Auditing Climate-Related Dsiclosures

As investors are more actively seeking information regarding the effects of climate on individual businesses and entities, companies are providing more climate-related disclosures in their proxy statements, sustainability reports, and websites. The Securities and Exchange Commission (SEC) has recently proposed a set of rules that will require additional disclosure for public issuers on specific matters related to the effects of climate on their business.

The SEC proposal would not only require certain quantitative climate-related information, but also assurance surrounding these climate-related disclosures. Auditors’ responsibilities for the audit of the financial statements and related footnotes would extend to these newly required climate disclosures. This article discusses considerations for auditing these climate-related disclosures and what companies should be doing now to prepare for upcoming audits.

OVERVIEW OF THE CURRENT STATE

Currently, there is no authoritative framework or required standards for providing assurance standards on climate-related disclosures. Several standards for climate-related disclosures have been issued by organizations including the International Organization for Standardization (ISO), the Sustainability Accounting Standards Board (SASB), the Task Force on Climate-Related Financial Disclosures (TCFD), and others. The lack of an authoritative set of standards has resulted in variability in application, and as a result less consistency. The graph below highlights the sets of standards most frequently used in providing assurance on climate-related topics.

SEC PROPOSED RULES FOR CLIMATE-RELATED DISCLOSURES

Given the lack of consistency in standards application and the level of assurance provided for these disclosures, there are risks of inaccurate information being communicated to stakeholders including greenwashing. To address these inconsistencies, the SEC issued a proposal in March of 2022 requiring levels of assurance for all climate-related disclosures, a suggested phase-in period for affected companies, and additional requirements for various specific disclosures.

The SEC’s proposed changes require public issuers to disclose the following climate-related information:

1. The registrant’s governance of climate-related risks and relevant risk management processes

2. How any climate-related risks identified by the registrant have had or are likely to have a material impact on its business and consolidated financial statements, which may manifest over the short-, medium-, or long-term

3. How any identified climate-related risks have affected or are likely to affect the registrant’s strategy, business model, and outlook

4. The impact of climate-related events (severe weather events and other natural conditions) and transition activities on the line items of a registrant’s consolidated financial statements and the financial estimates and assumptions used in the financial statements.” Companies should be prepared to address points proposed by the SEC to gain appropriate assurance from the auditor.²

If the SEC’s proposed rule is passed, public companies will be required to obtain assurance over their climate-related disclosures and provide an audit opinion along with their financial statements. To facilitate this shift, the SEC proposed a phase-in period for affected companies as follows:

The SEC also specifies the required levels of assurance these companies will need to receive on their disclosures as follows (these levels of assurance will be discussed further in subsequent sections of this article):

Many changes have been proposed for various types of disclosures that will need to be implemented in the timeframes detailed above; however, the SEC specifically outlines changes to greenhouse gas emission disclosures that have their own implementation schedules included in the phase-in proposal. The SEC provided Scope 1, Scope 2, and Scope 3 classifications of greenhouse gas (GHG) emissions that will require different disclosures. For example, Scope 1 and Scope 2 GHG emissions (i.e., from the company’s operations and purchased or acquired electricity, steam, heat, or cooling, respectively), would need to be separately disclosed on a disaggregated and aggregated basis. More details will be provided as the proposal becomes regulation, but presently the most pertinent information on these changes is the proposed implementation schedules and required levels of assurance listed above.⁴

When changes are made to financial statement requirements it is typical to see a general phase-in schedule indicating the years in which companies will be required to have the applicable sections audited; however, given the complexity of climate-related disclosures, the SEC also included a timeframe for when companies will be required to have limited and reasonable assurance.

Limited assurance audits are sometimes referred to as review engagements. Review engagements indicate to stakeholders that the information provided has been reviewed by the auditors and that no material misstatements or omissions have come to the auditor’s attention based on inquiries and analysis of the financial statement amounts and disclosures. Reasonable assurance is the standard form of assurance that public companies receive for their financial statements and in certain cases, for their internal controls over financial reporting. An audit entails assessing risks and then designing audit tests to gather evidence to evaluate the reasonableness of the evidence in relation to pertinent assertions by the auditee. Reasonable assurance is sometimes referred to as an examination. This represents a higher level of assurance. Depending on the nature of the entity being audited, auditors follow the applicable Generally Accepted Auditing Standards (e.g., auditing standards of the Public Company Accounting Oversight Board or PCAOB, auditing standards of the Auditing Standards Board or ASB, or international auditing standards of the International Auditing and Assurance Standards Board or IAASB).

