The finalization of the US Security and Exchange Commission (SEC)’s rule on climate-related disclosures marks the culmination of a multi-year journey to enhance the quality, transparency and comparability of reported sustainability information in the United States. Nearly all SEC registrants are in scope, which includes domestic registrants, most foreign private issuers and companies filing registration statements, such as those looking to IPO.
At a very high-level, there are three key types of disclosures the SEC is requiring, all subject to materiality considerations.
First, in a note to the audited financial statements, disclosures include actual expenditures caused by severe weather events and other natural conditions, material effects on financial estimates and assumptions, and the cost of any carbon offsets or renewable energy certificates. These notes will be subject to the integrated audit.
Second, in a separate section of the annual report, larger registrants will need to disclose scope 1 and 2 greenhouse gas (GHG) emissions, if material. GHG emissions will be subject to assurance over time, first limited, then reasonable for large accelerated filers.
Third, registrants will need to disclose information similar to that required by the TCFD framework, including both the quantitative and qualitative impacts of their climate risks and strategies.
To learn more about the assurance requirements of these disclosures, Watershed sat down with the ESG Audit Leader at KPMG US, Maura Hodge.
Which parts of the new SEC climate disclosures will require assurance and to what level?
Hodge: The SEC has put forward a phased timeline for assurance over scope 1 and 2 GHG emissions disclosures. It begins with limited assurance for large accelerated filers starting in 2029 and for accelerated filers in 2031. It then moves to reasonable assurance for large accelerated filers beginning in 2033. Accelerated filers are exempt from reasonable assurance, and non-accelerated filers are exempt from assurance entirely.
Importantly, many U.S. multinationals are also in scope of the European Union’s Corporate Sustainability Reporting Directive (CSRD) and the California climate laws, both of which include their own assurance requirements. It is critical that companies take a close look at all of the reporting and assurance requirements they may be subject to, at the state, national and international level.
What does assurance over the SEC required climate information mean in practice for companies? What are the key challenges?
Hodge: It’s important to note that only GHG emissions are subject to assurance. The financial statement impact note that is in the financial statements will be subject to the integrated audit (financial statement and SOX), which is a separate process and level of assurance.
In order to obtain assurance from an accounting firm over greenhouse gasses, companies will need to ensure that their GHG emissions reporting meets the preconditions for the assurance. These preconditions include:
- Establishing clear responsibility for the GHG emissions;
- Selecting and applying a standard; and
- Obtaining evidence that supports the assurance provider’s conclusion, which often includes documentation of methodologies, estimates and assumptions, supporting information such as invoices, meter readings and emission factor sources, and access to individuals in the company responsible for data collection, calculation and reporting.
In addition to meeting these preconditions, companies should also consider implementing internal controls, such as spot checking for supporting documentation.
How long will assurance take and how much will it cost?
Hodge: It is challenging to give precise figures here as it’s going to vary based on a number of company-specific factors, such as number and location of emissions sources, complexity of methodologies to calculate emissions, global footprint, and level of disaggregation of data collection. In general, organizations should be working with their assurance provider and building in time for the different phases of the assurance process, including Planning, Risk Assessment, Substantive Testing, Completion and Reporting.
Here are some key actions organizations can take to reduce the timeline and cost of the assurance:
- Develop a GHG inventory management plan, which includes documentation of the standard being followed and any deviations from the standard, organizational and operational boundaries, and methodologies and emission factors applied;
- Create a process narrative or flowchart that shows where data originates from and all of the inputs and systems it touches before being included in the final report;
- Educate all data owners on data collection and review procedures and controls;
- Leverage technology for data analysis and validation;
- Consider involving internal audit, asking them to perform testing over the data and identify areas where process or controls could be enhanced to improve the quality and efficiency of data collection and reporting;
- Obtain pre-assurance over GHG metrics prior to receiving assurance; and
- Designate a single point of contact for the assurance provider who is responsible for collecting requested information, setting up meetings, and escalating issues as they arise.
