Last summer the UK became the first major economy to legislate for a net zero carbon emissions goal by 2050 and some are calling for this deadline to be brought forward. Environmental risks are serious and costly – for example, Southern Water was given a record fine of £126m for environmental breaches and misreporting the performance of its sewage works last year – but they are also becoming a major reputational issue. Organisations that fail to prepare now could find that external factors soon push them into action with too little preparation or forethought.
The risks associated with carbon emissions are important to all of us as citizens and as internal auditors. Many of these risks are being continuously assessed by individuals, specialists, teams, organisations and nations, but still they are not always mitigated and controlled properly at any level. This is changing. Not only has the UK committed to net zero emissions, but it says it is also backing “the growing numbers of purpose-led businesses, which commit to social or environmental objectives alongside profit” as part of its future civil society goals.
However, research into professional internal auditing practices in the UK, Europe and across the world continues to show a low level of interest in addressing environmental risks in internal auditing planning and practices. This is despite guidance and actions by the Chartered IIA and by IIA Global, which launched an Environmental Health & Safety Audit Center (EHSAC) as one of its Specialty Audit Centres in 2016.
Back in 1947 one of the objectives in the IIA’s first Statement of Responsibilities of the Internal Auditor was to ascertain “the extent to which company assets are properly accounted for and safeguarded from losses of all kinds”, and this objective has been built into subsequent Standards for professional internal auditing ever since. No matter how each internal auditor interprets “accounted for”, “safeguarded from” and ‘losses of all kinds”, this must cover environmental risks and the reputations of the organisations for which they work and the supply chains feeding, and being fed by, their organisations.
Risk in Focus 2020, a joint survey by the Chartered and European IIAs in 2019 asked chief audit executives (CAEs) in eight European countries (including the UK) to rank two lists of risks first according to the “top five risks to your organisation” and second to “which is the biggest risk to your organisation?”. In both lists “environment and climate change” are ranked 13th out of 17. This needs to change.
The survey also included interviews with CAEs in each of the eight countries and only 14 per cent cited environmental and climate change as one of the top five risks to their organisation: although this represented a significant increase for this risk from the previous year.
This annual survey is not exceptional. Evidence from research and surveys by the Chartered IIA, IIA Global and European IIAs show that social and environmental issues have been neglected by too many internal auditors, despite many forms of guidance from a variety of organisations on the importance of these risks in internal auditing practices from the mid-1980s onwards. In January last year the World Economic Forum’s "Global Risks Report" put climate change high on its list of threats to the world’s economy.
In the 1980s I was involved with the IIA in the UK establishing a joint discussion group with the then Institute of Social and Ethical Accountability (ISEA) to discuss joint interests in the auditing of social and environmental risks and issues. In 1993 IIA-UK (as it was then called) published guidance on environmental auditing in a series of briefing notes addressing not just the contribution internal audit could make to environmental auditing, but also how environmental risks could be addressed in internal audit planning and practices. This was seen as important then and is even more so today.
Since then, ISEA, now called Accountability, has published international principles and standards on the assurances required for social and environmental practices and the importance of stakeholder engagements. Meanwhile, the Chartered IIA published new guidance on these principles and standards in 2015, summarising their importance to organisations and use in internal auditing assurance and consulting on sustainability issues at executive, board and audit committee levels. Guidance was also published by IIA Global in 2015 and the Committee of Sponsoring Organizations (COSO) in 2018 on the broader trend of organisations addressing management, mitigation and control of sustainability risks in integrated reporting to their stakeholders. COSO introduced its guidance with: "Entities, including businesses, governments and non-profits, face an evolving landscape of environmental, social and governance (ESG)-related risks that can impact their profitability, success and even survival."
More recently, governance oversight by audit committees was added to model terms of reference for audit committees in the UK and has been included in some, but not all, audit committee terms of reference. Some writers have suggested that audit committee terms of reference and oversight should also address environmental and social issues, but there is little evidence that this is being practised widely across all sectors in the UK or internationally, although some countries (not the UK) have included a reference to corporate social responsibility (CSR) in their codes of governance.
In its latest publication on the stewardship responsibilities of asset owners and asset managers, the Financial Reporting Council lists as a principal responsibility the inclusion of "material environmental, social and governance issues, and climate change" in governance and investment decision-making. This integration of environmental and social risks into governance reflects a growing trend by governments and investors to link environmental and social issues to governance strategies, structures and processes.
Internal auditors adopting the Chartered IIA’s definition of internal auditing in their charters – “to evaluate and improve the effectiveness of risk management, control, and governance processes” – must respond to this trend. In every sector they must start taking seriously the need to address and report on all ESG risks and processes and practices in every audit engagement. Considerable guidance for this and climate change risks is already on the Chartered IIA’s website.
Professor Jeffrey Ridley is visiting professor of corporate governance assurance at Lincoln International Business School, University of Lincoln.
This article was first published in January 2020.