< Intro >

– Welcome to another
episode of Count Me In.

In today's episode, joining us
are two guest experts.

Tim Hedley, who is Executive-
in-Residence at Fordham University,

and Shari Littan, Director,
Corporate Reporting,

Research and Thought Leadership at IMA.

Our discussion revolves around
the importance of internal controls

and sustainability reporting.

And how they enhance trust,
accountability, and reliability

of the reported information.

Tim and Shari share insights
from the COSO framework.

Which was developed
to help improve confidence

in all types of data and information.

The landscape of sustainability
reporting is constantly evolving,

with shifting regulatory requirements
and increased stakeholder expectations.

We explore crucial trends;

such as the focus on materiality and risk
assessments, stakeholder engagement,

supply chain transparency,
and evolving reporting metrics.

Let's get started, with this
enlightening conversation.

< Music >

– Shari, Tim, thank you so much
for coming on the podcast.

We're really excited to be talking
about COSO, internal control,

and everything in that whole ESG world.

But just for our listeners,
who may be unfamiliar,

you could've, probably, have
heard the term COSO, or ICSR,

and those things before, but maybe
you're not familiar with those terms.

Maybe, Shari, you could take
a little bit of time and define,

maybe, a high-level overview
of what COSO is,

the significant, internal control framework,
and the purpose of the new documents.

– I'd be happy to, thanks, Adam,
it's great to be here.

So COSO stands for Committee
of Sponsoring Organizations

and it came about in the late 1980s.

It is a collaboration of five accountancy

and auditing organizations.

There's the American
Accounting Association,

which is an academic organization, primarily.

AICPA, everyone is familiar.

IMA, where we sit, and we primarily
focus on the accountants

and finance professionals in business,

the in-house folks are ours.

Institute of Internal Auditors, and FEI,
Financial Executives International.

So those five organizations
make up COSO.

And COSO came about in the late 1980s,

amid what was then the
savings and loans crisis,

and there was concern that the
profession needed to do better.

That we were starting to see major
accounting failures, disclosure,

litigation, regulation, questions.

Are we doing the right
things in the profession?"

So the five accountancy
organizations got together,

and they said, "How are
we going to resolve this?

And how are we going to
promote trust and accountability

in what we do, as a profession?"

The focus became on this concept
of internal controls, which we'll get to.

So in '92, after that, the
COSO, as an organization,

produced its first internal
control framework.

And then we can move forward to 1990s,

late 1990s, 2000, the Enron, Worldcom's
era, which led to Sarbanes-Oxley.

And Sarbanes-Oxley,
rather than looking at

the substance of what a
company needs to disclose,

again, looked at the idea of
governance process, auditing,

and said, "In order to produce
financial reports to the markets,

you need to focus on your
systems and your controls.

You need management to speak
to it, in your reporting system.

You need auditors to address controls."

We had the PCAOP.

So we have this Sarbanes-Oxley,

which created this idea of internal
controls over financial reporting.

And, although, Sarbanes-Oxley
didn't specifically say,

"You must use the COSO framework."

It was considered the best thing around,
and it's become the gold standard

in how to produce reliable financial
or corporate reporting in more general.

Now, in 2013, the
framework was refreshed,

we got a new internal control framework.

And what it did, in the 2013 refresh,

is it added the idea of
non-financial reporting objectives.

That was around the same
time, about 10 years ago,

when we started to see all kinds
of sustainability integrated,

ESG, reporting frameworks.

And, so, though not express,
what the framework did,

in its refresh, was say "Yes,
this is completely applicable

to these types of activities and reporting."

And, so, that leads us
to where we are, today.

Where, earlier, in 2023 we
issued the internal control

over sustainability reporting publication.

And what the authors,
did in that publication,

was we looked at the existing
internal control framework

and said, "Okay, now we're
seeing an acceleration of ESG

or sustainability reporting and
activities, performance and activities.

And that means we
need good information,

and that means we need quality
information and transparency.

Let's look at the COSO
Internal Control Framework,

and see how we can interpret it and
apply it to these new forms of reporting.

