Articles Emily Primeaux Apr 15, 2024
The SEC’s new rules will require publicly listed companies to disclose how they are managing climate-related risks. Internal audit can help companies understand and prepare for compliance with the regulations.
The U.S. Securities and Exchange Commission’s (SEC) recent adoption of rules for climate-related disclosures by publicly listed companies marks a significant milestone in corporate transparency. This move responds to investors’ growing demand for consistent, comparable, and reliable information regarding the financial effects of climate-related business risks.
The SEC rules add to a raft of climate-related reporting regulations, ranging from the European Union’s Corporate Sustainability Reporting Directive to California’s recently enacted Climate Corporate Data Accountability Act. These rules hinge on a common set of standards and frameworks, said Sarah Digirolamo, partner at Deloitte & Touche LLP in Boston during The IIA’s recent webinar, Future-Focused: Unpacking the SEC Climate-risk Disclosure Rule. “When you’re tackling this as an organization, it’s important to understand the regulatory applicability landscape and not try to look at these regulations in silos,” she explained.
For internal auditors, understanding the intricacies of the SEC rules and their implications will be crucial to navigating the regulatory landscape, proactively identifying areas of compliance and risk, and advising organizations on how to adopt business emissions reporting practices.
“This is a unique standard in that it’s the first nonfinancial metrics in a disclosure requirement that I can remember,” says Anthony DeCandido, partner and head of the sustainability services group at RSM US LLP in New York City. Until now, most organizations have reported on climate voluntarily and chosen what they disclose without the rigorous requirements of financial reporting, he notes.
“Now the market has responded by saying this information, like financial data, must be verifiable, complete, accurate, and comparable,” DeCandido says. “A lot has been done to ensure ultimate relevance in the usefulness of the data being used by companies while reporting.”
The SEC rules require registrants to disclose climate-related risks that have had or are likely to have a material impact on their operations, including strategies to mitigate such risks. Of particular significance are Scope 1 and Scope 2 greenhouse gas (GHG) emissions. These emissions, which encompass direct emissions from company-owned or controlled sources (Scope 1) and indirect emissions from the generation of purchased energy (Scope 2), must be disclosed on a phased-in basis by larger registrants when deemed material.
Additionally, listed companies must subject their reporting to assurance covering these emissions, enhancing the reliability of disclosed information. This emphasis on emissions disclosure underscores the SEC’s commitment to providing investors with comprehensive insights into companies’ environmental impact and risk management practices — but it has its detractors.
“There’s been backlash from broad market participants — CEOs, chief financial officers, internal audit, and sustainability — about the relevance of these disclosures because companies will now need to do fundamental climate accounting,” DeCandido says. In response to public comments on the draft rules, the SEC omitted some requirements, including Scope 3 emissions that he says would be difficult to track and report.
DeCandido says companies must now prepare certain nonfinancial climate accounting metrics along with a slew of climate-related disclosures, such as metrics and targets, expenditures and impacts, and risk management strategy. All principles come from the Task Force on Climate-related Financial Disclosures (TCFD).
According to Mallory Thomas, partner and head of ESG and sustainability at Baker Tilly in Minneapolis, the most impactful piece of the SEC rules is the risk disclosure element. “How are companies evaluating climate-related risks within their organizations?” she asks. “How are they thinking through their overall enterprise risk management (ERM) processes? How are these risks interrelated and how are they disclosing these risks? This is going to be a lift for a lot of smaller public companies that might not have a formal ERM function to leverage.”
Specifically, Thomas says companies will need to take inventory of the Scope 1 and 2 reporting data collection process. Also, there will be more of an ongoing cadence of reporting to meet disclosure requirements, which will require an upfront planning process. “Make sure you’re identifying data sources, including vendors, invoices, and how you can gather that information and plan out the process of Scope 1 and 2 reporting,” she says.
As for climate risks, Thomas explains that because they are physical risks, organizations will need to determine all their physical locations. Where does the company have manufacturing plants? What are the acute and chronic risks that are applicable to those plant locations? Companies may seek additional support and resources to perform scenario analyses and evaluate these risks because of the complexities in evaluating physical risks.
Auditors have a unique opportunity to contribute to their organization’s response to the SEC’s emissions disclosure ruling by using their expertise in governance, risk management, and compliance, experts say. As guardians of transparency and accountability, internal auditors can help guide companies through the complexities of regulatory compliance while simultaneously enhancing their resilience to climate-related risks. By proactively engaging with stakeholders, facilitating strategic discussions, and implementing robust assurance processes, auditors can position their organizations to successfully navigate sustainable and responsible business practices.
DeCandido first recommends ensuring internal auditors have a complete understanding of the regulations. “Do you have the requisite expertise with carbon accounting?” he asks. He notes that companies must evaluate their data aggregation competencies. “If you’re a capital-intensive business, do you have proper systems to organize the data in sufficient form so you can ultimately report?” he adds.
DeCandido also recommends mirroring controls that internal auditors are accustomed to from a financial lens and assigning cross-functional responsibility for the end product because it has elements of sustainability and climate mixed with auditing, accounting, and finance. “If you’re relying on your sustainability department to prepare client accounting, they’re not technically trained in financial reporting,” he explains. “Their systems of control might vary from the work initiated by an internal audit or finance department.”
Moreover, internal audit must gain sustainability expertise. “You need to evaluate your competencies inside the group and assign roles and responsibilities like accountability measurements, proper governance, and regular checkpoints,” DeCandido says.
Other recommendations include:
These recommendations align with internal audit’s skills, Thomas notes. “Internal auditors understand where systems and data live within an organization and know controls — making sure data sets are complete and accurate and that the population is complete that they’re reporting,” she says. “Internal audit can think through IT controls, proper identification of control owners, the use of third-party provided data and information, and change management protocols. Internal audit can help organizations identify source data and the controls for source systems, data, and spreadsheets.”
Thomas recommends using the many free resources available from the TCFD’s webinars, toolkits, and articles. Though the SEC didn’t fully adopt all the TCFD’s recommendations, it is aligned with the TCFD’s disclosure requirements.
The Fifth Circuit U.S. Court of Appeals ruling on March 19 granting an administrative stay to temporarily halt the implementation of the SEC’s climate disclosure rule has introduced a new layer of uncertainty for companies. This decision, prompted by a petition filed by Liberty Energy and Nomad Proppant, highlights the contentious nature of the rule, particularly regarding its potential impact on businesses and the scope of information required for disclosure. Moreover, the SEC announced this month that it will temporarily hold off implementing the rules, pending the outcome of a separate lawsuit brought by attorney generals from nine states.
These developments signal ongoing challenges and debates surrounding climate-related disclosures in the corporate landscape. However, according to DeCandido, the largest U.S companies had already been doing some form of reporting before the SEC’s rule was finalized because their stakeholder groups have asked for it. From a leadership standpoint, that implies that other companies should complete similar reporting because many of them align with those large firms’ value chains.
Penalties for noncompliance also are to be determined by the SEC. While some precedent exists, DeCandido says brand or reputational risk is most concerning. “We have a whole new frontier of compliance risk and the minute any of this lives in your public company filings, the scrutiny that would come with it is akin to financial reporting,” he explains. “Hence, why companies are trying to get this right, institutionalizing their control environment, and bringing in expertise.”
This is a pivotal moment in corporate transparency, prompting publicly listed companies to navigate a complex regulatory landscape, guide strategic decision-making, and enhance resilience against climate-related risks.