SEC Climate Disclosure Proposal May Be the Next SOX for Internal Audit


After a year of hinting at development of sweeping environmental disclosure rules, the U.S. Securities and Exchange Commission (SEC) has finally announced proposed regulations, titled The Enhancement and Standardization of Climate-Related Disclosures for Investors. Over the past 20 years, only a couple of other seismic legislative/regulatory events have so greatly impacted internal audit: the Sarbanes-Oxley Act (SOX) in 2002 and, to a lesser extent, the Dodd-Frank Act in 2010. And, while we’re only at the “proposed rules” stage, U.S. companies can fully expect new requirements for climate reporting as the SEC seeks to overcome existing disclosures that it feels inadequately protect the public and investors. Already, the United Kingdom has worked to shore up deficiencies through an ESG regulatory requirement for public companies.

There are two broad requirements in the SEC’s proposal: First, the agency suggests that publicly traded companies disclose information about “climate-related risks that are reasonably likely to have a material impact on its business, results of operations, or financial condition,” including greenhouse gas emissions. Second, and the reason this proposal might be compared with SOX, is a requirement that companies disclose “climate-related financial metrics” as part of their audited financial statements.

If the proposed regulations are adopted, businesses would need to clearly define, assess, and track the impact of climate risks, including against specific financial metrics.

Three Phases for Compliance Preparation

As I have said many times before, today’s legislative and regulatory headlines are tomorrow’s compliance risks. All internal auditors for publicly traded companies need to take note of the SEC’s proposed regulations right now. The challenges — and opportunities — for internal audit will likely come in three phases:

Phase One: Input During the Public Comment Period

The SEC’s proposed rules are queued up for publication, so at this early stage we can add the most value by making sure our organization’s leadership is aware of them and that we are ready to assist in formulating a response. Make sure your voice is heard and, to add value to the discussion, get up to speed on this significant emerging compliance risk and keep up with any changes as the SEC releases updates.

If your department is not yet seen as a partner, this is an important opportunity to demonstrate that your responsibilities extend to assurance and advice on all of the company’s risks. As assurance professionals, we must be adept at identifying risks related to any new compliance requirements, and the business should seek us out as an independent partner who can help the company navigate compliance risks.

Phase Two: Climate Disclosure Readiness

Once the dust settles, we will likely have new disclosure requirements dependent upon new sources of data and information that could be fraught with yet more risks. As we saw in the run-up to SOX disclosure requirements, during the readiness phase, internal auditors can provide assurance related to the organization’s preparation efforts.

Before the regulations are settled and come into effect, assurance professionals should keep in mind the basics of risk and control: gather objectives, identify risks, implement controls, test, and report results. It is better to call out any gaps in the company’s planned disclosure process early. Much of the reporting is likely to hinge on metrics your company establishes as a result of the new regulations and the ability to disclose against those metrics accurately. We learned going through SOX readiness that the process may be bumpy, and that we must remain agile to make adjustments along the way.

Phase Three: Sustainable Compliance

The need for internal auditors to review controls over the accuracy of information on climate reporting will evolve as the requirements mature and management attestations eventually become mandatory. From this point on, climate disclosure reporting will likely be an ongoing risk, regardless of the final reporting requirements. Accurate reporting is an absolute; final regulations will dictate how and when your company reports information.

Looking beyond the initial compliance push, the intent of regulations like these is a better-informed investor and a model that will enable your company to remain sustainable as we face the widely recognized risks of climate change. On the other hand, failure to comply could result in penalties, mitigation costs — and a tarnished reputation in the capital markets. While your company is assessing its risks and designing and implementing reporting controls, internal audit should be one of its most valued assets. We must engage with a long-term view, leverage technology whenever possible, and help our companies foster a culture of compliance.

The Time Is Now: Step Up to Be a Resource

As assurance professionals, we must keep our eyes on the horizon to identify, monitor, and address critical compliance risks. As I mentioned, the proposed climate disclosure requirements present challenges and opportunities for internal auditors. Those who joined the profession after SOX was embedded into our compliance practice will learn firsthand about management’s need for accurate information and the importance of internal audit’s advice through the early days of a major regulatory change. Our first duty is to help our companies achieve and maintain compliance, but we also have an excellent opportunity to demonstrate our crucial role in confronting significant emerging risks. First and foremost, look for ways to help protect and create value for your company. The clock is already ticking.


Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA).