
SEC Commissioner Speaks on ESG Risks and Company Accounting Controls

Thank you for the kind introduction Kevin [Gould]. It’s a pleasure to be here today at the annual PepsiCo-PwC CPE conference, which I understand is a tradition going back 18 years now. I appreciate the opportunity to speak, and I look forward to answering your questions today.

It’s not often—even in this job—that I find myself speaking before such a large group of controllers, accountants and other finance professionals of public companies. And I welcome it because it means we can get a bit more technical and talk about financial reporting issues. I suspect many of you will not be surprised that Kevin and his team have shared with me that ESG is top of mind for this group. I understand there is an interest in hearing what ESG means to the SEC and what ESG regulations are on the horizon. It’s a big question, and spoiler alert – I cannot speak for the Commission and tell you what is to come. I have to caveat my statements today with the standard disclaimer that any views I express today are my own and do not reflect the views of my fellow Commissioners, the Commission or its staff. But I am a U.S. Army reservist, and the Soldier in me truly appreciates your commitment to readiness. So even though I cannot speak for the Commission, today I will discuss how I have been thinking about ESG in the public issuer context.

I. ESG Risks Facing Today’s Investors & Public Companies

ESG is not a monolithic concept. As you know, it generally refers to environmental, social and governance risks, and these are some of the most pressing issues companies are facing. In March of this year, the Commission sought public comment on climate change disclosure.[1] We received hundreds of responses, many of which also addressed disclosures concerning other ESG risks. An overwhelming number of comment letters state that investors view ESG information as material to financial performance and that investors need consistent and reliable disclosures of ESG information to inform their investment decisions.[2] According to commenters, ESG-related information helps investors assess the long-term sustainability or value of an investment.[3] And this makes sense if you think about the position investors are in today. Many Americans are no longer able to rely on defined-benefit retirement plans. They must, instead, rely on themselves in order to save for their children’s education or for their own retirement. And they must, in doing so, take on the risks associated with managing the money themselves.[4] Investors increasingly need to consider how companies will “weather” over a longer time horizon when making investment decisions.[5] That requires looking at the risks today’s companies face and analyzing how these risks will impact future financial performance.

With ESG now front and center, the reliability of corporate ESG risk disclosures, and their potential impact on and connectivity to financial statements, is critical. As you know, corporate internal controls play a crucial role in ensuring such risk disclosures are consistent and reliable. The term “internal accounting controls” refers to an organization’s plan, methods, and procedures related to safeguarding a company’s assets and ensuring the reliability of corporate financial records.[6] These controls broadly include systems designed to ensure transactions are authorized and recorded in a way that maintains accountability for assets and allows for financial statement preparation in conformity with GAAP.[7] They also include procedures that control access to assets and the systems designed to test the effectiveness of internal controls.[8] The concept of accounting controls is intentionally broad, because a company’s system for tracking its assets and recording transactions – regardless of their form – is vital to accurate financial reporting. And it is vital to identifying risks to the financial statements so leadership can manage them and prepare GAAP-compliant financial statements and disclosures accordingly. At the end of the day, management is responsible for establishing and maintaining an effective system of internal controls that reasonably safeguards corporate assets from risk.[9] So as you think about and discuss ESG risks during this conference, I encourage you to think about them in the context of your internal accounting controls and audit functions.[10]

II. Internal Accounting Controls and ESG Risks

To best serve their function, internal accounting controls must be dynamic enough to consider and respond to changes in the markets, such as those posed by ESG issues. Companies have to evolve over time because the marketplace is constantly changing in response to new developments and challenges. These changes can be prompted by new technology, developments in the global economy, or even by our planet. Change drives innovation for not just corporate America, but investors, consumers and citizens. Change can be a good thing. But as markets change, so do the risks that can impact a company’s financial statements. Corporate internal accounting controls must evolve as well. Although these are relatively technical matters often thought of as within the remit of accounting and legal professionals of a specific company, I am regularly reminded that, in the aggregate, these details matter to all Americans. These details impact the companies whose aggregate financial performance undergirds the retirement savings of tens of millions of workers and retirees.

