Internal audit's role during times of change
It might seem early to get internal audit involved in ESG strategy for climate disclosures. However, given other regulatory shifts businesses have faced over the years, such as Sarbanes-Oxley, data privacy, and conflict minerals regulations, getting started now is a proactive move. Internal audit likely has played a significant part in each of these shifts and already has deep experience in creating new processes and procedures and helping monitor and manage risk. As climate disclosure reporting needs and other ESG topics become increasingly important to many organizations’ enterprise risk assessments, it’s natural to involve internal audit in monitoring ESG-related regulations, risks, and changes.
How does this work in practice? Management might identify changes the organization should make based on the ever-evolving ESG landscape and what effects those changes could have on business operations. Internal audit can’t rely on process owners. It’s vital that the internal audit function has its own mechanisms to monitor ESG-related changes and that it understands how those changes might affect the organization’s processes. This objectivity provides checks and balances for the organization. Since internal audit already has experience in providing these checks and balances in other areas of the organization, engaging them in ESG-related changes is a natural fit.
Internal audit’s role in a cross-functional ESG team
Since ESG touches every area of an organization, it’s critical to establish a cross-functional team that represents key stakeholders and assigns clear roles and responsibilities for assurance, advisory, and management activities. This team is responsible for establishing a formal governance structure, developing policies, creating standards, and managing new ESG-related initiatives. By creating this team up front, organizations can tap into a diverse set of experiences and expertise to inform the data gathering and reporting process prior to attestation or assurance engagements provided by third parties.
Internal audit should serve as part of this team in a nonvoting capacity to provide insights while maintaining objectivity. A cross-functional team can benefit from internal audit’s expertise in assessing risk, evaluating controls, and monitoring reporting. In turn, internal audit can benefit from having a first-hand understanding of how the organization is monitoring, evaluating, and responding to ESG-related changes.
Cross-functional ESG team roles
Board
|
Compliance and enterprise risk management
|
Internal audit
|
Vision
Strategy
Governance structure
Policy
Subcommittee
|
Policy standards
Required risk assessments
New initiative standards
|
Objective evaluation of design and operating effectiveness
Auditing of reporting metrics
Assistance with materiality assessments
Advisory services
Internal controls training
|
Involving internal audit in ESG strategy
When the internal audit team engages with ESG strategy and implementation from the beginning, it can be better equipped to provide support long before the first external assurance engagement. While internal audit works to preserve value by assessing internal controls later in the process, it can also be involved in value creation by advising management early in the design phase. Including internal audit during the design of key processes and controls can help prevent the redesign of key activities later. Internal audit also has insights into risks, metrics, and processes prior to the official audit planning phase.
The type of ESG-related topics organizations might face in internal audits or external assurance engagements vary by industry, but there are some common topics across industries. Diversity, equity, and inclusion is a good example. It’s a popular topic in ESG discussion, with emerging regulatory obligations and potential for assurance requirements, although the applications and tasks that come alongside those audits might differ.
Climate risk is another emerging topic that touches every single industry and business. A bank might examine its loan portfolio in certain geographies affected by natural disasters, for example, while a manufacturer might look at processes and controls regarding sourcing materials.
Regardless of ESG subject matter or industry, the themes and goals are the same: assessing the reliability of data and effectiveness of the organization’s controls. That’s why it’s essential to have a team committed to keeping up with ESG trends before they become regulations. Because of its core role as an independent reviewer, internal audit is uniquely positioned to support the ESG strategy process from the beginning to help prepare the organization for future external assurance engagements.
Preparing for an internal audit
Before conducting an internal audit with ESG-related components, an internal audit team needs to properly prepare, considering both internal and external resources and anticipating challenges along the way.
It’s important for internal audit to develop a strategy regarding auditing ESG-related metrics and topics, including if it should consider broad audits by topic or deep audits by location, as well as if it should prepare for stand-alone or integrated ESG auditing. Several factors might influence internal audit’s approach, including risk taxonomy, organizational responsibilities and resources, the ESG program’s maturity, and the ESG strategy. Internal audit should include topics from all three areas of ESG – environmental, social, and governance – in its internal audit risk assessment.
Becoming familiar with the major ESG-related frameworks and standards allows internal audit to understand the terminology and reporting requirements relevant for its organization’s industry and to mitigate challenges. Internal audit has several resources available, including the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control Over Sustainability Reporting guidance as well as standards from the Sustainability Accounting Standards Board, the Global Reporting Initiative, the Task Force on Climate-related Financial Disclosures, and the International Organization for Standardization.
