Count Me In®

As highlighted in the recent COSO publication on Internal Controls over Sustainability Reporting, good governance and systems for sustainable business activities and ESG reporting require attention to potential risks around fraud and greenwashing. Reflecting Grant Thornton’s recent report on control activities related to these risks, join us as we take a deep dive into the world of Environmental, Social, and Governance (ESG) in business with our latest episode of the 'Count Me In' podcast. Hosted by a panel of experts, which includes Catie Serex, Douglas Hileman and Dan Mosher, our podcast uncovers the truth behind ESG, its importance in today's business world, the challenges it presents, and importantly, its potential role in fraudulent activities. Tune in for a fascinating conversation on ESG reporting, corporate purpose, sustainability, and the latest trends affecting investors, employees, and stakeholders alike. Don't miss this chance to stay informed and ahead of the curve in the ever-evolving world of business.

Connect with our speakers:
Catie: https://www.linkedin.com/in/ctserex/
Dan: https://www.linkedin.com/in/dan-mosher-8552519/
Doug: https://www.linkedin.com/in/douglas-hileman-fsa-crma-cpea-p-e-6abbb71/

Download the reports mentioned in today's podcast:
Achieving Effective Internal Control Over Sustainability Reporting
Managing Fraud Risks in an Evolving ESG Environment

Full Episode Transcript:
Adam:              Hello, and welcome back to another enlightening episode of Count Me In. I'm your host, Adam Larson, and today we're diving deep into the complexities of Environmental, Social, and Governance, ESG, with a distinguished panel of experts. We're joined by Douglas Hileman, an experienced sustainability consultant, with over three decades of experience in environmental management systems, and internal controls. 
 
Alongside him, we have Dan Mosher, a seasoned professional who excels in helping businesses navigate the complexities of sustainability and environmental risks. Last but not least, we welcome Catie Serex. A leader in environmental, health, and safety, auditing and management who assists businesses in integrating sustainable and socially responsible practices. 
 
Today's discussion will delve into the importance of ESG, the challenges businesses face in managing ESG data, and the potential risk of fraud in ESG reporting. Here we go, let's listen in together.
 
[00:01:00]       < Music >
 
Doug:              And one of the things that we might kick off is with a very basic question of what is ESG? Dan, when people ask you this, how do you answer?
 
Dan:                Well, it really is a big umbrella, and I'll ask for some help from Catie in this regard. But ESG stands for Environmental, Social, and Governance. And, so, lots of things under that environmental area. Everything from waste management and air quality, climate change. From a social perspective, it could be your human capital management, health and safety matters. Governance, I think of anticorruption, data risks, and the like. So it really is a broad title when we say ESG. Catie, do you have some things you'd like to add to that comment?
 
Catie:              Yes, Dan, you definitely covered the gamut as far as some of the phrasings and the terminology, and really the topics that fall under that ESG umbrella. What I would want to add is that ESG is certainly one of the buzziest words in business today. But you might not know that ESG is, very simply, the newest iteration of concepts you've likely known for a long time. It's been previously known as corporate purpose, sustainability, even philanthropy. 
 
But what differentiates ESG from these previous versions is that it now represents the closest alignment, to date, of business operations, so think about your tangible assets. To those intangible elements of business that drive value. And, in this case, I'm referring to things like customer loyalty, labor environments, community engagement support. And because of this connection, ESG is moving from a nice-to-have to a need-to-have for companies, but also their investors, their customers, and other key stakeholders like their employees.
 
Doug:              I also think of ESG as a convenient taxonomy for all things non-financial. Many people have published those pillars or the word clouds that's in the ACFE report, and what topic goes where. For financial reporting, we know where sales goes and we know where EBITDA goes. We know where those are in a format and how to put the data and information together for clarity and reporting. For all things non-financial, it's just such a sprawling array of topics that ESG serves for one reason, in one way, as just simply a taxonomy. And there are some issues, such as climate change, like Dan mentioned, that really transcend more than one category, if you will. But for purposes of just where do you find it, and how do you manage it, and it can just serve as a taxonomy. Catie, to your point, on how to organize some processes, some controls, some recordings to understand what the organization is doing.
 
Dan:                And I'd be interested in hearing your thoughts on the various channels in which this information is being put out there in the public. Catie, maybe you have some thoughts around the wide scope of that.
 
Catie:              Yes, so in terms of the reporting side of things and getting to the nuts and bolts of what, I'm sure our listeners are interested in, in terms of, what am I on the hook for? There are a lot of reporting frameworks out there that are guiding folks. And I know that that's been a point of confusion for people is understanding, there are all these different acronyms out there. That I can report to like SASB, or the Global Reporting Initiative, GRI, Task Force for Climate-Related Financial Disclosures or TCFD. There are a lot of frameworks out there, but the field is narrowing. 
 
So some of the communication that we've been seeing from these wider umbrella frameworks, are that they are working together to consolidate. To make things a little bit more straightforward, and to make things a little bit more uniform across the reporting landscape. But that's currently in progress, and this is just a result of this being not in nascent stages, but still in its growth period, and really honing down what are the things that shareholders, regulators, and such need to see when it comes to these ESG disclosures.
 
Dan:                And I know that Doug has been on the front line when things are misreported or omitted, and I'd love to hear some of his worst stories.
 
Doug:              Thank you, Dan. The question about reporting channels is a very good one, and Catie brought up several things that are happening in reporting to general capital markets. I also observe that there are other channels for reporting, including impact investors who may be interested in one particular topic. The general purpose capital reporting takes in one tranche, if you will, of topics that need to come external from an organization, a company. 
 
There are other investors who are interested, let's say, in human rights, or in product conformity, or in diversity, or in commitment to climate, and they want more information about those topics. So you may get information from investor groups or analyst groups, and that's a type of report. 
 
Another channel of reporting that I see is B2B reporting. The customers, and business partners, and banks, joint venture participants, are looking more into non-financial risk management. Non-financial performance and alignment, which is ESG. So before entering business relationships, and even during business relationships up and down the value chain, there's also ESG reporting that happens there. 
 
It is starting to align in some ways that they're asking questions about the same topics, but the questions themselves can be different. And, in many cases, the reporting, the demand for reporting has outpaced companies' abilities to report on the data and information. So that pull has created a bit of a vacuum. And many companies are scrambling to come up with processes, systems, and controls so they can generate the data and information that these stakeholders are expecting in terms of reporting.
 