– Shari, I think that's a great overview.

And, as you mentioned, there's
the ever-evolving nature

of this new type of non-financial
reporting, ESG reporting.

There are shifts in regulatory compliance.

We were just speaking before we
started recording how this could change,

or that could change, or this
regulatory body can make a statement,

at this moment, at this time,
how this is constantly changing.

And, Tim, maybe, I'll ask you, how
do you see this landscape changing?

And what should organizations
be, particularly, aware of,

especially, with the ever-evolving
nature and things constantly moving?

– Well, Adam, thank you, and
thank you for having me here.

The sustainability reporting landscape
has rapidly changed, particularly, recently,

to meet stakeholder expectation,
and government regulations.

And, Adam, your question
could be an entire podcast,

or a big section of this podcast
if we had that kind of time,

but I do see some critical trends, just
some of the ones, from my perspective,

I mean, many people are out there,

I'm sure Shari's got all kinds of ideas
of what those trends might be.

But there are some that
just come to mind, for me.

I think the biggest one that I think about a lot,

and certainly what I experience in the
classroom, and then talking to people

who are in the field
of sustainability reporting,

some of the people I work
with in different contexts,

I think the first one is
increasing regulation.

Regulatory bodies, worldwide,

are increasing their focus
on sustainability reporting.

And, personally, I think we should expect

ever more stringent
reporting requirements.

And an interesting case
in point, I think, is under

the new California Climate
Corporate Data Accountability Act.

U.S. companies with annual
revenues of $1 billion or more,

in the State of California,
were to report both their direct

and indirect greenhouse gas
emissions, in the next few years.

I think that's a huge change and
really indicative of the kinds of things

that we can expect going forward.

I think next is, probably,
increased investor pressure,

I have no doubt about that.

Institutional investors are placing more

emphasis on sustainability factors,
while making investment decisions.

And, actually, I just saw an actual run
of this, recently, last month, actually,

they are employing very
structured analysis

using very detailed sustainability factors.

So I think there's going to
be more and more demand

for increased disclosures, and that's
not going to go away anytime soon.

I think we're going to see more focus on

meaningful materiality
and risk assessments.

People are paying a lot of attention

to ensuring there are robust
materiality and risk assessments,

that identify and prioritize issues

that are most relevant to
businesses and to stakeholders.

Stakeholder engagement will
increasingly be more important.

Engaging with stakeholders now

is critical, but, I think, it's only
going to become ever more so,

as we move through this process.

There appears to be a much
keener focus on greenwashing,

and I, personally, think this
is a huge problem for us.

I think it's actually gotten to the point,

where it seems that the
perception of greenwashing

is causing some pushback in this space

and actually almost threatening
the integrity of the effort.

I think we're going to have to think a lot

about honest transparency, in this process.

Do we want people to, actually,
buy into this and trust the process,

and the kinds of things, this year,
I was just talking about,

I think I'm leaning directly toward that
notion of more honest transparency.

I think there's going to be a greater
focus on supply chain transparency.

Particularly around human rights,
DEI, environmental impact,

all these kinds of things.

I think, we've only seen the tip
of the iceberg in this space.

I think reporting, metrics
will continue to change.

The metrics that investors
and stakeholders focus on

are changing really fast.

We are seeing a great deal of
movement in the EU, in particular.

For example, the Corporate
Sustainability Reporting Directive,

which went into effect this past January,

is extending the requirement to
report on sustainability management

from a select number of companies in
the EU to nearly all companies in the EU,

except these little micro
companies, I guess.

So, again, a lot of movement
here, a lot of stuff is changing.

My bottom line, I mean, I could
keep listing these things.

But my bottom line is that sustainable
reporting is dynamic, it's always changing,

and, as professionals, we must stay
informed about changes in regulations,

investor perceptions,
and societal expectations.

– Can I add just one thing to what
Tim said, and that is we tend to focus,

or we have tended to focus,

when we think about corporate
reporting on public companies.

Because naturally there
are securities regulations

both in the U.S. and in various
jurisdictions around the world.

