Group of business people have a discussion in conference room. Formal business team brainstorming over new project. Mature businessman and businesswoman talking and working while sitting in modern conference room with business partners.

How new COSO guidance will help with internal control over ESG reporting

Authors

  • Marie Johnson

    Partner, Sustainability Governance, Risk and Compliance Consulting, Ernst & Young LLP

  • Simon Wong

    Senior Manager, Business Consulting, Ernst & Young LLP

10 minute read 28 Jun 2023
Related topics
Consulting
Risk

New guidance from COSO helps organizations apply the Internal Control – Integrated Framework to ESG reporting (including discussion guide)

In brief

  • In March 2023, COSO issued guidance to help companies establish effective internal control over reporting on environmental, social and governance (ESG) topics.
  • While internal control over sustainability reporting (ICSR) may be a new concept, existing processes and controls may be modified to incorporate sustainability.
  • There are numerous benefits of establishing ICSR, including preparedness for regulations and more trusted information for sustainability decision-making.

Two decades ago, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the Internal Control – Integrated Framework¹, which it subsequently updated in 2013. Today, the Integrated Framework remains the gold standard for evaluating internal controls, governance and oversight, and it is the only generally accepted framework to operationalize the requirements of the Sarbanes-Oxley Act of 2002 (SOX).

Although the Integrated Framework was originally developed for internal control over financial reporting (ICFR), the revision in 2013 acknowledged the value of internal controls beyond financial reporting and expanded the scope of the Framework to all forms of reporting, including nonfinancial reporting.

Today, with the sharp rise in the breadth and frequency of reporting on environmental, social and governance (ESG) factors driven by various market and regulatory forces, organizations are once again turning to the proven principles of the COSO Integrated Framework – this time to enhance the accuracy of their ESG and sustainability reporting.

Although market demand for sustainable business information continues to rise steadily, internal stakeholders (management, employees and board members), as well as external stakeholders (investors, customers and regulators) often do not have the same level of confidence in the reliability, utility and quality of currently available information that they have in traditional financial data. Some examples of these concerns arise from the somewhat different qualities of sustainable business information and reporting compared with conventional financial reporting and include:

It is therefore timely that COSO released supplemental guidance² to help organizations achieve effective internal control over sustainability reporting (ICSR) and introduce ICSR into the control lexicon. While the Integrated Framework from 2013 remains unchanged, the new guidance provides practical insights and examples to apply the Framework to ESG and sustainability reporting.

Overview of the Integrated Framework

The Internal Control – Integrated Framework (ICIF) is comprised of five components, each of which contains three to five principles, for a total of 17 principles. This framework is most frequently presented as the COSO Cube³ and provides organizations with a roadmap for implementing and executing effective internal controls.

Applying the Integrated Framework to ESG

Only when internal controls that address all 17 principles are present and functioning can the control environment be deemed effective; this same approach applies to ICSR. Leveraging the tried and tested Integrated Framework, which organizations generally have deep experience using, will provide a strong foundation for the design and implementation of an effective control environment over sustainability reporting.

Benefits of using the Integrated Framework for Internal Control

The Integrated Framework provides a systematic, consistent and holistic approach to designing, implementing and overseeing an effective system of internal control over sustainability reporting and business activities. For organizations that are early in their ICSR journey, the Integrated Framework is a comprehensive blueprint to get started. Meanwhile, organizations further along the process can use the Framework to assess potential internal control gaps and adopt additional practices provided in the new COSO guidance to enhance their ICSR maturity for both performance measurement and external reporting resulting from decision useful and reliable information.

The Framework also supports organizations with the development of sustainability governance structures and alignment of roles and responsibilities across management, operational teams, internal audit, audit committee and the board. This is an area of particular complexity due to the multidisciplinary nature of sustainability and ESG topics, which means business activities, data, reporting platforms and people often span across many functions within the organization.

By applying the principles of the Integrated Framework, organizations can enhance the quality and reliability of their sustainability data and reporting. This allows for more informed decision-making by management, investors and other stakeholders and contributes to measuring progress toward sustainability goals.

It also puts in place the conditions to enable assurance. In the coming years, market forces will raise the demand for robust, independent external assurance over sustainability information. For example, the recently adopted Corporate Sustainability Reporting Directive (CSRD) in the EU, and the Securities and Exchange Commission (SEC) proposed climate disclosure rules in the US, have mandatory assurance requirements for sustainability disclosure. Companies should take action today to start preparing for assurance over external ESG disclosures by leveraging the principles in the Integrated Framework, which are already referenced by assurance providers to evaluate financial reporting.

Who should use the Integrated Framework for sustainability?

While all organizations can benefit from using the Integrated Framework for their ESG and sustainability reporting, the approach to applying it varies depending on an individual's role or function within the organization. For example:

Numerous other stakeholders across the organization with sustainability and ESG roles can similarly benefit from applying the COSO guidance to bring a higher level of rigor to their processes and internal controls.

Discussion guide for ICSR

No matter where a company sits in its maturity in establishing internal control over sustainability reporting, the points of focus and insights within the COSO guidance provide actionable tips to enhance the design and operating effectiveness of controls.

Download our PDF to identify key questions organizations and auditors (internal and external) can ask to assess the extent to which the existing controls address each of the five components and 17 principles of the Integrated Framework:

Discussion guide for internal control over financial reporting

PDF (1 MB)

How EY can help

Key takeaways for practitioners

  1. Set the tone at the top. Leadership's commitment to acting with integrity is an essential element for an organization to achieve an effective system of internal control over sustainability reporting.
  2. Engage a cross-functional team. Collaboration and input from various teams across the organization are important to develop the right structures, authority, responsibilities and accountability so that sustainability objectives can be achieved.
  3. Leverage existing expertise and controls. With suitable adjustment and modification, current processes and controls within the organization (such as those around financial reporting) can be applied to sustainability information.
  4. Perform periodic risk assessments. Identifying and analyzing sustainability-related risks on an ongoing basis will help organizations stay focused on what matters most, while keeping abreast of emerging regulations and changes in economic drivers.
  5. Use digital technologies. Implementing technology systems will help standardize sustainability processes, resulting in improved efficiency, integrity and traceability of information flows, and better confidence in sustainability decision-making.

Summary 

As sustainability becomes a top focus area for internal and external stakeholders, many companies are implementing internal control over sustainability reporting (ICSR) to help articulate their values and purpose, set their objectives and strategy, and provide confidence in their performance data.

While organizations are at different stages in this process, there is a need to bring people with experience and expertise in the many dimensions of sustainable business and reporting together to enhance reliability. Guidance from COSO helps companies accelerate achievement of an effective system of internal control and sustainable business information.

About this article

Authors

  • Marie Johnson
    Partner, Sustainability Governance, Risk and Compliance Consulting, Ernst & Young LLP
  • Simon Wong
    Senior Manager, Business Consulting, Ernst & Young LLP
Related topics
Consulting
Risk

Related articles

How can corporate reporting bridge the ESG trust gap?

The EY Global Corporate Reporting and Institutional Investor Survey finds a significant reporting disconnect with investors on ESG disclosures. Learn more.

Myles Corson + 1

Five priorities to build trust in ESG

ESG investing is at a critical moment. As historical levels of capital are fed into ESG funds, questions emerge on how useful ESG data is. Find out more.

Katie Kummer + 1

Building out the finance function role in ESG reporting

Building out the finance function role in ESG reporting. Watch the on-demand version of the webcast.

EY Americas

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.