In this article, accounting firm Deloitte observes that boards and managements often experience “denial” when the topic of fraud risk arises—no one wants to feel that the trust they place in their own employees is actually misplaced.  Still, fraud risk is one topic that typically finds its way onto the agendas of audit committees. Deloitte advises that, with the current attention to ESG and in anticipation of new rulemaking from the SEC on disclosure related to climate, human capital and other ESG-related topics (see this PubCo post), “fraud risk in this area should be top of mind for audit committees and a focal point in fraud risk assessments overseen by the audit committee.” While audit committees focus primarily on financial statement fraud risk, Deloitte suggests that audit committees should consider expanding their attention to fraud risk related to ESG, an area that is “not governed by the same types of controls present in financial reporting processes,” and, therefore, may be more susceptible to manipulation. In their oversight capacity, audit committees have a role to play, Deloitte suggests, by engaging with “management, including internal audit, fraud risk specialists, and independent auditors to understand the extent to which fraud risk is being considered and mitigated.”

Deloitte cites the classic fraud triangle theory, which holds that three factors elevate fraud risk: financial pressure, opportunity and rationalization. As an example, some companies are tying ESG metrics to executive compensation, which can represent a source of financial pressure to manipulate data. Companies may also feel pressure to adopt sustainable practices and reflect positive trends in ESG for investors, NGOs and other stakeholders. In addition, companies may provide voluntary sustainability reports, but often the information “has not been gathered, tested, and reported under the kind of internal controls that typically are present with financial reporting.” These controls, if any, tend to be more novel and immature.  As a result, these reports “may suggest a heightened opportunity for people within the organization to manipulate ESG-related information.”

In its Audit Committee Practices Report, reflecting the results of a 2021 survey by Deloitte and the CAQ, Deloitte found that 42% of audit committee survey respondents reported an increase in fraud risk. And litigation risk related to ESG fraud and greenwashing appears to be growing. (See, e.g., this article.) ESG fraud is a focus of SEC Enforcement as well, the article notes.  In 2021, then Acting SEC Chair Allison Herren Lee established a new Climate and ESG Task Force in the Division of Enforcement, which sought to identify ESG-related misconduct. (See this PubCo post.)  Last year, the Task Force played a role in the SEC’s complaint against Vale S.A., a publicly traded (NYSE) Brazilian mining company and one of the world’s largest iron ore producers, charging that it made “false and misleading claims about the safety of its dams” prior to the collapse of a major dam that killed 270 people. The SEC alleged that Vale “intentionally concealed alarming signs of the dam’s instability from the investing public and Brazilian authorities. Vale also deliberately manipulated multiple dam safety audits; obtained numerous fraudulent stability declarations; and regularly and intentionally misled local governments, communities, and investors about the dam’s integrity.” (See this PubCo post.)

Drilling down, Deloitte addresses fraud risk in two areas: climate and human capital. With respect to climate, the article observes that companies may be providing climate-related metrics in voluntary reporting that may not be consistent with periodic reports and financial statements. According to the article, “the novelty of ESG-related information and the information gathering process, as well as the reliance stakeholders may be placing on such information, can make it susceptible to fraud risk…. Newer or less mature controls over reporting, ineffective controls, and the absence of controls can increase the opportunity for fraud to occur.” Anticipated regulatory developments and demands of various investors, lenders, customers and other stakeholders can “create pressure for management and the board to appear well positioned to meet targets or comply with future regulations.” In addition, any climate-related metrics that are included in key contracts or compensation agreements may also impose pressures. And, to the extent that climate-related disclosures are based on estimates, forecasts and judgments, these are “by their nature subjective and are subject to manipulation or bias.” The article advises that audit committees consider asking management “how reliable data sources are, whether they could be manipulated, and how management could potentially be motivated to intentionally manage these ESG metrics in ways that would serve management or the company’s best interests.”

Human capital is another area where fraud risk appears, the article continues, pointing to constant turnover, vacant or hard-to-fill positions and remote or hybrid work as potential factors contributing to heightened fraud risk. These factors raise concerns about control activities, segregation of duties, corporate culture that does not permit error—especially for new employees—and quality management. Deloitte suggests that audit committees challenge management regarding the efficacy of training and management, contingency plans for key personnel absences, corporate culture and management’s approach to reporting mistakes or errors, and how management is promoting culture and tone at the top, especially in remote/hybrid work environments. In addition, some companies have amped up their disclosures of human capital metrics, such as health and safety, engagement, culture, development, diversity, equity, and inclusion. Deloitte cautions that these metrics are subject to manipulation; audit committees may want to discuss with management the development of these metrics and the presence of internal controls to promote completeness, accuracy and reliability.

Deloitte also advises that audit committees ensure that ESG-related risks are included as part of companies’ fraud-risk assessments, noting that COSO—which has provided the widely recognized framework for internal control over financial reporting—has approved a study to develop supplemental guidance applying its internal control framework in the areas of sustainability and ESG for both internal decision-making and public reporting. As described by Deloitte, fraud risk assessments are “intended to help management understand who could commit fraud, what type of schemes they might devise, where and how these schemes could be carried out, and what controls a company has or does not have in place, which may help identify potential gaps in the internal control framework that is intended to prevent and detect fraud.” Deloitte suggests that audit committees “understand the company’s antifraud programs and controls, evaluate management’s process, and ask questions about the extent to which the company’s fraud risk assessments consider the risk of fraud in emerging or evolving ESG-related reporting activities. Audit committees should also understand the independent auditor’s fraud risk assessment process and findings with respect to the antifraud programs and controls as well as the risk of management override of controls.”  In addition, Deloitte recommends that audit committees ask management to “share evidence of the risk assessment to understand the level of attention given to evolving ESG fraud risks and what measures are being taken to mitigate risks as ESG-related activities evolve.”

Deloitte recommends the following questions for audit committees to ask in connection with audit-related fraud risks:

  • “To what extent has management assessed the risk of fraud with respect to the company’s growing focus on ESG strategy and reporting as part of its enterprise-wide fraud risk assessment?
  • Is the audit committee primarily responsible for ESG-related fraud risk, or is responsibility shared with other committees and/or the full board? How often does the audit committee discuss fraud risk, including ESG-related fraud risk?
  • Which member of management has authority over fraud risk, and does this person have a comprehensive view of the ESG-related fraud risks that could be present? For example, does this person’s visibility and authority extend beyond financial reporting?
  • How is management developing metrics that are provided to stakeholders related to ESG strategies or initiatives? How is management developing reporting mechanisms and addressing the potential for fraud in these ESG strategies and initiatives?
  • What internal controls are in place with respect to the development of metrics and reporting mechanisms, especially those related to ESG? What process has management adopted for promoting completeness, accuracy, and reliability of ESG-related metrics and reporting?
  • What fraud risks have been identified? How have they been evaluated and prioritized? What mitigation measures are being implemented?
  • To what extent are these metrics and ESG-related reports reviewed by internal auditors and independent auditors?”

Posted by Cydney Posner