Using the COSO Internal Control Framework for Sustainability Reporting

July 20, 2023
Michael R. Littenberg,
Doug Hileman,
Shari Littan

COSO recently released supplemental guidance on achieving effective internal control over sustainability reporting. The guidance is very timely, given recently adopted, pending and proposed sustainability reporting requirements in several jurisdictions. In addition, companies are seeking to bring more rigor to their voluntary ESG disclosures, both to meet market expectations and to mitigate evolving litigation and enforcement risk. On this podcast, three of the principal authors, Doug Hileman, Shari Littan and Jeff Thomson, provide an introduction to the COSO framework and the supplemental guidance. They also provide insights and tips on applying the supplemental guidance and its relevance to specific types of sustainability disclosures.

The episode is hosted by Michael Littenberg, Ropes & Gray partner and global head of the ESG, CSR and business and human rights practice. Michael is the only private practice attorney listed as a contributor in the guidance. He also is quoted in the publication.

Michael Littenberg: Welcome to this Ropes & Gray podcast. I’m Michael Littenberg. I’m a partner in the New York office of Ropes & Gray and Global Head of our ESG, CSR and Business and Human Rights practice. Our topic for today is COSO’s recently released supplemental guidance on “Achieving Effective Internal Control Over Sustainability Reporting.” Since its release at the end of March, there has been tremendous interest in the guidance in the ESG community. The guidance is very timely, given recently adopted, pending and proposed sustainability reporting developments. These include among others the proposed SEC climate risk disclosure rules, the EU Corporate Sustainability Reporting Directive and the related European Sustainability Reporting Standards and also the International Sustainability Standards Board standards. Aside from new regulatory disclosures, companies also are seeking to bring more rigor to their voluntary ESG disclosures, both to meet market expectations and to mitigate evolving litigation and enforcement risk.

To unpack the guidance, I’m joined today by three of its principal authors:

  • Doug Hileman is a consultant with 40-plus years’ experience in ESG, including operations, corporate compliance, and three years on the Volkswagen monitor team. Doug’s experience with COSO dates to his tenure at PwC at the outset of Sarbanes-Oxley. Doug was the ESG specialist on the author team.
  • Shari Littan is director of corporate reporting research and thought leadership at IMA. Her work focuses on financial reporting and sustainable business information in management. Shari is a former practicing litigator in the area of corporate governance and securities fraud.
  • Jeff Thomson is the recently retired CEO of the Institute of Management Accountants and a former COSO board member. He currently serves as a senior strategic advisor to boards and firms, most recently Competent Boards, whose mission is to educate and certify future fit board members around the world.

An Introduction to the COSO Framework (02:08)

First, I want to start off with an introduction to the COSO framework, since many of our listeners may not be that familiar with the framework. Jeff, we’ll start with you: What exactly is COSO? What is the COSO framework, and what is its purpose?

Jeff Thomson: Thank you, Michael—it’s a pleasure and an honor to be here. This is a very important topic for not just businesses around the world but for the entire ecosystem, and we’ll be talking about the nature of that as we go forward. COSO is the Committee of Sponsoring Organizations of the Treadway Commission. It was formed back in the mid-1980s, essentially by the U.S. Congress, to help address the escalating savings and loan scandals and frauds that were occurring in the U.S. at the time. The five founding or sponsoring organizations are the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and, last but not least, the Institute of Management Accountants (IMA). Essentially, what these organizations were tasked with initially was to develop a globally usable internal control framework. In 1992, the Internal Control Integrated Framework (ICIF) was developed to improve the application of internal control around the world. By the way, we’ll talk later about financial and non-financial internal control.

Fast-forward to Sarbanes-Oxley in the United States (2002–2003 timeframe), the COSO Internal Control Integrated Framework (ICIF) is essentially being used by 100% of the U.S. publicly listed companies to comply with Section 404 of the Sarbanes-Oxley Act (essentially the internal control attestation), so the COSO framework became heavily used from that point forward. Then, as national jurisdictions around the world began to incorporate the COSO Internal Control Integrated Framework into their national standards, the COSO framework became even more globalized. We’ll talk a little bit later about the changes in 2013 as they relate to non-financial reporting. There also is one other COSO framework that is separate but related, and that’s a broader, more strategic ERM (Enterprise Risk Management) framework. That framework was delivered to the market in 2004 and subsequently updated in 2017. But the main focus here today is the Internal Control Integrated Framework launched in 1992, updated in 2013.

