Welcome to Count Me In, with your host, Adam Larson. In this episode, Adam is joined by Tim Hedley, the Executive in Residence at Fordham University and Shari Littan, Director, Corporate Reporting Research & Thought Leadership at IMA.  Join this thought-provoking discussion as they delve into the importance of internal controls, the evolving landscape of sustainability reporting, and the challenges and benefits organizations face in adopting sustainable business practices.

Discover how the COSO framework, the gold standard for reliable reporting, has been adapted to include non-financial reporting objectives, aligning with the rise of sustainability and ESG reporting. Explore critical trends in the world of ESG reporting, from increasing regulations to stakeholder engagement and supply chain transparency.

Learn from Tim and Shari as they share their insights on the challenges organizations face in implementing sustainable practices and balancing short-term profits with long-term sustainability goals. Understand the significance of internal controls in providing a basis for external assurance and building stakeholder trust in reported information.

 

Adam:            Welcome to another episode of Count Me In. In today's episode, joining us are two guest experts. Tim Hedley, who is Executive-in-Residence at Fordham University, and Shari Littan, Director, Corporate Reporting, Research and Thought Leadership at IMA. Our discussion revolves around the importance of internal controls and sustainability reporting. And how they enhance trust, accountability, and reliability of the reported information. 

 

Tim and Shari share insights from the COSO framework. Which was developed to help improve confidence in all types of data and information. The landscape of sustainability reporting is constantly evolving, with shifting regulatory requirements and increased stakeholder expectations. We explore crucial trends; such as the focus on materiality and risk assessments, stakeholder engagement, supply chain transparency, and evolving reporting metrics. Let's get started, with this enlightening conversation.

 

 

Adam:            Shari, Tim, thank you so much for coming on the podcast. We're really excited to be talking about COSO, internal control, and everything in that whole ESG world. But just for our listeners, who may be unfamiliar, you could've, probably, have heard the term COSO, or ICSR, and those things before, but maybe you're not familiar with those terms. Maybe, Shari, you could take a little bit of time and define, maybe, a high-level overview of what COSO is, the significant, internal control framework, and the purpose of the new documents.

 

Shari:             I'd be happy to, thanks, Adam, it's great to be here. So COSO stands for Committee of Sponsoring Organizations and it came about in the late 1980s. It is a collaboration of five accountancy and auditing organizations. There's the American Accounting Association, which is an academic organization, primarily. AICPA, everyone is familiar.

 

IMA, where we sit, and we primarily focus on the accountants and finance professionals in business, the in-house folks are ours. Institute of Internal Auditors, and FEI, Financial Executives International. So those five organizations make up COSO.

 

COSO came about in the late 1980s, amid what was then the savings and loans crisis, and there was concern that the profession needed to do better. That we were starting to see major accounting failures, disclosure, litigation, regulation, questions. Are we doing the right things in the profession?" So the five accountancy organizations got together, and they said, "How are we going to resolve this? How are we going to promote trust and accountability in what we do, as a profession?" The focus became on this concept of internal controls, which we'll get to. 

 

So in '92, after that, the COSO, as an organization, produced its first internal control framework. And then we can move forward to 1990s, late 1990s, 2000, the Enron, WorldCom's era, which led to Sarbanes-Oxley. And Sarbanes-Oxley, rather than looking at the substance of what a company needs to disclose, again, looked at the idea of governance process, auditing, and said, "In order to produce financial reports to the markets, 

you need to focus on your systems and your controls. You need management to speak to it, in your reporting system. You need auditors to address controls." We had the PCAOP.

 

So we have this Sarbanes-Oxley, which created this idea of internal controls over financial reporting. And, although, Sarbanes Oxley didn't specifically say, "You must use the COSO framework." It was considered the best thing around, and it's become the gold standard in how to produce reliable financial or corporate reporting in more general.

 

Now, in 2013, the framework was refreshed, we got a new internal control framework. And what it did, in the 2013 refresh, is it added the idea of non-financial reporting objectives. That was around the same time, about 10 years ago, when we started to see all kinds of sustainability integrated, ESG, reporting frameworks.

