The U.S. Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). In 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its updated Internal Control—Integrated Framework, which was first released in 1992. This revised framework meets the SEC’s criteria for suitability, and many companies have accordingly transitioned to this updated version. However, in addition to supporting the evaluation of ICFR, the framework offers other important lessons to boards of directors on the relevance of internal control to their risk oversight.
The control environment is vital to preserving an organization’s reputation and brand image. Since the release of the COSO framework, there have been a number of corporate scandals related to operational, compliance and reporting issues. These companies likely lacked a strong control environment in the areas that contributed to the crisis.
The control environment lays the foundation for a strong culture around the organization’s internal control system. It consists of the policies, standards, processes and structures that provide the basis for carrying out effective internal control across the organization. Through their actions, decisions, and communications, the board and senior management establish the organization’s tone regarding the importance of internal control. Management reinforces expectations at the various levels of the organization in an effort to ensure alignment of the tone in the middle with the tone at the top.
According to the COSO framework, the control environment comprises the
organization’s commitment to integrity and ethical values;
oversight provided by the board in carrying out its governance responsibilities;
organizational structure and assignment of authority and responsibility;
process for attracting, developing, and retaining competent people; and
rigor around performance measures, incentives, and rewards to drive accountability for performance.
Without a supportive boardroom culture and effective support from executive and operating management for internal control, the organization is susceptible to embarrassing control breakdowns that could tarnish its reputation and brand image. This issue is likely a contributing factor at the companies that have been hit recently with headline-grabbing scandals.
The control environment applies to outsourced processes. Organizations typically extend their activities beyond their four walls through strategic partnerships and relationships. The blurred lines of responsibility between the entity’s internal control system and those of outsourced service providers create a need for more rigorous controls over communication between all parties involved. For example, information obtained from outsourced service providers that manage business processes on behalf of the entity, and other external parties on which the entity depends for processing its information, should be subject to the same internal control expectations as information processed internally.
The point is clear: management retains responsibility for controls over outsourced activities. Therefore, these processes should be included in the scope of any evaluation of internal control over operations, compliance, and reporting, to the extent a top-down, risk-based approach determines they are relevant. Controls supporting the organization’s ability to rely on information processed by external parties include:
Vendor due diligence;
Inclusion of right-to-audit clauses in service agreements;
Exercise of right-to-audit clauses;
Obtaining an independent assessment over the service provider’s controls that is sufficiently focused on relevant control objectives (e.g., a service organization controls report); and
Effective input and output controls over information submitted to and received from the service provider.
The potential for fraud should be considered explicitly when conducting periodic risk assessments. Ongoing risk assessments are an integral part of a top-down, risk-based approach to ensuring effective internal control. In these assessments, directors should ensure that management evaluates the potential for fraudulent financial and nonfinancial reporting (e.g., internal control reports, sustainability reports and reports to regulators), misappropriation of assets, and illegal acts. In addition, the potential for third-party fraud is a relevant issue for many organizations. As the COSO Framework points out, fraud risk factors include the possibility of management bias in applying accounting principles; the extent of estimates and judgments in reporting; fraud schemes common to the industry; geographical areas where the organization operates; performance incentives that potentially motivate fraudulent behavior; potential for manipulation of information in sensitive financial and nonfinancial areas; entering into unusual or complex transactions; existence or creation of complex organizational structures that potentially obscure the underlying economics of transactions; and vulnerability to management override of established controls relating to operations, compliance and reporting.
There are important lessons learned in Section 404 compliance. Investors take reporting fairness for granted; however, when public companies restate previously issued financial statements for errors in the application of accounting principles or oversight or misuse of important facts, investors notice. The bottom line is that the markets take quality public reporting at face value. Once a company loses the investing public’s confidence in its reporting, it’s tough to earn it back.
Section 404 compliance is important in the United States because material weaknesses in ICFR provide investors early warning signs of financial reporting issues. We have gleaned many lessons in our work successfully transitioning numerous companies to the 2013 COSO framework. The most important of these lessons is that a top-down, risk-based approach is vital to Section 404 compliance. Some companies forgot to apply this approach when setting the scope and objectives for using the updated framework; as a result, they went overboard with their controls testing and documentation. We can’t stress strongly enough that the 2013 COSO Framework did not change the essence of and need for a top-down, risk-based approach to comply with Section 404.
