Ep. 224: Unraveling ESG: Understanding Environmental, Social, and Governance Factors in Business – Part 1

As highlighted in the recent COSO publication on Internal Controls over Sustainability Reporting, good governance and systems for sustainable business activities and ESG reporting require attention to potential risks around fraud and greenwashing.  Reflecting Grant Thornton’s recent report on control activities related to these risks, join us as we take a dive deep into the world of Environmental, Social, and Governance (ESG) in business with our latest episode of the 'Count Me In' podcast. Hosted by a panel of experts, which includes Catie Serex, Douglas Hileman and Dan Mosher, our podcast uncovers the truth behind ESG, its importance in today's business world, the challenges it presents, and importantly, its potential role in fraudulent activities. Tune in for a fascinating conversation on ESG reporting, corporate purpose, sustainability, and the latest trends affecting investors, employees, and stakeholders alike. Don't miss this chance to stay informed and ahead of the curve in the ever-evolving world of business.

Connect with our speakers:
Catie: https://www.linkedin.com/in/ctserex/
Dan: https://www.linkedin.com/in/dan-mosher-8552519/
Doug: https://www.linkedin.com/in/douglas-hileman-fsa-crma-cpea-p-e-6abbb71/

Download the reports mentioned into today's podcast:
Achieving Effective Internal Control Over Sustainability Reporting
Managing Fraud Risks in an Evolving ESG Environment

Full Episode Transcript:
Adam:           
Hello, and welcome back to another enlightening episode of Count Me In. I'm your host, Adam Larson, and today we're diving deep into the complexities of Environmental, Social, and Governance, ESG, with a distinguished panel of experts. We're joined by Douglas Hileman, an experienced sustainability consultant, with over three decades of experience in environmental management systems, and internal controls. 
 
Alongside him, we have Dan Mosher, a seasoned professional who excels in helping businesses navigate the complexities of sustainability and environmental risks. Last but not least, we welcome Catie Serex. A leader in environmental, health, and safety, auditing and management who assists businesses in integrating sustainable and socially responsible practices. 
 
Today's discussion will delve into the importance of ESG, the challenges businesses face in managing ESG data, and the potential risk of fraud in ESG reporting. Here we go, let's listen in together.
 
[00:01:00]       < Music >
 
Doug:              And one of the things that we might kick off is with a very basic question of what is ESG? Dan, when people ask you this, how do you answer?
 
Dan:                Well, it really is a big umbrella, and I'll ask for some help from Catie in this regard. But ESG stands for Environmental, Social, and Governance. And, so, lots of things under that environmental area. Everything from waste management and air quality, climate change. From a social perspective, it could be your human capital management, health and safety matters. Governance, I think of anticorruption, data risks, and the like. So it really is a broad title when we say ESG. Catie, do you have some things you'd like to add to that comment?
 
Catie:              Yes, Dan, you definitely covered the gamut as far as some of the phrasings and the terminology, and really the topics that fall under that ESG umbrella. What I would want to add is that ESG is certainly one of the buzziest words in business today. But you might not know that ESG is, very simply, the newest iteration of concepts you've likely known for a long time. It's been previously known as corporate purpose, sustainability, even philanthropy. 
 
But what differentiates ESG from these previous versions is that it now represents the closest alignment, to date, of business operations, so think about your tangible assets. To those intangible elements of business that drive value. And, in this case, I'm referring to things like customer loyalty, labor environments, community engagement support. And because of this connection, ESG is moving from a nice-to-have to a need-to-have for companies, but also their investors, their customers, and other key stakeholders like their employees.
 
Doug:              I also think of ESG as a convenient taxonomy for all things non-financial. Many people have published those pillars or the word clouds that's in the ACFE report, and what topic goes where. For financial reporting, we know where sales goes and we know where EBITDA goes. We know where those are in a format and how to put the data and information together for clarity 
and reporting. For all things non-financial, it's just such a sprawling array of topics that ESG serves for one reason, in one way, as just simply a taxonomy. And there are some issues, such as climate change, like Dan mentioned, that really transcend more than one category, if you will. But for purposes of just where do you find it, and how do you manage it, and it can just serve as a taxonomy. Catie, to your point, on how to organize some processes, some controls, some recordings to understand what the organization is doing.
 
