COSO’s New “Internal Control Over Sustainability Reporting” Guidance

One of the biggest struggles for companies when they start out collecting the data they need for climate and other sustainability disclosures is developing the disclosure and internal controls necessary to help ensure the accuracy of that data. Unlike financial reporting, there is a lack of well-known, well-worn practices to help with the information's integrity.

Fortunately, COSO recently released new guidance, which follows up on a 2017 study. The executive summary describes "a sea change in attitudes since 2017" with respect to sustainability reporting, which I know will ring true for readers of this blog. Beyond the important fact that COSO's standards for internal control over financial reporting is well-accepted and well-known, the new guidance is definitely worth reading even if your company already has an established sustainability reporting flow.

In the guidance, COSO spends the bulk of the 114 pages explaining how each of the 17 principles for its existing internal control over financial reporting framework applies to sustainable business information and activities. Analysis of each of the 17 principles references the financial reporting focus regarding that principle and gives insight about how that principle can be implemented for sustainability, based on a mix of factors (such as regulations, professional standards, existing corporate practices and even interviews with well-known professionals).

A critical piece of the report starts on page 28 - an analysis of the differences between conventional financial reporting and sustainable business information. There are these three primary areas of difference:

1. Control vs. influence: sustainability reporting lacks the focus of financial reporting on using "control" to define the "consolidated entity" boundaries of what is reported.
2. Quantitative vs. qualitative: sustainability information is inherently more qualitative than financial reporting.
3. Historical vs. forward-looking: with a focus on long-termism, sustainability reporting is inherently more forward-looking than financial reporting.

In addition to these inherent differences, the drivers around sustainable business information raise these eight additional challenges:

1. Voluntary reporting ecosystem
2. Acceleration toward regulation
3. Novel data streams
4. Talent availability and competence
5. Immature systems and unstructured data
6. Proliferation of reporting platforms and software services
7. Sustainability reporting relies on third-party data
8. Demands for external assurance

The report provides useful examples of actual applications of internal controls to sustainability reporting. The discussion of Principle 2, "Exercises board of directors' oversight responsibilities," includes examples of audit committee oversight activities:

1. Revising charters to include oversight of external reporting of sustainability information and oversight of disclosures regarding the effectiveness of the organization's system of ICSR.
2. Conducting educational sessions on recent developments regarding sustainable business.
3. Overseeing the internal audit function and review of sustainable business information.
4. Developing processes to operationalize oversight of external reporting, such as determining the frameworks, standards, and guidelines to follow for external ESG reporting.
5. Reviewing external ESG reports before issuance.
6. Determining the extent to which ESG information is subject to independent assurance or verification and determining the appropriate outside firm to perform independent assurance or verification.