Skip to main content

Attestation and Internal Control Considerations for ESG Programs

ESG risks can impact an entire organization. SEC’s proposed rules around attestation are explained here. Internal controls suggestions are offered. 
banner background

In recent years, environmental, social, and governance (ESG) considerations, and climate, in particular, have become prominent areas of both regulation and industry-led guidance, as the understanding of the related risks (and opportunities) continues to evolve.

The Security and Exchange Commissions (SEC) Proposed Rule published on March 21, 2022—The Enhancement and Standardization of Climate-Related Disclosures for Investors (SEC Proposed Rule)—summarized here provides further clarity on the latest regulatory thinking.

One of the most impactful among the newly proposed requirements relates to attestation. The relevant information to consider in relation to that is as follows:

What Is Required
  • Disclose direct and indirect greenhouse gas emissions, known as Scope 1 and Scope 2 emissions
  • Disclose greenhouse gases generated by suppliers and partners, known as Scope 3 emissions, if material or included in any emissions targets the company has set
  • The proposed financial statement metrics would consist of information on climate-related impacts on existing financial statement line items
Reporting TimelinesThe proposed transition periods would provide existing accelerated filers and large accelerated filers with a transition period of one fiscal year of limited assurance and two additional fiscal years of reasonable assurance, starting with the following compliance dates for Scopes 1 and 2 disclosures:
  • For large, accelerated filers1, fiscal year 2023 (filed in 2024)
  • For accelerated and non-accelerated filers, fiscal year 2024 (filed in 2025)
  • For small reporting companies (SRC), fiscal year 2025 (filed in 2026)
Assurance RequirementsThe Proposed Rule would require:
  • Limited assurance for Scopes 1 and 2 emissions disclosure, scaling up to reasonable assurance after a specified transition period
  • No assurance for Scope 3 emissions
  • Reasonable assurance for financial statement metrics considered to be part of overall financial reporting and therefore covered by internal controls over financial reporting (ICFR)
Assurance Definitions
  • Limited assurance refers to the service provider expressing a conclusion on its awareness of any material modifications that should be made to the subject matter for it to be stated fairly or in accordance with the relevant criteria
    • The conclusion is expressed in the form of negative assurance on whether any material misstatements have been identified
  • Reasonable assurance refers to the same level of assurance provided in an audit of a registrant’s consolidated financial statements. It expresses an opinion on whether the subject matter is in accordance with the relevant criteria, in all material respects. A reasonable assurance opinion provides positive assurance that the subject matter is free from material misstatements.
Who Can Provide AssuranceThe Proposed Rule defines a greenhouse gas (GHG) emissions attestation provider to be a person or firm that has all of the following characteristics:
  • Is an expert in GHG emissions by virtue of having significant experience in measuring, analyzing, reporting, or attesting to GHG emissions
  • Performs engagements in accordance with professional standards and applicable legal and regulatory requirements
  • Is independent with respect to the registrant and any of its affiliates

As highlighted above, the Proposed Rule requires the application of ICFR for ESG-related financial statement metrics and contemplates the application of internal controls for Scope 1 and 2 emissions’ reasonable assurance.

Beyond the Rule itself, companies that provide ESG reporting should consider adopting equivalent internal controls over ESG reporting (ICER) to enhance the reliability and credibility of their ESG reporting. The ability to validate ESG elements through substantive testing may be limited, due to the reliance on supplier-provided information and the immaturity of ESG monitoring and reporting processes. Therefore, it is important to develop a long-term view of ICER to create reliable ESG reporting.

Framework Reporting Considerations

The SEC requires management to base its assessment of the effectiveness of the company’s ICFR on a suitable, recognized control framework. Both the SEC and the Public Company Accounting Oversight Board (PCAOB) specifically endorse the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework as a suitable framework. As such, one should consider adopting COSO or similar frameworks for ICER.

