COSO Issues Supplemental Guidance on Internal Control Over Sustainability Reporting

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) has released supplemental guidance on how to effectively apply the 2013 Internal Control — Integrated Framework (ICIF) — which is currently applied to financial reporting — to sustainability reporting. The guidance results from a project approved by the COSO board a year ago with the objective of helping organisations “create and ensure effective internal control by applying the ICIF to sustainability reporting for internal decision-making and external public reporting.” This goal applies to both voluntary reporting and reporting mandated by regulation, which is important to note given the current state of evolution of required reporting and the very high percentage of companies already voluntarily providing sustainability data to their stakeholders in response to market interest.

In COSO’s press release announcing the guidance, COSO Chair Lucia Wind indicated that the global guidance is “extremely timely given upcoming final rules on climate risk from the [Securities and Exchange Commission] SEC and the [International Sustainability Standards Board] ISSB.” Ms. Wind further noted that strong internal controls are “good for business”; support the “learning and growth journey” that organisations are on “to build sustainable management principles into their core mission, purpose, governance and strategies”; and “build trust and confidence in sustainable business information.”

The guidance is likely to become a de facto standard

While the publication indicates that it is “nonauthoritative” and “expresses only the interpretations, opinions, and perspectives of the authors,” we believe the guidance provided will likely serve as suitable criteria and a de facto standard for sustainability reporting, just as the ICIF does for internal control over financial reporting (ICFR) for essentially every publicly traded company. It will help all organisations — public or private, large or small — and do so in a way that is familiar to financial reporting functions who are, or will likely be, tasked with the responsibility for sustainability reporting.

To this point, the guidance includes a preface written by the two COSO Chairs who served during the development and release of the 2013 ICIF. They point out that the latest edition of the ICIF eliminated the word “financial” from the reporting objective to expand its scope to all forms of reporting — internal or external, financial or nonfinancial. Corporate reporting has evolved well beyond financial reporting, including most recently to environmental, social and governance (ESG), reflecting both financial and nonfinancial information through the lens of resource preservation, performance and value creation.

The guidance articulates how the 2013 ICIF can be applied to sustainability activity and reporting. It provides specific examples of internal control principles related to sustainability and ESG reporting, operations and compliance. The authors acknowledge the emergence of internal control over sustainability reporting (ICSR) in the U.S. and in countries around the world as a concept comparable to ICFR, as defined by the SEC.

The project consisted of third-party research and numerous interviews of company executives and advisors. It updates the 2017 study published by the Institute of Management Accountants, Leveraging the COSO Internal Control — Integrated Framework to Improve Confidence in Sustainability Performance Data, which advocated for greater integration between sustainability and finance teams to improve reporting on sustainability both internally and externally and enhance data quality for managing sustainable business issues and providing decision-useful ESG information to investors. Because many companies have not yet begun this journey of integration, an update of the 2017 study was needed.

Growth in ESG reporting

The authors of the guidance and the COSO board jointly agreed that the actual and projected growth in ESG reporting — and more importantly, the reliance being placed on such reporting by major stakeholders — warranted the issuance of additional specific guidance. Over 96% of the S&P 500, over 80% of the Russell 1000 index companies and over 90% of the largest companies in more than 20 countries currently issue voluntary public reports on sustainability and/or ESG factors. In most cases, they report concurrently against multiple standards and frameworks. COSO’s purpose in issuing guidance is to assist organisations in designing, testing and evaluating ICSR, and to improve sustainability and compliance now that regulatory reforms are emerging and imminent. With this update, the authoring team of COSO veterans and the COSO board are providing organisations with much needed clarity and robust advice that would contribute value to the market, consistent with COSO’s mission to develop guidelines for businesses to evaluate internal controls, risk management and fraud deterrence.

Sources of value are primarily intangible

The guidance points out that the sources of enterprise value have shifted significantly over recent decades to the point where currently 90% or even more of a company’s market value is attributed to factors not reflected in traditional financial statements. A measurable, if not significant, portion of enterprise value can be attributed to ESG factors, such as workforce quality, diversity, culture and retention, access to and responsible use of natural resources, supply chain relationships, effective governance and more.

[Figure: Components of S&P 500 Market Value]

The 17 principles still apply

The guidance explains how each of the ICIF’s 17 principles applies specifically to sustainability and ESG reporting, providing both actual and illustrative case examples along with insights from the authors. The supporting, explanatory Points of Focus are also included for each principle and have been reworded to show their application to sustainability reporting.

The guidance reiterates the ICIF’s evaluation concept that an organisation has achieved an effective system of internal controls when all principles are present and functioning. At the end of the guidance, three cases are provided to illustrate this concept: a publicly held organisation subject to disclosure regulations considering its reporting agenda, a privately held supplier beginning its sustainable business journey, and a publicly held organisation continuing its evolution toward reasonable assurance.

