COSO and Trust in Sustainability Reporting

With the shifting of focus from value for shareholders to value for a broader set of stakeholders, including suppliers, employees, and customers, sustainability has emerged as a crucial indicator of organizational success. Internal stakeholders require trustworthy, decision-useful information to inform their strategy and operations. External stakeholders are trying to make well-informed decisions about whether to engage in business dealings with an organization. All demand strong corporate governance that aligns with an organization’s stated purpose and values, as well as management that strategizes around sustainable business risks and opportunities with the goal of enhancing value. These stakeholders need relevant, reliable information, and it’s up to the organizations reporting the data to imbue their disclosures with trust and quality (see Figure 1).

Until now, organizations have faced an overlapping, seemingly competitive collection of frameworks, standards, best practices, and tools with which they can build trust and confidence in sustainability reporting. From the voluntary standards like those from the Global Reporting Initiative (GRI), the Integrated Reporting Framework (IRF), and the Sustainability Accounting Standards Board (SASB) to those of the Task Force on Climate-Related Financial Disclosures (TCFD) and the new International Sustainability Standards Board (ISSB), the choices have been overwhelming to some and paralyzing to others. (SASB merged with the International Integrated Reporting Council in 2021 to become the Value Reporting Foundation (VRF). Subsequently, in 2022, the International Financial Reporting Standards (IFRS) Foundation acquired the VRF, along with the Climate Disclosure Standards Board, as it organized the ISSB; see Figure 2).

Throughout it all, there remains a stalwart tool to build confidence in both financial and sustainability information: the Internal Control—Integrated Framework (ICIF) from the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

ICIF was the basis for a study published in 2017, Leveraging the COSO Internal Control—Integrated Framework to Improve Confidence in Sustainability Performance Data, which was slightly ahead of its time in looking at how organizations could build the trust needed in their sustainability reports. Fast-forward to 2023, and we see a rapid increase in voluntary reporting of environmental, social, and governance (ESG) disclosures in company reports. While one might applaud the efforts of organizations to report this information, the rapidly evolving regulatory and standard-setting landscape has made it difficult to draw conclusions about the quality and consistency of reported data. One can’t simply look to the compliance process to ensure the integrity and reliability of the data and reports. Finally, internal assurance (provided by the internal audit function) and trust in sustainability reporting must exist before external assurance can be provided.

The CFO and members of the accounting and finance team are well-versed in designing and implementing governance and oversight structures that are effective and appropriate for the organization. To this end, organizations must have an effective system of internal control to efficiently address sustainability-related issues, including operations, compliance, and reporting. But many accounting and finance professionals may not feel they’re prepared to apply the knowledge and experience they have from internal control over financial reporting (ICFR) to sustainability information. To help improve the quality, timeliness, and reliability of sustainability-related information, COSO released new supplemental guidance, Achieving Effective Internal Control over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control—Integrated Framework, in March 2023. ICSR was introduced in the guidance as a companion to ICFR.

TRUSTWORTHY DATA AND THE ROLE OF THE COSO ICIF

With the advent of the Sarbanes-Oxley Act of 2002 (SOX) requirements in the United States more than 20 years ago, there was a general perception that ICIF only applied to financial reporting and to publicly traded companies. But all businesses, including those in the commercial, not-for-profit, and public sectors, require effective internal control to achieve their goals, manage risk, adapt, and succeed in all aspects of their organization and operations. ICIF can be used effectively to build confidence across the comprehensive data set.

ICIF can also drive the appropriate tone at the top and organizational culture. Simply put, ICIF applies to all sizes and types of organizations and their financial and sustainability information. Updated in 2013, ICIF presents a set of five components and 17 principles that businesses may use to design effective internal control over sustainability operations and reporting (see Table 1). Through use of this framework, the CFO and accounting and finance team provide leadership to ensure the relevance and integrity of sustainability data and the translation of it into meaningful decision-useful information. Accomplishing these objectives means an organization must commit to establishing the proper control environment and utilizing its knowledge to begin developing ICSR.