Catie:              Doug, just to jump in there, from a client perspective, we are seeing that a lot of our clients are getting, especially, those B2B requests from either their suppliers or their downstream supply chain vendors. And the way that we're seeing that manifest is a lot of these larger companies are looking at their supply chain. If you think about greenhouse gas emissions, they're looking at their Scope 3 emissions, which is all value chain. 
 
And, so, they're sending requests to clients like ours that are asking, "What are your Scope 1 and 2 emissions? Because we need to report that." We are seeing clients feeling the pressure to respond to that, to continue to be part of those wider supply chains. 
 
And, so, they're coming to us asking for assistance in figuring out what those ESG metrics are and being able to respond in complete and accurate ways. So that they can continue to have those key customers that are asking for that information.
 
Dan:                Yes, and I'd like to pick up on that point, too, and Catie was just touching on it. I think some of the key challenges are, for businesses today, what is the provenance of their ESG data? 
 
What is the confidence they have over the accuracy and completeness of it? 
 
And what is the integrity and quality of that data as it travels along its life cycle, from where it started to where it was reported? And has it maintained that integrity all along? Because bringing this back to our main topic of fraud, there are many pressures and incentives that might have someone misstate or omit information in their ESG reporting.
 
Doug:              I'd like to pick up on a topic that Catie discussed on climate change and greenhouse gas emissions. It does, inherently, involve a complex web of data from different sources, including suppliers. And companies may be asked to produce or report the greenhouse gas emissions for themselves, as a company, on Scope 1 and Scope 2.
 
I hope our listeners know what that means. Or on a part of Scope 3, or their carbon emissions as a company, or their carbon emissions in a particular country or state, or their carbon emissions for the products they manufacture for a certain customer. 
 
So those are different ways to slice and dice much of the same data. And it all goes back, I'll put in a plug here for the COSO report mapping the internal control framework to ESG. That can be applied to anything, any topic, any company, including, for example, greenhouse gas emissions. In terms of fraud, there can be a difference between just sloppy, or just unavailability of data and willful reporting of incorrect or misleading data. 
 
For example, to get preferred treatment at a customer, or to get preferred inclusion in an ESG index fund, or to get a reduction on interest rate from a line of credit, from a financial institution that's looking for green investments. So we're still seeing an increase in awareness of the fact where, "Well, we can just report this because nobody cares."
 
Or, "Well, it's not regulatory, so we'll just let it go."
 
And willful deceit in order to get a benefit at the expense of other competitors in these areas, which goes into the fraud bucket. That ACFE and Grant Thornton touched upon in that report.
 
Dan:                Yes, thank you, Doug. The report that Doug is referring to is a joint publication of the Association of Certified Fraud Examiners and Grant Thornton called Managing Fraud Risks in an Evolving ESG Environment. You can get it from our website and from the ACFE, and within that, we did develop an ESG fraud taxonomy. 
 
It encompasses both some of the traditional areas of fraud that have always been there. Corruption, asset misappropriation, and financial statement fraud. And there are certainly ways in which ESG fraud manifests itself under each of those headings. 
 
To that traditional fraud tree we have added an additional area of non-financial reporting fraud, which Doug was alluding to. And the things that might happen under there, there could be false labeling or advertising. Think of things like declarations of saying that it's "Dolphin-free tuna" that has certainly been an area of litigation in the past.
 
I'm thinking about false disclosures or representations, and that might be along the B2B relationships. Where you are omitting information or misstating information to a company that you are a supplier to. Lots of ways that things can be contorted, and misrepresented, and misstated, omitted, and if it is done intentionally, then we're going to consider it fraud.
 
Doug:              Dan, I can't say enough good things about the report that came out and, certainly, my hat is off to you, and Catie, and everybody who contributed to that. I know that was a massive effort. What I think is so elegant about that report is that many of our listeners struggle with how to get their arms around ESG, this sprawling issue is so new, it's so different. 
 
The report begins with a construct that's familiar to everybody who deals with fraud, that famous ACFE fraud tree. And the report adds a leaf, if you will, if you look at that tree at the bottom row, that provides an ESG example for the fraud tree as everybody knows it. And then it was very elegant how you added that branch, if you will, for the ESG, the non-financial reporting with nine different twigs to describe a taxonomy there, and then the leaves with the examples, it was really well done. 
 
So anybody familiar with fraud and the fraud tree. Anybody who has been involved in developing procedures to prevent fraud or to detect fraud on the audit side, you can just use that reference document and get pretty close to how you think about ESG fraud to prevent it and detect it. 
 
Another thing I would observe that the human rights, no product was made with child labor. Non-financial reporting and compliance exists in a lot of places out there, and it can be possible, it can be easy for stakeholders to compare information that arises from different reporting channels for consistency. For example, Dan mentioned one of the claims could be, "None of our products use forced labor". 
 
In the U.S. there's a law called the Uyghur Forced Labor Prevention Act. That has the rebuttable presumption that products made from a certain area, in China, if you cannot prove that those products were made absent forced labor, the assumption is that they were made with forced labor. And the Customs and Border Protection is seizing products at the docks before they come into the country, and waiting on companies to provide evidence that the products are forced-labor-free. 
 
So if you have claims on your website, or on products, or in contract documents that they're forced labor free, and the Customs and Border Protection is reporting that your goods are being held and not allowed into the country. There is an inconsistency there that can be embarrassing, at a minimum, to companies. And it can cost the company sales, customers, and reputational damage if it turns out that those claims cannot be supported.
 
Dan:                Yes, so just picking up on what Doug was talking with The Uyghur Forced Labor Prevention Act, this is a big stick for the government in they have a presumption of guilt, so to say. That if they suspect that a good has any raw material or input within it because it is in whole or in part of your good that's being imported, is suspected of having forced labor in it, and that means every tier of your supply chain down to the raw material or seed, if it's an agricultural product.
 
If there is a suspicion that it is tainted by forced labor, it will not be allowed into the country unless you can prove otherwise. And, I think, it's going to become, increasingly, challenging for companies to know their supply chain inside and out. And from a fraud perspective, whether any part of that supply chain is deceiving the rest of the supply chain on whether or not it's tainted by forced labor. 
 
