COSO Issues Guidance on Internal Control Over Sustainability Reporting
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has published guidance on the application of its internal control framework to sustainability reporting. Achieving Effective Internal Control Over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control—Integrated Framework states that “akin to internal control over financial reporting (ICFR), we are now seeing the emergence of what we call internal control over sustainability reporting (ICSR).” The paper explains in detail how the 17 principles in COSO’s Internal Control—Integrated Framework, as revised in 2013 (ICIF-2013), apply to sustainability reporting.
COSO, which is a group of five global accounting and auditing organizations, was founded in 1985 in response to concerns about the quality of financial reporting. In 1992, COSO published Internal Control—Integrated Framework to define internal control and provide a common framework for evaluating and improving internal control systems. In 2002, the Sarbanes-Oxley Act required public companies to report on the effectiveness of their ICFR and, for larger companies, required the auditor to attest to management’s report. This reporting must be based on a suitable internal control framework that meets certain criteria. The SEC has indicated that the COSO framework satisfies those criteria and, as a practical matter, virtually all ICFR reporting is based on COSO.
In 2013, COSO updated its framework to incorporate a risk-based approach to designing, assessing, and reporting on internal controls and to expand the objectives to include other important forms of reporting, such as nonfinancial and internal reporting. ICIF-2013 defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” ICIF-2013 is comprised of five components:
Information and Communication
Each of the five components contains three to five principles, for a total of 17 principles. Each principle is subdivided into “points of focus” that explain how the principle works in practice. An organization has an effective system of internal controls when all 17 principles are present and functioning.
Applying ICIF-2013 to Nonfinancial Information
The bulk of the COSO paper consists of explanation and interpretation of how the 17 ICIF-2013 principles apply to sustainability. The discussion of each principle includes the ICIF-2013 points of focus regarding that principle and provides “insights” on how the principle can be implemented with regard to sustainability information. These insights are based on proposed regulations, evolving professional standards, organizational practices, “authoritative and thought leadership materials” and the authors’ interviews with professionals with a variety of relevant backgrounds. In addition, the principles discussion references publicly available corporate ESG reports that illustrate the application of the various principles to sustainability.
To illustrate the paper’s approach: The first of the five ICIF-2013 components is the control environment. The second control environment principle is “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.” There are four ICIF-2013 points of focus for that principle. The COSO paper relates them to sustainability reporting as follows:
Establishes oversight responsibilities. A board of directors executes its responsibilities over sustainable business management through a system of oversight that facilitates the organization’s satisfaction of mandates and expectations. Often, the organization’s board of directors establishes structures, such as a designated committee or subcommittee, to oversee the organization’s sustainable business activities and reporting. This may necessitate amending existing organizational documents such as the articles of incorporation, bylaws, or charters.
Applies relevant expertise. A board of directors identifies requisite skills and areas of expertise for its own membership. Therefore, it ensures that board members charged with oversight responsibilities regarding sustainable business have the knowledge base and skill set to be effective.
Operates independently. A board of directors operates independently from management with respect to oversight and responsibilities for decision making on sustainable business issues. This point of focus operates in the same way with respect to sustainable business activities as it does for all other organizational activities.
Provides oversight of the system of internal control. The board oversees an organization’s design, implementation, and performance of controls, systems, and processes related to sustainable business activities and reporting. Often, this is a check on management and an oversight of how the organization is utilizing its resources and processes to achieve sustainable business activities, such as programs around energy, waste, GHG emissions, supply chain, cybersecurity, and diversity, equity, and inclusion.
As an insight with respect to this principle, the COSO paper lists actions that an organization might take to enhance audit committee oversight of sustainability business information that is released to external stakeholders. Examples of these audit committee actions include:
Revising charters to include oversight of external reporting of sustainability information and to include oversight of disclosures regarding the effectiveness of the organization’s system of ICSR.
Conducting educational sessions on recent developments regarding sustainable business.
Overseeing the internal audit function and review of sustainable business information.
Developing processes to operationalize oversight of external reporting, such as determining the frameworks, standards, and guidelines to follow for external ESG reporting.
Reviewing external ESG reports before issuance.
Determining the extent to which ESG information is subject to independent assurance or verification and determining the appropriate outside firm to perform independent assurance or verification.
As an example of the application of this principle to sustainability reporting, the COSO paper quotes from Travelers description of the roles of its various board committees.
Top 10 Takeaways
The COSO paper concludes with a list of ten takeaways. Those that appear most relevant to audit committees are:
“Be committed to ensuring your organization has effective internal control over sustainability-related matters, including operations, compliance, and various types of reporting (external, internal, nonfinancial, and compliance).”
“Work with others to determine the best organizational structures, roles, and responsibilities to create the desired results, achieve appropriate internal and external efficiencies, and achieve effective internal control. This includes the board and board committees, management, operations, compliance, and internal audit.”
“Educating yourself on new topics like sustainability is critical. Take advantage of seminars, new publications, and certificate programs.”
“Internal assurance and confidence in sustainability reporting need to exist before external assurance. Take advantage of your internal audit function in this regard to provide objective assurance and other advice.”
“This is a fast-moving area, and there is bound to be lots of change over the next several years. So, monitoring activities are key in terms of evaluating progress and knowing when to make corrections and enhancements.”
Comment: As discussed in prior Updates, in many cases public company sustainability reporting has developed without the kinds of controls over accuracy and completeness that are routine with respect to traditional financial disclosures. As investors rely more heavily on sustainability information in their decision-making and as regulators become more focused on these disclosures, it is imperative that companies create appropriate controls. See, e.g., ESG Meets Disclosure Controls in an SEC Enforcement Action, February-March 2023 Update and SEC is Serious About ESG Disclosure Enforcement, April-May 2022 Update. COSO’s ICIF-2013 is the gold standard for controls over financial reporting and, as such, is familiar to public company reporting personnel, internal audit, auditors, and audit committees. Audit committees may want to consider how COSO’s framework can be extended to their company’s sustainability reporting.