Emerging fraud risks to consider: ESG
On the audit committee’s agenda, July 2022
Many audit committees are highly focused on the risk of financial statement fraud, but a case is growing for audit committees to expand their discussion of fraud risk to encompass a growing variety of environmental, social, and governance (ESG) issues. ESG-related topics increasingly appear on audit committee agendas and factor into financial reporting discussions, but they tend to arise less often in the context of discussions about fraud risk.
Investors continue to demonstrate interest in understanding risks related to ESG issues, which is helping fuel regulatory focus on reporting and disclosures. The SEC has already issued proposals to expand disclosures related to cybersecurity and climate issues, and further proposals are expected in areas such as human capital. These proposals are likely to significantly increase the scope of information that will be included in regulatory filings in the coming years.
In preparation for expected new reporting requirements, many companies are in the process of developing more robust ESG-related disclosure controls and procedures as well as internal control over financial reporting (ICFR). Some companies are developing ESG-related metrics for financial reporting and for incorporation into incentive compensation.
Ahead of these possible rule changes, fraud risk in this area should be top of mind for audit committees and a focal point in fraud risk assessments overseen by the audit committee. Many companies are currently providing information to investors that is not governed by the same types of controls present in financial reporting processes.
As an example, companies may voluntarily provide information on carbon emissions that has not been gathered, tested, and reported under the kind of internal controls that typically are present with financial reporting. This may suggest a heightened opportunity for people within the organization to manipulate ESG-related information.
Many companies are also developing or considering provisions that link ESG-related metrics to compensation or incentives. This is a factor that may elevate fraud risk. According to the classic fraud triangle theory developed by Donald Cressey, fraud risk is often escalated in an environment where three factors are present: financial pressure, opportunity, and rationalization. Compensation or financial incentives related to ESG can represent a source of financial pressure to commit fraud.
Escalating fraud risks
As reporting processes develop and mature in anticipation of regulatory requirements, audit committees can engage with management, including internal audit, fraud risk specialists, and independent auditors to understand the extent to which fraud risk is being considered and mitigated.
The Audit Committee Practices Report, which describes findings from a 2021 survey by Deloitte and the Center for Audit Quality, indicates audit committee members already see indications of increasing fraud risk. More than two in five survey respondents (42%) indicated fraud risk had increased. Approximately three-fourths of respondents (74%) said their companies updated internal controls to address the remote work environment that sprang up quickly in the early stages of the pandemic, with larger companies more apt to have instituted fraud deterrent measures than smaller companies.
Risk related to occupational fraud, or fraud committed by people within the organization, is an important consideration for audit committees as they evaluate their companies’ ESG risks. Organizations lose an estimated 5% of revenue each year to occupational fraud, according to the Association of Certified Fraud Examiners (ACFE).1 Although financial statement fraud schemes are the least common form of occupational fraud, they are the costliest for companies, with median losses of $590,000, according to the ACFE.
ESG fraud risk is a growing area of focus for SEC enforcement as well. The SEC’s Division of Enforcement formed a Climate and ESG Task Force in 2021, and the SEC recently brought an enforcement action for alleged misstatements and omissions in fund disclosures regarding a mutual fund investment adviser’s incorporation of ESG factors into its investment process. Earlier in 2022, the SEC charged a mining company and iron ore producer with making false and misleading claims about safety.
In addition, the SEC has proposed amendments to rules and disclosures that are intended to promote consistent, comparable, and reliable information for investment funds’ and advisers’ incorporation of ESG factors into investment practices. In a published statement with the proposal, SEC Chair Gary Gensler said investors may find it difficult to understand what some funds mean when they say they are an ESG fund. “There also is a risk that funds and investment advisers mislead investors by overstating their ESG focus,” he added.
Examples to consider: Climate and talent
ESG encompasses a wide variety of matters that vary by company based on its industry, stakeholders, and other facts and circumstances. Given the heightened focus on climate issues that many companies are facing, it may be useful to consider the potential fraud risks related to some specific aspects of ESG, such as climate and talent.
Climate factors driving ESG risk
In the area of climate, many companies are already voluntarily reporting certain climate-related metrics using a variety of frameworks available to them. Some of these metrics could be subject to regulatory requirements, including independent audits.
Such metrics can include greenhouse gas emissions, which may be segregated by scope,2 and metrics related to a company’s use of renewable energy in its effort to reduce fossil fuel consumption. Many companies are also reporting various metrics expressed as percentages or ratios to describe what portion of their energy consumption is derived from renewable sources. Similarly, some companies are developing or reporting metrics related to water consumption or water conservation.
With respect to climate-related initiatives and emerging metrics, audit committees can challenge management and auditors to consider numerous areas where fraud risk could be increasing:
Approach to climate. ESG-related reports and other information made available to investors may differ from information contained in financial statements and disclosures. Companies can evaluate whether information they are providing in regulatory filings is consistent with sustainability reports, press releases, websites, other regulatory filings, and industry reports. The novelty of ESG-related information and the information gathering process, as well as the reliance stakeholders may be placing on such information, can make it susceptible to fraud risk.
Impact on controls. Corporate culture, ownership, and governance structures often affect business practices and controls. The company’s focus on tone, training, and sensitivity to potential indicators of fraud can be expanded to include evolving or emerging ESG-related activities. Newer or less mature controls over reporting, ineffective controls, and the absence of controls can increase the opportunity for fraud to occur.
External risk factors. Evolving regulatory and stakeholder expectations on ESG matters may create pressure for management and the board to appear well positioned to meet targets or comply with future regulations. Pressures may be compounded by factors such as the company’s legal and regulatory environment; pressure from investors, lenders, customers, the media, and other interested third parties; changes to the profitability or nature of products and services as a result of ESG objectives; and changes in the business arising from environmental targets.
Internal risk factors. The development of key performance indicators (KPIs) that drive ESG-related programs may become relevant to the fraud risk analysis, including whether the KPIs are relevant and accurate and whether they are incorporated into key contracts or internal compensation programs.
Estimates. Some data or information that flows into ESG-reporting may involve estimates, judgments, or forecasts. Estimates and forecasts are by their nature subjective and are subject to manipulation or bias. Audit committees can ask management how reliable data sources are, whether they could be manipulated, and how management could potentially be motivated to intentionally manage these ESG metrics in ways that would serve management or the company’s best interests.
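The consistency and data-reliability points above (information in regulatory filings versus sustainability reports and press releases, and whether underlying data could be manipulated) lend themselves to a mechanical first pass. The script below is an added illustration, not part of the original article or any company's control set: it takes the same metrics as stated in several documents, flags values that disagree across sources or appear in only one source, and checks the internal arithmetic of a single document (scope 1, 2 and 3 emissions summing to the stated total, and a renewable-energy percentage matching the underlying kWh figures; scope definitions are those in footnote 2). The source names, metric names, tolerance and all figures are constructed assumptions for a hypothetical company.

```python
"""Cross-source consistency checks for voluntarily reported ESG metrics.

Added illustration, not code from the original article. All figures are
constructed sample data for a hypothetical company; source names, metric
names and the tolerance below are assumptions chosen for the example.
"""
from dataclasses import dataclass

# Relative tolerance for numeric agreement between two sources (assumption,
# chosen to absorb rounding such as "115 thousand tonnes" in a press release).
REL_TOL = 0.01


@dataclass
class Finding:
    metric: str
    detail: str


def _close(a: float, b: float, rel_tol: float = REL_TOL) -> bool:
    """True when two reported values agree within rel_tol of the larger one."""
    return abs(a - b) <= rel_tol * max(abs(a), abs(b), 1.0)


def check_consistency(reports: dict[str, dict[str, float]]) -> list[Finding]:
    """Compare each metric as stated across several documents.

    `reports` maps a source name (e.g. "10-K") to {metric: value}. Returns one
    Finding per source whose value disagrees with the first source that states
    the metric, and one Finding per metric that appears in only one source
    (a completeness question rather than an accuracy one).
    """
    findings: list[Finding] = []
    metrics = sorted({m for r in reports.values() for m in r})
    for metric in metrics:
        stated = {src: r[metric] for src, r in reports.items() if metric in r}
        if len(stated) == 1:
            (src,) = stated
            findings.append(Finding(metric, f"reported only in {src}"))
            continue
        baseline_src, baseline = next(iter(stated.items()))
        for src, value in stated.items():
            if not _close(value, baseline):
                findings.append(
                    Finding(metric, f"{src}={value} vs {baseline_src}={baseline}")
                )
    return findings


def check_internal_arithmetic(report: dict[str, float]) -> list[Finding]:
    """Arithmetic checks within one document.

    Scope 1 + 2 + 3 must equal the stated total, and the stated renewable share
    must match renewable_kwh / total_kwh. Each check runs only when the inputs
    it needs are present.
    """
    findings: list[Finding] = []
    scopes = ("scope1_tco2e", "scope2_tco2e", "scope3_tco2e")
    if all(k in report for k in scopes) and "total_tco2e" in report:
        total = sum(report[k] for k in scopes)
        if not _close(total, report["total_tco2e"]):
            findings.append(
                Finding("total_tco2e", f"scopes sum to {total}, stated {report['total_tco2e']}")
            )
    if {"renewable_kwh", "total_kwh", "renewable_pct"} <= report.keys():
        implied = 100.0 * report["renewable_kwh"] / report["total_kwh"]
        if not _close(implied, report["renewable_pct"]):
            findings.append(
                Finding("renewable_pct", f"implied {implied:.1f}%, stated {report['renewable_pct']}%")
            )
    return findings


# Constructed sample disclosures for a hypothetical company. The press release
# omits scope 3 and presents a much smaller "total"; the sustainability report
# states a renewable share that its own kWh figures do not support.
SAMPLE_REPORTS: dict[str, dict[str, float]] = {
    "10-K": {
        "scope1_tco2e": 12_000, "scope2_tco2e": 8_000, "scope3_tco2e": 95_000,
        "total_tco2e": 115_000,
        "renewable_kwh": 30_000_000, "total_kwh": 100_000_000, "renewable_pct": 30.0,
    },
    "sustainability_report": {
        "scope1_tco2e": 12_000, "scope2_tco2e": 8_000, "scope3_tco2e": 95_000,
        "total_tco2e": 115_000,
        "renewable_kwh": 40_000_000, "total_kwh": 100_000_000, "renewable_pct": 42.0,
    },
    "press_release": {
        "scope1_tco2e": 12_000, "scope2_tco2e": 8_000, "total_tco2e": 20_000,
        "renewable_pct": 42.0, "water_m3": 500_000,
    },
}


def run_checks(reports: dict[str, dict[str, float]] = SAMPLE_REPORTS) -> list[Finding]:
    """Run both checks and return every finding, tagged with its source."""
    findings = check_consistency(reports)
    for src, report in reports.items():
        findings.extend(
            Finding(f.metric, f"{src}: {f.detail}") for f in check_internal_arithmetic(report)
        )
    return findings


if __name__ == "__main__":
    for f in run_checks():
        print(f"{f.metric}: {f.detail}")
```

On the sample data the script raises six findings: the renewable figures that differ between the 10-K and the other two documents, the press-release total that omits scope 3, a water metric that appears nowhere but the press release, and the sustainability report's renewable percentage that its own kWh figures contradict. A check like this does not establish whether the underlying source data is reliable; it only surfaces the discrepancies an audit committee would then ask management to explain.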
Talent factors driving ESG risk
Companies may also be facing increasing ESG-related fraud risk as a result of shifts in talent. Continual turnover, vacant or hard-to-fill positions, and ongoing remote work or hybrid work arrangements are factors that could contribute to heightened fraud risk. Consider some common talent-related scenarios that many companies are facing and how they may heighten fraud risk:
Turnover. Continual turnover or vacant positions could lead to questions about whether control activities are being executed and managed consistently, or whether duties are properly segregated. System access may be shifting frequently to address staffing challenges as well. Audit committees can challenge management regarding how people are properly trained and managed, whether contingency plans are in place for key personnel absences, and how access management is continually evaluated to mitigate fraud risk.
New responsibilities. Risks may arise as people assume responsibilities for ESG-related practices and reporting initiatives that are novel or unfamiliar to them. People may make mistakes. If the company’s culture does not permit people to make mistakes and correct them, some people may be tempted to cover or hide errors with fraudulent activity. The audit committee should understand corporate culture and management’s approach to reporting mistakes or errors.
Hybrid work. Enduring remote work or hybrid work arrangements can also prompt questions about how quality is managed and how disciplinary matters are handled. The audit committee can challenge how management is promoting culture and tone at the top in these types of environments.
Talent-related metrics. As part of their ESG strategies, some companies are developing talent-related metrics to report to stakeholders. For example, many companies are developing metrics that are meant to convey information about health and safety, engagement, culture, development, diversity, equity, and inclusion, among others. These are additional metrics that could be manipulated, so audit committees can challenge management regarding how the metrics are developed and what internal controls are in place to promote completeness, accuracy, and reliability of the metrics.
Call to action: Consider ESG in fraud assessments
Fraud risk assessments provide an important means of evaluating fraud risk that may be emerging with the company’s enterprisewide strategies and objectives, including ESG. Fraud risk assessments are intended to help management understand who could commit fraud, what type of schemes they might devise, where and how these schemes could be carried out, and what controls a company has or does not have in place, which may help identify potential gaps in the internal control framework that is intended to prevent and detect fraud.
COSO’s Internal Control—Integrated Framework, which most US public companies use as a guide to develop internal controls over financial reporting, includes a principle specifically focused on the importance of fraud risk. In an effort to help companies develop effective internal control with respect to sustainability reporting, COSO has launched a study to develop supplemental guidance and insights to its 2013 framework focusing on ESG.
Audit committees have an important role to play in promoting effective fraud risk assessments that include consideration of risk arising from ESG-related activities. It is the audit committee’s responsibility to receive and review disclosures from the CEO and CFO made in connection with the certification of the company’s quarterly and annual reports filed with the SEC in two critical areas. The first area includes significant deficiencies and material weaknesses in the design or operation of ICFR that may affect reporting; the second area is fraud, whether or not material, that involves management or other employees with a significant role in internal controls.
Audit committees should understand the company’s antifraud programs and controls, evaluate management’s process, and ask questions about the extent to which the company’s fraud risk assessments consider the risk of fraud in emerging or evolving ESG-related reporting activities.
Audit committees should also understand the independent auditor’s fraud risk assessment process and findings with respect to the antifraud programs and controls as well as the risk of management override of controls.
Some overarching principles for an effective fraud risk assessment typically include:
Time and resources. A robust fraud risk assessment is part of an entity’s overall enterprise risk management program. It is typically performed by a cross-functional working group with the technical knowledge of fraud and fraud risk as well as the time, staff, and tools to perform a thorough assessment.
A working group made up of broad stakeholders may include members of finance, operations, technology, human resources, procurement, compliance, legal, and internal audit, with a particular focus on any operational or functional areas that may be working with or producing ESG-related information. The group should have assigned roles and responsibilities to address the various components of the risk assessment.
Control environments. While brainstorming about potential fraud schemes, the working group should set aside any consideration of the existing control environment. Fraudsters may not be aware of fraud prevention controls that may be in place or may work to circumvent them. When existing controls are not factored into the brainstorming, stakeholders can more easily envision potential incentives, opportunities, and rationalizations for committing fraud.
Specificity. The risk assessment should identify not only potential schemes, but potential methods to commit fraud and possible perpetrators as well. The more specific the identification of potential fraud risks, the more effectively the company can evaluate potential likelihood, impact, and mitigation strategies.
Consideration of risk. Once the group has identified fraud schemes, assessed the likelihood and impact of each, and prioritized them, then the group can evaluate controls and processes associated with each. The highest-risk scenarios should receive the highest level of attention. It is not uncommon for companies to allocate time and resources to potential fraud schemes that are not commensurate with the risk.
Consideration of emerging risks. This is an aspect of the risk assessment that is particularly relevant to ESG-related fraud risk. The assessment must consider emerging risks based on changes in the internal or external environment. These may include changes in the economy, new ways of doing business, new products or services, new technologies, increasing expectations from internal and external stakeholders, and other changes that may be relevant to the company.
Documentation and follow-up. Audit committees should ask management to share evidence of the risk assessment to understand the level of attention given to evolving ESG fraud risks and what measures are being taken to mitigate risks as ESG-related activities evolve.
The topic of fraud risk is one that often makes people feel uncomfortable, especially when considering the possibility of fraud from within the company. It is common for management and audit committees to have faith and place trust in their people. This confidence can shade into denial about the possibility that fraud could occur. It may be difficult for some management and audit committees to consider the possibility that the trust they have placed in people may have been misplaced.
In addition to internal fraud risks associated with ESG, audit committees can also be aware of possible external fraud risks that may arise from ESG-related activities, such as cybersecurity threats.
Audit committees should understand who among senior management has responsibility for fraud risk management, understand what antifraud programs are in place, and evaluate whether there is sufficient visibility across the enterprise to promote a comprehensive approach. It is the audit committee’s responsibility ultimately to understand how effectively management has considered the risk of fraud and taken measures to mitigate it.
Assessing for fraud risk is not a prescriptive, check-box exercise. It is an ongoing, bespoke exercise that must be tailored to the specific facts and circumstances of each company, and it takes time and effort. As new fraud risks develop from emerging or evolving ESG-related strategies and activities, a vigilant audit committee can help the company reduce its risk.
Questions for audit committees to consider:
As audit committees consider ESG-related fraud risks, they can ask management several questions to understand the company’s approach to mitigating these evolving risks:
- To what extent has management assessed the risk of fraud with respect to the company’s growing focus on ESG strategy and reporting as part of its enterprisewide fraud risk assessment?
- Is the audit committee primarily responsible for ESG-related fraud risk, or is responsibility shared with other committees and/or the full board? How often does the audit committee discuss fraud risk, including ESG-related fraud risk?
- Which member of management has authority over fraud risk, and does this person have a comprehensive view of the ESG-related fraud risks that could be present? For example, does this person’s visibility and authority extend beyond financial reporting?
- How is management developing metrics that are provided to stakeholders related to ESG strategies or initiatives? How is management developing reporting mechanisms and addressing the potential for fraud in these ESG strategies and initiatives?
- What internal controls are in place with respect to the development of metrics and reporting mechanisms, especially those related to ESG? What process has management adopted for promoting completeness, accuracy, and reliability of ESG-related metrics and reporting?
- What fraud risks have been identified? How have they been evaluated and prioritized? What mitigation measures are being implemented?
- To what extent are these metrics and ESG-related reports reviewed by internal auditors and independent auditors?
1 Occupational Fraud 2022: A Report to the Nations, Copyright 2022 by the Association of Certified Fraud Examiners, Inc.
2 Scope 1 emissions are those directly attributable to a company. Scope 2 emissions represent indirect emissions resulting from, for example, energy a company purchases. Scope 3 emissions are indirect emissions deeper into a company’s value chain, such as those of a supplier.