Summary information risk management papers
Recommendations: Building trust and confidence in sustainable business information
Applying effective internal controls to sustainability information for internal and external
purposes constitutes a rapidly growing use of existing risk and control concepts. Few best
practices have been established.
A good starting point for implementing internal control over sustainability reporting (ICSR) is the
process and ecosystem of the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Internal Control—Integrated Framework—originally issued in 1992 and
refreshed in 2013 (ICIF-2013 or Framework)—with a key addition, the concept of organizational
commitment to integrity and purpose, which is an important aspect of sustainability.
This framework creates five action
points:
1. Commit to integrity by stating
your purpose.
2. Determine objectives.
3. Identify and assess risks (and
consider opportunities).
4. Identify control activities to
manage a risk or mitigate the
risk to an acceptable level.
5. Evaluate effectiveness to
determine whether the
framework components and principles are present and functioning.
Implementing results in a variety of benefits.
Delivering internal benefits: metrics related to key sustainability issues can provide
organizations with business intelligence to support internal decision making and the
management of performance and impacts.
Delivering external benefits: meanwhile, the same information can provide decision-useful
disclosures for external users, such as investors.
To realize both internal and external benefits of an effective system of internal controls over
sustainable business reporting for both internal and external users, data lineage and governance
is critical. It is extremely valuable to translate and connect financial information, operational
data, and sustainable business information. This integration supports not only ESG reporting but
also internal decision making.
Key takeaways: Stakeholder goals around sustainability
- Cultivate a culture of accountability.
- Revisit the interrelationship of purpose and various objectives.
- Establish a cross-functional team.
- Leverage existing expertise.
, - Leverage existing controls.
- Leveraging enabling technologies and platforms.
- Focus on decision usefulness.
By viewing sustainability through the lens of decision usefulness, an organization can
focus on covering a small subset of metrics that are most important to its success
over time by reducing risk and contributing to growth and value creation.
- Start early.
Sustainability is multidisciplinary. Further, sustainability means the involvement of participants
from a range of other areas, such as legal, human resources, facilities, operations, and investor
relations, all of whom may lack understanding of COSO and reporting systems. Nearly every
modern global company issues some form of external reporting on sustainability. Sustainable
business information from these reports, as well as from individualized questionnaires and
commercial ratings, are
readily delivered to
investors, policy
makers, and a range of
stakeholders through
modern software
applications and
platforms.
However, significant concerns remain regarding the nascent systems that are producing
this decision-critical information.
COSO refers to the Committee of Sponsoring Organizations of the Treadway Commission, which
is made up of five global accountancy and auditing organizations. Ultimately, in 1992 (with some
revisions through 1994), COSO published its first framework, called the Internal Control -
Integrated Framework. The publication made two giant steps forward. First, it provided a
definition of “internal control.” Second, it provided a common framework for evaluating and
improving internal control systems.
Support various professionals in financial reporting with common language and
concepts.
Later, ICIF became a premier tool for operationalizing and implementing the Sarbanes-Oxley Act
of 2002 (SOX).
With respect to annual report filings, these new requirements for public companies under the
SEC’s authority included:
- A report by management that assesses how well ICFR is functioning, commonly known
as SOX Section 404(a), and
- An auditor’s report attesting to management’s report, commonly known as SOX Section
404(b).4
Framework is not mandatory but it is generally accepted.
, ICIF-2013 defines internal control as follows: Internal control is a process, effected by an entity’s
board of directors, management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives relating to operations, reporting, and
compliance.
An organization has achieved an effective system of internal controls when all principles
are present and functioning.
As various stakeholders showed increased interest in sustainable business information, COSO
responded by issuing materials that expressly endorsed the use of ICIF-2013. COSO
incorporated the term “nonfinancial” directly into the 2013 Framework.
The ERM framework can be interpreted and applied to support an organization’s sustainable
business strategy that it carries out through its internal control system (principle 7). A key goal is
to provide information that utilizes a broader perspective of resources and resource
contributors than under traditional financial accounting and reporting. Groups other than
investors are relying on corporate information to understand how a reporting entity’s
transactions, operations, and activities impact external stakeholders, such as policy makers
that speak for communities—both local and global—and the people and natural resources that
they represent.