To have effective ICSR, risk and materiality assessments are crucial to the process. ICSR must build trust that’s ultimately equivalent to that of financial reporting and transactions. Organizations should address IT general controls, operations, and compliance objectives; the consequent risks produced; and the actions necessary to ensure effective internal control in these areas. ICIF is intended for virtually any field, function, or activity. The 17 principles should be tailored to an organization’s specific requirements, resources, industry, and maturity level.

It should be implemented immediately rather than waiting for new regulations or legislation (see Dudley Brun­dige’s “Climate Risk Disclosures and Your Supply Chain” on p. 52 for more on solutions that organizations can explore now). The U.S. Securities & Exchange Commission (SEC) is expected to release its final rule for climate disclosures as early as the second quarter of 2023; the ISSB is expected to release its final S1, General Requirements for Disclosure of Sustainability-related Financial Information, and S2, Climate-related Disclosures, standards in the second quarter as well. As the supplemental guidance from COSO suggests, organizations interviewed indicated that they began the process of designing effective controls over sustainability information by starting with their financial controls as a model.

One of the most important advantages of ICSR is that it promotes sustainable business practices, which are crucial for long-term success. By utilizing the principles in ICIF for sustainability reporting, organizations can ensure that their sustainability performance is reported accurately and transparently to stakeholders. For these and other reasons, the CFO function can’t and shouldn’t implement ICSR in a silo. Collaboration is essential for identifying the optimal organizational structures, roles, and duties to obtain the desired results and effective internal control.

Organizations may consider establishing a cross-functional working group of experts from across the business (e.g., corporate social responsibility, integrated reporting, legal, marketing, operations, public relations, human resources, and finance and accounting) to achieve ICSR. Effective internal controls are beneficial beyond compliance or required external disclosures to improve communication, roles and accountabilities, and governance.

Organizations should utilize their internal audit function to provide not only internal assurance independent of management but also strategic insight and advice on how to design effective controls as well as meaningful performance metrics for the business. 

Internal and external sustainability and ESG reporting shouldn’t be an “annual and manual” effort. Instead, they should be continuous, efficient, and automated. Also, organizations should comprehend that sustainability reporting is a dynamic field that will evolve significantly in the coming years. Continuous monitoring activities are essential for assessing progress and determining whether to make adjustments and improvements. 

To remain aware of new advances in sustainability reporting, organizations must educate themselves on new themes; use seminars, recent publications, and certificate programs; and cooperate with sustainability specialists and learn from them. Additional COSO resources, such as enterprise risk management and ESG, cloud computing, and others, can help.

THE OPPORTUNITY FOR MANAGEMENT ACCOUNTANTS

In recent years, the significance of ESG issues for companies, investors, and other stakeholders has increased, necessitating ESG reporting that provides accurate, relevant, and timely information on a company’s sustainability performance. Organizations must implement robust internal controls to ensure that accuracy and reliability. The supplemental guidance released by COSO in March 2023 provides guidance for designing, implementing, and evaluating internal controls, which are essential for ensuring the accuracy and dependability of ESG reporting.

To evaluate a company’s impact on the environment, society, and economy, stakeholders need timely and accurate information on its sustainability performance. Therefore, companies must ensure that their ESG reporting is accurate, trustworthy, and transparent. Integration of the finance and sustainability teams is required for effective ESG reporting. The ICIF approach to internal controls can assist organizations in integrating their sustainability and finance teams, resulting in improved data quality for internal and external sustainability reporting. By collaborating, sustainability and finance teams can ensure that sustainability risks and opportunities are identified, evaluated, and reported accurately.

Much of sustainability reporting is principles-based. In a principles-based environment, what’s reported is a matter of judgment to a certain degree. Such subjectivity creates an opportunity to be second-guessed and creates the risk that superiors wanting to meet targets and make the results look good exert pressure on those responsible for reporting and disclosure to make questionable or flat-out unethical decisions and misleading disclosures. This likely leads to what’s predicted to be one of the new frontiers of fraud: ESG fraud (as we saw with the Volkswagen environmental fraud; see Curtis C. Verschoor, “The Volkswagen Problem,” Strategic Finance, February 2016).