In a series of blogs on what is likely to be an ongoing topic for the foreseeable future, I have been discussing the barrage of environmental, social and governance (ESG) related activity and focus by capital markets regulators and participants. Climate change initiatives and disclosures have been singled out in the ESG discussions and as a particular SEC focus, and as such were the topic of the first blog in this series (see HERE). The second blog talked more generally about ESG investing and ratings systems and discussed the role of a Chief Sustainability Officer (see HERE). The last blog on the topic focused on current and prospective ESG disclosure requirements and initiatives, including the Nasdaq ESG Reporting Guide (see HERE).
ESG is not just a topic impacting social position disclosures but can go directly to the financial condition of a reporting company, and as such its financial statements. Accordingly, ESG reporting requires auditor and audit committee engagement.
Board of Directors, Audit Committees and ESG Disclosures
The “G” in ESG generally refers to the governing structure, policies, and practices employed by a company related to responsibilities and decision-making rights that provide the foundation for overall accountability and credibility. In other words, the “G” goes directly to corporate governance and internal controls, the oversight of which rests with the board of directors and its audit committee. Although not a completely new topic, ESG has gained momentum following the Covid-19 pandemic and social justice movement, prompting many companies to take a proactive instead of reactive approach to the matter.
A company that is either merely reacting to the ESG disclosure pressure or that simply has not developed an ESG thought process as of yet generally does not have a system in place that integrates ESG considerations into its management decision ecosystem, nor does it have active board oversight on the topic. These companies are now developing controls and procedures that include reporting to and updating board members, creating accountability, often hiring a Chief Sustainability Officer and creating a reporting regime within the company that abides by specific standards. Although I am still skeptical of ESG-driven management decisions as a whole (my thoughts align more with Jay Clayton and Hester Peirce), the train has left the station and I wouldn’t be surprised if, in the near future, it goes so far as to include executive compensation tied to ESG performance.
Board oversight of an entity’s ESG reporting is critical for establishing and maintaining good governance, policies, and controls over the ESG reporting process. The board of directors’ responsibilities extend beyond simply reviewing past disclosures or current systems and also include being proactive and ready for future implementation of new processes. Where ESG matters impact financial statements, oversight clearly lies with the audit committee of the board of directors, but the nominating and governance committee clearly has a role, and many boards are forming a separate ESG/Sustainability committee.
Where a board of directors is considering hiring a third party, such as its audit firm, to provide ESG attestation (and thus give assurances), it should be informed about (i) the purpose and objectives of the ESG information (SEC reports; separate sustainability reporting; future planning; investigation of potential deficiencies, etc.); (ii) the intended users of the ESG information (internal; public filings; investors; ratings organizations); (iii) why the intended users want or need the information; (iv) the potential risks associated with misstatements or omissions; (v) the type of ESG information intended users are expecting; and (vi) the level of ESG attestation service that will achieve the goals (full audit, review, etc.).
Regardless, all boards of directors should be considering (i) what are the company’s policies and processes with respect to the gathering and reporting of ESG information; (ii) how old or dated is the current available information; (iii) who in the company has responsibility for the oversight of ESG information; (iv) is ESG information material to or included in financial statement reporting; (v) what are the company’s internal controls vis-a-vis ESG information gathering and reporting; (vi) have ESG-related internal controls been tested; and (vii) what disclosure controls and procedures and related documentation are available for ESG information.
Auditor Role in ESG Disclosures
Generally, an auditor is only responsible for information contained in an SEC registration statement or report. However, under PCAOB auditing standards, an auditor must at least read the balance of a filing, including ESG information, to ensure that such information is consistent with, and at least not materially inconsistent with, the financial statements and notes thereto. Where sustainability reports are presented by a company, either on its website or as an exhibit to an SEC filing, an auditor would have no responsibility for the information contained in those reports.
However, in today’s ESG-centric environment, some companies are seeking third-party assurance on their ESG information. Third-party assurance can (i) assist the board of directors in assessing the quality of ESG disclosures and in overall company oversight; (ii) enhance the reliability of ESG information for investor analysis; (iii) enhance management’s confidence in the integrity of the company’s disclosed ESG information; (iv) assist stakeholders such as customers, suppliers and prospective employees in making ESG-based relationship decisions; and (v) impact a company’s ESG rankings and rating on sustainability indices (such as the Dow Jones Sustainability Index).
Public company auditors have stepped up to fill this role and are now regularly being engaged by their public company clients to provide ESG-related assurances. Other third parties, such as engineering or consulting firms, are also competing for this business. Where a public company audit firm is retained, they are guided by the American Institute of CPAs (AICPA) Statements on Standards for Attestation Engagements. That is, where an auditor is engaged to provide ESG attestations, they must comply with standards involving data and systems testing and evaluating evidence and procedures. Accordingly, there is a belief that auditor ESG assurances are reliable.
As when engaged to perform an audit, the auditor engaged for ESG matters must: (i) be independent of the company; (ii) be skilled in understanding the company including its business and processes; (iii) have the resources, such as specific expertise, to provide the requested services (think expert on greenhouse gas emissions); (iv) plan and perform attestations with professional skepticism; (v) be experienced in reporting on compliance matters (not just standard audits); (vi) maintain a system of quality controls; and (vii) maintain continuing professional education and other licensing requirements. A company will often retain the same firm that is performing its regular audit work, as that auditor will have a depth of knowledge about the company, making the ESG attestation more economical and efficient.
Generally, an auditor’s ESG attestation is made more reliable because of their requirement to test against specific standards. Those standards must be recognized as reliable, such as those published by the Sustainability Accounting Standards Board or the Global Reporting Initiative. Where a company makes a broad statement related to ESG matters not supported by evidence or capable of being measured against a specific metric, the auditor would not be able to provide assurance.
Moreover, just like the difference between an annual audit and quarterly review of financial statements, an auditor can be retained to provide a full independent report and opinion on ESG information or a more limited review such as for material deficiencies with no separate report. An auditor may also provide consulting services helping a company determine its ESG reporting systems, internal controls and best metrics and standards.