How does a solid Internal Controls System help you build bridges with ESG Reporting?
- badreddinekerkeni
- Sep 6, 2022
- 8 min read
1. A bit of History
Since its inception at the end of the last century, the Internal Control Framework developed by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO) has regularly been associated with fraud scandals. As highlighted by the COSO’s chairs, Mr. D. Landsittel and R. Hirth[1], “COSO was focused on trying to resolve unprecedented, unexpected, and embarrassing fraudulent corporate financial reporting. Tarnished by these events, the sponsoring organizations banded together to try to heal their bruised reputations, mitigate these events, and develop a solution so that corporate fraudulent financial reporting would never reoccur”.
The framework developed by the COSO in the early 90s became the reference for organizations worldwide and a source of best practices to follow. Laws such as the Sarbanes-Oxley Act of 2002 (SOX) widened the impact of the COSO framework in the US and globally, making it the most trusted framework for building a reliable Internal Control System (ICS).
To better answer SOX implementation challenges, particularly Section 404, Management Assessment of Internal Controls, and reporting on Internal Controls over Financial Reporting (ICFR), the COSO issued a revised edition of its framework in 2013. Beyond clarifying and formalizing the principles of an effective internal control system, the update expanded the reporting scope beyond financial reporting to include non-financial reporting of any kind. With a clarified framework, boards of directors, executives, and management have explicit references against which they can benchmark the effectiveness of their systems. With its 17 principles spread across the five components (5-4-3-3-2), the framework took one more step toward practicability. Yet its implementation depends strongly on the Tone at the Top and on the Control Environment, to which most of the principles are allocated. A poor commitment to ethics or integrity, poor board independence from management, unclear responsibilities and structure, or an insufficient commitment to people’s competence and accountability all constitute perfect bases for failure, whatever else is functioning. It also remains vital that clear objectives are set to reflect the organization’s statement in a balanced, harmonized, and understood manner, that risks are identified and assessed, and that control activities are implemented as a result of that assessment. The overall processes should be regularly monitored for effectiveness.

2. An evolving ecosystem
However, today’s world is changing much faster than at the time the first framework was issued or adjusted. New risks (and opportunities) are emerging due (or thanks) to the much higher awareness of our communities, Generation Z in particular, not only of the risks that affect how business actors are managed internally, but also of how these businesses interact with their ecosystem. New topics such as sustainability or Environmental, Social, and Governance (ESG) matters are quickly overtaking other, more traditional risks. The rise of technology, particularly in connectivity, digitization, and data analysis, has also exposed organizations to higher risks related to cybersecurity, fraud, and abuse.
Today’s companies must fight on multiple fronts to keep their stakeholders confident in their ability to build viable business prospects, so that they can continue creating and monetizing value in the short, medium, and long term. As if this were not enough, global organizations must navigate geopolitical tensions between the world’s most influential powers, which create heightened instability in almost every region, affect trade, and expose them to strict sanctions in case of breaches.
3. Sustainability reporting challenges
COSO defines Internal Control as a “process, effected by an entity’s board of directors, management, and other personnel to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.” Operational objectives pertain to effectiveness and efficiency. Reporting objectives relate to internal and external financial and non-financial reporting, while compliance covers adherence to the laws and regulations to which the entity is subject. In this regard, multiple laws with challenging requirements have been enacted or are in the process of being passed, particularly in Europe. These include, for instance, the following Regulations and Directives:
- EU Climate Benchmarks Regulation (EU 2019/2089)[2]
- EU Sustainable Finance Disclosure Regulation (EU 2019/2088)[3]
- EU Taxonomy Regulation or Climate Delegated Act (EU 2020/852)[4]
- EU Corporate Sustainability Reporting Directive (EU 2022/2464)[5]
- EU Corporate Sustainability Due Diligence Directive, amending Directive (EU) 2019/1937[6][7]
Moreover, in November 2021, the International Financial Reporting Standards (IFRS) Foundation announced the formation of the International Sustainability Standards Board[8] (ISSB). The ISSB is developing, in the public interest, standards that should result in a high-quality, comprehensive global baseline of sustainability disclosures focused on the needs of investors and the financial markets. In June 2023, the ISSB issued two International Financial Reporting Standards on Sustainability (IFRS S):
- IFRS S1 “General Requirements for Disclosure of Sustainability-Related Financial Information”
- IFRS S2 “Climate-related Disclosures”
These Standards help improve trust and confidence in company disclosures about sustainability to inform investment decisions, and create a common language for disclosing the effect of climate-related risks and opportunities on a company’s prospects. Further standards are expected in the coming years.
In August 2022, the ISSB assumed responsibility for the standards issued by the Sustainability Accounting Standards Board[9] (SASB), an organization that has been developing industry-specific sustainability frameworks since 2011. The SASB standards, now issued within the IFRS Foundation’s structure, identify the sustainability-related risks and opportunities most likely to affect an entity’s cash flows, access to finance, and cost of capital over the short, medium, or long term, together with the disclosure topics and metrics most likely to be useful to investors.
These sit alongside other evolving frameworks, such as the Climate Disclosure Standards Board (CDSB) Framework and Guidance, which the IFRS S standards identify as one of the sources of guidance for reporting companies.
