Skip to content

How to Prepare for Climate Rules Compliance and the Role of Third-Party Assurance

Jun 26, 2024

As organizations navigate the evolving landscape of climate disclosure regulations, understanding the challenges and preparing effectively is essential. Our panel discussed key topics, actionable strategies, and valuable takeaways.


Charles Waring:Thanks, Bella. Good afternoon. Good morning, everyone. We're excited to be co-hosting this webinar with our friends from Greenplaces. So with that, I'm going to turn it over to Corinne, who will be our moderator for today's discussion.

Corinne Hanson:Thanks, Charles. Hi everyone. Welcome. My name is Corinne Hanson and I'm very happy to be moderating this session alongside Charles and Lourenco. As Charles mentioned, I'm the VP of sustainability and ESG strategy with Greenplaces. We are a sustainability software platform that base everything off of carbon accounting and make recommendations about how to decarbonize to our clients.

I, myself have worked in sustainability for close to 15 years everywhere from public policy to environmental policy with nonprofits, and then most of my career has been spent advising Fortune 500 companies and mid-size companies on their sustainability strategies. So being able to do that with a tech and data landscape perspective has been fascinating.

And Greenplaces and EisnerAmper have been partners across our platform and services to give clients accurate, trusted carbon footprints along with access to sustainability experts to meet any reporting needs. We have hundreds of customers across industries like legal, software, tech, restaurants, staffing, professional services, consulting, insurance, more. I'm sure there's more that we can name who, as I'm sure many of you are navigating the regulatory landscape, and calculating and reporting on carbon emissions for the first time.

So it was a pretty natural collaboration for us to want to get together and have this conversation to combine our various experiences, and to break down preparations for upcoming and existing climate rules and the role of third-party assurance. Before we dive into the questions, I just want to hear a little bit more about your background and share with the group. So Charles, do you mind kicking us off?

Charles Waring:Sure, thanks, Corinne. I'm Charles Waring, I'm a partner here at EisnerAmper. And I've been an auditor for almost 20 years and really have... bring that lens to our ESG clients. So I've been working with Lourenco for the last four years as it relates to the ESG space at EisnerAmper.

And I think that it continues to be an evolving area where we're seeing a lot of different things that are coming through from our clients as they've been focused on reporting readiness, doing self-reporting, and now as we continue to move into the assurance space. So that's a little bit about myself. Corinne.

Corinne Hanson:Thank you so much, Charles and Lourenco, how about you?

Lourenco Miranda:Oh, thank you very much, Corinne. My name is Lourenco Miranda. I've been in the industry for about 30 years in different capacities. I was a capital provider, working in banking, working in development. I worked few years in the IFC and the World Bank. I worked in insurance in different capacities, most of my career related to sustainability and ESG. Now I'm helping our clients to develop their own practices, their own ESG and sustainability performance. Thank you very much, Corrine for facilitating this conversation with us today.

Corinne Hanson:Of course. And thank you both for being here and for providing your expert lens on these topics. I think we mentioned at the top, but if anyone does have questions that come up as we're chatting here, please drop them into the Q&A box. We'll turn to those at the end, but for now, I want to dive right in.

So as most of you are, I'm sure aware, this has been really a hot topic for the last many months now, the SEC's climate disclosure ruling was finalized on March 6th and will require publicly traded companies in the US to report on their emissions with legal challenges and a lot of pressure from both sides.

Honestly, there's been a voluntary stay in the implementation, which creates a pretty dynamic and difficult landscape for businesses to navigate. And so Lourenco, I'm hoping you can share with us, how are you seeing the new California regulations and SEC climate rules impact business' approach to sustainability reporting and verification?

Lourenco Miranda:Well, thank you, Corinne. That's a great question. So for me, there is a great change in what the companies have to report and have to disclose. I think the number one benefit is an increasing transparency and accountability from the companies that have to go through this process of reporting.

And as I always say, you cannot report what you don't have. You don't report on a blank sheet of paper. You have to come up with the mechanisms, you have to come up with the base in order to report on your GHG emissions, on your risks and opportunities. In order to do that, there will be some changes, some impact in the operations of these companies.

