New sustainability reporting law in Australia should prompt fresh look at COSO’s internal control framework By Rich TurleySustainability reporting is now law. On 9 September 2024, the Australian Parliament passed The Australian sustainability reporting regulation into law. The first reports by the largest in-scope entities are due in 2026, for reporting periods beginning 1 January 2025.Assurance is expected. The regulation stipulates limited assurance over the reports for the next five years, and reasonable assurance beginning with FY 2030 reporting periods.Use COSO’s Internal Control – Integrated Framework. CFOs, who are likely to take on the sustainability reporting duties, and internal auditors who will be expected to provide the required level of assurance, should consider COSO’s recently updated internal control over sustainability reporting (ICSR) framework as the standard for internal control in this new reporting area. Topics Internal Audit and Corporate Governance Risk Management and Regulatory Compliance Business Performance ESG/Sustainability Learn moreMany companies that issue financial reporting are familiar with the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control – Integrated Framework (ICIF), now in its third decade of application. The COSO 2013 ICIF is the most widely used internal control framework around the world on a voluntary basis and is the specified criteria for internal control over financial reporting (ICFR) regulations in the U.S., China, Canada and Japan. Other countries have adopted or adapted it in different ways, utilising it as a key reference to consider, evaluate, design and report on the effectiveness of internal control over financial operations, reporting and compliance.Mandatory sustainability reporting, like the just-passed Australian regulation, is increasingly viewed as an extension of financial reporting due to its rigorous requirements, with similar processes of collecting and reporting verifiable and auditable data that serves to inform investors of the health and prospects of a company. In line with that view, the responsibility for sustainability reporting has been placed on the chief financial officer (CFO), and there’s no doubt that CFOs (and internal auditors) will be looking for proven tools and methodologies to ensure the integrity of their reports — the COSO framework being one of these proven tools.Background: Why did COSO update its internal control framework?The COSO board anticipated the need to broaden its control framework beyond financial reporting and focus it on corporate reporting generally, recognising that both financial and non-financial information — including environmental, social and governance (ESG) information — is indicative of a company’s performance and value. Further, the authors of the updated guidance and the COSO board jointly agreed that the actual and projected growth in ESG reporting — and more importantly, the reliance being placed on such reporting by major stakeholders — warranted the issuance of additional specific guidance. Over 96% of the S&P 500, over 80% of the Russell 1000 index companies and over 90% of the largest companies in more than 20 countries currently issue public reports on sustainability and/or ESG factors. COSO’s purpose in issuing the guidance is to assist organisations in designing, testing and evaluating internal controls over sustainability reporting (ICSR), and to improve sustainability and compliance now that regulatory reporting requirements are becoming prevalent. The guidance articulates how the 2013 ICIF can be applied to sustainability activity and reporting. It provides specific examples of internal control principles related to sustainability and ESG reporting, operations and compliance. The authors acknowledge the emergence of ICSR in countries around the world as a concept comparable to internal control over financial reporting.At the release of the guidance, COSO Chair Lucia Wind noted that strong internal controls are good for business; support the learning and growth journey that organisations are on to build sustainable management principles into their core mission, purpose, governance and strategies; and build trust and confidence in sustainable business information. These objectives are fully applicable to Australian companies on their compliance path with the new Australian standards.What are some key points in COSO’s guidance?In the 100-plus-page updated document, the authors provide a capstone listing of 10 key points in the report. Those most relevant to ICSR include:Focus on the end game of effective ICSR, which is achieved when all 17 principles are present and functioning. Customisation and adaptation may vary for each organisation based on maturity, industry, resources and requirements.Under this point, COSO advises, in part:Start using the COSO ICIF-2013 now. There is no need to wait for new regulations.Most, if not all, of the 17 principles apply to sustainability in a way that is comparable to traditional financial accounting and reporting. It may be possible to leverage control activities and documentation from financial transactions and reporting.Risk assessment and materiality determination are key activities to sharpen the focus on what matters.Be sure to address IT general controls, which are a critical consideration in the design and evaluation of any system of internal control covering sustainability information and ESG reporting.Don’t forget operations and compliance objectives, the related risks and the activities required to achieve effective internal control in these areas.Achieve internal assurance and confidence in sustainability reporting before progressing the organisation to external assurance. Leverage your internal audit function in this regard to provide objective assurance and other advice.Make ESG reporting, both internal and external, an automated, efficient and continuous activity — not an “annual and manual” exercise.How can organisations best leverage the COSO guidance?This guidance is of value to all organisations — from mature ESG reporters to those just starting out — as they all can benefit from effective ICSR. As the market gravitates toward obtaining third-party assurance, public companies will find the guidance instrumental in preparing for the attestation process and communicating with assurance providers.The use of technology and procurement of specific software applications for ESG reporting or the modification of existing IT systems can also be beneficial to organisations as they seek to automate processes and controls, as well as transition from an “annual and manual” activity to one that is automated, continuous, secure and assured.Currently, there is no requirement or proposal stipulating that the