Unpacking COSO’s New Guidance on Internal Control Over Sustainability Reporting (ICSR)

In case you haven’t had time to fully review the 114 pages of new guidance published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), we’re here to help. 

We’ll share a series of blog posts with insights and ways to apply the new guidance, “Achieving Effective Internal Control Over Sustainability Reporting: Building Trust and Confidence through the COSO Internal Control—Integrated Framework.” First up, an introduction with some background for any ESG, sustainability, audit, or internal controls professionals who many not be as familiar with COSO, plus key takeaways from the guidance. Let’s dive in.

What is COSO and what does it do?

In response to the collapse of the U.S. savings and loan industry, COSO was formed in 1985 with the intent to resolve fraudulent corporate financial reporting. Here’s a quick overview of COSO’s history from there:

• 1992: COSO issued their Internal Control—Integrated Framework to define internal controls (which surprisingly hadn’t been well-defined previously) and to lay out a model for all organizations, regardless of industry, to use for developing and evaluating internal controls
• 2002: After corporate financial reporting fraud became prevalent again in the early 2000s, both Congress and the Securities and Exchange Commission (SEC) moved quickly to enact the Sarbanes-Oxley Act (SOX). COSO’s Internal Control—Integrated Framework became the de facto framework used to evaluate the adequacy of internal controls over financial reporting (ICFR)
• 2013: COSO’s framework underwent a major revision to become the 2013 Internal Control—Integrated Framework (ICIF-2013). The updates identified 17 Principles and 87 Points of Focus within the Principles that are core to establishing effective internal controls
• 2017: COSO updated the Enterprise Risk Management—Integrated Framework, which was originally released in 2004, to address the evolution of enterprise risk management (ERM) and highlight the importance of risk in both strategy-setting and in driving business results
• 2020s: With ESG rising in prominence, COSO issued guidance on how to apply ICIF-2013 to establish appropriate internal control over sustainability reporting (ICSR) in preparation for upcoming regulatory requirements in Europe and pending regulations in the U.S.

What changes did COSO make to the Internal Control—Integrated Framework?

So you might be wondering—what exactly did COSO change in ICIF-2013 to accommodate the unique needs of sustainability reporting? The short answer is that COSO made no changes.

While there were no actual changes, COSO did add explanations throughout the new guidance on how the 5 Components, 17 Principles, and 87 Points of Focus of ICIF-2013 are applicable to the challenges involved with establishing and maintaining effective ICSR.

What are some key call outs from COSO’s new ESG guidance?

COSO included eight key takeaways in its guidance that provide solid insights for organizations as they consider how to approach ICSR. Here’s a short summary of those main points:

1. Create accountability: Everyone involved from collection to communication of sustainability information needs to understand the importance of establishing effective controls and meeting key targets
2. Identify how your mission drives objectives: How does your organization’s mission or purpose tie into your objectives? Whether objectives are financial, non-financial, compliance, etc., they need to be balanced and understood throughout the organization to create effective controls
3. Collaborate cross-functionally: Establishing a multidisciplinary team with members from across your organization—accounting and finance, sustainability, legal, investor relations, and more—is crucial to align on goals and assess sustainability-related issues, metrics, and controls
4. Tap into existing expertise: While ICSR is a new application, there is already a solid foundation to start from with internal control over financial reporting (ICFR). The CFO team has expertise in applying these concepts and can help guide the process
5. Modify existing controls: Your organization will likely need to create new processes and new controls, but you don’t need to start from scratch! You can look to modify and apply processes that already exist as a part of ICFR
6. Adapt existing or adopt new technology: Leveraging existing or utilizing emerging technologies to establish and maintain an effective system of internal control over sustainable business information can help improve processes and decision-maker confidence in data
7. Focus on what’s material: Organizations can prioritize efforts through the concept known as materiality. By viewing sustainability through the lens of decision usefulness, organizations can hone in on metrics that are most important
8. Start now: With all of the data and systems coming into scope with sustainability information, it’s going to take a lot of effort to design and refine a system of controls to support your program. It’s important to start having those conversations with other teams and stakeholders early

Each of these lessons will likely prove more valuable to an organization that has integrated its sustainability practices and business strategy. Just as an entity’s control environment provides the foundation for effective ICFR, it is also an essential starting point for designing, implementing, and maintaining an effective system of internal controls over decision-useful sustainable business information.

Applying ICIF-2013 to sustainability topics

This new guidance does three key things to help organizations and individuals understand how to apply the ICIF-2013 to sustainability topics:

• Highlights common challenges that are unique to the sustainability area when compared to the more familiar financial reporting process
• Articulates practical recommendations for applying each of the 87 Points of Focus to those challenges
• Provides illustrative examples to help readers see how the individual points of focus have been met by other organizations

While this new guidance doesn’t provide a “paint by numbers” checklist for readers, it does stay true to ICIF-2013’s principle-based approach that your organization can use.

I hope you have a better understanding of what the new guidance includes and how you can start to apply it. In the next two blogs in this series, we’ll explore more about how the new COSO guidance can help you and your organization meet stakeholder expectations for your sustainability reporting. Part two is available here (and is a great piece to share with your sustainability team!) and you can find part three here.

In addition, check out our infographic series The Intersection of ESG and GRC to learn how to integrate ESG into overall risk management plans, and see how you can jump-start your ESG assurance journey with the Workiva platform, which unites your teams, data, and processes across GRC, ESG, and financial reporting.

We will also continue to share more in our monthly Risk Resilience newsletter, so be sure to sign up here to keep up to date with the latest!