Navigating COSO’s Updated Sustainability Reporting Guidance

Companies are experiencing increasing pressure from investors, regulators, and other stakeholders to report sustainability-related information about their business. As companies seek to disclose this information, it is important that they develop and maintain systems and controls to safeguard the quality and accuracy of such information. In March 2023, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued an interpretive publication, revising its landmark framework for managing internal controls over financial reporting (ICFR) to include guidance for internal controls over sustainability reporting (ICSR). 

COSO’s report introduces a straightforward approach to applying the respective ICFR principles and components to design an effective ICSR and to manage sustainability issues. Without such systems and controls, companies may face risks relating to the disclosures they report, such as regulatory actions and greenwashing claims.

Below, we’ve analyzed COSO’s newest update and the implications for organizations, starting with an overview of the reporting ecosystem to which they may be subject.

Defining Internal Controls:

A process carried out by an entity’s board of directors and management, designed to provide reasonable assurance with respect to the achievement of objectives in operations, reporting, and compliance with applicable laws and regulations.

Sustainability Reporting vs. Financial Reporting

Sustainable business information differs from traditional financial data, and regulations have upended the sustainability reporting ecosystem. Unlike financial reporting, sustainability reporting emanates from a myriad of standards that often result in fragmented disclosures. As regulatory authorities like the Securities and Exchange Commission (SEC) increase their oversight, companies need a structured approach to data strategy and data governance to integrate their sustainability information with financial data to produce investor-grade disclosures.

The Differences Between Financial and Sustainability Reporting, According to COSO:

Control vs. Influence

  • There are unresolved differences regarding the setting of organizational boundaries between financial reporting and sustainability frameworks.
  • Financial accounting principles define a “consolidated entity” and detail how to account for minority investees.
  • Depending on the framework or standards, sustainability reporting may be based on different concepts of “control” or “influence” (COSO Principles 3 and 12).

Quantitative vs. Qualitative

  • Sustainability information is inherently more qualitative than traditional financial reporting, and it aims to estimate and assess the ongoing availability of resources and stakeholder willingness to make these resources available.
  • The goal is to produce information so that users may assess short-, medium-, and long-term future performance and expectations that relate to an ultimate enterprise value (or going concern value).

Historical vs. Forward-Looking

  • Sustainability information can be more forward-looking and long-term than financial information.
  • Financial accounting rests on the summarization of past transactions and events and reflects economic expectations and estimates of the future.
  • Sustainability is about the use and preservation of resources over the long-term, and the associated targets that inform business objectives.
  • Communicating long-term goals and targets sets the stage for future reporting on the achievement of targets.
  • The process of estimation is the same, but the time horizon is longer.

Integrating Financial and Sustainability Reporting

As internal control requirements are interwoven with sustainability disclosure regulations, organizations will be required to assess the effectiveness of their processes and policies. Regulations like the European Union’s Corporate Sustainability Reporting Directive (CSRD) require companies to disclose how their risk management and internal control systems encompass their sustainability reporting processes. They must outline those processes, their risk assessment and mitigation strategies, the risks they have identified, and how the findings will inform future disclosures and controls.

March 2023 Updates

Below, we highlight the key changes from COSO’s 2013 Internal Control – Integrated Framework (ICIF) to the new supplemental guidance released in March 2023, “Achieving Effective Internal Control Over Sustainability Reporting” (ICSR).

Origins of the COSO Framework

In 1992, COSO published its landmark framework. The guidance provides a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. To achieve an effective internal control system, COSO concludes that five components must be present and functioning:

Chart shows five components of a successful internal control system.

A decade later, when Congress passed the Sarbanes-Oxley (SOX) Act, thereby establishing the Public Company Accounting Oversight Board (PCAOB), there was a need to evaluate internal control over financial reporting (ICFR). The COSO framework provided a solid foundation for an effective control environment. In 2013, the framework was modified to encompass changes in the business environment. It is now among the most widely used financial reporting guidance in the U.S. for companies, nonprofits, and government agencies.

Component: Control Environment

Just as an entity’s internal control environment provides the foundation for effective ICFR, it is also an essential starting point for designing, implementing, and maintaining an effective system of internal control over decision-useful sustainable business information.

ICFR (2013) | ICSR (2023 Expansion for Sustainability Reporting) | Points of Focus

Principle 1: Demonstrate commitment to integrity and ethical values

The organization demonstrates commitment to integrity and ethical values.

An organization furthers its objectives by demonstrating to its stakeholders that it is trustworthy and acts in the public interest. An entity demonstrates its commitment to acting sustainably.

  • Set the tone at the top
  • Establish standards of conduct
  • Evaluate adherence to standards of conduct
  • Address deviations in a timely manner

Principle 2: Exercise board of directors’ oversight responsibilities

The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Oversight by an independent board of directors serves as a check that management is acting in accordance with the organization’s sustainable business objectives.

