On March 30, 2023, the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”), an organization comprising five private-sector organizations with the goal of helping companies improve their performance by enhancing internal controls, risk management, governance, fraud deterrence and the reliability of financial reporting released new guidance on achieving effective internal controls over sustainability reporting (the “ICSR”). The guidance builds on COSO’s widely adopted financial control framework and provides companies with pathways for implementing trustworthy and confident sustainable business information that can be utilized internally for corporate decision making and externally for public disclosures.

Introduction

Companies are increasingly under pressure to report sustainability-related information about their businesses. These demands come from multiple directions: institutional investors seeking disclosure on certain sustainability-related topics, shareholders making sustainability-related proposals at record numbers,¹ and regulators proposing and adopting new rules requiring companies to disclose sustainability-related information, such as the Security and Exchange Commission’s (“SEC”) proposed climate-related disclosure rules, the European Union’s Corporate Sustainability Reporting Directive (“CSRD”), and the International Sustainability Standards Board’s (“ISSB”) Sustainability Disclosure Standards (which the UK government has signaled that it will adopt as part of its sustainability reporting requirements).

As companies seek to provide ESG and sustainability-related disclosure in their reporting,² it is important that they develop and maintain systems and controls to safeguard the quality and accuracy of such information. Without such systems and controls in place, companies may face risks relating to their ESG and sustainability reporting, such as regulatory enforcement actions and greenwashing claims.³ Though public companies are required to have financial disclosure controls and procedures in place, many companies have yet to begin their journey on developing internal controls over sustainability and ESG reporting,⁴ and COSO has found that ad hoc controls around key sustainability metrics and internal assurance procedures have been largely unsuccessful in creating effective, replicable, and (to the extent appropriate or required) assurable sustainability reporting controls.⁵ With that backdrop, on March 30, COSO released new guidance for implementing effective internal controls over sustainability reporting, which can help companies begin creating the structures and processes necessary to properly navigate this unfamiliar terrain.

Background on Internal Controls Over Sustainability Reporting

Disclosure controls and procedures, which consist of processes used to ensure information required to be disclosed to the SEC (described herein) is recorded, processed, summarized and reported in a timely manner,⁶ are nothing new to most companies. Companies already employ disclosure controls and procedures to prepare their financial reporting as required by auditing requirements, including GAAP. Sustainability reporting, on the other hand, differs from financial reporting in several key respects, and will require companies to rethink the way they approach disclosure controls for sustainability reporting. Many companies who collect and report sustainability information (outside of any mandatory regulated disclosures required under the EPA or similar agencies), do so on a purely voluntary basis, and much of this data is collected, stored and developed for reporting using tools often meant for other purposes. For instance, companies often triangulate greenhouse gas (“GHG”) emissions estimates using supply chain data and materials volumes that have been reverse engineered from enterprise resource planning (“ERP”) systems never designed to track emissions data.

The ISSB sustainability disclosure standards, the CSRD and the SEC’s proposed climate-related disclosure rules (if adopted as proposed) mandate certain disclosure regarding a company’s sustainability in certain respects across short-, medium- and long-term horizons. As it relates to climate information, as a first order of business, Companies need to ensure that the data they have access to is reliable. And secondly, they may need to leverage existing internal personnel or hire individuals with the right expertise to make informed judgments about the significance of certain climate change scenarios and how to extrapolate their climate-related data to assess risk over longer timespans. Furthermore, unlike financial reporting, which relies primarily on historical results data, sustainability data often involves reliance on future exogenous events and setting and reporting against targets premised on highly complex global systems and projecting resiliency scenarios. COSO’s ICSR builds on its internal control integrated framework for financial reporting (“ICFR”) by applying its effective internal control principles to sustainability reporting issues. The ICFR, and by extension the ICSR, focus on internal assurance and data integrity, and can be applied to companies regardless of size and complexity. The bottom line is this – COSO’s ICSR can help companies to develop and improve their sustainability disclosure controls and procedures by leveraging their existing financial disclosure controls and procedures and adapting them for sustainable business information.

