
Using the COSO Framework for sustainability reporting

Financial Reporting | July 13, 2023
Outline of Today’s Session

• ESG Landscape: Disclosure Expectations and Potential Challenges
• COSO Framework: Internal Controls over Sustainability Reporting
• ESG Examples: Illustrative ESG Governance, Processes and Controls
• Main Takeaways: Recommended Next Steps

Copyright © 2023 Deloitte Development LLC. All rights reserved. Using the COSO Framework for sustainability reporting 2
Environmental, Social and Governance
(ESG) Landscape

The ESG Landscape | ESG Reporting Standards and Frameworks are Evolving
Historically, there have been a variety of organizations that set voluntary ESG standards and frameworks. Over the last few years,
regulators in the US and EU, among others, have released proposals to mandate disclosures.

1990’s
• GRI [5] (1997)
• GHG Protocol [2] (1998)

2000’s
• CDP [7] (2000)
• CDSB [8] (2007)

2010’s
• SASB [4] (2011)
• TCFD [3] (2015)
• SBTi [10] (2015)

2021
• ISSB [1]
• VRF [9]

2022
• US SEC climate disclosure rule
• EU CSRD [6]

Legend: Voluntary; Jurisdictionally mandated; Mandatory

1. International Sustainability Standards Board (ISSB)
2. Greenhouse Gas Protocol (GHG Protocol)
3. Task Force on Climate-related Financial Disclosure (TCFD)
4. Sustainability Accounting Standards Board (SASB)
5. Global Reporting Initiative (GRI)
6. Corporate Sustainability Reporting Directive (CSRD)
7. Carbon Disclosure Project (CDP)
8. Climate Disclosure Standards Board (CDSB)
9. Value Reporting Foundation (VRF)
10. Science Based Targets Initiative (SBTi)
ESG Data and Potential Reporting Challenges
Insights from Deloitte’s 2022 Sustainability Action Report survey reveal executives are facing challenges related to ESG data disclosure
and taking steps to prepare for increased reporting expectations.

Quality & availability
• 35% of executives list ensuring quality as the top data challenge; another 25% cite access to and quality of ESG data as the greatest challenge
• 61% are prepared to disclose Scope 1 emissions, 76% Scope 2 emissions (up from 58% and 47%, respectively, last year), however, just 37% of respondents stated they are prepared for Scope 3 emissions reporting

Governance & management
• 81% report that new roles and responsibilities have been created to accommodate additional disclosure requirements
• 99% expressed willingness to invest in new technologies and tools to meet stakeholder expectations and future regulatory requirements

Assurance readiness
• 37% or 1 in 3 executives say their companies are starting to apply the COSO framework to their ESG reporting process, and have begun to identify a path towards a reasonable level of assurance

Source: Deloitte’s Sustainability Action Report

The Nature of ESG Data
Although market demand for sustainable business information continues to rise, stakeholders often do not have the same level of
confidence in the reliability, utility, and quality of currently available information that they have in traditional financial data.

Conventional Financial Reporting vs. Sustainable Business Information

Control vs. Influence
Depending on the framework or standards, sustainability reporting may be based on different concepts of “control” or “influence” than the idea of a “consolidated entity” which is often used to understand control in the realm of conventional financial reporting.

Quantitative vs. Qualitative
Sustainability information is inherently more qualitative than traditional financial reporting because the goal of such information is to allow users to estimate and assess ongoing enterprise value from a variety of non-monetary measures.

Historical vs. Forward-Looking
Sustainability information can be more forward-looking and long-term in nature than financial information as organizations set goals and targets. Traditionally, financial accounting rested on the summarization of past transactions and events.

Source: COSO-ICSR-Report.pdf

COSO Framework
Internal Controls over Sustainability Reporting (ICSR)

The 2013 COSO Internal Control – Integrated Framework (ICIF-2013)
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a group of five [1] global accountancy and auditing member organizations created in reaction to regulatory and market concerns regarding the quality of financial reporting.

1. Consists of five components (encompassing 17 principles) that are interrelated with operational, reporting, and compliance objectives
2. The interaction of the objectives and the components is demonstrated as a cube. The cube is further subdivided to correspond to the way entities are typically organized
3. When all 17 principles are present and functioning, an effective system of internal control is achieved

The five components:
1) Control environment
2) Risk assessment
3) Control activities
4) Information and communication
5) Monitoring activities

[Figure: COSO cube. Organizational levels shown: Entity level, Division, Operating unit, Function]

[1] COSO’s supporting organizations are the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA)

Source: COSO-ICSR-Report.pdf

History of the COSO Internal Control – Integrated Framework
COSO released an updated edition of Internal Control – Integrated Framework in 2013 (ICIF-2013) to address changes in business and
operating environments since the original framework’s release in 1992.