Dan:                And I'd be interested in hearing your thoughts on the various channels in which this information is being put out there in the public. Catie, maybe you have some thoughts around the wide scope of that.
 
Catie:              Yes, so in terms of the reporting side of things and getting to the nuts and bolts of what, I'm sure our listeners are interested in, in terms of, what am I on the hook for? There are a lot of reporting frameworks out there that are guiding folks. And I know that that's been a point of confusion for people is understanding, there are all these different acronyms out there. That I can report to like SASB, or the Global Reporting Initiative, GRI, Task Force for Climate-Related Financial Disclosures or TCFD. There are a lot of frameworks out there, but the field is narrowing. 
 
So some of the communication that we've been seeing from these wider umbrella frameworks, are that they are working together to consolidate. To make things a little bit more straightforward, and to make things a little bit more uniform across the reporting landscape. But that's currently in progress, and this is just a result of this being not in nascent stages, but still in its growth period, and really honing down what are the things that shareholders, regulators, and such need to see when it comes to these ESG disclosures.
 
Dan:                And I know that Doug has been on the front line when things are misreported or omitted, and I'd love to hear some of his worst stories.
 
Doug:              Thank you, Dan. The question about reporting channels is a very good one, and Catie brought up several things that are happening in reporting to general capital markets. I also observe that there are other channels for reporting, including impact investors who may be interested in one particular topic. The general purpose capital reporting takes in one tranche, if you will, of topics that need to come external from an organization, a company. 
 
There are other investors who are interested, let's say, in human rights, or in product conformity, or in diversity, or in commitment to climate, and they want more information about those topics. So you may get information from investor groups or analyst groups, and that's a type of report. 
 
Another channel of reporting that I see is B2B reporting. The customers, and business partners, and banks, joint venture participants, are looking more into non-financial risk management. Non-financial performance and alignment, which is ESG. So before entering business relationships, and even during business relationships up and down the value chain, there's also ESG reporting that happens there. 
 
It is starting to align in some ways that they're asking questions about the same topics, but the questions themselves can be different. And, in many cases, the reporting, 
the demand for reporting has outpaced companies' abilities to report on the data and information. So that pull has created a bit of a vacuum. And many companies are scrambling to come up with processes, systems, and controls so they can generate the data and information that these stakeholders are expecting in terms of reporting.
 
Catie:              Doug, just to jump in there, from a client perspective, we are seeing that a lot of our clients are getting, especially, those B2B requests from either their suppliers or their downstream supply chain vendors. And the way that we're seeing that manifest is a lot of these larger companies are looking at their supply chain. If you think about greenhouse gas emissions, they're looking at their Scope 3 emissions, which is all value chain. 
 
And, so, they're sending requests to clients like ours that are asking, "What are your Scope 1 and 2 emissions? Because we need to report that." We are seeing clients feeling the pressure to respond to that, to continue to be part of those wider supply chains. 
 
And, so, they're coming to us asking for assistance in figuring out what those ESG metrics are and being able to respond in complete and accurate ways. So that they can continue to have those key customers that are asking for that information.
 
Dan:                Yes, and I'd like to pick up on that point, too, and Catie was just touching on it. I think some of the key challenges are, for businesses today, what is the providence of their ESG data? 
 
What is the confidence they have over the accuracy and completeness of it? 
 
And what is the integrity and quality of that data as it travels along its life cycle, from where it started to where it was reported? And has it maintained that integrity all along? Because bringing this back to our main topic of fraud, there are many pressures and incentives that might have someone misstate or omit information in their ESG reporting.
 
Doug:              I'd like to pick up on a topic that Catie discussed on climate change and greenhouse gas emissions. It does, inherently, involve a complex web of data from different sources, including suppliers. And companies may be asked to produce or report the greenhouse gas emissions for themselves, as a company, on Scope 1 and Scope 2.
 
I hope our listeners know what that means. Or on a part of Scope 3, or their carbon emissions as a company, or their carbon emissions in a particular country or state, or their carbon emissions for the products they manufacture for a certain customer. 
 
So those are different ways to slice and dice much of the same data. And it all goes back, I'll put in a plug here for the COSO report mapping the internal control framework to ESG. That can be applied to anything, any topic, any company, including, for example, greenhouse gas emissions. In terms of fraud, there can be a difference between just sloppy, or just unavailability of data and willful reporting of incorrect or misleading data. 
 
