Listen on Apple Podcasts, Spotify and YouTube
Welcome to AccelPro Audit, where we provide expert interviews and coaching to accelerate your professional development. Today we’re featuring a conversation with Bob Hirth, Senior Managing Director at Protiviti.
As KPMG Audit Partner Anita Chan explained to AccelPro Audit, one of the biggest challenges to ESG reporting is the “alphabet soup” of different regulations and standards out there. Hirth is the ideal guide for auditors through this tangle.
Hirth previously served as co-chair of SASB, the Sustainability Accounting Standards Board, and is currently a member of the AICPA's Sustainability Assurance and Advisory Task Force. He spoke with AccelPro Audit about the ‘Big 3’ of sustainability regulations, what internal audit departments should be doing in regard to ESG right now, and why more companies should consider getting assurance on their ESG disclosures from the same accounting firm that does the financial statement auditing of the company.
Listen on Apple Podcasts, Spotify and YouTube
Interview References:
Bob Hirth’s Protiviti profile.
1:57 | Sustainability Assurance. American Institute of Certified Public Accountants (AICPA).
2:51 | Climate-Related Disclosures/ESG Investing. US Securities and Exchange Committee.
2:58 | International Sustainability Standards Board (ISSB) Sustainability Standards. International Financial Reporting Standards (IFRS).
3:18 | Corporate Sustainability Reporting Directive (CSRD), (2022). European Commission.
8:36 | Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, (2013).
TRANSCRIPT
I. WHY INTERNAL AUDIT TEAMS SHOULDN’T WAIT TO GET STARTED
Jessica Stillman, Host: Can you give us a quick overview of the most important developments auditors need to know about when it comes to regulations and standards around ESG right now?
Bob Hirth: This applies to many new industries or items where there's a lot of players. Think about automobiles and airlines, where sustainability standards are similar. Over time they've begun to coalesce and consolidate down to a manageable number, which is still not totally acceptable because we'd love to have one single global standard for sustainability reporting. I'm not sure we'll get there, but we'll get close.
We're down to three major proposed standards across the world. Number one, for public companies in the US there's a proposed SEC climate related disclosure rule. That would apply to all US stock exchange companies. We then have the International Sustainability Standards Board. That is the sister organization to the IFRS accounting standards. All of the non-US GAAP organizations who follow IFRS accounting standards would follow those ISSB sustainability standards. And a little bit in the middle is something called the Corporate Sustainability Reporting Directive, and that is a European Union initiative. It's a bit confusing because you think that the ISSB standard would suffice, but we're down to those three, and I think, frankly, we'll end up with those three.
I want to make a point of what the current risk is for our audience of internal auditors. And that current risk is the reporting that is done by any company today on sustainability or ESG. Any reporting an organization does publicly has to be accurate. So many internal audit groups have not gotten into the sustainability reporting of a company, and I think that's unfortunate because these sustainability reports are public information.
They're being relied on and I believe that internal audit functions can't wait and do something later. They need to look at those disclosures now, and do some form of validation. That can vary from simply asking some questions to doing substantive work. The point I want to make as it relates to ESG reporting and sustainability reporting is, don't wait. Do something now, because whatever your organization is saying needs to be accurate, and you need to help validate the accuracy of that information.
JS: Why are internal auditors holding back? Are they waiting for the final word in terms of guidance from regulators and standard setters? Do they feel like they don't have the necessary expertise?
BH: First of all, yes, they might be a little bit afraid of it. They think, what do I know about greenhouse gasses, and do I have the skills? Now that certainly gives internal audit functions the opportunity to get some extra training or hire outside resources. And yes, sometimes people wait until they think they have to act. There's no rule making me do this, so I'm going to wait. There’s also something about human nature and newness. We either want to stay in denial or ignore it and let it pass.
Those are all reasons, but, again, I want to emphasize my statement that if you're reporting information now, how do you know it's accurate? It is very important reporting. So please, everybody in internal audit functions get after this now.
JS: What's your recommendation for getting started? What are the first steps that they should take?
BH: I think there's a couple different ways you might get started. One is they could educate themselves a little bit on sustainability overall. They might talk to some of their contacts outside that they think know something about it. But, of course, you start with the actual ESG report itself.