Original Framework: COSO’s Internal Control – Integrated Framework (1992 Edition)

Refresh Objectives:
• Reflect changes in business and operating environments
• Expand operations and reporting objectives
• Articulate principles to facilitate effective internal control

Enhancements:
• Updates context
• Broadens application
• Clarifies requirements

Updated Framework: COSO’s Internal Control – Integrated Framework (2013 Edition)

Sustainability Application: On March 30, 2023, COSO released a landmark interpretive report on how ICIF-2013 can apply to sustainable business activities and information to establish or enhance ICSR

Callout: COSO has also delivered two publications with respect to applying its Enterprise Risk Management (ERM) Framework to ESG:
• Demystifying Sustainability Risk: Integrating the triple bottom line into an enterprise risk management program
• Enterprise Risk Management—Applying enterprise risk management to environmental, social and governance-related risks
Source: COSO-ICSR-Report.pdf

ICIF-2013: Components and Principles
A deeper look: a call out to the 5 components and 17 principles of ICIF-2013 to be applied to ICSR.

CONTROL ENVIRONMENT
1. Commit to organizational integrity and ethical values
2. Have an independent board perform oversight of ICSR
3. Clearly outline structures, authority and responsibilities
4. Work to attract, develop and retain personnel that align with organization values
5. Hold personnel accountable for internal control responsibilities

RISK ASSESSMENT
6. Identify objectives with clarity to enable the identification and assessment of risks
7. Incorporate how risks should be managed into risk analysis
8. Evaluate potential of fraud as risks to objectives
9. Prepare for changes and trends that could impact internal controls

CONTROL ACTIVITIES
10. Identify and develop control activities that contribute to risk mitigation and the furthering of organization objectives
11. Identify and develop control activities related to technology that contribute to the furthering of organization objectives
12. Position oversight through policies and procedures

INFORMATION & COMMUNICATION
13. Use information to support the function of internal controls
14. Internally communicate key control information
15. Externally communicate key control information

MONITORING
16. Perform periodic evaluations to ensure internal controls are present and operating
17. Communicate internal control inefficiencies to personnel responsible for corrective action

Source: COSO-ICSR-Report.pdf

The Five COSO Components
Applying the components to sustainable
business information

Component 1—Control Environment
An organization’s control environment is important to a sustainable infrastructure that supports effective ICSR.

Principle, followed by COSO’s Sustainability Application:

1. Demonstrates commitment to integrity and ethical values
   An organization furthers its objectives by demonstrating to its stakeholders that it is trustworthy and acts in the public interest. An entity demonstrates its commitment to acting sustainably.

2. Exercises board of directors’ oversight responsibilities
   Oversight by an independent board of directors serves as a check that management is acting in accordance with the organization’s sustainable business objectives.

3. Establishes structures, authority, and responsibilities
   As it endeavors to meet its sustainable business objectives, an organization’s management, with the oversight of the board of directors, establishes internal structures that set out authority and responsibilities.

4. Demonstrates commitment to competent human resources
   To meet its sustainable business objectives, an organization depends on its human resources.

5. Enforces accountability
   To meet its sustainable business objectives, an organization needs to establish and implement meaningful ways to support its human resources and, at the same time, monitor performance.

Source: COSO-ICSR-Report.pdf

Component 2—Risk Assessment
Incorporating ESG-related risks into an existing enterprise risk management (ERM) framework is becoming increasingly common.

Principle, followed by COSO’s Sustainability Application:

6. Specifies suitable objectives
   With clarity, an organization expresses its sustainable business objectives. These objectives are a means to tie the organization’s purpose or mission, values, and sustainability goals to strategy. An organization’s sustainable business objectives follow from its commitment to integrity and ethical values and are integrally linked to its operations, external financial and nonfinancial reporting, internal reporting, and compliance objectives. Explicit expression of these objectives is a predicate to considering risks.

7. Identifies and analyzes risks to meeting sustainable business objectives
   To meet its sustainable business objectives, an organization considers all subunits, analyzes internal and external factors, and involves appropriate levels of management to support sustainability-related risk prioritization and response [1].