For example, to get preferred treatment at a customer, or to get preferred inclusion in an ESG index fund, or to get a reduction on interest rate from a line of credit, 
from a financial institution that's looking for green investments. So we're still seeing an increase in awareness of the fact where, "Well, we can just report this because nobody cares."
 
Or, "Well, it's not regulatory, so we'll just let it go."
 
And willful deceit in order to get a benefit at the expense of other competitors in these areas, which goes into the fraud bucket. That ACFE and Grant Thornton touched upon in that report.
 
Dan:                Yes, thank you, Doug. The report that Doug is referring to is a joint publication of the Association of Certified Fraud Examiners and Grant Thornton called Managing Fraud Risks in an Evolving ESG Environment. You can get it from our website and from the ACFE, and within that, we did develop an ESG fraud taxonomy. 
 
It encompasses both some of the traditional areas of fraud that have always been there. Corruption, asset misappropriation, and financial statement fraud. And there are certainly ways in which ESG fraud manifests itself under each of those headings. 
 
To that traditional fraud tree we have added an additional area of non-financial reporting fraud, which Doug was alluding to. And the things that might happen under there, there could be false labeling or advertising. Think of things like declarations of saying that it's "Dolphin-free tuna" that has certainly been an area of litigation in the past.
 
I'm thinking about false disclosures or representations, and that might be along the B2B relationships. Where you are omitting information or misstating information to a company that you are a supplier to. Lots of ways that things can be contorted, and misrepresented, and misstated, omitted, and if it is done intentionally, then we're going to consider it fraud.
 
Doug:              Dan, I can't say enough good things about the report that came out and, certainly, my hat is off to you, and Catie, and everybody who contributed to that. I know that was a massive effort. What I think is so elegant about that report is that many of our listeners struggle with how to get their arms around ESG, this sprawling issue is so new, it's so different. 
 
The report begins with a construct that's familiar to everybody who deals with fraud, that famous ACFE fraud tree. And the report adds a leaf, if you will, if you look at that tree at the bottom row, that provides an ESG example for the fraud tree as everybody knows it. And then it was very elegant how you added that branch, if you will, for the ESG, the non-financial reporting with nine different twigs to describe a taxonomy there, and then the leaves with the examples, it was really well done. 
 
So anybody familiar with fraud and the fraud tree. Anybody who has been involved in developing procedures to prevent fraud or to detect fraud on the audit side, you can just use that reference document and get pretty close to how you think about ESG fraud to prevent it and detect it. 
 
Another thing I would observe that the human rights, no product was made with child labor. Non-financial reporting and compliance exists in a lot of places out there, 
and it can be possible, it can be easy for stakeholders to compare information that arises from different reporting channels for consistency. For example, Dan mentioned one of the claims could be, "None of our products use forced labor". 
 
In the U.S. there's a law called the The Uyghur Forced Labor Prevention Act. That has the rebuttable presumption that products made from a certain area, in China, if you cannot prove that those products were made absent forced labor, the assumption is that they were made with forced labor. And the Customs and Border Protection is seizing products at the docks before they come into the country, and waiting on companies to provide evidence that the products are forced-labor-free. 
 
So if you have claims on your website, or on products, or in contract documents that they're forced labor free, and the Customs and Border Protection is reporting that your goods are being held and not allowed into the country. There is an inconsistency there that can be embarrassing, at a minimum, to companies. And it can cost the company sales, customers, and reputational damage if it turns out that those claims cannot be supported.
 
Dan:                Yes, so just picking up on what Doug was talking with The Uyghur Forced Labor Prevention Act, this is a big stick for the government in they have a presumption of guilt, so to say. That if they suspect that a good has any raw material or input within it because it is in whole or in part of your good that's being imported, is suspected of having forced labor in it, and that means every tier of your supply chain down to the raw material or seed, if it's an agricultural product.
 
If there is a suspicion that it is tainted by forced labor, it will not be allowed into the country unless you can prove otherwise. And, I think, it's going to become, increasingly, challenging for companies to know their supply chain inside and out. And from a fraud perspective, whether any part of that supply chain is deceiving the rest of the supply chain on whether or not it's tainted by forced labor. 
 
