Anyone who has kept up with our blogs here knows that I am a huge proponent of establishing a system of internal controls for ESG data/disclosure similar to those for financial reporting. Internal controls help to ensure the validity, accuracy and – ultimately – the credibility of ESG information reported by companies. This is critical not only for the company but also for the entire “ecosystem” that has developed around ESG disclosures including investors, rating organizations and the media.
Last month COSO – the Committee of Sponsoring Organizations – published its framework for internal controls over sustainability reporting (ICSR). COSO dates back to the 1980s and created a framework for internal controls for financial reporting (ICFR) known as Internal Control – Integrated Framework (ICIF) that became popular when the Sarbanes-Oxley Act went into effect in 2002. That framework was revised in 2013, and the revision formed the basis of the new ICSR. The authors explain the importance of controls for ESG information in light of not only growing regulations for disclosures, but also the “ecosystem” I mentioned above:
“Rating agencies, data aggregators, data platforms, and similar investor service providers have grown in prominence in the ESG world. Partly because there is a lack of generally accepted reporting standards and regulations, these companies’ business models depend on delivering ratings, rankings, and assessments of publicly listed companies. Many have developed their own proprietary models to create these ratings. Perceiving a lack of uniform reporting by corporate entities under voluntary guidelines, these data providers and financial services firms often seek to supplement their modeling by requesting information via survey or questionnaire from individual companies.”
The document also discusses three attributes of ESG reporting that differ from financial reporting and form a basis as to why a different controls structure is necessary:
“• Control vs. influence: There are unresolved differences regarding the setting of organizational boundaries between financial reporting and sustainability frameworks. Financial accounting principles define a ‘consolidated entity’ and detail how to account for minority investees. Depending on the framework or standards, however, sustainability reporting may be based on different concepts of ‘control’ or ‘influence’ (Principle 3 and Principle 12). As rules and standards evolve, alignment may follow.
• Quantitative vs. qualitative: Because the goal is to estimate and assess expectations of ongoing availability of resources and stakeholder willingness to make these resources available, sustainability information is inherently more qualitative than traditional financial reporting. The goal is to produce information so that users may assess short-, medium-, and long-term future performance and expectations that relate to an ultimate enterprise value (or going concern value).
• Historical vs. forward-looking: Sustainability information can be more forward-looking and long-term than financial information as organizations set goals and targets. Traditionally, financial accounting rested on the summarization of past transactions and events. Over time, however, reporting evolved to reflect economic expectations and estimates of the future. At its heart, sustainability is about wise use and preservation of resources over the long term. Long-term sustainability targets and goals inform business objectives. Further, communicating long-term goals and targets sets the stage for future reporting on the achievement of targets. The process of estimation is the same, but the time horizon is longer.”
Acknowledging these attributes of reporting as well as meaningful differences between the fundamental data, the ICSR builds on ICIF’s five components:
- Control environment. This refers to the company’s commitment to integrity and ethics; board of directors’ oversight responsibilities; internal structures, authority and responsibilities; commitment to maintaining competent staffing; and enforcing accountability.
- Risk assessment. This refers to specifying suitable objectives (which includes determining “materiality”); identifying and analyzing risks to meeting sustainable business objectives; assessing fraud risk (one of my favorite topics!); and identifying and analyzing significant changes and trends – especially those that may impact the system of controls.
- Control activities. This involves selecting and developing control activities, including those over technology and third-party service providers; and deploying oversight through policies and procedures.
- Information and communication. This component refers to using relevant information from multiple sources/departments and considering data availability; communicating internally including to employees and the board; and communicating externally on how internal controls are functioning (the report touches on third-party assurance of sustainability data and reporting here).
- Monitoring activities. The final component involves conducting evaluations of the presence and function of ICSR; and evaluating and communicating deficiencies.
I am very pleased to see this document. It is unquestionably credible and directly rooted in a long-established and time-tested framework. Although it was born mainly out of the US regulatory, reporting and controls context, it has equal use and applicability for non-US companies. This is reading time that I think is well worth it.