Most of them besides the big ones that are already doing this for quite some time. Most of the companies, they have to change some of their internal processes and start looking at different data... type of data like greenhouse gas emissions. They will have to create internal processes, they have to change probably internal controls or include different internal controls or adapt those, use, for instance, a framework that is an industry framework like TCFD, the Task Force of Climate-related Financial Disclosures or use any other framework that they choose.

Usually TCFD is the one that the SCC and the California regulators are using in order to base their rules upon. So there will be a change in terms of understanding these rules and what those acronyms mean. So what do they mean? And all this alphabet soup of reporting. So there's a lot of change in education from the companies as well.

So changing processes, and there's another thing that is part of this change management that it goes into the different companies that have to go through this that comply with these rules is related to investment in systems, investment in data. So again, you cannot report what you don't have. If you don't identify your data sources, you don't identify how to capture them, how to analyze them, store them in a reliable system that will enable you, enable the company to report on these numbers and to analyze these numbers and do something about it.

Again, you have to invest in these systems, in these platforms and then go again as a corollary of this, as a consequence of that, you have to do something about it. So it's also expected that you start thinking about what is your carbon footprint, what are your hotspots in terms of your processes? And start changing those, adapting those in order to improve your footprint or become more sustainable, transform your business into a more sustainable one so that you can identify this data, understand, report it, and do something about it.

And it's not only a regulatory demand that we're seeing, but also a market driven requirement. A lot of these companies... A lot of big companies and investors, consumers, they are requiring companies in order to change their processes, to change their business models into more sustainable ones. And the natural consequence of that is start reporting on those and then making more transparent. Goes back to my initial point of transparency and accountability.

So changing processes, investment in data and technology and more accountability and transparency that will be beneficial for the company, for the industry, for the consumers, for the regulators, for the society in general, for the general public.

Because companies, they have an impact in the society and the environment, but making them more accountable and more transparent, we'll be able to see which companies are more responsible in terms of corporate responsibility. And that will also generate a business advantage, a competitive advantage for those companies.

So a lot of changes, a lot of impact. There will be of course, challenges related to those changes. And these challenges are many. So the first one is the alphabet soup that I was talking about. What is TCFD? What's GRI? What are all these nomenclature, these acronyms that pop up in different conversations and even consumers start thinking about this, regulators start talking about this, putting that in the rules. The investors start talking about this as well. They hear these names and these acronyms, and they start asking questions about those.

So we've seen clients of ours questioning. So our consumers, our vendors, they are asking if we report according to GRI, according to TCFD, "So what does that mean?" Can be overwhelming for companies. But all these things we've seen as a challenge. And the other one is, "Okay, where do I start? So how do I get there? How do I get to report on my sustainability numbers, on GHG emissions, on risks and opportunities? Where do I start?" People talk about materiality assessments because the rules talk about materiality. What does that mean? All of this becomes overwhelming and challenging for the companies.

Corinne Hanson:I'd say you're right, we definitely hear a lot of overwhelm from a lot of our clients. I know you hear the same. And I think you're right that measurement and transparency really are the name of the game this year in a way that they always have been, but it's really come to the fore. So thanks for calling those pieces out.

Charles, what specific roles do auditors and CPAs play in ensuring the accuracy and reliability of sustainability reports? We're talking about that measurement and transparency piece. How do their responsibilities differ from those of traditional financial audits?

Charles Waring:Sure. So, it's a great question and something I hear a lot of, I guess first off, just step back, the CPA's auditors have been providing and doing audits and assurance work for nearly a hundred years now over a company's financials records. And then we've been... still have also been doing other types of assurance work for not necessarily financial, but it's typically somewhat related to or financially driven. So other topical areas for, I don't know if we've got a specific date, but at least 50 years.

So it is something that we're accustomed to, and that's where I think that many clients, many companies are turning to their auditor, their external auditor, their CPA to help them in their reporting process to help them in the assurance process. And just like as Lourenco was mentioning, that as reporting and that the whole marketplace has continued to evolve here and mature, that's the last cusp of, at least from the reporting side, is the assurance piece of that.

