COSO launches guidance on internal control over sustainability reporting

The global guidance provides insight on effective and efficient tools to enhance reporting and decision making.

The new guidance, Achieving Effective Internal Control over Sustainability Reporting (ICSR), aims to build trust and confidence in ESG and sustainability reporting, public disclosures, and enterprise decision-making.

It has been issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), using the globally recognized COSO Internal Control-Integrated Framework (ICIF) and building on the 2017 study Leveraging the COSO Internal Control – Integrated Framework to Improve Confidence in Sustainability Performance Data. While internal controls and reporting used to be linked mainly with finance, this guidance covers all sustainability factors.

“This new supplemental guidance is significant and extremely timely given upcoming final rules on climate risk from the SEC and ISSB, not to mention the journey organizations are on to build sustainable management principles into their core mission, purpose, governance, and strategies.”

Lucia Wind, Chair, COSO

COSO says there has been a significant change in attitude since 2017, with the focus now on sustainability and ESG reporting.

“More companies are now in various stages of implementing controls and governance processes over the collection, review, and reporting of sustainability information, including creating multifunctional teams that bring together a company’s sustainability, finance and accounting, risk management, legal, and internal audit professionals,” said COSO Chair Lucia Wind. “In many ways, sustainable business reporting is still subject to evolution and innovation. As a result, it will be a process of continuous improvement including building internal capacity and relevant assurance.”

ESG reporting

The ICIF framework was originally issued in 1992 and updated in 2013, with the intent to improve confidence in all types of data and information.

In this updated COSO ICSR guidance, the former COSO Chairs David L Landsittel and Robert B Hirth Jr. say: “We are both thoroughly convinced that the use of the 2013 framework for sustainability and ESG reporting will greatly enhance the overall effectiveness, efficiency, and accuracy of the underlying processes and internal controls as well as the accuracy of this reporting.”

“Effective internal control is good for business and applies well beyond external financial reporting, as COSO’s ICIF points out.”

Lucia Wind, Chair, COSO

“This new supplemental guidance is significant and extremely timely given upcoming final rules on climate risk from the SEC and ISSB, not to mention the journey organizations are on to build sustainable management principles into their core mission, purpose, governance, and strategies. The guidance is global, and transcends accounting, reporting, and assurance,” said Wind.

“Effective internal control is good for business and applies well beyond external financial reporting, as COSO’s ICIF points out. All organizations are on a learning and growth journey to enhance and build trust and confidence in sustainable business information for internal and external decision making.”

Practical insights

The new guidance points to several main themes that organizations and firms can use to start or maintain their journeys to a more effective system of internal control over financial and sustainable business information. It also lays out all 17 principles in ICIF-2013, and gives practical insights and application guidance.

Within the framework, these five action points have been set out:

  1. Commit to integrity by stating your purpose – Set the organization’s purpose and commitment to acting with integrity.
  2. Determine objectives – Both internally and externally, and establish measurement and reporting principles with sufficient detail for specific sustainable business factors.
  3. Identify and assess risks (and consider opportunities) – Evaluate the relevant qualitative and quantitative risk factors, identify how they can be managed and see if they can be turned into strategic opportunities, reduce waste, enhance stakeholder engagement, and improve resource deployment.
  4. Identify control activities – To manage a risk or mitigate it to an acceptable level.
  5. Evaluate effectiveness – Regularly evaluate set framework and controls to determine which elements are functioning and what to update.

Leverage internal expertise

Other key takeaways from the guidance include:

  • Cultivate a culture of accountability – Where it’s essential that everyone involved understands the strategic significance of the organizational performance on key issues, including having effective controls to ensure that decision makers have access to reliable performance information.
  • Revisit the interrelationship of purpose and various objectives – To use sustainable business concepts and practices strategically to drive objectives. It’s important that the objectives are balanced, harmonized, and understood throughout the organization.
  • Establish a cross-functional team – Put together a cross-functional team to get diverse perspectives and subject matter expertise positively from varied departments, and educate them early to start the integration process.
  • Leverage expertise, existing controls and enable technologies and platforms – Use the expertise of CFO knowledge in similar concepts, and collect valuable insights from operations teams that know how the organization is operating. Make use of already existing processes and controls, and modify where necessary. By incorporating sustainable business information into IT platforms with well-established controls, it’s possible to improve decision-maker confidence in data that has previously been measured, validated, managed, and reported outside the formal financial control environment.
  • Focus on decision usefulness – View sustainability through the lens of the organization’s decision usefulness, and the metrics that are most important to success. Which, over time, can reduce risk and contribute to growth and value creation.
  • Start early – This type of work takes time, so it’s important to start early and let the work grow.

Read the report Achieving Effective Internal Control over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control―Integrated Framework here.