 

And, so, though not express, what the framework did, in its refresh, was say "Yes, this is completely applicable to these types of activities and reporting." And, so, that leads us to where we are, today. Where, earlier, in 2023 we issued the internal control over sustainability reporting publication. And what the authors did, in that publication, was we looked at the existing internal control framework and said, "Okay, now we're seeing an acceleration of ESG or sustainability reporting and activities, performance and activities. 

 

And that means we need good information, and that means we need quality information and transparency. Let's look at the COSO Internal Control Framework, and see how we can interpret it and apply it to these new forms of reporting.

 

Adam:            Shari, I think that's a great overview. And, as you mentioned, there's the ever evolving nature of this new type of non-financial reporting, ESG reporting. There are shifts in regulatory compliance. We were just speaking before we started recording how this could change, or that could change, or this regulatory body can make a statement, at this moment, at this time, how this is constantly changing. 

 

And, Tim, maybe, I'll ask you, how do you see this landscape changing? And what should organizations be, particularly, aware of, especially, with the ever evolving nature and things constantly moving?

 

Tim:               Well, Adam, thank you, and thank you for having me here. The sustainability reporting landscape has rapidly changed, particularly, recently, to meet stakeholder expectation, and government regulations. And, Adam, your question could be an entire podcast, or a big section of this podcast if we had that kind of time, but I do see some critical trends, just some of the ones, from my perspective. 

 

I mean, many people are out there, I'm sure Shari's got all kinds of ideas of what those trends might be. But there are some that just come to mind, for me. I think the biggest one that I think about a lot, and certainly what I experience in the classroom, and then talking to people who are in the field of sustainability reporting, some of the people I work with in different contexts, I think the first one is increasing regulation.

Regulatory bodies, worldwide, are increasing their focus on sustainability reporting. And, personally, I think we should expect ever more stringent reporting requirements. And an interesting case in point, I think, is under the new California Climate Corporate Data Accountability Act.

 

U.S. companies with annual revenues of $1 billion or more, in the State of California, for report both their direct and indirect greenhouse gas emissions, in the next few years. I think that's a huge change and really indicative of the kinds of things that we can expect going forward. 

 

I think next is, probably, increased investor pressure, I have no doubt about that. Institutional investors are placing more emphasis on sustainability factors, while making investment decisions. And, actually, I just saw an actual run of this, recently, last month, actually, they are employing very structured analysis using very detailed sustainability factors. So I think there's going to be more and more demand for increased disclosures, and that's not going to go away anytime soon.

 

I think we're going to see more focus on meaningful materiality and risk assessments. People are paying a lot of attention to ensuring there are robust materiality and risk assessments, that identify and prioritize issues that are most relevant to businesses and to stakeholders. Stakeholder engagement will increasingly be more important. 

 

Engaging with stakeholders now is critical, but, I think, it's only going to become ever more so, as we move through this process. There appears to be a much keener focus on greenwashing, and I, personally, think this is a huge problem for us.

 

I think it's actually gotten to the point, where it seems that the perception of greenwashing is causing some pushback in this space and, actually, almost threatening the integrity of the effort. I think we're going to have to think a lot more about honest transparency, in this process.

 

Do we want people to actually buy into this and trust the process, and the kinds of things, this year, I was just talking about? I think I'm leaning directly toward that notion of more honest transparency. I think there's going to be a greater focus on supply chain transparency. Particularly around human rights, DEI, environmental impact, all these kinds of things. I think we've only seen the tip of the iceberg in this space.

 

I think reporting, metrics will continue to change. The metrics that investors and stakeholders focus on are changing really fast. We are seeing a great deal of movement in the EU, in particular. For example, the Corporate Sustainability Reporting Directive, which went into effect this past January, it's extending the requirement to report on sustainability management from a select number of companies in the EU to nearly all companies in the EU. Except these little micro companies, I guess. So, again, a lot of movement here, a lot of stuff is changing.