Growing an ESG network, both within an organization and a specific industry, can be a fruitful way to connect internal initiatives and strategy to regulatory requirements and best practices. Organizations should consider what ESG-related education their internal audit teams might need and if they need to bring in a more experienced third party to help with some (or all) of the internal audit preparation process.
ESG-related data considerations
Data is a major part of any audit, and understanding how ESG-specific data differs from other types of audit data can be immensely helpful. Organizations should consider building audit programs that look at how ESG-related metrics are defined, how the data is aggregated, how the data is validated, who reviews the data, and general data governance issues. While audit planning, internal audit should also consider whether ESG-related data presented in sustainability reports ties to data that is already audited and shared in financial reports for consistency.
The maturity of sustainability reporting is also a major consideration. For example, the internal data an organization currently uses for climate disclosures and reports might be housed on less mature systems than the data used for financial statement audits. Those systems might not have gone through an information technology (IT) control review, so the reporting might not be verified as complete and accurate.
Organizations need to closely evaluate systems and reports for completeness and accuracy and potentially involve the IT audit team to check general controls, user access, workflow configuration, and other application controls. The business might have a formal data governance program that can be used to assess reporting standards.
For example, the Crowe team worked with a client that had a system to collect emissions data from many global locations for CDP reporting. While auditing the prior year’s data, the team identified a few sites that looked like outliers. Working with the client, the team discovered someone was entering those sites’ emissions in the wrong units, which skewed the data. The team also found multiple leased sites that had zero emissions entered due to a misunderstanding of reporting requirements and incorrect boundaries used in reporting. The second line of defense had to work with those locations to rework processes and gather the right data.
Another data challenge with sustainability reporting is the reliance on third-party data. For example, greenhouse gas emission reporting is broken down into Scope 1, Scope 2, and Scope 3 reporting. Scope 3 requires an understanding of third-party emissions in the supply chain and how those emissions affect operations and products. Internal audit needs to closely assess the quality and reliability of the data received from those suppliers.
Why preparation is critical
So, what can happen when an organization is not prepared? Some organizations haven’t invested in ESG technical expertise because they haven’t considered ESG a critical factor in internal audit planning, and they are choosing to wait for formal regulations to force their hand. This false sense of security and lack of urgency can drastically affect the timeline for ESG-related reporting needs.
It’s not just about the regulations that affect a specific organization. For example, some customers have their own ESG regulatory requirements, and they need data from that organization to fulfill those requirements. It’s important to consider the regulatory obligations stakeholders face, which is another reason why cross-functional teams are so important.
Although internal audit has vast experience in assessing the governance structure of organizations, such as policies, procedures, charters, and board and management committee activities, it should develop or increase its level of ESG competence regarding current and emerging regulations and risks.
Internal audit can use the risk assessment process that should be in place in the first and second lines of defense to understand management’s view of ESG risks and controls. Internal audit should also include ESG in its top-down, third-line risk assessment to understand the relative ESG risk in the audit universe, which might help determine the frequency of ESG-focused audits.
Internal audit’s role in voluntary reporting
It’s also important to note that any voluntary ESG-related reporting already performed might become mandatory – and in fact, it already has for some organizations. Organizations have produced qualitative and quantitative data for mandatory regulations, and now the Securities and Exchange Commission’s Climate and ESG Task Force is asking why sustainability report content is more informational than financial statement content.
In the past, what organizations said about their ESG-related initiatives might have been for marketing or publicity purposes. Now, organizations are being held accountable for those initiatives, which invites risk if those initiatives are not reported on consistently.
Keeping up with ESG trends and regulatory changes
ESG regulations and trends are constantly evolving, so it’s important to keep a list of resources for more information. General standards and frameworks are integral, and so is industry-specific information. Organizations should reach out to their third-party professionals, including law, accounting, and consulting firms, which might have their own ESG-focused practice areas. Creating continual, ESG-focused education for internal audit and other teams in the organization is also essential. Some companies are even creating roles for an ESG controller to manage the cross-functional team, establish internal controls, and protect data integrity.
Building and expanding a cross-functional ESG team to include internal audit, investing in education, and seeking help from a third-party can help your organization get up to speed on current ESG efforts and changes in the industry and be prepared for future ESG-related regulatory requirements.