And that brings a consistency to companies reporting. So the investors, the other stakeholders can say, "Okay, I've got these two companies maybe within the same industry or in different industries, and how do I compare that information?" And it's one thing if we're comparing against the same set of standards that we're reporting on, same metrics, quantitative, qualitative, et cetera.

But then if you know that there's been that independent objective third party that has performed that additional work that those additional assurance procedures over that company's report or data or the nuance of what we're covering here, then we know that that's been the quintessential kick to tires, but in a consistent manner so that they can get reassured that the information is meeting conformed standards there.

That someone's gone through a rigorous process to evaluate it, to perform procedures, and ultimately that CPA, him or her or the firm has to commit to sign the auditor's opinion and essentially put their name on the line, their reputation on the line. So that's the culmination of that company's reporting process there.

And I think that that brings itself and raises the level of integrity of sustainability reporting so that it can be comparable, it can be... Again, I think that we're focused on the reporting piece. I mean, the next level is the action and the investment decisions and all that. But in order to have that comparable assured information, that's the key step there.

Corinne Hanson:That makes a lot of sense to me that from the auditor's perspective, you'd be talking about assurance, and I want to dig into that a little bit more with you. I'm curious if you could talk about the importance of third-party verification specifically in enhancing the credibility of those reports, that for many years we've been operating in a world without that piece and companies have had a little bit of a green light, pardon the pun, to talk about what their programs have looked like and the KPIs they're using to track. So what key criteria do you use to evaluate the effectiveness of those verifications?

Charles Waring:Sure. And I'll toss out some terms and we will elaborate and explain on them. So one of the things you typically hear about within this space is you hear limited assurance, you hear reasonable assurance. So let's first level set on what those are and recognizing that there's folks that are online here that are outside of the finance function that might have not been a recovering auditor here. So just kind of elaborate.

So limited assurance is like the first level of assurance that an auditor or a CPA can perform. And really that's essentially the least amount of procedures that are performed. And the opinion there is that we're not aware of anything that would alter what the company has put in place or has been stating here.

And so that's, again, if you want to use the analogy of the walk before run, limited procedure, limited assurance is also equivalent for public companies, what an auditor would do for the Q filings. So it's a light touch... it's a lighter touch. I mean, it's still going through a process for assurance, for verification purposes here.

The other side of the coin is the reasonable assurance. Now this one is the highest degree that an auditor or CPA can perform. This is at the same standard as a financial audit or a SOC report that many companies receive. And so that is much more detailed. That is, we're pulling samples, we're digging into, and really scrutinizing the execution of internal controls that are in place, et cetera. So that's the higher end.

And a lot of either companies or the emerging regulations will start with limit assurance and then gradually move over to reasonable assurance because of what I just explained. There's nuances on getting deeper, and it candidly allows for maturing of processes. But at the same time as the CPA, I'm expecting that those processes are in place, that there is sufficiency there to support the reporting that's in place here.

So that's the general basis here. Now, just going back to your question as a CPA, we are leaning on AICPA, American Institute CPAs professional standards and guidance, and that has been in place, a lot of people are asking, "Well, is this something new?" Well, no, the AICPA has really since 2016, established really a guide on much older, prior existing standards that the profession can use, ruling, providing assurance over sustainable information including greenhouse gas emissions.

And so that's typically the criteria, the framework, the basis that we're using. We can go against any reporting aspects, whether it's SASB, GRI, CDP or greenhouse gas protocols, any of those ones there. So long as it's a robust, well established and accepted framework, we're able to provide and perform procedures over that.

There's also international standards, but a lot of that, it just replicates what we're doing with the AICPA standards. There's other stuff that is, I'll call it emerging and in public comments or period that's still being formulated. But in general, this is something that's been in place for a while.

There's other things that we also lean on, there's a framework out there from COSO, which really establishes and brings together a lot of the control environment, maybe the softer components around what frames out the reporting and the internal controls at a company, which as the CPA, the auditor, we need to have an appreciation and understanding on in order to opine on the sustainable information, the sustainability report.