Although these changes have only been proposed, based on current reactions to the SEC’s proposal, many of these changes will likely appear in some form in the final rule. The information provided in the following section of this article is meant to assist companies that will be impacted by the proposed changes to current climate-related disclosures. It also includes considerations to help companies prepare for future audits of their disclosures and the related internal controls around these climate-related data and disclosures. Although specific audit processes can vary across assurance providers, the principles outlined below are generally applicable.

PLANNING THE AUDIT – RISK ASSESSMENT

The AICPA Attestation Engagements on Information (Including Greenhouse Gas Emissions Information) Guide provides detailed information related to both examinations and review engagements of climate-related financial disclosures and greenhouse gas emissions information. This guide will be referenced frequently in the remainder of the article.

Auditors will begin by identifying risks and planning appropriate procedures for the audit, which includes obtaining an overview of the organizational and reporting boundaries. To ensure completeness and accuracy, it is important to understand what information should be included or excluded from the sustainability report. Auditors will be on the alert for changes to the reporting boundaries of certain metrics to ensure a complete list of applicable reporting units, not just those that are performing well. According to the AICPA “understanding boundaries includes determining, usually through inquiry of management, whether there have been any changes in the organizational, operational, or reporting boundaries from the prior period and, if so, the reasons for such changes.”

The audit also includes obtaining an understanding of the subject matter (i.e., gaining an understanding of the entity’s process for collecting and reporting sustainability information). Many characteristics of processes, systems, and controls are considered in the planning phase of the audit. The following are relevant characteristics according to the AICPA guide.

The complexity and number of the information systems and processes applicable to the collection, aggregation, and reporting of the sustainability information, and the frequency with which the systems and processes operate
The existence, suitability of design, and effectiveness of controls over the collection, aggregation, and reporting processes of the sustainability information and the frequency in which the controls operate
Where the records for the sustainability information reside⁵

Because reporting quantified sustainability information may be fairly new for a company, some controls and processes may not yet be in place for the collection and reporting process. In these cases, some companies may still rely on manual processes. For these situations, the AICPA recommends that auditors consider “whether any of the following situations are present and the effects that any such situations might have on planning and performing” the audit.

Systems and processes have been designed for purposes other than reporting information about sustainability; in such cases, they may not capture all the required information.
Systems and processes that produce the sustainability information are not traditional accounting systems and processes and therefore have not been previously subject to assessment (for example, by internal audit or in conjunction with external audit, review, or attestation services); in such cases, they may not produce or contain the necessary documentation.
Systems and processes capturing measurements are complex and involve highly technical information involving engineering and other science skills; in such cases, specialized skills may be necessary.
Systems for capturing sustainability information are not subject to the same backup requirements or IT general controls as traditional accounting systems and, therefore, data and subsequent system reports may not be complete or accurate.⁶

One of the most important assertions in relation to climate-related risk information is completeness. There is a high risk that the information being reported is not complete. This may be because the source of the information lacks completeness as well.

According to the AICPA guide, the following should be considered in relation to climate-related risks:

Disclosures of governance and risk management processes and activities regarding climate-related issues are not accurate nor reflective of the entity's processes and activities.
Identification of significant climate-related issues may be incomplete.
The risk management actions that it plans to undertake may not be appropriately identified and described (for example, accept, avoid, pursue, reduce, or share or transfer).
Systems may not be designed to capture impacts to the financial statements or investments related to climate-related issues.
The disclosure of the impacts to the financial statements or investments related to climate-related issues may be inaccurate.
Progress information may be incomplete.
Time horizons may be inconsistently assigned between subsidiaries, sectors, or locations.
The entity's materiality for climate-related financial disclosures may not be determined consistently with how it determines materiality of other information included in its annual financial filings.
The review process of climate-related financial disclosures may not be consistent with the process used for the entity's other public financial disclosures.⁷