According to COSO, internal control consists of five interrelated components needed to achieve its objectives. The five components (and their 17 related principles) are as adapted for ESG by FORVIS is as follows:

Components of an ESG Controls Framework

The specific considerations for ESG across all five components are as follows:

Control Environment

The control environment ensures that an appropriate framework and tone are in place towards the adequacy, reliability, and appropriateness of ESG information. The control environment should be appropriately developed including governance and oversight of ESG data and reporting. ESG governance may be embedded within an existing committee structure e.g., as a subcommittee to the enterprise risk management (ERM) committee, and companies should consider the cascading of entity-level controls to cover ESG overall. Additionally, ESG-specific policies and their related implementation should be considered. Organizations should plan on having formalized oversight roles and responsibilities for ESG processes, as part of their overall control environment development. The ESG control environment may take time to evolve from ad-hoc to fully integrated, but the end goal should be reflected in development plans.

Risk Assessment

Appropriately identifying key risks is critical to risk mitigation. In developing an ESG risk assessment process, the focus should be on processes and activities, rather than individual controls. Each business process identified and evaluated within an ICER compliance program should be risk assessed to determine the appropriate level of review and testing required.

Control Activities

Effective internal controls consist of (1) design effectiveness and (2) effective control implementation and operation. The design effectiveness should be evaluated prior to operational effectiveness.

Design effectiveness considerations:

The processes for ESG and its related control activities are expected to be newer for organizations’ financial reporting framework. Specifically, the following processes could be in scope and should be assessed:

  • ESG governance (policies in place, executive compensation linked to ESG) 
  • HR (diversity, equity, and inclusion)
  • Sales and marketing (business relationships with customers involved in human rights violations, for example)
  • Supply chain
  • Products (energy efficiency, recyclability, green bonds, affordable housing, etc.)
  • ESG financial reporting (revenue, company-level data, etc.)
  • Environmental scanning (carbon footprint, waste, water, electricity, etc.)

Additionally, unique ESG considerations should include third-party information and the related processes, since their controls around ESG information will be prominent to ensure accuracy and completeness of the organization’s reported ESG data.

ESG risks are transverse risks impacting the entire organization. As such, controls around data privacy will be critical given the sensitivity around some of the metrics that may be required to be reported (including HR metrics and value chain activities).

Operational effectiveness considerations:

Companies should carefully consider the operational effectiveness of their controls since the processes and risks might be new to them. Key operational effectiveness considerations would include validation of data against benchmarks, analytics to evaluate adequacy and appropriateness of emissions information, and precision of controls to evaluate information at the right level of granularity. Control owners might need to be trained or upskilled to appropriately review and challenge ESG information. Automation of controls could be implemented over the long term to enhance operational effectiveness.

Information and Communication

Appropriate information and communication processes should be developed to drive engagement throughout. This includes the development of processes for internal reporting to management and the relevant governance committee, as well as the development of external reporting processes to address third parties and regulators. Effective and timely conveyance of information is key to the success of an ESG program.

Monitoring Activities

Monitoring activities should be developed as part of the existing risk management (2nd line of defense) and internal audit (3rd line of defense) functions. This should include the scoping of ESG processes for independent evaluations, as well as identification, management, and reporting of deficiencies in internal controls.

The development of a robust ICER will be critical for the long-term viability and reliability of ESG programs for companies. Regardless of regulatory requirements, a meaningful ICER will enable and enhance an ESG program driving reliability and consistency and, even more importantly, the ability to take appropriate actions to mitigate ESG risks for strategic success.

For more information about ESG internal controls and how proposed rules may impact your organization, reach out to a professional at FORVIS or submit the Contact Us form below.

  • 1The new smaller reporting company definition enables a company with less than $250 million of public float to provide scaled disclosures, as compared to the $75 million threshold under the prior definition. The final rules also expand the definition to include companies with less than $100 million in annual revenues if they also have either no public float or a public float that is less than $700 million.

Related FORsights

Like what you see?
Subscribe to receive tailored insights directly to your inbox.