In Brief

Even as corporate reporting of sustainability information continues to gain in popularity, the practice is still not standardized, either domestically or globally. While not a sustainability reporting framework per se, the Internal Control—Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission provides a possible roadmap for companies looking to adjust their internal processes to enable useful reporting of sustainability information. The author lays out the benefits of applying the principles of the COSO internal control framework to sustainability reporting, stressing the importance of assembling the right team and giving them the right tools for the job.


Nearly every modern global company issues some form of external reporting on sustainability. Some companies are issuing reports to comply with new EU regulations, while others are responding to the SEC’s updated listing requirements; where not mandated, companies are issuing sustainability reports voluntarily to respond to stakeholder demands. Competing for capital from investors—particularly institutional investors with long-term horizons—companies are producing external reporting that includes environmental, social, and governance (ESG) indicators. This data, along with ratings and rankings, is now common on investor information platforms such as Bloomberg and Eikon.

Organizations and their key stakeholders now recognize that making effective business and investment decisions requires information beyond short-term financial measures. Although market demand for sustainability information continues to rise steadily, internal stakeholders (management, staff, and board members) as well as external stakeholders (asset managers, asset owners, and policymakers) often do not have the same level of confidence in the reliability, utility, and quality of currently available sustainability information that they have in traditional financial data.

Through years of research and refinement, the accounting profession today relies on the Internal Control—Integrated Framework (ICIF) of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as the gold standard for processes that promote the quality of decision-critical information. Given the growth of sustainability information and the increasing reliance of companies and their stakeholders on it, the benefits of applying the COSO ICIF to these emerging corporate information processes should be evident. A 2017 paper, “Leveraging the COSO Internal Control—Integrated Framework to Improve Confidence in Sustainability Performance Data” (Robert H. Herz et al., Institute of Management Accountants), shows the application of the COSO Internal Control Framework’s 17 principles to an organization’s sustainability information and external reporting and provides several case studies. Since then, based on the concepts raised in the paper, corporate professionals have increasingly recognized that applying these principles and the concepts that underlie the COSO Internal Control Framework enhances the value of sustainability performance information. Given such growing recognition, this article revisits that paper.

Obstacles to Producing Reliable Sustainability Performance Data

Even the briefest review of current thinking on sustainability reporting reveals significant disappointment and frustration about the lack of quality in reported information. As an extreme example, a global car company, through various reports and other information given to the market, touted “clean diesel” vehicles that failed to meet legal emissions limits. More commonly, however, companies are piecing together information based on multiple different sustainability standards, frameworks, and key performance indicators to meet the evolving expectations of investors, rating agencies, and potential partners in requests for proposals.

Several characteristics distinguish a company’s sustainability performance data from traditional financial data. Presentations of sustainability data generally follow guidelines and frameworks from multiple organizations. Therefore, setting the reporting agenda often requires more judgment than conventional financial reports. Although information about a company’s sustainability initiatives is often measurable, many companies produce reports that highlight qualitative milestones. In addition, sustainability information is often more forward-looking and covers a longer-term perspective. Finally, some ESG performance is monetized, showing the effects of activities in financial terms; other data, such as greenhouse gas emissions or management diversity ratios, is reported in nonfinancial terms.

Although these new corporate ESG measures may seem novel, in many ways they follow the traditional information flows of other types of corporate performance information. The process involves gathering data regarding the company’s resources from operational departments as transactions and events occur around the world, categorizing and summarizing this data, and reporting on material information in order to meet users’ decision-making needs. Therefore, an organization can apply the time-honored methods of governance and internal controls (i.e., checks and balances for accountability) to promote the quality of reported sustainability information, regardless of whether it provides this information in a separate report or integrates it with mainstream financial reports.

Applying the COSO Framework to Sustainability Information

The purpose of applying a control framework is not to impose compliance gratuitously, but to enhance the quality and usability of information. Internal controls have value beyond simple compliance and external financial reporting. Effective internal controls can help companies grow on a sustained basis with confidence in the integrity of all types of information.