Other lessons include:
Meet with your external auditor early and often to ensure that the company is fully aligned with the auditor on the appropriate process for transitioning to the updated framework.
Establish an effective and relevant mapping approach to link established key controls to the principles outlined in the COSO framework by leveraging the points of focus provided by the framework; start with existing controls documentation, and consider the nature of the framework’s components.
Manage the level of depth when testing indirect controls (often referred to as entity-level controls) by focusing on the specific objectives germane to ICFR; for example, for the indirect control emphasizing background checks, management should scope the application of this activity to the appropriate people designated with financial reporting responsibilities rather than all employees throughout the organization (unless management wishes to expand scope beyond financial reporting).
Focus on understanding and documenting control precision by understanding the control’s track record in detecting and correcting errors and omissions to support an assertion that the control effectively meets the prescribed level of precision.
Evaluate the completeness and accuracy of information produced by the entity to support the execution of key controls; the Public Company Accounting Oversight Board inspection reports are driving auditors to place more audit emphasis on validating system reports, queries and spreadsheets.
Applying the 2013 COSO framework to operational, compliance and other reporting objectives is virgin territory. In applying the updated COSO framework, most organizations have limited their focus to ICFR. Some organizations even believe that the framework was designed exclusively for Section 404 compliance. Such is not the case. There are benefits to using the framework for other objectives relating to operations, compliance, and other reporting. However, these efforts should be segregated from Section 404 compliance. Progressive organizations are applying the COSO Framework to other areas, such as sustainability reporting, regulatory compliance and controls over federal grants, to name a few.
Questions for Boards
The board may want to consider asking the following questions, based on the risks inherent in the entity’s operations:
Have directors paid close attention to whether the organization’s control environment is functioning effectively?
Does the organization periodically consider fraud risk in its risk assessments? Is the board satisfied that the risk of third-party fraud is reduced to an acceptable level?
Does the company’s process for complying with Section 404 apply a top-down, risk-based approach, and is the process cost-effective?
Has management considered applying the COSO framework to improve internal control in areas other than financial reporting?
Jim DeLoach is a managing director with Protiviti, a global consulting firm.
Speaking at NACD was a highlight of my year, as the audience was forward-thinking, eager to learn, and willing to grapple with tough questions in order to reach good answers. The discussions after my talk were almost as much fun as the talk itself, and there was significant appetite for a reference sheet to some of the bigger ideas I’d outlined. I hope that the summary pulled together here will prove helpful, and I welcome remarks, insights, or questions about any of it!
Disruptive trends in technology, culture, and business are converging. That convergence is an opportunity for businesses that recognize how to proceed.
Code: Technology is cheaper, faster, and better than ever before.
From software toolkits to education outlets, cloud computing to open-source big-data structures, there have never been so many ways for a motivated player to exert so much leverage so rapidly. Competitive advantages and resources that once belonged exclusively to large companies are increasingly not just accessible but freely available. In many cases, these platforms even invert such advantages—meaning that individuals who are part of porous, open groups are able to deploy better solutions faster than corporate counterparts by leveraging their communities. And all at low to no cost.
President Obama’s first campaign for the White House is a prime example of this phenomenon: he hired data specialists who used a simple method to computationally test different versions of his website in order to see which ones were generating more donations. Using this approach, he exceeded his projections by an additional 4 million e-mail addresses, a click-through rate of 140 percent, and $75 million more than was expected.
Culture: Transparency, meritocracy, and a willingness to disrupt anything characterize the new technology (and business) marketplace.
The age of playing by the rules—any rules—has largely gone by the wayside. When it’s possible to conduct corporate inversion online in under 20 minutes using a digital toolkit provided by a foreign nation state, it’s clear the playing field has changed. This is exactly what Estonia’s new “E-Estonia” initiative—which grants corporations a type of citizenship supported by cryptographically backed authentication—has been accused of enabling.
