SEC Commissioner Caroline Crenshaw offered interesting public comments at a conference yesterday. That may be the first time an SEC Commissioner has directly addressed the applicability of internal controls to ESG matters. While her views are not those of the Commission or Staff, they were insightful. We’ve posted a few blogs about the use of internal controls for ESG data, including from Advisory Board members Dan Goelzer and Mark Trexler. I myself am known to have an opinion on the matter, so I was pleased to see Commissioner Crenshaw speak to it.
She set the context well by saying:
“… controls broadly include systems designed to ensure transactions are authorized and recorded in a way that maintains accountability for assets and allows for financial statement preparation in conformity with GAAP [generally accepted accounting principles]. They also include procedures that control access to assets and the systems designed to test the effectiveness of internal controls… management is responsible for establishing and maintaining an effective system of internal controls that reasonably safeguards corporate assets from risk. So as you think about and discuss ESG risks during this conference, I encourage you to think about them in the context of your internal accounting controls and audit functions.”
She continued: “internal accounting controls must be dynamic enough to consider and respond to changes in the markets, such as those posed by ESG issues… there are a few specific ESG risks where internal corporate accounting controls play a critical role, and it is particularly important to assess whether these existing corporate internal accounting controls are sufficient to provide reasonable assurances that each business and its assets are, in fact, adequately controlled.”
She then expressed interest in how “public companies are responding to the various types of cybersecurity intrusions and attacks public issuers are facing.” Those intrusions are not just about data privacy; they extend to the computer controls for operating facilities such as refineries, power plants, water treatment operations and gas pipelines. Inadequate cybersecurity measures at these kinds of operations can result in process safety controls being overridden, causing fires, explosions and environmental contamination, as I wrote about this summer.
Climate risk was next. She mentioned stranded assets and supply chain disruptions due to climate change, then got to the heart of the matter:
“I’m interested in understanding how … [a] company evaluates climate change risk. For example, do companies rely on third party service providers, and if so, do they evaluate the controls that the service providers have in place over information and disclose to investors the identity of the service provider, in the same way you disclose your auditors and underwriters?”
This is strikingly similar to concerns raised by PCAOB in their recent guidance on how auditors should use information from external sources.
Proxy advisor Glass Lewis also voiced views on governance structures for ESG, which are part of internal controls and monitoring. As blogged by Liz today:
Beginning in 2022, Glass Lewis will note as a concern when boards of companies in the Russell 1000 index do not provide clear disclosure concerning the board-level oversight afforded to environmental and/or social issues. For shareholder meetings held after January 1, 2022, it will generally recommend voting against the governance committee chair of a company in the S&P 500 index who fails to provide explicit disclosure concerning the board’s role in overseeing these issues.
While Glass Lewis believes that it is important that these issues are overseen at the board level and that shareholders are afforded meaningful disclosure of these oversight responsibilities, it believes that companies should determine the best structure for this oversight.
What This Means for You
Internal controls for publicly reported corporate ESG data are far less robust – generally speaking – than for financial data. But that ESG data informs ratings agencies, investors, asset managers, investment advisors, regulatory authorities and others. It is expected that the SEC will be added to that list next year.
- For companies: Assess your internal controls to determine if they can be applied to the ESG risks relevant to your company. If you haven’t formally assessed your ESG risks, doing so is an appropriate starting point, since controls should match the risks. Make sure you consider risks that may not be specifically identified by typical ESG risk assessment frameworks. For instance, I don’t recall seeing the process safety risk of cybersecurity failure addressed in those templates/frameworks. Additionally, external information on which you rely presents another risk, as Crenshaw indicated. Where gaps in controls are identified, it would be prudent to prioritize closing those gaps as soon as possible. If you are considering engaging external resources, the advisors best suited to help are those that provide a combination of controls expertise and technical ESG subject matter knowledge.
- For auditors: Recognize there are likely aspects of ESG matters that are beyond accounting and therefore beyond the expertise of accountants. Sometimes additional education and training on technical ESG subjects will be sufficient to help auditors/advisors develop an appropriate level of competence to assess ESG topics and controls. However, there will also be times when it is critical to bring subject matter experts onto the team. For instance, understanding carbon emissions usually requires specific expertise in process/fuel-burning equipment, pollution controls design, operation & maintenance, and the technical assumptions embedded in emissions calculations. Audit teams that provide a combination of controls expertise and technical ESG subject matter knowledge are optimal for serving clients.