By Ernest Anunciacion, Senior Director of Product Marketing, and Grant Ostler, Director and Industry Principal at Workiva
The Securities and Exchange Commission’s proposals on environmental, social, and governance (ESG) disclosures represent one of the most significant changes by the SEC since the Sarbanes-Oxley Act (SOX) became law in 2002. In short, having ESG reporting systems, processes and controls that are audit-ready is now an imperative. Under the SEC’s climate risk disclosure proposal, most SEC filers will be required to disclose greenhouse gas emissions data that will become subject to assurance and basically pull them under the umbrella of internal controls over financial reporting, or ICFR.
Traceability will be key in the face of the increased volumes of data that are likely to emerge, particularly because ESG opens a Pandora’s box of systems and sources from which data will be pulled—many of which may never previously have been audited.
So, how can organizations get their ESG reporting structures ready for the coming changes?
ESG: Even Bigger Than SOX?
When SOX was enacted in 2002, most of the data subject to assurance came from a few accounting systems and sources. And that data was highly structured. Under the SEC’s new proposals, however, both structured and unstructured data will be drawn from a multiplicity of sources and systems.
What’s more, in the case of SOX, most data was provided by accountants already familiar with the financial reporting rigors of audits and best practices therein. ESG data, on the other hand, is just as likely to have been entered into spreadsheets by individuals with little experience of being audited. (Talk about culture shock!)
Ultimately, leveraging the available technology to make this transition as seamless as possible is going to be critical.
Policy and Practice: Aligning ESG with Existing Audit and Controls
In all audits, it is critical to understand the data being relied upon. This involves easily following the data from source to report, including identifying any alterations to the data from its original state.
Some alterations, such as aggregating data from multiple locations, are appropriate. However, the key is having a platform that provides a full audit trail: It should show what ESG data was changed, when, and by whom.
The answers to these questions are critical to being able to attest to the accuracy, completeness, and timeliness of the data included in ESG reports. As more ESG data comes under increasing investor scrutiny, you will need increased data governance controls to create consistent, comparable and decision-useful disclosures.
So, how can you scale these controls?
This can be incredibly difficult, given that ESG introduces a relatively new set of data brought in under audit purview, but with the right technology, tackling this challenge can be easier than it first may appear. Having developed an outline of what financial reporting controls are in place, the organization must establish an understanding of the risk universe as it pertains to ESG and identify the overlaps between what already exists and what is needed. For example, new policies will need to be developed, and a gap analysis and risk assessment evaluation should be conducted in tandem with a review of those already in place. All of which can be facilitated and streamlined with technology.
While policies are certainly a cornerstone of compliance efforts, putting ESG strategies into action can go beyond risk management or audit practices. They may also provide a foundation for change initiatives that can positively influence the behavior of those employed by and associated with the organization. We believe that this can result in a feedback loop whereby aligning incentives and policies to ESG reinforces good business practices and encourages changes by staff—ultimately resulting in more favorable results to report to stakeholders.
Trust Through Traceability
When reviewing ESG data with stakeholders, significant time is often spent verifying the accuracy of those numbers and establishing where they came from. This is true both internally, with management or the Board, and externally, when reviewing facts and figures with risk and audit committees.
One of the fundamental benefits of an audit-ready platform like Workiva is that it instills trust and assurance through traceability from source to report. And this is particularly important with potentially unstructured ESG data coming from multiple sources and systems, which can be automated via APIs or manually entered by a myriad of different people. Put bluntly: Don’t trust, verify.
What’s more, if you can automate it, it’s easier to audit. Automation is indispensable in saving time and resources, as well as reducing human error, especially when collaborating over one digital hub in order to drive accountability and trust. Automation can also minimize unnecessary activities that simply waste time.
One area where automation is frequently utilized is with third-party assurance providers. Seamlessly sharing documentation directly with an external auditor using the organization’s risk and compliance platform—rather than extracting the data and transferring it to an external platform for review—eliminates this significant waste of valuable internal resources.
Why is streamlining your third-party assurance important? Simply put: It is everyone’s job to manage risk. The Institute of Internal Auditors’ Three Lines Model applies to ESG, and external audit firms act almost like a fourth line by conducting further due diligence. This partnership and dialogue with external partners is invaluable.
Regardless of the outcome of the SEC’s current climate proposal, which will require your company to provide “limited assurance” and eventually “reasonable assurance” on climate disclosures, using audit-ready technology from the start helps reduce audit headaches downstream. And using a platform in which all parties can work simultaneously—providing better visibility into all parts of the process and enabling the use of audit analytics to replace sample testing—gives you greater coverage with less effort.
Into the Future
Technology has improved exponentially since SOX was enacted in 2002. It is essential for organizations to avoid the pitfalls experienced in the early days of SOX compliance by leveraging powerful platforms to simplify and automate challenges such as:
● Ingesting data,
● Connecting and analyzing data,
● Reporting results,
● Establishing internal controls over the reporting process,
● Auditing and assurance on internal controls throughout the entire process.
Platforms that provide all of this functionality set the foundation for collaboration across the breadth and depth of an organization, and deliver the potential for a truly coordinated effort.
Living and working through the pandemic stress-tested every organization, forcing them to adapt to a rapidly changing risk landscape and driving resiliency moving forward. It is now clear that taking a reactive approach to risk management is not enough: Scenario planning, risk assessments, modeling, and testing are likely necessary. Companies that have embraced digital transformation and an agile strategy are better positioned for future growth in the long-term. For most innovative organizations, ESG is part of their core plan, and it strengthens their positions in the marketplace.
Having a solution that not only supports but encourages collaboration within the platform enables global teams to continue to review ESG data asynchronously, regardless of time zone, location or department. This also enables the risk and audit teams to provide guidance and fulfill their assurance roles. Such a connected and collaborative system elevates the organization’s resilience, which is essential in these unpredictable times.
Platforms like Workiva provide the foundation for organizations to go beyond compliance and create behavioral change to make a positive impact in the communities they serve. It is important to note that the effort being led by ESG teams must be supported by audit and risk teams to ensure the progress against goals is trustworthy and verifiable. Brought together by technology, ESG, audit and risk teams can move the needle meaningfully in all aspects of ESG.
Explore how you can ensure your ESG reporting is investor-trusted and audit-ready with Workiva. Learn more about our ESG solution and get the latest ESG resources to accelerate your journey.