10 action items for companies from COSO’s ICSR framework
Sustainability reporting is an increasingly critical focus for many companies. As more organizations disclose sustainability data across their global operations, they face a lack of standardized guidance on internal controls to ensure consistent, verifiable and reliable reporting.
To address this, the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, which is responsible for creating a widely adopted framework for internal control over financial reporting, introduced in March 2023 the concept of “internal control over sustainability reporting,” or ICSR, into its new report, Achieving Effective Internal Control Over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control—Integrated Framework. The report breaks down each of the principles in COSO’s Internal Control-Integrated Framework, or ICIF, and provides guidance on their applicability to ICSR. Implementation of ICSR is expected to increase the overall effectiveness, accuracy, and efficiency of sustainability reporting.
This alert summarizes five core action items proposed by COSO and recommends five additional action considerations for companies looking to bolster their ICSR.
The ICIF framework addresses both financial and non-financial reporting
COSO, a partnership of five global accountancy and auditing organizations, was founded in 1985 to foster reforms in response to concerns about the quality of financial reporting. The organization published its initial iteration of ICIF in 1992, as further updated in 2013. This framework is widely adopted by public companies in meeting the requirements of the Sarbanes-Oxley Act of 2002 for implementation of internal controls over financial reporting, or ICFR.
While ICIF was primarily born out of the necessity to achieve a high quality of financial reporting, COSO emphasizes that the ICIF framework is also applicable to non-financial reporting.
The ICIF framework consists of 17 principles. The report describes each principle, explains how each principle applies to sustainability reporting, and distills the framework into five core action items.
COSO action items
- Commit to integrity by stating your purpose: Articulation of an organization’s purpose is an integral step in establishing and building a sustainable business program. Companies can leverage their existing mission and values statements in determining and articulating their purpose.
- Determine objectives: Companies should develop and communicate specific and measurable internal and external sustainability business objectives, and for each such objective establish reporting principles with sufficient detail such that such information may be applied properly and considered in assessing potential risks in the process of preparing sustainable business data.
- Identify and assess risks (and consider opportunities): Companies should undertake a comprehensive evaluation of both the qualitative and quantitative risks associated with a company’s sustainability objectives. Often, this analysis will uncover ways that companies can turn risks into potential opportunities.
- Identify control activities: Once a comprehensive understanding of a company’s sustainability objectives and the risks associated with these objectives is reached, specific activities should be identified to manage or mitigate the risks identified in the prior step.
- Evaluate effectiveness: Once control activities are implemented, the effectiveness of the design and operation should be evaluated and optimized on an ongoing basis.
Recommended additional action items
- Identify any limitations in the scope of your cross-functional team. Because the reach of sustainability reporting is generally multi-disciplinary compared to that of traditional financial reporting, companies should assess their cross-functional Environmental, Social and Governance (ESG) teams with that end goal in mind. For example, because emissions reporting often encompasses entities upstream and downstream in a company’s value chain, cross-functional teams may need to include representatives that may have not before played a significant role in the company’s ICFR or ESG strategy. Additionally, a company should consider not only its product and services value chain, but all of the company’s structures when establishing teams and reporting frameworks, including whether equity investments, subsidiaries, joint ventures, and other third parties should be included. Companies should also assess the cross-functional teams' skill sets and knowledge relevant to the sustainability reporting. For example, members of the financial and internal audit teams could likely leverage the resources and expertise gained through their ICFR experience in developing and implementing an ICSR program.
- Mitigate risks of ICSR implementation. As companies are implementing new control procedures on their ICSR journeys, new or immature processes can create organizational risks. COSO’s third ICSR action item recommends that companies undertake an individualized assessment of the risks of ICSR implementation and consider the unique aspects of their company and its operations. One of the most common risks associated with implementation of ICSR relates to information governance and integrity. Companies are leveraging new technology to help them closely track trends in sustainability metrics, create more precise environmental and sustainability data estimates, and develop more decision-useful information for management in assessing sustainability risks among other things, but new technology can also introduce risks if the integrity of the sustainability data is not closely monitored and validated. Many companies already have in place ICFR related to financial data governance, and they can likely leverage those processes to create similar controls over governance of sustainability data. Data due diligence and validation processes should focus on internal data as well as sustainability data from third parties and should establish and maintain a traceable audit trail to verify such data. By establishing these new policies and processes, companies may be able to mitigate not only risks associated with information governance and integrity but other identified ICSR-related risks.
- Analyze control activities through multiple lenses. The control activities identified in COSO’s fourth ICSR action item should be informed not only by risks as discussed above, and other activities tailored for the operations of the business, but also by the expectations of multiple stakeholders and the purposes for which these stakeholders, such as various regulators, investors, customers, key business partners, and employees, intend to use the data. COSO’s report highlights the fact that companies are increasingly disseminating sustainable business information “to multiple parties, in multiple formats, via multiple channels.” ICSR control activities should be designed to ensure consistent and cohesive sustainability reporting among these different venues and with the goal of presenting useful and actionable data to differing stakeholders who may use the data for different purposes. Where key stakeholders or regulators have conflicting ESG expectations or concerns, ESG teams should be guided by the company’s purpose as an organization and the mission of its sustainability and ESG strategy recommended by COSO’s first ICSR action item; they may use tools like materiality assessments and competitive studies for balancing these multiple interests. See our alert “The ‘anti-ESG movement’: Balancing conflicting stakeholder concerns and inconsistent regulatory regimes” for more information.
- Deploy oversight through robust policies and procedures and set the tone at the top. When developing ICSR policies and procedures, companies should consider evaluating which level of the business each ICSR control activity should be implemented, ensuring that responsibility for each activity is clearly delegated, and addressing segregation of duties. Companies should review their existing policies and implement any necessary updates, in addition to developing new sustainability control policies where appropriate. ICSR policies should be designed not only with data verification in mind, but should be harmonized with the company’s existing ICFR and designed to effectively identify and raise potentially material risks and developments to the company’s legal and financial reporting team in a timely manner. Importantly, companies should evaluate the effectiveness of the controls, including, in particular, ensuring a “tone at the top” that is understood and effectively implemented by each reporting channel. As processes and policies are implemented, companies should consider performing a readiness assessment to identify areas of focus, either by an internal audit team or an external professional service firm. This is an ongoing iterative process and should be frequently revisited to respond to a company’s evolving circumstances, objectives, and risks both internally and externally.
- Evaluate significant changes and emerging trends on an ongoing basis. Companies should continually work to stay abreast of new developments in sustainability reporting, both internally and externally. External developments can include new or updated regulatory proposals, expectations of customers, suppliers, employees, shareholders and other stakeholders, economic trends, geopolitical events, or environmental changes. Internal developments can include updates to the company’s business model, changes in leadership, changes in the company’s operations. Companies should consider performing periodic reviews of their sustainable business efforts and benchmarking them against leading practices of peer companies to ensure that their practices are on par with industry expectations and best practices.
You may also enjoy our prior alert, “10 considerations for companies on the path to sustainability.” Learn more about ICSR by contacting any of the authors or your DLA Piper relationship lawyer, and visit our Sustainability and Environmental, Social, and Governance portal for the latest information on ESG developments.