process used to evaluate the effectiveness of ICFR (e.g., for purposes of complying with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) in the U.S., C-SOX in Canada or J-SOX in Japan) be applied to the evaluation of ICSR. That said, certain elements of this process could be applied to ESG reporting as follows:Scoping for material, significant itemsDetermining sustainability/ESG reporting objectivesIdentifying supporting processes and metrics and their related controls to ensure reliability, completeness and consistencyEvaluating and remediating controls designTesting operating effectiveness, and remediating and retesting as neededConcluding on overall effectiveness of ICSRReporting publicly on ICSR effectiveness, if desired voluntarily or as required by mandate, or reporting privately to internal or external stakeholders in need of ESG dataMonitoring and evaluating the effects of change on ICSRIn addition, and as noted earlier, the 2013 ICIF can be used as suitable criteria for ICSR, consistent with the approach to evaluating ICFR, including emphasising that all 17 principles are present and functioning effectively.Our takeAustralian companies should strongly consider use of the COSO ICSR as they prepare to issue their first sustainability reports in 2026, for all the reasons discussed above. We agree with the guidance that there is no reason to wait — and there are a lot of reasons to get started. Organisations should use the guidance now to design and operationalise effective control activities and prepare for third-party assurance of sustainability disclosures and ESG reporting.Executive sponsors should ensure that there is effective collaboration across the organisation among relevant functions in operations, compliance, risk management, internal audit, legal, technology and sustainability, among others, with regard to executing appropriate control activities. Executive management and the board should be educated on the status of ICSR-related activities and results of periodic evaluations. Directors and senior management should ensure the right tone at and from the top exists on the importance of sustainability activities, ESG reporting and the related internal controls.The COSO chair has noted that most companies are now in “various stages of implementing controls and governance processes over the collection, review and reporting of sustainability information, including creating multifunctional teams. In many ways, sustainable business reporting is still subject to evolution and innovation.” These comments underpin why all organisations, regardless of size, industry, ownership and geography, can benefit from this COSO-sponsored guidance as they build out, mature, and continue to evolve and expand their sustainability operations, reporting and compliance activities. Find out more about our solutions: Sustainability consulting We believe sustainability is a continuous journey, presenting risks and opportunities. There are no blueprints or out-of-the-box solutions, and each company needs an individualized approach to ESG reporting and operations. Sustainability governance and reporting Gain transparency and accountability by controlling the programme and its implementation. We enable better decision-making and focus on regulatory requirements, including the timeliness and accuracy of reporting and external communication with regulators. ESG strategy and planning Future-proof organisations. We help identify key stakeholder expectations and assess major impact areas, define your ambition level, then set targets and measures to reach them. Regulatory compliance Protiviti’s regulatory compliance team brings a blend of experience and fresh thinking through a unique mix of consulting talent combined with former industry professionals, including risk and technology executives, commercial and consumer lenders, compliance professionals, and financial regulators. Leadership Rich Turley Rich is a managing director with over 20 years’ experience in assurance, audit, risk, and compliance management. He leads major internal audit, risk and compliance management engagements for various ASX-listed companies and major government agencies. He is a leader in ... Learn More Ranadip Datta Rana is a commercially focused and highly driven risk professional specialising in multi-channel complex solution consulting in APAC. A long career in institutional banking , solution sales and consulting with global clients in several industry verticals ... Learn More Lauren Brown Lauren is the country lead for Australia. With over 14 years' experience in governance, risk, and internal control, she specialises across multiple industries including health, higher education, government, consumer products, and energy. She is an active member and ... Learn More Featured insights BLOGS COSO issues supplemental guidance on internal control over sustainability reporting – With examples Last Thursday, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) released interpretive guidance on how to effectively apply the 2013Internal Control — Integrated Framework (ICIF)— which is currently applied to... BLOGS ISSB sets new IFRS sustainability disclosure standards: Jurisdictions must act The ISSB has released the first sustainability disclosure standards. They’re voluntary, but wide adoption is expected among IFRS reporters around the globe.The standards focus on climate disclosures, targets and metrics, initially through ISSB S2... WHITEPAPER Sustainability regulation: ESG disclosures and demand for accountability set the tone for the future In recent years, increasing pressures from a variety of stakeholders have combined to drive companies toward more sustainable practices in their business operations and greater transparency. The real game-changer, however, has been the proliferation... BLOGS ESG Data Management and Reporting Are the CFO’s Responsibility — Period In a global survey of CFOs and finance leaders conducted by Protiviti, ESG metrics and measurement stand out as the highest priority for the finance organisation to address over the next 12 months. WHITEPAPER What Role Should Compliance Play in ESG? By Bernadine Reese and Jackie Sanz Regulators and many other stakeholders are intently focused on how financial institutions address environmental, social and governance (ESG) matters. Within financial institutions, boards of directors, executive... BLOGS The Golden Threads of ESG: The Role of Compliance in Embedding an ESG Framework in Financial Institutions A firm’s governance, purpose and culture are central to its values as an organisation; to how its people conduct themselves; and to how it embeds ESG considerations in the design and delivery of its products and services for the benefit of clients... Button Button