Sustainability and Business:
Achieving Effective Internal Control OverSustainability Reporting (ICSR): Building Trust and Confidence Through the COSO Internal Control — Integrated FrameworkAugust 2023
As highlighted in the Sustainability and business — The call to action: build back better report, AICPA® & CIMA® started a program of thought leadership to explore accountancy and sustainability.1 This is part of a series of briefs exploring the...
Why is internal control over sustainability reporting needed?
What is internal controls over sustainabilityreporting (ICSR)
How to implement ICSR guidance
Who will encounter achieving internal control over sustainability information?
What next from AICPA & CIMA?
Introduction
As highlighted in the Sustainability and business — The call to action: build back better report, AICPA® & CIMA® started a program of thought leadership to explore accountancy and sustainability.1 This is part of a series of briefs exploring the topic of sustainability, business, and the finance professional’s key role. These briefs will help organizations consider the sustainability issues, how to integrate them into their long-term decision-making, and how to incorporate these issues into internal and external reporting.
This paper has been designed as a summary of a specific standard or framework. While it has been written from the management accounting perspective, attest and assurance issues in the evolving world of sustainability reporting are paramount and will also be considered.
A framework or a set of standards? The difference
A framework is a set of principles-based guidance for how information can be structured and prepared, and what broad topics should be covered. A set of standards are specific, replicable, and detailed requirements for what should be reported for each topic. They are rules-based requirements.
Background
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), founded in 1985, comprises five major accounting and finance professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA) (formerly the National Association of Accountants). The goal of COSO is to provide thought leadership on fraud, enterprise risk management, and internal control.
The initial COSO report developed in 1992, Internal Control — Integrated Framework, addressed fraudulent corporate reporting.
In response to another wave of reporting incidents, the U.S. Congress and U.S. Securities and Exchange Commission (SEC) enacted the Sarbanes-Oxley Act of 2002 (SOX) and formed the Public Company Accounting Oversight Board (PCAOB). SOX required an evaluation of internal control over financial reporting by using a “suitable framework,” which the 1992 COSO framework qualified. Management certification of that evaluation, and for large companies, external auditor assurance of internal control over financial reporting (ICFR), is also required.
The revised 2013 Internal Control — Integrated Framework (ICIF-2013) is the most prevalent framework meeting the SOX 404 requirement, and is also used widely in jurisdictions around the world with similar internal control mandates.2
COSO also developed the original COSO Enterprise Risk Management — Integrated Framework, issued in 2004, and updated in 2017. In addition to their internal control and enterprise risk management integrated frameworks, specific guidance has been provided on a range of related risk and internal control topics, including board oversight and governance, cloud, cybersecurity, blockchain, and previous papers on sustainability.
Published in March 2023, Achieving Effective Internal Control Over Sustainability Reporting (ICSR): Building Trust and Confidence Through the COSO Internal Control — Integrated Framework provides supplementary for organizations using 2013 Internal Control — Integrated Framework (ICIF-2013).3
