Driving Accountability: Internal Audit’s Role in ESG

Published
Jul 13, 2023

This EisnerAmper Solution Session explores how internal audit is uniquely positioned to support ESG strategy, as well as what risks and reports are most important for internal audit to consider as part of ESG initiatives.   


Transcript

Nina Kelleher:

Hi, thanks for joining me today. I'm Nina Kelleher and I lead the risk advisory practice within EisnerAmper Digital. And with me, I have Charles Waring who leads the ESG practice at EisnerAmper.

Charles Waring:

Thanks, Nina. It's great to be here today.

Nina Kelleher:

Thanks. So oftentimes, we get a lot of questions from our clients around how internal audit can get involved in ESG and what should they know about ESG. So maybe we could take a little step back and if you could just give us a high level overview of what's going on in the space, and maybe we can drill down on what internal audit directors or heads of audit committees should care about?

Charles Waring:

Sure. And this is a common question that I get a lot from a standpoint of how does internal audit get involved in the ESG space? So one of the biggest things, and by its just basis is ESG as it relates to risk management. And I think a lot of clients and companies are looking at just ESG as a single line item. But the reality is that there's three components there, environmental, social, governance risks. And within each one of those areas, there's plenty of other aspects and risks that are below that. So for instance, with environmental, you'll have emissions, which is the one that gets a lot of highlights, and that's the one many companies are focused in on.

But beyond emissions, you've got water, water management, waste, outputs, et cetera. So that's just environmental, but then also within the social components, you've got aspects around worker makeup, worker compensation ratios, working conditions, engaging in the community, and then governance is that whole piece that handles the responsibilities and the policies, procedures for the governance of those two areas there. So it's important for internal audit directors and professionals to understand that there's multiple components there that should be factored in when they're doing their risk assessments or establishing their audit universes.

Nina Kelleher:

So that's a lot to unpack there in a small acronym. And certainly, internal auditors are very used to looking at risk from a governance perspective, but the E and the S are a little of a different perspective than what we're used to seeing. And so a lot of internal auditors always want to add value. How can they get a full set of risks within the ESG space and then further bring that to where they're adding value to the organization?

Charles Waring:

Right, so I think it's important to understand where the company is on their ESG journey or their roadmap. And one of the key things is to look to see is the company doing any external reporting? ESG currently is not a required reporting requirement, but there's many companies that have been doing voluntary reporting. So does the company produce an ESG or a sustainability report or a CSR report? Sorry, more acronyms there, but are they producing and externally reporting on any of these initiatives, aspects, et cetera? Because that can identify that there are established processes within an organization that an internal audit would be appropriate to go through and perform. But if they're not doing that or if they're not even doing any internal reporting on where they are, then they might be in more of an infancy stage within their ESG processes.

And so it's better for those situations that internal audit might want to look at doing more of an advisory project. So one where if the company, if management is in the process of standing up those processes or evaluating what they need to be doing, et cetera, then the internal audit practitioner can engage with management in an advisory standpoint because what we find is that the people that are charged with the sustainability or the ESG initiatives at those companies, they're less familiar with what many folks in finance or operations would be for internal controls requirements, et cetera. So there is a great opportunity for an internal audit professional to add value to the organization by going along as those projects are unfolding.

Nina Kelleher:

So you mentioned about external reporting and voluntary disclosures. Can you just unpack that a little bit more? Certainly when an organization has external reporting, internal auditors' antennas go up and we know we need to take a look at something. Where regulation requires something versus a company voluntarily disclosing something, are there any differentiators in what internal audit should focus on? Or is it all the same and you're disclosing something and therefore internal audit should take a look?

Charles Waring:

Right. So first, as the internal auditor should be looking at what is applicable to that organization. So if they're a public company in the US, they will likely be subject to the SEC's proposed rule on climate-related disclosures, which that's still as a proposed rule and we're expecting that to be adopted later this year. The other rule that is out there that is fully adopted is the European Union's Corporate Sustainability Reporting Directive, CSRD, which went into effect at the end of last year. And that has ramifications for companies that are either based in the EU, have EU operations, or are selling or servicing to companies that are in the EU. So first and foremost is understanding what is the regulatory requirement for a company.

But then there's an aspect, and I alluded to that, if you do not specifically fall into the direct buckets of either those two regulatory requirements, there could be an arm's length requirement there. So companies that are subject to those are looking to those companies that are in their value chain. So the providers of raw materials, inputs, et cetera, to their organization, and then other companies that are assisting with the delivery of those products. This can include landlords. So if you are a real estate company, but you've got EU tenants, then you could expect to get these types of questions. So it's first and foremost understanding the landscape of the regulatory requirements because those spell out specific requirements. Beyond that, there's really two main frameworks, SASB and then GRI, which really drives a lot of the elements and the reporting aspects that go along with ESG reporting.