Amid all these continuously evolving changes, organizations face the challenge of how to create, collect, measure, manage, transmit, and report reliable data and useful information about their ESG performance, such as their greenhouse gas (GHG) emissions, social inclusion, and diversity, to name a few. This becomes especially challenging for organizations with multiple divisions and reporting Business Units (BUs) that operate in different industries and report to various stakeholders.
4. Importance of leveraging an effective Internal Control System
Organizations must build reporting lines for their non-financial disclosures and ensure that the data transmitted along them satisfies management’s reporting assertions. They must design, implement, and effectively operate internal controls that ensure the validity, accuracy, completeness, and proper presentation of information that must be issued in a timely manner to internal or external users.
Faced with such unprecedented challenges at every level, organizations can still leverage their existing internal control system to navigate turbulent times, drawing on their experience of implementing ICFR.
Organizations that have already established a present and functioning ICS around their existing processes will be more effective when expanding their compliance to the new requirements, as a continuation of their existing framework toward effective Internal Controls over Sustainability Reporting (ICSR). A new set of competencies[10], a risk assessment that considers newly emerging risks[11], an upgraded information system that captures and compiles data at a sufficient level and with the desired quality[12], and finally, continuously relevant monitoring of the overall ICS[13], are all principles that already exist in, and apply under, the COSO 2013 framework. The natural expansion of these principles’ scope to emerging risks such as ESG compliance must be planned so that resources and interdisciplinary teams are allocated effectively and efficiently within the cost-benefit balance.
5. Associated fraud risk considerations
All these changes naturally increase the risks of non-compliance and fraud. A new environment, characterized by new requirements, new objectives, new metrics, and new evaluations, unsettles people and processes and creates pressures and incentives to meet announced targets. New topics of interest usually require adaptation and go through a learning process during which controls are not yet mature and follow an iterative approach.
All these aspects affect the fraud factors (Opportunities, Pressure, and Rationalization) known in the classic fraud triangle theory developed by Donald Cressey[14].
6. Final word
The ESG topic, and many other present and future emerging topics of interest, will undoubtedly be one step in a continuously transforming business environment. Such a trend will continue beyond the ESG, and organizations should expect new topics of interest, new government requirements, more scrutiny from civil society, or pronounced limitations of the natural resources needed to support their current business model in a politically turbulent world.
To succeed, organizations must be prepared and able to reinvent themselves, with systems in place to detect, capture, assimilate, and use changes as they occur. The COSO Framework will continue to be a good reference for organizations of all sizes and sectors in the years to come, providing principles-based guidance that allows companies to cope with and adapt to change sustainably.
At BAK Global Risk Management, we help our clients create value through a robust and resilient risk management system, mitigating risks and creating opportunities. We provide advisory, assurance, and fraud investigation services to organizations in the private, public, and non-profit sectors. We can support you in designing and implementing effective Internal Control Systems, or in obtaining an independent opinion on your existing systems, particularly when operating in high-risk markets.
For more information about how we can help, give us a call at +49 152 51 04 19 81 or +1 (954) 496-0464 or visit our website and book your free consultation directly online at www.bak-grm.com
[1] “Call to action” preface to “Achieving Effective Internal Control over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control-Integrated Framework”, 2023. https://www.coso.org/internal-control
[2] Regulation (EU) 2019/2089 of the European Parliament and of the Council of 27 November 2019 amending Regulation (EU) 2016/1011 as regards EU Climate Transition Benchmarks, EU Paris-aligned Benchmarks and sustainability-related disclosures for benchmarks (EUR-Lex - 32019R2089 - EN - EUR-Lex (Europa.eu)).
[3] Consolidated text: Regulation (EU) 2019/2088 of the European Parliament and of the Council of 27 November 2019 on sustainability‐related disclosures in the financial services sector (EUR-Lex - 02019R2088-20200712 - EN - EUR-Lex (Europa.eu)).
[4] Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020 on the establishment of a framework to facilitate sustainable investment, and amending Regulation (EU) 2019/2088 (EUR-Lex - 32020R0852 - EN - EUR-Lex (Europa.eu)).
[5] Directive (EU) 2022/2464 of the European Parliament and of the Council of 14 December 2022 amending Regulation (EU) No 537/2014, Directive 2004/109/EC, Directive 2006/43/EC, and Directive 2013/34/EU, as regards corporate sustainability reporting (EUR-Lex - 32022L2464 - EN - EUR-Lex (Europa.eu)).
[6] At the date of this article, the proposed directive has not yet been enacted.
[7] Proposal for a Directive of the European Parliament and of the Council on Corporate Sustainability Due Diligence and amending Directive (EU) 2019/1937 (EUR-Lex - 52022PC0071 - EN - EUR-Lex (Europa.eu)).
[8] https://www.ifrs.org/groups/international-sustainability-standards-board/
[9] https://sasb.org/
[10] COSO IC Principle 4 “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.”
[11] COSO IC Principle 9 “The organization identifies and addresses changes that significantly impact the system of internal control.”
[12] COSO IC Principle 13 “The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal controls.”
[13] COSO IC Principle 16 “The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”
[14] Cressey, D. R. Other People's Money: A Study in the Social Psychology of Embezzlement. Montclair, N.J.: Patterson Smith, 1953.
Disclaimer:
This communication contains general information only and should not be considered or relied on as professional, legal, or financial advice or service. By using or viewing the attached document, you agree that BAK Global Risk Management, or any of its related individuals or entities, cannot be held liable for the use made of this document once released or for how it may circulate.