A Closer Look at ICSR Reporting
Today I want to revisit sustainability reporting, and the recent guidance from COSO on designing effective internal control for sustainability reporting. Compliance officers, auditors, and corporate sustainability teams have much more to consider here to get “ICSR” at your company right.
We can begin with the most basic question of all: Why is any of this even necessary? That’s easy. It’s necessary because more and more companies are disclosing sustainability data, and those new disclosures bring more risk.
Specifically, publicly traded companies are subject to Rule 10b-5 of the Exchange Act, which holds a company liable for all information it releases, even if that information is released for some purpose other than a securities filing. So if a company makes a false statement about ESG data in a sustainability report, that can lead to an enforcement action from the Securities and Exchange Commission even though that sustainability report itself isn’t filed to the SEC.
For example, just the other week Brazilian mining company Vale agreed to pay $55.9 million to settle charges that it made misleading statements about the safety of its dams prior to a dam collapse in 2019 that killed hundreds of people. When the SEC filed its complaint against Vale last year, the agency pointed to disclosures Vale made in its corporate sustainability reports as examples of misleading information.
Vale is only one example of the disclosure risk afoot here. When you look at the larger corporate landscape, you see that almost all large companies now publish sustainability reports: 96 percent of them in 2021, according to the Governance & Accountability Institute. See Figure 1, below.
With so many companies now publishing sustainability data, this means the risk of misleading ESG disclosure is everywhere. No wonder COSO decided to publish some guidance on the subject.
Challenges With ESG Data
The ICSR guidance spends a fair bit of time exploring how sustainability data is and isn’t like financial data. That’s an important distinction to understand, because it is not automatically true that your processes for collecting and reporting financial data will work just as well for sustainability data. Some of those processes might; others might not.
So what are those differences? Figure 2, below, shows three identified in the ICSR guidance (with a heap of credit due to Doug Hileman, a principal author of the guidance, who first articulated all this).
Control vs. influence. The financial reporting world has clear principles to define a “consolidated entity” and how that entity might account for minority interests — say, a global corporation that owns only 30 percent of an overseas joint venture. Time-tested, well-understood accounting rules dictate how the corporation can report the revenue, expense, and earnings from that minority interest on the corporation’s balance sheet.
We don’t yet have similar principles sustainability reporting. For example, would that corporation also be responsible for 30 percent of the joint venture’s carbon emissions? If a corporation can influence decisions about operations without actually controlling the business (“we provide the critical intellectual property, so we say the JV lowers its carbon emissions”), how do you reflect that in a sustainability report? Right now, sustainability standards are still unclear on those points.
Quantitative vs. qualitative. Financial disclosures are all about numbers, so they are inherently quantitative; sustainability disclosures are much less so. Moreover, qualitative disclosures inherently depend on judgment, which means you’ll need more narrative disclosure and non-financial evidence to defend those judgments. How do you collect that evidence? How do you assure consistent judgment over time or across operating segments? Again, we’re not sure.
Historical vs. forward-looking. Financial reporting is a reflection of prior transactions and events, with a layer of expectations and estimates on future business as icing on that historical cake. Sustainability, as COSO says, “is about wise use and preservation of resources over the long term.” So what data will you collect about future ESG goals and your plans to achieve those targets? I’m not sure, but it’s very different data than sales, expenses, or earnings.
Who Runs This ICSR Stuff, Anyway?
The ICSR guidance doesn’t offer any clear advice on that question, but I keep coming back to the anti-fraud obligations that companies have under Rule 10b-5. That tells me that internal audit has an important role to play.
After all, internal audit teams are responsible for developing controls against fraudulent financial reporting. Shouldn’t they play a similar role for sustainability reporting? Don’t they already do that, kinda sorta, when they audit the environmental, health & safety function or hiring practices in the HR department?
That said, internal audit is only one participant in sustainability reporting. You also need the legal team (or a dedicated sustainability team, if your company is large enough to have one) to decide what metrics your company will actually report. This would be the team that performs your company’s ESG materiality assessment, and that should come first. Then internal audit can swoop in to review the processes that collect data relevant to those ESG disclosures, and assure that those processes are solid.
We should also remember that many companies already collect and report lots of ESG data. For example, large employers already collect and report extensive data about their workforce to the Equal Employment Opportunity Commission. Industrial concerns also already report their greenhouse gas emissions to the Environmental Protection Agency. Other businesses need to submit reports to various agencies on product safety, labor standards, and more.
Those are all ESG issues, but companies are collecting that data for regulatory compliance — which is not the same as collecting it for disclosure to the public. Your sustainability reporting effort needs to appreciate that distinction. The legal team or corporate secretary, already well acquainted with the liability concerns that arise from Rule 10b-5, would be the ones to educate internal audit (and others) on the importance of getting this all correct.