 

My bottom line, I mean, I could keep listing these things. But my bottom line is that sustainable reporting is dynamic, it's always changing, and, as professionals, we must stay informed about changes in regulations, investor perceptions, and societal expectations.

Shari:             Can I add just one thing to what Tim said, and that is we tend to focus, or we have tended to focus, when we think about corporate reporting on public companies. Because naturally there are securities regulations both in the U.S. and in various jurisdictions around the world. But one thing that we are seeing in the world of sustainability, or ESG information, is that it is going to affect small and medium-sized companies. Maybe not direct corporate disclosure, but to their commercial customers into supply chain.

 

We're actually seeing where a large public company, for example, has made net-zero commitments or other kind of commitments. And they talk about that in their public materials, and it goes into their ratings, et cetera.

 

Well, they turn around and turn to their suppliers and say, "If you want to sell to us, we want your carbon footprint data. We want your modern slavery DE&I data. And we're seeing, in a positive way, in certain places, where the large commercial buyer is working along with the smaller suppliers. The component, the agricultural companies, to say, "Let's find ways that we can work together." 

 

And it has become a competitive advantage for non-public companies to be able to say, "Not only can I deliver your components, but I can deliver your components along with quality information." We're seeing supplier audits in this area starting to come up, or industry collaborations where they're setting standards. So it's not only public companies to think about.

 

Tim:               It's not just the public companies, because I've had conversations with a lot of organizations, they're asking for my help in responding to their customers. And if they're part of the supply chain, they will, certainly, have to disclose Scope 1, 2, & 3 emissions.

 

Shari:             Exactly.

 

Tim:               And one of the problems they have is they have no clue, what in the world that company is talking about. They don't even know what the starting point is. We're talking about internal controls over sustainability reporting, this is wonderful stuff. But if you're a small organization, that's never even heard of this space, that has no idea how to report. A lot more education is going to be necessary for that upstream and downstream indirect emissions providers.

 

I've had people call me up and say, "They're asking, now, my employees, how far do they drive to work? What kind of a car do they drive?" And all of these kinds of things, and it's very confusing for, in particular Scope 1, Scope 3, emissions information providers. Like "How in the world do I capture this stuff?" And, Shari, you're absolutely right, large organizations can't get where they want to get to with their reporting, unless the entire value chain comes on board.

 

Adam:            That makes a lot of sense, and there's going to be so much pressure from the consumers and regulatory bodies. And I can imagine it's overwhelming for any organization. Maybe somebody is listening to this and saying, "I know I need to do something." And, so, maybe, we can define what some of the benefits are to organizations and some advantages, if they can apply the sustainability business, the internal control integrated framework, to their organization.

Shari:             Well, I will say that, first of all, one of the great benefits of looking to the COSO framework, or ICSR as we're referring to it in shorthand, is that we already know how to do a lot of this. We have the ability to leverage what we already know about building good governance systems, and controls, and processes, and oversight into our company systems, and looking at the information flow.

 

We can train, think about training our board, and our members, but we already have a lot of the tools, and the know-how to address the concerns. It's not as esoteric or new, it really can be rooted in what we already do.

 

Second, another great benefit is that, although, we think about COSO Internal Control with respect to external financial reporting. When you actually get into the framework, it is enterprise wide, it is holistic. 

 

If you want good reporting, well, then, you need good information, and that means you are tracking your activities, and what your company is doing. And if the company is taking steps to actually become more sustainable in their performance. Of how they source energy, and how they human resources, and take care of waste, and all of those things. So it runs throughout an entire organization. 

 

And the thing that I find is that when you think about it holistically, you start with the concept of purpose. So if you look at the publication, you look at the framework, you look at principle one, a commitment to ethical behavior, of being a good corporate citizen. And what is your purpose? 

 

Why does your company or organization exist in the world? 

 

What are you aiming to achieve?

 

Why should all of your investors, and stakeholders, and employees, stay with you? 

