View from IIA Global: ESG – internal audit’s role

Organisations around the world are under increasing pressure to prove their commitment to effective environmental, social and governance (ESG) practices. The demand has heightened in recent years amid greater concerns over climate change, social inequities and corporate culture.

One of the most significant challenges is the lack of standards for uniform ESG reporting and an evolving regulatory environment. Some organisations and governments have begun to create their own solutions – for example, the UK’s efforts to introduce compulsory environmental reporting.

A recent paper by IIA Global examines the landscape of ESG reporting and outlines how internal audit leaders can and should assist their organisations in dealing with this important issue. “Internal Audit’s Role in ESG Reporting: Independent Assurance is Critical to Effective Sustainability Reporting” explains how strong governance over ESG, as with effective governance generally, requires the principal players to be aligned.

One key component to reaching that alignment is IIA Global’s Three Lines Model. Created to help organisations identify structures and processes for achieving objectives while facilitating strong governance and risk management, it can easily be applied in ESG reporting because it defines roles and responsibilities. The third line, which includes internal audit, maintains objective assurance and advice to management and the governing body on the adequacy and effectiveness of risk management policies and processes.

Internal audit is one of the few functions that can look at ESG reporting enterprise-wide to identify what is already working and recommend what still needs to be done.

The problem is that ESG reporting varies depending on factors including the organisation’s industry, geography, size, demographic make-up, and governance structure.  

Consider what goes into an ESG report. According to IIA Global’s paper, ESG refers to “criteria that characterise an organisation’s operations as sustainable, responsible, or ethical”. ESG-related topics generally fall into one of three categories:

  • Environmental: How an organisation performs as a steward of nature. This can include its carbon emissions, waste management, water management, raw material sourcing and contribution to climate change. The biggest risks in this category involve public disasters, such as oil spills and chemical leaks.
  • Social: How organisations manage relationships with employees, customers and the greater community. Risks in this category include labour management, data privacy, general security and health and safety. However, most people think of this category in terms of diversity, equity and inclusion (DE&I), which includes diversity of the board, the workforce and the supply chain, as well as factors such as promotion and equal pay.
  • Governance: How organisations manage variables such as business ethics, leadership, executive pay, audits, internal controls, intellectual property protection and shareholder rights. Diversity risks, such as board diversity, can also fall under this umbrella. People generally tend to think of the largest risks here as anything that can cause major damage to an organisation’s reputation.

With so many different issues in the three ESG categories, reporting can and will be unclear at times. It will call for a systematic, disciplined approach to meet investor, stakeholder and other expectations. Internal auditors have had plenty of practice in this through their use of IIA Global’s International Professional Practices Framework. That is why our profession is well-suited to provide the assurance organisations need in ESG risk management and reporting.

Our paper lays out what that might look like. ESG reporting should include at least the following components:

  • A review of the reporting metrics. Internal auditors will look for relevancy, accuracy, timeliness and consistency.
  • A review of the reporting itself. Internal auditors will check the reports are consistent with formal financial disclosure filings.
  • Materiality or risk assessments on ESG reporting. Organisations sometimes struggle to understand and report what is “material”, or could affect financial statements. Internal auditors know how to handle this.
  • Incorporation of ESG into audit plans. ESG and sustainability-related engagements currently make up only one per cent of typical internal audit plans, according to the 2021 Pulse of Internal Audit.

Calls for ESG reporting will increase worldwide. In the UK, for example, a 2019 government paper called for listed companies and large asset owners to align corporate reporting with the recommendations of the Task Force on Climate-Related Financial Disclosures (TCFD) by 2022. The government says it wants the UK to be the first G20 country to make TCFD disclosures mandatory.

A recent development at the global level is the union of the International Integrated Reporting Council (IIRC), on which IIA Global holds a council seat, with the Sustainability Accounting Standards Board (SASB), to create a new Value Reporting Foundation. One of its primary goals is to enable businesses to provide a comprehensive view of performance to investors and others. This is an important step towards establishing a simplified corporate reporting landscape.

ESG reporting in the US is also expected to gain momentum under President Biden’s administration, which has announced its commitment to ESG issues. Other countries are also addressing these challenges. Internal audit needs to be prepared.

Anthony J Pugliese is president and CEO of IIA Global and sits on the International Integrated Reporting Council of the Value Reporting Foundation.

This article was published in July 2021.