Audit Committees Should Be on the Lookout for ESG Fraud Risks
Environmental, social, and governance issues appear with increasing frequency on board agendas. “Emerging fraud risks to consider: ESG,” an article in On the audit committee’s agenda, a publication of the Deloitte Center for Board Effectiveness (Deloitte Center), points out that these issues may entail fraud risks that audit committees should recognize and consider. ESG-related fraud risks “should be top of mind for audit committees and a focal point in fraud risk assessments overseen by the audit committee.” For example, many companies provide ESG information to investors that is not governed by the same types of controls as those that apply to financial reporting processes; this may present opportunities to manipulate the ESG-related information. Similarly, linking compensation to ESG metrics may elevate fraud risk by creating incentives to misstate ESG data.
The Deloitte Center article discusses some of these ESG risks, issues a “call to action” for audit committees to consider ESG in fraud risk assessments, and suggests questions audit committees should be asking in this area.
Climate factors driving ESG risk
Voluntary disclosure of climate-related information is one potential source of ESG-related fraud risk. Such information may include greenhouse gas emissions and metrics related to energy consumption or use of renewable energy. Audit committees may therefore want to challenge management and auditors to consider areas where fraud risk could be increasing. Specifically:
Approach to climate. One risk is that ESG-related information provided to investors may differ from information in financial statements or other disclosures. “Companies can evaluate whether information they are providing in regulatory filings is consistent with sustainability reports, press releases, websites, other regulatory filings, and industry reports.”
Impact on controls. Consideration of the control environment should include ESG activities. Less mature controls – or no controls at all – over evolving or emerging ESG-related activities can increase opportunities for fraud.
External risk factors. “Evolving regulatory and stakeholder expectations on ESG matters may create pressure for management and the board to appear well positioned to meet targets or comply with future regulations.”
Internal risk factors. ESG-related key performance indicators may be relevant to fraud risk analysis. This is especially true when ESG KPIs are incorporated into contracts or compensation programs.
Estimates. ESG reporting may involve estimates, judgments, or forecasts that are subject to manipulation or bias. Audit committees may want to ask “how reliable data sources are, whether they could be manipulated, and how management could potentially be motivated to intentionally manage these ESG metrics.”
Talent factors driving ESG risk
Companies may incur ESG-related fraud risk as a result of personnel challenges, such as vacancies and remote work. Talent-related scenarios that may heighten ESG-related fraud risk include:
Turnover. Turnover or vacant positions raise questions about the consistency of control activities and proper segregation of duties. Audit committees may want to ask management how these issues are being addressed – for example, through training and contingency plans for key personnel absences.
New responsibilities. When company personnel assume new or unfamiliar ESG-related responsibilities, mistakes may occur, and some employees may be tempted to hide errors with fraudulent activity. “The audit committee should understand corporate culture and management’s approach to reporting mistakes or errors.”
Hybrid work. Remote or hybrid work arrangements may raise questions about how quality is managed and how disciplinary matters are handled. “The audit committee can challenge how management is promoting culture and tone at the top in these types of environments.”
Talent-related metrics. Many companies are developing ESG metrics about such matters as employee health and safety, engagement, or diversity, equity, and inclusion. Audit committees may want to ask management what controls are in place to promote completeness, accuracy, and reliability of these metrics.
Call to action: Consider ESG in fraud risk assessments
Both management and the auditor perform risk assessments to identify and address potential sources of fraud. As part of their oversight of the company’s antifraud programs, processes, and controls, the audit committee should ask questions about the extent to which the company’s fraud risk assessments consider the risk of fraud in ESG-related reporting activities. Audit committees should also understand the auditor’s fraud risk assessment process and findings, including the auditor’s assessment of the risk of management override of controls.
The Deloitte Center discusses six overarching principles for an effective fraud risk assessment. The discussion concludes with a recommendation concerning documentation: “Audit committees should ask management to share evidence of the risk assessment to understand the level of attention given to evolving ESG fraud risks and what measures are being taken to mitigate risks as ESG-related activities evolve.”
Questions for audit committees to consider
The Deloitte Center lists seven questions audit committees may want to ask management in order to understand the company’s approach to mitigating ESG-related fraud risks:
To what extent has management assessed the risk of fraud with respect to the company’s growing focus on ESG strategy and reporting as part of its enterprise-wide fraud risk assessment?
Is the audit committee primarily responsible for ESG-related fraud risk, or is responsibility shared with other committees and/or the full board? How often does the audit committee discuss fraud risk, including ESG-related fraud risk? [This question seems more appropriate for board discussion, rather than discussion with management.]
Which member of management has authority over fraud risk, and does this person have a comprehensive view of the ESG-related fraud risks that could be present? For example, does this person’s visibility and authority extend beyond financial reporting?
How is management developing metrics that are provided to stakeholders related to ESG strategies or initiatives? How is management developing reporting mechanisms and addressing the potential for fraud in these ESG strategies and initiatives?
What internal controls are in place with respect to the development of metrics and reporting mechanisms, especially those related to ESG? What process has management adopted for promoting completeness, accuracy, and reliability of ESG-related metrics and reporting?
What fraud risks have been identified? How have they been evaluated and prioritized? What mitigation measures are being implemented?
To what extent are these metrics and ESG-related reports reviewed by internal auditors and independent auditors?
Comment: As ESG reporting becomes more extensive and more heavily relied on by investors, the risks and consequences of intentional (and unintentional) ESG material misstatements are also growing. As discussed in prior Updates, many companies began their ESG disclosure efforts outside the control framework of traditional financial disclosures. As a result, the accuracy and reliability of these disclosures may be subject to under-appreciated risks. This could have both adverse reputational and legal consequences. The SEC has formed a task force in the Division of Enforcement “to proactively identify ESG-related misconduct.” This unit, which recently brought a case against a public company alleging inaccurate material ESG disclosures, is likely to be aggressive in pursuing similar actions. See SEC is Serious About ESG Disclosure Enforcement, April-May 2022 Update. For these reasons, audit committees should be actively considering the risks of ESG disclosure fraud and misstatement. The Deloitte Center’s article provides some useful ideas regarding how to begin that process.