Michael Littenberg: Specific to sustainability information, why is internal control over sustainability information important?

Shari Littan: It’s also a pleasure to be here with my co-authors. When we think about financial reporting and the rules and regulations, at least in the States, we look to Sarbanes-Oxley, and that instituted a range of governmental rules and the formation of the PCAOB (Public Company Accounting Oversight Board), which emphasized the idea of controls. For those who are not in the accounting or financial reporting world, we use the term “control” as a holdover from the way accountancy used to be described. A more modern term that I often use is “oversight governance processes.” In looking to financial reporting, when Sarbanes-Oxley became the law of the land, a framework or standard was needed. How are we going to determine whether controls are effective? And so, for many practitioners, it became the gold standard to look to the COSO Internal Control Framework. As Jeff has mentioned, as things evolved, and we have this whole new need to report or demands for information on various aspects of corporate sustainability, we are looking to the COSO framework and saying, “This can be adapted. This can be applied to these new types of corporate reporting.”

Two things to think about: One is external regulatory disclosures to investors and the market, and the importance of compliance with rules and regulations as they evolve. Second, the idea of controls oversight is as much about the achieving of corporate purpose and goals as it is about reporting and disclosure. That is to say that good reporting depends on the strength of activities. Sometimes, in speaking to practitioners, we say, “Are you talking about ESG reporting or the actual enterprise-wide activities to bring about sustainability?” I think it’s both. Obviously, the COSO framework is to be used to provide quality information from a corporate entity to the market. But, it also is a framework to guide how we think about achieving corporate purpose, meeting objectives, and doing so in a way that is efficient and meets the interests, demands and expectations of a whole range of corporate stakeholders.

Michael Littenberg: You mentioned investors. Internal control over reporting is often thought of as a public company topic by many people. Is internal control over sustainability reporting only relevant for public companies? I suspect you’re going to say it has much broader applicability based on your prior remarks. But even so, if it is relevant to private companies, is it still only relevant to large companies, or is this something for all companies?

Shari Littan: Yes, this is really important, because we think about reporting by public companies and meeting regulatory demands in compliance, but we are seeing something different happening in the sustainability reporting world. First, there is pressure even outside of regulation for competition and opportunity, and that is for both public and private companies of every size. Whether or not a company comes within regulatory oversight per se, their competitors may be reporting anyway. There may be decisions to be made, so sometimes we talk about materiality, which has an investor focus and a very specific legal terminology, but we also talk about decision usefulness: “What are my competitors doing? Are they changing their business model?” This is important, because not all corporate information goes to the market. In some cases, what we are observing is information sharing in the area of supply chain. A large public company might be making disclosures or statements of expectations or estimations about when they might be net zero, or their goals and progress towards certain sustainability metrics, and who are they going to turn to? Their suppliers, their value chain. That creates a need for good controls and good information. This is a risk area that people are telling us they are concerned about: how sustainability reporting and information—think about Scope 2 or Scope 3 greenhouse gas emissions in particular—relies on information that comes from an outside entity. We need to think about how we are going to be comfortable in reporting, incorporating or relying on this third-party data.

One of the things that we also are hearing about is the competition for capital in the private sector. For example, we are hearing about green lending or ESG-linked loans. That means that lenders, not the equity markets, are saying, “You know what, we’ll give you a lower interest rate.” Or “If you meet certain targets, we’ll lower the interest rate.” It could be a private company, but that creates a compliance responsibility, because meeting those targets can become part of the covenants within the lending agreement, and now you have a new compliance obligation.

We are hearing the same thing in the insurance market, that certain insurers are willing to lower premiums for private companies taking ESG-related steps. I even heard of a directors and officers insurance policy where the insured was given a lower premium due to ESG.

In addition, companies that may be private now may be headed for the public markets in the near future. It’s therefore good to get this started now. We’ve also heard private equity investors saying that, even if a portfolio company is private, paying attention to ESG or sustainability activities and information, and having good information, gives them more trust and confidence in this company.

Michael Littenberg: It sounds like from everything you are saying, this is not just a topic for accountants and auditors. Is that a fair characterization?