This is, for lack of a better word, the document or the digital information on the website that is telling that story. It's a combination of qualitative information about programs that the company has, but it also has quantitative information. It has the company’s greenhouse gas emissions, the tons of carbon that it produces, the amount of water that they use, or the percentage of waste that goes to landfills.
There's a lot of quantitative information. The other thing that's different about sustainability reporting as compared to financial reporting, is it's not just a baseline of historical information. Once you get that information, companies set goals and targets. This is our water usage. We're going to reduce it to this. This is our emissions number. We plan to reduce it to that number by this date. That commitment, that liability, has now been publicly stated, and one of the roles of internal audits should be to try to validate or challenge the reasonableness of those targets to make sure the company can get there.
JS: Water usage targets and greenhouse gas are quite a distance from financial metrics that folks in audit are traditionally trained on. Is it helpful to develop partnerships with other departments? How do they deal with this new expertise that is well outside the financial spectrum that auditors are used to dealing with?
BH: That's a good point. It is different information, but nevertheless, it's information. There's objectivity to it. For all those things, looking at outside resources, etc., can you contract with someone for a while and have them actually teach you this and be a part of the team?
Is there external training or certification programs that you can get to really become, not expert, but knowledgeable? And then, to your point, how can you leverage the organization that you're in? How can you go to people, for example, who are responsible for measuring emissions or managing water, and learn from them?
I think it's a combination of these, but what's also important is the innate skills the audit group already has–their ability to be objective, to think critically, to really understand the facts and circumstances and the procedures and controls. It's a bit of both, using internal audit’s existing skills and gaining some additional skills, and there are a number of ways to do that.
—
II. WHICH STANDARD SHOULD YOU CHOOSE?
JS: For internal auditors, is the goal to meet all the standards or are teams looking to stakeholders to determine priorities? What are your thoughts on where to aim?
BH: There's two ways to look at that, and to use the COSO term, ‘applicable laws and regulations,’ there's a lot of standards and laws and regulations. Not all of them apply. So you want to figure out which ones apply to you. And then once you've got that, we go through the concept of materiality.
I think auditors will understand what are the items that matter, which are the items that would change someone's decision, if that number was this or that. So determining applicability and taking an inventory, if you will, of which regulations apply. And then applying the lens of materiality to it so that in some respects you don't look at everything, but you look at the items that matter.
And when it comes to sustainability, a really important point is those items that matter will vary by industry. As you mentioned, I was the co-vice chair at SASB for about five years, and those standards are developed specifically industry by industry. We have separate standards for 77 industries. Everyone can imagine the material issues for an oil and gas company are different than a bank or a technology company or a manufacturing company. So what's applicable, what's material, and what really matters is, most of the time, driven by industry and business models.
JS: In some areas there are still data shortcomings. You don't have all the data or you're not sure about the data. When you have these sorts of shortcomings, is it more important to be transparent that you don't have the data? Are you trying to get to perfection?
BH: Everybody says data is the new gold. That is the case with sustainability reporting as well. There’s a lot of data, and that data has to come from somewhere. Many will understand the concept of information technology, general controls. That data usually resides in some form of electronic system. There is work that all the audit groups have to do around the control, the continuity, the protection, the privacy of that information.
What is a little different about sustainability reporting is it's still emerging. It's still voluntary to a point. And there are a number of situations where companies can't become an Olympic athlete by next Friday. There are some excuses you can use to not report everything right away, but at the end of the day, if there's a regulation, we need to be compliant with that.
The information technology general controls, understanding where the data comes from, and the controls around that reporting are really important because the data collection piece is absolutely essential to ESG reporting.
—
III. HIRTH’S WORK ON STANDARD SETTING BOARDS
JS: I want to also talk about your current role as a member of the AICPA Sustainability Assurance Advisory Task Force. Can you tell us a little bit about your role there and how the work of the board is relevant to CPAs?
BH: Let’s step back to the reporting world. We have financial reporting, and it's so important that it needs to be validated by a third party. We're all familiar with the audit of financial statements or financial information. Let's go over to the sustainability report, and, again, it's emerging and evolving, but there's a view that sustainability reporting is becoming as important as financial reporting.
Many people now are looking to this notion of getting third party assurance from a CPA firm. And today, even though it's voluntary, a number of large companies get third party assurance on certain aspects of their sustainability reporting. The regulations that I mentioned, the SEC rule, the Corporate Social Responsibility Reporting Directive, the ISSB standards, they all have an assurance. The ISSB makes it voluntary, but the SEC and the CSRD regulation would require assurance, and that assurance needs to come from a third party.