But one thing that we are seeing
in the world of sustainability,

or ESG information, is that
it is going to affect small

and medium-sized companies.

Maybe not direct corporate disclosure,

but to their commercial
customers into supply chain.

We're actually seeing where a
large public company, for example,

has made net-zero commitments
or other kind of commitments.

And they talk about that
in their public materials,

and it goes into their ratings, et cetera.

Well, they turn around
and turn to their suppliers

and say, "If you want to sell to us,
we want your carbon footprint data.

We want your modern slavery DE&I data.

And we're seeing, in a
positive way, in certain places,

where the large commercial buyer is
working along with the smaller suppliers,

the component, the agricultural companies,

to say, "Let's find ways that
we can work together."

And it has become a competitive
advantage for non-public companies

to be able to say, "Not only
can I deliver your components,

but I can deliver your components
along with quality information."

We're seeing supplier audits
in this area starting to come up,

or industry collaborations
where they're setting standards.

So it's not only public
companies to think about.

– It's not just the public companies,

because I've had conversations
with a lot of organizations,

they're asking for my help in
responding to their customers.

And if they're part of the supply chain,

they will, certainly, have to disclose
Scope 1, 2, & 3 emissions.

– Exactly.
– And one

of the problems they
have is they have no clue,

what in the world that
company is talking about.

They don't even know
what the starting point is.

We're talking about internal controls

over sustainability reporting,
this is wonderful stuff.

But if you're a small organization,

that's never even heard of this space,
that has no idea how to report.

A lot more education is
going to be necessary

for that upstream and downstream
indirect emissions providers.

I've had people call me up
and say, "They're asking, now,

my employees, how far
do they drive to work?

What kind of a car do they drive?"

And all of these kinds of things,
and it's very confusing for,

in particular Scope 1, Scope 3,
emissions information providers.

Like "How in the world do
I capture this stuff?"

And, Shari, you're absolutely right,

large organizations can't get where
they want to get to with their reporting,

unless the entire value
chain comes on board.

– That makes a lot of sense, and
there's going to be so much pressure

from the consumers
and regulatory bodies.

And I can imagine it's
overwhelming for any organization.

Maybe somebody is listening to this and
saying, "I know I need to do something."

And, so, maybe, we can define
what some of the benefits are

to organizations and some advantages, if
they can apply the sustainability business,

the internal control integrated
framework, to their organization.

– Well, I will say that, first of all,

one of the great benefits of
looking to the COSO framework,

or ICSR as we're referring to it in
shorthand, is that we already know

how to do a lot of this.

We have the ability to leverage what
we already know about building

good governance systems,
and controls, and processes,

and oversight into our company systems,

and looking at the information flow.

We can train, think about training
our board, and our members,

but we already have a lot of the tools, and
the know-how to address the concerns.

It's not as esoteric or new, it really
can be rooted in what we already do.

Second, another great benefit is that,

although, we think about
COSO Internal Control

with respect to external
financial reporting.

When you actually get into the framework,

it is enterprise wide, it is holistic.

If you want good reporting, well,
then, you need good information,

and that means you are
tracking your activities,

and what your company is doing.

And if the company is taking steps

to actually become more
sustainable in their performance.

Of how they source energy,
and how they human resources,

and take care of waste,
and all of those things.

So it runs throughout
an entire organization.

And the thing that I find is that
when you think about it holistically,

you start with the concept of purpose.

So if you look at the publication,

you look at the framework,
you look at principle one,

a commitment to ethical behavior,
of being a good corporate citizen.

And what is your purpose?

Why does your company or
organization exist in the world?

What are you aiming to achieve?

Why should all of your
investors, and stakeholders,

and employees, stay with you?

What are they going to get out of this;

with respect to performance,
and activities, and returns?

So it leverages reexamination, it leads
to a reexamination, I should say.

Why does our organization exist?

What are we doing, and are we
doing these things efficiently?

Are we doing them effectively?

When I first started writing this
publication, when I was tapped

to become part of the authorship team.

I said, "Internal controls and sustainability,

well, that feels a little
apples and oranges, to me."

