
Exploring COSO's Guidance For Internal Control Over Sustainability Reporting (ICSR)

Article Overview

For over thirty years, publicly traded companies and financial firms have relied on guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to establish internal controls and ensure ethical and accurate financial accounting. 

Now, COSO has released a new set of recommendations to boost transparency and consistency in the rapidly evolving — and often unruly — world of sustainability reporting. COSO issued supplemental guidance outlining the steps companies can take to achieve effective internal control over sustainability reporting (ICSR) and build trust in their environmental data. 

The report comes at a crucial time: Businesses are facing potential new climate disclosure regulations from the U.S. Securities and Exchange Commission (SEC) that would require calculations of carbon emissions that could be subject to assurance. They must also grapple with growing expectations from investors and consumers, who are increasingly wary of misleading ESG claims.

COSO’s new framework helps leaders achieve confidence in their environmental data so they can navigate these demands. Below, we'll discuss the central elements of the ICSR guidance, how companies can apply it, and its implications for climate disclosure and transparency.

What Is COSO? 

COSO provides guidance to help businesses improve internal controls, meet regulatory requirements, and manage risk. 

COSO was established in 1985 by the five largest private-sector accounting and finance professional associations. After a series of high-profile financial scandals in the 1990s drew attention to the need for better internal controls over financial accounting, COSO introduced the Internal Control-Integrated Framework (ICIF)—a set of principles aimed at helping companies set up systems to address financial reporting risks.

When the Sarbanes-Oxley Act (SOX) passed in 2002, public companies faced new mandates for establishing internal controls over financial statements. The SEC directed organizations to the ICIF as a resource for meeting their control obligations under the law, and COSO’s framework became widely adopted.  

Today, ICIF represents a global gold standard for helping businesses improve internal controls, adhere to legal requirements, and manage risk. 

The COSO Internal Control-Integrated Framework for Sustainability (ICSR)

In March 2023, COSO released a pivotal report showing how organizations can apply the ICIF principles to environmental data. The Internal Control over Sustainability Reporting (ICSR) guidance provides a critical resource to help businesses develop effective oversight systems and build trust in their climate disclosures. By creating a shared understanding of foundational control elements, the framework also promises to enhance internal collaboration within companies — ultimately leading to more reliable reporting. 

Why Does It Matter? 

COSO’s new guidance underscores the need to manage environmental data with the same rigor as financial data. 

COSO’s sustainability guidance has far-reaching implications. 

It provides best practices for how businesses can track and report on their carbon inventory and is expected to rein in the practice of making misleading environmental claims (also known as greenwashing). 

Most importantly, it addresses the widespread lack of trust and consistency in environmental reporting. By encouraging businesses to apply the ICIF principles to their carbon data, COSO has underscored the importance of handling ESG reporting with the same rigor as financial reporting. The organization has sent a clear signal that sustainability objectives are too important to be omitted from the corporate control environment. 

Given COSO’s history of shaping accounting practices, it’s likely that businesses will rapidly embrace the ICSR framework. As climate disclosure regulations take shape, reporting companies should look to COSO once again for guidance on internal controls and governance. 

Flow of the Internal Control Framework 

[Figure: COSO Internal Control Framework. Source: COSO ICSR Report, p. 11]

Who Uses Sustainable Business Information? 

As the demand for environmental, social, and governance (ESG) information grows, various stakeholders in the information value chain seek ESG data. Stock exchanges worldwide, including those in both developed and developing economies, have published guidelines on ESG reporting by listed companies. Rating agencies, data aggregators, and investor service providers have also gained prominence in the ESG space, using proprietary models to assess companies' sustainability performance. They often request additional information through surveys to supplement their analyses. 

Policymakers are pushing for new corporate reporting standards on sustainability issues, leading to proposed regulations. Customers, including large commercial buyers, are increasingly interested in sustainable business information to ensure the goods and services they source are sustainable. Employees are also showing greater interest in their companies' policies and practices regarding environmental and social issues. 

