Attestation and Internal Control Considerations for ESG Programs
In recent years, environmental, social, and governance (ESG) considerations, and climate, in particular, have become prominent areas of both regulation and industry-led guidance, as the understanding of the related risks (and opportunities) continues to evolve.
The Securities and Exchange Commission's (SEC) Proposed Rule published on March 21, 2022—The Enhancement and Standardization of Climate-Related Disclosures for Investors (SEC Proposed Rule)—summarized here, provides further clarity on the latest regulatory thinking.
One of the most impactful among the newly proposed requirements relates to attestation. The relevant details are as follows:
| | What Is Required |
| --- | --- |
| Reporting Timelines | The proposed transition periods would provide existing accelerated filers and large accelerated filers with a transition period of one fiscal year of limited assurance and two additional fiscal years of reasonable assurance, starting with the following compliance dates for Scopes 1 and 2 disclosures: |
| Assurance Requirements | The Proposed Rule would require: |
| Who Can Provide Assurance | The Proposed Rule defines a greenhouse gas (GHG) emissions attestation provider to be a person or firm that has all of the following characteristics: |
As highlighted above, the Proposed Rule requires the application of ICFR to ESG-related financial statement metrics and contemplates the application of internal controls to support reasonable assurance over Scope 1 and 2 emissions.
Beyond the Rule itself, companies that provide ESG reporting should consider adopting equivalent internal controls over ESG reporting (ICER) to enhance the reliability and credibility of their ESG reporting. The ability to validate ESG elements through substantive testing may be limited, due to the reliance on supplier-provided information and the immaturity of ESG monitoring and reporting processes. Therefore, it is important to develop a long-term view of ICER to create reliable ESG reporting.
Framework Reporting Considerations
The SEC requires management to base its assessment of the effectiveness of the company’s ICFR on a suitable, recognized control framework. Both the SEC and the Public Company Accounting Oversight Board (PCAOB) specifically endorse the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework as a suitable framework. As such, one should consider adopting COSO or similar frameworks for ICER.
According to COSO, internal control consists of five interrelated components needed to achieve its objectives. The five components (and their 17 related principles), as adapted for ESG by FORVIS, are as follows:
The specific considerations for ESG across all five components are as follows:
Control Environment
The control environment ensures that an appropriate framework and tone are in place toward the adequacy, reliability, and appropriateness of ESG information. The control environment should be appropriately developed, including governance and oversight of ESG data and reporting. ESG governance may be embedded within an existing committee structure (e.g., as a subcommittee of the enterprise risk management (ERM) committee), and companies should consider cascading entity-level controls to cover ESG overall. Additionally, ESG-specific policies and their implementation should be considered. Organizations should plan on having formalized oversight roles and responsibilities for ESG processes as part of their overall control environment development. The ESG control environment may take time to evolve from ad hoc to fully integrated, but the end goal should be reflected in development plans.
Risk Assessment
Appropriately identifying key risks is critical to risk mitigation. In developing an ESG risk assessment process, the focus should be on processes and activities, rather than individual controls. Each business process identified and evaluated within an ICER compliance program should be risk assessed to determine the appropriate level of review and testing required.
Control Activities
Effective internal controls consist of (1) design effectiveness and (2) effective control implementation and operation. Design effectiveness should be evaluated prior to operational effectiveness.
Design effectiveness considerations:
ESG processes and their related control activities are likely to be new relative to an organization's existing financial reporting framework. Specifically, the following processes could be in scope and should be assessed:
- ESG governance (policies in place, executive compensation linked to ESG)
- HR (diversity, equity, and inclusion)
- Sales and marketing (business relationships with customers involved in human rights violations, for example)
- Supply chain
- Products (energy efficiency, recyclability, green bonds, affordable housing, etc.)
- ESG financial reporting (revenue, company-level data, etc.)
- Environmental scanning (carbon footprint, waste, water, electricity, etc.)
Additionally, unique ESG considerations should include third-party information and the related processes, since controls over third-party ESG information will be central to ensuring the accuracy and completeness of the organization's reported ESG data.
ESG risks are cross-cutting risks that impact the entire organization. As such, controls around data privacy will be critical, given the sensitivity of some of the metrics that may be required to be reported (including HR metrics and value chain activities).
Operational effectiveness considerations:
Companies should carefully consider the operational effectiveness of their controls since the processes and risks might be new to them. Key operational effectiveness considerations would include validation of data against benchmarks, analytics to evaluate adequacy and appropriateness of emissions information, and precision of controls to evaluate information at the right level of granularity. Control owners might need to be trained or upskilled to appropriately review and challenge ESG information. Automation of controls could be implemented over the long term to enhance operational effectiveness.
Information and Communication
Appropriate information and communication processes should be developed to drive engagement throughout. This includes the development of processes for internal reporting to management and the relevant governance committee, as well as the development of external reporting processes to address third parties and regulators. Effective and timely conveyance of information is key to the success of an ESG program.
Monitoring Activities
Monitoring activities should be developed as part of the existing risk management (second line of defense) and internal audit (third line of defense) functions. This should include the scoping of ESG processes for independent evaluations, as well as the identification, management, and reporting of deficiencies in internal controls.
The development of a robust ICER will be critical to the long-term viability and reliability of companies' ESG programs. Regardless of regulatory requirements, a meaningful ICER will enable and enhance an ESG program, driving reliability and consistency and, even more importantly, the ability to take appropriate actions to mitigate ESG risks for strategic success.
For more information about ESG internal controls and how proposed rules may impact your organization, reach out to a professional at FORVIS.
[1] The new smaller reporting company definition enables a company with less than $250 million of public float to provide scaled disclosures, as compared to the $75 million threshold under the prior definition. The final rules also expand the definition to include companies with less than $100 million in annual revenues if they also have either no public float or a public float that is less than $700 million.