But, in fact, it's really about
focusing on goals.

It's focusing on purpose, and objectives,

and how the company achieves those,

and the information that it uses to decide
how it's going to use these resources.

– And I think I'll add
something because I thought

that was a great explanation by Shari.

The bottom line is, from my perspective,

I think the framework we're
dancing or advocating

and what has been put together
with respect to internal control

and sustainable reporting,
it's comprehensive.

It has widespread acceptance,

it focuses correctly, in my
belief, on risk management.

It's very adaptable.

When I read the publication that Shari
co-authored, it's absolutely adaptable.

We had with the internal control, the
Internal Control Integrated Framework,

absolutely adaptable, and
it works perfectly here.

And, really, most importantly,
it has absolute global applicability

– Yes, when I hear Tim say
that global applicability

is that there are so many regulators,
and policymakers, and standard setters,

and all sorts of organizations that are
saying, "Here's what you need to report."

It's a lot on the what to report, but this
gives a framework of method of how.

– Yes, and it does a good job with that.

– I think you've given a great explanation

about all the advantages
and how it benefits.

But I can't imagine that
it's an easy process,

and there are got to be challenges that
people can encounter along the way.

Maybe we can discuss a
few of those challenges,

to help people feel at ease.

– When I was thinking through this, you
can talk about some of the challenges.

But, I think, it might make sense to talk
about what some of the benefits are

before we got to the challenges,
perhaps, because I found that significant.

I think the first, at least,
from my perspective,

the first benefit is enhanced reputation.

A commitment to a purpose-driven business

can enhance an organization's reputation,

there's very little doubt about that.

And there's a fair amount to
thought leadership research,

and surveys, and what have you,
that support what I just said.

If you look at GM, if you
look at Procter & Gamble,

those are great examples of companies,

in their sustainability report that
have detailed their corporate purpose

in very explicit ways, and easy
to read, and make a lot of sense.

And really I tell you in this space,
there's been a paradigm shift.

From just being a
shareholder-first mentality,

to say, "Hey, well, you know what,
there are a lot of stakeholders."

I think through this process you
can gain a competitive advantage.

Gain in business practices, it can
help recruit, and retain talent,

just for one example.

They can foster innovation.

They can lead to development
of new products and services.

Think about electric vehicles, think
about solar, think about power storage.

These are all kinds of industries, that we
were not even really thinking much about

not that many years ago,
at least, not in a serious way.

They can provide access to
new markets and opportunities.

And one thing I found
very important, certainly,

as my work over the last 25 years in the
governance space and what have you,

I can go a long way to increasing
stakeholder trust and engagements.

It can also have significant cost savings.

Case in point is 3M's, 3Ps
Pollution Prevention Pays.

And if you look at a sustainability report

you'll see that, "Hey, this has saved
billions of dollars since its inception."

And they do a good job of highlighting it,

even though this was before we were
really talking about sustainability,

and ESG, and these things, and they
were on top of some of the stuff.

Risk mitigation, sustainable
practice if well executed,

it can mitigate environmental, social,
and governance risk, ESG risks.

It can help avoid costly reputational
damage, integrity breakdowns,

governmental scrutiny, fines and
penalties, all kinds of benefits.

Help provide access to capital,

companies that demonstrate
strong sustainable performance.

Can often find it easier to access capital
from socially responsible investors

and from institutions that
prioritize sustainable investments.

Can lead to long-term value creation

by producing a more stable and
sustainable business model,

less risk, and what I would
say are higher valuations.

And I think that's the greatest selling point

for, actually, doing this
stuff in a very serious way.

It really is all about
long-term value creation.

And, of course, finally, I would say
it can differentiate your brand.

If you embrace sustainability
and corporate purpose,

you can distinguish yourself from
competitors and build a brand

that resonates with your consumers.

Remember, it's all about
the consumers in the end.

There are some challenges
which you had mentioned earlier,

when we talked about it earlier.

I think one of the biggest ones,
the initial investment costs

for sustainable products and
efforts can be very expensive.

Perhaps beyond the grasp of some,
but well worth the investment for many.

