What is an ESG Audit?

Why is this necessary?

Imagine there were no rules for corporate financial disclosures (such as IFRS or US GAAP, now known as US GAAS, a rather unfortunate acronym). Companies could make up their own ways of reporting financial information—revenues, accounts receivable, inventory, debt, etc.—using their own definitions and preferences. For investors and others who rely on financial statements, this would be chaotic, unreliable, and definitely not comparable across companies. 

However, up to now (or technically until 2024), companies have not been required to provide assurance that ESG-related data they publish has been verified. This has given rise to a growing call for something like a financial audit for ESG data, and such audits—often called ESG Assurances—are a growing trend. In this article, we discuss what is involved in an ESG audit and why companies are recognizing the benefits of doing one, and how they outweigh the costs.

Why do we need ESG audits?

The need for comparability is one of the main motivations behind environmental, social, and governance (ESG) reporting frameworks. Many have been established, including the Global Reporting Initiative (GRI), the Sustainability Accounting Standards Board (SASB), the Task Force on Climate-Related Financial Disclosures (TCFD), the new EU Corporate Sustainability Reporting Directive (CSRD), which will require companies to follow the European Sustainability Reporting Standards (ESRS), India’s Business Responsibility and Sustainability Report (BRSR), and standards for Australian companies to be released in 2024, among others.

Establishing these reporting frameworks is unquestionably important, but the standards themselves can only go so far. If no one checks to see whether the inputs behind the numbers published in these disclosures are valid, they won’t be seen as reliable. 

Imagine that public companies were not required to publish audited financials. In that scenario, if the Income Statement showed a company’s operating margin had weakened in a given quarter, the CFO could simply report a different Cost of Goods Sold that would make everything look better. Such blatant manipulations are fairly rare because public companies must provide audited financials in just about every country where publicly traded companies exist. These audits allow investors, lenders, suppliers, and others who rely on financial statements to assume the inputs behind the numbers on those statements are legitimate.

Similarly, one of the main reasons for an ESG audit is to verify the accuracy of the ESG-related data that a company discloses to investors, employees, suppliers, and regulators. In a previous article, we asked the question: Why is it so difficult to obtain useful, reliable ESG data that is comparable across companies? Without a formal ESG audit, it’s hard to know whether the information reported is anything more than a back-of-the-envelope estimate, or worse—a deliberate deception.

Audits uncover ESG risks

In addition to validating the integrity of a company’s ESG-related information, an ESG audit can also assess the organization’s ESG risks and recommend ways to address them. In that sense, an ESG audit extends into what may be thought of as due diligence. As Deloitte notes, this risk assessment “includes validating the effectiveness of ESG-related controls and activities to help organizations manage those risks.” 

Here are some of the risks an ESG audit may examine: 

  • Environmental risks created by greenhouse gas emissions and other forms of pollution, inadequate water supplies, shifts in tourism patterns due to extreme heat, deforestation, loss of biodiversity, and soil erosion associated with agricultural activities, etc. The US Federal Reserve notes that such risks can affect economic activities and may pose financial risks such as changes in the value of financial assets and the cost or availability of liquidity or credit, among others.
  • Social risks that can affect job satisfaction across a company’s workforce, and lead to costly turnover, as well as damage to brand image and overall corporate reputation. This category covers worker safety, biases in hiring practices, and supply chain issues such as child labor and modern slavery. 
  • Governance risks may include adherence to anti-corruption laws, data privacy and protection practices, and issues associated with the use of artificial intelligence that may be trained on biased data sets or may make predictions about customer preferences that are wildly off-base. 

An ESG risk audit requires an understanding of, and a decision about, the issue of single or double materiality, i.e., will the audit focus exclusively on how a given risk could affect the company’s business, or will it also consider how the company’s business activities contribute to that risk for society? A favorite example: coal-fired power plants are responsible for a large percentage of the world’s CO2 emissions, but a utility’s business is not particularly affected by climate change. In contrast, property and casualty insurers’ CO2 emissions are negligible but their businesses are clearly impacted by the increased frequency and severity of fires and floods caused by global warming.