The people developing new solutions and creating new technologies take for granted an entirely different set of social (and moral) norms, which have no respect for the way your business is currently structured.
Competition: An exploding black market and a global tipping point that will occur when the remaining two-thirds of the planet come online over the next five years herald an incipient tidal wave of strange new competitors.
If you think the Internet has been disruptive during the past 20 years, you haven’t seen anything yet. The motivations and expectations of people completely new to technology differ from those of people who have already internalized it. Much like the toddler who doesn’t know what to do with a computer mouse and thinks a computer screen is broken when he can’t swipe it, new users of innovative technologies will have different expectations for what your company should provide. When you mix in a booming black market and a surging cascade of disruptive technologies—everything from drones to 3-D printing to dial-your-own genomics—you have a strange new world indeed…and one coming at you very, very quickly.
ACTION ITEMS: There’s good news in all this. You can compete just as well—if not better—by recognizing that the game has changed and adapting to the new rules.
1) Experiment, experiment, experiment.
It’s faster, cheaper, and easier than ever before to invent, test, and iterate. It’s what your competitors (and they are legion) are doing—especially the outlier startups that you so fear will flip your market as Uber did the medallion cab industry’s. The good news? You can do exactly the same thing. Even better, once you do, you already have a supply chain, established market, and deep resources to drive these new industries ahead of smaller first-time players.
What to ask your senior management: How are you implementing more agile and iterative development methodologies, and why?
2) Systematize culture change.
Empower your employees to act on your behalf. Legitimize risk. Reward insight. While this strategy looks good on paper, it is nearly impossible to execute, especially in highly efficient, competitive, and well-established organizations. Do it anyway, and you will find yourself at the helm of one of the most powerful entities in today’s market: A company that effectively innovates as a matter of course and knows how to build businesses and deploy products accordingly.
What to ask your senior management: How are we empowering our employees, at every level, to change the way our company operates? What evidence are we measuring that indicates this strategy is working?
3) Risk everything.
All business is about risk. But many companies have lost sight of the fact that this means not just mitigating risk but also embracing it. The emergence of new technology is confronting every industry with massive shifts that entail plenty of risk in the most negative sense. But the opposite is equally true, and it’s only by seizing the opportunities this time of change represents that you’ll emerge victorious. And who knows…you might even make the world a better place while you’re doing it.
What to ask your senior management: If you had to increase revenue by 25 percent this quarter, what would you try? Why aren’t we trying that?
I live every day in the future, metabolizing the new technologies that are slipping over our event horizon and into daily life. It’s a scary place to be, but it’s also one that offers boundless hope. Times of change are enormous opportunities for advancement. Those of us who experiment voraciously, learn quickly, and adapt effectively will chart the course for how human commerce unfolds over the next two decades. Our way will become the “new normal” and possibly set standards that will shape lives for generations to come. It’s not a time without risk, but it’s also a chance to change the world. What more could you want?
Josh Klein advises, writes, and hacks systems. He wants to know what you think.
The twenty-first session of the Conference of Parties (COP) convened in Paris Nov. 30-Dec. 11 last year to negotiate a legally binding international agreement on mitigating the effects of climate change. Known as both COP21 and the 2015 Paris Climate Conference, this historic meeting of parties to the United Nations Framework Convention on Climate Change (UNFCCC) resulted in the first-ever unanimous accord, with 187 countries pledging collective action to cut carbon emissions. Despite a U.S. Supreme Court setback to environmental regulations on February 10, this deal will have significant consequences for business worldwide—consequences that will unfold as governments establish regulations that enact their support for and compliance with the Paris agreement.
(Photo: Climate Action/The Sustainable Innovation Forum 2015)
What are the key elements of the agreement?
The COP21 accord seeks to accomplish specific major goals:
To restrict the increase of global temperatures to “well below” 2.0°C beyond those of the pre-industrial era, and to endeavor to limit their rise to a maximum of 1.5°C above pre-industrial averages.
To curtail the amount of greenhouse gases (GHGs) generated by human activity to levels that trees, soil, and oceans can absorb naturally by sometime within the latter half of this century.