Understanding shifting consumer
preferences is not always straightforward.

Encouraging consumers to
choose sustainable options

over conventional ones can be
slow and a challenging journey.

Sometimes these sustainable
options are perceived,

sometimes, as being more expensive.

Regulatory compliance can be demanding.

It may require continuous
adjustments to business operations.

Clients with changing environmental
regulations and standards can require

continuous adjustments to
your business operations.

Which may pose significant
operational challenges.

Another big one is balancing short-term
and long-term objectives it's often tricky.

Organizations may, counter a lot of
pressure to prioritize immediate profits

over long-term sustainability, creating
both internal and external pressure.

And some may, I'm afraid, think you
have to sacrifice one for the other.

And, Adam, I don't buy into
that, I don't believe that.

But a lot of people do believe that,
it's an either/or kind of thing.

There are significant resource limitations

above and beyond the
budget I mentioned earlier.

Things like renewable energy sources,
sometimes, are hard to find.

Sourcing sustainable
materials can be really difficult,

not to mention human resources and
talent acquisition can be very difficult.

Complex global operations are challenging.

Multinationals might face headwinds

in implementing uniform
sustainability standards

across diverse regulatory environments,
cultural norms, socio-economic situations.

Further global supply chains
are incredibly complex.

Much more so than domestic organizations,

and requires a great deal of
collaboration to make this work.

And, then, finally, in this area, I would
say the greenwashing concerns,

we kind of touched upon it earlier.

But with the focus on sustainability,

there is a risk of an organization
engaging in greenwashing.

Where they make misleading claims

about the environmental benefits
of their products or operations.

Such practices can lead
to reputational damage

and loss of trust among stakeholders.

I know I've talked twice about
greenwashing, but it is a huge problem.

And it really is undermining a lot of the
good efforts taking place in this area.

So to help ensure long-term
sustainability and success,

I think it's important to develop
a comprehensive strategy

that aligns the sustainability goals
with the overall corporate purpose.

– Listening to Tim, I'm reminded of a story

that was shared with me
a few years ago, now.

It was my colleague in
an agricultural company.

And, of course, the questions came
to them about carbon footprint,

"Are you measuring
greenhouse gases, et cetera?"

And, so, they started to do that
measurement, the inventory,

instituting their processes.

And in doing that what they discovered

is a huge waste of water because they
were looking at how they produce

and operate, in a more
holistic, as you say, totality.

And, so, in trying to quantify and
measure their carbon footprint

they ended up changing their entire
system of water and reduced it by a lot.

So they ended up having gains, by
extension, to new streams of information,

that they hadn't been looking at before.

– It really is an exercise in navel-gazing,

looking deep inside yourself,
to actually do this stuff.

And it's not an easy process, but that's
a great example of where there are

all kinds of benefits, well,
and it's unintended benefits,

from actually going through this process,
and a lot of discovery takes place.

You learn a lot about yourself.

– It really sounds like
you can learn a lot.

And I think you've kind of illustrated, my
last question was going to be around,

how does this framework play a crucial
role in ensuring effective governance,

and rules, and internal control systems.

Especially, concerning
sustainable business practices,

and what you just displayed there, Shari,
for us, was a great example of that.

And if there are any other
examples you guys can share,

I think that would be really helpful,
and encouraging as people

are thinking about this and looking at it.

Because it's inevitable that it will
be affecting every organization.

– Yes, here's another example that I
thought of, when you're getting more

into the risk and the overall reasons,
to think about sustainable business.

But I do remember if you
drive along highways now,

how often do you see charging stations.

In fact, I saw, not far from where I live,

a former gas station had completely
changed into an electric vehicle station.

And I thought somebody else in that
supply chain, if you create fuel pumps,

you might want to think about
changing that business model,

and that's what the
information can bring forward.

– Yes, earlier I had mentioned
that notion of a robust, risk,

and materiality assessment.

And just adding on to
what Shari was saying,

I had a conversation not long
ago with a tire manufacturer.

So they were doing deep dives
and taking it very seriously.

But they started understanding things
that were hugely important and material,

they'd never thought about before.

