ESG is a broad discipline and the opportunities for fraud are widespread. Lawrence blogged last month about guidance from the Association of Certified Fraud Examiners that explains how anti-fraud practitioners are identifying and protecting against schemes and bad data. He’s also written about whether anti-fraud technology is ready for prime time in the ESG space and lessons from Theranos in Net Zero commitments. According to a recent Deloitte memo, audit committees also need to play a role in overseeing controls that can flag – or prevent – ESG fraud. It cites 2021 survey results that found 42% of respondents felt fraud risk had increased at their company.
The article goes on to break down specific climate and talent factors that are contributing to the rising fraud risk. Additionally, Deloitte provides six overarching principles for audit committees to consider in their fraud risk assessments. Here’s an abbreviated excerpt:
- Time and resources. A robust fraud risk assessment is a part of an entity’s overall enterprise risk management program. It is typically performed by a cross-functional working group with the technical knowledge of fraud and fraud risk as well as the time, staff, and tools to perform a thorough assessment. A working group made up of broad stakeholders may include members of finance, operations, technology, human resources, procurement, compliance, legal, and internal audit, with a particular focus on any operational or functional areas that may be working with or producing ESG-related information. The group should have assigned roles and responsibilities to address the various components of the risk assessment.
- Control environments. While brainstorming about potential fraud schemes, the working group should set aside any consideration of the existing control environment. Fraudsters may not be aware of fraud prevention controls that may be in place or may work to circumvent them. When existing controls are not factored into the brainstorming, stakeholders can more easily envision potential incentives, opportunities, and rationalizations for committing fraud.
- Specificity. The risk assessment should identify not only potential schemes, but potential methods to commit fraud and possible perpetrators as well. The more specific the identification of potential fraud risks, the more effectively the company can evaluate potential likelihood, impact, and mitigation strategies.
- Consideration of risk. Once the group has identified fraud schemes, assessed the likelihood and impact of each, and prioritized them, then the group can evaluate controls and processes associated with each. The highest-risk scenarios should receive the highest level of attention. It is not uncommon for companies to allocate time and resources to potential fraud schemes that are not commensurate with the risk.
- Consideration of emerging risks. This is an aspect of the risk assessment that is particularly relevant to ESG-related fraud risk. The assessment must consider emerging risks based on changes in the internal or external environment. These may include changes in the economy, new ways of doing business, new products or services, new technologies, increasing expectations from internal and external stakeholders, and other changes that may be relevant to the company.
- Documentation and follow-up. Audit committees should ask management to share evidence of the risk assessment to understand the level of attention given to evolving ESG fraud risks and what measures are being taken to mitigate risks as ESG-related activities evolve.
What This Means
Fraud risk is rising in ESG. This is consistent with the overall pattern of fraudsters throughout history. Fraud has always flourished in emerging fields and industries – especially those that are complex and require specific knowledge to understand. From railroads to cryptocurrency, they prey on the enthusiasm of those who want to be a part of something new, but don’t have the technical knowledge to protect themselves. Additionally, as Deloitte points out, powerful incentives are emerging in ESG which apply additional pressure to the “fraud triangle” – thereby increasing the risk of internal fraud.
One of the best ways to protect against fraud is to train your personnel on fraud identification and fraud prevention. Our recent podcast episode – “Fraud Detection in ESG” – can help you understand and mitigate that risk. If you aren’t already a member of PracticalESG.com with access to this resource and other filtered, practical content on ESG Disclosures & Board Oversight, then sign up online, call 800-737-1271 or email sales@ccrcorp.com and take advantage of our “100 Day Promise”: during the first 100 days as an activated member, you may cancel for any reason and receive a full refund!