I was just reading over the holidays, there is a tremendous report that came out from Sheffield Hallam University, in the UK, around the various risks in the auto industry for being tainted by forced labor in the production of raw materials. It's really a very difficult area, and it is something that our clients are coming to us, asking for help around. 
 
Dan:                Catie, do you have some other thoughts around the regulatory environment in which this is probably just one small piece?
 
Catie:              Yes, Dan and Doug, you both brought up a great point of there are current existing regulations that apply to certain areas of ESG. But what we're seeing is a global movement towards more overarching regulations across different jurisdictions. So, for instance, last year, the European Union approved the Corporate Sustainability Reporting Directive Regulation, also called CSRD, and that sets reporting standards for entities that meet certain EU reporting thresholds. 
 
In the UK, there is BEIS, which is focused on climate-related disclosures for entities that operate in the UK. And then, of course, for our U.S. listeners, I'm sure you all have heard about the coming SEC final rule when it comes to climate disclosures. We anticipate that being finalized as early as April of this year. But all that to say that the regulatory environment, itself, from an ESG perspective, there is a growing recognition that there needs to be standards that companies adhere to. So that there is comparability across the landscape when it comes to ESG data. Because it is hard for whoever is looking at this data to discern what certain data points may mean because they may be defined differently. 
 
So these standards are helping to create an environment that is more accountable and more comparable which, hopefully, will help clarify some things and clarify the way that you go about reporting. That said, even though some of those regulations are very early stage or haven't been released, yet, there are already consequences for misreporting. 
 
So we saw last year, or in the past couple of years, that Goldman Sachs was fined $4 million and BNY Mellon was fined $1.5 million for what were considering material misstatements. And in the future, we see that more frequent consequences could be around the corner. But I can't speak to what that looks like just, yet. Dan, do you have any experience, or Doug, in terms of any additional consequences that you're seeing for misreporting of ESG data?
 
Dan:                Yes, well, for me, as you said, there are consequences from misstating, publicly, the information. There are just a ton of business consequences of misstating the information. So, for example, I myself was involved in an investigation in which there was a licensor of images for the front of T-shirts and the like. There was a requirement that none of the production would take place in Bangladesh after the tragedy in 2013, in which a building collapsed, killing more than 1000 apparel workers. 
 
And, so, there was a requirement that no production take place in Bangladesh, and there was wide-scale deception on that point. Such that there was a lot of production going on in Bangladesh, but it was being misreported to the licensor as being produced in India or in other jurisdictions throughout Asia. That finding, in the investigation that we carried out, was the subject of whether or not a billion-dollar license would go forward or not.
 
Doug:              I can see several potential risks or consequences for misreporting or misleading content and reporting, and they vary according to the reporting channel. For example, there is ESG content in financial statements, in income statements and balance sheets. There are reserve estimates for contingent environmental liabilities. 
 
Something that's a little newer is asset values for Emission Reduction Credits or expected costs in the future for Emission Reduction Credits, if that's part of a company's strategy for reducing greenhouse gas emissions. Those have a vintage and the value depends on the vintage. If those are, knowingly, misstated, you're subject to all the things that come with that in financial reporting, disclosure controls, and procedures, and the like.
 
For misrepresentation and misreporting in the Form 10-K, the analysts and the investors are using this to make investment decisions. There are shareholders who are quite happy to file proxy filings or to file suit by claiming to be misled for the content in there. Some of those are starting to see the light of day or to get quietly settled. 
There was an instance of a major European bank, an employee blowing a whistle, publicly, saying that their screening process for companies to include in an ESG index fund was just not very good or, maybe, a sham. 
 
So there's the reputational damage that can be a hit to a company and the market cap for many companies, the reputation, the intangible value, exceeds the value of PP and E - Plant Property and Equipment. So intangible value and brand value is something to watch out for too and that can take a hit, with misrepresentation or loss of reputation in ESG and non-financial matters.
 
Catie:              And, Doug, just to piggyback on that point, there's the financial disclosure side of that, but there's also, as we talked about, the intangible side of that. So customers are increasingly wanting to purchase sustainably made goods, and engage with companies that align with their own personal moral values and beliefs. 
 
And, so, when they learn that whether it's a good that's claiming to be sustainably made is actually unsustainable, you could lose members of your customer base. At times it inspires boycotts and protests and, especially, in the age of digital media, just imagine someone telling their community about their experience, and that going on Twitter, or TikTok, or something of that nature. 
 
Those are some of the risks that we're seeing from not a regulatory penalty approach. But also there are consequences when it comes to your customer base, the value of your brand, and your brand reputation.
 
Doug:              We've discussed a lot of different data, a lot of different stakeholders, a lot of different needs. So how do companies manage this kind of reporting when everybody wants something different? There are different ways to slice and dice. How does a company get their arms around this and make sure that it's right?
 
Catie:              Yes, that's a great question, Doug. So as I said before, there are a lot of different frameworks out there. But they are working to consolidate the frameworks and to consolidate the data expectations of those frameworks. 
 
From what I'm seeing, it appears that SASB, GRI, and TCFD, all of which I previously mentioned, are emerging as the big three of ESG data disclosure frameworks. And it's important that our listeners understand that while these frameworks are not required for disclosure, they can help guide your reporting. And, ultimately, they can help your company be more aware of any potential fraud risks and avoid being susceptible to associated fraud with those activities and reporting. 
 
Of course, the frameworks, themselves, are not mandatory for disclosure. They are, as I said, guidelines and we talked, previously, about the different regulations that are emerging. I think the thing that's important to know here is that some of these frameworks are being utilized to inform those regulations. So we know that the SEC climate disclosure draws heavily from TCFD reporting framework. 
 
And, so, some of our clients are asking us to conduct TCFD reporting gap analysis to help them prepare for those upcoming SEC-required disclosures. We have clients who are asking us to do assurance readiness services because they know that they will fall in that year one reporting group, the large accelerated filers for the SEC. 
 
And, so, having us test their existing processes, internal controls, things of that nature, and validate that their data is complete and accurate is something that they're doing to prepare for the upcoming regulatory framework. So the way to think about those frameworks is that it's a helpful way for you to organize your disclosures in anticipation of future reporting requirements. 
 
Dan, do you have any thoughts from the fraud risk perspective of how those frameworks can usually help you. In terms of guarding against any potential misreporting or intentional or unintentional?
 