Corinne Hanson:That's really helpful. And I think it's important to remember that auditing has been happening for a really long time. The topics that we're covering now are, of course, new. Collecting the data is more challenging because it's new and because they're not things that have been prioritized to track in the same way historically for companies. But the process by which we audit and assure those things is not necessarily new at all.

Charles Waring:Exactly.

Corinne Hanson:But I think that that framing is helpful, and I want to talk a little bit about best practices. So Lourenco, what are some tactics that companies can use to prepare for and undergo audits? How can they ensure their reporting processes are robust enough and aligned with standards that they are caught off guard?

Lourenco Miranda:Yeah, the first thing that I would recommend is to come up with a gap assessment... is to conduct a gap assessment on your business practices and check how your business practices and your processes are aligned with the rules. So the consequence of that is to understand the rules. So you have to understand what the rules are asking.

The SEC and the California basically asking similar things, California, they are two rules that they separated greenhouse gas emissions from risks and opportunities. So they did that separate, but they are very much aligned with the SEC. So once you start, the SEC, California is a byproduct and vice versa. So they all talk the same language.

So first thing, understand what the rules are asking, and they're asking basic things, asking for you to create governance for managing climate related risks. And climate related risks you want to have to understand also the taxonomy behind climate related risks and how those climate risks will impact your business. Then that's the first thing. So if you don't understand that part, then everything else will become more complicated, more challenging.

So first, understand what the rules are asking, what is the underlying object? What is the underlying risk that we're talking about? Climate related risks and how those impact your business, and create governance for that. Which means creating policies, accountability, who does what, committees and charters, all the good stuff that a risk management practice requires companies to do. And many companies, and most of the companies that are already reporting according to the SEC already have that. They already have to report their risks in their 10-Ks naturally.

So climate related risks will only be an addition to their financial risks that they're already reporting in taking. So that's how to understand this and how these will be added to the list of risks that you already report. It's something that you have to understand. And the best way to do that is to create a checklist. So go to the rule, understand the rule, and create a checklist, a questionnaire or what call a gap assessment questionnaire that will guide you through this compliance checklist, the compliance preparedness.

And by doing that, you start asking yourselves, "Okay, what do I need to do now? So after I conduct this gap assessment, do I need to create a policy? Do I need to create somebody at the board level that understands climate related risks? How about management, the ones that are going to implement that? How about the business leaders that will start questioning, 'Okay, what does that mean for me?' Finance... that will have to understand what's the impact of climate related risks and their financials." So all of these elements will start creating these discussions and then these internal dialogues.

                                             So that would be extremely helpful that you start creating these groups and then involving people, CFO, the COO, all the business, everybody integrated, it's a collective understanding. And because California is asking for scope 3, which is, also I'll call a big deal because it's a big deal. You have to understand your value chain, your business partners. So you have to involve them as well because scope 3 will involve your vendors, your upstream and downstream value chain, so that you have to understand that as well. Have we evolved them? It's a stakeholders' management program process.

 Again, checklist, gap assessment, understand what needs to be done. And after that, start creating a strategy in order to address those gaps. And there are priorities for sure that need to be tackled. For instance, create the governance. Governance is a big one that has to be done first. So people start... Again, there's not a wrong thing because it's a good to start understanding the sources of your greenhouse gas emissions, scope 1 and scope 2 and scope 3. You have to understand the sources, you have to understand where the data is. But if you don't have a governance in order to help and then to sustain this on the long run, it's going to be more difficult. It's going to be way more challenging.

So yes, so you create your governance, create your processes, start identifying the sources of your green gas, gas emissions. "What is this scope 1, scope 2 and scope 3 mean? What do they mean? So what is to align to the GHG Protocol? What does scope 1 mean? And do I have scope 1, do I have scope 2?" Most likely you'll have scope 3, way bigger than scope 1s and scope 2s if you are in the specific industry. So you have to start understanding your carbon footprint as well.