 

What are they going to get out of this; with respect to performance, and activities, and returns? So it leverages a reexamination, it leads to a reexamination, I should say. Why does our organization exist? 

 

What are we doing, and are we doing these things efficiently?

 

Are we doing them effectively?

 

When I first started writing this publication, when I was tapped to become part of the authorship team. I said, "Internal controls and sustainability, well, that feels a little apples and oranges, to me." But, in fact, it's really about focusing on goals. It's focusing on purpose, and objectives, and how the company achieves those, and the information that it uses to decide how it's going to use these resources.

 

Tim:               And I think I'll add something because I thought that was a great explanation by Shari. The bottom line is, from my perspective, I think the framework we're dancing or advocating and what has been put together with respect to internal control and sustainable reporting, it's comprehensive. It has widespread acceptance, it focuses correctly, in my belief, on risk management. It's very adaptable.

 

When I read the publication that Shari co-authored, it's absolutely adaptable. We had with the internal control, the Internal Control Integrated Framework, absolutely adaptable, and it works perfectly here. And, really, most importantly, it has absolute global applicability

 

Shari:             Yes, when I hear Tim say that global applicability is that there are so many regulators, and policymakers, and standard setters, and all sorts of organizations that are saying, "Here's what you need to report." It's a lot on the what to report, but this gives a framework of method of how.

 

Tim:               Yes, and it does a good job with that.

 

Adam:            I think you've given a great explanation about all the advantages and how it benefits. But I can't imagine that it's an easy process, and there are got to be challenges that people can encounter along the way. Maybe we can discuss a few of those challenges, to help people feel at ease.

 

Tim:               When I was thinking through this, you can talk about some of the challenges. But, I think, it might make sense to talk about what some of the benefits are before we got to the challenges, perhaps, because I found that significant.

 

I think the first, at least, from my perspective, the first benefit is enhanced reputation. A commitment to a purpose-driven business can enhance an organization's reputation, there's very little doubt about that. And there's a fair amount to thought leadership research, and surveys, and what have you, that support what I just said.

 

If you look at GM, you look at Procter & Gamble, those are great examples of companies, in their sustainability report that have detailed their corporate purpose in very explicit ways, and easy to read, and make a lot of sense. And really I tell you in this space, there's been a paradigm shift. From just being a shareholder-first mentality, to say, "Hey, well, you know what, there are a lot of stakeholders."

 

I think through this process you can gain a competitive advantage. Gain business practices, it can help recruit, and retain talent, just for one example. They can foster innovation. They can lead to development of new products and services. Think about electric vehicles, think about solar, think about power storage. These are all kinds of industries that we were not even really thinking much about not that many years ago, at least, not in a serious way.

 

They can provide access to new markets and opportunities. And one thing I found very important, certainly, as my work over the last 25 years in the governance space and what have you, I can go a long way to increasing stakeholder trust and engagements. It can also have significant cost savings. Case in point is 3M's, 3Ps-Pollution Prevention Pays.

And if you look at a sustainability report you'll see that, "Hey, this has saved billions of dollars since its inception." And they do a good job now of highlighting it, even though this was before we were really talking about sustainability, and ESG, and these things, and they were on top of some of the stuff.

 

Risk mitigation, sustainable practice if well executed, it can mitigate environmental, social, and governance risk, ESG risks. It can help avoid costly reputational damage, integrity breakdowns, governmental scrutiny, fines and penalties, all kinds of benefits.

 

Help provide access to capital, companies that demonstrate strong sustainable performance. Can often find it easier to access capital from socially responsible investors and from institutions that prioritize sustainable investments. Can lead to long-term value creation by producing a more stable and sustainable business model, less risk, and what I would say are higher valuations.

 

And I think that's the greatest selling point for, actually, doing this stuff in a very serious way. It really is all about long-term value creation. And, of course, finally, I would say it can differentiate your brand. If you embrace sustainability and corporate purpose, you can distinguish yourself from competitors and build a brand that resonates with your consumers. Remember, it's all about the consumers in the end.

