This information is typically included in sustainability; corporate social responsibility (CSR); integrated reports; and environmental, social, and governance (ESG) disclosures to the markets. In part, the intent of the paper was to catalyze discussion among accounting and finance professionals about how to design and use effective controls over nonfinancial data in a manner similar to those they already use for financial information. We presented the paper in November 2017 to a webinar audience of more than 1,600 IMA® (Institute of Management Accountants) members spanning more than 60 countries, which indicated a strong global interest in the evolution of corporate reporting.

As nonfinancial data increasingly becomes part of the mix of information used by both internal management and external stakeholders—such as investors, analysts, regulators, or community groups—the need for confidence in that data also grows. Integrated reporting, arguably one of the more evolved forms of corporate reporting to date, is centered around a multicapital model that looks at the changes in stocks and flows of six capitals: financial, human, natural, manufactured, intellectual, and social/relationship.

The premise behind integrated reporting and the multicapital model is that it’s a more comprehensive approach to showing how an organization creates value over the short and long term. The thinking behind this approach is that more indicators of value are found outside the financial statements, off the balance sheet rather than on. It follows that confidence in the integrity of performance data associated with the five nonfinancial capitals is needed for them to be useful in internal decision making and external disclosures to investors and other stakeholders.

When asked what lies ahead on the road toward integrated reporting (of which sustainability performance information is part), John White, former director of the U.S. Securities & Exchange Commission’s (SEC) Division of Corporation Finance, responded simply, “Controls, controls, controls” (“Panel Discussion on Integrated Reporting: A Practical Perspective from Preparers and Practitioners,” The CPA Journal, July 2017). COSO’s Internal Control—Integrated Framework was always designed and intended to cover financial and nonfinancial information.

But it had been somewhat perceived as a framework for controls solely over external reporting of financial information to satisfy Sarbanes-Oxley Section 404 requirements in the United States. Given global reporting and disclosure trends like integrated reporting (and thinking), along with the use of balanced scorecards and strategy maps to help organizations understand where and how value is created, companies need to ensure their sourcing, reporting, and use of nonfinancial performance data for internal and external purposes carry with them a high level of confidence. COSO’s Framework helps them accomplish this goal.

An overall data governance strategy and set of policies must also be in place to help companies manage data effectively and efficiently through the data life cycle—from data creation, access, and aggregation to validation, analysis, and disclosure for decision making. Effective internal controls are foundational to good data governance. Enabling technologies are critically important as well, as we’ll describe below.

Often, nonfinancial data comes from myriad sources within an organization and across its supply chains, often outside the enterprise resource planning system. CFOs managing the mix of information worry about controls around, and risks to, the various financial and nonfinancial information sets, which can be challenging to face without leveraging technology.

According to a 2015 GRC Survey by EY that looked at risk strategy, coordination of functions, internal audit, and technology, only 46% of companies used any type of integrated governance, risk, and compliance (GRC) solution to have better visibility of the risks associated with myriad data sources. Overlay this challenge with complex IT environments, and it becomes more difficult to track risks within business processes and data flows, weakening trust in them as a single source of truth. Multiple sources of information and multiple views of associated risks may erode understanding of those risks. One version of the truth within the organization is critically important.

Technology can help bring order to chaos in the world of controls and risk if used strategically. Recent advances in cloud-computing capabilities (e.g., for continuous monitoring and controls) as well as predictive and prescriptive analytics, cognitive machine learning, and artificial intelligence have greatly enhanced the capabilities available to CFOs and accounting professionals to better manage the mix of information, the controls around that information, and overarching data governance policies. The use of structured digital information standards like XBRL throughout a supply chain and new technologies like blockchain and smart contracts serve to enhance the power of solutions at CFOs’ and controllers’ fingertips. And the market is watching as the number of use cases inside the audit function and finance supply chain grows around the world.

The institutional investor community has been one of the biggest drivers of reliable nonfinancial information. As quoted in our thought paper, Chris Ailman, chief investment officer of the $200 billion California State Teachers’ Retirement System (CalSTRS), told us that, “In a time where alternative facts and fake news have heightened investor skepticism, we need material, durable, verified ESG data to use in our investment decisions.” A June 2015 ESG Survey by the CFA Institute found that 73% of institutional investors said they take ESG issues into account in their investment analyses and decisions.

Despite this increased scrutiny and demand, the practice of effective internal controls over nonfinancial information is still in its infancy. “Internal controls over nonfinancial reporting are relatively weak,” said Brendan LeBlanc, a partner with EY’s Climate Change and Sustainability Services practice, in our paper. “Specifically, there have been precious little resources—people, processes, and systems—put against nonfinancial reporting, nor these basic types of internal controls which serve to enable consistent, credible nonfinancial reporting.” New technologies and capabilities to enable effective controls and integrated GRC have certainly advanced at an exponential rate, but we need the other important foundational elements (e.g., use of frameworks like the Internal Control—Integrated Framework) to be in wider use if we’re to reach true equilibrium in the confidence in financial and nonfinancial information.

Ask yourself what you’re doing to help your organization build more confidence in your nonfinancial data sets. More importantly, take action to:

  • Understand the types of nonfinancial information your internal and external stakeholders need;
  • Determine the sources of information across your organization and supply chains;
  • Establish a sound data governance strategy;
  • Design effective controls over nonfinancial information that complement the robustness of your financial controls; and
  • Design and implement a technology environment around your nonfinancial information that matches your stakeholders’ information needs, provides a single source of truth, and gives clarity around associated risks.

What is at stake if we take on these challenges? We believe that if we (the reporting ecosystem) advance in the journey to better utilize, assure, and communicate nonfinancial performance data, we will have done our part to improve organizational capability, better satisfy investor needs, improve the effectiveness of capital markets, and, ultimately, serve the public interest.

About the Authors