New COSO Help on Sustainability Reporting

COSO dropped extensive new guidance this week on how companies can build effective internal control over sustainability reporting, to assure that the ESG disclosures your company might make have the same accuracy and reliability that exists for financial reporting.

COSO published the guidance on Thursday — 114 pages of it, walking the reader through every principle and point of focus in the famed COSO internal control framework and showing how that material can be applied to sustainability. The document also includes three examples of how organizations might use the material, a long disquisition on the history of ESG reporting, and other points that ESG enthusiasts could use to build the business case for stronger “ICSR” (internal control over sustainability reporting).

Like, there’s a lot in here. Any internal control team trying to tackle ESG disclosures should sit down and give this guidance a close read.

COSO first published ESG guidance in 2017. Why update that document? Because “we perceive a sea change in attitudes since 2017,” COSO said in the executive summary. Specifically… 

We find that many more companies are now in various stages of implementing controls and governance processes over the collection, review, and reporting of sustainability information, including creating multifunctional teams that bring together a company’s sustainability, finance and accounting, risk management, legal, and internal audit professionals.

So in the same way that those finance, accounting, risk, legal, and audit professionals have worked together over the last 20 years to build systems of effective internal control over financial reporting (ICFR), those groups and sustainability professionals must now build systems of internal control over sustainability reporting.

Besides, who in this line of work doesn’t love another good acronym? ICSR, welcome to the club.

What’s in the ICSR Guidance

Foremost, this piece of guidance is a mapping exercise. It goes through each of the COSO internal control framework’s 17 principles and dozens of points of focus and places them in a sustainability context. For example, on Page 69 we find COSO internal control Principle 10: 

The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

That’s the same principle internal control teams have been using for years to govern your ICFR and Sarbanes-Oxley compliance programs. The new COSO guidance, however, then puts some sustainability English on the ball:

Once an organization has identified and assessed risks to achieving its sustainable business objectives, it designs, develops, and implements means to counter these risks, partly or completely. This helps ensure that oversight activities are responsive to sustainable business objectives, including reporting, and related risks.

Honestly, you swap in the words “compliance” or “financial” wherever you see the word “sustainable” in the above paragraph, and the text would make just as much sense. That’s the point, really: the COSO internal control framework is versatile, able to help organizations achieve all sorts of goals — if you approach it with the right bit of imagination. This guidance is meant to push your imagination down the sustainability path.

The document offers that same treatment to all of the framework’s principles and their more precise “points of focus,” too. I wouldn’t call most of the material intellectually groundbreaking, but it is reassuring. For any corporate controller or compliance team suddenly tasked with taming ESG disclosures, you’ll read these examples and find yourself thinking, “Oh, yeah. Of course it works that way. We can do this.” 

The guidance also includes plenty of “Insights,” which are snippets of advice about how the COSO internal control principles should work in practice; and three examples of how ICSR might work at both public and private companies.

Important Points About Data

First, we need to remember that ESG data is somewhat like financial data, but not identical to financial data. So the controls, processes, and technologies that your company uses for ICFR can help you manage sustainability reporting, but they won’t necessarily solve all your problems. The COSO guidance puts things this way:

Today, much financial reporting data is likely to be structured, housed in the general ledger systems, and flowed through enterprise resource planning (ERP) processes. ESG and sustainable business information, on the other hand, tends to be longer term and more qualitative, with data sources both within and outside of the organization’s systems, and considerable estimation and data modeling are required.

This is an excellent point, and one with many implications you’ll need to consider. For example, if you’re going to report your company’s carbon emissions, you may well need to include emissions generated by your supply chain. So you’ll need stronger vendor management processes to wring that information out of your suppliers. 

Isn’t that similar to how a company might oversee its resellers and distributors, so the company can compile accurate revenue disclosures? Well, kinda sorta — but carbon emissions are a very different type of data, and the audit practices to provide assurance over carbon emissions are still in their infancy. Anyone who thinks you can easily graft existing supply chain management procedures onto your ESG disclosure needs is delusional. It can be done, but it won’t be easy. 

Second, the importance of data governance cannot be overstated here. With so many sources of data, in so many formats, you’re going to need IT systems that can enforce consistency as each piece of ESG data moves through the collection and reporting process. 

This isn’t news to financial reporting professionals; they’ve been sweating data governance and data “linkage” (assuring that when you change a piece of data in one place, that change updates across all other places the data might appear) for years. An army of software providers, large and small, exist to help corporations with those tasks. Some of those software vendors even have products that actually, ya know, work.

One question now is whether those financial reporting and audit management vendors can successfully incorporate ICSR into their product lines. That may not be easy. Financial reporting processes are well-developed, and financial disclosures are governed by accounting rules; sustainability reporting processes are all over the map. (Or, as the COSO guidance puts it, “Some preparers find that these standardized approaches are inadequate for their organizations’ unique data and information streams.”)

So as corporate controllers and sustainability teams grapple with how to develop an effective system of internal control over sustainability reporting, they’ll need to retrofit their financial reporting controls and figure out whether their existing IT providers are up to the ICSR challenge.

It’s going to be a brave new world. Give this new COSO guidance a read as you enter it.