Who can provide assurance services?
Hodge: The SEC does not mandate a particular type of provider. However, it does require that the provider adhere to recognized attestation standards. The standards must be publicly available or widely used for GHG emissions assurance and established by a provider or group that has followed due process procedures. These procedures may include, for example, the AICPA attestation standards or IAASB assurance standards. Importantly, the provider must have significant experience relevant to GHG emissions and be independent of the organization and any affiliates (which may include downstream entities where the organization may have a controlling interest).
What does it mean for an assurance provider to be independent?
Hodge: This means that the provider is free from any conflicts of interest or biases that could compromise their objectivity and integrity in assessing and verifying GHG emissions data. It’s the same principle that applies when a company has its financial statements audited by an independent third party. There are specific standards and guidelines that providers must follow to achieve and maintain their independence. The Greenhouse Gas Protocol, for example, outlines some of those requirements for independence, including disclosing any potential conflicts of interest and maintaining professional skepticism.
An example of where a firm is not independent is when it prepares an organization’s GHG inventory or develops a calculation methodology and then also assures it. Even if the team working on the engagements is different, because they work for the same firm, they are not independent. Additionally, the Audit Committee should consider its own level of involvement in the selection and retention of assurance providers.
What if I am already receiving assurance?
Hodge: In the lead-up to the finalization of the SEC’s climate rule, we have seen more and more companies voluntarily seeking assurance to improve the degree of confidence in their reported information. For organizations not in this boat, they will need to ensure that they move toward limited or reasonable assurance over their scope 1 and 2 greenhouse gas emissions, if material, in the timeframe required by the SEC. However, for those that are already receiving assurance in some capacity, they should take into account the rule's requirements, including the standard being followed to prepare their inventory, and whether their current assurance provider meets the rule's criteria.
What is pre-assurance and what are the benefits?
Hodge: Pre-assurance is a process that organizations might voluntarily undergo to assess how prepared they are for external assurance. It’s essentially a readiness assessment. Pre-assurance helps organizations identify any gaps in their methodologies, data collection, reporting infrastructure, processes and controls so that when they are ready for limited or reasonable assurance, they have a greater degree of confidence in their reported information. By going through the pre-assurance process, typically on prior year data, they essentially get a practice run.
How should companies get started and when?
Hodge: While the SEC has pushed out assurance timelines several years, it is important that companies start preparing now. As I mentioned, multinationals doing business in California and the European Union have different assurance requirements, some of which are imminent.
Perhaps the biggest challenge that companies are facing is collecting high-quality, comparable data. Data, after all, is the foundation of any good reporting program. KPMG conducted a recent survey that found 83% of organizations believe they are ahead of peers on ESG reporting, but almost half (47%) still use spreadsheets to manage this data. Building a greenhouse gas emissions reporting program that can withstand assurance necessitates a mature data strategy.
Notably, 58% of organizations we surveyed said they plan to use artificial intelligence (AI) to improve data collection. AI offers a promising path to more effectively report and unearth insights that drive strategy. However, to truly realize the benefits of AI in sustainability reporting, organizations must first have high-quality, well-organized and highly comparable data.
In addition, a recent KPMG survey found that 75% of companies globally are in the early stages of ESG assurance maturity and therefore not ready to meet upcoming regulatory requirements. However, 66% say their firms must now report ESG data or will be required to do so soon. Furthermore, only 26% have a clear audit trail to support their non-financial information.
Becoming assurance-ready requires a multi-dimensional approach. A few steps companies can take include:
- Determining applicable reporting standards.
- Building a robust governance program where roles and responsibilities are clear.
- Identifying the applicable disclosures and data requirements across functions.
- Digitizing data processes and ensuring high quality data.
- Working with the value chain to collect ESG information (Note, the SEC does not require scope 3 reporting, but other reporting regimes do).
Importantly, for companies earlier in their sustainability journeys, they have the benefit of being able to build with the end in mind, or in other words, build a program that can withstand assurance while bringing financial value to the company.
