COSO ICIF-2013 For Sustainability Teams

Internal Controls
What sustainability teams should know about COSO's new guidance
7 min read
Grant Ostler
Industry Principal
Published: April 20, 2023
Last Updated: September 5, 2023

There’s certainly no shortage of information being shared around ESG reporting. Trying to navigate it all, especially as stakeholder demands increase and sustainability regulations evolve, can be challenging.

Even for those of us familiar with COSO, there is a lot to consider with its new guidance. That’s why in part two of our COSO blog series, we’re sharing why sustainability teams and ESG professionals should care about the COSO Internal Control—Integrated Framework—2013 (ICIF-2013)—and how it can help your sustainability team meet stakeholder expectations. And in case you missed part one that shares a brief history of COSO and key takeaways from the guidance, you can check it out here!

In ICIF-2013, COSO defines internal control as:

A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

To help members of management and boards determine how to implement internal controls processes, COSO developed ICIF-2013 to provide—as the name indicates—an internal control framework that can be applied universally across organizations of all sizes, structures, industries, and more.

Can you repeat that in non-accountant terms?

An organization’s governing board and management are responsible for ensuring the organization achieves its objectives in three specific areas: operations, reporting, and compliance.

To effectively and reliably achieve those objectives, management and the board will perform internal audits to identify and assess risks and implement policies, processes, control activities, etc. to guide the actions of employees and others. All of this can help the organization stay on track to meet objectives.

Something to keep in mind is that even when this is done well, there will always be some risk (whether new or evolving) related to a company’s objectives in these three specific areas.

In addition, ICIF-2013 is the standard that both internal and external auditors will use in evaluating the adequacy of internal controls in both financial and non-financial sustainability reporting.

Emerging ESG regulations are raising the bar for organizations and how they build processes to improve the integrity of the information and analysis sourced for external sustainability reporting. ICIF-2013 will probably be the standard applied, and that could create some challenges for those individuals who have not had their work evaluated using this COSO internal control framework.

If you’re collecting and sharing sustainability data as a part of your role, this process will more than likely be subjected to multiple internal audits each year. That means you’ll need to:

  • Document sources for sustainability reporting data and demonstrate that it is relevant, complete, and accurate
  • Prove the accuracy of assumptions and assertions used in developing forward-looking statements
  • Remain flexible—between multiple frameworks, a rapidly changing regulatory environment, and a lack of global standardization, you may need to adapt to frequent changes in the internal control frameworks that your organization uses

If this sounds overwhelming, don’t fret! You can start now using guidance like COSO’s to unite GRC, ESG reporting, and financial reporting. This unification will allow the right people to establish processes using effective reporting software, minimizing the lack of integration across teams. That way you’re prepared for what’s next. Speaking of using the guidance, let’s walk through ICIF-2013 and explain the different elements of the COSO internal control framework.

COSO uses a cube to depict how all five components of the framework (Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities) fit together:

[Figure: 2013 COSO cube]

Source: COSO's Internal Control Integrated Framework

Okay, nice graphic but how does this work in the real world you ask?

ICIF-2013 comprises the five interrelated components noted above, together with the principles that make up each component; these form the structural elements of the framework. The components are essential to create and implement effective internal controls. Here’s a short summary of each of the five components, providing a clear path for internal auditing against the internal control framework:

  1. Control environment
    • Our culture (integrity, tone from the top, etc.)
    • The capabilities of our people (employees and third parties)
    • Accountability for our actions (achieving results the right way!)
  2. Risk assessment
    • Clarify our organizational objectives
    • Identify obstacles in achieving our objectives (what are our biggest risks?). In other words, it’s about answering these key questions:
      • Where are we going (objectives)?
      • How do we get there (strategy)?
      • What do we have to excel at to meet our objectives?
      • What will or could stand in our way (obstacles)?
      • What obstacles would keep us from reaching our goals?
    • Develop sustainability mitigation strategies and tactics to address those obstacles
    • Consider sustainability risk factors and the expectations of a broad array of stakeholders, which will create new challenges (risks) for the organization that will likely require additional strategies and tactics to manage them effectively
    • Understand the materiality of the sustainability risk factors and integrate their potential impacts into the existing strategy and risk processes—this is key to successfully addressing those risk factors
  3. Control activities
    • Implement the strategies and tactics to address sustainability risks. It comes down to answering these questions:
      • How might things go wrong in this key area?
      • What can we do to prevent that from happening?
      • If we can’t prevent it, how do we detect it early so we can fix it quickly?
      • How can we keep it from happening again?
    • Create policies, processes, and specific internal control activities that reduce the obstacles that could prevent the organization from achieving its objectives
    • A key point here—critical processes must be consistent and repeatable, measured, and improved
  4. Information and communication
    • Ensure expectations, results, and other important data flows as needed throughout the organization
    • Maintain constant feedback in all directions to allow for continuous improvement of the process and all components
  5. Monitoring activities
    • Determine what’s working and what’s not, taking remedial actions where needed
    • Monitor at all levels of the organization through KPIs, regular management reporting, as well as independent verification via internal audits

There are a lot of reasons why COSO’s internal control framework has been widely adopted globally, and it will be a prevalent part of many organizations’ processes for ensuring the integrity of sustainability information sourced for ESG reporting.

In summary, the COSO ICIF-2013:

  • Provides a consistent internal control framework for thinking about risks, including sustainability reporting risks and how to manage them
  • Focuses on improving organizational performance by achieving strategic ESG goals and objectives
  • Gives a foundation to develop effective processes that result in improved efficiency and mitigated sustainability reporting risks
  • Empowers ESG leaders and teams to focus on how to effectively operate an organization—it’s not just about financial internal controls
  • Results in increased trust, transparency, and compliance with ESG governance and standards
  • Encourages collaboration among different functions to enhance strategy and influence outcomes via quality reporting disclosures

And there you have it. Between working with multiple teams and stakeholders and the additional effort needed to meet the demand for assured, integrated reporting, sustainability teams can benefit from understanding and using the COSO ICIF-2013 framework.

And as mentioned—this truly is a team effort. In part three of the blog series, we’ll explore just how critical it is to establish cross-functional collaboration between audit, risk, sustainability, and accounting and finance teams to ensure the integrity of your organization’s sustainability information. Missed the first part unpacking COSO’s guidance with a summary of top takeaways? You can read that here! You can also read part three here, which discusses the importance of bringing key teams together to meet your ESG goals.

Take a break from reading about ESG and join the discussion IRL at Amplify 2023, Sept. 19-21, in Nashville. 60+ sessions, 13 CPE credits, live entertainment, and inspiring keynotes from Indra Nooyi and Reese Witherspoon. Register now.

About the Author
Grant Ostler

Industry Principal

Grant Ostler, Industry Principal at Workiva, has more than 30 years of finance and operations experience, primarily in internal audit, enterprise risk management, and process improvement. Ostler served as the chief audit executive over almost two decades for entities ranging from Fortune 500 companies to a pre-IPO technology company, including building internal audit programs from scratch and leading the implementation of SOX 404 compliance programs for three companies. He is an active member of the Twin Cities Chapter of the IIA where he’s held numerous leadership positions, including Chapter President, over the past 20-plus years.