Quick Read

SPK CSMS1000:2026 Clause 10.4 requires organisations to embed sustainability controls across six distinct categories—financial, operational, procurement, supply chain, ICSR, and people—recognising that sustainability risks arise throughout organisational activity, not just in dedicated sustainability functions. Most sustainability programmes fail because they lack controls in financial and procurement decisions that shape the organisation's actual sustainability footprint, rather than because they lack environmental procedures. The six-category framework forces systematic integration of sustainability considerations into budget allocation, capital expenditure, supplier selection, data governance, and people management.

Executive Summary

The controls framework clause (10.4) is the most operationally significant requirement in SPK CSMS1000:2026. It requires organisations to establish, document, and operate controls across six distinct categories: financial, operational, procurement, supply chain, ICSR, and people. Most sustainability programmes have some controls in some categories — but few have systematically thought about sustainability controls across all six.

This paper explains what each control category requires, why the category structure matters, the most common gaps in each, and what Speeki assessors test when evaluating the controls framework.

Controls are the mechanism by which the CSMS is embedded into the organisation rather than sitting alongside it. A sustainability programme without a functioning controls framework is a reporting programme with aspirations.

1. Why Six Categories?

The six-category structure reflects a deliberate recognition that sustainability risks and obligations arise across all dimensions of organisational activity — not just in operational processes managed by the sustainability team. Financial decisions determine which sustainability risks are resourced. Procurement decisions determine which suppliers create sustainability exposure. The quality of sustainability data depends on data governance controls. The culture depends on people controls.

Most sustainability programmes that fail do so not because they lack environmental controls or energy management procedures, but because sustainability is not embedded in the financial, procurement, and people decisions that actually shape the organisation's sustainability footprint. The six-category framework forces organisations to address all of these dimensions.

2. Financial Controls

Financial controls for sustainability address how sustainability considerations are embedded in the organisation's financial management processes.

2.1 Budget allocation and approval

The CSMS cannot function without dedicated resources. Financial controls must include: a sustainability budget allocation process that ensures dedicated funding for material CSMS actions and objectives; budget approval processes that involve the sustainability function in decisions with material sustainability implications; and financial authorisation controls ensuring that material sustainability expenditure and commitments are approved at appropriate authority levels.

2.2 Capital expenditure evaluation

CapEx decisions often determine the organisation's sustainability footprint for decades. A decision to install gas boilers rather than heat pumps, or diesel vehicles rather than electric ones, locks in emissions and energy costs for the life of the asset. Financial controls must include CapEx evaluation criteria that incorporate sustainability risk, lifecycle environmental cost, and ESG considerations in investment decisions.

This does not mean sustainability must always prevail over financial considerations in CapEx decisions. It means sustainability must appear in the evaluation — that the decision-maker can demonstrate that the sustainability implications of the investment were considered alongside the financial return.

2.3 Cost tracking and authorisation

Organisations must be able to demonstrate that resources are being deployed against sustainability objectives. Cost tracking for sustainability initiatives — sufficient to show resource deployment against each material objective — is a financial control requirement. The absence of cost tracking makes it impossible to evaluate whether the CSMS is adequately resourced.

3. Operational Controls

Operational controls are the process-level controls that govern sustainability performance in day-to-day operations. They address each material sustainability domain: environmental management (Clause 10.5), GHG emissions (Clause 10.6), energy (Clause 10.7), OHS (Clause 10.8), compliance (Clause 10.9), social responsibility (Clause 10.10), circular economy (Clause 10.12), and AI governance (Clause 10.11).

For each material domain, operational controls must include: documented procedures governing the relevant processes; engineering controls where applicable (process containment, emission controls, safety systems); administrative controls (permits, licences, authorisation processes); and monitoring mechanisms that detect control failures before they become incidents.

The standard explicitly states that where ISO management system standards apply to a domain — ISO 14001 for environment, ISO 45001 for OHS, ISO 50001 for energy — the controls for that domain must meet the requirements of the applicable standard. This creates a minimum control specification for each domain that is defined by the relevant ISO standard rather than left to organisational discretion.

4. Procurement Controls

Procurement controls embed sustainability requirements into the organisation's purchasing and supplier selection processes. This is one of the most significant and most commonly underdeveloped control categories.

Required procurement controls include: sustainability qualification criteria incorporated into supplier onboarding and approval processes for all material spend categories; a supplier code of conduct communicated to all material suppliers and incorporated into material contracts; sustainability-specific clauses in contracts with high-risk suppliers covering human rights, environmental standards, anti-bribery, and compliance; and procurement approval controls that require sustainability criteria to be assessed before committing material expenditure.

The common failure mode: a supplier code of conduct exists as a document but is not systematically communicated to suppliers, not incorporated into contracts, and not assessed in supplier qualification processes. The code is a statement of intent, not a control.

5. Supply Chain Controls

Supply chain controls extend beyond procurement to encompass the ongoing management of sustainability risks across the organisation's upstream and downstream value chain. While procurement controls govern the selection and contracting of suppliers, supply chain controls govern the ongoing monitoring and management of those relationships.

