
Unpacking COSO’s New Guidance on Internal Control Over Sustainability Reporting (ICSR)

Grant Ostler
Industry Principal
Published: 12 April 2023
Last Updated: 26 April 2023

As you may have seen, the US-based Committee of Sponsoring Organisations of the Treadway Commission (COSO) recently published new guidance on internal controls for ESG reporting. 

In case you’re new to COSO, or haven’t had time to fully review the 114 pages of “Achieving Effective Internal Control Over Sustainability Reporting: Building Trust and Confidence through the COSO Internal Control—Integrated Framework,” here’s what you need to know. 

  • 1985: COSO was founded in response to the collapse of the U.S. savings and loan industry, with the intent to resolve fraudulent corporate financial reporting. 
  • 1992: COSO issued their Internal Control—Integrated Framework to define internal controls (which surprisingly hadn’t been well-defined previously) and to lay out a model for all organisations, regardless of industry, to use for developing and evaluating internal controls
  • 2002: After corporate financial reporting fraud became prevalent again in the early 2000s, both Congress and the Securities and Exchange Commission (SEC) moved quickly to enact the Sarbanes-Oxley Act (SOX). COSO’s Internal Control—Integrated Framework became the de facto framework used to evaluate the adequacy of internal controls over financial reporting (ICFR)
  • 2013: COSO’s framework underwent a major revision to become the 2013 Internal Control—Integrated Framework (ICIF-2013). The updates identified 17 Principles and 87 Points of Focus within the Principles that are core to establishing effective internal controls
  • 2017: COSO updated the Enterprise Risk Management—Integrated Framework, which was originally released in 2004, to address the evolution of enterprise risk management (ERM) and highlight the importance of risk in both strategy-setting and in driving business results
  • 2020s: With ESG rising in prominence, COSO issued guidance on how to apply ICIF-2013 to establish appropriate internal control over sustainability reporting (ICSR) in preparation for upcoming regulatory requirements in Europe and pending regulations in the U.S.

COSO included eight key takeaways in its guidance that provide solid insights for organisations as they consider how to approach ICSR. Here’s a short summary of those main points:

  1. Create accountability: Everyone involved from collection to communication of sustainability information needs to understand the importance of establishing effective controls and meeting key targets
  2. Identify how your mission drives objectives: How does your organisation’s mission or purpose tie into your objectives? Whether objectives are financial, non-financial, compliance, etc., they need to be balanced and understood throughout the organisation to create effective controls
  3. Collaborate cross-functionally: Establishing a multidisciplinary team with members from across your organisation—accounting and finance, sustainability, legal, investor relations, and more—is crucial to align on goals and assess sustainability-related issues, metrics, and controls
  4. Tap into existing expertise: While ICSR is a new application, there is already a solid foundation to start from with internal control over financial reporting (ICFR). The CFO team has expertise in applying these concepts and can help guide the process
  5. Modify existing controls: Your organisation will likely need to create new processes and new controls, but you don’t need to start from scratch! You can look to modify and apply processes that already exist as a part of ICFR
  6. Adapt existing or adopt new technology: Leveraging existing or utilising emerging technologies to establish and maintain an effective system of internal control over sustainable business information can help improve processes and decision-maker confidence in data
  7. Focus on what’s material: Organisations can prioritise efforts by assessing their materiality. By viewing sustainability through the lens of decision usefulness, organisations can home in on the metrics that are most important
  8. Start now: With all of the data and systems coming into scope with sustainability information, it’s going to take a lot of effort to design and refine a system of controls to support your program. It’s important to start having those conversations with other teams and stakeholders early

Each of these lessons will likely prove more valuable to an organisation that has integrated its sustainability practices and business strategy. Just as an entity’s control environment provides the foundation for effective ICFR, it is also an essential starting point for designing, implementing, and maintaining an effective system of internal controls over decision-useful sustainable business information.

This new guidance does three key things to help organisations and individuals understand how to apply the ICIF-2013 to sustainability topics:

  • Highlights common challenges that are unique to the sustainability area when compared to the more familiar financial reporting process
  • Articulates practical recommendations for applying each of the 87 Points of Focus to those challenges
  • Provides illustrative examples to help readers see how the individual points of focus have been met by other organisations

This new guidance doesn’t provide a “paint by numbers” checklist for readers. Instead, it stays true to ICIF-2013’s principle-based approach, which your organisation can use.

I hope you have a better understanding of what the new guidance includes and how you can start to apply it. Stay tuned for parts two and three of this blog series, where we’ll explore more about how the new COSO guidance can help you and your organisation meet stakeholder expectations for your sustainability reporting.

In the meantime, check out our ESG and internal controls datasheet for everything you need to find out more about how Workiva can help you on your ESG assurance journey. 

About the Author

Grant Ostler, Industry Principal at Workiva, has more than 30 years of finance and operations experience, primarily in internal audit, enterprise risk management, and process improvement. Ostler served as the chief audit executive over almost two decades for entities ranging from Fortune 500 companies to a pre-IPO technology company, including building internal audit programs from scratch and leading the implementation of SOX 404 compliance programs for three companies. He is an active member of the Twin Cities Chapter of the IIA where he’s held numerous leadership positions, including Chapter President, over the past 20-plus years.