 

There are some challenges which you had mentioned earlier, when we talked about it earlier. I think one of the biggest ones, the initial investment costs for sustainable products and efforts can be very expensive. Perhaps beyond the grasp of some, but well worth the investment for many. Understanding shifting consumer preferences is not always straightforward. Encouraging consumers to choose sustainable options over conventional ones can be slow and a challenging journey.

 

Sometimes these sustainable options are perceived, sometimes, as being more expensive. Regulatory compliance can be demanding. It may require continuous adjustments to business operations. Clients with changing environmental regulations and standards can require continuous adjustments to your business operations. Which may pose significant operational challenges.

 

Another big one is balancing short-term and long-term objectives it's often tricky. Organizations may, counter a lot of pressure to prioritize immediate profits over long-term sustainability, creating both internal and external pressure. And some may, I'm afraid, think you have to sacrifice one for the other. And, Adam, I don't buy into that, I don't believe that. But a lot of people do believe that, it's an either/or kind of thing.

 

There are significant resource limitations above and beyond the budget I mentioned earlier. Things like renewable energy sources, sometimes, are hard to find. Sourcing sustainable materials can be really difficult, not to mention human resources and talent acquisition can be very difficult.

 

Complex global operations are challenging. Multinationals might face headwinds in implementing uniform sustainability standards across diverse regulatory environments, cultural norms, socio-economic situations. Further global supply chains are incredibly complex. Much more so than domestic organizations, and requires a great deal of collaboration to make this work.

 

And, then, finally, in this area, I would say the greenwashing concerns, we kind of touched upon it earlier. But with the focus on sustainability, there is a risk of an organization engaging in greenwashing. Where they make misleading claims about the environmental benefits of their products or operations. Such practices can lead to reputational damage and loss of trust among stakeholders. 

 

I know I've talked twice about greenwashing, but it is a huge problem. And it really is undermining a lot of the good efforts taking place in this area. So to help ensure long-term viability and success, I think it's important to develop a comprehensive strategy that aligns sustainability goals with the overall corporate purpose.

 

Shari:             Listening to Tim, I'm reminded of a story that was shared with me a few years ago, now. It was my colleague in an agricultural company. And, of course, the questions came to them about carbon footprint, "Are you measuring greenhouse gases, et cetera?" 

 

And, so, they started to do that measurement, the inventory, instituting their processes. And in doing that what they discovered is a huge waste of water because they were looking at how they produce and operate in a more holistic, as you say, totality. 

 

And, so, in trying to quantify and measure their carbon footprint they ended up changing their entire system of water and reduced it by a lot. So they ended up having gains, by extension, to new streams of information, that they hadn't been looking at before.

 

Tim:               It really is an exercise in navel-gazing, looking deep inside yourself, to actually do this stuff. And it's not an easy process, but that's a great example of where there are all kinds of benefits, well, and it's unintended benefits, from actually going through this process, and a lot of discovery takes place. You learn a lot about yourself.

 

Adam:            It really sounds like you can learn a lot. And I think you've kind of illustrated, my last question was going to be around, how does this framework play a crucial role in ensuring effective governance, and rules, and internal control systems. Especially, concerning sustainable business practices, and what you just displayed there, Shari, for us, was a great example of that. And if there are any other examples you guys can share, I think that would be really helpful, and encouraging as people are thinking about this and looking at it. Because it's inevitable that it will be affecting every organization.

 

Shari:             Yes, here's another example that I thought of, when you're getting more into the risk and the overall reasons, to think about sustainable business. But I do remember if you drive along highways now, how often do you see charging stations. 

In fact, I saw, not far from where I live, a former gas station had completely changed into an electric vehicle station. And I thought somebody else in that supply chain, if you create fuel pumps, you might want to think about changing that business model, and that's what the information can bring forward.

 

Tim:               Yes, earlier I had mentioned that notion of a robust, risk, and materiality assessment. And just adding on to what Shari was saying, I had a conversation not long ago with a tire manufacturer. So they were doing deep dives and taking it very seriously. But they started understanding things that were hugely important and material, they'd never thought about before.

