Internal controls help ensure the validity, accuracy, and ultimate reliability of companies’ ESG information. This is important for companies and the entire “ecosystem” that has developed around ESG disclosure, including investors, rating agencies, and the media.
Last month COSO – Organizing Committee published the internal control framework for sustainability reporting (ICSR). In the 1980s, COSO created a framework for internal controls in financial reporting (ICFR) known as the Internal Control Integration Framework (ICIF), which became popular when the Sarbanes-Oxley Act was enacted in 2002. That framework was revised in 2013. This formed the basis of the new ICSR. The authors explain the importance of managing ESG information in light of the aforementioned ‘ecosystem’ and tightening disclosure regulations.
“Rating agencies, data aggregators, data platforms and similar investor service providers are gaining traction in the ESG world. The companies’ business models rely on the provision of ratings, rankings, and ratings for publicly traded companies, and many have developed their own proprietary models to produce these ratings, under voluntary guidelines. Recognizing the lack of uniform reporting by corporate entities in the United States, these data providers and financial services firms seek to complement modeling by soliciting information through surveys or questionnaires from individual companies. is often found.”
This document also describes three attributes of ESG reporting that differ from financial reporting, forming the basis for why a different management structure is needed.
• Control and influence: There are unresolved differences regarding the setting of organizational boundaries between financial reporting and sustainability frameworks. Financial Accounting Principles define a “consolidated entity” and detail how minority shareholders are accounted for. However, depending on the framework or standard, sustainability reporting may be based on different concepts of ‘control’ or ‘impact’ (Principle 3 and Principle 12). Adjustments may continue as rules and standards evolve.
• Quantitative vs Qualitative: Since the goal is to estimate and assess expectations of the continued availability of resources and the willingness of stakeholders to make these resources available, sustainability information is inherently It is more qualitative than reporting. The goal is to produce information to enable users to assess short-, medium-, and long-term future performance and expectations related to ultimate corporate value (or going concern value).
• Past and Future Outlook: Sustainability information can be more forward-looking and long-term than financial information, as organizations set goals and targets. Traditionally, financial accounting was based on summarizing past transactions and events. However, over time, the report has evolved to reflect economic expectations and future estimates. At its core, sustainability is about using resources wisely and protecting them over the long term. Long-term sustainability goals and objectives inform business objectives. Additionally, communicating your long-term goals and objectives will set you up for future reporting on your achievements. The quoting process is the same, but the time period covered is longer. “
Recognizing the meaningful differences between these reporting attributes and the underlying data, the ICSR builds on the five elements of ICIF.
- Controlled environment. It represents the company’s commitment to integrity and ethics. Board oversight responsibilities. Internal Structure, Authority, and Responsibilities. A commitment to retaining competent staff. Enforcing Accountability.
- Risk assessmentThis refers to identifying appropriate purposes (including determining “materiality”). Identify and analyze risks to achieve sustainable business goals. Fraud risk assessment (one of my favorite topics!); identify and analyze significant changes and trends, especially those that can affect your control system;
- Manage activities. This includes selecting and developing control activities, including those relating to technology and third-party service providers. Deployment of monitoring through policies and procedures.
- Telecommunications. This component refers to using relevant information from multiple sources/departments and considering data availability. Internal communications, including with employees and the board of directors. Communicate externally about how internal controls work (the report refers to third-party assurance of sustainability data and reporting here).
- Surveillance activities. The final component involves assessing the existence and functioning of ISCRs. Deficiency Assessment and Communication.
It is undoubtedly reliable and rooted directly in a long-established and proven framework. Although it arose primarily from the US regulatory, reporting, and control context, it has similar uses and applicability to non-US companies.