Update: COSO

COSO for non-financial reporting: more transparency, more trust

Cristian Manganiello
Partner & Leader Controls Assurance

Thierry Trösch
Director for ESG Assurance

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) publishes the internationally recognised standard for internal control systems over financial reporting. The framework can also make a lasting improvement to users’ trust in non-financial reporting, such as Corporate Social Responsibility reporting.

The COSO Framework

COSO’s principal objective is to improve the quality of financial reporting by promoting good corporate governance, ethical conduct and effective internal controls. Since its publication by COSO in 1992, the ‘Internal Control – Integrated Framework’ has become the de facto global standard. Since its last revision, it can be applied to areas beyond the traditional scope of financial reporting.

Such non-financial reporting includes operational aspects, such as Corporate Social Responsibility. Increasingly, companies are being evaluated (and they measure themselves) in terms of how successfully they pursue the goals of sustainable development. To this end, they prepare information on their social, economic, tax and environmental impact, which they make available to interested stakeholders.

The COSO Framework provides a comprehensive basis for a company to develop and implement an internal control system relating to non-financial reporting. Companies can also use the COSO Framework to extend and improve existing operational controls. In this way, they can meet internal and external stakeholders’ demands for better quality non-financial reporting.

Applying COSO to non-financial reporting

The COSO Framework comprises seventeen principles divided into five main groups:

  • Control environment 
  • Risk assessment
  • Control activities 
  • Information and communication
  • Monitoring activities

The application of these principles in non-financial reporting can be a major challenge in practice. We illustrate this in the following by taking the example of Corporate Social Responsibility reporting.

Control environment

The control environment forms the basis of a comprehensive internal control system. Among other things, it establishes the ‘tone at the top’, influencing awareness of the controls and, thus, intrinsic factors such as ethical values, integrity or the competences of employees involved in reporting. The way the Board of Directors and executive management approach the internal control system has a significant impact on how the system is defined and implemented.

In our experience, the Board and Senior Management don’t support non-financial reporting sufficiently – if at all. Accordingly, the existing framework for the reporting of Corporate Social Responsibility indicators is inadequate; the organisation, processes and controls aren’t as mature as those for financial reporting. Frequently, employees lack incentives, meaning that the quality of the reported information suffers.

Risk assessment

According to COSO, a company should set up a systematic and continuous process to identify, analyse and evaluate its key risks relating to non-financial reporting, just as it does for its financial reporting.

In practice, however, risk assessment and risk management in the area of Corporate Social Responsibility usually aren’t part of the company-wide processes. Consequently, they are either very informal or don’t exist at all. In addition, experience shows that the employees responsible have little or no direct involvement in risk assessment and risk management. Furthermore, they have only limited awareness of the risks associated with corporate responsibility reporting. Such risks are usually difficult to identify and assess, and their direct financial impact is limited because they are often reputational risks.

Control activities

According to COSO, a company has to define and implement processes and internal controls, perform them consistently and document them. In this way, it can ensure it achieves the operational objectives of its controls and manage the key risks identified by the risk assessment. 

Here too, experience shows that processes and controls aren’t executed consistently. This is because the Board and Senior Management don’t issue mandatory requirements and there is no systematic identification of the risks relating to Corporate Social Responsibility reporting. For example, a manufacturing company’s technicians may be unaware of the need to report local water consumption data correctly and completely. Failure to do so can directly affect the accuracy of non-financial reporting. Moreover, reliance on people rather than system-based processes and controls means that the quality of the recorded data varies depending on the individual employee involved.

Information and communication

Non-financial reporting enables a company to support its business decisions and provide internal and external stakeholders with important information. But this assumes the relevant information is complete, accurate and communicated in a timely manner to the individuals responsible.

In our experience, the informal processes in the area of Corporate Social Responsibility often can’t assure adequate communication, and the employees involved don’t fully grasp the extent of their role. The technicians mentioned, for instance, are usually unaware of their key role within the internal control system. They may consider collecting data as just an extra burden, which might have a negative effect on the quality of the data they provide.

Monitoring activities

A company should regularly monitor its internal control system to ensure that all processes and controls are operating effectively. The line organisation, internal audit or an external auditor can perform this assurance activity.

Unlike financial reporting, non-financial reporting – such as in the area of Corporate Social Responsibility – is often neglected. The managers responsible often fail to adequately address the control activities and internal audit usually treats the subject selectively.

Conclusion

Non-financial reporting is growing ever more important. Stakeholders no longer make investment decisions solely based on financial information. Increasingly, their decisions also take into account a company’s commitment to sustainable development. Accordingly, your company needs to pay just as much attention to non-financial reporting as to financial reporting. The COSO Framework is an internationally recognised standard that provides you with a practical tool to help you do so.

Contact us

Cristian Manganiello

Partner, Digital Assurance & Trust, PwC Switzerland

Tel: +41 58 792 56 68

Thierry Trösch

Partner, Sustainability Assurance, PwC Switzerland

Tel: +41 58 792 51 15