5 Steps for Establishing ESG Reporting Processes
The business world’s increasing focus on environmental, social and governance (ESG) reporting makes it seem like these are new topics for concern; however, the concepts of environmental sustainability, corporate social responsibility and strong corporate governance are arguably anything but new.
The notion of corporate governance dates back to Britain’s first publicly traded companies in the 1600s. Andrew Carnegie’s 1889 essay, “The Gospel of Wealth,” laid out his philosophy that the wealthy have a moral obligation to be philanthropic and is seen as a precursor to the belief that businesses — and not just their owners — are obligated to give back to society. The first Earth Day was observed in 1970, and the U.S. Environmental Protection Agency was established by special executive order shortly thereafter. During the same era, we can point to the U.S. government’s first use of the term “corporate governance” in the Federal Register.
So, while these concepts have clearly been around for a while, what is new (and inconsistent I might add) is the reporting of a company’s activities in each of the ESG domains. In recent years, several organizations have produced frameworks and guidelines for ESG reporting. Some of these were established for the express purpose of addressing such disclosures, while others have taken it on as part of the growing demand for increased disclosure and transparency. These include the Global Reporting Initiative, founded in 1997 after the Exxon Valdez oil spill; the Sustainability Accounting Standards Board, founded in 2011; the Task Force on Climate-Related Financial Disclosures, founded in 2015 by the Financial Stability Board; and the World Economic Forum’s 2020 report on defining a set of common metrics related to sustainable value creation. And, as recently as March 2021, the U.S. Securities and Exchange Commission (SEC) set out its own proposals for requiring specific ESG disclosures in periodic and annual filings.
The SEC’s proposals suggest the need to build out several processes that many companies may not currently have, which will require a thorough assessment to determine the nature of the information that a company needs to track, the level of effort to gather such information, the skills required given the specialized nature of certain types of information, the third parties that need to be considered, the policies that need to be adopted, and even whether a company’s board has the right expert knowledge to provide appropriate governance and oversight.
Regardless of how the SEC proposals evolve — or which particular reporting regime a company is either obligated to or willfully adopts — companies will ultimately require a robust reporting process that can hold up to auditor scrutiny, is flexible enough to adapt to continuously changing requirements, and is sustainable and repeatable with a high level of consistency and efficiency.
Is it any surprise that CPAs are being called up for the task? Given their long history of focus on internal controls, finance professionals are increasingly being tasked with establishing effective control structures related to ESG reporting that will stand up to the heightening scrutiny.
My colleague, Sharon Mathews, director of Discover Financial Service’s Finance & Corporate Services Risk team, was called on to do just that.
“This process feels like a throwback to the early days of the Sarbanes-Oxley Act of 2002 (SOX), where we had to educate everyone as to the purpose of a well-documented control framework. We had several process owners who had never been exposed to external reporting. They required some basic training to help them understand the differences between substantive and control assurance. We had to teach them what good supporting documentation looked like, as well as how to design a control that could be efficiently executed, easily documented, and subsequently tested for effectiveness,” Mathews recalls.
Based on her experience providing internal assurance on Discover Financial Service’s ESG disclosures, Mathews shares a few recommendations for others tasked with building their own ESG disclosure controls and processes:
- Assess the current state: Start by learning about the intended disclosures, which frameworks they connect to, and how they relate to the company’s assessment of what is material to stakeholders. “With that overview, you can understand the specific disclosures relevant to your company,” Mathews says. Think about how key metrics are defined, what assumptions are being made about the data, and if there are specific data sets that should be included or excluded (and how well that is documented). Mathews notes that it’s critical to identify the providers of information and to set up time to walk through their process for gathering data for disclosure.
- Work with the process owners: During the walkthroughs, ask questions to validate your understanding of measures and definitions. “Get an understanding of data flows, including sources, transformations, and any control points along the way. Then, draw out the process flow to help visualize key steps along the way,” Mathews advises. Your goal is to identify key areas of risk, where there may already be controls built into the process, or where controls are needed. Consider, too, the different types of controls that may be best suited to the process.
- Leverage existing controls: Look for data sources that are already subject to other control regimes, such as systems used in financial reporting that are subject to SOX, or systems that are tested by internal or external auditors. If the process includes reviews or data checks, understand whether there are thresholds or other details used that can be clarified and documented as parameters within a control.
- Establish consistency: “To build discipline into the process, design and document controls in a manner similar to other frameworks used by your company,” Mathews suggests. “Then, set the desired frequency for producing the ESG disclosure measures to establish a routine that’s easy to follow and document.”
- Establish a clear report preparation process: Mathews stresses the need for early alignment on optional disclosures and key metrics, so stakeholders are clear on all data requirements and expectations. From there, she suggests overcommunicating throughout the report preparation process: “Build a timeline with milestones and key review dates; ensure accountability for specific disclosures is unambiguous and well communicated; provide guidelines for stakeholders so they know what documents to provide as support and when; establish a designated party responsible for documenting a ‘tie-out’ to cross reference to supporting documentation; and, have a single point of contact for addressing and resolving questions, comments, and issues.”
While evolving ESG measures and SEC proposals are likely to lead us into uncharted territory, we finance professionals have many tried and true tools we can leverage to help establish a strong control environment and set our ESG reporting processes on the right path. Like SOX, ESG offers another opportunity for CPAs to establish themselves as the most trusted and strategic business advisors.
Reprinted courtesy of Insight, the magazine of the Illinois CPA Society. For the latest issue, visit www.icpas.org/insight.