure is not always a control. For example: the health and safety specialist exports the list of injuries and uploads it into the global ESG reporting system. That describes what they do and which system they use — fine, but what is this step explicitly trying to achieve in terms of the risk?

A control is: an action designed to reduce the likelihood/impact of a risk event — in our case, a material misstatement of the KPI. Notice the who, what and when — and the evidence.

That distinction was eye-opening for colleagues who don’t come from an audit background. They initially thought that because they’ve detailed every step, they’re done.

“A procedural step is not always a control. A control is an action designed to reduce the likelihood/impact of a risk event.”

Q  Could you give a second example, from a different data point?

Sure, let’s do training.

The procedure / process is: a training manager delivers training and records the attendee list in an Excel spreadsheet — name, employee ID and hours — then sends it to the non-financial reporting coordinator and the finance team, and finance manually enters the figures into the ESG reporting system.

The control is different: On a quarterly basis, the non-financial reporting coordinator reviews the training hours provided by the training team and confirms with the training manager that the hours are complete, that all hours have been included, and that they fall in the correct period. The coordinator also checks, each quarter, that the definition of training for talent is in line with the local definition of talent. It’s about completeness, accuracy and cut-off — the right timing of the data reported.

Another control using an access-based example: The training records in the system are only editable by the training manager. The non-financial reporting coordinator has restricted access (view only) and cannot change the hours the training manager has recorded.

The first example describes which system the data came from and who is involved, but it didn’t specify the frequency of review, the evidence, or how roles and responsibilities are segregated. That’s what turns a process into a control.
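The control described above (quarterly review for completeness, accuracy and cut-off, segregation between the training manager who records and the coordinator who reviews, and evidence of the sign-off) can be partly automated. The block below is an added illustration, not code from Randstad or from the interviewee: it takes constructed sample data (a staff roster and a training-hours export, both invented here), rejects records that fail each assertion, lists active employees with no accepted hours so the reviewer can confirm them with the training manager, refuses to run if the preparer and reviewer are the same person, and ties the sign-off to a hash of exactly the file that was reviewed. The column names, the period convention and the `review_training_hours` function are assumptions for the example.

```python
"""Automated checks behind a quarterly training-hours review control.

Added example; the CSV layouts, field names and reviewer/preparer identities
are constructed for illustration and do not come from any real system.
"""
from __future__ import annotations

import csv
import hashlib
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed sample inputs (not real data). E999 is not on the roster,
# line 4 duplicates line 3, line 5 falls in Q3, and E003's hours are garbage.
ROSTER_CSV = """employee_id,name,status
E001,Ada,active
E002,Ben,active
E003,Cal,active
E004,Dee,left
"""
TRAINING_CSV = """employee_id,course,training_date,hours
E001,Safety induction,2025-04-03,2
E002,Safety induction,2025-04-03,2
E002,Safety induction,2025-04-03,2
E001,Forklift,2025-07-01,4
E999,First aid,2025-05-10,3
E003,First aid,2025-05-10,abc
"""


@dataclass
class ControlResult:
    period: str
    reviewer: str
    findings: list[str] = field(default_factory=list)  # one line per failed assertion
    accepted_hours: float = 0.0  # hours that passed every check
    evidence_hash: str = ""  # sha256 over the reviewed file + period + who reviewed it

    def passed(self) -> bool:
        return not self.findings


def quarter_bounds(year: int, quarter: int) -> tuple[date, date]:
    """Inclusive start and exclusive end of a calendar quarter (cut-off window)."""
    first_month = 3 * (quarter - 1) + 1
    start = date(year, first_month, 1)
    end = date(year + 1, 1, 1) if quarter == 4 else date(year, first_month + 3, 1)
    return start, end


def review_training_hours(training_csv: str, roster_csv: str, year: int, quarter: int,
                          preparer: str, reviewer: str) -> ControlResult:
    # Segregation of duties: the person who recorded the hours may not sign them off.
    if preparer == reviewer:
        raise ValueError("segregation of duties: reviewer must differ from preparer")
    start, end = quarter_bounds(year, quarter)
    result = ControlResult(period=f"{year}Q{quarter}", reviewer=reviewer)

    active = {r["employee_id"] for r in csv.DictReader(io.StringIO(roster_csv))
              if r["status"] == "active"}
    hours_by_employee = {emp: 0.0 for emp in active}
    seen: set[tuple[str, str, str]] = set()

    # Line numbers start at 2 because line 1 is the header; they make findings traceable.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(training_csv)), start=2):
        emp = row["employee_id"]
        key = (emp, row["course"], row["training_date"])
        if key in seen:  # accuracy: the same session must not be counted twice
            result.findings.append(f"line {lineno}: duplicate record {key} (accuracy)")
            continue
        seen.add(key)
        if emp not in active:  # accuracy: hours must belong to a known active employee
            result.findings.append(f"line {lineno}: employee {emp} not on active roster (accuracy)")
            continue
        try:
            hours = float(row["hours"])
            when = date.fromisoformat(row["training_date"])
        except ValueError:
            result.findings.append(f"line {lineno}: unparseable hours or date (accuracy)")
            continue
        if hours <= 0:
            result.findings.append(f"line {lineno}: non-positive hours {hours} (accuracy)")
            continue
        if not (start <= when < end):  # cut-off: only this period's sessions count
            result.findings.append(f"line {lineno}: {when} outside {result.period} (cut-off)")
            continue
        hours_by_employee[emp] += hours

    # Completeness: an active employee with no accepted hours is a query for the
    # training manager, not necessarily an error, but it must be confirmed.
    for emp, total in sorted(hours_by_employee.items()):
        if total == 0:
            result.findings.append(
                f"employee {emp}: no accepted training hours in {result.period}; "
                f"confirm with training manager (completeness)")

    result.accepted_hours = sum(hours_by_employee.values())
    # Evidence: the sign-off is bound to this exact file, period and pair of roles,
    # so a later edit to the spreadsheet cannot hide behind an earlier approval.
    digest = hashlib.sha256(training_csv.encode("utf-8"))
    digest.update(f"|{result.period}|prepared:{preparer}|reviewed:{reviewer}".encode("utf-8"))
    result.evidence_hash = digest.hexdigest()
    return result


if __name__ == "__main__":
    r = review_training_hours(TRAINING_CSV, ROSTER_CSV, 2025, 2,
                              preparer="training.manager", reviewer="nfr.coordinator")
    print(f"{r.period}: accepted {r.accepted_hours} hours, evidence {r.evidence_hash[:16]}...")
    for f in r.findings:
        print(" -", f)
```

On the constructed input the run accepts 4 hours (Ada's and Ben's inductions) and raises five findings: the duplicate, the Q3 forklift session, the unknown employee, Cal's unparseable hours and, as a consequence, Cal's missing total. The findings list is what the coordinator would walk through with the training manager; the hash is what gets recorded next to the sign-off. The script does not replace the review, it produces the evidence the review is based on.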

“A valuable exercise is to walk through the whole data flow and identify where things could go wrong and what you’re doing to mitigate that risk — that’s where controls should be implemented.”

Q  What is the relationship like between the internal and external audit functions?

As the internal auditor leading the ESG audits, I align regularly with our external auditors. We agreed on our work programme early in the year, in advance. Internal audit looked at the Q2 data for our deep dives into the internal controls, and in Q3 we performed analytical procedures. External auditors do a large amount of their work in Q3 and Q4, so we discussed our Q2 work with them, and towards year-end we met more frequently to talk through the internal control gaps we’d identified.

Based on that, the external auditor needed to understand the nature of those observations, the root causes, and how they’d been rectified. The key difference is that internal audit focused on the control systems throughout the year — which controls were in place and whether they were implemented — whereas external audit performed their procedures to sign off on limited assurance at year-end. It’s very much a teamwork exercise, and the work we do supports the external auditors.

Q  What has been the most challenging aspect of building internal controls around CSRD?

I should be precise here: as the third line of defense, I don’t build the internal controls myself — I assess internal controls via internal audits. I also play a second line role at times (with safeguards), facilitating risk and control assessments. Building the controls really sits with the first line, at the level of, say, the HR manager who owns the ED&I data.

But from the many conversations I’ve had with them, the answer is consistent: it often comes back to data ownership. People aren’t always sure where the data is sitting or who owns it — again, especially for something like training data, where so many people are involved. Other types of data are easier because the information will sit in one centralised system. Time and again, when I interview the first line, the challenge I hear is data ownership.

Q  Any final advice for a company considering this work?

Start with gaining an understanding of the governance and the end-to-end view before you reach for controls — you can’t control a data flow you don’t fully understand. Invest early in clear data ownership, because that’s the issue that surfaces most often and slows everything else down.

And bring your non-financial teams along on the language of control. Documenting what you do is a great start, but the value comes from asking, at every handoff, what could go wrong and what mitigates it. Done well, that’s not just an audit exercise — it’s what makes your sustainability data more reliable, enabling informed decision making to better achieve your sustainability objectives.

Invest early in clear data ownership.
Bring your non-financial teams along on the language of control.
This is not only helpful for auditors; it is what makes your sustainability data reliable enough to steer towards your sustainability objectives.