The COSO ICSR

COSO has published internal control integrated frameworks since 1992, and the most recent iteration, ICIF-2013, is the most widely used internal control framework for compliance with Section 404 of the Sarbanes-Oxley Act, which requires management to ensure an adequate internal control structure and procedures for financial reporting, and mandates external auditors to attest to the accuracy of management’s assertions.⁷ The ICSR builds on COSO’s ICFR to provide a starting point for companies to integrate internal controls over sustainability reporting into their existing internal financial controls by applying the 17 principles of COSO’s ICFR to internal sustainability controls. According to COSO, a company will have achieved an effective system of internal controls when all 17 of the principles are present and functioning.⁸

COSO’s ICFR, which provides the foundation for the ICSR, organizes the 17 principles into five components: (i) control environment, (ii) risk assessment, (iii) control activities, (iv) information and communication and (v) monitoring activities. Each of the five components consists of several principles that describe certain internal controls and how they can be operationalized. Each component is comprised of several interrelated principles that form a roadmap for companies to follow in achieving internal sustainability reporting controls. These components intersect with three categories of objectives: operations, reporting and compliance. Operations objectives include the role of management in assessing risks; financial reporting objectives include considerations of materiality, precision and presentation of data; and compliance objectives include adherence to applicable laws and regulations. The five components are applied to each of the objectives to form a comprehensive internal control strategy.

I. Control Environment

Under the ICSR, a successful internal control environment first requires a commitment to integrity and ethical values. COSO notes that integrity and ethical values in reporting controls are essential to building trust and accountability in sustainability disclosures.

Notably, the ICSR guidelines reject a bifurcation of stakeholders and shareholders. Instead, in an acknowledgment that sustainability data can be leveraged for multiple interrelated audiences and objectives, it embraces the purpose of a corporation as the maximization of value for all stakeholders, including customers, employees, suppliers and communities, in addition to shareholders. Shareholder primacy is not a required baseline assumption for data quality and internal controls processes under the ICSR.

Successful control environments also involve independent board of director oversight in the development and performance of internal controls according to the ICSR guidance. Independent oversight may take the form of a designated committee overseeing sustainable business activities and the inclusion of one or more board members with knowledge of sustainable business practices. Pursuant to the ICSR guidelines, the board also provides an important check on management in designing and implementing controls for sustainability reporting. In turn, the ICSR guidelines recommend management work with the board to establish operational structures to support sustainable business activities and delegate responsibilities over sustainable business activities through cross-disciplinary approaches. COSO’s framework emphasizes attracting, developing and retaining competent individuals to oversee sustainable business objectives and holding individuals accountable for their internal control responsibilities to support the development of a successful control environment. The ICSR guidelines additionally note that some organizations have gone so far as to create new officer and controller roles for overseeing sustainable business information processes and reporting.

II. Risk Assessment

Risk Assessment comprises the second component of the ICSR guidelines, and begins with clearly identifying and assessing sustainability risks (e.g., climate-related risks). Accordingly, companies can achieve this objective by directing management to consider sustainability risks inherent to the company’s business, the acceptable level of sustainability risks, how those risks align with the company’s operational and financial performance goals and committing appropriate resources to meet such sustainable business goals.

To best align with the ICSR guidelines, companies should also consider the level of materiality required for their reports. While the U.S. definition of materiality is limited to information substantially likely to affect an investment decision (using a reasonable investor standard), other approaches require broader disclosure, such as the double materiality standard favored by European regulators.⁹ The ICSR guidelines also highlight several risks inherent to sustainability reporting, such as failing to meet established emissions targets and increased scrutiny by the SEC concerning the consistency of sustainability disclosures.¹⁰

When identifying and analyzing sustainable business risks, the ICSR guidelines recommend that companies perform risk assessments at all levels of the company and consider multiple risk scenarios.¹¹ Companies performing such risk assessments in compliance with the ICSR would need to consider both the qualitative and quantitative risks from the sustainable business objectives and allow management to determine the appropriate response to accept, avoid, reduce or share the sustainable business risks. Furthermore, pursuant to the ICSR guidelines, companies should incorporate fraud risk into their analyses by identifying the types of potential fraud, incentives and opportunities for individuals to fraudulently impact their company’s sustainable business activities. Potential fraud could range from incomplete reporting attributable to ambitious goal setting to intentional misstatements to secure contracts or green bonds.

