New sustainability reporting law in Australia should prompt fresh look at COSO’s internal control framework
By Rich Turley

Sustainability reporting is now law. On 9 September 2024, the Australian Parliament passed Australia’s mandatory sustainability reporting legislation into law. The first reports by the largest in-scope entities are due in 2026, covering reporting periods beginning on or after 1 January 2025.

Assurance is expected. The legislation requires limited assurance over the reports for the next five years, and reasonable assurance beginning with FY2030 reporting periods.

Use COSO’s Internal Control – Integrated Framework. CFOs, who are likely to take on the sustainability reporting duties, and internal auditors, who will be expected to provide the required level of assurance, should consider COSO’s 2023 supplemental guidance on internal control over sustainability reporting (ICSR) as the standard for internal control in this new reporting area.

Many companies that issue financial reports are familiar with the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control – Integrated Framework (ICIF), now in its third decade of application. The 2013 ICIF is the most widely used internal control framework in the world on a voluntary basis and is the specified criteria for internal control over financial reporting (ICFR) regulations in the U.S., China, Canada and Japan.
Other countries have adopted or adapted it in different ways, using it as a key reference for considering, evaluating, designing and reporting on the effectiveness of internal control over financial operations, reporting and compliance.

Mandatory sustainability reporting, like the just-passed Australian legislation, is increasingly viewed as an extension of financial reporting because of its rigorous requirements: similar processes of collecting and reporting verifiable, auditable data that informs investors about the health and prospects of a company. In line with that view, responsibility for sustainability reporting has been placed with the chief financial officer (CFO), and CFOs (and internal auditors) will be looking for proven tools and methodologies to ensure the integrity of their reports. The COSO framework is one of those proven tools.

Background: Why did COSO issue guidance on applying its internal control framework to sustainability reporting?

The COSO board anticipated the need to broaden the application of its control framework beyond financial reporting to corporate reporting generally, recognising that both financial and non-financial information, including environmental, social and governance (ESG) information, is indicative of a company’s performance and value. Further, the authors of the guidance and the COSO board jointly agreed that the actual and projected growth in ESG reporting, and more importantly the reliance major stakeholders place on such reporting, warranted additional specific guidance. More than 96% of S&P 500 companies, more than 80% of Russell 1000 companies and more than 90% of the largest companies in more than 20 countries now publish reports on sustainability and/or ESG factors.
COSO’s purpose in issuing the guidance is to help organisations design, test and evaluate internal controls over sustainability reporting (ICSR), and to improve sustainability operations and compliance now that regulatory reporting requirements are becoming prevalent. The guidance explains how the 2013 ICIF can be applied to sustainability activity and reporting, and gives specific examples of how the internal control principles relate to sustainability and ESG reporting, operations and compliance. The authors acknowledge the emergence of ICSR in countries around the world as a concept comparable to internal control over financial reporting.

At the release of the guidance, COSO Chair Lucia Wind noted that strong internal controls are good for business; support the learning and growth journey organisations are on as they build sustainable management principles into their core mission, purpose, governance and strategies; and build trust and confidence in sustainable business information. These objectives apply fully to Australian companies on their compliance path under the new Australian standards.

What are some key points in COSO’s guidance?

In the 100-plus-page document, the authors close with a capstone list of 10 key points. Those most relevant to ICSR include:

- Focus on the end game of effective ICSR, which is achieved when all 17 principles are present and functioning. Customisation and adaptation will vary for each organisation based on maturity, industry, resources and requirements. Under this point, COSO advises, in part: start using the 2013 ICIF now; there is no need to wait for new regulations.
- Most, if not all, of the 17 principles apply to sustainability in a way that is comparable to traditional financial accounting and reporting. It may be possible to leverage control activities and documentation already in place for financial transactions and reporting.
- Risk assessment and materiality determination are key activities for sharpening the focus on what matters.
- Be sure to address IT general controls (for example, logical access, change management and the integrity of the data feeds and spreadsheets used to compile ESG metrics), which are a critical consideration in the design and evaluation of any system of internal control covering sustainability information and ESG reporting.
- Don’t forget operations and compliance objectives, the related risks and the activities required to achieve effective internal control in these areas.
- Achieve internal assurance and confidence in sustainability reporting before progressing to external assurance. Leverage the internal audit function to provide objective assurance and other advice.
- Make ESG reporting, both internal and external, an automated, efficient and continuous activity, not an “annual and manual” exercise.

How can organisations best leverage the COSO guidance?

This guidance is of value to all organisations, from mature ESG reporters to those just starting out, because all of them can benefit from effective ICSR. As the market moves toward third-party assurance, public companies will find the guidance instrumental in preparing for the attestation process and communicating with assurance providers.

Technology can also help: procuring specific software applications for ESG reporting, or modifying existing IT systems, allows organisations to automate processes and controls and to move from an “annual and manual” activity to one that is automated, continuous, secure and assured.

Currently, there is no requirement or proposal that the process used to evaluate the effectiveness of ICFR (e.g., for complying with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) in the U.S., C-SOX in Canada or J-SOX in Japan) be applied to the evaluation of ICSR.
That said, certain elements of this process could be applied to ESG reporting:

- Scoping for material, significant items
- Determining sustainability/ESG reporting objectives
- Identifying supporting processes and metrics and their related controls to ensure reliability, completeness and consistency
- Evaluating and remediating control design
- Testing operating effectiveness, and remediating and retesting as needed
- Concluding on the overall effectiveness of ICSR
- Reporting publicly on ICSR effectiveness, whether voluntarily or as required by mandate, or reporting privately to internal or external stakeholders who need ESG data
- Monitoring and evaluating the effects of change on ICSR

In addition, as noted earlier, the 2013 ICIF can be used as suitable criteria for ICSR, consistent with the approach to evaluating ICFR, including the emphasis that all 17 principles be present and functioning effectively.

Our take

Australian companies should strongly consider using COSO’s ICSR guidance as they prepare to issue their first sustainability reports in 2026, for all the reasons discussed above. We agree with the guidance that there is no reason to wait, and there are many reasons to get started. Organisations should use the guidance now to design and operationalise effective control activities and to prepare for third-party assurance of sustainability disclosures and ESG reporting.

Executive sponsors should ensure effective collaboration across the organisation among the relevant functions in operations, compliance, risk management, internal audit, legal, technology and sustainability, among others, in executing appropriate control activities. Executive management and the board should be kept informed of the status of ICSR-related activities and the results of periodic evaluations.
Directors and senior management should ensure the right tone at and from the top on the importance of sustainability activities, ESG reporting and the related internal controls.

The COSO chair has noted that most companies are now in “various stages of implementing controls and governance processes over the collection, review and reporting of sustainability information, including creating multifunctional teams. In many ways, sustainable business reporting is still subject to evolution and innovation.” These comments underpin why all organisations, regardless of size, industry, ownership and geography, can benefit from this COSO-sponsored guidance as they build out, mature and continue to evolve and expand their sustainability operations, reporting and compliance activities.