Skip to main content

What Sustainability Teams Need to Know About COSO ICIF-2013—And Why They Should Care

Internal Controls
What sustainability teams should know about COSO's new guidance
6 min read
Grant Ostler
Industry Principal
Published: 20 April 2023
Last Updated: 15 September 2023

There’s certainly no shortage of information being shared around ESG reporting. Trying to navigate it all, especially as stakeholder demands increase and regulations evolve, can be challenging.

Even for those of us familiar with COSO, there is a lot to consider with its new guidance. That’s why in part two of our COSO blog series, I’m sharing why sustainability teams and professionals should care about the COSO Internal Control—Integrated Framework—2013 (ICIF-2013)—and how it can help your team meet stakeholder expectations. And in case you missed part one that shares a brief history of COSO and key takeaways from the guidance, you can check it out here!

In ICIF-2013, COSO defines internal control as:
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

To help members of management and boards determine how to implement internal controls processes, COSO developed ICIF-2013 to provide—as the name indicates—a framework that can be applied universally across organizations of all sizes, structures, industries, and more.

Can you repeat that in non-accountant terms?

An organization’s governing board and management are responsible for ensuring the organization achieves its objectives in three specific areas: operations, reporting, and compliance.

To effectively and reliably achieve those objectives, management and the board will identify and assess risks and implement policies, processes, control activities, etc. to guide the actions of employees and others. All of this can help the organization stay on track to meet objectives.

Something to keep in mind is that even when this is done well, there will always be some risk (whether new or evolving) related to a company’s objectives in these three specific areas.

In addition, ICIF-2013 is the standard that both internal and external auditors will use in evaluating the adequacy of internal controls in both financial and non-financial reporting of sustainability information.

Emerging ESG regulations are raising the bar for organizations and how they build processes to improve the integrity of the sustainability information they report externally. ICIF-2013 will probably be the standard applied, and that could create some challenges for those individuals who have not had their work evaluated using this framework. 

If you’re collecting and sharing sustainability data as a part of your role, this process will more than likely be subjected to multiple audits each year. That means you’ll need to:

  • Document sources for sustainability data and demonstrate that it is relevant, complete, and accurate
  • Prove the accuracy of assumptions and assertions used in developing forward-looking statements
  • Remain flexible—between multiple frameworks, a rapidly changing regulatory environment, and a lack of global standardization, you may need to adapt to frequent changes in the frameworks that your organization uses

If this sounds overwhelming, don’t fret! You can start now using guidance like COSO’s to unite your teams and establish processes with the right people and technology. That way you’re prepared for what’s next. Speaking of using the guidance, let’s walk through ICIF-2013 and explain the different elements of the framework.

COSO uses a cube to depict how all the pieces of the framework fit together:

2013 COSO cube

Source: COSO's Internal Control Integrated Framework

Okay, nice graphic but how does this work in the real world you ask?

ICIF-2013 is comprised of the five interrelated components noted above, including the principles that make up each component, forming the structural elements of the framework. The components are essential to create and implement effective internal controls. Here’s a short summary of each of the five components:

  1. Control environment 
    • Our culture (integrity, tone from the top, etc.)
    • The capabilities of our people (employees and third parties)
    • Accountability for our actions (achieving results the right way!)
  2. Risk assessment
    • Clarify our organizational objectives
    • Identify obstacles in achieving our objectives (what are our biggest risks?). In other words, it’s about answering these key questions:
      • Where are we going (objectives)?
      • How do we get there (strategy)? 
      • What do we have to excel at to meet our objectives?
      • What will or could stand in our way (obstacles)? 
      • What obstacles would keep us from reaching our goals?
    • Develop mitigation strategies and tactics to address those obstacles
    • Consider sustainability risk factors and the expectations of a broad array of stakeholders, which will create new challenges (risks) for the organization that will likely require additional strategies and tactics to manage them effectively
    • Understand the materiality of the sustainability risk factors and integrate their potential impacts into the existing strategy and risk processes—this is key to successfully addressing those risk factors
  3. Control activities
    • Implement the strategies and tactics to address risks. It comes down to answering these questions:
      • How might things go wrong in this key area?
      • What can we do to prevent that from happening?
      • If we can’t prevent it, how do we detect it early so we can fix it quickly?
      • How can we keep it from happening again?
    • Create policies, processes, and specific control activities that reduce the obstacles that could prevent the organization from achieving its objectives
    • A key point here—critical processes must be consistent and repeatable, measured, and improved
  4. Information and communication
    • Ensure expectations, results, and other important data flows as needed throughout the organization
    • Maintain constant feedback in all directions to allow for continuous improvement of the process and all components
  5. Monitoring activities 
    • Determine what’s working and what’s not, taking remedial actions where needed
    • Monitor at all levels of the organization through KPIs, regular management reporting, as well as independent verification via audits

There are a lot of reasons why COSO’s framework has been widely adopted globally, and will be a prevalent part of many organization’s processes in ensuring the integrity of sustainability information.
In summary, the COSO ICIF-2013: 

  • Provides a consistent framework for thinking about risks, including sustainability reporting risks and how to manage them
  • Focuses on improving organizational performance by achieving strategic goals and objectives
  • Gives a foundation to develop effective processes that result in improved efficiency and mitigated risks
  • Empowers leaders and teams to focus on how to effectively operate an organization—it’s not just about financial controls
  • Results in increased trust, transparency, and compliance with standards
  • Encourages collaboration among different functions to enhance strategy and influence outcomes via quality reporting disclosures

And there you have it. Between working with multiple teams and stakeholders and the additional effort needed to build transparent, audit-ready ESG reports, sustainability teams can benefit from understanding and using the COSO ICIF-2013 framework.

And as I mentioned—this truly is a team effort. In part three of the blog series, we’ll explore just how critical it is to establish cross-functional collaboration between audit, risk, sustainability, and accounting and finance teams to ensure the integrity of your organization’s sustainability information. Missed the first part unpacking COSO’s guidance with a summary of top takeaways? You can read that here! You can also read part three here, which discusses the importance of bringing key teams together to meet your ESG goals.

Take a break from reading about ESG and join the discussion virtually at Amplify 2023 on Sept. 21st. Access 13 sessions, and get the chance to earn up to 8 CPE credits! Register now.

About the Author
Grant Ostler headshot
Grant Ostler

Industry Principal

Grant Ostler, Industry Principal at Workiva, has more than 30 years of finance and operations experience, primarily in internal audit, enterprise risk management, and process improvement. Ostler served as the chief audit executive over almost two decades for entities ranging from Fortune 500 companies to a pre-IPO technology company, including building internal audit programs from scratch and leading the implementation of SOX 404 compliance programs for three companies. He is an active member of the Twin Cities Chapter of the IIA where he’s held numerous leadership positions, including Chapter President, over the past 20-plus years.

Online registration is currently unavailable.

Please email events@workiva to register for this event.

Our forms are currently down.

Please contact us at

Our forms are currently down.

Please contact us at