Stakeholder expectations that organisations report on their Environmental, Social and Governance (ESG) performance and risks are increasing. Understanding of corporate sustainability performance enables organisations and investors to make informed choices that drive value and improve sustainability outcomes.
Regulators, investors, consumers, governments and the general public all have an interest. Climate change is at the heart of this and is becoming a core component of most non-financial reporting. This guidance focuses on auditing both external and internal climate-related reporting and the data underlying such reports. The principles and suggested approach can equally be applied to other ESG elements.
There has been a proliferation of overlapping reporting standards in the past 20 years. Some of the most common initiatives are the Global Reporting Initiative (GRI), Integrated Reporting, disclosures relating to the UN’s Sustainable Development Goals (SDGs) and, importantly for climate change specifically, the Task Force on Climate-related Financial Disclosures (TCFD). Many organisations take their own approach, often drawing from one or more initiatives. Published reports may be integrated within the annual report or presented as a separate sustainability report, a corporate responsibility report or a series of specific publications, to name but a few.
The EU introduced a requirement (‘Non-Financial Reporting Directive’) that from 2017 some large entities must include limited non-financial information in their strategic reports; this includes Environment and Social Reporting (ESR) and thus climate-related information. This has been implemented in all EU countries, including the UK and Ireland, although some details differ.
Certain large UK businesses also need to report under the Streamlined Energy and Carbon Reporting (SECR) requirements for financial years starting on or after 1 April 2019. In addition, the UK government’s Green Finance Strategy sets an expectation that all listed companies and large asset owners will disclose in line with the TCFD recommendations by 2022. While some organisations are moving towards this, reporting remains inconsistent, and many organisations will not have to comply with any specific requirement at all.
External assurance of published non-financial reports is also variable, and rarely as comprehensive as for financial information. There is a very limited requirement under the EU Non-Financial Reporting Directive, which mirrors the existing requirement that information in the strategic report is consistent with information presented in the financial statements or knowledge gained in the (external) audit. External assurance of SECR reports is suggested but not mandated. In practice, many larger organisations do have additional external assurance of non-financial information, based on the International Standard on Assurance Engagements (ISAE 3000) or the AA1000 Assurance Standard.
IIA Performance Standards 2120 and 2130 require internal audit to evaluate risk exposures and internal controls regarding the reliability and integrity of financial and operational information. In addition, the Internal Audit Code of Practice and the Financial Services Code specifically state that the scope of internal audit should include information presented to the board and executive management for strategic and operational decision-making. Given the importance of climate and other ESR issues in decision-making, climate-related reporting is clearly a relevant part of that scope.
The internal auditor will need to understand the climate-related impacts of the organisation (and the industry in which it operates) and the potential impacts of climate change on the organisation in order to define the scope appropriate for the organisation. This will drive the extent and precise nature of the work.
Internal audit could usefully consider four broad areas in defining the scope of relevant engagements in this area:
The internal auditor should consider any external assurance and the extent to which reliance can be placed on it, bearing in mind the scope of such engagements and the extent of the assurance provided. This may affect both the priorities for internal audit and the timing of the work, particularly for assurance over published information. Unlike external assurance, some internal audit assurance can be provided year-round rather than only at the time of reporting, although part of the work may need to link into the reporting cycle.
The main overriding risks for an organisation are:
In order to address these, the internal auditor should consider the following operational-level risks.
1. Reports provide incomplete or inaccurate information due to incomplete or unreliable data sources.
2. Reports provide incomplete or inaccurate information due to errors in compilation from source data.
3. Reports fail to provide relevant data or are inconsistent year-on-year, thus failing to provide a fair view of the organisation’s climate performance and impacts.
4. The narrative in published reports does not provide a balanced or fair view of the organisation’s climate performance or impacts, or assertions are made that cannot be substantiated.
5. Data is unavailable due to system error or data breach.
6. For organisations required to make specific disclosures, data is not available over the timeframes those disclosures require (for example, organisations that are subject to the requirement to disclose in line with the TCFD recommendations).
Reporting on climate performance and impacts is an evolving activity which is of increasing interest to a wide range of stakeholders.
External assurance is far more limited than for financial reporting, and so there is an opportunity for internal audit to add value by providing assurance on the reliability of data and the effectiveness of reporting processes. But the role should also include providing a challenge to the relevance, consistency and balance in the narrative accompanying quantitative information, giving internal audit the opportunity to raise its profile at the top levels of an organisation.
Audit and Risk Jan/Feb 2020 - Climate change for internal auditors: Project Zero
Financial Reporting Council – Non-Financial Reporting Factsheet
Global Reporting Initiative (GRI) - Standards
Accountability - AA1000 Assurance Standard
Task Force on Climate-related Financial Disclosures (TCFD)