 

For example, when you drive down the road, your tread wears out of your tire. You don't think about, "Where does that rubber go?" Maybe it goes in the atmosphere, it goes on the street, it goes on the side of the road. And suddenly, wow, they're materiality mapping and that process is hugely dynamic. The risk assessment is dynamic, and I think people are looking for that dynamic approach to these kinds of things.

 

You can be an energy company just delivering electricity for a municipality, and suddenly you start getting into solar panels. And, suddenly, "Wow, we got new risk, where are they sourced? Where is this stuff coming from? What does that supply chain look like?"

 

So a lot of interesting things that actually pop out of going through this process. And a lot of it leads to much better decisions and also uncovering important things and cost savings, it's all there.

 

Adam:            Tim, Shari, do you have any final thoughts for our audience?

 

Shari:             Well, as we wrap up, I want to just bring it back to why the internal control, and the COSO framework, and that publication, in thinking about all these new types of activities and new types of information, that has risk associated with it. And there are business risks, but there are also risks in the information.

 

For example, we talk about supply chain, so in order to account for Scope 1, not Scope 1 because that's your data. But Scope 2 and Scope 3, you, by definition, need to get information that doesn't come from your system that you're responsible for, it has to come from a third party.

 

So there's risk in that information. So we need to think about other controls. We need to think about affiliates, or other investees, or companies that we outsource to, that we used to consider immaterial for financial reporting purposes, but now we need their information. Green Bonds, is another, where we're affirming to our lender that we are in compliance with certain ESG metrics and then they lower our interest rate, that's informational risk. 

 

We also have the risk of estimation and expectations, and how we measure prospective assumptions and leads to that kind of reporting. I think that's really huge because so much of sustainability reporting, including some of the mandatory disclosure requirements coming out of Europe, double materiality, impact accounting, it means estimating the future. That's what sustainability is all about. Do we have the resources made available to us in the future?

 

Can we count on that? 

 

Are stakeholders willing to make those available? So, anyway, it goes to the question of estimating the future, which makes many, in traditional accounting, uncomfortable. They don't like to disclose and report on the future and our assumptions. But that's a necessary part of creating the measurement techniques in order to effectuate all these new demands, for reporting all these new KPIs.

 

What I'm saying is that by following what we already know how to do, By leveraging the frameworks that we already have, it can highlight and help direct us address the innovative areas, the information, the use of digital technology, perhaps, to bring this about in a reliable way, and avoid the greenwashing that Tim has highlighted for us.

 

Tim:               Yes, I think the things that you talked about resonate with a lot of things we talked about earlier. Those things are all about long-term value creation.

 

Shari:             Agreed, absolutely.

 

Tim:               You got to be thinking about the future. And, also, one of the things that I see from the work you've done here and the internal controls of sustainability reporting. I think it's going to go a long way to helping with the notion of external assurance of this information.

 

Because now we'll have internal controls in place that make some sense, that can be tested in and of themselves, it gives a lot more confidence in what's being reported. Because stakeholders are going to take some of this stuff with a grain of salt. Unless someone actually opines it, "Hey, wow, you know what they're telling you it seems accurate enough. It's doing what it's supposed to do." 

 

I think that's going to be a huge underpinning for the document we've been discussing here. Because I think it's going to go a long way to enabling that. And unless you have that third-party attestation, the trust may not be there until we get to that point. I don't know, that's just my prediction.

 

Adam:            Well, I appreciate you guys sharing your final thoughts and sharing all your insights with our audience, today. And thanks so much, again, for coming on the podcast.

 

Shari:             Thanks so much, Adam. Tim, it's been a pleasure. 

 

 

Announcer:    This has been Count Me In, IMA's podcast, providing you with the latest perspectives of thought leaders, from the accounting and finance profession. If you like what you heard and you'd like to be counted in for more relevant accounting in finance education, visit IMA's website at www.imainet.org.