Internal Control Organization Issues Guidance on Sustainability Controls
By Thomas W. White, Retired Partner, WilmerHale
“COSO,” an organization sponsored by several major associations of accountants, financial executives, and internal auditors, promulgates the leading framework for designing, implementing, and assessing internal control over a company’s operations, reporting, and compliance. COSO’s Internal Control—Integrated Framework (2013) is used by most US public companies to perform the management assessments and external audits of internal control over financial reporting required by section 404 of the Sarbanes-Oxley Act. (Notably, the COSO Framework is broader than just financial reporting, covering also operational controls and legal and regulatory compliance controls.) The COSO Framework consists of five components of internal control, each of which contains three to five principles, for a total of seventeen principles.
In late March, COSO released a report providing supplementary guidance on the application of the COSO Framework to sustainability (or ESG [environment, social, and governance]) reporting. Using the term “internal control over sustainability reporting,” or ICSR, the new guidance responds to the increased emphasis on disclosure of sustainability/ESG information among companies, regulators, investors, and other stakeholders. According to COSO, “there is a need among all stakeholder groups for effective controls and oversight so that this information is high-quality and fit for purpose: decision making in this changing world.” COSO presents the existing internal control Framework as a “good starting point” for implementing ICSR, with the addition of “the concept of organizational commitment to integrity and purpose, which is an important aspect of sustainability.” The ICSR guidance explains and interprets each of the seventeen principles and related “points of focus” in the COSO Framework as it may apply to sustainability.
In a press release, COSO says that it believes use of the COSO Framework for ICSR “will build trust and confidence in ESG/sustainability reporting, public disclosures, and enterprise decision-making.” The report emphasizes, however, that it is a “nonauthoritative, interpretative publication” representing only the views of its authors.