Dan:                Yes, so when I think about this, I usually do go back to the ACFE's Fraud Triangle, thinking about incentives and pressures, the opportunities for fraud, and the rationalizations one might apply to committing those frauds. So when I think about reporting what is the role of that report? 
 
Is it going to a regulator? 
 
Is it going into a corporate social responsibility or a marketing publication? All of those bear different kinds of risks. So in terms of on this reporting topic, that people and companies should be thinking about taking an inventory of all the ways in which that ESG information is going out to the public, across those different channels. And ensuring that as they're building up their capabilities and infrastructure to maintain good data quality, that it is also ensuring consistency across all of those reporting channels. 
 
What I anticipate, and I think we're starting to see it, is that there will be cases where the same information is reported in one channel, but is inconsistent with how it was reported in another channel, and that will be held against the company. You should not be finding yourself saying one thing to the government and something else in a publication.
 
Doug:              Dan, I absolutely agree with that. I would say to this question, it comes back to a familiar trilogy that we hear as the answer to so many questions, and that is people, process, and technology. And I'll start at the end and work my way back, there are many vendors offering technology fixes and even companies, in-house, building technology fixes to gather and report data. 
 
But the data and the information is only as good as the process it took to come up with the data. You can automate the wrong process and just get the wrong answer faster. So you back up to the process and say, "Well, since this non-financial information originates in so many parts of the company, and even from other companies, suppliers, customers, business partners, and the like. What is the process to get them?"
 
There are also challenges I see on reporting periods. Governments, like EPA, may have an annual reporting process. There are companies with a non-calendar fiscal year, who need to report some of this on a fiscal year basis. So where are the reporting periods? 
What is the process to collect information and report to a state agency, to a stakeholder, to a customer? So those processes need to be nailed down, and that's where that wonderful COSO internal controls framework comes in. Just follow that and apply it as it's appropriate. And because that data and information comes from so many different sources, I encourage people to have the right people involved. 
 
If companies establish a cross-functional team and get folks from all the places who provide this information. Real estate, operations, safety, procurement, R&D if they understand their roles and responsibilities in collecting this information to enable the kind of reporting that Catie has mentioned and others, then that goes a long way to making the process more effective and more efficient.
 
Dan:                Yes, and I would like to add on to what Doug was saying. That in terms of the fact that this information is coming from different parts of organizations, that haven't necessarily undergone third-party assurance procedures. That this is a transition period here where, I think, a broader spectrum of people, within an organization, are going to be changing their mindset around the accuracy and completeness of the data because they know that they are subject to that third-party assurance.
 
Catie:              And, Doug, you had mentioned, I think, very rightly, that having the right team in place is critical to being able to have the right processes and technology also in place, to ensure that your reporting is complete and accurate. And we're seeing on the client side that a lot of our clients don't, necessarily, have the resources in place to start to organize that. 
 
So I wanted to ask, in your opinion, and Dan, feel free to jump in. How important is it to not just assign one person to do all of your ESG reporting? But how important is it to have that cross-functional team approach to these non-financial disclosures?
 
Doug:              I think it is absolutely essential. One structure that I see work a lot is to have a steering committee. To set strategy and to be plugged into those reporting frameworks that you've mentioned, Catie, and some of the customer demands and organizational strategy and where things are going. And a more tactical working group that's closer to operations, and the systems, and controls to really modify those systems and controls and talk to each other. 
 
A couple of things I've seen work really well. I've seen those committees be assembled, and people show up, and they don't know why they're in the room. And it really helps to have a coach or an external resource to help facilitate all that. To make sure that people are talking the right language and not talking past each other. So you get everybody on the same page to take actions in ways that are aligned with the company objectives, that helps a lot. 
 
A couple of functions that I don't see on those teams but, I think, should be there a lot more than they are IT, for sure. And many of our listeners are from accounting, I would say accounting. I don't see on those cross-functional teams as much as I think they should be. Much of what is required for the sustainability reporting, it comes from accounting. You get utility bills from accounting. Get a list of assets from accounting. Get a list of our ten largest customers from accounting. 
Accounting has the master key to a lot of this information. But the information that's in company systems, in my experience, was not designed for the way the information needs to be reclaimed and used now. So there are some changes that need to be made in accounting to enable this reporting and to enable the systems and controls. To, then, ensure accurate reporting, verifiable reporting, and the fact that we tighten down the controls so that we can prevent the possibility of fraud.
 
Dan:                Yes, great points, Doug. I really appreciate you bringing up the steering committee. Someone at the top of an organization that is there to set strategy. And I think that it is common, and it will become more commonplace, to have that steering committee require that any fraud risk assessments, that are being done within an organization, include ESG fraud as part of what they're doing. 
 
And in conducting a fraud risk assessment that is a stress test, that's looking for ways in which various kinds of scenarios. Such as the scenarios we brought up in our report with the ACFE, of ways in which ESG fraud could be committed. And then looking at whether the controls in place within the organization, are sufficient to prevent and detect or detect those occurrences. 
 
So, Doug, I know that you've been contributing to an exciting report, that's been recently released from the IMA. Could you give us a few highlights in that regard?
 
Doug:              Sure, I'd be happy to. I was one of the primary authors of this document, the only non-CPA on the team. I provided the ESG specialist input for this very important report. It's a COSO report and IMA is, of course, a member of COSO and their leadership had a terrific role in pulling this together. And it will resemble a lot kind of the report you've had major involvement with from the ACFE, on fraud, ESG fraud. In that it begins with a framework that everybody knows and is very familiar with, the COSO Internal Controls Framework, and there's something old and something new. 
 
There is a summary of some of the key points of the COSO Internal Controls Framework, the components, and the points of focus. And on each of the components there's some information demonstrating how the internal controls framework can be applied to ESG. 
 
So that in terms of non-financial management of information, and of reporting, and of communications, and of control environment. It can be applied and it points you in the right direction on how it can be adopted to improve the effectiveness, and the efficiency of company organization, management, and reporting. I encourage everyone to read it and use it.
 
[00:36:50]       < Outro >
 
Announcer:    This has been Count Me In, IMA's podcast. Providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in for more relevant accounting and finance education, visit IMA's website at www.imanet.org.

Creators & Guests

Producer
Adam Larson
Producer and co-host of the Count Me In podcast
Guest
Catie Serex
Guest
Dan Mosher
Guest
Douglas Hileman, FSA, CRMA, CPEA, P.E.