And so those are part of that scoping process. If the company has performed a materiality assessment, that's the terminology used within the space to assess what are the relevant ESG risks from an organization. The company needs to have that put in place and the internal audit group could determine, "Hey, has management done that? Is that robust? Is that a robust formalized assessment?" To really identify those risks that are out there. So that is the process that both management and the internal audit group could be going through to understand and use that as the basis for either the internal audit or the advisory project there.

Nina Kelleher:

Okay, so there was a whole lot to unpack. So some of my takeaways from that are it seems like there's quite a few areas where internal audit could or should be involved in the process and evaluating the risks from high level risk assessment to then really more so based on the maturity of the organization's ESG program, whether it's a standalone internal audit or incorporated on an integrated basis to internal audits that already exist.

But internal auditors, we like a methodology. We're happy to be agile and apply agile methods, but we typically like where there's either a regulation which is prescriptive or then a policy that goes with that, and we're able to evaluate the policy against the regulation and take it down to how the policies are impacting procedures and controls within the organization. And usually, that's how we set up our internal audits. But you're talking about certain risks that aren't necessarily intuitive. If I'm a US-based private company, why should I care or be concerned about something that's going on in the EU with their regulations as it relates to ESG? So you've given some examples of why you should care or what you may look out for. Is there any other example like that which might not be intuitive to internal audit or an organization as a whole that might be a risk?

Charles Waring:

Yeah, I think that one of the things that we see is that when a company is in its infancy with ESG or sustainability reporting, oftentimes there's different groups or different departments within an organization that are taking up these charges. One of the things that I've seen is a prime example that if the marketing group is putting out materials that are emphasizing some sustainability initiatives or programs that they've got going on or engagement in the community from a social component. And that's great that they're doing that, but it needs to be contemplated and taken into account from a holistic perspective. Because if externally, the organization is representing that they're doing certain components here, then there needs to be an assurance that it's looking at holistically, that if you're reporting on something that's going on in one department or one geographic location, but then there's contrary behaviors or activities that are being done in another location, another business unit, then that can put a company at risk from a standpoint of greenwashing.

Greenwashing is the industry's term that we're promoting something, we're externally representing something, but we're not really embracing it. It's misrepresentation of what we're actually doing, the data around it, et cetera. So if you're putting that out there as a standalone group within an organization, there are risks to the reputation of the company if, again, it's not in line with what activities are being performed elsewhere. There is also potential legal litigation risk as well. So it's important that all efforts in this space be centrally governed, managed so that there can be consistency and that there's minimizing that risk of greenwashing there.

Nina Kelleher:

Great. I mean, that sounds like it could be really tricky to get ahold of, especially if maybe not the intent is to greenwash, but maybe it's a little elaboration on what you are doing, and then at some point, it becomes exaggeration. And so I think that can get a little tricky. In terms of getting up to speed, I mean, certainly watching this video is a small start for how internal audit can get involved with ESG and become aware of some of the risks to an organization, but what are some other things that you would recommend internal auditors do?

Charles Waring:

Sure. The IIA and the AICPA have actually come out recently with some really strong overview programs, certificate programs, which really helps the practitioner get a good overall view of the landscape, some of the familiarity with the terminology, et cetera. But that just really is the starting point. It doesn't get into the deep dive knowledge to perform internal audit over ESG or to have a full appreciation for all the regulatory components here, all the different frameworks. But just like with any other specialized or unique internal audit, involving a specialist is really the best way to ensure that we're hitting all the marks. We're evaluating our risks accordingly, and that what is being obtained and reviewed is appropriate given the space here. So that's the advice I would give to a practitioner.

Nina Kelleher:

Thank you for that insight. So in closing, what would you say the maturity of the program looks like? And is ESG going away?

Charles Waring:

So what I would say is that many companies, if they haven't already, this is just getting their foot in the door or dipping their foot in the pool here. And as there's more regulatory involvement as well as investors, and then once external reporting is robust and much more routine, this is something that is going to be just part of the normal cadence for any company, any internal audit organization, et cetera. So it's important to get out in front of this now, especially if you haven't had a key request from a stakeholder. But this is something that if an internal audit group has not started to have that conversation or started any of these procedures, this is something that they should be getting to right now.

Nina Kelleher:

Okay. Thank you for joining us today, Charles. It was a great conversation. And thank you to everyone for listening.

Transcribed by Rev.com