I was just reading over the holidays, there is a tremendous report that came out from Sheffield Hallam University, in the UK, around the various risks in the auto industry for being tainted by forced labor in the production of raw materials. it's really a very difficult area, and it is something that our clients are coming to us, asking for help around. 
 
Dan:                Catie, do you have some other thoughts around the regulatory environment in which this is probably just one small piece?
 
Catie:              Yes, Dan and Doug, you both brought up a great point of there are current existing regulations that apply to certain areas of ESG. But what we're seeing is a global movement towards more overarching regulations across different jurisdictions. So, for instance, last year, the European Union approved the Corporate Sustainability Reporting Directive Regulation, also called CSRD, and that sets reporting standards for entities that meet certain EU reporting thresholds. 
 
In the UK, there IS BEIS, which is focused on climate-related disclosures for entities that operate in the UK. And then, of course, for our U.S. listeners, I'm sure you all have heard about the coming SEC final rule when it comes to climate disclosures. 
We anticipate that being finalized as early as April of this year. But all that to say that the regulatory environment, itself, from an ESG perspective, there is a growing recognition that there needs to be standards that companies adhere to. So that there is comparability across the landscape when it comes to ESG data. Because it is hard for whoever is looking at this data to discern what certain data points may mean because they may be defined differently. 
 
So these standards are helping to create an environment that is more accountable and more comparable which, hopefully, will help clarify some things and clarify the way that you go about reporting. That said, even though some of those regulations are very early stage or haven't been released, yet, there are already consequences for misreporting. 
 
So we saw last year, or in the past couple of years, that Goldman Sachs was fined $4 million and BNY Mellon was fined $1.5 million for what were considering material misstatements. And in the future, we see that more frequent consequences could be around the corner. But I can't speak to what that looks like just, yet. Dan, do you have any experience, or Doug, in terms of any additional consequences that you're seeing for misreporting of ESG data?
 
Dan:                Yes, well, for me, as you said, there are consequences from misstating, publicly, the information. There are just a ton of business consequences of misstating the information. So, for example, I myself was involved in an investigation in which there was a licensor of images for the front of T-shirts and the like. There was a requirement that none of the production would take place in Bangladesh after the tragedy in 2013, in which a building collapsed, killing more than 1000 apparel workers. 
 
And, so, there was a requirement that no production take place in Bangladesh, and there was wide-scale deception on that point. Such that there was a lot of production going on in Bangladesh, but it was being misreported to the licensor as being produced in India or in other jurisdictions throughout Asia. That finding, in the investigation that we carried out, was the subject of whether or not a billion-dollar license would go forward or not.
 
Doug:              I can see several potential risks or consequences for misreporting or misleading content and reporting, and they vary according to the reporting channel. For example, there is ESG content in financial statements, in income statements and balance sheets. There are reserve estimates for contingent environmental liabilities. 
 
Something that's a little newer is asset values for Emission Reduction Credits or expected costs in the future for Emission Reduction Credits, if that's part of a company's strategy for reducing greenhouse gas emissions. Those have a vintage and the value depends on the vintage. If those are, knowingly, misstated, you're subject to all the things that come with that in financial reporting, disclosure controls, and procedures, and the like.
 
For misrepresentation and misreporting in the Form 10-K, the analysts and the investors are using this to make investment decisions. There are shareholders who are quite happy to file proxy filings or to file suit by claiming to be misled for the content in there. Some of those are starting to see the light of day or to get quietly settled. 
There was an instance of a major European bank, an employee blowing a whistle, publicly, saying that their screening process for companies to include in an ESG index fund was just not very good or, maybe, a sham. 
 
So there's the reputational damage that can be a hit to a company and the market cap for many companies, the reputation, the intangible value, exceeds the value of PP and E - Plant Property and Equipment. So intangible value and brand value is something to watch out for too and that can take a hit, with misrepresentation or loss of reputation in ESG and non-financial matters.
 
Catie:              And, Doug, just to piggyback on that point, there's the financial disclosure side of that, but there's also, as we talked about, the intangible side of that. So customers are increasingly wanting to purchase sustainably made goods, and engage with companies that align with their own personal moral values and beliefs. 
 