To review each country’s contribution to emissions reduction every five years so they can scale up to the challenge.
For wealthy countries to provide “climate financing” that will enable poorer countries to adapt to climate change and switch from fossil fuels to renewable energy sources.
How can countries understand and manage their own emissions?
Like any business goal, understanding and managing emissions requires three basic steps: measurement—determining where you are and where you need to go; management—determining opportunities, challenges and actions; and reporting—monitoring and disclosing performance over time.
Among the most significant outcomes of COP21 are action plans for the ten largest CO2 emitters by country. These countries include (in order of the size of their emissions) China, the United States, the European Union (28 member states), India, Russia, Japan, South Korea, Canada, Iran, and Saudi Arabia. The major global economic sectors emitting the highest amounts of GHGs are establishing mitigation objectives (i.e., emission reduction targets) referred to as Intended Nationally Determined Contributions (INDCs). For instance, the European Union has set a target of at least a 40% reduction by 2030, and the United States is aiming for a 26%–28% reduction by 2025.
Such a global effort will have credibility only if these INDCs are made publicly available. The five-page United States INDC published on the UNFCCC site outlines how the country is planning to measure, manage, and report its performance; it also references existing U.S. laws and standards and draws on the EPA’s Greenhouse Gas Inventory Report: 1990–2013. This report breaks down responsibility for sources of GHG emissions over time and by major industry sector.
A significant amount of research went into the target of a 26%–28% reduction by 2025. The U.S. federal government is already taking steps to reduce emissions, and public-private collaborations have developed that will enable these sectors to leverage high-efficiency, low-emissions solutions and incentivize market and technology innovations in response to the challenge.
What kind of impact will climate change and the Paris Agreement have on a company’s valuation?
In an update to the Annual Study of Intangible Asset Market Value, Ocean Tomo LLC reveals that the intangible asset value of the S&P 500 grew to an average of 84% by January 1, 2015, which represents an increase of four percentage points over 10 years. As management of intangible assets has become increasingly critical to a company’s valuation, expectations for transparency about how these ‘intangible’ risks are managed have risen. These risks now extend to climate change and the costs and benefits of reducing GHG emissions.
Companies can show that they are actively managing climate-change risks and reducing their GHG emissions through research surveys like the CDP (formerly known as the Carbon Disclosure Project). The CDP was founded in 2000 in order to collect data related to carbon emissions and distribute it to interested investors. What began as a small group of activists has grown to include more than 800 institutional investors representing assets in excess of US $95 trillion.
Interested investors (asset owners and managers) have demonstrated their support of the CDP by becoming CDP signatories and being involved in a range of investment-related projects. The list of CDP Signatories and Members includes some of the largest institutional investors, such as Bank of America, BlackRock, BNY Mellon, CalPERS & CalSTRS, Goldman Sachs, Morgan Stanley, Northern Trust, Oppenheimer Funds, State Street, TIAA-CREF, T. Rowe Price, and Wells Fargo. The CDP is by far the most influential organization specializing in this area, and it maintains a comprehensive public collection of corporate performance information.
Data posted on the CDP website can be organized by country, index, industry, or company, and is also presented in reports such as the following:
These reports can be helpful to any company seeking to establish its own GHG emissions strategy. Drawing from public sources also allows a company to see the commitments and disclosures of industry peers, what customers may expect, and how suppliers are improving their own efficiency. In addition, GHG-specific data such as that reported through the CDP is now being integrated into specialized research tools, for example, analyses on Bloomberg’s Sustainable Business & Finance website. Any company (or investor) with a Bloomberg subscription can quickly compare and contrast a range of GHG-related factors, ranging from policies (i.e., climate change policy, energy efficiency policy, environmental supply chain policy) to specific GHG metrics (i.e., energy consumption per revenue, total GHG emissions per revenue, percentage of renewable energy consumption).
Do corporate and institutional customers care?