Finally, the ICSR guidelines provide that companies should factor in the risk of external and internal changes that could affect their sustainable business activities. In addition to the ICSR guidelines, COSO publishes an enterprise risk management framework for sustainable business matters to help companies decide whether sustainable business risks should be analyzed alone or integrated with other sustainable business risks.

III. Control Activities

After identifying and analyzing sustainable business risks, the ICSR recommends implementing control activities to mitigate those risks to an acceptable level. This may include engaging a third party to conduct sustainability metric verification and clearly establishing internal oversight roles over sustainability controls. In designing control activities, the ICSR guidelines recommend companies determine the extent to which they rely on technology to meet their sustainability data collection, processing and reporting needs. In assessing reliance on such technologies, companies may need to consider gaps in their technology infrastructure. Pursuant to the ICSR guidelines, companies still building their sustainable reporting infrastructure should be careful to preserve the integrity of information from collection through disclosure. Similarly, the ICSR guidelines provide that companies outsourcing sustainable information collection and processing to third parties must ensure proper oversight and verifiability is in place, as the company is still ultimately responsible for the accuracy and reliability of the sustainability data.

To establish oversight controls, the ICSR guidelines recommend that companies develop policies and procedures establishing how the control environment will be used to respond to sustainable business risks, designate persons responsible and accountable for responding to risks to its sustainable business objectives and, as applicable, take corrective actions and (re)assess policies on sustainable business activities. Since reporting requirements for voluntary standards, such as the GHG Protocol,¹² inherently differ in scope from the company’s mandatory financial reporting requirements, companies may benefit from implementing policies around reporting boundaries. Similarly, establishing procedures to align the timing of the company’s sustainability report with its timeline for regulatory filings can help the company bring additional oversight to and harmonize its sustainability disclosures with its financial disclosures.

IV. Information and Communication

According to the ICSR guidelines, obtaining relevant and quality data is essential for companies to further their sustainability objectives. Implementing oversight controls allows companies to use gathered data to enable accurate and reliable decision making. ICSR’s guidelines also note that a company’s internal audit function may be an appropriate source for sustainability reporting assurance. To generate quality information, the ICSR guidelines recommend companies explore digital solutions for creating traceable audit trails and implementing data visualization tools for sustainability data.

Importantly, COSO notes that companies may need to establish realistically achievable goals with initially limited sustainability data, while improving both their goals and sophistication of data models as they generate more data over time. As part of their internal controls, the ICSR guidelines provide that companies should also consider how they intend to communicate both internally to their own personnel, and externally to other stakeholders.

Accordingly, the guidelines state that, for internal purposes, companies should put in place controls to inform personnel about expectations on sustainable business objectives. Externally, companies should establish processes for communicating the oversight of sustainable business activities and the effectiveness of such oversight with regulators, investors and other external parties. CEOs, CFOs and registered, independent accounting firms of public companies should also be apprised of any processes around internal controls for sustainable reporting, as compliance with Section 404 of the Sarbanes-Oxley Act requires companies to certify or provide an opinion on the effectiveness of the company’s internal controls over financial reporting, which the ICSR guidelines note may involve significant overlap with sustainability reporting. Under Regulation FD, public companies may also be required to communicate with investors on the effectiveness of their internal controls when responding to requests for sustainability information.

V. Monitoring Activities

Even after a company implements internal controls over sustainability reporting, it should consider regular assessment of those controls. The ICSR guidelines recommend using a combination of regular and targeted reviews of oversight controls, and adapting the monitoring of internal controls to changes in sustainable reporting needs. Over time, the company should also reassess its internal controls for sustainable reporting to better integrate them with other business processes. As provided by the ICSR guidelines, if the company identifies deficiencies in its policies and procedures related to its sustainable business activities, those deficiencies should be communicated to management, and the company should continue to reassess its internal controls over sustainability reporting.

