How to implement ICSR guidance
In the application section of the ICSR guidance, each principle and each point of focus is cited directly from ICIF-2013, accompanied by explanations of how these might be applied to sustainability. Insights are also provided that capture relevant information about new and proposed standards or regulations, organizational practices, thought leadership materials, and extensive interviews conducted by the authors of the ICSR guidance. As the components of an effective system of internal control are highly interrelated, many of the insights provided include references to other related principles.
As summarized in the ICSR guidance, the framework creates five action points12:
Commit to integrity by stating your purpose — An initial step in the sustainability journey is stating a purpose, demonstrating the commitment to act sustainably. Stating a purpose provides a guidepost for setting specific objectives that align with that purpose. It also provides the point of reference for the other elements of the control environment including the establishment of structures, authority, and responsibilities, including human resource capabilities and compensation. Making this commitment can also serve to promote trust, transparency, and reliability.
Determine objectives — In addition to being aligned with purpose, sustainability objectives need to be sufficiently specific, well-documented, and communicated to enable risk assessment, accountability, performance monitoring, and board oversight. This includes the identification of measurements and establishment of necessary data requirements.
Identify and assess risks (and consider opportunities) — The sustainability objectives of the organization are linked integrally to each of the five categories of risk identified by ICIF-2013: operations, external financial reporting, external nonfinancial reporting, internal reporting, and compliance. These categories also require explicit expression as a predicate to considering risks. One of the insights provided in connection with Principle 6 under the Risk Assessment component of the framework is a discussion of materiality and the aforementioned concepts of dynamic materiality and impact accounting. The accompanying diagram from the ICSR guidance (Figure 3) was sourced from the “Statement of Intent to Work Together Towards More Comprehensive Corporate Reporting” to illustrate this discussion.13 It captures the “building blocks” approach to sustainability, reflecting the different materiality considerations for sustainability reporting and the potential movement of sustainability topics from one “block” to another. Additional risk identification issues include the consideration of immature information processes, risks related to estimates and expectations, risks related to third-party information, the impact of emerging trends, and fraud.
Identify control activities — The identification of controls encompasses the policies, procedures, and infrastructure that will enable the oversight necessary to ensure the achievement of sustainability objectives. Especially critical, considering the noted immature information processes and third-party data, are controls over technology. The ICSR guidance provides a list of highlighted activities that may serve to achieve the overarching goal of providing “decision-useful information that facilitates setting strategy to improve performance goals and preserve and create value” as follows:15
Assigning responsibilities with specificity (Principle 3).
Communicating duties to employees (and outside actors) with clarity and adequate background information (Principle 4 and Principle 14).
Providing informal knowledge-sharing opportunities or formal training to familiarize employees (and other actors) with sustainable business concepts (Principle 4).
Establishing roles and internal organizational structures that are aimed at meeting specified objectives (Principle 6).
Evaluating information sources for reliability with internal control techniques such as inquiry, walk-through, document inspection, recalculation, and reconciliation (Principle 10).
Managing data from outside parties, such as vendors (Principle 7 and Principle 12).
Leveraging existing technology (Principle 11).
Modernizing and investing in innovative technology solutions (Principle 11).
Formalizing existing ad hoc processes (Principle 12).
Documenting and simplifying a myriad of processes (Principle 12 and Principle 13).
Enhancing cross-disciplinary communications among departments (Principle 3 and Principle 14).
Working with internal audit to reevaluate and respond to risks (Principle 7 and Principle 14).
Utilizing insights raised by external auditors (Principle 15).
Considering insights raised by external stakeholders regarding the organization’s effectiveness in achieving its purpose in a responsible manner (Principle 15).
Evaluate effectiveness — Having established a system of internal control over sustainability enables the necessary ongoing monitoring, along with the internal and external communication about the organization’s ability to meet its sustainability objectives. Key components of the ongoing evaluation process include internal audit and verification of specialized information by nonaccounting firms.
As noted previously, external assurance has become an expectation of users of sustainability information and has been incorporated into the relevant standards and regulations. The determination of auditors’ responsibilities in this arena is complex, and as with the evolving standards for disclosure, the standards for providing assurance are also evolving. Essentially, however, regardless of jurisdiction, there is also the expectation of a transition from “limited assurance” to reasonable assurance”16:
Reasonable assurance, or “audit-level” assurance — Means the auditor can express a conclusion about whether the subject report or information is in compliance with specific regulations or standards.
Limited assurance, or “review-level” assurance — Means the auditor has collected less evidence than would be required in a reasonable assurance engagement. The auditor’s expression is limited to their conclusion about whether any matter has come to their attention that the information is materially misstated.