So all of these are prerequisites for you to start thinking about, "Okay, am I prepared for the rules? Am I ready to comply with the rules and to a question, am I ready to an audit? So again, I can only report what I have. If I don't have all these foundational elements, I won't be able to report, I won't be ready for an audit." The auditor cannot report what's not there. Auditors like processes, they like internal controls, they like to check the origin of the data, the data sources, the golden sources, and they want to check the lineages and then see where the data flows and who's responsible for approving that data, checking the data if you have checks and balances, again based on your governance. So all of these elements are prerequisites for you to understand, "Am I ready for an auditor to come?"

And I've been working with Charles for quite some time now, and I understand how the auditors operate a little better than I was before. And they really want to know processes, internal controls, documentation. If it's not documented, it doesn't exist. So all of these things that are... We are used to doing this for financial reporting, but now we are talking about non-financial reporting, and most of the companies are not used to that.

So when the auditor comes, will come with this mindset, "I'm looking for processes, internal controls, I'm looking for checks and balances, I'm looking for approval processes, I'm looking for this formalism." The rest is... it's meaningless if you don't have all these things, you have to put yourselves in the shoes of an auditor. And that's what I've been doing to help our clients.

Corinne Hanson:That's excellent. I think related question back to you, we are talking through best practices. What are some of the pitfalls, the other side of the coin here that companies encounter when they're engaging in their sustainability reporting, and how can they avoid those to make sure they're compliant and accurate in their reporting?

Lourenco Miranda:Yeah, if you don't have the documentation, you don't understand your data sources and the lineages and internal controls, you don't have this ready. And when going through the internal governance, then you won't be ready for the auditor because the auditor will ask for this information.

Charles Waring:Can I just add on to that, Corinne?

Corinne Hanson:Please.

Charles Waring:So I would say one of the biggest pitfalls that we see is that clients or companies are just waiting too long. They're waiting until they get that key stakeholder, their key investor, or they're taking a wait and see approach, and then they don't have an appreciation on the level of effort that goes in, one.

And then two, when they actually start doing, either... If they're starting to do their voluntary reporting or they're starting to do assurance or verification there, oftentimes they find stuff that they don't necessarily want to... that they don't like, but put them in their best light and they want to take remedial action to correct that.

And if companies wait too long, one, the ability to fix that, and two, the level of effort, the cost to fix that is really affected. So I think that that's probably the biggest pitfall just in general that we're seeing.

Corinne Hanson:This is a really good point. I think this field is one that's benefited so much from the existence of voluntary frameworks being dominant for so long, the companies that have participated in those voluntary disclosures for years have that appreciation, have the basis of their data, have an understanding of who to contact and how to resource around data collection, all the way to that remediation step. Finding out bad news is something you want to do early so that you can address it before you have to disclose, but we're certainly there now.

Charles, can you talk a little bit about how you approach the integration of environmental, social and governance factors, ESG factors into traditional financial reporting, which is what's required of most of the existing regulation out there, is integration within your existing financial reporting and also just same thing, flip side of the coin, what are the challenges there as well?

Charles Waring:Yeah, so I think that one of the things that we often are hearing is ESG reporting going through a SOXification or is it being... So taking the same lens that companies have been doing for over 20 years here with the Sarbanes-Oxley internal controls reporting that has been in place and is that being applied to sustainability reporting?

And I would just push back on that from a standpoint of there's... it's not necessarily SOX driven, but if you think about if the company is looking to put out their key information that stakeholders and investors are looking to make decisions on, on whether it's to invest in the company to do business with their company from an employee perspective, to work for the company, et cetera.

That information needs to go through a defined set of processes, internal controls, and as Lourenco mentioned earlier, that does need to be formalized. So well, I don't know, and I hate to put that misnomer of the SOXification. I think that this is just more of good solid business practices as well as risk management for a company.

Because what a company doesn't want is for them to say something and not necessarily being to fully commit to that or uphold that and potentially open themselves to either reputational and or legal risk. So we're still... Again, going back to your question, what we're looking for is that has management, has the company created and defined those processes? So it is going from the initiation of the transaction.

So if we're talking about emissions data and information coming from the utility, and then how does it ultimately get aggregated reported up and analyzed? And then again, if we're starting to do anything from that, whether it's transition planning, how does that go against targets, et cetera? How does that information flow through that company in well controlled process that ensures integrity?