Regarding GHG emissions, the AIPCA guide identifies the following risks that should be taken into consideration:

Identification of GHG-emitting sources may be incomplete.
Identification of all types of GHG emissions may be incomplete (for example, omission of methane emissions).
If measurements or calculations are performed manually, there is risk of human error.
Incorrect or outdated GHG emission factors may be used.
Identification of or accounting for leakage may be incomplete or inaccurate.
The base year may need to be adjusted for events such as sales or acquisitions of GHG-emitting sources.
There may be double-counting of a GHG emission source within the entity.
There may be regulatory considerations providing incentive to falsify GHG emissions.
Renewable energy sources may not be considered, resulting in an overstatement of GHG emissions.⁸

See the guide (linked above) for additional risks auditors should consider in relation to health and safety, waste management, water usage, governance, and economics.

One challenge with some sustainability information is that it is incredibly difficult to measure with any accuracy. This difficulty can affect the likelihood of a material misstatement in the financial statement disclosures. The lack of measurability can affect the risks related to management bias, as well as comparability of the information for financial statement users. When this type of measurement uncertainty exists, auditors will generally increase focus on the areas where the risk of material misstatement is high. The auditor will also consider “whether management intends to include disclosures related to the reported point values with high measurement uncertainty…such as the range of values that could reasonably be attributed to the subject matter”.

After all relevant risks and assertions have been identified and the planning of the audit is complete, the audit team will begin testing procedures to gain the required level of assurance.

PERFORMING THE AUDIT

In a review audit, the assurance method employed will primarily involve higher-level procedures working with aggregated data since the level of assurance required for this type of audit is limited. The procedures for an examination audit will be more extensive and detailed in nature. While analytical procedures may be used in these audits, their utility may be limited due to the data's lack of measurability. The following is a summary of a table of example procedures that may be used to gain assurance over relevant assertions in an examination or review of climate-related disclosures. Note that certain procedures require judgment from the audit team to determine if they are necessary or sufficient.

Climate-Related Audit Procedures
a. Reading climate-related disclsoures and considering whether all required components are included
b. Inquiry of management about any known omissions of required disclosures
c. Inquiry of management with respect to climate-related processes and activities
d. Inspection of documents related to procedures in (c)
e. Obtaining written reports of risk assessments
f. Designing and performing analytical procedures on certain metrics that are accurate in measurability
g. Obtaining evidence about how metrics were calculated, and assumptions used

See the Guide for a more detailed and extensive list of procedures.

REPORTING ON THE AUDIT

After the auditor has gathered sufficient evidence and performed all procedures necessary, they will form an opinion on the reasonableness of the information. When forming an opinion, the auditor must evaluate “the sufficiency and appropriateness of evidence obtained, and whether uncorrected misstatements are material, individually or in aggregate”. If the auditor concludes that the evidence is sufficient and that uncorrected misstatements are not material, they should then evaluate “whether the presentation of the subject matter or assertion is misleading within the context of the engagement”. The auditor should re-address any risks that were identified in the planning portion of the audit. The wording and content included in the auditor’s basis for opinion will change based on whether the audit was an examination or review engagement.

A primary concern of auditors will be the completeness, presentation, and accuracy of the climate related disclosures. Companies should be prepared to show or explain how they arrived at certain numbers that they used in their calculations. Auditors will likely ask for assistance from specialists, so companies should be prepared with specific details and sources of the calculations.

Companies can prepare for these upcoming audits by understanding some of the general information that may be requested by auditors in any of the previously mentioned areas, and understanding how auditors currently approach audits of financial statement disclosures and internal controls. The process followed by auditors in an audit of climate-related risks will follow many of the same steps for an auditor of financial disclosures. It is important to keep in mind the kind of risks surrounding sustainability information that the auditor will likely want to address and ensure that your company has processes and procedures in place to provide accurate and complete information.

Resources Consulted:

https://www.thecaq.org/sp-500-and-esg-reporting/

https://www.sec.gov/files/33-11042-fact-sheet.pdf

https://www2.deloitte.com/us/en/pages/audit/articles/sec-climate-disclosure-guidance.html

‍

AICPA Attestation Engagements on Information (Including Greenhouse Gas Emissions Information) Guide