Required supply chain controls include: a supply chain risk assessment identifying high-risk supplier categories, geographies, and commodities; a supplier due diligence programme proportionate to identified risk, covering human rights, forced labour, environmental compliance, and anti-bribery; a supplier audit or assessment programme for material high-risk suppliers; and a documented process for addressing supplier non-compliance — including escalation, remediation timelines, and, where remediation is not achieved, exit processes.

The risk assessment is the foundation. Without a systematic assessment of which parts of the supply chain carry the highest sustainability risk, the due diligence and audit programme cannot be appropriately targeted. A due diligence programme that applies the same scrutiny to a stationery supplier and a garment manufacturer in a high-risk jurisdiction is not proportionate and is not an effective control.

6. ICSR — Internal Controls over Sustainability Reporting

ICSR is the data governance controls category — and arguably the most technically demanding. It is the sustainability equivalent of internal controls over financial reporting, and most organisations have never applied this framework to their sustainability data.

ICSR controls must address the full data lifecycle: collection (documented procedures for how each KPI is collected, with defined responsibilities); calculation (documented methodology including emission factors, conversion factors, and any assumptions, with version control); validation (independent review of data before it is used in reporting, with evidence of the review); reconciliation (connecting reported figures to source systems and records); and change control (a documented process for updating methodologies, with impact assessment and sign-off).

The ICSR requirement reflects a regulatory direction of travel. As sustainability assurance moves from limited to reasonable assurance, assurance providers will test the design and operating effectiveness of ICSR controls — not just sample reported figures. Organisations that have not built ICSR controls will find reasonable assurance engagements significantly more difficult, more expensive, and more likely to produce findings.

7. People Controls

People controls govern sustainability-relevant human behaviour across the organisation. They are the controls that determine whether the sustainability culture (Clause 7.4) has a structural foundation — because culture cannot be sustained by values statements alone; it requires systems and processes that reinforce it.

Required people controls include: induction processes that communicate sustainability values, conduct standards, and individual responsibilities from the first day of employment; performance management processes that assess and hold accountable individuals at all levels for their sustainability conduct and outcomes; training and competency controls ensuring personnel with material sustainability responsibilities have the required knowledge and skills; and speak-up controls ensuring all personnel have access to a confidential reporting channel for sustainability-related concerns.

The performance management element is critical. An organisation whose executive performance reviews do not include sustainability objectives, or whose operational managers are not held accountable for the sustainability performance of their operations, does not have effective people controls regardless of what the sustainability policy says.

8. Testing and Review

The controls framework must be tested at intervals not exceeding 12 months. Testing must assess both design adequacy (are the controls designed to address the identified risks?) and operating effectiveness (are the controls actually working?). Both are necessary. A well-designed control that is not operating is not a control.

Control failures — instances where a control did not operate as designed — and control gaps — material risks not adequately addressed by existing controls — must be addressed through the corrective action process under Clause 14.2. The results of control testing must be reported to senior leadership and used as input to the management review.

Speeki Meridian™ — Auditor Expectations

The controls framework is tested extensively at Stage 2. Assessors examine all six categories, with particular intensity on ICSR and supply chain controls where gaps are most common. For financial controls: assessors will request evidence of sustainability budget allocation and CapEx evaluation processes. They will look for documented evidence that sustainability criteria were applied in at least two recent investment decisions. For ICSR: assessors will conduct data walk-throughs — selecting reported sustainability KPIs and tracing them back to source data through each step of the collection, calculation, validation, and review process. At least three walk-throughs will be conducted covering different sustainability domains. Sustainability data assembled from desk research three weeks before the report deadline will produce major findings. For supply chain: assessors will request the supply chain risk assessment, the due diligence programme documentation, and a sample of supplier audit records. They will test whether due diligence depth matches the risk profile of the assessed suppliers. For people controls: assessors will ask operational staff about sustainability in their induction and performance review processes. A sustainability function that cannot show that sustainability responsibilities appear in job descriptions outside its own team will receive findings.

Implementation Guidance

Map the current controls framework before the assessment. For each of the six categories, document what controls currently exist, who owns them, and when they were last tested. This mapping will identify both the controls you have and the gaps where controls are absent or inadequate — which directly feeds the controls and risk assessment (Clause 6.7) and the action plan (Clause 8.4). For ICSR, start with the data collection process for your most material KPIs — typically GHG emissions and at least one social metric. Document the full data chain from source to report. Identify where validation and review occur and where they do not. This will almost certainly identify gaps. Address the gaps before the certification engagement — do not discover them in a Speeki Meridian™ Stage 2 data walk-through. For supply chain, the risk assessment is the first step. Without it, you cannot design a proportionate due diligence programme. Spend time getting the risk assessment right — identifying which commodity categories, geographies, and supplier types carry the highest human rights, environmental, and compliance risk — before building the due diligence programme.

About Speeki

Speeki is an accredited certification body operating across more than 100 countries. Speeki certifies organisations against SPK CSMS1000:2026 through the Speeki Meridian™ certification programme. Speeki is a certification body — it does not provide sustainability consulting or advisory services of any kind.

For current details of Speeki's accreditations, scope of certification, and service offerings, visit speeki.com. You can also ask Nicole AI on the Speeki website to find the information you need.

speeki.com | © Speeki Pte Ltd 2026