Internal Controls and Sustainability Data: Closing the Confidence Gap in the Quest for Value

Jeffrey C. Thomson | November 20, 2017

It’s time to admit it. The calls for increased use of sustainability data to drive and communicate enterprise value are not going away [enterprise value can also be loosely referred to as non-financial, balanced scorecard, performance dashboard, environmental, social, and governance (ESG), and/or integrated reporting].

What started as a grassroots movement among sustainability advocates has now entered the mainstream with large institutional investors taking up the cause. Recently, Vanguard Chairman and CEO, Bill McNabb, published an open letter to boards asking them to embrace the disclosure of sustainability risks. Similarly, BlackRock, the world’s largest asset manager, recommended that, “Policy makers should focus on establishing a framework that enables stakeholders and market participants to develop detailed ESG standards and best-practice guidelines.”

Sustainability performance management more fully integrated with traditional financial analysis and reporting benefits investors and corporations alike. Reporting on sustainability data enables organizations to create, sustain, and communicate their value generation capacity and capability for stakeholders, helping strengthen global capital markets and serve the public interest. A recent Harvard Business School study corroborates this: “firms with good performance on ‘material sustainability issues’ enjoy enhanced market returns (6% annualized alpha) over firms that perform poorly on material factors.”

Sustainability performance (or related non-financial data) has unique characteristics. It is less tangible and more qualitative than financial performance data—although sustainability data is often quantifiable, as reported by companies in sustainability and corporate social responsibility reports. It is also more forward-looking, covering multiple time periods, and often more manually sourced.

For those reasons my coauthors—Robert Herz, Former Chairman of the US Financial Accounting Stability Board, and Brad Monterio, Managing Director of Colcomgroup, Inc.—and I assert in a new paper that a tangible step must be taken to improve confidence in sustainability performance data. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework is that tangible step.

The COSO Framework, originally issued in 1992 and refreshed in 2013, was developed as guidance to help improve confidence in all types of data and information. The foreword from the 2013 update reads:

  • “The Framework will enable organizations to effectively and efficiently develop and maintain systems of internal control that can enhance the likelihood of achieving the entity’s objectives and adapt to changes in the business and operating environments.”
  • “The Framework continues to emphasize the importance of management judgment in designing, implementing, and conducting internal control, and in assessing the effectiveness of a system of internal control.”
  • “The Framework has been enhanced by expanding the financial reporting category of objectives to include other important forms of reporting, such as non-financial and internal reporting.”

We believe this expansion is inclusive of sustainability performance measures and that the COSO principles on effectiveness—controls that are present, functioning, and integrated—could apply to all types of performance data, including sustainability, using professional judgment.

In the paper, we painstakingly apply the 17 COSO principles to the content domains used by the Sustainability Accounting Standards Board: environment, social capital, human capital, business model and innovation, and leadership and governance. To improve confidence in non-financial or sustainability performance data, we assert that integrated governance, strategy, and controls design are keys to success, with the CFO in a unique leadership position to leverage well-established financial processes (sourcing, reporting, analyzing, and assuring).

We took a practical approach, leveraging many third-party resources, conducting interviews, and soliciting corporate case studies from first-movers like Novo Nordisk, CalSTRS, and US Steel to support our thoughts and observations. Our goal is to help move the reporting ecosystem further along in the journey toward better utilizing, assuring, and communicating this type of data—with an emphasis on professional judgment and stakeholder learning.

The Institute of Management Accountants believes in a culture of challenge, which is why my coauthors and I decided to take on this topic. We encourage all IFAC members, including partners like the International Integrated Reporting Council, to embrace this culture of challenge and remember that the end in mind is not a standard, a control, or a report: nothing less than the strength of our global capital markets for business and societal value is at stake.


Jeffrey C. Thomson

CMA, CSCA, CAE, IMA President and CEO

Jeffrey C. Thomson is president and CEO of IMA® (Institute of Management Accountants). Since assuming this position in 2008, Thomson led the development of a strategy resulting in IMA becoming one of the fastest growing accounting associations in the world, with double-digit growth in its CMA (Certified Management Accountant) program for the past five years. Prior to joining IMA, Thomson worked at AT&T for more than two decades, where he served in various financial, strategic, and operational roles, including CFO of an $18 billion business unit. Thomson served as COSO board member from 2006 to December, 2011, during a period when COSO experienced growth in influential thought leader pieces and launched the internal controls refresh initiative.

