3 Ways to Give ESG Fraud the Consideration It Deserves
Stakeholder pressure to set and demonstrate progress on ESG goals and targets can foster a thriving environment for fraud from both internal and external sources. Proactively integrating ESG into fraud risk management programs is the best approach to maintaining the integrity of ESG programs and reporting.
The pressure is on
Key stakeholder groups including investors, consumers, and employees are reviewing organizations’ ESG values, disclosures, and aspirational goals with ever-increasing scrutiny to identify signs of progress. At the same time, forthcoming SEC rules will require more qualitative and quantitative ESG data in filings than ever before. Companies are feeling the pressure to tell the best possible version of their ESG stories. However, if the best version isn’t the most accurate version, organizations put themselves at risk for ESG fraud.
Two types of fraud risk in ESG
In the not-too-distant past, being accused of greenwashing was the biggest ESG fraud risk companies faced. Greenwashing is the practice of misleading consumers or the public into believing that a company’s products, policies, or practices are more environmentally friendly or socially responsible than they really are. It can include using terms like “eco-friendly” or “sustainable” without providing any meaningful information to back up these claims.
Ironically, while ESG reporting is the best preventative measure against accusations of greenwashing, it opens the door to a different kind of fraud: fraudulent reporting of data to make a company seem more advanced in its ESG program than it is. This type of fraud comes in two forms:
- Internal ESG fraud is committed when employees or management intentionally act to deceive others by misrepresenting or concealing ESG-related information for financial gain. Sometimes it includes corruption, where employees accept bribes or engage in unethical labor practices or other corrupt practices related to corporate governance or social responsibility.
- External ESG fraud is facilitated by third parties such as vendors, customers, or contractors who deceive an organization by omitting material facts or disclosing misleading information regarding ESG programs. Vendors may also provide incorrect ESG information, causing an organization to fraudulently report ESG data.
Why ESG fraud is so common
ESG is becoming a standard agenda item in company-wide discussions. However, ESG reporting is still a new venture for many organizations. Companies wishing to comply with stakeholder requests for information are often providing data and commentary in advance of fully embedding ESG into governance and risk oversight programs.
More often than not, ESG fraud occurs because of improper oversight or lack of effective ESG-focused internal controls. In most companies, ESG-related controls are not yet nearly as robust as the internal controls over financial reporting that companies have in place for SOX.
Integrating ESG into fraud risk management programs
As organizations more deeply consider how they will report on their ESG initiatives, they need to be thinking about ESG fraud risk at the same time. The most effective way to safeguard against ESG fraud is to identify how ESG ties into the three primary components of a company’s fraud risk management program—fraud risk governance, fraud risk assessment, and fraud control activities. Below are some steps for making ESG a focus within each area.
1. Establish ESG Fraud Risk Governance
ESG fraud risk governance falls under the umbrella of corporate governance, which rolls up to enterprise governance and ultimately an organization’s enterprise risk management program. Because the internal control environment is what supports the assessment of fraud risk to help achieve the organization’s higher-level goals, it’s important for ESG to be an integral part of risk governance.
To establish ESG fraud risk governance:
- Consider how mature the organization would like its fraud risk management program to be regarding ESG.
- Have the board set the “tone at the top” and communicate the importance of ESG-related controls and reporting programs as well as how ESG will be incorporated into daily activities.
- Engage leadership to further consider how ESG-related risks redefine the organization’s overall risk appetite and materiality threshold.
- Inform employees who hold responsibility for performing these activities as to how they impact the disclosures made by the organization.
- Establish a foundation of accuracy and transparency by reporting metrics in line with a reputable ESG framework, such as SASB or GRI.
Creating a framework for ESG fraud risk governance sets the foundation for embedding ESG throughout the organization.
2. Incorporate ESG Risks in the Fraud Risk Assessment
A fraud risk assessment is a process that allows an organization to identify and assess fraud risks affecting the organization through fraudulent financial reporting or illegal acts. A fraud risk assessment can be tailored to meet an organization’s needs, allowing the organization to add components to the existing methodology to address developing areas of the business such as ESG reporting.
To incorporate ESG risks within a fraud risk assessment:
- Leverage or develop an ESG-specific fraud taxonomy.
- Conduct a materiality assessment with key stakeholders to get a deeper understanding of ESG-specific fraud risks.
- Think through different fraud risk scenarios specific to ESG and assess their likelihood and significance.
- Assess the control environment to identify areas where risks to accurate ESG disclosures are left unmitigated.
- Develop ESG-focused controls as needed.
Overall, the fraud risk assessment should pave the way for organizations to identify areas of focus through an ESG fraud risk lens.
3. Develop and Test ESG-Specific Fraud Control Activities
A fraud control activity is a specific procedure or process intended to either prevent or detect fraud quickly. The development, implementation, and testing of preventive and detective fraud controls are crucial elements of any fraud risk management program.
To identify and include ESG-specific fraud controls:
- Meet with management and other key stakeholders to understand current activities for verifying data used to report on ESG metrics, including the validation of information received from third parties in the supply chain.
- Document ESG controls in a similar fashion and with the same rigor applied to the organization’s financial controls, including descriptions of risks and potential schemes and the associated control activity.
- Evaluate controls periodically for proper design and operating effectiveness.
By considering ESG during the control development and testing process, organizations will be able to pinpoint mitigation strategies for certain scenarios and designate individuals who are responsible for ESG-specific fraud control.
More reporting = more risk
As companies begin reporting ESG data and setting targets for aspirational ESG-related goals to meet their stakeholders’ heightened expectations, it’s important to proactively consider the growing opportunity for ESG fraud. Tying ESG into all aspects of existing fraud risk management programs can empower companies to report on ESG with greater confidence in their data and ultimately to tell not only their best ESG story but their most accurate story as well. If you have additional questions about fraud risk management and internal controls for your ESG program, contact us.