Internal audit’s new role: ESG sustainability reporting

At its core, internal audit centers around risk management, and the forthcoming guidance raises a slew of new risks related to formalizing an ESG program and the associated reporting. Organizations are starting to incorporate ESG into annual risk assessments and audit plans to ensure that management is comprehensively considering the right risks spanning all aspects of ESG. Incorporating ESG risks into entitywide risk management practices requires IA teams to understand their organization’s ESG strategy, risk appetite, material ESG issues, and the scale of the various departments involved with the organization’s ESG program. Doing so can help IA identify ESG-related risks and the required compliance and controls needed to develop a strong ESG risk management framework.

IA teams, as independent risk management professionals, will need to take the same risk-based approach with ESG as they do in any other area of practice as they look at the full scope of activity: where data is coming from and going, who is involved, and what controls are in place at various points in the process. For example, managing and reporting greenhouse gas emissions – a significant area of ESG reporting – offers a useful example of the role IA can play. Audit teams will want to explore the source for emissions data, ownership of the data, how it is being validated, who it is being reported to, and who is signing off on the data before publicly reporting – likely internal committees or the board of directors. While some emissions-related data might have been reported for other reasons in the past, some data might be completely novel. Internal audit can explore these questions, refine them if necessary, and identify and establish controls on processes and systems as they’re being implemented.

As organizations begin to formalize their approach to ESG, IA teams have an important advisory role to play. By proactively gathering information on the proposed regulatory rules, conducting peer benchmarking analysis, and supporting a materiality assessment, IA is well positioned to assess the organization’s resource requirements and regulatory considerations and ease the transition to a formalized and sustainable ESG program.

The first step for IA is to stay informed on the new and pending regulatory requirements. Organizations might not have the internal expertise or sufficient resources to remain updated on the evolving regulatory landscape; therefore, IA teams should consider engaging with external subject-matter experts to help better understand ESG risks, their impacts, and the related program needs to support. Such expertise can help management anticipate and plan for the new ESG jobs to be done. IA also should rely on resources such as the Institute of Internal Auditors and the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which offer training curricula to professional audit practitioners.

The next order of business is to gain an understanding of the key players involved in ESG across the organization. In order to holistically evaluate ESG risk and understand the scale of an organization’s ESG program, IA should identify where to find the right information. Given the broad reach of ESG, IA must engage multiple groups through this effort: human resources, information technology, facilities, legal and compliance, finance, and others.

With the relevant parties identified, some important questions to ask include:

• How are these groups coordinating?
• What type of information is being reported?
• What are the controls over the completeness and accuracy of that information?
• What committees are involved with approving the information?

Many organizations are uncertain about where to begin when evaluating their organization’s ESG program. IA teams can add a great deal of value by conducting a benchmarking analysis of peers to determine what others are reporting in their industry. IA then should consider what the organization’s current material topics are and offer preliminary ideas of what areas might be material. This exercise could initiate the materiality assessment process or support one already underway.

In this way, IA can help advise and guide the board and committees on what steps to take and whether the organization has proper, adequate resources in place to maintain a sustainable program. Audit teams should be involved as early as possible to operate in a collaborative role in providing insight and expertise to management as it relates to critical questions and gaps that need to be addressed.

Internal audit professionals understand the concept of “investor ready,” which means they can bring the right level of precision, rigor, and controls to the process of formalizing ESG sustainability reporting. While professionals on other teams, such as environmental health and safety, might be most informed on an organization’s ESG initiatives, IA teams understand the position of senior management and the board as well as regulatory expectations. With their ability to tie together process, strategy, and risk management, IA can be a key translator as companies bring teams together across the organization to address proposed regulatory requirements.

IA also can play a central role in setting up processes and IT controls, using COSO, the Task Force on Climate-Related Financial Disclosures, and other frameworks. Different companies have varying degrees of maturity in their current ESG reporting practices, and for those who are still early in the process, creating a cross-functional team that includes IA is a critical first step. Internal audit can add value to the ESG story, keeping the business accountable and prepared for an evolving regulatory environment.