Publishing note: At the time of this article’s publication, the SEC climate disclosure rule has been voluntarily stayed pending judicial review of consolidated challenges by the Court of Appeals for the Eighth Circuit.
The SEC’s “The Enhancement and Standardization of Climate-Related Disclosures for Investors” rule requires registrants to develop systems, controls, and processes necessary to comply with this climate disclosure rule. The rule has nuances that need to be considered when tailoring the control environment since the various sections have different assurance requirements, safe harbor protections, and internal control expectations.
It may take substantial effort from organizations to prepare for these requirements. To effectively design internal controls that will comply with the SEC rule, it is critical to understand and navigate the details of the new climate disclosure requirements regarding greenhouse gas (GHG) reporting.
Overview of Internal Controls for SEC Climate Disclosure Rule
The rule adds Article 14 to Regulation S-X and Subpart 1500 to Regulation S-K. Before implementing internal controls for the rule, it is important to understand which disclosure requirements are under Regulation S-X versus Regulation S-K, as there are different internal control expectations. The figure below details the differences between Regulations S-X and S-K and provides a summary of the climate disclosure additions, along with important information for developing an implementation approach.
| | Regulation S-X | Regulation S-K |
|---|---|---|
| Contents | Financial statements and their footnotes. | Qualitative information, including: |
| New Climate Disclosures | Financial statement footnote climate disclosures of: | Disclosure of: |
| Location of New Climate Disclosures | Registration statement or annual report, e.g., Form 10-K. | Registration statement, annual report, or another SEC filing, if the disclosure meets the electronic tagging requirements. |
| Third-Party Assurance | Financial statement auditors are responsible for auditing the financial statements and their footnotes, which are subject to SEC requirements for internal control over financial reporting (ICFR). | GHG emissions include phased-in assurance requirements for large accelerated filers and accelerated filers. Non-accelerated filers, smaller reporting companies (SRCs), and emerging growth companies (EGCs) are exempt from GHG emissions and GHG assurance disclosures. However, all other disclosure requirements are applicable to all registrants. |
| Safe Harbors | No safe harbors. | No safe harbor for GHG emissions; however, safe harbors exist for forward-looking climate-related disclosures (including transition plans, scenario analysis, internal carbon pricing, and targets and goals). |

The above climate disclosures are subject to various materiality and applicability thresholds. The rules do not apply to asset-backed issuers or Canadian registrants that use the Multijurisdictional Disclosure System (MJDS) and file their Exchange Act registration statements and annual reports on Form 40-F.
Regulation S-X disclosures require internal control over financial reporting (ICFR) controls to be in place. Regulation S-K disclosures do not require ICFR controls. However, disclosure controls and procedures (DCP) still need to be established. The SEC expects these DCPs to “enhance not only the reliability of the climate-related disclosures themselves, including both qualitative climate-related information and quantitative climate-related data, but also their accuracy and consistency.”¹
Internal Controls for IT Systems
IT systems are important to facilitate compliance with the SEC climate disclosure rule. These systems both house internal control information and serve as tools to comply with the reporting requirements more directly, such as systems to calculate GHG emissions or conduct climate risk scenario analysis.
Governance, risk, and compliance (GRC) systems house internal control information and help manage risk. GRC systems can be used to bring together data from risk assessments, flow charts, policies, control matrices, and control testing.
IT systems with well-established internal controls can streamline reporting and improve confidence in data. A System and Organization Controls (SOC) report provides transparency in the control environment of an IT system. For significant systems used in SEC and GHG reporting, the SOC report should be reviewed so that user entity controls are implemented by the SEC registrant and that internal controls are designed and operated effectively.
Internal Controls for Regulation S-X Climate Disclosures
Regulation S-X climate disclosures do not have any safe harbor protections. SEC registrants should incorporate new Regulation S-X disclosures into existing financial reporting processes. This includes assessing risks and identifying key controls to address those risks. These key controls will then need to be added to the registrant’s existing risk and control matrix (RACM) and be included as an ICFR control for consideration of operating effectiveness testing by internal and external audit. The information in Regulation S-X is subject to both management’s report on internal control over financial reporting and external audit.
Internal Controls for GHG Emissions & Other Regulation S-K Climate Disclosures
Information in Regulation S-K is outside the scope of ICFR controls; however, these disclosures are subject to DCP, in addition to potential liability and investor protections that come with this information being part of SEC filings. GHG emissions are subject to phased-in assurance requirements for accelerated filers and large accelerated filers without a safe harbor. Assurance providers will expect DCP to be in place and may test internal controls as part of their assurance procedures. An SEC registrant may have a different assurance provider for GHG emissions than the financial statement auditor.
Significant risks exist that are unique to GHG reporting, the SEC registrant’s industry, and the company’s specific reporting systems. As a result, controls need to be developed to address these risks. For example, the completeness of GHG data is often a significant risk. Therefore, controls often need to be implemented to ensure that all locations, equipment, and other emissions sources are included in GHG calculations.
Key Takeaways
Significant effort will be required by registrants to implement the SEC climate reporting requirements. More liability, DCP, and other investor protections are expected for SEC filings compared to non-SEC reports. Companies need to implement a robust control environment to prepare for disclosure under these rules, including identifying risks and designing ICFR controls to be added for the new Regulation S-X disclosures. Existing financial reporting processes need to incorporate these new Regulation S-X disclosures. After applicability and materiality are determined for the new Regulation S-K disclosures, responsibilities, data collection plans, and DCP need to be established. Management needs to determine the correct level of oversight to be comfortable with these public disclosures.
If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.
1. “The Enhancement and Standardization of Climate-Related Disclosures for Investors,” sec.gov, March 6, 2024.