  • Establish oversight responsibilities
  • Apply relevant expertise
  • Operate independently
  • Provide oversight for the system of internal control

Principle 3: Establish structures, authority, and responsibilities

Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

As it endeavors to meet its sustainable business objectives, an organization’s management, with the oversight of the board of directors, establishes internal structures that set out authority and responsibilities.

  • Consider all structures of the entity
  • Establish reporting lines
  • Define, assign, and limit authorities and responsibilities

Principle 4: Demonstrate commitment to competent human resources

The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

To meet its sustainable business objectives, an organization depends on its human resources.

  • Establish policies and practices
  • Evaluate competence and address shortcomings
  • Attract, develop, and retain individuals
  • Plan and prepare for succession

Principle 5: Enforce accountability

The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

To meet its sustainable business objectives, an organization needs to establish and implement meaningful ways to support its human resources and, at the same time, monitor performance.

  • Enforce accountability through structures, authorities, and responsibilities
  • Establish performance measures, incentives, and rewards
  • Evaluate performance measures, incentives, rewards, and disciplines
  • Consider excessive pressures
  • Evaluate performance and reward or discipline individuals

Component: Risk Assessment

An organization’s risk appetite that is aligned with its strategy and performance can help to ensure it meets the organization’s sustainable business objectives. Determining materiality and assessing risk are key activities to staying focused on what matters to an organization.

Principle 6: Specify suitable objectives

ICFR (2013) | ICSR (2023 Expansion for Sustainability Reporting)

The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

With clarity, an organization expresses its sustainable business objectives. These objectives are a means to tie the organization’s purpose or mission, values, and corporate social responsibility goals to strategy. An organization’s sustainable business objectives follow from its commitment to integrity and ethical values and are integrally linked to its objectives including operational, external financial reporting, external nonfinancial reporting, internal reporting, and compliance objectives.

Explicit expression of these objectives is a predicate to considering risks, that is, the likelihood that events will occur that may be detrimental to the organization.

Points of Focus

Operations Objectives:

  • Reflect management’s choices
  • Consider tolerances for risk
  • Include operations and financial performance goals
  • Form a basis for committing resources

External Financial Reporting Objectives:

  • Comply with applicable accounting standards
  • Consider materiality
  • Reflect entity activities

External Nonfinancial Reporting Objectives:

  • Comply with externally established standards and frameworks
  • Consider the required level of precision
  • Reflect entity activities

Internal Reporting Objectives:

  • Reflect management’s choices
  • Consider the required level of precision
  • Reflect entity activities

Compliance Objectives:

  • Reflect external laws and regulations
  • Consider tolerance for risk

ICFR (2013) | ICSR (2023 Expansion for Sustainability Reporting) | Points of Focus

Principle 7: Identify and analyze risks to meeting sustainable business objectives

The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

To meet its sustainable business objectives, an organization needs to establish and implement meaningful ways to support its human resources and, at the same time, monitor performance.

  • Include entity, subsidiary, division, operating unit, and functional levels
  • Analyze internal and external factors
  • Involve appropriate levels of management
  • Estimate significance of risks identified
  • Determine how to respond to risks

Principle 8: Assess fraud risk

The organization considers the potential for fraud in assessing risks to the achievement of objectives.

In identifying and assessing the risks to achieving its sustainable business objectives and developing an effective response, an organization considers the risk that actors will engage in fraudulent activities such as intentional misstatements or misappropriation of valuable resources.

  • Consider various types of fraud
  • Assess incentives and pressures
  • Assess opportunities
  • Assess attitudes and rationalizations

Principle 9: Identify and analyze significant changes and emerging trends

The organization identifies and assesses changes that could significantly impact the system of internal control.

As part of identifying and assessing risks to achieving its sustainable business objectives, an organization considers emerging trends. Sustainability-related risks are evaluated in an ongoing manner or periodically to respond to regulatory trends and economic drivers.

  • Assess changes in the external environment
  • Assess changes in the business model
  • Assess changes in leadership

Component: Control Activities

ICSR activities establish responsibility and accountability for executing policies and procedures that mirror the techniques used for mainstream financial reporting, and they help to produce the disclosures that investors expect. These activities characterize the organization’s governance of sustainability objectives and help to monitor progress against performance.

ICFR (2013) | ICSR (2023 Expansion for Sustainability Reporting) | Points of Focus

Principle 10: Select and develop control activities

The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Once an organization has identified and assessed risks to achieving its sustainable business objectives, it designs, develops, and implements means to counter these risks, partly or completely. This helps ensure that oversight activities are responsive to sustainable business objectives, including reporting, and related risks.

  • Integrate with risk assessment
  • Consider entity-specific factors
  • Determine relevant business processes
  • Evaluate a mix of control activity types
  • Consider at what level activities are applied
  • Address segregation of duties

Principle 11: Select and develop general controls over technology

The organization selects and develops general control activities over technology to support the achievement of objectives.

