In this  article, accounting firm Deloitte observes that boards and managements often experience “denial” when the topic of fraud risk arises—no one wants to feel that the trust they place in their own employees is actually misplaced.  Still, fraud risk is one topic that typically finds its way onto the agendas of audit committees. Deloitte advises that, with the current attention to ESG and in anticipation of new rulemaking from the SEC on disclosure related to climate, human capital and other ESG-related topics (see  this PubCo post), “fraud risk in this area should be top of mind for audit committees and a focal point in fraud risk assessments overseen by the audit committee.” While audit committees focus primarily on financial statement fraud risk, Deloitte suggests that audit committees should consider expanding their attention to fraud risk related to ESG, an area that is “not governed by the same types of controls present in financial reporting processes,” and, therefore, may be more susceptible to manipulation. In their oversight capacity, audit committees have a role to play, Deloitte suggests, by engaging with “management, including internal audit, fraud risk specialists, and independent auditors to understand the extent to which fraud risk is being considered and mitigated.”

SideBar

With the increased focus on sustainability reporting, as discussed in  this 2020 article in the WSJ, also comes increased scrutiny, especially of ESG hype and  greenwashing. While positive reports and ratings “can attract investments and sales,… along with heightened interest comes heightened scrutiny. Indeed, misleading claims can backfire if they are called out as inaccurate or misleading. Investors are quick to punish companies for transgressions across the landscape of ESG issues.”  “'The stakes are just much higher,'” according to one commentator, citing a 2019 report from a large bank “that showed 24 major controversies related to ESG topics erased more than $500 billion in market value of S&P 500 companies from 2014 to September 2019.” Another survey of 250 institutional investors showed that over half “believe companies are presenting misleading environmental credentials, and 84% think the practice is becoming more common.”

Deloitte cites the classic fraud triangle theory, which holds that three factors elevate fraud risk: financial pressure, opportunity and rationalization. As an example, some companies are tying ESG metrics to executive compensation, which can represent a source of financial pressure to manipulate data. Companies may also feel pressure to adopt sustainable practices and reflect positive trends in ESG for investors, NGOs and other stakeholders. In addition, companies may provide voluntary sustainability reports, but often the information “has not been gathered, tested, and reported under the kind of internal controls that typically are present with financial reporting.” These controls, if any, tend to be more novel and immature.  As a result, these reports “may suggest a heightened opportunity for people within the organization to manipulate ESG-related information.”

SideBar

What about independent verification or attestation? According to a report from the Center for Audit Quality, just over half of the companies (264) in the S&P 500 had some type of independent verification of their climate data. Around 235 used an engineering or consulting firm; only 31 used an accounting firm.  In addition, the scope of assurance varied. The vast majority of assurance from engineering or consulting firms related solely to GHG or a narrow range of other metrics; assurance provided by public company auditors was generally somewhat broader. The standards employed also varied. Among audit firms, 27 applied the AICPA attestation standards, and four referenced the International Standard on Assurance Engagements 3000.  Among engineers and consultants, 162 applied ISO 14064-3 for greenhouse gases and 72 applied their own methodology, which they often indicated was based on ISAE 3000. 

Notably, regardless of the provider, the CAQ reported that the levels of assurance were, for the most part, not comparable to the levels provided in a financial statement audit. Among audit firms, 25 provided “limited assurance,” that is, they typically involved limited procedures and included reports that were framed in the negative—e.g., nothing has come to our attention to cause us to believe that the sustainability report has not been prepared, in all material aspects, in accordance with XYZ standards, or we are not aware of any material modifications that should be made to the schedule of sustainability metrics for it to be in accordance with XYZ criteria. Only two provided “reasonable” assurance (a positive opinion) and three were mixed. Similarly, among consultants and engineers, 174 provided “limited” assurance, 17 “reasonable” assurance, 17 “moderate” assurance and 15 were a mix.  Why the less rigorous levels of assurance? The engagement may provide only “limited assurance” because of time and cost constraints or, perhaps as explained by the  Institute of Chartered Accountants in England and Wales, it may be because, in contrast to financial statements that are “extracted from a double entry bookkeeping system,” a non-financial assurance engagement may address a subject that is “less well defined and for which the control environment is far less mature and robust. For example, the calculation of a company's carbon footprint may have been performed by an individual and the results collected on a spreadsheet and supported by files of memorandum information.” Nevertheless, limited assurances are sought and provided in other contexts, and, in this context, investors may well find that even limited assurances provide basic comfort. 

Under the SEC's climate proposal, accelerated filers and large accelerated filers would need to provide assurance for Scopes 1 and 2 GHG emissions and would have one fiscal year to phase in limited assurance and two additional fiscal years to transition to providing reasonable assurance. (See this PubCo post.)

In its  Audit Committee Practices Report, reflecting the results of a 2021 survey by Deloitte and the CAQ, Deloitte found that 42% of audit committee survey respondents reported an increase in fraud risk. And litigation risk related to ESG fraud and greenwashing appears to be growing. (See, e.g.,  this article.) ESG fraud is a focus of SEC Enforcement as well, the article notes.  In 2021, then Acting SEC Chair Allison Herren Lee established a new Climate and ESG Task Force in the Division of Enforcement, which sought to identify ESG-related misconduct. (See  this PubCo post.)  Last year, the Task Force played a role in the SEC's complaint against Vale S.A., a publicly traded (NYSE) Brazilian mining company and one of the world's largest iron ore producers, charging that it made “false and misleading claims about the safety of its dams” prior to the collapse of a major dam that killed 270 people. The SEC alleged that Vale “intentionally concealed alarming signs of the dam's instability from the investing public and Brazilian authorities. Vale also deliberately manipulated multiple dam safety audits; obtained numerous fraudulent stability declarations; and regularly and intentionally misled local governments, communities, and investors about the dam's integrity.” (See  this PubCo post.)