And, so, when they learn that whether it's a good that's claiming to be sustainably made is actually unsustainable, you could lose members of your customer base. At times it inspires boycotts and protests and, especially, in the age of digital media, just imagine someone telling their community about their experience, and that going on Twitter, or TikTok, or something of that nature. 
 
Those are some of the risks that we're seeing from not a regulatory penalty approach. But also there are consequences when it comes to your customer base, the value of your brand, and your brand reputation.
 
Doug:              We've discussed a lot of different data, a lot of different stakeholders, a lot of different needs. So how do companies manage this kind of reporting. When everybody wants something different. There are different ways to slice and dice. How does a company get their arms around this and make sure that it's right?
 
Catie:              Yes, that's a great question, Doug. So as I said before, there are a lot of different frameworks out there. But they are working to consolidate the frameworks and to consolidate the data expectations of those frameworks. 
 
From what I'm seeing, it appears that SASB, GRI, and TCFD, all of which I previously mentioned, are emerging as the big three of ESG data disclosure frameworks. And it's important that our listeners understand that while these frameworks are not required for disclosure, they can help guide your reporting. And, ultimately, they can help your company be more aware of any potential fraud risks and avoid being susceptible to associated fraud with those activities and reporting. 
 
Of course, the frameworks, themselves, are not mandatory for disclosure. They are, as I said, guidelines and we talked, previously, about the different regulations that are emerging. I think the thing that's important to know here is that some of these frameworks are being utilized to inform those regulations. So we know that the SEC climate disclosure draws heavily from TCFD reporting framework. 
 
And, so, some of our clients are asking us to conduct TCFD reporting gap analysis to help them prepare for those upcoming SEC-required disclosures. We have clients who are asking us to do assurance readiness services because they know that they will fall in that year one reporting group, the large accelerated filers for the SEC. 
 
And, so, having us test their existing processes, internal controls, things of that nature, and validate that their data is complete and accurate is something that they're doing to prepare for the upcoming regulatory framework. So the way to think about those frameworks is that it's a helpful way for you to organize your disclosures in anticipation of future reporting requirements. 
 
Dan, do you have any thoughts from the fraud risk perspective of how those frameworks can usually help you. In terms of guarding against any potential misreporting or intentional or unintentional?
 
Dan:                Yes, so when I think about this, I usually do go back to the ACFE's Fraud Triangle, thinking about incentives and pressures, the opportunities for fraud, and the rationalizations one might apply to committing those frauds. So when I think about reporting what is the role of that report? 
 
Is it going to a regulator? 
 
Is it going into a corporate social responsibility or a marketing publication? All of those bear different kinds of risks. So in terms of on this reporting topic, that people and companies should be thinking about taking an inventory of all the ways in which that ESG information is going out to the public, across those different channels. And ensuring that as they're building up their capabilities and infrastructure to maintain good data quality, that it is also ensuring consistency across all of those reporting channels. 
 
What I anticipate, and I think we're starting to see it, is that there will be cases where the same information is reported in one channel, but is inconsistent with how it was reported in another channel, and that will be held against the company. You should not be finding yourself saying one thing to the government and something else in a publication.
 
Doug:              Dan, I absolutely agree with that. I would say to this question, it comes back to a familiar trilogy that we hear as the answer to so many questions, and that is people, process, and technology. And I'll start at the end and work my way back, there are many vendors offering technology fixes and even companies, in-house, building technology fixes to gather and report data. 
 
But the data and the information is only as good as the process it took to come up with the data. You can automate the wrong process and just get the wrong answer faster. So you back up to the process and say, "Well, since this non-financial information originates in so many parts of the company, and even from other companies, suppliers, customers, business partners, and the like. What is the process to get them?"
 
There are also challenges I see on reporting periods. Governments, like EPA, may have an annual reporting process. There are companies with a non-calendar fiscal year, who need to report some of this on a fiscal year basis. So where are the reporting periods? 
What is the process to collect information and report to a state agency, to a stakeholder, to a customer? So those processes need to be nailed down, and that's where that wonderful COSO internal controls framework comes in. Just follow that and apply it as it's appropriate. And because that data and information comes from so many different sources, I encourage people to have the right people involved. 
 