And that, again, there can be a variety of different forms of how to do that, we've seen different companies do in different ways. But I think that that needs to be established and understood, and really it's somewhat dependent upon the nuance, the nature of the company, the size of the company, the industry that they're in, but they need to establish a process that's doing that. And so I think that that's the first piece.

And again, if we go in to a company and they haven't established those processes and they're looking for assurance, that's going to be a major red flag there. So we will often, again, it goes back to allowing and allocating enough time crawl, walk, run, to understand, establish these processes, ensuring that they're meeting the standards for both reporting and then ultimately assurance, and do that kick the tires before it's absolutely required or that key stakeholder comes in.

So those are... The challenge is really thinking that this could be stood up in a short amount of time thinking that we can do some components first and others later. Again, you can do that, but it needs to be well-thought-out and rationalized and it can't just be done on the back of a napkin here. So those are the things that, where we see successful ones is that companies are really marshaling cross departments, ops, finance, IT, third-party risk management or third-party vendor management programs. Bringing them together, and so they're all coordinated amongst their established processes.

Corinne Hanson:Excellent. Yeah, makes a lot of sense. Okay, I want to pose this to the both of you as I think you might have similar but different perspectives on this. Can you talk a little bit about examples of companies that have successfully leveraged sustainability reporting to enhance their corporate reputation or investor relations within their companies, and what lessons can be learned from those cases?

Charles Waring:So maybe I'll start with that one. I think that one of the things that we've seen, so we've got a couple of companies where they are not public, but are looking for either private equity investment or potentially that they're working with a lot of public companies as their customers.

And having that sustainability reporting put in place and then taking it to the next level for assurance has really addressed a lot of the questions that either a potential private equity investor is looking for because there is a multitude of investors and some are looking more than others, but the investor community is asking those questions.

And if you have a set defined reporting framework that's been assured, that removes all questions from the investors' mindset. As well as again on if you've got a key customer or key customers that are large public companies or European companies and subject to any of those other larger frameworks that by establishing that reporting and assurance, then that has allowed them to continue to be a top vendor for those customers there.

So those are ones that we've tangibly seen the positive results of that. I think that on the flip side, there's been companies that aren't doing that. They're, I hate to say rolling the dice, but they're waiting to see is that going to be a question that comes down the pike? But again, to my point earlier, waiting too long can really put yourself at risk for, again, not putting your best foot forward to key stakeholders.

Lourenco Miranda:And then also leveraging what Charles has said, we have the government as well, so if you want to deal with the government, you want to be a business partner with the government, you have to follow certain specific, you have to comply with certain specific requests. The same thing that for capital providers, Charles mentioned private equity as a capital provider, having access to finance from bankers.

So banks is also something that if you have a sustainability report and you are already showing that you are identifying hotspots in terms of your carbon footprint or ESG, other social or governance elements, you have a better rate. You can have a better rate in your bank relationship or a loan or bond or whatnot. So you can have a better access to finance or to funding in that sense. So the banks will look at you in a much more respected way.

So they look at you and say, "Okay, now this is a good client that I want to invest my capital." The same thing that you can think about credit. So bank starts lending to clients and ask questions related to credit worthiness, client related risks, and ESG elements will also be part of this questions. So if you show good ESG performance for a bank I would look at you and then say, "Well, it can have a very good correlation with your credit worthiness, so I'll be able to bank you with you instead of... I would prefer to bank with you than with other clients that are not." So then puts you in a competitive advantage with bankers as well with the government, with all the...

Again goes back to the point that the regulations are great and I think they create a nice boost in terms of sustainability reporting and they create this accountability in the market, but it is a market-driven as well. So most of the sustainability reports and the sustainability practices and all the targets that the companies are setting in terms of decarbonization strategies come from the market, the market itself. So it's a good example that the market is driving this before the regulations themselves.

Corinne Hanson:Yeah, definitely not just spontaneously arriving at this point. Of course, we definitely have been responding to requests from regulators. I think you both touched on this, but what it brings to mind for me is the discussion around trust. And that was always an early conversation with companies was you show trust to your investors, to your employees, to your various stakeholders in many different ways. This is another dimension of that.