In fact, as noted in its introductory comments to Internal Control—Integrated Framework, COSO envisions the applicability of its guidelines not only to financial reporting but also to “other important forms of reporting, such as nonfinancial and internal reporting.” In summary, traditionally trained and experienced accountants using professional expertise can look to the COSO principles on effectiveness to assist their organizations in improving the quality and usefulness of sustainability information. Implementing these guidelines to develop and maintain controls that are present, functioning, and integrated can improve the reliability, relevance, and timeliness of various types of data on ESG performance and its connection to long-term value.

Integration between Sustainability and Finance

Modern corporations and their stakeholders are more attuned than ever to sustainability issues and the related effects on strategy, performance, and value. Corporations have, however, typically managed these issues separately from core finance and accounting functions. At many companies, these activities are led by marketing, corporate communications, public relations, or investor relations teams that lack any formal connection or coordination with the finance and accounting team. The sustainability information gathered, analyzed, and communicated typically resides in myriad systems outside the traditional enterprise resource planning (ERP) and financial reporting systems that are governed by internal controls.

“Internal controls over nonfinancial reporting are relatively weak,” says Brendan LeBlanc, a partner with Ernst & Young’s climate change and sustainability services practice (Herz et al. 2017). “Specifically, there have been precious little resources—people, processes and systems—put against nonfinancial reporting.” Companies lack the types of internal controls that enable consistent, credible reporting on sustainability. Better integration of sustainability and finance may be a key part of clearing the path forward.

“Sustainability has grown up outside the influence of financial reporting and its robust governance,” says Brigham McNaughton, director of Sustainable Business Solutions at PricewaterhouseCoopers (Herz et al. 2017). “Controls around this area have plenty of room for improvement, and we are seeing the conversation between sustainability and financial reporting teams happening more than ever.”

If users can rely on data related to sustainability, that data can support not only external reporting but also internal decision-making. This information, which addresses how a company utilizes a range of resources, can support the following endeavors:

  • Promoting enterprise-level goals
  • Communicating external stakeholder expectations
  • Communicating management expectations
  • Motivating operational units
  • Providing feedback for senior management
  • Setting benchmarks against competitors
  • Setting milestones for progress
  • Highlighting strategic advantages.

None of this is possible, however, unless the sustainability data is reliable, credible, and useful for analysis and action.

Applying the Accounting Team’s Expertise

If a reporting entity includes sustainability information in its statutory filings, the entity becomes subject to the same internal reporting oversight that it applies to financial reporting. Even if a company issues its sustainability report separately, however, the expertise of the CFO team is well suited to lead the design, operation, and maintenance of internal controls and governance over sustainability performance information by applying the same techniques that it utilizes over other operational and financial data.

An organization that is beginning to design its internal controls over key sustainability performance information can apply the same approach that it uses for internal controls over financial reporting:

  • Determine objectives: establish, document, and communicate objectives and accounting principles for specific sustainability factors, with adequate detail to support risk assessment in application.
  • Identify and assess risks: evaluate the relevant qualitative and quantitative risk factors that may result in material misstatement and thereby jeopardize the company’s ability to meet its reporting objectives for sustainability performance information.
  • Identify control activities: after assessment of the processes for measuring, managing, and reporting sustainability information along with the related risks, identify and develop specific control activities to mitigate or manage the risk to keep it at an acceptable level.
  • Evaluate effectiveness: based on the ICIF and its principles, regularly evaluate the design and operation of the control system.

Applying a systematic, consistent framework and implementing an effective control system over sustainability information can generate many benefits, including the following:

  • Aligning the organization’s data and information technology initiatives with its governance policies
  • Enhancing data quality, utility, comparability, and reliability
  • Strengthening support for operational and compliance objectives
  • Providing decision-useful information for internal management, external investors, resource providers, and other interested stakeholders
  • Enhancing the organization’s understanding of its material risks and opportunities to mitigate them
  • Supporting transparency and efficiency in the capital markets
  • Providing access to capital, particularly to long-term investors, with a lower cost of capital.

