As ESG Becomes More Mainstream, Consider COSO’s Guidance on Internal Controls Over Sustainability Reporting

Companies now have a “clear roadmap” for applying internal controls to ESG reporting

COSO, a financial standards-setting organization, is a joint initiative of five private sector organizations, and it has historically provided thought leadership and direction for internal controls, risk management, governance, and fraud deterrence through its Internal Control–Integrated Framework (ICIF). ICIF’s five components and 17 guiding principles serve as the leading internal control framework used in financial reporting by public companies. The framework supports compliance with Section 404 of the Sarbanes-Oxley Act as mandated by the US Securities and Exchange Commission. While COSO’s study does not compel legal action or regulatory compliance, the status and credibility of COSO means its framework sets norms and expectations for internal controls over sustainability reporting.

COSO’s recently released study, Achieving Effective Internal Control over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control-Integrated Framework, seeks to bring structure to processes that underpin ESG reporting, applying the same internal financial reporting control principles to ESG and sustainability reporting. The American Institute of Certified Public Accountants (AICPA) Chief Auditor and COSO board member Jennifer Burns calls the study “a clear roadmap for applying COSO’s internal control principles to sustainability reporting, facilitating the disclosure of high-quality sustainability information.”

Formalized internal controls deliver multiple benefits

As highlighted in the ICSR study, the benefits of applying ICSR include:

• improved understanding and evaluation of consumer data use and cybersecurity;
• more effective collection, updating, and use of relevant ESG information;
• development of better sustainability metrics to inform business decisions;
• increased data integrity to build trust and confidence in ESG reporting;
• easier comparability of ESG reporting across companies;
• more auditable data for third-party verification;
• better understanding of an organization’s sustainability risks; and,
• increased transparency and enhanced ability to inform shareholders of company sustainability risks.

The ICSR study addresses how formalized internal controls for ESG reporting could help companies more fully integrate ESG reporting into the overall business and organizational structure. Applying the framework will also help organizations craft better answers to high-level questions, such as how sustainability data is relevant to business operations, how effective the data gathering process is, and whether operations are adequality aligned with sustainability goals.

Applying the ICSR principles to improve ESG disclosures

As the SEC moves closer to publishing official ESG disclosure requirements for public companies, ICSR will likely play a similar role in sustainability to what the Internal Control Over Financial Reporting (ICFR) did for financial reporting. There is momentum —and quite frankly, a desire— for it to become the accepted framework companies apply when structuring ESG reporting compliance with current and emerging regulations. As companies await the final SEC rulings on climate and cybersecurity, they can begin proactively applying the COSO framework to improve the quality of their sustainability data reporting.

Here are three ways to get started:

1. Define sustainability reporting goals

Through a cross-functional leadership team, engage with a range of stakeholders —investors, customers, employees, and others— to understand their sustainability reporting expectations and integrate their input into your corporate goals. While climate risk disclosures and greenhouse gas emissions are top of mind in the United States due to the SEC proposal, emerging topics such as water security, biodiversity, diversity, equity and inclusion, and cybersecurity will also require cross-functional collaboration for data collection and sustainability reporting.

COSO’s five components, corresponding principles, and points of focus —when applied together and within the context of these requirements— provide a flexible framework for establishing a customized and effective system of internal control. This approach can help link disparate teams and functions and standardize the process for aggregating source data into investor-grade, audit-ready disclosures.

Keep in mind that sustainability reporting is relevant and applicable to private companies in addition to publicly traded companies. Private companies can also apply COSO’s principles to enhance sustainability data management and reporting processes. Simply put, effective ICSR implementation will help all companies meet their sustainability reporting objectives, regardless of the ownership structure.

2. Consider the role of the ESG Controller

Achieving effective ICSR will not happen overnight. Leadership should familiarize themselves with the concepts included in COSO’s ICSR study, paying particular attention to any principles that can be borrowed from existing financial reporting controls. Examine the current skillset of the existing finance team and identify instances where upskilling may be required to enhance the team’s understanding of ESG principles, regulations, and reporting requirements.

As ESG reporting continues to mature, companies will find themselves integrating reporting processes and internal control activities across the finance and sustainability functions. This interplay is giving rise to a new and critical role – the ESG Controller. This individual is responsible for establishing business requirements for sustainability reporting that are aligned with stakeholder expectations. The ESG Controller is the driver behind measuring ESG initiatives and reporting on policies. He or she is familiar with financial data and serves as the critical link to applying COSO’s ICSR framework and achieving investor grade sustainability reporting.

3. Remain informed of new developments and make adjustments as needed

The path to effective ICSR is not linear. As ESG reporting requirements and stakeholder expectations evolve, organizations will need to adjust their ICSR program to realign their control environment. It will be important for organizations to implement monitoring activities to evaluate current practices and make adjustments and enhancements to their ESG reporting practices as appropriate.

To facilitate this process, organizations will need to implement robust monitoring controls – this concept can be borrowed from ICFR – to assess the current state of their progress toward established ESG goals. As organizations monitor the effectiveness of their sustainability data collection, tracking, and reporting, it is important to maintain the connection to the organization’s primary business and related operations. As the business changes —for example by releasing a new product line or expanding operations into other countries— the organization will need to monitor the scope of sustainability reporting to ensure continued alignment with company needs and stakeholder expectations.

Opt-in to formalize sustainability reporting now before it’s no longer optional

The future of mandated ESG reporting is becoming more and more difficult to deny. The development of the ICSR by COSO provides perhaps the strongest indicator yet that formalizing and institutionalizing ESG reporting will soon be a requirement. Adopting COSO’s ICSR framework for internal controls now will help companies develop internal capacities and prepare the necessary resources to collect and report high-quality ESG data and information before the pressure to do so increases even further.