What is Count Me In®?

IMA® (Institute of Management Accountants) brings you the latest perspectives and learnings on all things affecting the accounting and finance world, as told by the experts working in the field and the thought leaders shaping the profession. Listen in to gain valuable insight and be included in the future of accounting and finance!

< Intro >

– Hello, and welcome back

to another enlightening
episode of Count Me In.

I'm your host, Adam Larson,

and today we're diving deep into the complexities

of Environmental, Social,
and Governance, ESG,

with a distinguished panel of experts.

We're joined by Douglas Hileman, an
experienced sustainability consultant,

with over three decades of experience

in environmental management
systems, and internal controls.

Alongside him, we have Dan Mosher,

a seasoned professional who excels
in helping businesses navigate

the complexities of sustainability
and environmental risks.

Last but not least, we welcome Catie Serex.

A leader in environmental,
health, and safety, auditing

and management who assists businesses

in integrating sustainable and
socially responsible practices.

Today's discussion will delve
into the importance of ESG,

the challenges businesses face
in managing ESG data,

and the potential risk of fraud in ESG reporting.

Here we go, let's listen in together.

< Music >

– And one of the things that
we might kick-off

is with a very basic question of what is ESG?

Dan, when people ask you this,
how do you answer?

– Well, it really is a big umbrella,

and I'll ask for some help
from Catie in this regard.

But ESG stands for Environmental,
Social, and Governance.

And, so, lots of things under
that environmental area.

Everything from waste management
and air quality, climate change.

From a social perspective, it could be

your human capital management,
health and safety matters.

Governance, I think of anticorruption,
data risks, and the like.

So it really is a broad title
when we say ESG.

Catie, do you have some things
you'd like to add to that comment?

– Yes, Dan, you definitely covered the gamut

as far as some of the phrasings and the terminology,

and really the topics that fall
under that ESG umbrella.

What I would want to add is that ESG

is certainly one of the buzziest
words in business today.

But you might not know that ESG is, very simply,

the newest iteration of concepts
you've likely known for a long time.

It's been previously known
as corporate purpose,

sustainability, even philanthropy.

But what differentiates ESG
from these previous versions

is that it now represents the
closest alignment, to date,

of business operations, so think
about your tangible assets.

To those intangible elements of
business that drive value.

And, in this case, I'm referring
to things like customer loyalty,

labor environments, community engagement support.

And because of this connection,

ESG is moving from a nice-to-have
to a need-to-have for companies,

but also their investors, their customers,

and other key stakeholders like their employees.

– I also think of ESG as a convenient
taxonomy for all things non-financial.

Many people have published those pillars

or the word clouds that's in the ACFE
report, and what topic goes where.

For financial reporting, we know where sales goes

and we know where EBITDA goes.

We know where those are in
a format and how to put the data

and information together for clarity and reporting.

For all things non-financial, it's just
such a sprawling array of topics

that ESG serves for one reason,
in one way, as just simply a taxonomy.

And there are some issues,
such as climate change,

like Dan mentioned, that really transcend
more than one category, if you will.

But for purposes of just where do you
find it, and how do you manage it,

and it can just serve as a taxonomy.

Catie, to your point, on how to
organize some processes,

some controls, some recordings to understand

what the organization is doing.

– And I'd be interested in hearing
your thoughts on the various channels

in which this information is being
put out there in the public.

Catie, maybe you have some thoughts
around the wide scope of that.

– Yes, so in terms of the
reporting side of things

and getting to the nuts and bolts of what,

I'm sure our listeners are interested in,

in terms of, what am I on the hook for?

There are a lot of reporting frameworks
out there that are guiding folks.

And I know that that's been
a point of confusion for people

is understanding, there are all these
different acronyms out there.

That I can report to like SASB,

or the Global Reporting Initiative, GRI.

Task Force for Climate-Related
Financial Disclosures or TCFD.

There are a lot of frameworks out
there, but the field is narrowing.

So some of the communication
that we've been seeing

from these wider umbrella frameworks,

are that they are working together to consolidate.

To make things a little bit more straightforward,

and to make things a little bit more
uniform across the reporting landscape.

But that's currently in progress,

and this is just a result of this
being not in nascent stages,

but still in its growth period,
and really honing down

what are the things that
shareholders, regulators, and such

need to see when it comes to these ESG disclosures.

– And I know that Doug
has been on the front line

when things are misreported or omitted,

and I'd love to hear some of his worst stories.

– Thank you, Dan.

The question about reporting
channels is a very good one,

and Catie brought up several
things that are happening

in reporting to general capital markets.

I also observe that there are
other channels for reporting,

including impact investors who may be
interested in one particular topic.

The general purpose capital reporting
takes in one tranche, if you will,

of topics that need to come external
from an organization, a company.

There are other investors who
are interested, let's say, in human rights,

or in product conformity, or in diversity,
or in commitment to climate,

and they want more information
about those topics.

So you may get information from investor group

or analyst groups, and that's a type of report.

Another channel of reporting
that I see is B2B reporting.

The customers, and business partners,
and banks, joint venture participants,

are looking more into non-financial risk management.

Non-financial performance
and alignment, which is ESG.

So before entering business relationships,

and even during business relationships
up and down the value chain,

there's also ESG reporting that happens there.

It is starting to align in some ways
that they're asking questions

about the same topics, but the
questions themselves can be different.

And, in many cases, the reporting,
the demand for reporting

has outpaced companies' abilities

to report on the data and information.

So that pull has created a bit of a vacuum.

And many companies are scrambling
to come up with processes, systems,

and controls so they can generate
the data and information

that these stakeholders are
expecting in terms of reporting.

– Doug, just to jump in there,
from a client perspective,

we are seeing that a lot of
our clients are getting,

especially, those B2B requests
from either their suppliers

or their downstream supply chain vendors.

And the way that we're seeing that manifest

is a lot of these larger companies
are looking at their supply chain.

If you think about greenhouse gas emissions,

they're looking at their Scope 3
emissions, which is all value chain.

And, so, they're sending
requests to clients like ours

that are asking, "Well, what are your
Scope 1 and 2 emissions?

Because we need to report that."

We are seeing clients feeling
the pressure to respond to that,

to continue to be part of
those wider supply chains.

