Blog Viewer

In a forthcoming issue of SF Magazine, Jeffrey Thomson, CEO of the Institute of Management Accountants (IMA), and I co-authored an article about how to build trust in non-financial information by using the COSO Internal Control – Integrated Framework (COSO ICIF) and technology effectively.  The article is the continuation of a journey we began in late 2017 to help raise awareness among management accountants that:

• COSO’s global internal controls framework was designed and intended for financial and non-financial information (i.e., despite perceptions that it was intended primarily for financial disclosures as seen with SOX 404)
• Although nascent among most companies at the moment, forward progress is being made by organizations to design and implement effective internal controls around environmental, social and governance (ESG) and other sustainability information and their related data lifecycle processes (e.g., data authoring, data access, data validation, data analytics and reporting); and
• Technology plays a central role in designing, implementing and monitoring effective internal controls around non-financial data in an organization’s broader information supply chain.

Our goal was to help management accountants and finance professionals understand how they can help their own organizations build greater trust in non-financial information, while simultaneously bringing it up to similar confidence levels expected of financial data.

In September 2017, Jeff and I collaborated with visionary Robert Herz (former chair of the FASB, a board member of SASB, and a well-known investor advocate), to author a thought paper entitled, “Leveraging the COSO Internal Control—Integrated Framework to Improve Confidence in Sustainability Performance Data.”  The paper tackled some of the key challenges and opportunities for the profession as members begin their own journeys towards trusting their data that is typically found ‘off the balance sheet’ in intangibles and other capitals like natural, human, intellectual, manufactured and social/relationship capitals.  This paper was intended to stimulate discussion among our members about how to begin this process and to spur them to action. 

Two months later, Thomson, Herz and I conducted a webinar audience of over 1,600 IMA members spanning more than 60 countries – such strong attendance and questions indicated a that interest among management accountants was piqued and the journey was beginning.   

However, simply understanding the COSO ICIF and how to implement it is not enough – it is missing a key ingredient to make the recipe complete: technology.  CFOs are responsible for both managing the mix of information across their companies ultimately ensuring that this information is trustworthy.  Important decisions are being made using the data that affect the organization’s ability to create value over the longer term and be sustainable.  So the data has to be correct.  Technology is a tool to help them achieve this.

Ernst & Young’s 2015 “GRC Survey” studied risk strategy, coordination of functions, internal audit, and technology, finding that only 46% of companies used any type of integrated governance, risk and compliance (GRC) solution to have better visibility of the risks associated with their various sources of data. When seen through the lens of a highly complex IT environment, data flows and risks to that data are more challenging to manage.  Data lineage traced to a ‘single source of truth’ becomes more difficult to ensure, particularly when non-financial data is found outside of traditional or legacy ERP systems that lack the same rigor of effective controls as financial data. 

Companies need technology to help them manage multiple data sets from multiple sources in order to achieve a single source of truth. Recent advances in continuous monitoring and controls in the cloud, as well as predictive and prescriptive analytics, cognitive machine learning and artificial intelligence have greatly enhanced the capabilities available to CFOs and accounting professionals to better manage the mix of information, the controls around that information and overarching data governance policies (another area that is somewhat nascent but growing among companies). In addition, XBRL, the structured digital information standard, and newer technologies like Blockchain, distributed ledgers, robotic process automation (RPA) and smart contracts, help drive innovative solutions for CFOs to use in their quest for trust in all of their information. 

In our paper, Ernst & Young Climate Change and Sustainability Partner, Brendan LeBlanc, painted a bleak picture of where the market is with respect to internal controls around non-financial information: “ “Internal controls over non-financial reporting are relatively weak,” said LeBlanc. “Specifically, there have been precious little resources—people, processes, and systems—put against non-financial reporting, nor these basic types of internal controls which serve to enable consistent, credible non-financial reporting.”  With the advent of new technologies and capabilities to complement legacy solutions, I believe this picture becomes a more vibrant tableau in the near term.

I encourage IMA members and management accountants to review the case studies in our thought paper from leading organizations around the world to gain more insight into how companies are designing and using controls for sustainability data.  Jeff Thomson and I will be leading an interactive session on this same topic at the upcoming IMA Annual Conference and Exhibition on June 19^th in Indianapolis – for those of you attending the conference, please stop by and share your ideas and ask questions about this increasingly important topic!

-------------------