If we think back to when the American Institute of Certified Public Accountants (AICPA) first defined internal controls in 1949, I expect few companies were thinking about the specific ESG risks investors are focused on today. But, at that time, it was less common for supply chains to be disrupted by flooding, or wildfires, or ransomware attacks, or global pandemics,[11] as they are today.[12] Most, I suspect, did not contemplate that the majority of economic transactions would happen electronically rather than face-to-face, or the ubiquity of the computing hardware and related software that today informs every aspect of our personal and professional lives. We simply could not foresee that. At that time, the risk that a business’s entire operations could be taken offline by a technological glitch – or a cyber-attack – did not exist.[13] And although I understand that companies have, for some time now, put processes in place to protect customer information from theft or to detect and protect against spoofing and malware, it’s only more recently that companies are facing this frequency of ransomware attacks. And it’s only recently that public companies are starting to hold corporate assets in the form of digital assets that are not necessarily custodied and controlled by a regulated bank or financial institution.

Given all these changes, it is important to think about many risks.[14] But there are a few specific ESG risks where internal corporate accounting controls play a critical role, and it is particularly important to assess whether these existing corporate internal accounting controls are sufficient to provide reasonable assurances that each business and its assets are, in fact, adequately controlled.[15]

A. Safeguarding Information and Systems

I’ll start with cybersecurity, which can fall into the “S” or “G” bucket depending on the specific risk at issue. The Commission noted in a 2018 statement that “[c]ompanies today rely on digital technology to conduct their business operations and engage with their customers, business partners, and other constituencies. In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission.”[16] Unfortunately, the gravity of the threat appears to have grown since the statement was issued – or at least evolved in light of the recent rise in ransomware attacks.[17] You may recall that earlier this year, a motor vehicles manufacturer suffered a nationwide IT infrastructure outage after a ransomware attack demanding payment of Bitcoin.[18] And those of you on the East Coast were likely impacted by the ransomware attack that took offline the computer systems that manage the gasoline pipeline system responsible for transporting around 45 percent of the East Coast’s fuel supply.[19]

Cyber-intrusions are no longer limited to events that put sensitive information for sale on the dark web. Every day, companies’ operations are disrupted and management must make difficult choices about how to respond, typically when faced with only expensive and unwelcome options.[20] It is understandable that investors might consider how companies manage the risk of cyber-intrusions when making investment decisions.

Turning back to internal controls, I’m particularly interested in understanding how public companies are responding to the various types of cybersecurity intrusions and attacks public issuers are facing, since these create threats to management’s ability to safeguard the company’s assets, in particular. Are companies evaluating authentication protocols and potential weaknesses in security frameworks? And what internal controls are in place to protect electronic systems from unauthorized access or to ensure financial transactions are processed as authorized and not diverted? I am also thinking about whether it might make sense for companies to have expertise at the management and board levels to evaluate the resources the company is putting into these controls, and to regularly brief the C-suite and board on internal controls testing and effectiveness. Otherwise, it could be hard to assess whether management truly has control over corporate assets.

For good reason, the Commission has brought enforcement actions when public companies and regulated entities have lacked adequate internal accounting controls, or made inadequate public disclosures concerning cyber-intrusions and related risks. This is an area where I expect our Enforcement and Exams Divisions’ staff would continue to pay attention.

B. Identifying and Measuring Climate Risk

In the world of ESG, I suspect climate change risk is an area you’re thinking about as much as cyber. It is on my mind too. I would like to hear how public companies are assessing whether and how climate change risk impacts revenues and expenses, both now and in the foreseeable future. In particular, I am interested in understanding how companies are evaluating whether climate risk impacts their business. Some issues that I would think companies are considering as part of this process include whether assets are at risk of depreciating more quickly or becoming “stranded” in response to climate change; whether supply chain or transportation networks are at greater risk of being impacted by extreme weather events; or whether existing revenue streams depend on the status quo, such that new regulations pertaining to deforestation or carbon emission could potentially reduce income.[21] No matter where public companies come out on these topics – or how they assess climate risk – I would like to understand the underlying internal accounting controls that guide decision making. On a related note, if climate change presents risks to a company, or at least requires disclosure, I’m interested in understanding how that company evaluates climate change risk. For example, do companies rely on third-party service providers, and if so, do they evaluate the controls that the service providers have in place over information and disclose to investors the identity of the service provider, in the same way you disclose your auditors and underwriters?