Shari Littan: I would absolutely agree, and I’ll hand this to Doug, who’s not from the accounting world, but we’re observing that in order for sustainability and the quality information that goes into reporting, it takes the breaking of silos within a company. We hear this all the time, where everyone is involved: investor relations and human resources for the human capital disclosures, operations, facilities, and of course, the information sharing with investors and with rating agencies. Doug, you might have some more to add to that.

Doug Hileman: Thanks for the ability to participate here today. Michael, you mentioned the topic of private companies. Private companies have important stakeholders called customers, and they have important stakeholders called employees and prospective employees. As Shari mentioned, they may eventually wish to go public, or they may be acquired by a public company. Regardless of whether companies are publicly traded or privately held, these stakeholders expect private companies to have sustainability reporting and sustainability programs on relevant topics and issues. If they ignore it completely, by the time it is required to meet SEC and public investor requirements, for example, there just isn’t time to put a program together. The COSO framework offers a handy way to organize and structure the program.

And, absolutely, as someone who has grown up on the ESG side of things and for 20-some years been very involved with the accounting industry, the Framework really is for everybody. This guidance is especially useful for people who do not come from accounting and finance. There are people who know internal controls as COSO sets it forth. There are people who don’t. But all these other groups, whether it is environmental, safety, operations, utilities, HR or procurement, have some kind of management framework, whether it is ISO or something else, and they all follow the “plan, do, check, act” cycle, but they just use different terms. We often hear the term “silos,” as Shari mentioned—I prefer to think of them as “areas of competence.” People get hired into operations or HR because that is their distinctive competence, and that’s their job. For many of these folks, sustainability is an add-on or a hobby; they’re overwhelmed. They need effective mechanisms or tools to show up and participate in things like cross-functional teams and to do things to improve sustainability performance and sustainability reporting, and COSO offers an ideal framework to foster that collaboration.

Michael Littenberg: Jeff, you briefly hit on this in your remarks before, but before we dive into the 2023 supplemental guidance, for context here, what are the major frameworks and guidance that have been put out by COSO over the years?

Jeff Thomson: From an internal control perspective, the COSO Internal Control Integrated Framework was launched to the global marketplace in 1992 and updated in 2013. Then, the related but separate COSO enterprise risk management framework launched in 2004 and was updated in 2017. In the meantime, COSO, over the years, has put out either supplemental or interpretive guidance, as well as thought leadership papers. For example, just a few weeks after we put out the COSO guidance we’re talking about here on sustainability reporting, COSO, along with the ACFE (Association of Certified Fraud Examiners), put out an update to their broad risk management guide—that was COSO in conjunction with the ACFE. That was a significant body of work, of course, focused on fraud risk management. COSO has also put out thought leader papers relating to AI, blockchain, integrated reporting, and the list goes on and on. Quite frankly, if an organization is interested in a connected, integrated ecosystem approach to business, or if the organization is interested in a forward-looking view of business from an integrated perspective, then COSO has an awful lot to offer.


An Introduction to the 2023 Supplemental Guidance (17:53)

Michael Littenberg: We’re now going to shift over to the supplemental guidance. As I noted earlier, the supplemental guidance was released at the end of March. Jeff, did the COSO framework apply to sustainability reporting before then or is that something that is new for 2023?

Jeff Thomson: One could argue that the original COSO framework actually applied to all forms of objectives. However, it was made very clear in the 2013 update to the original 1992 framework that essentially the COSO framework applied to all forms of objectives and all forms of reporting—so, financial reporting and non-financial reporting, operations, compliance, etc. For example, if an organization were using the balanced scorecard to holistically manage its business, keep it in control, manage risk and create long-term value, the COSO framework certainly, as of 2013, had a role to play, but it was broadly captured as non-financial objectives. And that’s why—fast-forward beyond 2013—we decided to go beyond that broad category of COSO applying to non-financial performance and non-financial objectives.

Michael Littenberg: There was a 2017 study I know that discussed the COSO framework in the context of sustainability reporting. How does the 2023 guidance differ from or expand on that earlier study?