SideBar

As discussed in this  Bloomberg article, the SEC's ESG Task Force has been devoted to examining corporate and fund ESG disclosures to combat greenwashing, securities fraud and other ESG-related misconduct.  According to the SEC's press release, the initial focus of the Task Force was to identify any material gaps or misstatements in issuers' disclosure of climate risks under existing rules, including the staff's 2010 interpretive guidance regarding climate change. (You may recall that the guidance addressed in some detail how existing disclosure obligations, such as the Reg S-K requirements for business narrative and risk factors, could apply to climate change. See  this PubCo post.) The press release indicated that the Task Force would “develop initiatives to proactively identify ESG-related misconduct,” and “coordinate the effective use of Division resources, including through the use of sophisticated data analysis to mine and assess information across registrants, to identify potential violations.” In addition, the Task Force would “evaluate and pursue tips, referrals, and whistleblower complaints on ESG-related issues, and provide expertise and insight to teams working on ESG-related matters across the Division.” (See  this PubCo post.) According to the article, the Task Force has recently had a major hand in at least three enforcement actions, including the action against Vale S.A. referred to above. According to Bloomberg, the Task Force's recent actions “are likely just the beginning, with more cases expected soon.”

Drilling down, Deloitte addresses fraud risk in two areas: climate and human capital. With respect to climate, the article observes that companies may be providing climate-related metrics in voluntary reporting that may not be consistent with periodic reports and financial statements. According to the article, “the novelty of ESG-related information and the information gathering process, as well as the reliance stakeholders may be placing on such information, can make it susceptible to fraud risk…. Newer or less mature controls over reporting, ineffective controls, and the absence of controls can increase the opportunity for fraud to occur.” Anticipated regulatory developments and demands of various investors, lenders, customers and other stakeholders can “create pressure for management and the board to appear well positioned to meet targets or comply with future regulations.” In addition, any climate-related metrics that are included in key contracts or compensation agreements may also impose pressures. And, to the extent that climate-related disclosures are based on estimates, forecasts and judgments, these are “by their nature subjective and are subject to manipulation or bias.” The article advises that audit committees consider asking management “how reliable data sources are, whether they could be manipulated, and how management could potentially be motivated to intentionally manage these ESG metrics in ways that would serve management or the company's best interests.”

Human capital is another area where fraud risk appears, the article continues, pointing to constant turnover, vacant or hard-to-fill positions and  remote or hybrid work as potential factors contributing to heightened fraud risk. These factors raise concerns about control activities, segregation of duties, corporate culture that does not permit error—especially for new employees—and quality management.  Deloitte suggests that audit committees challenge management regarding the efficacy of training and management, contingency plans for key personnel absences, corporate culture and management's approach to reporting mistakes or errors, and how management is promoting culture and tone at the top, especially in remote/hybrid work environments. In addition, some companies have amped up their disclosures of human capital metrics, such as health and safety, engagement, culture, development, diversity, equity, and inclusion.  Deloitte cautions that these metrics are subject to manipulation; audit committees may want to discuss with management the development of these metrics and the presence of internal controls to promote completeness, accuracy and reliability.

Deloitte also advises that audit committees ensure that ESG-related risks are included as part of companies' fraud-risk assessments, noting that COSO—which has provided the widely recognized framework for internal control over financial reporting—has approved a study to develop supplemental guidance applying its internal control framework in the areas of sustainability and ESG for both internal decision-making and public reporting. As described by Deloitte, fraud risk assessments are “intended to help management understand who could commit fraud, what type of schemes they might devise, where and how these schemes could be carried out, and what controls a company has or does not have in place, which may help identify potential gaps in the internal control framework that is intended to prevent and detect fraud.” Deloitte suggests that audit committees “understand the company's antifraud programs and controls, evaluate management's process, and ask questions about the extent to which the company's fraud risk assessments consider the risk of fraud in emerging or evolving ESG-related reporting activities. Audit committees should also understand the independent auditor's fraud risk assessment process and findings with respect to the antifraud programs and controls as well as the risk of management override of controls.”  In addition, Deloitte recommends that audit committees ask management to “share evidence of the risk assessment to understand the level of attention given to evolving ESG fraud risks and what measures are being taken to mitigate risks as ESG-related activities evolve.”

Deloitte recommends the following questions for audit committees to ask in connection with audit-related fraud risks:

  • “To what extent has management assessed the risk of fraud with respect to the company's growing focus on ESG strategy and reporting as part of its enterprise-wide fraud risk assessment?
  • Is the audit committee primarily responsible for ESG-related fraud risk, or is responsibility shared with other committees and/or the full board? How often does the audit committee discuss fraud risk, including ESG-related fraud risk?
  • Which member of management has authority over fraud risk, and does this person have a comprehensive view of the ESG-related fraud risks that could be present? For example, does this person's visibility and authority extend beyond financial reporting?
  • How is management developing metrics that are provided to stakeholders related to ESG strategies or initiatives? How is management developing reporting mechanisms and addressing the potential for fraud in these ESG strategies and initiatives?
  • What internal controls are in place with respect to the development of metrics and reporting mechanisms, especially those related to ESG? What process has management adopted for promoting completeness, accuracy, and reliability of ESG-related metrics and reporting?
  • What fraud risks have been identified? How have they been evaluated and prioritized? What mitigation measures are being implemented?
  • To what extent are these metrics and ESG-related reports reviewed by internal auditors and independent auditors?”

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Ms Cydney Posner
Cooley LLP

© Mondaq Ltd, 2023 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing