What is internal control over sustainability reporting (ICSR)?
As noted above, the revised 2013 Internal Control — Integrated Framework (ICIF-2013) provides the basis for the Achieving Effective Internal Control Over Sustainability Reporting (ICSR) application guidance (Guidance), published in March 2023.
ICIF-2013 defines internal control as follows:
Internal control is a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.7
A major development of the revised ICIF-2013, depicted in the accompanying “COSO Cube” (Figure 1), was to expand the original financial reporting category of objectives to include nonfinancial and internal reporting.
Accordingly, in addition to providing a risk-based approach to designing, assessing, and reporting on internal controls, this more holistic framework also supports the operationalizing of management objectives throughout the organization, including sustainability objectives.
ICIF-2013 comprises 17 principles organized by the five components of the framework. Each of these principles is broken down into points of focus that explain how the principle is applied in practice. These components and principles are summarized in Figure 2.
The section of the ICSR guidance titled “Applying the ICIF-2013 Principles to Sustainability: Building Internal Control Over Sustainability Reporting (ICSR)” is structured along the lines of these components, principles, and points of focus.10
Charles Mario Abela, Senior Strategic Advisor at the Value Balancing Alliance and one of the authors of ICSR guidance, highlights the broad applicability of this guidance, similar to that of the underlying ICIF-2013 framework.
The COSO Framework is ideal and completely applicable for wide use by companies in Europe as the basis for controlling sustainability information. One notable aspect that needs to be continually reinforced is the importance of culture and integrated thinking. It underscores that a control framework is only as good as the understanding people have of the importance of reliable information for decision making. And assurance will only work and be affordable if we have a system of control and digitized data; otherwise, it will degenerate fast into a box-ticking exercise based on price point.