Last Thursday, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released interpretive guidance on how to effectively apply the 2013 Internal Control — Integrated Framework (ICIF) — which is currently applied to financial reporting — to sustainability reporting. The guidance results from a project approved by the COSO board a year ago with the objective of helping organizations “create and ensure effective internal control by applying the ICIF to sustainability reporting for internal decision-making and external public reporting.” This goal applies to both voluntary reporting as well as reporting mandated by regulation. Given the current state of evolution of required reporting and the very high percentage of companies voluntarily providing sustainability data to their stakeholders in response to market interest, the guidance couldn’t be more timely.
Protiviti issued a Flash Report about the guidance, COSO’s purpose in issuing it at this time and the value it is expected to deliver to companies. Our expectation is that the guidance will become the de facto standard for sustainability reporting, similar to the ICIF for internal control over financial reporting.
The 17 principles still apply
The guidance explains how each of the ICIF’s 17 principles apply specifically to sustainability and ESG reporting, providing both actual and illustrative case examples along with insights from the authors. The supporting, explanatory Points of Focus are also included for each principle and have been reworded to show their application to sustainability.
Example principle and points of focus
To illustrate, the guidance states Principle 10 from the 2013 ICIF on selecting and developing control activities without change, but rewords the related Points of Focus to apply them to sustainability:
Component: Control Activities[i]
- Selects and develops control activities: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
Once an organization has identified and assessed risks to achieving sustainable business objectives, it designs, develops and implements means to counter these risks, partly or completely. This helps ensure that oversight activities are responsive to sustainable business objectives, including reporting, and related risks.
POINTS OF FOCUS
Integrates with risk assessment: The selection and development of oversight activities regarding an organization’s sustainable business activities flows from its risk assessment processes.
Considers entity-specific factors: There are no one-size-fits-all means to develop and implement oversight activities that respond to identified and assessed risks regarding an organization’s sustainable business, which may reflect its specialized or unique business model and strategy.
Determines relevant business processes: An organization considers the structures, policies, procedures, and assigned authorities and responsibilities over its sustainable business activities to respond to identified and assessed risks to meeting its sustainable business objectives.
Evaluates a mix of control activity types: To respond to the risks of meeting sustainable business objectives, an organization carefully considers the nature of the risk and the types of individual actions or combination of actions that will be effective in responding to these risks.
Considers at what level activities are applied: Effective responses to risks on meeting an organization’s sustainable business objectives require the assignment of activities at different levels within the organization.
Addresses segregation of duties: The concept of “segregation of duties” means processes are designed for internal checks and balances that help ensure the veracity, accuracy and completeness of sustainable business information. This means evaluating how transactions that affect the organization’s ability to meet its sustainable business objectives are initiated, approved, processed, reported and reconciled to other financial and sustainable business information.
The rest of the principles and Points of Focus have been similarly reworded to accommodate internal control over sustainability reporting (ICSR). The guidance reiterates the ICIF’s evaluation concept that an organization has achieved an effective system of internal controls when all principles are present and functioning. At the end of the guidance, three cases are provided to illustrate this concept: a publicly held organization subject to disclosure regulations considering its reporting agenda, a privately held supplier beginning its sustainable business journey and a publicly held organization continuing its evolution toward reasonable assurance. Those examples are also worth reviewing.
Who should take action, and how
This guidance is of value to all organizations, as they all can benefit from effective ICSR. Both mature ESG reporters on the one end and organizations just beginning their sustainability journey on the other will find the guidance useful. Most importantly, as the market gravitates to obtaining third-party assurance, public companies and other organizations will find the guidance instrumental in preparing for the attestation process and communicating with assurance providers.
Organizations should use the guidance now to design and operationalize effective control activities and assist in preparing for third–party assurance of sustainability disclosures and ESG reporting. Executive sponsors should ensure that there is effective collaboration across the organization among relevant functions in operations, compliance, risk management, internal audit, legal, technology and sustainability, among others, with regard to executing appropriate control activities. Executive management and the board should be educated on the status of ICSR-related activities and results of evaluations. Directors and senior management should ensure that the right tone at and from the top exists on the importance of sustainability activities, ESG reporting and the related internal controls.
[i] Example from Achieving Effective Internal Control Over Sustainability Reporting (ICSR): Building Trust and Confidence Through the COSO Internal Control ― Integrated Framework.