Jeff Thomson: Yes, you’re right. In 2017, I co-authored a somewhat similar but perhaps first attempt, if you will, at applying the COSO framework to this type of data. One thing is consistent between 2017 and 2023—Shari hit on the key words. The key words in the guidance are not “COSO” or even “internal control”—I would argue they are “trust” and “confidence.” Given that we’re in a multi-stakeholder environment beyond shareholders, it is critically important, given the nature of this data and the number of people, organizations and the value chain that touch it, that we provide a level of assurance, trust, and confidence in this type of data.

In 2017, Bob Herz, myself and Brad Monterio—who are also authors of the 2023 guidance—took an attempt at that point in time to apply the COSO framework to the various levels of non-financial reporting. We had many cases where we applied the COSO components and principles to sustainability reporting. I’m proud to say that, with the additional leadership and diversity on our author team from Shari and Doug, in particular, who brought so much more to the table in terms of this multi-stakeholder environment, we really raised our game. Maybe that guidance in 2017 was a little bit before its time, given where we were with standards and the alphabet soup of organizations and standards, and even focus and attention by the regulators, especially in the U.S.—so, I’m proud of the original work, but this latest work in 2023, we really think will make a difference.

Michael Littenberg: How does internal control over sustainability reporting differ, or how is it the same as internal control over financial reporting?

Jeff Thomson: Let me start with the differences, and I think we’ve touched on them just a little bit. For one thing, the value chain, one could argue, is expanded with sustainability reporting and sustainable business management relative to financial reporting—Doug and Shari just described some of that. This is actually a good thing for a multi-stakeholder environment, where internal control is not just a finance and accounting thing; it also is a business thing. Internal control, simply put, is good for business. Everyone in the organization has a role to play. In fact, the regulators are suggesting that even your customers and suppliers have a role to play with Scope 3 emissions. So, the opportunity to create an interconnected system here is great, but also, it’s a bit of a challenge. Now, the CFO team, the accountants and the finance professionals can certainly be the facilitators (or the conveners), but everyone in the value chain has a role in good internal control and good enterprise risk management.

Another primary difference, which we’ll be hitting on a little bit later, is that the nature of the data is different. It tends to be more qualitative. It tends to be more unstructured. It tends to be measured and modeled differently because of that qualitative, unstructured, estimated nature, which also raises the bar and the expectation on internal control.

In terms of similarities, the core competencies are very similar and could be leveraged from the finance and accounting world and even the governance world. Build in these competencies—don’t bolt them on—whether it’s strategic planning, governance risk and compliance, monitoring, etc. Competencies can certainly be leveraged, but as Doug likes to say, we have an opportunity here to teach internal control to those who are outside of finance and accounting, and we have the opportunity to teach ESG, the climate and the science to those who are in finance and accounting, so they can be more effective business partners and have that broader environmental context.


Using the Supplemental Guidance (24:10)

Michael Littenberg: The COSO framework consists of five components encompassing 17 principles. That sounds complicated and daunting to implement. Is that the case? How should a user get started?

Shari Littan: I suggested that one thing we do in the introductory section of the publication is show the framework working as a cycle. It always comes back to purpose and objectives, why the organization exists for its stakeholders, what it is attempting to do, and what is the information flow that relates to meeting those purposes and objectives. If you think about it that way, those five components are extremely logical, and they connect to each other, and then they break down into those 17 principles. For example, we start with a commitment to ethics and purpose; that gets everything in motion.

Jeff referenced the enterprise risk management (ERM) framework, and that’s where it connects into internal control. So, we look at the world from the point of view of an organization. We look at our risks, where we’re headed, why our stakeholders are on board contributing to our organization. That translates into objectives—financial objectives, operational objectives, and now, sustainable business objectives as part of that. What are the risks to meeting those objectives, and what control processes can we put in place to mitigate those risks? And then there is how we communicate and evaluate that system; it is a cycle. If you start looking at those principles, one thing that will become clear is how much they are interrelated—how your objectives relate to your risks, to the things that a company does to mitigate them. As Jeff said, it is enterprise-wide—it gets everyone speaking and moving efficiently with good information towards those results. I would say that one of the key words in the title of the framework itself is “integrated,” and that is absolutely the case in working with them.

Doug Hileman: To your point, the document does look long and intimidating, but it’s really not. The way it is structured facilitates bite-sized pieces that can be very digestible.