Lastly, an organization's management and board of directors use sustainable business information for internal decision-making purposes, as well as for managing the organization as an ongoing enterprise.

[Figure: COSO sustainable business information. Source: COSO Report, p. 23]

Applying COSO’s Framework to Sustainability

We'll now look at how the key components of ICIF-2013 apply to sustainability. These components, principles, and points of focus emphasize foundational themes like commitment, authority, and accountability, guiding organizations to continually reassess objectives, address risks, and ensure the delivery of accurate and reliable information for stakeholders' benefit.

ICIF-2013 defines internal control as follows:

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.  

Five Components for Establishing Internal Controls

The ICIF-2013 guidance identifies five components of ICSR:

1. Control Environment

A company’s control environment is a fundamental building block for ensuring effective ICSR. The control environment is shaped by factors like organizational structure, management’s philosophy and operating style, and the integrity of individual staff.

To create the right control environment and advance sustainability goals, COSO recommends that leaders begin by demonstrating the company’s commitment to integrity and ethics. Management and the board of directors should establish structures clearly defining authority, responsibilities, and standards of conduct related to sustainability reporting. 

A fundamental principle in COSO’s guidance is oversight by an independent board of directors, who can ensure that management decisions align with the company’s ESG commitments. The company should also prioritize human resources to attract, develop, and retain competent staff. Finally, employees should be held accountable for adhering to policies that advance sustainability goals. 

2. Risk Assessment 

Climate risk is not just a growing area of scrutiny from regulators and investors; it is fundamental to effective internal controls. In 2018, COSO issued comprehensive guidance for expanding enterprise risk management to include ESG considerations. The new ICSR framework builds on that guidance. It calls on businesses to set clear sustainability objectives; consider materiality; collaborate across functions; ensure management oversight; and identify incentives and pressures that might lead to fraud. 

COSO encourages organizations to start by making their sustainability objectives explicit — to understand factors that might force them to deviate from their path, companies must first know where they’re going. 

3. Control Activities

Control activities are the procedures, policies, and practices that help a company manage risk and achieve its objectives. Once an organization has identified and assessed the threats that might prevent it from reaching its sustainable business objectives, it can design and implement interventions. 

According to the COSO framework, one crucial risk mitigation measure is the use of reliable technology infrastructure for managing environmental data. To minimize the risk of errors, COSO recommends organizations seek opportunities to automate and digitize processes whenever possible. 

4. Information and Communication 

To measure, collect, and share data in a timely and accurate manner, companies need robust internal and external communication. The COSO framework recommends establishing systems that preserve the integrity of data as it moves through different teams and is shared externally. A good carbon accounting platform can minimize the risk of errors and miscalculations and ensure that teams are using the same reliable data set. 

5. Monitoring Activities 

It’s not enough to set up systems — organizations must also regularly assess how well those systems are working. The ICSR framework calls on businesses to implement ongoing evaluations of internal control systems by competent staff, and to identify processes for reporting weaknesses and deficiencies.

[Figure: ICIF Components, Principles, and Points of Focus. Source: COSO report, p. 19]

Information and Communication — Points of Focus 

A system for sharing relevant data is one of the principal components of the ICSR framework. COSO has identified five points of focus for companies setting up information and communication systems:

  1. Identification of information needs. Effective oversight relies on the delivery of information that is both reliable and decision-useful.
  2. Capture of data. Organizations need a solid system for gathering relevant data from internal and external sources. 
  3. Processing of relevant data. Businesses need tools to summarize and analyze data into decision-useful information. 
  4. Maintenance of quality. A sound control system will preserve the integrity of information as it flows from its source to decision-makers. 
  5. Consideration of costs and benefits. In designing oversight and control processes, organizations should weigh the risks of making decisions using potentially unreliable information — and the resources needed to reduce that risk. 

