COSO issues supplemental guidance on internal control over sustainability reporting – With examples

This blog post was authored by Steve Wang, Managing Director, U.S. ESG Engagement Leader on The Protiviti View.

In March 2023, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released interpretive guidance on how to effectively apply the 2013 Internal Control — Integrated Framework (ICIF), which is currently applied to financial reporting, to sustainability reporting. The guidance results from a project approved by the COSO board a year ago with the objective of helping organisations “create and ensure effective internal control by applying the ICIF to sustainability reporting for internal decision-making and external public reporting.” This goal applies both to voluntary reporting and to reporting mandated by regulation. Given the current state of evolution of required reporting and the very high percentage of companies voluntarily providing sustainability data to their stakeholders in response to market interest, the guidance couldn’t be more timely.

Protiviti issued a Flash Report about the guidance, COSO’s purpose in issuing it at this time and the value it is expected to deliver to companies. Our expectation is that the guidance will become the de facto standard for sustainability reporting, similar to the ICIF for internal control over financial reporting.

The 17 principles still apply

The guidance explains how each of the ICIF’s 17 principles applies specifically to sustainability and ESG reporting, providing both actual and illustrative case examples along with insights from the authors. The supporting, explanatory Points of Focus are also included for each principle and have been reworded to show their application to sustainability.

Example principle and points of focus

To illustrate, the guidance states Principle 10 from the 2013 ICIF on selecting and developing control activities without change, but rewords the related Points of Focus to apply them to sustainability:

Component: Control Activities[i]

10. Selects and develops control activities: The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Once an organisation has identified and assessed risks to achieving sustainable business objectives, it designs, develops and implements means to counter these risks, partly or completely. This helps ensure that oversight activities are responsive to sustainable business objectives, including reporting, and related risks.

Integrates with risk assessment: The selection and development of oversight activities regarding an organisation’s sustainable business activities flows from its risk assessment processes.

Considers entity-specific factors: There are no one-size-fits-all means to develop and implement oversight activities that respond to identified and assessed risks regarding an organisation’s sustainable business, which may reflect its specialised or unique business model and strategy.

Determines relevant business processes: An organisation considers the structures, policies, procedures, and assigned authorities and responsibilities over its sustainable business activities to respond to identified and assessed risks to meeting its sustainable business objectives.

Evaluates a mix of control activity types: To respond to the risks of meeting sustainable business objectives, an organisation carefully considers the nature of the risk and the types of individual actions or combination of actions that will be effective in responding to these risks.

Considers at what level activities are applied: Effective responses to risks on meeting an organisation’s sustainable business objectives require the assignment of activities at different levels within the organisation.

Addresses segregation of duties: The concept of “segregation of duties” means processes are designed for internal checks and balances that help ensure the veracity, accuracy and completeness of sustainable business information. This means evaluating how transactions that affect the organisation’s ability to meet its sustainable business objectives are initiated, approved, processed, reported and reconciled to other financial and sustainable business information.

The rest of the principles and Points of Focus have been similarly reworded to accommodate internal control over sustainability reporting (ICSR). The guidance reiterates the ICIF’s evaluation concept that an organisation has achieved an effective system of internal controls when all principles are present and functioning. At the end of the guidance, three cases are provided to illustrate this concept: a publicly held organisation subject to disclosure regulations considering its reporting agenda, a privately held supplier beginning its sustainable business journey and a publicly held organisation continuing its evolution toward reasonable assurance. Those examples are also worth reviewing.

Who should take action, and how

This guidance is of value to all organisations, as they all can benefit from effective ICSR. Both mature ESG reporters on the one end and organisations just beginning their sustainability journey on the other will find the guidance useful. Most importantly, as the market gravitates to obtaining third-party assurance, public companies and other organisations will find the guidance instrumental in preparing for the attestation process and communicating with assurance providers.

Organisations should use the guidance now to design and operationalise effective control activities and to prepare for third-party assurance of sustainability disclosures and ESG reporting. Executive sponsors should ensure that there is effective collaboration across the organisation among relevant functions in operations, compliance, risk management, internal audit, legal, technology and sustainability, among others, with regard to executing appropriate control activities. Executive management and the board should be kept informed of the status of ICSR-related activities and the results of evaluations. Directors and senior management should ensure that the right tone at and from the top exists on the importance of sustainability activities, ESG reporting and the related internal controls.

[i] Example from Achieving Effective Internal Control Over Sustainability Reporting (ICSR): Building Trust and Confidence Through the COSO Internal Control ― Integrated Framework.