There are three main sections. The first section is an introduction to ESG and an introduction to COSO and the Internal Control Integrated Framework. The structure of that speaks to people who know internal controls and those who don’t, who come at it from the ESG side. So, that’s helpful context, and when I encourage people to read it, I say, “Begin with that, but don’t get bogged down in it.”

The middle section is really where the magic happens, where we dutifully march right through all the 17 principles with the points of focus and perspectives. The structure of that I think is also elegant, that the people who know internal controls will recognize the principles and points of focus, and then move into things that are sustainability relevant and see how it applies. For those who come at it from the sustainability side of the equation, I encourage in that middle section to start at the bottom and read up. For each principle, start at the things that are sustainability relevant and look familiar. When you go back to the top of the section and look at the principles and points of focus, you’ll know, “That’s what we’re talking about.” It’s a really good bridge between folks who know sustainability and folks who know internal controls.

The final section consists of pointers, tips, takeaways and suggestions, and that should really get everybody onto the same page figuratively and literally.

So, it’s really full of bite-sized chunks, and there is something in it for everyone.

Michael Littenberg: You mentioned bite-size chunks. Shari mentioned this is a cycle and thinking of the pieces as being interrelated. Is the framework’s use for sustainability reporting all-or-nothing? In other words, does a user need to address all five components and 17 principles at the same time, or can a user take a phased approach?

Jeff Thomson: It’s hard to avoid the notion that, because there are these five components and 17 principles (and we haven’t even talked about the points of focus), it could appear to be a compliance checklist as opposed to, as Shari and Doug said, part of a broader ecosystem, governance risk and compliance, strategic planning, purpose, etc., which is really—as Shari keyed on the word—“integrated.”

COSO does define what it means to have an effective system of internal control over financial reporting, but essentially COSO gives a lot of opportunity for organizations to apply and scale the principles for purposes. Basically, COSO says you have an effective system of internal control when the principles are present and functioning. That sounds like a low bar, but it’s actually a pretty high bar. It also allows for flexibility in applicability, including especially for smaller private companies who want to be credible in competing for capital and obtain a premium for being sustainable, as Shari indicated, but perhaps cannot create the super sophisticated and costly systems. But no, it really is not an all-or-nothing approach; it is principles-based.

Michael Littenberg: Principles-based—so, it sounds like then the framework and the guidance are not prescriptive in their approach to sustainability reporting, providing flexibility in that regard?

Jeff Thomson: Right.

Shari Littan: Yes, I would agree with that. In the publication, what we do, as Doug has said, we look at the structure and the language of the 2013 internal control framework, and we indeed interpret it. What we do is say, “How does this principle, how do these points of focus, as they were expressed in the 2013 framework, apply to this new, accelerating, changing world of sustainability or ESG?” Those are key, because if we’re in a changing, accelerating world, it’s not a place for prescriptive guidance.

What we really aim to do here, as Doug has mentioned, is after looking at the original language and interpreting it, we added a lot of what we called “insights” in the publication. Those are based on our research, our interviews, a review of live sustainability reports that companies have issued, and what’s happening in proxy statements with respect to boards and board charters.

We looked to the world and said, “Here’s how we make it relevant.” In saying that to a broad audience, as Doug said, with a sustainability background, finance and accounting, legal or operations background, we made it accessible to everyone. They will see their roles. We also set out intentionally to make it a document for further collaboration and a meeting of different disciplines, so they can effectively communicate with each other to go forward.

It’s very much principles-based, interpretive and flexible, so that companies at every level of maturity can pick this up and say, “I hadn’t thought about that,” or “Yes, that’s where we’re going,” or “This is most relevant to what’s happening in our organization and what our stakeholders are asking.”

Michael Littenberg: Are the framework and the guidance only relevant for reporting? For example, what if a user only wants to use the control environment and risk assessment components?

Jeff Thomson: No, it’s not only applicable for external reporting. That is where COSO might be best known, certainly in external financial reporting with Sarbanes-Oxley, and now, with the regulations coming down from the SEC and the ISSB on climate. Sometimes, you get “typecast,” to use a Hollywood term, as being only usable for one particular purpose. But the COSO frameworks in general are applicable to internal and external—like a 2x2 matrix—financial and non-financial reporting and decision-making.