8. Assesses fraud risk
   In identifying and assessing the risks to achieving its sustainable business objectives and developing an effective response, an organization considers the risk that actors will engage in fraudulent activities such as intentional misstatements or misappropriation of valuable resources.

9. Identifies and analyzes significant changes and emerging trends
   As part of identifying and assessing risks to the achievement of its sustainable business objectives, an organization considers emerging trends. Sustainability-related risks are evaluated in an ongoing manner or periodically to respond to regulatory trends and economic drivers.

[1] Interpretative language derived from COSO ICSR report

Source: COSO-ICSR-Report.pdf
Component 3—Control Activities
Tailored, documented, and tested business processes and IT control activities applied at the appropriate level can help
organizations develop the necessary layers of oversight to meet business objectives.

Principle, followed by COSO’s Sustainability Application:

10. Selects and develops control activities
    Once an organization has identified and assessed risks to achieving its sustainable business objectives, it designs, develops, and implements means to counter these risks, partly or completely.

11. Selects and develops general controls over technology
    An organization designs its control activities to respond to risks to achieving its sustainable business objectives. In doing so, it considers the extent to which it will rely on technology.

12. Deploys oversight through policies and procedures
    An organization uses various means of oversight to direct its sustainable business objectives. Primary among these means is established policies and procedures.

Source: COSO-ICSR-Report.pdf

Component 4—Information and Communication
Measure, collect, and report informative, timely, and high-quality data.

Principle, followed by COSO’s Sustainability Application:

13. Uses relevant information
    An organization needs high-quality data indicating whether its processes are facilitating its ability to meet its sustainable business objectives.

14. Communicates internally
    Once an organization establishes oversight structures and expresses policies and procedures, it communicates these structures and policies throughout the organization.

15. Communicates externally
    Once an organization establishes oversight structures and expresses policies and procedures, it communicates these structures and processes to external parties, such as debt and equity investors and other stakeholders.

Source: COSO-ICSR-Report.pdf

Component 5—Monitoring Activities
Implementing ongoing and/or separate evaluations by competent personnel to detect and remediate internal control
deficiencies will demonstrate a commitment to transparency and accountability.

Principle, followed by COSO’s Sustainability Application:

16. Conducts ongoing and/or separate evaluations
    Once implemented, an organization revisits its oversight structures and processes to ensure that they are effective in facilitating its ability to meet its sustainable business objectives.

17. Evaluates and communicates deficiencies
    As an organization reassesses its structures, policies, and procedures related to its sustainable business activities, it communicates its findings so that actors better align their activities with the organization’s sustainable business objectives.

Source: COSO-ICSR-Report.pdf

ESG Examples
Illustrative ESG Governance, Processes
and Controls

ESG Cross-Functionality
The below demonstrates how your organizational stakeholders across a multitude of departments can come together, manage, and
incorporate ESG into their existing functions.
Functions shown around the Chief Sustainability Officer:

Strategy
Integrate ESG factors to drive innovative and brand-enhancing strategies, including strategic choices across the value chain

Risk
Identify, manage and respond to latent and emerging ESG risks; integrate ESG risk capabilities into existing risk and control frameworks

Communication
Optimize strategic communications to stakeholders to navigate changing expectations and credibly demonstrate prioritization and management of ESG risks and opportunities

Finance
Incorporate ESG-related risks into annual reporting and regulatory filings, investor engagement, pricing, forecasting and budgeting, capital-allocation and annual reporting

Human resources
Invest in leading practices around employee health and safety, diversity, equity, and inclusion, and development to attract, retain and incentivize talent to innovate, drive productivity and deliver on the business strategy

Legal
Understand and manage risk and liability considerations related to ESG performance – e.g., inadequate, or inaccurate disclosure of material financial risks

Sustainability function
Design and activate strategies to deliver on the corporate strategy, Purpose and ESG objectives to drive performance

Compliance
Broaden the integration of ESG performance into the existing management control frameworks to support compliance around ESG risk

Operations
Prioritize and measure opportunities for cost savings, risk mitigation, and reputation enhancement and implement solutions to reduce resource inputs and wasteful outputs

Internal audit
Integrate ESG risk and compliance considerations into the internal audit plan to instill discipline and enhance controls related to material ESG risks

ESG Process and Controls Considerations
Steps to consider as you begin customizing and adapting your internal controls system to meet your unique sustainable business
reporting objectives as well as stakeholders’ growing expectations.