How Else Can Companies Prepare Their Internal Controls For Sustainable Reporting?

COSO provides several best practices for companies seeking to implement effective sustainability controls using the ICSR guidelines:

First, companies should consider how they can leverage existing talent, controls and platforms when developing sustainability disclosure controls and procedures. Companies already following the ICFR likely have experts in place familiar with designing, establishing and maintaining internal controls, as well as data collection and monitoring processes that provide a foundation for sustainability disclosure controls and procedures.

Second, companies may benefit from establishing cross-functional teams comprised of members from not only their financial and accounting departments, but also representatives from their sustainability, risk management, investor relations, corporate communications, internal audit, supply chain, human resources, information technology, legal and other departments. A diverse range of perspectives – including those who are closely involved in operationalizing the company’s sustainability or other ESG related efforts – allows for a more holistic, cohesive, enterprise-level approach to disclosures.

Finally, companies may also benefit from conducting gap analyses and integrating sustainability disclosure controls and procedures proactively, rather than waiting until the release of the final CSRD and SEC proposed climate-related disclosure rules and ISSB standards. Internal controls around sustainability reporting may take significant time to develop, and taking steps to implement such controls and procedures now will make for a smoother transition when the new rules arrive.

With increasing demands for sustainability disclosures – and resulting scrutiny – it’s never been more critical to develop robust controls for the collection, processing and reporting of sustainability information for your company. Contact your V&E team if you would like more information about COSO, the ICSR, and implementing internal controls over your sustainability reporting.

¹ Ross Kerber, U.S. ESG shareholder resolutions up 22% to record level for 2022, study finds, Reuters, https://www.reuters.com/business/sustainable-business/us-esg-shareholder-resolutions-up-22-record-level-2022-study-finds-2022-03-17/ (last updated Mar. 17, 2022).

² Although often used interchangeably, the concepts of “sustainability” and “ESG” are distinct. COSO defines “sustainability” as meeting the needs of the present without compromising the ability of future generations to meet their own needs and “ESG” as categories of external disclosures used to describe sustainable business information to investors and other stakeholders. See COSO ICSR Report, p. 8.

³ See Vale S.A. (2022) (in which the SEC charged a Vale S.A. with making false and misleading claims about the safety of its dams, the failure of which caused environmental and social harms); BNY Mellon (2022) (in which the SEC charged BNY Mellon with making misstatements and omissions about performing ESG quality reviews in investment decisions); Compass Minerals (2022) (in which the SEC charged Compass Minerals with deficient disclosure controls that resulted in the company failing to properly assess the financial risks of mercury contamination in one of its former facilities)

⁴ COSO ICSR Report, pp. 6-7.

5 Id. at 11.

⁶17 CFR § 240.13a-15(e).

⁷ Sarbanes-Oxley Act, Section 404(a)(1)-(2).

⁸ COSO ICSR Report, p. 19.

⁹ Double materiality refers to the concept in which companies report on both (1) how sustainability issues create financial risks to the company and (2) how the company impacts people and the environment. European Commission, Sustainable Finance, https://ec.europa.eu/newsroom/fisma/items/754701/en (last updated July 26, 2022). The EU’s CSRD incorporates the double materiality standard to assess reporting disclosure triggers.

¹⁰ COSO ICSR Report, p. 55.

¹¹ Note that, pursuant to the SEC’s proposed climate-related disclosure rules, companies that use scenario analysis to assess the impacts of climate-related risks on their business would be subject to additional disclosure requirements. See proposed 17 CFR 229.1502(f).

¹² The GHG Protocol is currently in the process of updating its guidance on how companies must report Scope 1, 2 and 3 emissions. This may include harmonizing guidance with SEC and European disclosure initiatives.

Mollie Freeman, Next steps on process to update existing corporate standards, Greenhouse Gas Protocol (August 26, 2022), https://ghgprotocol.org/blog/next-steps-process-update-existing-corporate-standards.