There is a strong correlation because if you're transparent with your investors about all of these metrics, they know that they can trust what you're saying, they can see it directly. And that's the intent of auditing as well, is I need to be able to see what you're doing, not just go on trust. So that's how we cultivate that.

So diving into that piece a little bit further, and then maybe we'll turn to questions. Looking ahead, how do you see the role of auditors and third-party verifiers evolving in the context of sustainability reporting? Are there trends or technologies that you think will shape the future of this field? Do you think there are new roles and positions that will develop from here, specialties, things like that?

Charles Waring:Sure. And maybe I'll start and then Lourenco, you can chime in. So I think that one of the things that.... And so both Lourenco and myself, and I know some of your colleagues, Corinne, were at Green Fin last week, and one of the key discussion points there is just the evolution of what's being termed as the ESG controller.

So that's someone that sits within the finance organization and has a similar type of skillset that a financial controller... So that's one step below the chief accounting officer or chief financial officer, but really for those organizations that have either regulatory requirements or that they frankly have chosen to have a variety of reporting elements with their sustainability reporting that they have put in place an ESG controller.

So that's, I'd say a position that has really come to market in the last 12 months. And I think that there may have been a few folks that have been around in those roles for slightly longer, but we're seeing the proliferation of that. So I think that that is... Because when we think about the role of the auditor, the role of the CPA we're... As Lourenco and I have been talking from our side as the external party, but there's typically the formation or compliment within an organization. And I think that that's how this ESG controller position is starting to take hold.

And I think that that has, because when you've got someone within a company that is their sole focus is on this reporting requirements. And I think that one of the things that we've been seeing is that with the consolidation of reporting standards, principles and frameworks, but what we're now seeing the fragmentation of the regulation and the regular space. I think that companies have all these thought about, "Well, where do I start if I've got all these different frameworks or reporting aspects?"

But now they're into this fragmentation of reporting and regulatory requirements, now they're saying it's like, "Oh my goodness, how am I going to be able to do all this stuff?" Because there's the SEC, there's California, there's CDP, there's the rating agency, there's all these different regulators and people that are looking at your reporting. And so that's where the company's response is to create these internal positions.

And then also leverage and start to branch out within the internal audit functions within a company. And then also the third-party assurance to really have that role as an ongoing position, ongoing dialogue, ongoing, just natural cadence that, "Hey, you know what? We're going to do our sustainability report every year. We're going to have to submit either a subset of it or in its entirety to a variety of key stakeholders, regulators, et cetera. And we're going to just build this process that ensures that as our reporting is there, that it's following the established processes and internal controls. And oh, by the way, when there's a change to the company, we acquire something, we divest something, we just change up an organization structure."

That stuff just doesn't come to a screeching halt. Just like financial reporting, that doesn't stop when those types of business actions are occurring. The sustainability reporting continues along. And as we think about whether it's emissions, water waste, biodiversity, that those all start to be integrated there too. So that's a key thing that I see as a continued evolution there.

Lourenco Miranda:And then just to compliment, I think having worked with this topic for quite some time, I just see the demand and the need for third-party verification to grow even more. So in the past, financial statements were not entirely audited, now it cannot fathom a financial statement that's not audited.

The same thing will go through the non-financial data, GHG emissions. So it again goes back to my point that you cannot report on what you don't have. So you have to create the processes, the internal controls, you have to find the data and understand what you're reporting and create a report so that an auditor can come and audit.

And that has to do with the maturity stage of your company. If your company is in the stage that you is still doing gap assessments and you don't know where to start, the auditor is not going to come and then audit that. They'll come after you report and you have a mature process that you can say, "Well, now I have governance, I have the processes, internal controls, I know the data. That's my report. Please audit it."

So then the auditor will come and then audit the whole process, all the elements that you created in order to create that report. So that's the stage is a maturity stage. So first gap assessment, execute or implement gap assessment report and then audit.

And that's why I think I see most of the companies, not necessarily the big ones as I said, but most of the companies still in this stage of gap assessment, understanding and then executing on the gap assessment, and they're not in the audit stage yet. So they are still building their reports and understanding what does that mean.