Internal Controls over ESG-Related Data

1. Define disclosure objectives
• Establish, document and communicate sustainability-related data timelines, aligned with financial reporting
• Review current-state of processes and controls around existing ESG disclosure
• Understand existing data governance structures, to identify gaps and meet reporting requirements

2. Assess disclosure risks
• Identify potential risks that could impact sustainability-related reporting objectives
• Determine relevant data sources, systems and process owners
• Document end-to-end ESG processes through narratives and flowcharts
• Identify and document data/IT system limitations, assumptions and estimates

3. Identify controls
• Evaluate maturity of existing controls to enhance data accuracy and completeness
• Define internal process controls and general IT controls (GITCs) to mitigate identified sustainability-related risks
• Document methodologies for data collection, measurement and/or estimation

4. Evaluate effectiveness
• Regularly assess design, implementation, and effectiveness of controls
• Remediate control gaps and deficiencies and implement ongoing process improvements
• Integrate controls over ESG disclosure into ERM processes and Internal Audit plans
• Assess readiness for assurance

Conclusion
Main Takeaways and Recommended
Next Steps

Main Takeaways and Recommended Next Steps
COSO’s nonauthoritative report marks an important development in the ESG landscape to inform and enhance organizational ESG
capacity, leadership, and disclosure.

Takeaways, each followed by a Potential Next Step:

1. Governance is central to the framework: ESG-related education, change management, collaboration across stakeholder groups and cross-disciplinary team structures are an important step to transformation
   • Encourage cross-functionality and communication to bring diverse perspectives, delegate, and plan ahead

2. 17 guiding principles: Organizations should follow the framework’s outlined principles aligned to existing categories: control environment, risk assessment, control activities, information and communication and monitoring activities when implementing ICSR
   • Consider conducting or refreshing your ESG materiality assessment to focus efforts on what matters most

3. Prioritize ICSR: Designing and implementing effective controls over sustainability-related information can result in more complete, accurate and reliable disclosure.
   • Consider incorporating ESG risks and opportunities into your existing ERM process and develop sound ICSR in response

4. Obtain internal & external assurance: Internal evaluation of controls is an important first step prior to engaging in external assurance
   • Use ICIF-2013 to prepare for upcoming ESG regulation, assurance, and increasing stakeholder reporting demands

The message is clear: governance is at the core, customization and adaptation are important, and the time for ESG is now.
Question
and answer

Contact information

Jenny Lynch
Audit & Assurance Partner
Deloitte & Touche LLP
jelynch@deloitte.com

Kajal Shah
Audit & Assurance Partner
Deloitte & Touche LLP
kajshah@deloitte.com

Stefan Ozer
Audit & Assurance Partner
Deloitte & Touche LLP
sozer@deloitte.com

Meadow Rutenbar
Audit & Assurance Senior Manager
Deloitte & Touche LLP
mrutenbar@deloitte.com

This presentation contains general information only and
Deloitte is not, by means of this presentation, rendering
accounting, business, financial, investment, legal, tax, or other
professional advice or services. This presentation is not a
substitute for such professional advice or services, nor should
it be used as a basis for any decision or action that may affect
your business. Before making any decision or taking any action
that may affect your business, you should consult a qualified
professional adviser. Deloitte shall not be responsible for any
loss sustained by any person who relies on this presentation.

Polling Question #1

To what extent has your company, organization, or client already been applying COSO ICIF-2013 principles to sustainability and ESG information?

a) High degree of application
b) Moderate degree
c) Low degree
d) None
e) Don’t Know/Not applicable

Polling Question #2

What is the primary challenge your organization, company, or client is facing regarding sustainability and ESG reporting?

a) Data availability & accuracy
b) Building understanding and technical competency across human resources
c) Establishing governance and oversight mechanisms
d) Evolving regulations and reporting expectations
e) All the above
f) Don’t know/Not applicable

Polling Question #3

Which of the following is NOT one of the five components of the 2013
COSO Internal Control – Integrated Framework?

a) Control Environment
b) Risk Assessment
c) Control Activities
d) Information and Communication
e) Strategy and Governance
f) Monitoring Activities

Polling Question #4

What is the primary next step you’d like to see your company, organization, or client take in your ESG journey?

a) ESG materiality assessment
b) Improve ESG governance structure
c) Current state ESG data process and controls assessment
d) ESG/climate risk assessment
e) Assurance readiness
f) Don’t know/Not applicable
