
COSO Publishes Guidance for Internal Control Over Sustainability Reporting

Soyoung Ho  Senior Editor, Accounting and Compliance Alert

· 6 minute read


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) on March 30, 2023, published a study along with supplemental guidance intended to help companies establish effective internal control over sustainability reporting (ICSR) using the COSO Internal Control—Integrated Framework (ICIF).

The new study and supplemental guidance is called Achieving Effective Internal Control over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control―Integrated Framework.

Today, COSO’s ICIF is widely used. Public companies must comply with Section 404 of the Sarbanes-Oxley Act of 2002, which requires them to have and evaluate internal controls over financial reporting (ICFR). Larger public companies are also required to have their external auditors attest to management’s internal controls. Market regulators have said that companies that have adopted the framework are more likely to simplify their financial reporting and their efforts to comply with the SEC and PCAOB control requirements.

COSO’s latest guidance comes amid increased reporting on environmental, social and governance (ESG) matters. While such reporting is currently voluntary, the SEC is close to adopting a set of mandatory reporting requirements related to climate change disclosures for public companies. Moreover, globally, the International Sustainability Standards Board will issue sustainability standards in the coming months.

“COSO believes its use will build trust and confidence in ESG/sustainability reporting, public disclosures, and enterprise decision-making,” said the organization, a joint initiative of five private sector organizations that develop frameworks and guidance on enterprise risk management, internal control and fraud deterrence.

The five organizations are the American Accounting Association (AAA), the AICPA, Financial Executives International (FEI), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA).

COSO said that ICSR leverages knowledge gained in the application of ICIF to financial reporting over the past two decades. The supplemental guidance introduces ICSR into the internal control lexicon.

“More companies are now in various stages of implementing controls and governance processes over the collection, review, and reporting of sustainability information, including creating multifunctional teams that bring together a company’s sustainability, finance and accounting, risk management, legal, and internal audit professionals,” said COSO Chair Lucia Wind in a statement. “In many ways, sustainable business reporting is still subject to evolution and innovation. As a result, it will be a process of continuous improvement including building internal capacity and relevant assurance.”

COSO said that ICSR is not yet well established in practice today, but the report said that each of the 17 principles that are in ICIF—which was updated in 2013—is explained and interpreted for application to sustainability.

“Companies will now have a clear roadmap for applying COSO’s internal control principles to sustainability reporting, facilitating the disclosure of high-quality sustainability information,” AICPA Chief Auditor and COSO board member Jennifer Burns said in an emailed statement. “Taking a familiar control framework and applying it to sustainability reporting will be beneficial not only to companies, but to their stakeholders as well.”

Jeffrey Thomson, former IMA president and chief executive officer, said the new report is more relevant than ever for finance teams today because ESG and sustainable business management (SBM) are becoming mainstream around the world. He cited not only regulatory actions but also the increasing call for sustainability reporting by investors, rating agencies, insurance companies and even employees who place a premium on companies that achieve “profits with purpose.”

“Likewise, the CFO or Finance team over time has become increasingly responsible, supported by their independent internal and external auditors as appropriate, for the overall performance of the enterprise integrating financial and non-financial information for external reporting, decision-making and value creation,” Thomson said. “But ESG reporting and sustainable business management are early in the journey to produce cost effective, assured, and comparable external reports while also supporting internal enterprise decision making, and resource allocation and optimization.”

He explained ESG data is generally different from financial information because it is more qualitative, includes more estimates and is not structured.

“This new guidance will help organizations achieve effective ICSR and support enterprise decision-making and value creation leveraging the COSO ICIF components and principles and ‘how to’ application points of focus,” Thomson said. “In many ways, ICSR becomes the companion to finance teams successfully leading and facilitating effective ICFR for SOX 404 and regulatory regimes around the world.”

Thomson explained that the 2013 ICIF was expanded to include control related to non-financial reporting. The supplementary sustainability framework also includes examples, cases, insights and third-party research to better illustrate lessons learned so far.

“As appropriate, the management team and board can utilize independent internal auditors and external auditors to achieve desired outcomes,” Thomson said.

At the end of the day, he said that the supplemental guidance to COSO ICIF is about promoting confidence in ESG information and creation of value.

“Finance teams have experience in integrating financial and non-financial performance in developing balanced scorecards, strategy maps and more recently, concepts of integrated thinking,” Thomson said. “Enterprise performance management is increasingly convened or facilitated by the CFO team working with many internal business partners including IT, CSR, internal audit and others across the value chain who also need to understand and apply sound principles of internal control and enterprise risk management. So, for ESG or sustainable business information to be decision-useful, it needs to be of sufficient quality. An end to end data governance plan with clear owners is critical, along with competencies in data architecture, data acquisition, data cleansing, analysis, modelling and visualization enabling the organization to make smart choices in its transitory or transformational initiatives.”

COSO noted that the following are the principal authors of the guidance:

  • Robert Herz, former FASB chair, founding member of the IASB and former SASB Foundation board member;
  • Robert Hirth, senior managing director at Protiviti, former COSO chair and former vice chair of the SASB;
  • Douglas Hileman, consultant, ESG specialist, and member of former ESG Leadership Knowledge Group;
  • Shari Littan, IMA director, Corporate Reporting Research and Thought Leadership;
  • Brad Monterio, IIA executive vice president of member Competency and Learning and member of the IFRS Foundation’s Integrated Reporting and Connectivity Council; and
  • Jeffrey Thomson, President and CEO of IMA until March 31, 2023, and former COSO board member/lead director.


This article originally appeared in the April 3, 2023 edition of Accounting & Compliance Alert, available on Checkpoint.
