The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities

The Protiviti View

Insights From Our Experts on Trends, Risks and Opportunities
Search

POST

4 mins to read

COSO Issues Supplemental Guidance on Internal Control Over Sustainability Reporting — With Examples

Steve Wang

Managing Director

Views
Unlock sustainability in facilities management ESG
Larger Font
4 minutes to read

Last Thursday, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released interpretive guidance on how to effectively apply the 2013 Internal Control — Integrated Framework (ICIF) — which is currently applied to financial reporting to sustainability reporting. The guidance results from a project approved by the COSO board a year ago with the objective of helping organizations “create and ensure effective internal control by applying the ICIF to sustainability reporting for internal decision-making and external public reporting.” This goal applies to both voluntary reporting as well as reporting mandated by regulation. Given the current state of evolution of required reporting and the very high percentage of companies voluntarily providing sustainability data to their stakeholders in response to market interest, the guidance couldn’t be more timely.

Protiviti issued a Flash Report about the guidance, COSO’s purpose in issuing it at this time and the value it is expected to deliver to companies. Our expectation is that the guidance will become the de facto standard for sustainability reporting, similar to the ICIF for internal control over financial reporting.

The 17 principles still apply

The guidance explains how each of the ICIF’s 17 principles apply specifically to sustainability and ESG reporting, providing both actual and illustrative case examples along with insights from the authors. The supporting, explanatory Points of Focus are also included for each principle and have been reworded to show their application to sustainability.

Example principle and points of focus

To illustrate, the guidance states Principle 10 from the 2013 ICIF on selecting and developing control activities without change, but rewords the related Points of Focus to apply them to sustainability:

Component: Control Activities[i]

    1. Selects and develops control activities: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Once an organization has identified and assessed risks to achieving sustainable business objectives, it designs, develops and implements means to counter these risks, partly or completely. This helps ensure that oversight activities are responsive to sustainable business objectives, including reporting, and related risks.

POINTS OF FOCUS

Integrates with risk assessment: The selection and development of oversight activities regarding an organization’s sustainable business activities flows from its risk assessment processes.

Considers entity-specific factors: There are no one-size-fits-all means to develop and implement oversight activities that respond to identified and assessed risks regarding an organization’s sustainable business, which may reflect its specialized or unique business model and strategy.

Determines relevant business processes: An organization considers the structures, policies, procedures, and assigned authorities and responsibilities over its sustainable business activities to respond to identified and assessed risks to meeting its sustainable business objectives.

Evaluates a mix of control activity types: To respond to the risks of meeting sustainable business objectives, an organization carefully considers the nature of the risk and the types of individual actions or combination of actions that will be effective in responding to these risks.

Considers at what level activities are applied: Effective responses to risks on meeting an organization’s sustainable business objectives require the assignment of activities at different levels within the organization.

Addresses segregation of duties: The concept of “segregation of duties” means processes are designed for internal checks and balances that help ensure the veracity, accuracy and completeness of sustainable business information. This means evaluating how transactions that affect the organization’s ability to meet its sustainable business objectives are initiated, approved, processed, reported and reconciled to other financial and sustainable business information.

The rest of the principles and Points of Focus have been similarly reworded to accommodate internal control over sustainability reporting (ICSR). The guidance reiterates the ICIF’s evaluation concept that an organization has achieved an effective system of internal controls when all principles are present and functioning. At the end of the guidance, three cases are provided to illustrate this concept: a publicly held organization subject to disclosure regulations considering its reporting agenda, a privately held supplier beginning its sustainable business journey and a publicly held organization continuing its evolution toward reasonable assurance. Those examples are also worth reviewing.

Who should take action, and how

This guidance is of value to all organizations, as they all can benefit from effective ICSR. Both mature ESG reporters on the one end and organizations just beginning their sustainability journey on the other will find the guidance useful. Most importantly, as the market gravitates to obtaining third-party assurance, public companies and other organizations will find the guidance instrumental in preparing for the attestation process and communicating with assurance providers.

Organizations should use the guidance now to design and operationalize effective control activities and assist in preparing for thirdparty assurance of sustainability disclosures and ESG reporting. Executive sponsors should ensure that there is effective collaboration across the organization among relevant functions in operations, compliance, risk management, internal audit, legal, technology and sustainability, among others, with regard to executing appropriate control activities. Executive management and the board should be educated on the status of ICSR-related activities and results of evaluations. Directors and senior management should ensure that the right tone at and from the top exists on the importance of sustainability activities, ESG reporting and the related internal controls.

[i] Example from Achieving Effective Internal Control Over Sustainability Reporting (ICSR): Building Trust and Confidence Through the COSO Internal Control ― Integrated Framework.

Was this post helpful to you?

Thanks for your feedback!

Subscribe to The Protiviti View Blog

To face the future confidently, you need to be equipped with valuable insights that align with your interests and business goals.

In this Article

Authors

Steve Wang

By Steve Wang

Verified Expert at Protiviti

Steve is a Managing Director with over 2 decades of experience in internal audit and sustainability reporting across...

EXPERTISE

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

While the return-to-office decision is often framed in a straightforward manner — we believe collaboration, productivity and innovation flourish more...

Article

What is it about

What you need to know: Aging systems, data silos, regulatory pressures and talent gaps complicate enterprise transformation for public utilities....

Article

What is it about

The top priority for healthcare internal auditors this year is cybersecurity, according to a survey by Protiviti and the Association...

Search