These benefits will accrue to organizations that align their sustainability objectives with their business strategies, because alignment focuses attention on matters that have the most material effects.

Metrics that relate to key sustainability matters provide companies with business intelligence to support decision-making, manage performance, and allocate resources. At the same time, the information provides external disclosures to investors and other resource contributors that enable them to make informed allocation decisions.

Leading Examples

Sustainability reporting teams are content experts in ESG data, but they may lack expertise in the development of information reporting systems and controls. For example, in implementing its sustainability programs, Novo Nordisk applied the Internal Control—Integrated Framework’s objectives and relied heavily on its Sarbanes-Oxley Act of 2002 (SOX) specialists to align, to the extent feasible, internal controls over sustainability performance data with its internal controls over financial reporting. The project lead, Cora Olsen, observes that breaking down walls between sustainability and finance was key to their success (Herz et al. 2017). To limit scope and cost, the company used a top-down, risk-based approach and materiality assessment to identify the most crucial areas.

The California State Teachers’ Retirement System (CalSTRS), the eleventh largest U.S. pension fund, voluntarily reports on certain material risks identified in the Sustainability Accounting Standards Board’s (SASB) industry standard for asset management. To help ensure that its reported indicators on enterprise risk, human resources, compensation policies, and performance are complete, accurate, and timely, the company uses data that it prepares and vets through its existing internal control processes.

Importantly, these processes include oversight by CalSTRS senior leadership and its board of directors. Moreover, as SASB issued final voluntary reporting standards for 77 industries in late 2018, many other companies are adopting or planning to adopt these standards in reporting on their material sustainability issues and activities to investors and other stakeholders.

Although establishing effective internal controls over sustainability performance data remains a nascent practice, the experience of leading companies provides crucial insights into the evolution of best practices:

Cultivate a culture of accountability.

Each person involved in the collection, validation, management, and reporting of sustainability information should understand the significance of company performance and effective controls.

Establish a cross-functional team.

A cross-functional team provides diverse subject matter expertise and perspectives. Establishing these teams enhances employee collaboration, information sharing, and accountability. Cross-functional teams typically include members from finance and accounting; environmental, health, and safety; risk management; internal audit; investor relations; strategy; operations; information technology; compliance; and human resources. A cross-functional team can also include representatives from key suppliers or customers.

Leverage existing expertise.

The typical CFO team has considerable and well-developed know-how in applying internal control concepts. This professional team can drive the design, establishment, and maintenance of internal controls over sustainability information. Over time, the team’s involvement educates other functions, ensuring that sustainability information achieves the same quality and credibility as financial information.

Leverage existing controls.

An organization can leverage many existing controls over financial reporting functions, such as automated controls on information platforms, data governance policies, or established monitoring techniques.

Leverage technologies and platforms.

An organization can adapt existing or emerging technologies to establish and maintain a system of controls over sustainability performance data. Using these platforms can raise different risks, but these risks can be mitigated by using platforms and electronic tools that contain established control features.

Focus on materiality.

Although establishing controls over sustainability performance information may involve significant time, effort, and cost, targeting the most important factors relating to the company’s growth and long-term value can reduce the burden significantly.

Start early.

Designing and refining a system of controls that supports a company’s reporting objectives regarding sustainability information takes time. An organization can get ahead by initiating cross-disciplinary interaction that enhances the timeliness of oversight and accountability.

Start at the Top

Corporate leaders, who set the tone at any organization by supporting new initiatives, are realizing that ESG factors are integral to an entity’s ability to allocate resources, manage risk, and innovate, as well as to achieve competitive advantages with customers, employees, investors, policymakers, and other resource contributors. Leveraging the existing knowledge and skills of experienced accounting professionals in the CFO and internal audit teams helps ensure these decisions rest on reliable, high-quality information. These approaches, resting on ethically sound practices, help businesses create sustainable value over the short, medium, and long term.

Shari Littan, JD, CPA is the manager of corporate reporting technical activities at the Institute of Management Accountants, Montvale, N.J.