Internal Control Over Sustainability Reporting (ICSR) Update
April 20, 2023
On March 30th, 2023, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released supplemental guidance for using the globally recognized 2013 COSO Internal Control-Integrated Framework (ICIF) to achieve effective internal control over sustainability reporting (ICSR).1
In COSO’s press release on the new guidance, COSO Chair Lucia Wind notes that “This new supplemental guidance is significant and extremely timely given upcoming final rules on climate risk from the SEC and ISSB, not to mention the journey organizations are on to build sustainable management principles into their core mission, purpose, governance, and strategies.”2 Douglas Hileman, FSA, CRMA, P.E., a co-author of the new supplemental guidance, notes, “Many groups provide data and information for Sustainability reporting – Environmental, HR, Operations, Procurement, Real Estate. The document is designed to foster communication and collaboration between those who know internal controls and those who don’t.”
A Call to Action
COSO acknowledges that while some larger organizations have made progress building controls around ESG reporting, few have developed truly effective integrated systems of internal control over sustainability information. At the same time, COSO believes “There is an expectation among policy makers, investors, and other stakeholder groups that some organizations will be able to achieve reasonable assurance, rather than limited assurance, on their external disclosures relating to climate and other ESG risks.”3 Reasonable assurance is a key component of the SEC’s definition of internal controls over financial reporting (ICFR), and COSO views ICSR as a comparable concept to ICFR.4 In other words, organizations need a systematic, consistent framework to achieve an effective system of internal control over sustainable business activities and reporting, just as they do with financial reporting.
The guidance begins with background on COSO, the 2013 Internal Control-Integrated Framework including its five components depicted in the iconic “COSO cube” and its 17 underlying principles, and its application to non-financial information. It then discusses the goals and users of sustainable business information, highlighting the capital markets as a key user. COSO notes that “By 2022, in the U.S., $8.4 trillion (12.6%) of assets under management reflected sustainability investing (see 2022 Report on US Sustainable Impact Investing Trends).” 5,6 Other stakeholders and consumers of sustainable business information include policy-makers, customers, employees, suppliers, executive management and board directors.
The guidance then discusses ESG regulatory bodies and standards - including the rapidly evolving regulatory developments in Europe, and the anticipated ruling from the SEC - the types of sustainable business information (environmental, social, and governance), the various ways ESG information is reported today, and trends in reporting. Here COSO notes that “The Governance & Accountability Institute, which monitors the pervasiveness of ESG reporting by large public companies, reported that by 2021, 96% of the S&P 500 and 81% of the Russell 1000 published sustainability reports.” 7,8
The guidance also describes the attributes of ESG reporting that differ from financial reporting, and the unique challenges with reporting sustainable business information.
The 17 Principles and 3 Illustrations
COSO devotes much of the publication, over 70 pages, to discussing each of the 17 principles and points of focus from the 2013 ICIF and explaining their applicability to sustainability. Throughout, COSO reiterates the concept that an effective system of controls is achieved when ALL principles are present and functioning.
The guidance also provides three cases to illustrate the application of ICSR at organizations of varying size and maturity: a large publicly held organization subject to disclosure regulations, a privately held supplier beginning its sustainable business journey, and a publicly held organization continuing its journey toward reasonable assurance.
COSO’s Key Takeaways
The guidance concludes with a list of 10 key takeaways,9 summarized below:
- Be committed to ensuring your organization has effective ICSR.
- Effective ICSR is achieved when the 17 principles are present and functioning.
- Determine the best organizational structures, roles, and responsibilities to create the desired results, achieve appropriate internal and external efficiencies, and ensure effective internal control.
- Learning about sustainability is now critical.
- Take advantage of other relevant COSO materials on subjects such as ERM and ESG.
- Internal assurance and confidence in sustainability reporting need to exist before external assurance.
- ESG reporting, both internal and external, should not be an “annual and manual” activity. Seek ways to make it automated, efficient, and continuous.
- Monitoring activities are key in terms of evaluating progress and knowing when to make corrections and enhancements.
- COSO is not just for large, private-sector publicly listed companies.
- Meeting the challenges of ICSR will require forming cross-functional teams.
FTI Consulting’s Take
FTI Consulting is helping clients implement the new guidance and address the following recommendations:
- Start using the new guidance now. There is no need to wait for new regulations.
- Use the new guidance to design and implement effective ICSRs. Treat ICSRs like ICFRs under SOX: document them (narratives, flowcharts, Risk/Control Matrices), evaluate their design annually, identify gaps, perform operating effectiveness testing and remediation.
- Focus on having repeatable, continuous, and if possible automated controls. Leverage controls already in place for financial reporting.
- Assure proper focus on data management. Capturing and managing relevant and reliable data in a complete and accurate manner should underlie program strategy.
- Establish the right tone at the top with respect to sustainability reporting activities and controls. Recognize the potential need for change management activities to help ensure sustainability objectives flow downstream, particularly to those unfamiliar with control concepts.
- Understand your ESG and implementation risks (vendor reliance, data, governance, compliance gaps, etc.) via materiality and gap assessments.
- Be wary of greenwashing. Regulators, like the SEC and its ESG-focused Task Force, are monitoring for greenwashing, regardless of regulated reporting.
- Leverage the experience of those most familiar with the 2013 COSO ICIF such as internal auditors, the SOX team, and members of the accounting and financial reporting functions.
- Engage IT as an important stakeholder, and address specific Information Technology General Controls (ITGCs) as a key component of ICSR.
- Use technology to level-up from an “annual and manual” approach to automated sustainability reporting. Establish a ‘general ledger’ for sustainability metrics, and a controlled and auditable path to outputs like corporate reports and regulatory compliance filings.
FTI Consulting provides its clients with experience-based counsel from integrated teams of experts able to manage multi-stakeholder ESG risks and opportunities from a regulatory, financial, political and commercial perspective.
1: “Achieving Effective Internal Control over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control―Integrated Framework,” Committee of Sponsoring Organizations of the Treadway Commission (last accessed April 4, 2023), https://www.coso.org/Shared%20Documents/COSO-ICSR-Report.pdf.
2: “COSO Releases New (ICSR) Supplemental Guidance,” Press Release, Committee of Sponsoring Organizations of the Treadway Commission (March 30, 2023), https://www.coso.org/SitePages/COSO-Releases-New-(ICSR)-Supplemental-Guidance.aspx?web=1.
3: Committee of Sponsoring Organizations of the Treadway Commission, supra note 1, at 11.
4: Securities and Exchange Commission 17 CFR PART 241 [RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06], https://www.sec.gov/rules/interp/2007/33-8810.pdf
5: Committee of Sponsoring Organizations of the Treadway Commission, supra note 1, at 22–23.
6: “US SIF Trends Report,” The Forum for Sustainable and Responsible Investment (last accessed April 13, 2023), https://www.ussif.org/trends.
7: Committee of Sponsoring Organizations of the Treadway Commission, supra note 1, at 27.
8: “All-Time High of Sustainability Reports Among U.S. Publicly-Traded Companies: 96% of S&P 500 and 81% of Russell 1000,” Governance & Accountability Institute, Inc. (last accessed April 4, 2023), https://www.ga-institute.com/research/ga-research-directory/sustainability-reporting-trends/2022-sustainability-reporting-in-focus.html.
9: Committee of Sponsoring Organizations of the Treadway Commission, supra note 1, at 105.