Internal Audit’s Role Within ESG

As companies are undertaking environmental, social, and governance (ESG) initiatives, there is often the question on what should, and even what can, an internal audit (IA) department do in relation to these seemingly new areas.  IA’s role within an organization has always been to help monitor and address its risks, whether financial, regulatory, technology, or operational.  Thus, IA is uniquely posed to tackle ESG.

The Backstory on ESG and Internal Audit

Although ESG is a newer term/acronym, the concepts are not new.  Companies have been incorporating sustainability practices within operations for years.  Diversity, equity, and inclusion (DEI) programs within a company’s employees, suppliers and communities have also been ongoing.  Many companies have been packaging together what they do in these spaces under a corporate social responsibility (CSR) report.  It is only in recent years that all of these have been bundled together under the broad term of ESG. IA may have lightly touched on some of these areas before in conjunction with various operational, human resources, or employee health and safety internal audits.  However, the risks, frameworks for evaluation, and approaches may have not focused on ESG risks, processes and internal controls.

Bringing ESG into the Internal Audit Universe

In order to accurately reflect ESG within an IA risk universe, the first step is to understand what the company has in place or is looking to put into place.  Most commonly, companies have produced CSR reports, ESG reports, or sustainability/impact reports.  Since these are all voluntary, the format, content, and data vary.  Another more prescriptive reporting is through CDP (formerly known as the Carbon Disclosure Project).  CDP reporting follows a lengthy questionnaire which a company can respond to annually.  This can help create the foundation for what risks and processes go into the IA universe tagged to ESG.

Internal Audits and ESG Reporting Frameworks

Once the particular ESG risks are identified, IA has to determine its approach.  Based on an organization’s ESG maturity, it may make sense to do a stand-alone ESG review. For those that are less mature, it may be appropriate to integrate ESG within existing internal audits.  

In planning and scoping an ESG internal audit, IA needs to understand the key processes and, more importantly, data and metrics supporting ESG related processes.  Some of these may be referenced with established reports the company is producing, however these are often a new, complex lexicon for IA. 

Another challenge some internal auditors may find is there is no one ESG framework; there are hundreds. Below are a few of the leading frameworks companies are leveraging and, as with other specialty areas, IA could leverage subject matter experts.

• Global Reporting Initiative (GRI): According to Bloomberg Law, GRI is the most widely used framework with 82% of the world’s largest 250 corporations reporting in accordance with its standards.
• Sustainability Accounting Standards Board (SASB): SASB may be used by publicly traded companies to assess financial statement materiality.
• United Nations Global Compact (UNGC): UNGC is a way for companies to support the United Nations goals.
• Task Force on Climate-Related Financial Disclosures (TCFD): TCFG is focused on climate-related financial disclosures.

As mentioned earlier, it is imperative that IA understand the company’s approach to ESG including which framework(s) the company uses.  While determining if the framework is the most appropriate for the company may be difficult until directives from a regulatory body provide additional guidance, certainly internal audit can align the internal audit scope accordingly.

Don’t Wait to Prepare for Mandatory ESG Reporting

While the SEC currently does not require ESG disclosures for U.S. publicly traded companies, the question being consideration is no longer if but when it will become mandatory.  It is a hot topic listed on the SEC’s Topic Spotlight webpage, SEC.gov | SEC Spotlight and the SEC has created a Climate and ESG Task Force to help with monitoring. So, even if a company has yet to have established processes, systems or internal controls, IA could still look to perform an advisory function for management to help the company prepare.  Similar to other advisory engagements, IA would look to provide objective input on establishing processes and formal internal controls for the flow of information and data.

Whether your company’s ESG program is non-existent to nascent, or robust and mature, when assessing a company’s risk, chief auditors should incorporate ESG risks into their enterprise risk assessment and into their annual internal audit planning process.