If companies establish a cross-functional team and get folks from all the places who provide this information. Real estate, operations, safety, procurement, R&D if they understand their roles and responsibilities in collecting this information to enable the kind of reporting that Catie has mentioned and others, then that goes a long way to making the process more effective and more efficient.
 
Dan:                Yes, and I would like to add on to what Doug was saying. That in terms of the fact that this information is coming from different parts of organizations, that haven't necessarily undergone third-party assurance procedures. That this is a transition period here where, I think, a broader spectrum of people, within an organization, are going to be changing their mindset around the accuracy and completeness of the data because they know that they are subject to that third-party assurance.
 
Catie:              And, Doug, you had mentioned, I think, very rightly, that having the right team in place is critical to being able to have the right processes and technology also in place, to ensure that your reporting is complete and accurate. And we're seeing on the client side that a lot of our clients don't, necessarily, have the resources in place to start to organize that. 
 
So I wanted to ask, in your opinion, and Dan, feel free to jump in. How important is it to not just assign one person to do all of your ESG reporting? But how important is it to have that cross-functional team approach to these non-financial disclosures?
 
Doug:              I think it is absolutely essential. One structure that I see work a lot is to have a steering committee. To set strategy and to be plugged into those reporting frameworks that you've mentioned, Catie, and some of the customer demands and organizational strategy and where things are going. And a more tactical working group that's closer to operations, and the systems, and controls to really modify those systems and controls and talk to each other. 
 
A couple of things I've seen work really well. I've seen those committees be assembled, and people show up, and they don't know why they're in the room. And it really helps to have a coach or an external resource to help facilitate all that. To make sure that people are talking the right language and not talking past each other. So you get everybody on the same page to take actions in ways that are aligned with the company objectives, that helps a lot. 
 
A couple of functions that I don't see on those teams but, I think, should be there a lot more than they are IT, for sure. And many of our listeners are from accounting, I would say accounting. I don't see on those cross-functional teams as much as I think they should be. Much of what is required for the sustainability reporting, it comes from accounting. You get utility bills from accounting. Get a list of assets from accounting. Get a list of our ten largest customers from accounting. 
Accounting has the master key to a lot of this information. But the information that's in company systems, in my experience, was not designed for the way the information needs to be reclaimed and used now. So there are some changes that need to be made in accounting to enable this reporting and to enable the systems and controls. To, then, ensure accurate reporting, verifiable reporting, and the fact that we tighten down the controls so that we can prevent the possibility of fraud.
 
Dan:                Yes, great points, Doug. I really appreciate you bringing up the steering committee. Someone at the top of an organization that is there to set strategy. And I think that it is common, and it will become more commonplace, to have that steering committee require that any fraud risk assessments, that are being done within an organization, include ESG fraud as part of what they're doing. 
 
And in conducting a fraud risk assessment that is a stress test, that's looking for ways in which various kinds of scenarios. Such as the scenarios we brought up in our report with the ACFE, of ways in which ESG fraud could be committed. And then looking at whether the controls in place within the organization, are sufficient to prevent and detect or detect those occurrences. 
 
So, Doug, I know that you've been contributing to an exciting report, that's been recently released from the IMA. Could you give us a few highlights in that regard?
 
Doug:              Sure, I'd be happy to. I was one of the primary authors of this document, the only non-CPA on the team. I provided the ESG specialist input for this very important report. It's a COSO report and IMA is, of course, a member of COSO and their leadership had a terrific role in pulling this together. And it will resemble a lot kind of the report you've had major involvement with from the ACFE, on fraud, ESG fraud. In that it begins with a framework that everybody knows and is very familiar with, the COSO Internal Controls Framework, and there's something old and something new. 
 
There is a summary of some of the key points of the COSO Internal Controls Framework, the components, and the points of focus. And on each of the components there's some information demonstrating how the internal controls framework can be applied to ESG. 
 
So that in terms of non-financial management of information, and of reporting, and of communications, and of control environment. It can be applied and it points you in the right direction on how it can be adopted to improve the effectiveness, and the efficiency of company organization, management, and reporting. I encourage everyone to read it and use it.
 
[00:36:50]       < Outro >
 
Announcer:    This has been Count Me In, IMA's podcast. Providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in for more relevant accounting and finance education, visit IMA's website at www.imanet.org.
©Copyright 2019-2023 Institute of Management Accountants. All rights reserved.