Now to my role on the AICPA committee. What our committee is trying to do is ensure, because we truly believe the CPA is most qualified to do this, that the CPA firm becomes the primary or exclusive assurance provider of sustainability information. And we do that through educating the people who would hire those CPAs, the firms themselves, the investors that use the information.
JS: Anyone who reads the business news knows that there's a lot of noise about anti-ESG backlash going on at the moment. Is that something audit professionals need to follow or worry about? Or is that something that's unlikely to impact them?
BH: I think auditors, both external and internal, need to be aware of what we'll call the anti-ESG movement, just like they need to be aware of any market development. At the end of the day, there will be regulations they need to comply with or their organizations want to complete some reporting, and they should help their organization. As we all know, the definition of internal auditing includes the word ‘adds value.’ So yes, I think you need to be aware of it, but you need to move on and do the job that you're asked to do.
JS: Tell me a little bit about how you got started in the audit profession and how things were different back then compared to how they are now.
BH: I got started on the CPA audit firm track at Arthur Anderson and actually made partner there. During my time at Arthur Anderson in the mid nineties, we established a contract internal audit practice where we would provide certain internal audit work at companies on a contract basis. Many people would know that as co-sourcing, and that's become a very accepted approach for companies to take when they don't have all the resources that they need all of the time. They might be short two or three people, or they might need a really specialized skill that they don't need every day of the year but would like to, for lack of a better word, rent.
So that's how my experience went from external audit in a CPA firm to internal audit in a CPA firm.
JS: Can you talk about what experiences in your career shaped your interest in ESG?
BH: I got involved in SASB and sustainability on a bike ride with a friend of mine who mentioned this SASB thing. I looked into it and, timing wise, it was good to become interested in something new because I was moving off of being the chairman at COSO.
I met with the founder of the SASB, Jean Rogers, and she was looking for board members. I'd say the rest is history, but the point I want to make is I got involved in that because I was curious, and just because you're curious doesn't mean you end up doing something. But I looked into it, tried to understand it. I thought that it had a really good value proposition. They had already recruited some good people and I concluded that I wanted to be part of that. That's how the SASB opportunity came up, and it’s been a very rewarding experience.
JS: What would be your advice for audit professionals who are interested in steering their career to focus on ESG?
BH: There needs to be some self-education. There's tons of material out there from firms like Protiviti, from the CPA firms, from law firms. Educate yourself a little bit on the issues and the terminology.
Certifications don't always mean that you're qualified, but they do demonstrate a commitment and an interest. Organizations like the IIA and the AICPA and others have created certification programs around sustainability, so you can learn more about how greenhouse gas emissions are calculated. I think taking advantage of those formal certification programs would be a next step.
And, of course, getting involved and contributing. There are a number of people in internal audit, and because they know the business, they'd be great sustainability officers. So, self-education certification programs, and getting involved at your organization is my advice.
JS: I understand CPAs and traditional auditors only do a small percentage of review around ESG reporting right now, but assuming that's set to grow if your work at the AICPA is successful, is ESG a good career growth opportunity for folks?
BH: ESG, sustainability, is clearly an evolving area. It's changing so quickly, but I think the end game is that public formal corporate reporting has now expanded permanently to include sustainability and ESG information and it's not going back.
It has become a fully baked-in concept of reporting, whether it’s working in the company around those programs or internal auditing to validate your company's report to the third party assurance,
To your point about assurance and the AICPA committee. If we look around the world, the large companies get some form of third party assurance and most companies outside of the US use a CPA firm. In the US that is really not the case. They've used boutique engineering firms and other certification firms, so the big change we hope will happen through the AICPA committee is that CPAs become more of the primary or exclusive assurer of this information. And I think at the committee level, I and others believe that, for the most part, that will be the same accounting firm that does the financial statement auditing of the company.
This AccelPro audio transcript has been edited and organized for clarity. This interview was recorded on July 19, 2023.
Listen on Apple Podcasts, Spotify and YouTube
AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your day-to-day job performance and make your career goals achievable.
Send your comments and career questions to questions@joinaccelpro.com. You can also call us at 614-642-2235.
If your colleagues in any sector of the audit field might be interested, please let them know about AccelPro. As our community grows, it grows more useful for its members.