And, so, they're coming to us
asking for assistance in figuring out

what those ESG metrics are
and being able to respond

in complete and accurate ways.

So that they can continue
to have those key customers

that are asking for that information.

– Yes, and I'd like to pick up on that point, too,

and Catie was just touching on it.

I think some of the key challenges
are, for businesses today,

what is the providence of their ESG data?

What is the confidence they have over
the accuracy and completeness of it?

And what is the integrity and quality of
that data as it travels along its life cycle,

from where it started to where it was reported?

And has it maintained that integrity all along?

Because bringing this back
to our main topic of fraud,

there are many pressures and incentives

that might have someone misstate

or omit information in their ESG reporting.

– I'd like to pick up on a topic that
Catie discussed on climate change

and greenhouse gas emissions.

It does, inherently, involve a
complex web of data

from different sources, including suppliers.

And companies may be asked to produce

or report the greenhouse gas
emissions for themselves,

as a company, on Scope 1 and Scope 2,

I hope our listeners know what that means.

Or on a part of Scope 3, or their
carbon emissions as a company,

or their carbon emissions
in a particular country or state,

or their carbon emissions for the products

they manufacture for a certain customer.

So those are different ways to slice
and dice much of the same data.

And it all goes back, I'll put in a plug here

for the COSO report mapping the
internal control framework to ESG.

That can be applied to anything,
any topic, any company,

including, for example, greenhouse gas emissions.

In terms of fraud, there can be
a difference between just sloppy,

or just unavailability of data
and willful reporting

of incorrect or misleading data.

For example, to get preferred
treatment at a customer,

or to get preferred inclusion
in an ESG index fund,

or to get a reduction on interest
rate from a line of credit,

from a financial institution that's
looking for green investments.

So we're still seeing an increase
in awareness of the fact

where, "Well, we can just report
this because nobody cares."

Or, "Well, it's not regulatory,
so we'll just let it go."

And willful deceit in order to get a benefit

at the expense of other
competitors in these areas,

which goes into the fraud bucket.

That ACFE and Grant Thornton
touched upon in that report.

– Yes, thank you, Doug.

The report that Doug is referring
to is a joint publication

of the Association of Certified Fraud
examiners and Grant Thornton

called Managing Fraud Risks in
an Evolving ESG Environment.

You can get it from our website
and from the ACFE,

and within that, we did develop
an ESG fraud taxonomy.

It encompasses both some of
the traditional areas of fraud

that have always been there.

Corruption, asset misappropriation,
and financial statement fraud.

And there are certainly ways
in which ESG fraud

manifests itself under each of those headings.

To that traditional fraud tree
we have added an additional area

of non-financial reporting fraud,
which Doug was alluding to.

And the things that might happen under there,

there could be false labeling or advertising.

Think of things like declarations of saying

that it's "Dolphin-free tuna" that has certainly

been an area of litigation in the past.

I'm thinking about false
disclosures or representations,

and that might be along the B2B relationships.

Where you are omitting information
or misstating information

to a company that you are a supplier to.

Lots of ways that things can be
contorted, and misrepresented,

and misstated, omitted, and if
it is done intentionally,

then we're going to consider it fraud.

– Dan, I can't say enough good
things about the report

that came out and, certainly, my hat
is off to you, and Catie,

and everybody who contributed to that.

I know that was a massive effort.

What I think is so elegant about
that report is that

many of our listeners struggle with
how to get their arms around ESG,

this sprawling issue is so new, it's so different.

The report begins with a construct
that's familiar to everybody

who deals with fraud, that
famous ACFE fraud tree.

And the report adds a leaf, if you will,

if you look at that tree at the bottom row,

that provides an ESG example for
the fraud tree as everybody knows it.

And then it was very elegant how
you added that branch, if you will,

for the ESG, the non-financial
reporting with nine different twigs

to describe a taxonomy there,

and then the leaves with the examples,
it was really well done.

So anybody familiar with
fraud and the fraud tree.

Anybody who has been involved
in developing procedures

to prevent fraud or to detect
fraud on the audit side,

you can just use that reference document

and get pretty close to how
you think about ESG fraud

to prevent it and detect it.

Another thing I would observe
that the human rights,

no product was made with child labor.

Non-financial reporting and compliance
exists in a lot of places out there

and it can be possible, it can be easy

for stakeholders to compare information

that arises from different reporting channels for consistency.

For example, Dan mentioned
one of the claims could be,

"None of our products use forced labor".

In the U.S. there's a law called

The Uyghur Forced Labor Prevention Act.

That has the rebuttable presumption
that products made

from a certain area, in China, if you
cannot prove that those products

were made absent forced labor,
the assumption is that

they were made with forced labor.

And the Customs and Border Protection
is seizing products at the docks

before they come into the country,

and waiting on companies to provide evidence

that the products are forced-labor-free.

So if you have claims on
your website, or on products,

or in contract documents that
they're forced labor free,

and the Customs and Border Protection

is reporting that your goods are being held

and not allowed into the country.

There is an inconsistency there
that can be embarrassing,

at a minimum, to companies.

And it can cost the company sales, customers,

and reputational damage if it turns out

that those claims cannot be supported.

– Yes, so just picking up on
what Doug was talking with

The Uyghur Forced Labor Prevention Act,

this is a big stick for the government,

in they have a presumption
of guilt, so to say.

That if they suspect that a good has
any raw material or input within it,

because it is in whole or in part
of your good that's being imported,

is suspected of having forced labor in it,

and that means every tier of your supply chain

down to the raw material or seed,
if it's an agricultural product.

If there is a suspicion that it
is tainted by forced labor,

it will not be allowed into the country

unless you can prove otherwise.

And, I think, it's going to become, increasingly, challenging

for companies to know their
supply chain inside and out.

And from a fraud perspective,
whether any part of that supply chain

is deceiving the rest of the
supply chain on whether

or not it's tainted by forced labor.

I was just reading over the holidays,
there is a tremendous report

that came out from Sheffield
Hallam University, in the UK,

around the various risks in the auto industry

for being tainted by forced labor
in the production of raw materials.

it's really a very difficult area, and it
is something that our clients

are coming to us, asking for help around.

– Catie, do you have some other thoughts around

the regulatory environment in which
this is probably just one small piece?

