
Debunking ESG Myths / SEC Proposed Rule Highlights

Debunking ESG Myths

BY STEPHEN D. WILKERSON, CPA, CFSA

Many organizations realize the importance of ESG (environmental, social, and governance) performance. Putting effort into ESG can improve organizations by making them more efficient and helping them manage risks. Organizations use ESG programs as a differentiator when telling their story to investors, customers, employees, and other stakeholders. However, some organizations have concerns about whether putting effort into ESG programs is worthwhile. Below are a few myths about ESG.

MYTH #1: ESG IS A WASTE OF RESOURCES.

ESG covers an extremely broad range of topics, which could lead to organizations giving their attention to areas that do not bring as much value. Having the right ESG proposition provides value. Here are some overall best practices for incorporating ESG into your organization:

Focus your resources on matters that are important for stakeholders. Conducting an ESG materiality assessment can help you identify and understand the importance of specific ESG topics to your organization and your customers, employees, investors, and other stakeholders. The organization can then concentrate its effort on those areas that are determined to be important to stakeholders and also contribute to business success. Start by focusing on a limited number, e.g., three to five topics or initiatives, and don’t try to do everything at once.

Link ESG reporting to the organization’s strategy and enterprise risk management (ERM) process. Companies often work to improve metrics when those metrics are tracked and included in an ESG report. Therefore, it is valuable to report on ESG metrics that are important for the organization’s success. Linking those metrics to the organization’s ERM helps make them relevant and provides additional focus and executive sponsorship. Answering the following questions can help to link ESG reporting with the organization’s strategy and ERM:

• What things will be increasingly important to future profitability?
• What risks would prevent the organization from being successful in the future?
• Is employee turnover, efficiency improvements, or employee health and safety important for your organization’s success?

Commit to getting value out of the process. Using ESG reporting for only marketing and other external purposes brings limited benefits. Committing to learning from and improving upon the organization’s ESG metrics makes your organization better.

MYTH #2: THERE ARE TOO MANY ESG REPORTING STANDARDS AND FRAMEWORKS FOR ESG REPORTING TO BE BENEFICIAL.

Currently, there are a number of different ESG reporting standards and frameworks that organizations are using to report ESG information. However, this number is shrinking. Six of the seven most commonly used ESG reporting standards and frameworks are in the process of being consolidated with the International Sustainability Standards Board (ISSB) or have committed to coordinating standard-setting activities with the ISSB. This process is intended to bring more consistency to ESG reporting. On March 31, 2022, the ISSB released exposure drafts of its new standards, which include industry-specific standards. On March 21, 2022, the SEC proposed new rules (www.sec.gov/news/press-release/2022-46) that would require most public companies to disclose their greenhouse gas (GHG) emissions and details of how their business is affected by climate change. The SEC proposed rules align with the climate portion of the ISSB’s proposed standards. These proposed rules would bring increased consistency in GHG emissions disclosures if these rules are finalized. The proposed rules include attestation requirements for these disclosures.

The proposed SEC rules make the reporting of climate data even more critical. With the universe of ESG standards shrinking considerably due to the ISSB consolidation, the process of selecting the proper framework for your ESG reporting is being made much simpler and more relevant to your organization’s needs.

MYTH #3: ESG INFORMATION ISN’T RELIABLE.

Information contained in ESG reports needs to be accurate and reliable since it is used in decision making. This decision making may be internal, e.g., board or management, or external, e.g., customer or investor. Having controls in place for the accurate reporting of ESG information is important, similar to the importance of having controls in place for an organization’s financial reporting. Accounting firms that provide ESG services can conduct a pre-assurance readiness engagement that includes evaluating controls and providing recommendations on improving the quality of ESG data. Assurance of ESG information also can be provided to increase the credibility of the information reported and can be either limited assurance, similar to the level of assurance in a financial statement review, or reasonable assurance, similar to the level of assurance in a financial statement audit.

MYTH #4: ESG IS FOCUSED ON ENVIRONMENTAL FACTORS.

Although diversity, equity, and inclusion (DEI) and climate risk are hot topics, governance is a very important, but sometimes overlooked, aspect of ESG. Governance includes such critical areas as risk management, fraud prevention, and oversight of cybersecurity. ESG rating organizations calculate composite ESG scores for companies by using varying weights for ESG components. In many industries, ESG rating organizations often give governance the largest weighting when compared to environmental and social components. Good governance helps organizations capitalize on opportunities and address challenges and risks they may face now and in the future.

Stephen D. Wilkerson, CPA, CFSA, FSA Credential Holder, is a manager with FORVIS, Denver. Contact him at Steve.Wilkerson@forvis.com.

The Proposed Climate Disclosure Rule

BY STEPHEN D. WILKERSON, CPA, CFSA

The SEC’s proposed rule for the enhancement and standardization of climate-related disclosures for investors has received extensive attention since its release in March 2022. The proposed rule would make amendments to Regulations S-X and S-K, which set reporting requirements for registrants subject to various SEC filings, including the annual Form 10-K. These proposed rules generally align with the existing Task Force on Climate-related Financial Disclosures (TCFD) framework and the Greenhouse Gas Protocol standards. SEC reporting companies, even those with no publicly listed securities, will need to assess the proposed rule’s impact on their company and design a strategy for compliance with the proposed requirements.

This article will not cover the entire proposed climate disclosure rule. Instead, it will focus on the following disclosure areas of the proposed rule, which are expected to take considerable effort for filers to prepare:

• Risk identification and risk management activities
• Financial metrics
• Greenhouse gas (GHG) emissions

RISK IDENTIFICATION & RISK MANAGEMENT ACTIVITIES

Registrants will be required to disclose information regarding their processes for identifying, assessing, and managing climate-related risks.

Climate-related risks are classified as either:

• Physical risk or conditions and events, both acute and chronic, which present risks to the company related to the physical impacts of the climate, i.e., climate-related natural disasters and changes in weather patterns; or,
• Transition risk or risks related to a potential transition to a lower carbon economy, e.g., shifts in consumer preferences or carbon taxation policies.

In addition, certain information about a company’s transition plan would require disclosure if a company has a transition plan. The proposed rules define a transition plan as a filer’s strategy and implementation plan to reduce climate-related risks.

FINANCIAL METRICS

Registrants will be required to disclose certain disaggregated climate-related financial statement metrics in a note to the audited financial statements. These disclosures are intended to increase the transparency about how climate-related risks impact the financial statements. These metrics include:

• Financial impact metrics, which describe the impact of climate-related events and conditions, i.e., severe weather events and other natural conditions and identified physical risks, on the consolidated financial statements, unless such impact is below a specified threshold;
• Financial expenditure metrics, which describe any expenditures or capitalized costs as a result of climate-related events and conditions or transition activities; and,
• Financial estimates and assumptions, which describe whether the estimates and assumptions used to produce the consolidated financial statements were impacted by climate-related risks.

GREENHOUSE GAS (GHG) EMISSIONS

GHG emissions fall into three categories, or “scopes,” including:

• Scope 1: Direct emissions from a registrant’s owned or controlled operations
• Scope 2: Indirect emissions from purchased or acquired electricity, steam, heat, or cooling
• Scope 3: Indirect emissions resulting from activities that are not owned by the organization but that the organization incurs through its supply chain (upstream and downstream)

All registrants will be required to disclose their Scope 1 and 2 GHG emissions, and certain registrants will be required to disclose Scope 3 GHG emissions. (See the table here.) The proposed timelines for the GHG disclosures required under the proposed rule depend on the filing status of the company and the category of the emissions being disclosed.

| Registrant Type | Scope 1 & 2 Emissions & Other Proposed Disclosures | Attestation – Scope 1 & 2 GHG Emissions: Limited Assurance | Attestation – Scope 1 & 2 GHG Emissions: Reasonable Assurance | Scope 3 Emissions Disclosures, if Material or in a Reduction Target or Goal |
| --- | --- | --- | --- | --- |
| Large Accelerated | Fiscal year 2023 (filed in 2024) | Fiscal year 2024 (filed in 2025) | Fiscal year 2026 (filed in 2027) | Fiscal year 2024 (filed in 2025) |
| Accelerated | Fiscal year 2024 (filed in 2025) | Fiscal year 2025 (filed in 2026) | Fiscal year 2027 (filed in 2028) | Fiscal year 2025 (filed in 2026) |
| Non-Accelerated | Fiscal year 2024 (filed in 2025) | Exempted | Exempted | Fiscal year 2025 (filed in 2026) |
| SRC | Fiscal year 2025 (filed in 2026) | Exempted | Exempted | Exempted |

Registrants required to disclose Scope 3 emissions may ask private companies in their supply chain, e.g., vendors and suppliers, to provide GHG emissions estimates for the registrant’s Scope 3 disclosures, since the emissions associated with services and products purchased from vendors and suppliers are included in Scope 3 emissions.

Access Security: Using Multi Factor Authentication

BY BRUCE A. GRAY, CPA, CGMA

As CPAs, we are responsible for safeguarding our clients’ sensitive data. With the migration to cloud-based computing, increased remote work, and the increasing sophistication of hackers targeting the very data we are responsible for protecting, it is critical for us to provide safeguards aimed at preventing unauthorized access. We’ve all seen the stories of hackers gaining access to databases with personal information like credit card and Social Security numbers. Even the government has been victim to these attacks.

Early on, we all employed user IDs and passwords to access our computers and other devices. We even learned to make our passwords more difficult to decipher by using upper and lower case letters, special symbols, and numbers. But even the most sophisticated user IDs and passwords are no longer sufficient protection. Today, a myriad of tools can be employed to circumvent passwords. It also doesn’t help that often we are ultimately the weak link by creating simple passwords, using the same password for multiple sites, and making access to our passwords too easy. Accordingly, for those of us required to protect data, we need to take the use of multi-factor authentication, or MFA, seriously.

The fundamental premise of MFA is to require more than one barrier to access to data, and in so doing, make it more difficult for unauthorized users to gain access. MFA uses multiple elements to establish the identity of someone attempting to access data. The three typical elements are:

• Something the user knows – a password, pass phrase, or PIN
• Something the user has – a physical token or device-based authenticator
• Something the user is – a biometric such as a fingerprint, face recognition, or retina scan

You probably have encountered MFA in connection with a bank or other financial account. An early example of MFA was accessing your bank account via an ATM. You insert your bank card into the ATM and then provide a PIN to gain access. So, in this example, the MFA utilized both something the user has (card) and something the user knows (PIN).

Several years ago, when I was one of a handful of people who had approval authority for outgoing wire transfers, I had a small fob that generated a new passcode at periodic intervals. When providing approval, I would log in using my user ID and password and would need to provide the code that was displayed on the fob, after which the bank was authorized to complete the wire transfer.

Access to the members-only section of the COCPA website utilizes a basic form of MFA. You enter your email, which is matched against a member database, and if matched to an email on file, a passcode is emailed to you, which you enter to gain access. These passcodes typically have a short lifespan after which they expire and will no longer access the account.
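The emailed-passcode login described above, sketched in Python as an added example (it is not the COCPA site's code). The class name, the five-minute lifetime, and the five-attempt limit are assumptions chosen for illustration; the sketch shows the expiry, single-use, and guess-limiting checks a verifier needs.

```python
import hashlib
import hmac
import secrets
import time

PASSCODE_TTL_SECONDS = 300  # assumed "short lifespan": five minutes
MAX_ATTEMPTS = 5            # assumed limit on wrong guesses per passcode


class EmailPasscodeVerifier:
    """Issues and checks short-lived, single-use emailed passcodes."""

    def __init__(self, member_emails, clock=time.time):
        self._members = {e.strip().lower() for e in member_emails}
        self._clock = clock                   # injectable so tests can move time
        self._key = secrets.token_bytes(32)   # per-process key for stored digests
        self._pending = {}                    # email -> {digest, expires, attempts}

    def _digest(self, email, code):
        # Store a keyed digest instead of the passcode itself.
        msg = f"{email}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, email):
        """Return a new 6-digit passcode for a known member, else None.

        The caller emails the code; it must never be sent back to the browser.
        Issuing a new code replaces any earlier pending code for that address.
        """
        email = email.strip().lower()
        if email not in self._members:
            return None
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[email] = {
            "digest": self._digest(email, code),
            "expires": self._clock() + PASSCODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, email, code):
        """Return 'ok', 'wrong', 'expired' or 'no_code'."""
        email = email.strip().lower()
        entry = self._pending.get(email)
        if entry is None:
            return "no_code"
        if self._clock() > entry["expires"]:
            del self._pending[email]
            return "expired"
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(self._digest(email, code), entry["digest"]):
            del self._pending[email]  # single use: a replayed code fails
            return "ok"
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[email]  # stop guessing against a 6-digit space
        return "wrong"
```

In a real login page the response shown to the user should be the same whether or not the address is on file, so the form cannot be used to test which emails belong to members.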

With the increase in online banking, financial institutions have increasingly moved to MFA access tools. Sometimes it is the addition of a passphrase or PIN following the initial user ID and password input. Other times it involves sending a one-time passcode to a mobile device or to email.

SaaS vendors of software that maintains sensitive data such as identifying information or financial data have also increasingly used MFA to control access to data. QuickBooks Online allows you to use a user ID and password but also provides for using a passcode for login purposes. Even though there is access via only user ID and password, the software periodically requests the addition of a passcode before providing access. As we increasingly log in from a variety of locations, these same systems are doing some behind-the-scenes verification and will require an additional form of authentication if they do not recognize the IP address from which someone is attempting to log in.

Many of us have probably adopted some form of secure exchange tools for sending and receiving sensitive client data such as ShareFile, Bynder, or FileInvite. I utilize a secure portal via my website to allow for the exchange of documents with my clients. Many of these tools are now adopting the use of MFA to increase the existing security of the environment as well.

Hardware manufacturers also are utilizing some MFA for accessing devices. Increasingly, both Android and iOS based phones, tablets, and laptops have either a fingerprint reader or facial recognition software included as login options on their software. While this technology was a bit inconsistent in early implementation, it has improved to be much more reliable. Once only seen in science fiction and spy movies, things like facial and voice recognition and retina scans are ready to be used in commercial and consumer applications.

Several MFA software tools are available. Check out the article at cofes.com/mfa-solutions/ for examples and reviews. Several software tools have this capability embedded as part of the software. You should probably check with your software vendors to see if there are options for turning on MFA within the software.

Data security always will be a concern, and as we improve the barriers, those who would exploit the data always will be right on the heels of the improvements made. Creating a series of barriers to access, especially integrating the use of biometric data, will be an important part of protecting sensitive data.

Bruce A. Gray, CPA, CGMA, Milliken, is a member of the COCPA Technology Users Group. Contact him at bruce@bagcpa.net. For information on and to join the Technology Users Group, contact Stacy Svendsen, stacy@cocpa.org.

Challenges and Opportunities in Governmental A&A

BY NATALIE ROONEY

The governmental accounting and auditing niche is facing a familiar problem – too much work and not enough qualified people to do it. The shortage of accountants working on governmental audits is being driven by several factors, says Jim Rae, CPA, owner of Rae & Co., CPA, LLC, Denver, and co-chair of the COCPA Governmental Issues Forum.

The field has become increasingly complex. In addition, single audits, which many organizations need for the first time in the wake of federal stimulus money, are technical and require increased oversight. “The feds threw a ton of money at everyone without a lot of clarity around the rules and how money could be spent,” Rae says. “There was no guidance on how to report things. Does it belong on the SEFA (Schedule of Expenditures of Federal Awards) or not? Single audits are difficult because they’re not something we’re trained to do, and there are so many rules and regulations.”

Another challenge has come from a skilled workforce that is shrinking because of retirements and the Great Resignation. “No one is stepping up to fill that void,” Rae says. He describes clients, especially in rural areas, who go for years without a degreed accountant on staff and only Rae and his team doing the financials at the end of the year. “These are highly technical areas with pension reporting and additional GASB pronouncements – the work is not within these local governments’ scope of training.”

SCHOOL DISTRICT SCRAMBLE

School districts have been hit particularly hard by the government auditor shortage. According to Colorado statute, all school districts must have an audit submitted to the Office of the State Auditor and the Colorado Department of Education’s School Finance Division by Dec. 30 each year. While school districts can file for an extension, which they are doing in record numbers, the districts struggle to find anyone to perform the audit, let alone complete it on time. When a school district fails to meet the deadline to submit its audit, the consequence is the withholding of property taxes, and it’s no longer in compliance. That’s a big problem because school districts rely on those funds to operate.

“School districts are short-staffed. They can’t get anyone in the door to even train on their finances,” says Crystal Dorsey, CPA, Local Government Audit Manager for the Colorado Office of the State Auditor. “There’s a lot of inexperience out there which translates into a delay in preparing the information. When the information does finally go to the auditor, it’s not accurate, rework is required, and there are problems with the audit. It takes longer and costs more.”

Dorsey echoes Rae’s comment that auditing standards continue to become more complicated with additional requirements and new wording changes and format for the opinion with factors related to audit complexity. “That affects all auditors, not just government auditors, but when you have these smaller firms with a niche in governmental accounting, staff is struggling to keep up with the standards,” she says.

“The combination of all of these factors just in the last two years in a pandemic environment has impacted a lot of auditors,” says Gina Faulkner, Legislative Financial Auditor - Team Lead, for the Office of the State Auditor. “Some have decided to discontinue doing audits for a specific client because a single audit is needed. They say they’ll wait until a client is past this influx of federal money.”

Overall, Dorsey says the cost of doing an audit is going up because of more regulations, less labor available, and more mistakes made by clients who lack the internal knowledge. The role of the Office of the State Auditor is to look at the audit opinion and financial statements to make sure an entity is in compliance. “We send letters when we see a deficiency that should be corrected in next year’s report,” Dorsey says. “Maybe it’s a missing note disclosure, or something not tying, but we’re also currently seeing issues with the audit opinion and have to send letters to the auditors.”

When Dorsey speaks at government accounting conferences, she usually makes a plug for auditors to look at the guidance and resources provided by the AICPA. “That’s our guide for reviewing what the opinion should say,” she says. “The information is available to them as practitioners.”

LATE GUIDANCE AND MISSED DEADLINES

When school districts miss their audit deadlines, the consequences are outlined in state statute. The auditor’s office notifies the county treasurer to place a hold on property taxes. In addition, the auditor’s office may cause an audit, but Dorsey says if an audit is in process, the state auditor’s office won’t come in and start a new audit.

While there are always a certain number of school districts that file extensions, they usually meet that extension. But these last two years have been unique because of the single audits and staffing shortages at CPA firms, Faulkner says. “Some of these school districts aren’t able to get their audits completed in a timely manner, even if they have in the past.”

Missing the deadlines hasn’t been the fault of the school districts or the auditors, Dorsey asserts. “The federal government released its guidance in the form of the compliance supplement but didn’t provide the information related to the pandemic until December 2020 for the year that ended June 2020.” “Normally, an audit would be finished by then.” In 2021, guidance was available in August with addendums released in December 2021 and January 2022.

“If a school district needed an audit and the auditor was waiting for guidance, it was the perfect storm,” Faulkner adds. “Federal funding plus late guidance? Things were destined to be delayed.”

Dorsey says the number of delinquent school districts more than doubled in the last two years – from six in 2019 to 16 in 2020. While that doesn’t seem like a lot out of Colorado’s 178 school districts, it was out of the norm.

SHOULDERING THE WORKLOAD

Rae says it has come to the point that he’s having to turn down work. “Right now, we can’t take on more clients and meet existing deadlines.” It comes down to the inability to find people to send out to do the work. “For now, this is where we are. We’ll see about adding staff next year.”

Fee pressure also is contributing to the ongoing problems. Rae describes a recent bid for a town with a 59-page financial statement, eight opinion units, and two bases of accounting – full and modified accrual. Ultimately, the town went back to its original auditor instead of choosing a new firm. Rae felt it would have been a lot of work for not a lot of money.

Because the Office of the State Auditor is on the back end of the process, there is little it can do to relieve the shortage of governmental CPAs. It does work with the Colorado Department of Education, the Department of Local Affairs, and the Colorado Government Finance Officers to offer Budget and Audit 101 classes to help local governments and school districts understand how to prepare an RFP, select an auditor, prepare for the audit, establish internal controls, and generally improve the audit inputs.

“We’re not able to recommend a specific auditor, but we can offer advice on best practices,” Faulkner emphasizes.

NEW OPPORTUNITIES FOR CPAS

After spending many years in the world of government accounting, Dorsey says she still finds it rewarding. She encourages CPAs who want to expand their book of business to consider the government arena. “This area needs qualified people who are willing to learn. There are plenty of resources available if you want to expand your skill set.”

Faulkner says the government world is a completely different animal, inside and out, from the private sector, made up of public servants doing what they think is best to help taxpayers. “It’s rewarding to keep things on the right track for accountability and transparency.”

“Having quality audits and financial statements is so important for the governmental arena because we have those taxpayers to answer to,” Dorsey agrees.

Rae looks forward to the continued opportunity to help his governmental clients. “If you want to make an impact, you can do that in government accounting because you’re dealing with clients that in many cases aren’t as sophisticated. They need assistance, and if they’re willing to change, you can see a lot of growth and make a positive impact in what school districts and local governments do.”

JOIN THE GOVERNMENTAL ISSUES FORUM

This COCPA member group provides guidance on current implementation issues and legislative matters; maintains liaison with the governmental financial community and practitioners; responds to exposure drafts from GASB, AICPA, and OMB; works on governmental standards overload; and on a confidential basis, reviews governmental audit reports submitted by COCPA members for educational review. To participate, contact Stacy Svendsen, stacy@cocpa.org, 303-741-8613.

CLIMATE DISCLOSURE RULE (CONTINUED)

The proposed rule requires large accelerated and accelerated registrants to obtain external attestation of Scope 1 and Scope 2 GHG emissions by an outside firm, beginning with fiscal year 2024 reporting. See forvis.com for other articles about the SEC’s proposed climate disclosure rule.

This article is for general information purposes only and is not to be considered as legal advice. This information was written by qualified, experienced professionals at FORVIS, but applying this information to your particular situation requires careful consideration of your specific facts and circumstances. Consult a professional at FORVIS or legal counsel before acting on any matter covered in this update.

Article reprinted with permission from FORVIS, LLP, forvis.com. All rights reserved.

FORVIS, LLP ranks among the nation’s top 10 professional services firms. Created by the merger of equals of BKD, LLP and Dixon Hughes Goodman, LLP (DHG), FORVIS is driven by the commitment to use our forward vision to deliver Unmatched Client Experiences™. FORVIS is built upon the strong legacies of BKD and DHG, which is reflected in a name that comprises partner initials and represents our unique focus on preparing our clients for what is next. With more than 5,500 dedicated professionals who serve clients in all 50 states as well as across the globe, FORVIS offers assurance, tax, advisory, and wealth management services. Visit forvis.com for additional information.