For example, if you are developing a strategy and trying to track that strategy with internal metrics—customer data, financial data, partner data—you want to control that data. You want to make sure the decisions you are making for your investors and customers are smart decisions. COSO absolutely applies not only to reporting but also to decision-making, and not only to financial business information but to sustainable business information as well.

Doug Hileman: The author group used the term “porous” a lot. I think that’s a really good term. The components are interactive with each other.

We have seen in the press the dangers of companies making grand pronouncements: “We stand for integrity,” or “We’re committed to our employees,” or “We’re committed to the environment.” Whatever it is, if you set that tone, you have to follow through on it. In my experience, coming from the sustainability side, if an environmental group, procurement group, operations group or whatever, starts looking at the control framework, once they really dig into it and apply the framework, they will see gaps and inefficiencies. They might see different business units or departments using five different approaches to technology for putting things together—so, there’s opportunity for consolidation. Besides applying this for more robust and reliable data and information for external reporting, a lot of the real value of applying the internal control framework is to get a holistic view and improve the effectiveness and efficiency of how the organization operates, and, as Shari mentioned, to align all of that to the organization’s objectives.

Michael Littenberg: Sustainability is evolving rapidly. Is more guidance expected or forthcoming?

Shari Littan: There are so many different disciplines and professionals coming from different perspectives, so we at IMA are so excited to be taking this even further.

First, we’re considering some deeper dive workshops into the publication itself, including executive education. As I like to say, we all came from some other discipline—people who are involved in sustainability—it’s rather young and new, so we’re coming from different perspectives and different functions. Focusing on management accountants or corporate accounting and finance professionals as we do at IMA, we are looking at the publication and taking a little bit deeper dive at some of the aspects that the report raises that speak to the specific competencies of our constituents.

As Jeff had mentioned earlier, the process of estimating and expectations of future scenarios and modeling—that is what we would call for our constituents “FP&A” (financial planning and analysis). So, that’s one. Controls itself is another: building processes and systems and whether they are effective. That’s our folks—they are absolutely experts in that, and how you apply that to the question of third-party data and getting comfort with systems or using technology as data flows from one organization to another entity, up and down the supply chain, and how we capture and use that. So, as I say, we’re taking a little bit closer look into that.

Academics: We’re hearing from professors who are saying to us, “We never incorporated this kind of material into our curriculum. It’s time for us to become educated ourselves so we can do so.” Another thing that IMA is doing that I’m really excited about is to start building bridges and information sharing on direction with people in other professions and other disciplines, and, as I said, breaking those silos and having that multi-talent community to move forward.

This report is indeed leading us to much further and exciting opportunities.


Applying the COSO Framework and Guidance to Specific Types of Disclosures (38:25)

Michael Littenberg: We have talked about the application of the guidance generally. For the last major component of our discussion today, I want to spend some time discussing the application of the COSO framework and the guidance to some specific types of sustainability disclosures.

First, do the framework and the guidance apply equally to mandatory and voluntary sustainability disclosures, or are those addressed differently?

Doug Hileman: That is one of my favorite questions, and the short answer is, yes, it applies to everything. It is intended, as Jeff said, to be topic neutral, so it’s elegant in that way that you can apply the principles to everything. There are different types of sustainability reporting. There are different channels for sustainability reporting.

External reporting includes garden variety compliance that many of us have grown up with. Think about how the typical compliance obligation has traditionally come about: there’s a new law or regulation, and there is an internal process of what is required and how to do it. A lot of compliance involves external reporting to regulatory authorities. Many compliance requirements over the years have expanded in scope and gone outside the part of the organization that controls information from a financial perspective. We have seen that, for example, in EU RoHS and REACH and with respect to conflict minerals. Also, Scope 3 greenhouse gas emissions are getting a lot of press right now.

Several other reporting channels are not getting, in my view, enough airtime. There’s external reporting that is public, but not directly to the capital markets, such as CDP, which is one example for carbon reporting. CDP also has modules for water and supply chain.