ESG audit standards 

ESG reporting frameworks such as the GRI, SASB, and TCFD provide principles-based guidance on identifying ESG issues and lay out how companies should present information. They typically help companies to determine which metrics to disclose for each topic, such as carbon intensity or the number of training hours per worker. But a reporting framework does not validate the numbers. That’s where audit or ESG assurance standards come into play.

Generally speaking, there are two levels of ESG assurance. Just to confuse matters, the U.S. and Europe use different terms to describe them:

  • U.S. – Examination (higher level); Review (lower level)
  • Europe – Reasonable Assurance (higher level); Limited Assurance (lower level)

A higher level audit affirms that the information reported is materially correct. This requires a greater understanding of internal processes and controls, and auditors must trace metrics back to their original sources. It also involves a more in-depth analysis of risks. This type of audit is more costly but limits greenwashing and prevents a company from focusing only on areas that present their ESG practices in a favorable light. 

With a lower level audit, the auditors state they are not aware of any material modifications that should be made. There is less verification of input sources, a less detailed understanding of processes and controls and a lower level of scrutiny of source data and topics to include in the report. Auditors rely more heavily on representations made by the company. 

An ESG audit can be internal or external, but noting that ESG-related responsibilities within an organization can be unclear and are not always well coordinated, KPMG predicts that third-party auditors and specialists will become increasingly important.

Challenges in ESG audits

The challenges companies encounter in implementing ESG initiatives will be reflected in the challenges an ESG audit will uncover. For example, 

  • Does a company clearly define ESG-related reporting items and centralize the data needed to calculate them, or do different divisions (perhaps geographically dispersed) collect and submit their own data to be combined regardless of inconsistencies?
  • Can the company truly measure progress on its ESG initiatives (such as reducing its carbon footprint or reaching workforce diversity goals)? See the concerns about centralized, consistent data collection above.
  • Can the ESG data collected be mapped into the metrics called for by the relevant reporting framework(s)—CSRD, SASB, GRI, etc.?
  • Is one central entity responsible for responding to ESG Rating Agency questionnaires (e.g., from MSCI, S&P Global, ISS, etc.) or are divisions handling these questionnaires based on geographic location? 

Global sustainability assurance guidance is in process

In response to a growing demand for reliable, transparent ESG reporting and the shift from voluntary to mandatory disclosures, the International Federation of Accountants reports that the International Auditing and Assurance Standards Board (IAASB) has proposed International Standard on Sustainability Assurance 5000 (ISSA 5000), General Requirements for Sustainability Assurance Engagements. These standards, which aim to establish a global baseline for ESG and sustainability assurance, will be:

  • Framework neutral, usable regardless of the reporting framework, standard or criteria a company uses so that it can be implemented in different contexts;
  • Scalable, meaning it can be used for a single metric, a small company, a multi-national corporation, or even across an entity’s value chain;
  • Usable by practitioners from any profession, provided they comply with certain ethical requirements and quality management standards that are at least as rigorous as the International Code of Ethics for Professional Accountants (including International Independence Standards) published by the International Ethics Standards Board for Accountants, and the IAASB’s suite of quality management standards.

The proposed standard is suitable for reporting under frameworks that include the CSRD, ISSB, GRI and IOSCO frameworks. It is due to be finalized by the end of 2024.

To put the icing on the cake in terms of the value of an ESG audit, ESG disclosures can affect valuations in IPOs and M&A transactions. A study titled “ESG Disclosure and Idiosyncratic Risk in Initial Public Offerings,” published in the Journal of Business Ethics, states that “ESG disclosure covers a wide spectrum of sustainability-related aspects that are not normally captured in more traditional investment reporting and analysis. Voluntary disclosure at the time of [an IPO] listing can improve the quality of corporate information, reduce information asymmetry in firm value and signal compliance with societal norms concerning sustainable business conduct, which is assumed to lead to increased legitimacy and reduced idiosyncratic risks.” We think that summary of the value of ESG disclosures applies far beyond the IPO context, but those disclosures need to be validated.