An organization designs its control activities to respond to risks to achieving its sustainable business objectives. In doing so, it considers the extent to which it will rely on technology. This includes leveraging existing IT systems for the collection, processing, reporting, and security of sustainable business information, such as GHG emissions, energy usage, water usage, waste management, supply chain management, and diversity.

  • Determine dependency between the use of technology in business processes and technology general controls
  • Establish relevant technology infrastructure control activities
  • Establish relevant security management process control activities
  • Establish relevant technology acquisition, development, and maintenance processes control activities

Principle 12: Deploy oversight through policies and procedures

The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

An organization uses various means of oversight to direct its sustainable business objectives. Primary among these means are established policies and procedures, which promote clarity in how the organization will meet its sustainable business objectives.

  • Establish policies and procedures to support deployment of management’s directives
  • Establish responsibility and accountability for executing policies and procedures
  • Perform in a timely manner
  • Take corrective action
  • Perform using competent personnel
  • Reassess policies and procedures

Component: Information and Communication

As more sustainable business information becomes integrated or connected with financial reporting, organizations must ensure that they are communicating relevant information and the effectiveness of their processes to their internal and external stakeholders.

ICFR (2013) | ICSR (2023 Expansion for Sustainability Reporting) | Points of Focus

Principle 13: Use relevant information

The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

An organization needs quality data that informs whether its processes are facilitating its ability to meet its sustainable business objectives.

  • Identify information requirements
  • Capture internal and external sources of data
  • Process relevant data into information
  • Maintain quality throughout processing
  • Consider costs and benefits

Principle 14: Communicate internally

The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Once an organization establishes oversight structures and expresses policies and procedures, it communicates these structures and policies throughout the organization. This communication facilitates the understanding of all actors regarding their responsibilities for meeting the organization’s sustainable business objectives. 

  • Communicate internal control information
  • Communicate with the board of directors
  • Provide separate communication lines
  • Select relevant methods of communication

Principle 15: Communicate externally

The organization communicates with external parties regarding matters affecting the functioning of internal control.

Once an organization establishes oversight structures and expresses policies and procedures, it communicates these structures and processes to external parties, such as debt and equity investors and other stakeholders, that are relying on these processes for the delivery of reliable sustainable business information.

  • Communicate to external parties
  • Enable inbound communications
  • Communicate with the board of directors
  • Provide separate communication lines
  • Select relevant methods of communication

Component: Monitoring Activities

Monitoring processes and data collection systems for effectiveness enables organizations to evaluate progress and know when to make corrections and enhancements.

ICFR (2013) | ICSR (2023 Expansion for Sustainability Reporting) | Points of Focus

Principle 16: Conduct ongoing and/or separate evaluations

The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Once implemented, an organization revisits its oversight structures and processes to ensure that they are effective in facilitating its ability to meet its objectives around sustainable business. These reassessments may be scheduled and ongoing, or they may be performed as specific needs arise.

  • Consider a mix of ongoing and separate evaluations
  • Consider rate of change
  • Establish baseline understanding
  • Use knowledgeable personnel
  • Integrate with business processes
  • Adjust scope and frequency
  • Objectively evaluate

Principle 17: Evaluate and communicate deficiencies

The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

As an organization reassesses its structures, policies, and procedures regarding its sustainable business activities, it communicates its findings so that actors better align their activities in accordance with the organization’s sustainable business objectives.

  • Assess results
  • Communicate deficiencies
  • Monitor corrective actions

Acting on the New Guidance

The integration of sustainability and financial reporting will require strong data governance practices to help create decision-useful information that supports an organization’s long-term strategy. Once an organization establishes the key controls over ESG reporting, management should identify ownership of data and the functions that will implement controls, document monitoring procedures throughout the relevant levels of the organization, and educate data owners on ESG-related ICFR elements. For some enterprises, enhanced technology may be helpful when managing ESG data. Tools with capabilities that include workflow and reporting support a coordinated effort across the risk, compliance, sustainability, and internal audit functions.

Applying ICFR concepts to non-financial data is critical for accurate ESG reporting. Companies should also consider the core elements of an effective ICFR program and how they will apply to strong controls over ESG reporting, including:

Chart shows core elements of an effective ICFR program.

The proposed SEC Climate Disclosure rule will require registrants to expand their processes and system of ICFR to adequately collect and report financial data and the impacts of climate-related events and/or transition activities. Incremental controls will likely be required to monitor items such as external weather events, transition activities, and the cost differentials between the choice of maintaining currently acceptable operations versus the cost of transitioning to green alternatives.

How We Can Help

In this period of regulatory upheaval, resilient internal controls on sustainability data and processes will become even more imperative. Organizations should leverage these controls to maintain data and process quality in their endeavor to adapt to these rapid changes. Closely monitored internal controls, consistency across processes, well-governed disclosures, and trusted third-party assistance can help. No matter the stage of an enterprise’s ESG journey or program, a readiness assessment or sustainability roadmap can be a helpful place to start. Contact BDO USA’s ESG Center of Excellence to learn more.