
Five Critical Insights in Applying COSO’s Guidance for ICSR

Through its recent report, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has provided direction on how to integrate sustainability into an organization with effective internal control.[1]

COSO developed the Internal Control-Integrated Framework (ICIF), which is commonly used for achieving effective internal control over financial reporting. The latest report from COSO doesn’t change the ICIF; instead, it shows how organizations should apply the existing ICIF to sustainable business activities and information.

COSO states that “effective internal controls can help an organization articulate its purpose, set its objectives and strategy, and grow on a sustained basis with confidence and integrity in all types of information.”[2] Organizations should align their ESG program to COSO’s ICIF to improve the quality of their data and to embed sustainability into the organization.

The ICIF contains 17 principles broken down into five components: 

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring Activities

As you think about your organization’s internal controls, be sure to keep the following insights in mind:

  1. Control Environment – Organizations need to have a culture of internal control for ESG.

    More corporations are reporting on sustainability or ESG topics than in prior years. However, in some organizations the ESG reporting function is siloed and not integrated with the rest of the organization. Establishing clear responsibilities through the board of directors, committing to attracting and retaining competent people, and enforcing accountability are ways to build an enduring, integrated ESG function.

    The first action under the ICIF is committing to integrity and purpose. An organization’s mission statement and values often state its purpose and discuss the importance of integrity. The reasons stakeholders contribute their resources to an organization, and what they expect in return, can also help articulate its purpose. ESG efforts that are driven by this purpose can produce powerful results.

    Governance of the ESG reporting function is one of the first things that should be established when starting ESG reporting. Some questions to consider include: 

    • As the organization releases more ESG information externally, should the audit committee provide more oversight?
    • Are charters revised to include oversight of external ESG reporting and disclosures regarding the effectiveness of the organization’s system of Internal Controls on Sustainability Reporting (ICSR)?
    • What is the extent of independent assurance of ESG information and what firm should be engaged to perform assurance?
    • Does internal control for ESG information align with the Three Lines of Defense model from the Institute of Internal Auditors (IIA)?[3]

    Organizations should also hold individuals accountable for their internal control responsibilities. Accountability questions to ask within your organization include:

    • Do managers and others understand the organizational commitments, so that they can properly prioritize ESG? 
    • Does the organization have incentive compensation tied to sustainable business objectives? 
    • Setting sustainable business targets externally and for incentive compensation can drive performance; however, it may also create pressure to meet those targets. Are the organization, structure, resource commitments, and controls in place to effectively monitor progress toward sustainability targets?

  2. Risk Assessment – Organizations need to specify objectives and identify risks to both their ESG initiatives and ESG reporting.

    Sustainable business objectives are a means to tie the organization’s purpose or mission, values, and corporate social responsibility goals to strategy. It's critical to take the time to determine and map out these objectives as a first step. Once determined, organizations can then clearly identify the risks to achieving these objectives across the entity. Only then can an organization draft control activities to address the identified risks.

    Figure R-1: Flow of Internal Control Framework

    Source: COSO: Achieving Effective Internal Controls over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control-Integrated Framework

    Organizations should identify risks to achieving objectives across the entity, then use the analysis of those risks as the basis for determining how to manage them. Emerging trends should also be taken into consideration, especially because expectations for sustainability reporting change frequently. Sustainability-related risks should be re-evaluated at least periodically so the organization can respond to economic drivers and regulatory changes.

  3. Control Activities – ESG controls need to be implemented to address identified risks.

    Control activities should be designed, developed, and implemented based on the risk assessment. An ESG reporting readiness assessment can help identify areas where internal controls need to be implemented.

    Policies and procedures are a means of oversight for directing sustainable business objectives, and they should establish who is responsible for executing each item in the policy or procedure. An inventory management plan (IMP) is commonly used to formalize the process for collecting, calculating, and maintaining greenhouse gas (GHG) emissions data.

  4. Information & Communication – Organizations need to communicate to stakeholders why they can trust the accuracy of ESG data.

    Investors and other stakeholders rely on accurate and complete sustainable business information. Communications should describe oversight systems used for sustainable business activities and the effectiveness of these systems. Similarly, the extent and level of assurance should be communicated.

  5. Monitoring Activities – Organizations need to continuously monitor the performance of ESG controls.

    Organizations should have readiness assessments or gap assessments completed to identify deficiencies in the ESG reporting cycle. Management should communicate deficiencies to responsible parties to facilitate improvement and progress. Organizations should follow up on corrective action to determine whether improvements are operating as expected.

Key Takeaways

Sustainability continues to be an evolving area, and changes will always be on the horizon. Organizations that align their sustainability reporting to COSO’s ICIF are better able to efficiently manage these changes.

If you have questions or need assistance, please reach out to a professional at Forvis Mazars.

[1] Guidance on Internal Control
[2] Guidance on Internal Control
[3] Three Lines of Defense Model