– Yes, Dan and Doug, you both
brought up a great point

of there are current existing regulations

that apply to certain areas of ESG.

But what we're seeing is a global movement

towards more overarching regulations
across different jurisdictions.

So, for instance, last year,
the European Union

approved the Corporate Sustainability
Reporting Directive Regulation,

also called CSRD, and that
sets reporting standards

for entities that meet certain
EU reporting thresholds.

In the UK, there is BEIS, which is
focused on climate-related disclosures

for entities that operate in the UK.

And then, of course, for our U.S.
listeners, I'm sure you all have heard

about the coming SEC final rule when
it comes to climate disclosures.

We anticipate that being finalized
as early as April of this year.

But all that to say that the
regulatory environment, itself,

from an ESG perspective, there is
a growing recognition that

there needs to be standards
that companies adhere to.

So that there is comparability
across the landscape

when it comes to ESG data.

Because it is hard for whoever
is looking at this data

to discern what certain data points may mean

because they may be defined differently.

So these standards are helping
to create an environment

that is more accountable and more
comparable which, hopefully,

will help clarify some things and clarify
the way that you go about reporting.

That said, even though some of those regulations

are very early stage or
haven't been released, yet,

there are already consequences for misreporting.

So we saw last year, or in
the past couple of years,

that Goldman Sachs was fined $4 million

and BNY Mellon was fined $1.5 million

for what were considering material misstatements.

And in the future, we see that
more frequent consequences

could be around the corner.

But I can't speak to what
that looks like just, yet.

Dan, do you have any experience, or Doug,

in terms of any additional consequences

that you're seeing for
misreporting of ESG data?

– Yes, well, for me, as you said,

there are consequences from
misstating, publicly, the information.

There are just a ton of business consequences

of misstating the information.

So, for example, I myself was
involved in an investigation

in which there was a licensor of images

for the front of T-shirts and the like.

There was a requirement that
none of the production

would take place in Bangladesh
after the tragedy in 2013,

in which a building collapsed, killing
more than 1000 apparel workers.

And, so, there was a requirement
that no production take place

in Bangladesh, and there was wide-scale deception on that point.

Such that there was a lot of
production going on in Bangladesh,

but it was being misreported to
the licensor as being produced in India

or in other jurisdictions throughout Asia.

That finding, in the investigation
that we carried out,

was the subject of whether or not

a billion-dollar license
would go forward or not.

– I can see several potential risks
or consequences for misreporting

or misleading content and reporting,

and they vary according to the reporting channel.

For example, there is ESG
content in financial statements,

in income statements and balance sheets.

There are reserve estimates for
contingent environmental liabilities.

Something that's a little newer is asset values

for Emission Reduction Credits

or expected costs in the future
for Emission Reduction Credits,

if that's part of a company's strategy

for reducing greenhouse gas emissions.

Those have a vintage and the
value depends on the vintage.

If those are, knowingly, misstated,
you're subject to all the things

that come with that in financial reporting,

disclosure controls, and
procedures, and the like.

For misrepresentation and
misreporting in the Form 10-K

the analysts and the investors are using
this to make investment decisions.

There are shareholders who are
quite happy to file proxy filings

or to file suit by claiming to be
misled for the content in there.

Some of those are starting
to see the light of day

or to get quietly settled.

There was an instance of
a major European bank,

an employee blowing a whistle, publicly,

saying that their screening process for companies

to include in an ESG index fund was
just not very good or, maybe, a sham.

So there's the reputational damage
that can be a hit to a company

and the market cap for many companies,

the reputation, the intangible value,

exceeds the value of PP and E,
Plant Property and Equipment.

So intangible value and brand value
is something to watch out for, too,

and that can take a hit with misrepresentation

or loss of reputation in ESG
and non-financial matters.

– And, Doug, just to piggyback on that point,

there's the financial disclosure side of that,

but there's also, as we talked about,
the intangible side of that.

So customers are increasingly wanting

to purchase sustainably made goods,

and engage with companies that align

with their own, personal, moral values and
beliefs.

And, so, when they learn that whether it's
a good

that's claiming to be sustainably
made is actually unsustainable,

you could lose members of your customer base.

At times it inspires boycotts and protests

and, especially, in the age of digital media,

just imagine someone telling their
community about their experience,

and that going on Twitter, or TikTok,
or something of that nature.

Those are some of the risks that we're seeing

from not a regulatory penalty approach.

But also there are consequences
when it comes to your customer base,

the value of your brand, and your brand reputation.

– We've discussed a lot of different data,

a lot of different stakeholders,
a lot of different needs.

So how do companies manage
this kind of reporting.

When everybody wants something different.

There are different ways to slice and dice.

How does a company get their arms around this

and make sure that it's right?

– Yes, that's a great question, Doug.

So as I said before, there are a lot
of different frameworks out there.

But they are working to
consolidate the frameworks

and to consolidate the data
expectations of those frameworks.

From what I'm seeing, it appears
that SASB, GRI, and TCFD,

all of which I previously mentioned,

are emerging as the big three of
ESG data disclosure frameworks.

And it's important that our
listeners understand that

while these frameworks are
not required for disclosure,

they can help guide your reporting.

And, ultimately, they can help your company

be more aware of any potential fraud risks

and avoid being susceptible
to associated fraud

with those activities and reporting.

Of course, the frameworks, themselves,
are not mandatory for disclosure.

They are, as I said, guidelines
and we talked, previously,

about the different regulations that are emerging.

I think the thing that's important to know

here is that some of these frameworks

are being utilized to inform those regulations.

So we know that the SEC climate disclosure

draws heavily from TCFD reporting framework.

And, so, some of our clients are asking us

to conduct TCFD reporting gap analysis

to help them prepare for those
upcoming SEC-required disclosures.

We have clients who are asking us
to do assurance readiness services

because they know that they will fall
in that year one reporting group,

the large accelerated filers for the SEC.

And, so, having us test their existing processes,

internal controls, things of that nature,

and validate that their data is complete

and accurate is something
that they're doing to prepare

for the upcoming regulatory framework.

So the way to think about those frameworks

is that it's a helpful way for you
to organize your disclosures

in anticipation of future reporting requirements.

Dan, do you have any thoughts from
the fraud risk perspective of how

those frameworks can usually help you.

In terms of guarding against
any potential misreporting

or intentional or unintentional?

