Audit committee oversight of ESG fraud risk

Cydney Posner
Cooley LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Cooley LLP

In this article, accounting firm Deloitte observes that boards and managements often experience “denial” when the topic of fraud risk arises—no one wants to feel that the trust they place in their own employees is actually misplaced.  Still, fraud risk is one topic that typically finds its way onto the agendas of audit committees. Deloitte advises that, with the current attention to ESG and in anticipation of new rulemaking from the SEC on disclosure related to climate, human capital and other ESG-related topics (see this PubCo post), “fraud risk in this area should be top of mind for audit committees and a focal point in fraud risk assessments overseen by the audit committee.” While audit committees focus primarily on financial statement fraud risk, Deloitte suggests that audit committees should consider expanding their attention to fraud risk related to ESG, an area that is “not governed by the same types of controls present in financial reporting processes,” and, therefore, may be more susceptible to manipulation. In their oversight capacity, audit committees have a role to play, Deloitte suggests, by engaging with “management, including internal audit, fraud risk specialists, and independent auditors to understand the extent to which fraud risk is being considered and mitigated.”

SideBar

With the increased focus on sustainability reporting, as discussed in this 2020 article in the WSJ, also comes increased scrutiny, especially of ESG hype and  greenwashing. While positive reports and ratings “can attract investments and sales,… along with heightened interest comes heightened scrutiny. Indeed, misleading claims can backfire if they are called out as inaccurate or misleading. Investors are quick to punish companies for transgressions across the landscape of ESG issues.”  “‘The stakes are just much higher,’” according to one commentator, citing a 2019 report from a large bank “that showed 24 major controversies related to ESG topics erased more than $500 billion in market value of S&P 500 companies from 2014 to September 2019.” Another survey of 250 institutional investors showed that over half “believe companies are presenting misleading environmental credentials, and 84% think the practice is becoming more common.”

Deloitte cites the classic fraud triangle theory, which holds that three factors elevate fraud risk: financial pressure, opportunity and rationalization. As an example, some companies are tying ESG metrics to executive compensation, which can represent a source of financial pressure to manipulate data. Companies may also feel pressure to adopt sustainable practices and reflect positive trends in ESG for investors, NGOs and other stakeholders. In addition, companies may provide voluntary sustainability reports, but often the information “has not been gathered, tested, and reported under the kind of internal controls that typically are present with financial reporting.” These controls, if any, tend to be more novel and immature.  As a result, these reports “may suggest a heightened opportunity for people within the organization to manipulate ESG-related information.”

SideBar

What about independent verification or attestation? According to a report from the Center for Audit Quality, just over half of the companies (264) in the S&P 500 had some type of independent verification of their climate data. Around 235 used an engineering or consulting firm; only 31 used an accounting firm.  In addition, the scope of assurance varied. The vast majority of assurance from engineering or consulting firms related solely to GHG or a narrow range of other metrics; assurance provided by public company auditors was generally somewhat broader. The standards employed also varied. Among audit firms, 27 applied the AICPA attestation standards, and four referenced the International Standard on Assurance Engagements 3000.  Among engineers and consultants, 162 applied ISO 14064-3 for greenhouse gases and 72 applied their own methodology, which they often indicated was based on ISAE 3000. 

Notably, regardless of the provider, the CAQ reported that the levels of assurance were, for the most part, not comparable to the levels provided in a financial statement audit. Among audit firms, 25 provided “limited assurance,” that is, they typically involved limited procedures and included reports that were framed in the negative—e.g., nothing has come to our attention to cause us to believe that the sustainability report has not been prepared, in all material aspects, in accordance with XYZ standards, or we are not aware of any material modifications that should be made to the schedule of sustainability metrics for it to be in accordance with XYZ criteria. Only two provided “reasonable” assurance (a positive opinion) and three were mixed. Similarly, among consultants and engineers, 174 provided “limited” assurance, 17 “reasonable” assurance, 17 “moderate” assurance and 15 were a mix.  Why the less rigorous levels of assurance? The engagement may provide only “limited assurance” because of time and cost constraints or, perhaps as explained by the Institute of Chartered Accountants in England and Wales, it may be because, in contrast to financial statements that are “extracted from a double entry bookkeeping system,” a non-financial assurance engagement may address a subject that is “less well defined and for which the control environment is far less mature and robust. For example, the calculation of a company’s carbon footprint may have been performed by an individual and the results collected on a spreadsheet and supported by files of memorandum information.” Nevertheless, limited assurances are sought and provided in other contexts, and, in this context, investors may well find that even limited assurances provide basic comfort. Under the SEC’s climate proposal, accelerated filers and large accelerated filers would need to provide assurance for Scopes 1 and 2 GHG emissions and would have one fiscal year to phase-in limited assurance and two additional fiscal years to transition to providing reasonable assurance. (See this PubCo post.)

In its Audit Committee Practices Report, reflecting the results of a 2021 survey by Deloitte and the CAQ, Deloitte found that 42% of audit committee survey respondents reported an increase in fraud risk. And litigation risk related to ESG fraud and greenwashing appears to be growing. (See, e.g., this article.) ESG fraud is a focus of SEC Enforcement as well, the article notes.  In 2021, then Acting SEC Chair Allison Herren Lee established a new Climate and ESG Task Force in the Division of Enforcement, which sought to identify ESG-related misconduct. (See this PubCo post.)  Last year, the Task Force played a role in the SEC’s complaint against Vale S.A., a publicly traded (NYSE) Brazilian mining company and one of the world’s largest iron ore producers, charging that it made “false and misleading claims about the safety of its dams” prior to the collapse of a major dam that killed 270 people. The SEC alleged that Vale “intentionally concealed alarming signs of the dam’s instability from the investing public and Brazilian authorities. Vale also deliberately manipulated multiple dam safety audits; obtained numerous fraudulent stability declarations; and regularly and intentionally misled local governments, communities, and investors about the dam’s integrity.” (See this PubCo post.)