Consider the manner in which new market demands ripple through supply chains: ISO 9000, Y2K, Dodd–Frank/Conflict Minerals, etc. That same dynamic is playing out around GHG emissions. Once an organization makes a commitment to understand its own GHG footprint, it soon recognizes the degree to which its purchasing decisions influence its overall GHG footprint.
In 2010, Wal-Mart Stores Inc. announced its goal to eliminate 20 million metric tons of GHG emissions from its global supply chain by the end of 2015. The company actually exceeded its commitment by eliminating 28.2 million metric tons, which is the equivalent of taking more than 5.9 million cars off the road for an entire year. Wal-Mart achieved this reduction by implementing innovative measures across both its global operations and those of its suppliers: enhancing energy efficiency, executing numerous renewable energy projects, and collaborating with suppliers on the Sustainability Index to track progress toward reducing products’ overall carbon footprint. By 2017, Wal-Mart will buy 70% of the goods it sells in U.S. stores from suppliers that participate in this Index.
Then, of course, there is the world’s largest single procurement agency, the United States’ General Services Administration (GSA), which spends more than $600 billion annually. The GSA and the U.S. Department of Defense (DoD) are both actively involved in the management of GHGs in their supply chains. These and other federal agencies are working closely with the White House Council on Environmental Quality to understand the GHG footprint of the government’s purchasing decisions and to engage and educate suppliers on GHG reduction strategies. The Federal Supplier Greenhouse Gas Management Scorecard lists the largest suppliers to the US government by spend and identifies whether the supplier discloses its emissions and whether it has set emissions targets. This information is drawn from public sources, and, like the CDP, this scorecard creates added market pressure on public and private companies to measure, manage, and report on GHG-related activities.
Do consumers care?
In 2015, Cone Communications partnered with Ebiquity to field its third survey of global attitudes, perceptions, and behaviors around sustainability and corporate responsibility. They conducted an online survey of more than 9,500 consumers in nine of the largest countries as measured by GDP: the United States, Canada, Brazil, the United Kingdom, Germany, France, China, India, and Japan. The survey broadly described corporate social responsibility (CSR) to respondents as “companies changing their business practices and giving their support to help address the social and environmental issues the world faces today.” Respondents were then asked whether in the preceding 12 months they had:
What does the agreement mean for your business?
Awareness about fossil fuel use, carbon and GHG emissions, and climate change impact is proliferating in all segments of the economy—public and private companies; federal, state, and local governments; employees, customers, and shareholders; etc. Today’s management teams and directors need to understand where their company stands on the risk/opportunity spectrum. To begin or advance the boardroom conversation on climate-change risks and strategies for reducing GHG emissions, consider the following:
Look across the company’s value chain. Where is the company most vulnerable geographically? Which facilities are purchasing power from the highest and lowest carbon emitting electric utilities? Are there GHG reduction opportunities through our electric utility or through other energy providers in our region?
Have we taken a public position on reducing GHG emissions? Have we set goals and targets? If not, why not? If so, how are we performing? Do we have quantifiable and verifiable information?
What positions have our largest customers taken on the issue of GHG emissions? What are their expectations of us as a supplier?
Is our industry sector a leader or a laggard? How is our organization doing in comparison with our peers?
As part of the lead-up to COP21, the Science Based Targets (SBT) initiative was formed to actively engage companies in setting GHG emission reduction targets. A collaboration among the CDP, the UN Global Compact, the World Resources Institute, and the World Wildlife Fund, the SBT initiative publishes the emission reduction targets set by more than 100 of the world’s largest companies. Here are just a few examples:
Coca-Cola Enterprises has committed to a 50% reduction of absolute GHG emissions from their core business operations by 2020, using 2007 as the base year. Coca-Cola Enterprises also commits to a 33% reduction of the GHG emissions associated with manufacturing of their products by 2020, using 2007 as the base year.
General Mills has committed to reducing absolute emissions by 28% across their entire value chain from farm to fork to landfill by 2025, using a 2010 base year. These reductions include total GHG emissions across all relevant categories, with a focus on purchased goods and services (dairy, row crops, and packaging) as well as delivery and distribution.
Procter & Gamble has committed to cutting emissions from operations by 30% from 2010 levels by 2020.
Sony has committed to reducing GHG emissions from its operations by 42% below fiscal year 2000 levels by fiscal year 2020. The company also has a long-term plan for reducing its environmental footprint to zero by 2050, requiring a 90% reduction in emissions over 2008 levels by 2050.
In October 2015, more than 80 major U.S. corporations signed the American Business Act on Climate Pledge, among them such companies as Alcoa, American Express, Apple, AT&T, Berkshire Hathaway Energy, Dell, GE, General Motors, Goldman Sachs, Google, Johnson & Johnson, McDonald’s, Nike, Pepsi, Pacific Gas & Electric, Salesforce, Starbucks, UPS, etc. A range of quantitative GHG-emission reduction goals and targets are available for public review on the SBT website.
In addition, entire industries—such as the fashion and hospitality industries—are working together to set their own targets. These types of voluntary public commitments are setting precedents and thus expectations for others within and across industries and economic sectors.
Given the pending presidential election in the United States and the existing regulations referenced in the United States’ own INDC, it is unlikely that significant regulatory changes will impact business in 2016. It is likely, however, that existing standards and Executive Orders will shape the conduct and actions of specific industries.
Growing interest in the federal government’s own footprint and those of its suppliers may constitute the most significant impetus for change. As the GSA and the DoD increasingly seek suppliers with the lowest GHG emissions, these suppliers (public and private) will be incentivized to measure, manage, disclose, and verify their GHG emissions.
What do directors need to do now?
First and foremost, become familiar with your company’s carbon profile and sustainability image. You need to know the carbon footprint of your company, the company’s plans to reduce that footprint, and the company’s messaging about those plans.
Whether your company is public or private, make sure that its customers know the company’s story. Business-to-business customers expect suppliers to measure, manage, and report on carbon emissions. Directors can ensure that a credible and compelling message is communicated to customers.
Conversely, directors can ensure that the company exhibits GHG consciousness when choosing major suppliers. In a choice between two qualified vendors, why not pick the one that is also better for the sustainability of your business and the planet?
If you serve on the board of a public company, look for the names of your largest investors on the list of CDP signatories, realizing that more and more of these investors are conducting due diligence on carbon emissions in their portfolio companies. Urge your CEO to announce carbon reductions in any communications with your company’s climate-oriented investors.
Develop your business case for carbon reduction and other sustainability measures. Reducing carbon emissions means the reduction in the use of fossil fuels, which translates to cost savings. Diversifying the firm’s energy portfolio to include lower emission sources is also a strategic move in today’s market. Seeking out and procuring lower-emissions goods and services has become commonplace. Leverage your procurement spend to help reduce your overall GHG footprint.
Urge management to reach out to sources knowledgeable about climate change in order to learn more from them or even to consider them as possible business partners. Wall Street firms, private equity investors, lenders, insurers, rating agencies, and stock exchanges are all becoming involved in climate issues and can be valuable partners in identifying future risks and opportunities, as well as crafting new strategies.
Ensure your investors understand and appreciate the value of investments your company makes to reduce its carbon footprint and improve the sustainability of its operations.
BrownFlynn is a corporate sustainability and governance consulting firm with 20 years of experience supporting public and private corporations in the development and implementation of strategic corporate responsibility and sustainability programs. www.brownflynn.com
Barb Brown, co-founder and principal, has led the firm since 1996, when it was established to address the growing demand from shareholders on intangible issues such as corporate responsibility; sustainability; and environmental, social, and governance topics. Recognized as a pioneer in the industry, Brown is a sought-after speaker, author, and thought leader and has contributed her expertise to a range of professional and industry groups, as well as numerous multinational corporations.
Mike Wallace is managing director at BrownFlynn. An NACD member, he has been a regular contributor to NACD programs and publications. He has worked in the field of corporate responsibility/sustainability for more than 20 years and has presented on these topics to audiences at NACD Master Classes, the NACD Global Board Leaders’ Summit, and meetings of the Society of Corporate Secretaries and the National Investor Relations Institute. He advises public and private companies as well as boards and board committees on these issues.