Within the ESG world, it has been recognized that not all users can be considered the same. As
long-term, committed investors seek ESG information as part of their decision making, other
Recommendations: Building trust and confidence in sustainable business information
Applying effective internal controls to sustainability information for internal and external
purposes constitutes a rapidly growing use of existing risk and control concepts. Few best
practices have been established.
A good starting point for implementing internal control over sustainability reporting (ICSR) is the
process and ecosystem of the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Internal Control—Integrated Framework—originally issued in 1992 and
refreshed in 2013 (ICIF-2013 or Framework)—with a key addition, the concept of organizational
commitment to integrity and purpose, which is an important aspect of sustainability.
This framework creates five action
points:
1. Commit to integrity by stating
your purpose.
2. Determine objectives.
3. Identify and assess risks (and
consider opportunities).
4. Identify control activities to
manage a risk or mitigate the
risk to an acceptable level.
5. Evaluate effectiveness to
determine whether the
framework components and principles are present and functioning.
Implementing results in a variety of benefits.
Delivering internal benefits: metrics related to key sustainability issues can provide
organizations with business intelligence to support internal decision making and the
management of performance and impacts.
Delivering external benefits: meanwhile, the same information can provide decision-useful
disclosures for external users, such as investors.
To realize both internal and external benefits of an effective system of internal controls over
sustainable business reporting for both internal and external users, data lineage and governance
is critical. It is extremely valuable to translate and connect financial information, operational
data, and sustainable business information. This integration supports not only ESG reporting but
also internal decision making.
Key takeaways: Stakeholder goals around sustainability
- Cultivate a culture of accountability.
- Revisit the interrelationship of purpose and various objectives.
- Establish a cross-functional team.
- Leverage existing expertise.
, - Leverage existing controls.
- Leveraging enabling technologies and platforms.
- Focus on decision usefulness.
By viewing sustainability through the lens of decision usefulness, an organization can
focus on covering a small subset of metrics that are most important to its success
over time by reducing risk and contributing to growth and value creation.
- Start early.
Sustainability is multidisciplinary. Further, sustainability means the involvement of participants
from a range of other areas, such as legal, human resources, facilities, operations, and investor
relations, all of whom may lack understanding of COSO and reporting systems. Nearly every
modern global company issues some form of external reporting on sustainability. Sustainable
business information from these reports, as well as from individualized questionnaires and
commercial ratings, are
readily delivered to
investors, policy
makers, and a range of
stakeholders through
modern software
applications and
platforms.
However, significant concerns remain regarding the nascent systems that are producing
this decision-critical information.
COSO refers to the Committee of Sponsoring Organizations of the Treadway Commission, which
is made up of five global accountancy and auditing organizations. Ultimately, in 1992 (with some
revisions through 1994), COSO published its first framework, called the Internal Control -
Integrated Framework. The publication made two giant steps forward. First, it provided a
definition of “internal control.” Second, it provided a common framework for evaluating and
improving internal control systems.
Support various professionals in financial reporting with common language and
concepts.
Later, ICIF became a premier tool for operationalizing and implementing the Sarbanes-Oxley Act
of 2002 (SOX).
With respect to annual report filings, these new requirements for public companies under the
SEC’s authority included:
- A report by management that assesses how well ICFR is functioning, commonly known
as SOX Section 404(a), and
- An auditor’s report attesting to management’s report, commonly known as SOX Section
404(b).4
Framework is not mandatory but it is generally accepted.
, ICIF-2013 defines internal control as follows: Internal control is a process, effected by an entity’s
board of directors, management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives relating to operations, reporting, and
compliance.
An organization has achieved an effective system of internal controls when all principles
are present and functioning.
As various stakeholders showed increased interest in sustainable business information, COSO
responded by issuing materials that expressly endorsed the use of ICIF-2013. COSO
incorporated the term “nonfinancial” directly into the 2013 Framework.
The ERM framework can be interpreted and applied to support an organization’s sustainable
business strategy that it carries out through its internal control system (principle 7). A key goal is
to provide information that utilizes a broader perspective of resources and resource
contributors than under traditional financial accounting and reporting. Groups other than
investors are relying on corporate information to understand how a reporting entity’s
transactions, operations, and activities impact external stakeholders, such as policy makers
that speak for communities—both local and global—and the people and natural resources that
they represent.
Within the ESG world, it has been recognized that not all users can be considered the same. As
long-term, committed investors seek ESG information as part of their decision making, other
