Here's an example of a parametrized dynamic query using sp_executesql. Note that I'm using the DelimitedSplitN4K to split the values because you can't use IN for a single variable with delimited values.

DECLARE @Param nvarchar(4000)

SET @Param = '12,15,32'

--SELECT @Param = @Param + '''' + ParameterValue + ''''+ N', '

--FROM ScriptParams WHERE scripttype='TestParam'

--select @Param = substring( @Param, 1, (LEN( @Param)-1))

DECLARE @sql nvarchar(max)

set @SQL = 'SELECT Company_NO,

'''' as CompanyName,

CASE isNull(post_date, 0)

WHEN 0 THEN DATEPART(yyyy, DATEADD(mm, - 6, create_date))

ELSE DATEPART(yyyy, DATEADD(mm, - 6, post_date)) END AS Year

FROM CompanyOrder

CROSS APPLY dbo.DelimitedSplitN4K( @paramIN, '','')

WHERE Item = CompanyType'

EXECUTE sp_executesql @SQL, N'@paramIN nvarchar(4000)', @ParamIN = @Param;

Even better would be to eliminate the dynamic code:

SELECT Company_NO,

'' as CompanyName,

CASE isNull(post_date, 0)

WHEN 0 THEN DATEPART(yyyy, DATEADD(mm, - 6, create_date))

ELSE DATEPART(yyyy, DATEADD(mm, - 6, post_date)) END AS Year

FROM CompanyOrder c

WHERE c.CompanyType IN ( SELECT ParameterValue FROM ScriptParams s WHERE scripttype='TestParam')