Persefoni’s carbon accounting platform addresses each of these needs and can help businesses build confidence in their climate reporting. 

Key Highlights From COSO’s New Guidance For Sustainability Reporting

As organizations journey towards effective systems of internal control over sustainability reporting, several themes have emerged. Based on these insights, COSO recommends that companies take the following steps:

1. Cultivate a culture of accountability. 

Everyone involved in collecting, validating, managing, and communicating sustainability information should understand its strategic significance and actively support internal controls, so decision-makers can trust that they are working with reliable information. 

2. Consider the balance between purpose and objectives. 

Business objectives must be balanced, harmonized, and understood throughout the organization. That applies to all objectives — financial, nonfinancial, operational, internal, and those related to compliance or sustainability. 

3. Establish a cross-functional team. 

As an initial step, COSO recommends forming a cross-functional team to assess sustainability-related issues, metrics, and controls. This team might include functions like finance, accounting, investor relations, operations, legal, and more — as well as value chain partners, when appropriate.

4. Tap into existing expertise. 

The ICSR guidance is simply a new application of tried-and-true concepts from control over financial information — and CFO teams have already developed considerable expertise in applying these concepts. Finance teams can help train other organizational functions to ensure that sustainability data achieves the same level of credibility as financial data. 

5. Leverage existing controls. 

COSO’s report shows that the processes that already exist as part of internal control over financial reporting can be modified and applied to sustainability information. As businesses design systems for managing sustainability data, they can utilize automated controls built into IT platforms, data governance policies, or established monitoring techniques.

6. Harness enabling technologies and platforms. 

Until now, many systems used to manage climate data have been immature — relying on spreadsheets with few internal controls. Incorporating sustainability information into tech platforms with well-established controls can improve confidence in reporting. 

7. Use a lens of “decision usefulness.”

One of the biggest challenges in sustainability reporting is the sheer volume of data. Sorting through this data can require significant time, effort, and resources. By viewing information through the lens of decision-usefulness, leaders can focus on the small subset of metrics most important to the company’s success over time. 

8. Start early. 

Designing a system of controls takes time, and it’s never too early to begin — especially with SEC regulations on the horizon. Addressing the control environment is a good starting point for both financial and sustainability objectives.

Persefoni’s Take

Organizations should start implementing the ICSR framework now.

COSO’s new ICSR guidance reflects a sea change in sustainability reporting. 

Proposed disclosure regulations, such as the SEC Climate Proposed Rule, are forcing companies to take a closer look at how they manage information about their carbon emissions. Meanwhile, businesses face mounting pressure from investors and consumers to provide trustworthy pictures of how they’re meeting their sustainability objectives. In this regulatory and cultural atmosphere, questions of governance and internal controls are top of mind. 

With its ICSR guidance, COSO has sent an unmistakable signal that climate data is too important to be left out of the control environment. To manage climate-related risks and build trust with shareholders and investors, companies must have strong oversight. 

COSO’s framework for financial accounting remains the tried and true approach to developing effective internal control systems. It’s likely that the ICSR guidance will become just as widely adopted, and it could be pivotal in the face of new reporting requirements. The SEC has counted on COSO in the past to help businesses meet their control obligations, and it may do so once again as it rolls out its climate disclosure regulations. 


The ICSR framework could shape sustainability decisions for years to come. It has never been more clear that climate data needs to be managed with the same care and diligence as financial data. 

Businesses shouldn’t wait to begin following COSO’s recommendations. Setting up governance and control structures takes time, and reporting pressures are only growing. The ICSR report underscores that, as with financial reporting, sustainability reporting should not be an isolated annual event, but instead needs to be thoroughly integrated into the company’s operations and strategy throughout the year.

Organizations can start today by drawing on their existing internal expertise and developing reliable carbon accounting systems.

Learn how Persefoni can help you build auditable, transparent, and accurate climate disclosures. 