I do not think I am alone in wanting to understand how companies are determining whether and how financial statements are impacted by climate change risk; how assumptions used to reach these determinations are set, tested, and reevaluated over time; and how any existing disclosures are being formulated. I have an open door policy and welcome input on these issues, and of course other issues as well.

C. Safeguarding Digital Assets

Finally, I want to touch on one last fairly recent risk that potentially implicates governance issues. There are media reports that public companies are purchasing digital assets with corporate cash, or accepting digital assets as a form of payment.[22] Such decisions raise a whole new set of internal controls questions, including whether and what internal accounting controls are in place to safeguard those assets from unauthorized use or other custodial risks. It would seem beneficial for companies transacting in digital assets to consider instituting robust processes that validate custody, verify transactions and protect assets from ransomware events. Otherwise, it could be difficult to authorize and account for the transactions.[23] I think it is critical for companies to consider, among other things, whether the internal accounting controls frameworks safeguarding these assets are working, how they need to be modified from existing frameworks applied to transactions in fiat currencies, and what changes need to be implemented, if any.

III. Conclusion

The purpose of internal accounting controls is, and has always been, to provide for corporate and managerial control over a company’s assets. It’s about ensuring accountability to shareholders and building a foundation that reasonably assures that financial reporting and corporate disclosures are accurate and reliable. As businesses and transactions evolve, so too do the risks to corporate assets. It is for these reasons, among others, that I think of internal accounting controls when I think of ESG risks.

ESG risks serve as a good reminder of the need to be vigilant about regularly reexamining and reconsidering the risks to public companies and their financial statements. It is important, particularly for financial professionals, to identify and assess the ESG risks that might impact a company or client, not just in this year, but in future reporting periods too. Of course, we all know that internal controls are only effective if they work, so it is also important to evaluate and test controls frameworks to ensure that they are adequately managing risk. As today’s investors are evaluating how ESG risks might impact their investments in companies, I would not be surprised if they are also assessing corporate readiness to manage new and emerging risks.

Thank you for your time. I look forward to your questions.

ENDNOTES

[1] Allison Herren Lee, Acting Chair, Sec. & Exch. Comm’n, Public Input Welcomed on Climate Change Disclosures (Mar. 15, 2021).

[2] See, e.g., Gary Gensler, Chair, Sec. & Exch. Comm’n, Prepared Remarks Before the Principles for Responsible Investment “Climate and Global Financial Markets” Webinar (“More than 550 unique comment letters were submitted in response to my fellow Commissioner Allison Herren Lee’s statement on climate disclosures in March. Three out of every four of these responses support mandatory climate disclosure rules.”).

[3] See, e.g., BlackRock, Comment Letter on Climate Change Disclosures (June 11, 2021).

[4] See, e.g., John Broadbent, Michael Palumbo & Elizabeth Woodman, The Shift from Defined Benefit to Defined Contribution Pension Plans: Implications for Asset Allocation and Risk Management (Dec. 2006); Samuel Estreicher & Laurence Gold, The Shift from Defined Benefit Plans to Defined Contribution Plans, 11 Lewis & Clark L. Rev. 331 (2007). Of course, retail investors have several options. One can choose to work with a broker-dealer or investment adviser. And we have certain protections in place that govern those relationships. However, ultimately, retail investors have to make the decision on who they rely on to invest; how they engage the marketplace; and understand the trade-offs of those decisions, the related fee structures, conflicts of interest, and how their representatives are managing their money.

[5] See, e.g., supra note 3.

[6] See Securities Exchange Act of 1934 § 13(b)(2)(B); American Institute of Certified Public Accountants, Committee on Auditing Procedures, Statement on Auditing Standards, 001 320.01 (1973).

[7] While my remarks focus on management’s responsibilities for effective internal accounting controls, management also is responsible for maintaining effective internal controls over financial reporting and disclosure controls and procedures.

[8] See American Institute of Certified Public Accountants, supra note 6.

[10] My remarks today are focused on the importance of robust internal controls, but I would be remiss if I did not acknowledge the importance of high quality independent audits in increasing shareholder confidence in financial information. The Commission’s Acting Chief Accountant Paul Munter recently addressed this topic in a thoughtful statement that is available on the Commission’s website.