Another reporting channel that does not get nearly enough press is B2B reporting. This data leaves the company and other stakeholders are using it, but it is not necessarily public reporting. I would suggest there are two groups of stakeholders that use that type of data. First there are the analysts who obtain data and information and scour what is public and produce output that the capital markets use. That’s not compliance necessarily, but I would suggest that the analyst community exerts considerable soft power in terms of what is expected regarding sustainability reporting and the fact that data and information must be “decision useful.” Second there are other users of garden variety B2B reporting. Business partners, notably customers, are asking for sustainability data and information, and they are using that information to determine who is in their supply chain.

When it comes to risk, we think of compliance, i.e., what is the risk of a fine or penalty or enforcement? If sustainability reporting is not complete, is not correct, is not responsive to a customer request, often the risk there is you can lose top-line sales—organizations have invested a lot of energy into getting those customers, and you hate to lose them. Requests from B2B users come in with different scopes, different topics and maybe different reporting periods.

But, it all goes back to the same data and information: “How do organizations map the right data to be fit for purpose?” It all comes back to internal controls. And that’s where I really think this document will help organizations that are confronted with this increasingly dizzying array of requests for sustainability reporting.

Michael Littenberg: You noted that the guidance is topic neutral, so that means it applies equally to climate, diversity, equity and inclusion, supply chain, governance, and other sorts of disclosures.

Doug Hileman: That’s right. It can be adapted and applied to be fit for any purpose.

Michael Littenberg: What about double materiality? Do the framework and guidance apply to impact materiality, or only to financial materiality?

Shari Littan: When we drafted this, and indeed looking at the framework itself, we do not prescribe or suggest any part of an organization’s reporting agenda. We say, “The goal is to consider what your reporting agenda should be.” I was at an event where I was presenting on the paper recently, and someone from the audience raised her hand and said, “Can we use this with GRI?” And I said, “Of course you can use it with GRI, TCFD and ISSB, because we don’t make that decision for you. We say, think about your purpose, your mission, your objectives, and then you come up with your reporting agenda and follow from there.” So, it can work with single materiality, double materiality or financial materiality, as well as one that I’d like to add to this, which is decision usefulness—it gets lost in that whole discussion of single versus double materiality—management and boards of directors are stakeholders, and they are users, so it helps with that part of the process as well.

Michael Littenberg: Forward-looking information, such as net-zero or other sustainability targets: are the framework and guidance fit for that purpose as well?

Shari Littan: Absolutely. This is another key area that has a lot of risk to it. If you’re going to report on forward-looking information, that has always been a bit of a conundrum in the regulatory reporting world, but also thinking about how we estimate, how far in the future we estimate. Financial reporting doesn’t look quite as far into the future as sustainability inherently does. It’s about the future. We have a lot of tools for estimation, expectation and measurement around those things—they need to become more sophisticated. That really comes up within the framework in considering risks and how we mitigate them. So, that’s where you’ll see risk to quality information, the assumptions that are going into making those estimations. Are we relying, for example, on government data in making those estimations? We know a storm is going to hit in the next five years, 10 years, 50 years, so what we do in our publication is say, “These are things you need to consider: good governance, controls and oversight. Consider changes that are occurring and how we’re going to consider that as part of our risk assessment in the information we’re producing.”

Doug Hileman: As a non-attorney, I’m aware there is a safe harbor provision for SEC disclosures on forward-looking information, but SEC filings are not the only place that organizations publish sustainability data, and other stakeholders may rely upon that information to an extent to make decisions that are meaningful and can affect an organization’s financial performance, their strategy and their ability to meet objectives.

There’s a graphic in a section of the document that I especially like on the three attributes of sustainability reporting, and forward-looking information is one of them. The other two are that sustainability reporting compared to financial reporting includes much more narrative, and it includes areas where the organization is expected to influence, and just like the rest of COSO, that is porous.

Picking on climate for a second, companies may say, “We aim to be carbon neutral by 2040 or 2030,” or “We aim to develop products that are useful and amenable for a circular economy or make use of reusable resources.” These statements cannot just be high-level, fluff promises. Stakeholders are making decisions based on these statements, such as whether to partner with your business, whether to come to work for you, whether to invest seed capital, or whether to buy green bonds.

So, what’s behind the forward-looking statements? Look at the rest of the COSO Internal Control Framework. Do you have a cross-functional team? Do you have some procedures? Do you have some resources? Are you monitoring progress towards the goals? It can be scalable to use the elements of the COSO Control Framework as it applies for that particular situation.