– Yes, so when I think about this,

I usually do go back to the
ACFE's Fraud Triangle,

thinking about incentives and pressures,

the opportunities for fraud, and the rationalizations

one might apply to committing those frauds.

So when I think about reporting
what is the role of that report?

Is it going to a regulator?

Is it going into a corporate social responsibility

or a marketing publication?

All of those bear different kinds of risks.

So in terms of, on this reporting topic,

that people and companies
should be thinking about

taking an inventory of all the ways in which

that ESG information is going out

to the public, across those different channels.

And ensuring that as they're
building up their capabilities

and infrastructure to maintain good data quality,

that it is also ensuring consistency

across all of those reporting channels.

What I anticipate, and I think
we're starting to see it,

is that there will be cases
where the same information

is reported in one channel, but is inconsistent

with how it was reported in another channel,

and that will be held against the company.

You should not be finding yourself
saying one thing to the government

and something else in a publication.

– Dan, I absolutely agree with that.

I would say to this question,
it comes back to a familiar trilogy

that we hear as the answer
to so many questions,

and that is people, process, and technology.

And I'll start at the end and work
my way back, there are many vendors

offering technology fixes
and even companies, in-house,

building technology fixes to
gather and report data.

But the data and the information
is only as good as the process

it took to come up with the data.

You can automate the wrong process

and just get the wrong answer faster.

So you back up to the process

and say, "Well, since this non-financial information

originates in so many parts of the company,

and even from other companies, suppliers,

customers, business partners, and the like.

What is the process to get them?"

There are also challenges
I see on reporting periods.

Governments, like EPA may have
an annual reporting process.

There are companies with
a non-calendar fiscal year,

who need to report some of this
on a fiscal year basis.

So where are the reporting periods?

What is the process to collect information

and report to a state agency,
to a stakeholder, to a customer?

So those processes need to be nailed down,

and that's where that wonderful COSO
internal controls framework comes in.

Just follow that and apply it as it's appropriate.

And because that data and information

comes from so many different sources,

I encourage people to have
the right people involved.

If companies establish
a cross-functional team

and get folks from all the places
who provide this information.

Real estate, operations, safety,
procurement, R&D,

if they understand their roles and responsibilities

in collecting this information
to enable the kind of reporting

that Catie has mentioned and others,

then that goes a long way to making the process

more effective and more efficient.

– Yes, and I would like to add on
to what Doug was saying

That in terms of the fact that this information

is coming from different parts of organizations,

that haven't necessarily undergone
third-party assurance procedures.

That this is a transition period here where,

I think, a broader spectrum of people,

within an organization, are going
to be changing their mindset

around the accuracy and
completeness of the data

because they know that they are
subject to that third-party assurance.

– And, Doug, you had mentioned,
I think, very rightly,

that having the right team in place is critical

to being able to have the right processes

and technology also in place,

to ensure that your reporting
is complete and accurate.

And we're seeing on the client side

that a lot of our clients don't, necessarily,

have the resources in place
to start to organize that.

So I wanted to ask, in your opinion,
and Dan, feel free to jump in.

How important is it to not
just assign one person

to do all of your ESG reporting.

But how important is it to have that
cross-functional team approach

to these non-financial disclosures?

– I think it is absolutely essential.

One structure that I see work a lot
is to have a steering committee.

To set strategy and to be plugged

into those reporting frameworks
that you've mentioned, Catie,

and some of the customer demands

and organizational strategy
and where things are going.

And a more tactical working
group that's closer to operations,

and the systems, and controls
to really modify those systems

and controls and talk to each other.

A couple of things I've seen work really well.

I've seen those committees be assembled,

and people show up, and they don't
know why they're in the room.

And it really helps to have a coach

or an external resource to
help facilitate all that.

To make sure that people
are talking the right language

and not talking past each other.

So you get everybody on the same page

to take actions in ways that are aligned

with the company objectives,
that helps a lot.

A couple of functions that
I don't see on those teams

but, I think, should be there a lot
more than they are IT, for sure.

And many of our listeners are from accounting,

I would say accounting.

I don't see on those cross-functional teams

as much as I think they should be.

Much of what is required for
the sustainability reporting,

it comes from accounting.

You get utility bills from accounting.

Get a list of assets from accounting.

Get a list of our ten largest
customers from accounting.

Accounting has the master
key to a lot of this information.

But the information that's in company systems,

in my experience, was not
designed for the way

the information needs to
be reclaimed and used now.

So there are some changes that
need to be made in accounting

to enable this reporting and to
enable the systems and controls.

To, then, ensure accurate
reporting, verifiable reporting,

and the fact that we tighten down the controls

so that we can prevent
the possibility of fraud.

– Yes, great points, Doug. I really appreciate you bringing up the steering committee. Someone at the top of an organization that is there to set strategy. And I think that it is common, and it will become more commonplace, to have that steering committee require that any fraud risk assessments, that are being done within an organization, include ESG fraud as part of what they're doing. And in conducting a fraud risk assessment that is a stress test, that's looking for ways in which various kinds of scenarios. Such as the scenarios we brought up in our report with the ACFE, of ways in which ESG fraud could be committed. And then looking at whether the controls in place, within the organization, are sufficient to prevent and detect or detect those occurrences.

So, Doug, I know that you've been contributing to an exciting report, that's been recently released from the IMA. Could you give us a few highlights in that regard?

– Sure, I'd be happy to. I was one of the primary authors of this document, the only non-CPA on the team, I provided the ESG specialist input for this very important report. It's a COSO report and IMA is, of course, a member of COSO and their leadership had a terrific role in pulling this together. And it will resemble a lot kind of the report you've had major involvement with from the ACFE, on fraud, ESG fraud.

In that it begins with a framework that everybody knows and is very familiar with, the COSO Internal Controls Framework, and there's something old and something new. There is a summary of some of the key points of the COSO Internal Controls Framework, the components, and the points of focus. And on each of the components there's some information demonstrating how the internal controls framework can be applied to ESG. So that in terms of non-financial management of information, and of reporting, and of communications, and of control environment. It can be applied and it points you in the right direction on how it can be adopted to improve the effectiveness, and the efficiency of company organization, management, and reporting. I encourage everyone to read it and use it.

< Outro >

– This has been Count Me In, IMA's podcast. Providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in for more relevant accounting and finance education, visit IMA's website at www.imanet.org.