[11] See McKinsey, Risk, Resilience, and Rebalancing in Global Value Chains, McKinsey Global Institute (Aug. 6, 2020) (noting that the COVID pandemic has delivered one of the biggest and broadest shocks to the global supply chain in recent memory, but that due to changes in the environment and global economy it is one of a series of disruptions).

[12] See, e.g., Amanda Little, Ida Piles on Climate Threat to U.S. Food, Wash. Post (Sept. 2, 2021) (describing Hurricane Ida’s impact on agricultural product supply chains); Deborah Adam Kaplan, More Frequent, Severe Wildfires Threaten California’s Growing Logistics Network, Supply Chain Dive (June 1, 2021) (noting the dramatic increase in wildfires in 2021 compared to previous fire seasons and the burdens put on transportation, inventory, and warehousing networks).

[13] See Mike Isaac & Sheera Frenkel, Gone in Minutes, Out for Hours: Outage Shakes Facebook, N.Y. Times (Oct. 4, 2021); infra notes 15-19.

[14] The full suite of ESG related risks is beyond the scope of these remarks, but I encourage anyone interested to look at the Climate Change Disclosure Request for Input and the responses elicited by it. See supra note 1, at Question # 15 (soliciting feedback on a broad range of ESG matters).

[15] See 21(a) Report on Cyber-Related Frauds, supra note 9, at 2 (“[a]s the Senate emphasized over four decades ago when passing these provisions, “[a] fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurances that the business is adequately controlled.”).

[16] See Sec. & Exch. Comm’n, Statement and Guidance on Public Company Cybersecurity Disclosures at 2 (Feb. 26, 2018).

[17] See, e.g., Christian Cabaluna, Surge in Ransomware and 10 Biggest Attacks in 2021, ISACA Newsletter (Oct. 27, 2021); Lynsey Jeffery & Vingesh Ramachandran, Why Ransomware Attacks are on the Rise – and What Can Be Done to Stop Them, PBS (July 8, 2021).

[19] See William Turton & Kartikay Mehrotra, Hackers Breached Colonial Pipeline Using Compromised Password, Bloomberg (June 4, 2021).

[20] As just one example, Colonial Pipeline paid $5 million to regain access to its systems, and the Justice Department has recovered some but not all of the cryptocurrency that was used to pay the ransom. See Stephanie Kelly & Jessica Resnick-Ault, One Password Allowed Hackers to Disrupt Colonial Pipeline, CEO Tells Senators, Reuters (June 8, 2021).

[21] See, e.g., Fin. Stability Bd., The Implications of Climate Change for Financial Stability (Nov. 23, 2020); McKinsey, Climate Risk and Response: Physical Hazards and Socioeconomic Impacts (Jan. 2020); Kristen Sullivan, Kyle Tanger & Michelle Bachir, Climate Change 101 for Business Leaders, Deloitte Article (Jan. 6, 2021).

[22] If you enter the phrases “public companies that own digital currency” or “public companies that accept Bitcoin for payment” in an Internet search engine, multiple websites and news media reports purport to provide the answers. I have no independent knowledge of underlying information, but am interested in thinking through the governance implications of these practices. See, e.g., Ty Haqqi, 15 Biggest Companies That Accept Bitcoin, Yahoo! (Feb. 18, 2021); Companies Now Hold over 1.6 Million Bitcoin, Almost 8% of Total Supply, Nasdaq (Aug. 25, 2021); Zahra Tayeb, More companies, including PayPal and Xbox are accepting bitcoin and other cryptocurrencies as payment. Others are weighing up their options, Business Insider (May 7, 2021); Andrew Lisa, 10 Major Companies That Accept Bitcoin, Yahoo (Aug. 25, 2021).

[23] There are many high-profile examples in which investors in digital assets have lost access to their funds due to problems at exchanges or service providers. See, e.g., Samuel Haig, QuadrigaCX Trustee Only Has $30M to Pay $171M Worth of Claims, Cointelegraph (Nov. 6, 2020); Ryan Browne, ‘Accidental’ Bug May Have Frozen $280 Million Worth of Digital Coin Ether in a Cryptocurrency Wallet, CNBC (Nov. 8, 2017).

These remarks were delivered on November 16, 2021, by Caroline A. Crenshaw, commissioner of the U.S. Securities and Exchange Commission, at the PepsiCo-PwC CPE Conference.