
Internal Audit and ESG Strategy Development, Implementation, and Reporting: If Not Now, When?


 

By the end of 2022, environmental, social, and governance (ESG) assets under global management are expected to surpass $41 trillion. Three years later, this figure is projected to rise to $50 trillion, emphasizing the scale, growth, and importance of ESG causes to corporate and consumer interests alike. 

As ESG takes on greater significance in boardrooms, organizations are shifting sustainability strategies and consequently embedding sustainability reporting into financial reporting practices. Additionally, decision-makers are working to effectively incorporate ESG matters into short- and long-term strategy planning. 

With ESG performance now factored into the perceptions and calculus of shareholders, prospective investors, employees, third-party vendors, industry peers, regulators, and governments, the Internal Audit function can serve as the tip of the ESG strategy spear on behalf of the business. 

ESG Efforts Meet Disclosure, Compliance, and Assurance 

Organizations with adolescent sustainability programs likely lack the ESG criteria, strategy, and reporting to meaningfully drive progress toward meeting each and every ESG goal. The leadership bandwidth and staff expertise to shepherd such change are likewise often lacking.

Figure: ESG adoption and internal audit (Source)

On the other end of the ESG maturation spectrum, firms that have already designed detailed reporting processes and are well on their way to leading ESG efforts in their sectors still require support in some capacity, often in the form of external advisory or increased Internal Audit involvement. 

And what about the companies that haven’t given honest thought to the matter at all? 

In all of the above scenarios – and in all stages in between – now is the perfect time for internal auditors to collaborate with and educate management on the gravity and urgency of incorporating ESG goals into overall corporate strategy.

With SEC rulemaking set to begin in 2022 (enhancing and standardizing climate-related disclosures to investors) and various mandatory European Union regulations already in place or on the horizon, implementing and reporting on sustainability goals will not remain optional forever. ESG disclosure and assurance cannot be punted on.

Building the infrastructure for optimal ESG success and compliance is imperative. Internal Audit’s perspective and current-state assessment can bring clarity and focus to management's decision-making.

Developing the ESG Strategy: Is Management Laying the Right Foundation?  

All good strategies include specific, measurable goals supported by an action plan defining who, what, when, and why.   

When assessing an organization’s ESG strategy and how it was developed (or could be developed from scratch), the Internal Audit function should consider the following:  

  • Has ESG been considered in Internal Audit’s enterprise-wide risk assessment process?  
  • Has a cross-functional team been established with representatives from departments (such as Human Resources, Legal, Information Technology, Facilities, and Procurement) with the requisite understanding of ESG issues?  
  • Have the right stakeholders been identified, and does management understand their expectations? Has this helped inform the ESG strategy and what is most material? 
  • Are industry frameworks, such as the Sustainability Accounting Standards Board (SASB), International Sustainability Standards Board (ISSB), Global Reporting Initiative (GRI), or Task Force on Climate-Related Financial Disclosures (TCFD), being leveraged to identify material topics and associated metrics specific to an organization’s industry?  
  • Is management placing the right emphasis on each component of ESG, or is the focus weighted too heavily toward one aspect over another (e.g., “S” over “G”)? The table below spotlights how organizations in different countries are prioritizing individual components of ESG, with "environment" unanimously outpacing "social" and "corporate governance."

Table: ESG by country (Source)

Answers to these questions – and the action taken as a result of them – inform the entire scope of ESG metrics and exposure to expected or unexpected ESG risk. Internal Audit’s guidance at the early stages of ESG decision-making can deliver a stronger foundation to the strategy at large. 

Putting Words Into Action: Has Management Effectively Operationalized Its Strategy? 

Internal Audit should assess whether the necessary processes, controls, and systems that management has put in place integrate ESG priorities into day-to-day business activities.  

For example, if contradictory actions exist in dispersed areas of the business, what takes precedence with respect to ESG goals? Consider a company that lends to another business, while the company's ESG mission is to refrain from financing businesses that operate in industries that aren’t environmentally friendly. Is the mission clearly defined and articulated to remediate such discrepancies? Does the credit policy outline ESG lending criteria in a way that a potential transaction of this kind is flagged beforehand?

If so, are there controls in place to ensure the policy is not easy to override? And how are policy exceptions approved and documented?   

Other ways in which Internal Audit can work with organizations to provide oversight and assess the effectiveness and maturity of processes include:  

  • Documenting process narratives and flowcharts to identify key controls. 
  • Performing a control gap analysis to identify opportunities for process improvement.  
  • Assessing whether roles and responsibilities have been established and communicated throughout the organization to promote accountability and drive progress.  
  • Assessing the design of controls to effectively implement and measure ESG objectives. 
  • Testing the effectiveness of controls over ESG-related processes and procedures.  

Reporting on ESG Objectives and Progress 

Reliably reporting on ESG information is highly dependent on access to relevant data and the integrity thereof.  

Internal Audit can assist management by providing assurance over the organization’s ESG reporting and data integrity by: 

  • Verifying that ESG data disclosed in an ESG report is consistent across the organization’s platforms and other disclosures made (e.g., external website, SEC filings). 
  • Reperforming conversion of data inputs to reported outputs to confirm accuracy and completeness.  
  • Where an organization relies on third parties for collecting or measuring data, assessing the adequacy of controls over the accuracy and completeness of such data (e.g., by reviewing SOC 1 reports and reconciling two sets of data). 
  • Confirming consistency of metrics reported (whether internally or externally) with supporting data. 
  • Assessing the organization’s overall reported metrics against ESG frameworks.  

As regulators roll out additional ESG reporting requirements and global businesses operate within a complex framework of non-standardized ESG compliance, it’s clear that Internal Audit can deliver the support, implementation, and assurance leaders need to translate ESG strategy into lasting success.

And the Internal Audit department should proactively bring ESG initiatives and plans to management in the pursuit of remaining ahead of risk management and regulatory compliance curves. The ongoing pivot and prioritization of ESG necessitates a vital role for internal auditors now and in the future.   

To strengthen your firm’s ESG program, contact CrossCountry Consulting today. 

 

Editor's note: Updated August 2022