SideBar

As discussed in this Bloomberg article, the SEC’s ESG Task Force has been devoted to examining corporate and fund ESG disclosures to combat greenwashing, securities fraud and other ESG-related misconduct.  According to the SEC’s press release, the initial focus of the Task Force was to identify any material gaps or misstatements in issuers’ disclosure of climate risks under existing rules, including the staff’s 2010 interpretive guidance regarding climate change. (You may recall that the guidance addressed in some detail how existing disclosure obligations, such as the Reg S-K requirements for business narrative and risk factors, could apply to climate change. See this PubCo post.) The press release indicated that the Task Force would “develop initiatives to proactively identify ESG-related misconduct,” and “coordinate the effective use of Division resources, including through the use of sophisticated data analysis to mine and assess information across registrants, to identify potential violations.” In addition, the Task Force would “evaluate and pursue tips, referrals, and whistleblower complaints on ESG-related issues, and provide expertise and insight to teams working on ESG-related matters across the Division.” (See this PubCo post.) According to the article, the Task Force has recently had a major hand in at least three enforcement actions, including the action against Vale S.A. referred to above. According to Bloomberg, the Task Force’s recent actions “are likely just the beginning, with more cases expected soon.”

Drilling down, Deloitte addresses fraud risk in two areas: climate and human capital. With respect to climate, the article observes that companies may be providing climate-related metrics in voluntary reporting that may not be consistent with periodic reports ad financial statements. According to the article, “the novelty of ESG-related information and the information gathering process, as well as the reliance stakeholders may be placing on such information, can make it susceptible to fraud risk…. Newer or less mature controls over reporting, ineffective controls, and the absence of controls can increase the opportunity for fraud to occur.” Anticipated regulatory developments and  demands of various investors, lenders, customers and other stakeholders can “create pressure for management and the board to appear well positioned to meet targets or comply with future regulations.” In addition, any climate-related metrics that are included in key contracts or compensation agreements may also impose pressures.  And, to the extent that climate-related disclosures are based on estimates, forecasts and judgments, these are “by their nature subjective and are subject to manipulation or bias.” The article advises that audit committees consider asking management “how reliable data sources are, whether they could be manipulated, and how management could potentially be motivated to intentionally manage these ESG metrics in ways that would serve management or the company’s best interests.”

Human capital is another area where fraud risk appears, the article continues, pointing to constant turnover, vacant or hard-to-fill positions and  remote or hybrid work as potential factors contributing to heightened fraud risk. These factors raise concerns about control activities, segregation of duties, corporate culture that does not permit error—especially for new employees—and quality management.  Deloitte suggests that audit committees challenge management regarding the efficacy of training and management, contingency plans for key personnel absences, corporate culture and management’s approach to reporting mistakes or errors, and how management is promoting culture and tone at the top, especially in remote/hybrid work environments. In addition, some companies have amped up their disclosures of human capital metrics, such as health and safety, engagement, culture, development, diversity, equity, and inclusion.  Deloitte cautions that these metrics are subject to manipulation; audit committees may want to discuss with management the development of these metrics and the presence of internal controls to promote completeness, accuracy and reliability.

Deloitte also advises that audit committees ensure that ESG-related risks are included as part of companies’ fraud-risk assessments, noting that COSO—which has provided the widely recognized framework for internal control over financial reporting—has approved a study to develop supplemental guidance applying its internal control framework in the areas of sustainability and ESG for both internal decision-making and public reporting. As described by Deloitte, fraud risk assessments are “intended to help management understand who could commit fraud, what type of schemes they might devise, where and how these schemes could be carried out, and what controls a company has or does not have in place, which may help identify potential gaps in the internal control framework that is intended to prevent and detect fraud.” Deloitte suggests that audit committees “understand the company’s antifraud programs and controls, evaluate management’s process, and ask questions about the extent to which the company’s fraud risk assessments consider the risk of fraud in emerging or evolving ESG-related reporting activities. Audit committees should also understand the independent auditor’s fraud risk assessment process and findings with respect to the antifraud programs and controls as well as the risk of management override of controls.”  In addition, Deloitte recommends that audit committees ask management to “share evidence of the risk assessment to understand the level of attention given to evolving ESG fraud risks and what measures are being taken to mitigate risks as ESG-related activities evolve.”

Deloitte recommends the following questions for audit committees to ask in connection with audit-related fraud risks:

  • “To what extent has management assessed the risk of fraud with respect to the company’s growing focus on ESG strategy and reporting as part of its enterprise-wide fraud risk assessment?
  • Is the audit committee primarily responsible for ESG-related fraud risk, or is responsibility shared with other committees and/or the full board? How often does the audit committee discuss fraud risk, including ESG-related fraud risk?
  • Which member of management has authority over fraud risk, and does this person have a comprehensive view of the ESG-related fraud risks that could be present? For example, does this person’s visibility and authority extend beyond financial reporting?
  • How is management developing metrics that are provided to stakeholders related to ESG strategies or initiatives? How is management developing reporting mechanisms and addressing the potential for fraud in these ESG strategies and initiatives?
  • What internal controls are in place with respect to the development of metrics and reporting mechanisms, especially those related to ESG? What process has management adopted for promoting completeness, accuracy, and reliability of ESG-related metrics and reporting?
  • What fraud risks have been identified? How have they been evaluated and prioritized? What mitigation measures are being implemented?
  • To what extent are these metrics and ESG-related reports reviewed by internal auditors and independent auditors?”

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising

Written by:

Cooley LLP
Cooley LLP
Contact
more
less

Cooley LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide