When you're ready for an audit, you're ready for anything!
FAQS
What’s COSO ICSR? Why is it relevant for Sustainability reporting assurance?

COSO’s ICIF provided a principles-based model for compliance, reporting and operations.  The ICIF was always “reporting agnostic” – it didn’t matter whether financial or non-financial, external or internal, or whatever.   If you wanted to control “reporting”, here is your framework.  There has been a groundswell in Sustainability reporting.  There has been a concurrent chorus demanding that the information in the reports is accurate, and decision-useful.  Gee, what would that look like?  COSO’s ICIF was there for the taking, but stakeholders didn’t know how to apply it.  In 2002, the COSO Board authorized supplemental guidance.  COSO’s “Achieving Effective Internal Controls over Sustainability Reporting (ICSR)” was released to wide acclaim in 2023.  Douglas Hileman is an author – one of only six, and the only non-CPA on the author team. 

What’s COSO? Aren’t they about financial reporting?

COSO is the most important organization you’ve never heard of.  Perhaps you (or parents?) remember Lincoln Savings & Loan, Charles Keating, and the collapse of this segment of the economy in 1988-89.  Taxpayers shelled out $3.4 billion.  Many parties were astonished that there was no common framework for what would constitute a well-run organization.   COSO stands for “Committee of Sponsoring Organizations”.  They released the Internal Controls Integrated Framework (ICIF) in 1992 as [optional] principles-based guidance.  Only a decade later, Enron and WorldCom outraged the government (and capital markets) again.  Congress passed Sarbanes-Oxley, which required internal controls over financial reporting (ICFR), and that these be subject to the financial audit.  What does ICFR look like?  COSO’s ICIF had been there for the taking all along.  Although not required by statute, the COSO ICIF became the de facto model for all ICIF.  There’s much more at www.coso.org

 

Is there a checklist for DHC’s assurance/ audit readiness?

No.  There are too many variables to write a recipe.  The drivers of assurance vary, as does the level of desired assurance, scope, criteria, method for performing the audit, and the output.  Auditors call many of the shots, and are free to use professional judgment to gain comfort that they have sufficient data and information to reach conclusions.  None of this is predictable in advance, but with a sense of how it works, auditees can rise to the challenge.

What are the types of assurance?

You’ll see “limited assurance” and “reasonable assurance.”  The accounting firms (and Google) can explain; my “lay” (non-CPA) oversimplification:  With limited assurance (sometimes referred to as “negative assurance”), you end up with something like this:  “Nothing came to our attention that was materially deficient.”  In other words, we looked, we didn’t find anything massively wrong.  With reasonable assurance:  “We performed procedures and have comfort that things conform in all material respects ….”  In other words, we looked, we may have found some gaps – but we didn’t determine that any of them were ‘material’.  If they did identify material weaknesses, these may be called out in the assurance report.   Note: Internal Audit also uses “assurance.”  The IIA published new Global Internal Audit Standards, effective January 1, 2024.  Definitions may not be identical.  These insights may be a good starting point, but don’t take it from DHC:  as you consider Sustainability assurance providers, ask them to explain it.  In plain English, please.

Can you help us prepare for assurance done by technical or management firms?

Again – yes.  DHC has experience in ISO management systems, including readiness for one high-profile certification audit mandated by a consent decree.  The VW Monitorship effort involved oversight of another ISO 14001 audit as a provision of settlement with the U.S. Department of Justice.  ISO systems are processes.  DHC also has experience with garden-variety compliance audits for environmental, safety, contractor management, insurance reviews, and others.  What are the criteria, and can you demonstrate that you meet them?

Can you help us prepare for assurance done by accounting firms?

Yes.  Mr. Hileman supported dozens of financial audit procedures, reviewing processes, systems, and internal controls for estimating contingent environmental liabilities.  He also evaluated the reasonableness of the estimates themselves, and whether the amount in reserves was sufficient.  This effort involved planning, risk assessment, detailed procedures, applying both technical and business knowledge – and always some degree of judgment.  This experience from six annual audit cycles helps me hold my own with accounting firms.

Is DHC an accounting firm?

DHC is not an accounting firm.  Mr. Hileman worked at a Big 4 firm for six years, beginning just at the outset of Sarbanes-Oxley.  He supported [CPA] audit partners and teams for financial audits, internal audits, agreed-upon procedures, and other reviews.  Mr. Hileman led audits pursuant to an SEC consent decree, and a readiness exercise for a client seeking to exit another consent decree.

What’s the difference between “assurance” and “audit”?

I’m not a CPA, and there are many answers on the internet.  There are distinctions between data and narrative, backwards-looking and comfort for forward-looking.  From where I sit, accounting firms and Internal Audit tend to use “assurance”.  Technical and management auditors (ISO, environmental compliance, etc.) do not.   If you are entertaining proposals for firms to review your Sustainability reporting, ask them to explain the difference.  In plain English, and in five sentences or less.  Let me know how that goes.

Can assurance/ audit readiness help with GHG emissions disclosures – qualitative?

Yes, readiness can help organizations feel more confident about their qualitative disclosures.  In general, Sustainability reporting includes more qualitative content than financial reporting – as well as retrospective and prospective content.  [These are two of the three aspects described in DHC’s “Three Attributes of Sustainability Reporting …” white paper, which was referenced in COSO’s ICSR supplemental guidance.]   Users must be able to trust descriptions, claims and assertions in narrative disclosures. 

Is assurance/ audit readiness applicable for GHG emissions inventories?

Yes, assurance/ audit readiness helps companies achieve greater success if their greenhouse gas (GHG) emissions inventories will be audited.  This is the “metrics” piece of the familiar “Governance/ Strategy/ Risk/ Metrics and Targets” that is common for climate-related regulations and disclosures.  These headings appear in the SEC final climate disclosure rule, as well as California’s climate disclosure laws.  This grouping of disclosure topics really took off with publication of TCFD (Task Force on Climate-related Financial Disclosures) guidelines in 2017.