Shari Littan: I want to add one thing in listening to the conversation and some of the points that Michael and Doug have been raising. We are hearing that the SEC has started to issue comment letters on company filings where the Form 10-K or financial reports are not aligned with sustainability or ESG information in other non-SEC reporting. One good thing about a good control system, governance and oversight, is to make sure that information aligns, so that internal groups are speaking cohesively and working to make sure the company is not saying two or three different things in different places. The analysts also will pick up on that.


Parting Thoughts (48:59)

Michael Littenberg: We have covered a lot of ground today. You have all been tremendously informative. Do you have any parting thoughts for our listeners?

Jeff Thomson: When I think back to 2017 and look at some of our recommendations now, they’re actually quite similar at a broad strategic perspective, and that’s this: Yes, we need and must comply with regulation, arguably even for private and smaller companies that are outside the regulatory boundaries, because we want to be credible. We want to be good citizens. We want to be compliant. We want to maintain and enhance our reputation. Likewise, we want to create long-term value for multiple stakeholders. Simply put, we think the COSO frameworks and their integrated interconnected approach can help. We suggest not keying in on the regulatory ebbs and flows, meaning the SEC final rules on climate—who knows, since they are delayed relative to original timelines—do not use that as your trigger. Begin to build in the capability now to report responsibly and with long-term value creation in mind, which includes competency in internal control from an enterprise-wide and not just a financial perspective. So, that’s our encouragement and call to action. There’s an opportunity to learn together on this journey, and we suggest that you use the COSO frameworks as part of that journey toward effective compliance to protect reputation and enhance long-term value for multiple stakeholders.

Shari Littan: I’m going to go back to that notion of trust, accountability, transparency, and how much that endures, the commitment to ethics, the commitment to being good citizens, and giving information that is indeed reliable. When we say, “Trust me,” how incredibly important that is today, as always, but particularly in today’s environment. Allegations, whether legal or just reputational, on green-washing and what that means and how we want to get this right, and that means good information and reliability. I would add to that, it ties into thinking about the next generation, which is really what sustainability to a large extent is about. One thing that I’m hearing from professors is that sustainability and business education, in particular, are attracting the next generation. It’s getting them excited that they could be part of the solution. A few years ago, I heard someone say, “How could we get anyone from this generation to work, for example, in the energy industry?” It’s a competition for talent and, as I say, exciting the next generation, who has a lot of doubts about capitalism. You can see the surveys, results and uneasiness, yet this incorporating and using all of our tools toward building a trustworthy and more sustainable world is such a brilliant way to go.

Doug Hileman: I have three comments I would offer. One is just to back up to the beginning of this process: I think it’s impressive that the COSO board saw fit to authorize this effort. When I think about the extent of influence and the reach of the COSO organizations, the member organizations that Jeff noted earlier, the fact that they saw this as a business issue and a business imperative, and authorized the effort, I think that says a lot. The second tip, and maybe the most important tip, is to encourage people to read it, use it and share it with your colleagues. Have a book club at your organization. Go through it together. Start using the same language and communicate with each other on how to use internal controls, and have the ESG folks, sustainability folks, and the accounting and finance folks learn the common language. My final tip is that this is a journey—this is not a list of tick boxes, as Jeff mentioned. Programs will mature over time. Don’t underestimate how much effort or how long this will take, but the journey will be worth it. You can have some fun with it. You can achieve some value. You can do things to add non-financial value to the environment, to the communities you work with and to your customers, and look for the value and celebrate those accomplishments. I find every place I go, all of my clients, I find pockets of excellence where that can be elevated and expanded across the organization. Look for the heroes and celebrate your accomplishments—it will happen.

Michael Littenberg: That concludes our discussion for today. I would like to thank Doug, Jeff and Shari for sharing their thoughts. I would also like to thank you, our listeners, for joining us today. We look forward to continuing to bring you updates on important ESG, CSR and business and human rights topics, and also to working with many of you. You can subscribe and listen to Ropes & Gray podcasts wherever you regularly listen to podcasts, including on Apple and Spotify. Thank you again for listening.

Doug Hileman
President, Douglas Hileman Consulting
Shari Littan
Director, Corporate Reporting Research & Policy, Institute of Management Accountants (IMA)