Unpacking COSO’s New Guidance on Internal Control Over Sustainability Reporting (ICSR)

As you may have seen, the US-based Committee of Sponsoring Organisations of the Treadway Commission (COSO) recently published new guidance on internal controls for ESG reporting.
In case you’re new to COSO, or haven’t had time to fully review the 114 pages of “Achieving Effective Internal Control Over Sustainability Reporting: Building Trust and Confidence through the COSO Internal Control—Integrated Framework,” here’s what you need to know.
What is COSO and what does it do?
As an organisation, COSO develops an internationally recognised framework to help companies evaluate their internal controls, risk management and anti-fraud processes. This framework is widely followed, not only across the United States but by businesses all over the world. Here’s a quick overview of COSO’s history:
- 1985: COSO was founded in response to the collapse of the U.S. savings and loan industry, with the aim of addressing fraudulent corporate financial reporting.
- 1992: COSO issued their Internal Control—Integrated Framework to define internal controls (which surprisingly hadn’t been well-defined previously) and to lay out a model for all organisations, regardless of industry, to use for developing and evaluating internal controls
- 2002: After corporate financial reporting fraud became prevalent again in the early 2000s, both Congress and the Securities and Exchange Commission (SEC) moved quickly to enact the Sarbanes-Oxley Act (SOX). COSO’s Internal Control—Integrated Framework became the de facto framework used to evaluate the adequacy of internal controls over financial reporting (ICFR)
- 2013: COSO’s framework underwent a major revision to become the 2013 Internal Control—Integrated Framework (ICIF-2013). The updates identified 17 Principles and 87 Points of Focus within the Principles that are core to establishing effective internal controls
- 2017: COSO updated the Enterprise Risk Management—Integrated Framework, which was originally released in 2004, to address the evolution of enterprise risk management (ERM) and highlight the importance of risk in both strategy-setting and in driving business results
- 2020s: With ESG rising in prominence, COSO issued guidance on how to apply ICIF-2013 to establish appropriate internal control over sustainability reporting (ICSR) in preparation for upcoming regulatory requirements in Europe and pending regulations in the U.S.
What changes did COSO make to the Internal Control—Integrated Framework?
So you might be wondering—what exactly did COSO change in ICIF-2013 to accommodate the unique needs of sustainability reporting? The short answer is that COSO made no changes.
While there were no actual changes, COSO did add explanations throughout the new guidance on how the 5 Components, 17 Principles, and 87 Points of Focus of ICIF-2013 are applicable to the challenges involved with establishing and maintaining effective ICSR.
What are some key callouts from COSO’s new ESG guidance?
COSO included eight key takeaways in its guidance that provide solid insights for organisations as they consider how to approach ICSR. Here’s a short summary of those main points:
- Create accountability: Everyone involved from collection to communication of sustainability information needs to understand the importance of establishing effective controls and meeting key targets
- Identify how your mission drives objectives: How does your organisation’s mission or purpose tie into your objectives? Whether objectives are financial, non-financial, compliance, etc., they need to be balanced and understood throughout the organisation to create effective controls
- Collaborate cross-functionally: Establishing a multidisciplinary team with members from across your organisation—accounting and finance, sustainability, legal, investor relations, and more—is crucial to align on goals and assess sustainability-related issues, metrics, and controls
- Tap into existing expertise: While ICSR is a new application, there is already a solid foundation to start from with internal control over financial reporting (ICFR). The CFO team has expertise in applying these concepts and can help guide the process
- Modify existing controls: Your organisation will likely need to create new processes and new controls, but you don’t need to start from scratch! You can look to modify and apply processes that already exist as a part of ICFR
- Adapt existing or adopt new technology: Leveraging existing or utilising emerging technologies to establish and maintain an effective system of internal control over sustainable business information can help improve processes and decision-maker confidence in data
- Focus on what’s material: Organisations can prioritise efforts by assessing their materiality. By viewing sustainability through the lens of decision usefulness, organisations can hone in on metrics that are most important
- Start now: With all of the data and systems coming into scope with sustainability information, it’s going to take a lot of effort to design and refine a system of controls to support your program. It’s important to start having those conversations with other teams and stakeholders early
Each of these lessons will likely prove more valuable to an organisation that has integrated its sustainability practices and business strategy. Just as an entity’s control environment provides the foundation for effective ICFR, it is also an essential starting point for designing, implementing, and maintaining an effective system of internal controls over decision-useful sustainable business information.
Applying ICIF-2013 to sustainability topics
This new guidance does three key things to help organisations and individuals understand how to apply the ICIF-2013 to sustainability topics:
- Highlights common challenges that are unique to the sustainability area when compared to the more familiar financial reporting process
- Articulates practical recommendations for applying each of the 87 Points of Focus to those challenges
- Provides illustrative examples to help readers see how the individual points of focus have been met by other organisations
While this new guidance doesn’t provide a “paint by numbers” checklist for readers, it does stay true to the principles-based approach of ICIF-2013, which your organisation can apply to its own circumstances.
I hope you have a better understanding of what the new guidance includes and how you can start to apply it. Stay tuned for parts two and three of this blog series, where we’ll explore more about how the new COSO guidance can help you and your organisation meet stakeholder expectations for your sustainability reporting.
In the meantime, check out our ESG and internal controls datasheet for everything you need to find out more about how Workiva can help you on your ESG assurance journey.