So that's why I think as we progress in this maturity stage of companies, the external parties, the external verifiers that auditors will be in a high demand in very near future. So it's only going to grow.

Corinne Hanson:I think that's extremely correct. I think one of the points that each of you raised in different ways earlier was around compatibility, comparability, there being alignment eventually. It's a gift that the auditing process brings to this whole thing is that there would be a cohesiveness to how disclosures are made. I think that's something we're all really seeking, and so I think that's a future hope for sure.

I want to turn us to questions briefly. While we have a little bit of time left, if you have some that you've been holding onto, please feel free to drop them into the Q&A box here. But one really interesting one from Douglas Hillman. Question for you, Charles, follow up to companies waiting too long, "If companies authorize an assurance engagement and it becomes apparent they won't like the outcome, can an assurance engagement be stopped?"

Charles Waring:It's a great question, Doug. What I would say is that candidly, the assurance provider should be looking to make sure that there's been either a readiness engagement done. So I mean, that's an engagement that the assurance provider can do. Or if there's been, again, another CPA or internal auditor has kicked the tires on the entity on the subject matter here with the same types of lens that the assurance provider would be performing.

From a technicality perspective, once the assurance engagement has really started, under professional standards, the assurance provider is really obligated to issue something. What is done with that report, including a disengagement, is up to what management to do. But I think that for everyone's dollars and time and resources, there really needs to be that readiness assessment that's done first and foremost to really understand where there is potential gaps and where that company stands.

I mean, candidly, that's a requirement from our side that there's been... We've either done a readiness assessment or that there's someone or a firm that's done it under a similar set of standards before we would contemplate doing any ESG assurance engagement.

Corinne Hanson:That's helpful. I think we get the question a lot too from folks just what do we need to do to be prepared for assurance? How do we make sure that we're traceable and auditable? I think we talked through best practices a little bit, and I wait for hopefully another question or two to pop up. I'm curious if you each could talk about circumstances that you feel like are cream of the crop here.

What is the best case scenario for a company in terms of process? If you were like... look end to end and just say, "Here's what I really want you to do to be ready for the most extreme example of an audit." We've got a lot of companies and clients who are saying, "Well, the SEC has been voluntarily stayed. We're now looking across CSRD. What guidance can we get from that?" So maybe if there's something to draw from the perspective of the more rigorous examples that would be helpful.

Lourenco Miranda:For the CSRD... You mentioned CSRD. CSRD is a good starting point for you to measuring yourself or trying to gauge how well you are in terms of sustainability reporting and performance. The only difference between CSRD and SEC, SEC is very much concerned about investor on the investor point of view and the financial materiality.

CSRD is interested in the, not only in the investor, but also in the society, the social and environmental impact of your operations, of the operation of your company. So there's this, so-called double materiality that the CSRD is about.

SEC is just financial materiality. We are interested in financial... the climate related risks impacting the financial stability or financial of the company. CSRD is both not only financials, but also the impact that the company has, the environment and the society.

Corinne Hanson:Yeah, that's really helpful. I think for years we've been talking about value creation has expanded. The whole premise of ESG of course is that they're each individual components of value creation and we want to break out that financial lens. But maybe as a hindrance to the comparability piece, I think the SEC has been very clear about delineating that incorporated within financial disclosures, existing, et cetera.

I have to thank you both so much for your insights across so many topics. I really hope that the audience has some tangible action items to take away from today. Thinking through upcoming regulations and the role of third-party assurance within those, I know the both of us Greenplaces and EisnerAmper would be happy to chat through these questions.

If you have anything further to add, we'll be sending a follow-up email with recording contact information from us. Is there anything else that Charles, you Lourenco want to add before we close today?

Charles Waring:No, I think that we had a great discussion and thanks Corinne for joining us there.

Lourenco Miranda:Thank you very much, Corinne.

Corinne Hanson:Thank you all so much and thanks to everyone for joining us today. We'll send that follow up email. Please get in touch if you'd like to discuss anything more. Thank you so much and enjoy the rest of your day.

Transcribed by

What's on Your Mind?

Start a conversation with the team

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.