For example, when you drive down the
road, your tread wears out of your tire.

You don't think about,
"Where does that rubber go?"

Maybe it goes in the
atmosphere, it goes on the street,

it goes on the side of the road.

And suddenly, wow, they're
materiality mapping

and that process is hugely dynamic.

The risk assessment is dynamic,
and I think people are looking

for that dynamic approach
to these kinds of things.

You can be an energy company just
delivering electricity for a municipality,

and, suddenly, you start
getting into solar panels.

And, suddenly, "Wow, we got
a new risk, where are they sourced?

Where is this stuff coming from?

What does that supply chain look like?"

So a lot of interesting things that actually
pop out of going through this process.

And a lot of it leads to much better decisions

and also uncovering important
things and cost savings, it's all there.

– Tim, Shari, do you have any
final thoughts for our audience?

– Well, as we wrap up,
I want to just bring it back

to why the internal control,
and the COSO framework,

and that publication, in thinking
about all these new types of activities

and new types of information,
that has risk associated with it.

And there are business risks, but
there are also risks in the information.

For example, we talk about supply chain,

so in order to account for Scope 1,
not Scope 1 because that's your data.

But Scope 2 and Scope 3, you, by
definition, need to get information

that doesn't come from your
system that you're responsible for,

it has to come from a third party.

So there's risk in that information.

So we need to think about other controls.

We need to think about affiliates,
or other investees, or companies

that we outsource to, that we
used to consider immaterial

for financial reporting purposes,
but now we need their information.

Green Bonds, is another, where
we're affirming to our lender

that we are in compliance
with certain ESG metrics

and then they lower our interest
rate, that's informational risk.

We also have the risk of
estimation and expectations,

and how we measure prospective assumptions

and leads to that kind of reporting.

I think that's really huge because
so much of sustainability reporting,

including some of the mandatory
disclosure requirements

coming out of Europe, double
materiality, impact accounting,

it means estimating the future.

That's what sustainability is all about.

Do we have the resources made
available to us in the future?

Can we count on that?

Are stakeholders willing
to make those available?

So, anyway, it goes to the
question of estimating the future,

which makes many, in traditional
accounting, uncomfortable.

They don't like to disclose and report
on the future and our assumptions.

But that's a necessary part of creating
the measurement techniques,

in order to effectuate all these new
demands, for reporting all these new KPIs.

What I'm saying is that by following
what we already know how to do,

by leveraging the frameworks
that we already have,

it can highlight and help direct us address
the innovative areas, the information,

the use of digital technology, perhaps,
to bring this about in a reliable way,

and avoid the greenwashing
that Tim has highlighted for us.

– Yes, I think the things
that you talked about

resonate with a lot of things
we talked about earlier.

Those things are all about
long-term value creation.

– Agreed, absolutely.
– You got to be

thinking about the future.

And, also, one of the things that I see
from the work you've done here

and the internal controls
of sustainability reporting.

I think it's going to go
a long way to helping

with the notion of external
assurance of this information.

Because now we'll have internal
controls in place that make some sense,

that can be tested in and of themselves

it gives a lot more confidence
in what's being reported.

Because stakeholders are going to take
some of this stuff with a grain of salt.

Unless someone actually opines it, "Hey,
wow, you know what they're telling you

it seems accurate enough.

It's doing what it's supposed to do."

I think that's going to be a huge
underpinning for the document

we've been discussing here.

Because I think it's going to go
a long way to enabling that.

And unless you have that
third-party attestation,

the trust may not be there
until we get to that point.

I don't know, that's just my prediction.

– Well, I appreciate you guys
sharing your final thoughts

and sharing all your insights
with our audience, today.

And thanks so much, again,
for coming on the podcast.

– Thanks so much, Adam.
Tim, it's been a pleasure.

< Outro >

– This has been Count Me In,

IMA's podcast, providing you with the
latest perspectives of thought leaders,

from the accounting
and finance profession.

If you like what you heard,
and you'd like to be counted in

for more relevant accounting
and finance education,

visit IMA's website at www.imanet.org.