Top takeaways

To wrap up the 100-plus-page document, the authors provide a capstone listing of 10 key points in the report. Those most relevant to ICSR include:

  • Focus on the end game of effective ICSR, which is achieved when all 17 principles are present and functioning. Customisation and adaptation may vary for each organisation based on maturity, industry, resources and requirements.
  • Start using the COSO ICIF-2013 now. There is no need to wait for new regulations.
  • Most, if not all, of the 17 principles apply to sustainability in a way that is comparable to traditional financial accounting and reporting. It may be possible to leverage control activities and documentation from financial transactions and reporting.
  • Risk assessment and materiality determination are key activities to sharpen the focus on what matters.
  • Be sure to address IT general controls, which are a critical consideration in the design and evaluation of any system of internal control covering sustainability information and ESG reporting.
  • Don’t forget operations and compliance objectives, the related risks and the activities required to achieve effective internal control in these areas.
  • The ICIF-2013 is designed to be used in essentially any area, function, location or activity (e.g., payroll, safety and sourcing). Use it for more than just financial reporting and sustainability.
  • Achieve internal assurance and confidence in sustainability reporting before progressing the organisation to external assurance. Leverage your internal audit function in this regard to provide objective assurance and other advice.
  • Make ESG reporting, both internal and external, an automated, efficient and continuous activity — not an “annual and manual” exercise.

Protiviti commentary

This guidance is of value to all organisations, as they all can benefit from effective ICSR. Both mature ESG reporters on the one end and organisations just beginning their sustainability journey on the other will find the guidance useful. Most important, as the market gravitates toward obtaining third-party assurance, public companies and other organisations will find the guidance instrumental in preparing for the attestation process and communicating with assurance providers.

The use of technology and procurement of specific software applications for ESG reporting or the modification of existing IT systems can also be beneficial to organisations as they seek to automate processes and controls, as well as transition from an “annual and manual” activity to one that is automated, continuous, secure and assured.

At the time of issuing this Flash Report, there is no requirement or proposal stipulating that the process used to evaluate the effectiveness of ICFR (e.g., for purposes of complying with Section 404 of the Sarbanes-Oxley Act of 2002 in the U.S.) be applied to the evaluation of ICSR. That said, certain elements of this process could be applied to ESG reporting as follows:

  • Scoping for material, significant items
  • Determining sustainability/ESG reporting objectives
  • Identifying supporting processes and metrics and their related controls to ensure reliability, completeness and consistency
  • Evaluating and remediating controls design
  • Testing operating effectiveness, and remediating and retesting as needed
  • Concluding on overall effectiveness of ICSR
  • Reporting publicly on ICSR effectiveness, if desired voluntarily or as required by mandate, or reporting privately to internal or external stakeholders in need of ESG data
  • Monitoring and evaluating the effects of change on ICSR

In addition, and as noted earlier, the 2013 ICIF can be used as suitable criteria for ICSR, consistent with the approach to evaluating ICFR, including emphasising that all 17 principles are present and functioning effectively.

We agree with the guidance that there is no reason to wait — and there are a lot of reasons to get started. Organisations should use the guidance now to design and operationalise effective control activities and prepare for third-party assurance of sustainability disclosures and ESG reporting. Executive sponsors should ensure that there is effective collaboration across the organisation among relevant functions in operations, compliance, risk management, internal audit, legal, technology and sustainability, among others, with regard to executing appropriate control activities. Executive management and the board should be educated on the status of ICSR-related activities and results of periodic evaluations. Directors and senior management should ensure the right tone at and from the top exists on the importance of sustainability activities, ESG reporting and the related internal controls.

In summary, the COSO chair noted that most companies are now in “various stages of implementing controls and governance processes over the collection, review and reporting of sustainability information, including creating multifunctional teams. In many ways, sustainable business reporting is still subject to evolution and innovation.” These comments underpin why all organisations, regardless of size, industry, ownership and geography, can benefit from this COSO-sponsored guidance as they build out, mature, and continue to evolve and expand their sustainability operations, reporting and compliance activities.

About Protiviti
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach, and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independent and locally owned Member Firms provide clients with consulting and managed solutions in finance, technology, operations, data, digital, legal, governance, risk and internal audit through our network of more than 85 offices in over 25 countries.

Named to the 2022 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 80 percent of Fortune 100 and nearly 80 percent of Fortune 500 companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

How Protiviti can help
Protiviti believes that sustainability is a continuous journey, presenting new risks and opportunities. There are no blueprints or out-of-the-box solutions, and each company needs an individualised and holistic approach to ESG reporting and operations in order to manage the high level of complexity and to position the organisation for continued, long-term success.

We leverage our reporting and regulatory expertise and our strategic partnerships to help clients define and build a seamless ESG reporting process. We can define and align ESG metrics to strategy and regulatory expectations, support the reporting process with innovative data and analytics solutions, and assist with audit and assurance readiness to help companies face a sustainable future with confidence.