As an Audit Committee Chair, I get comprehensive assurance from external audit on the financial statements. But assurance over other information in the annual report is often limited to reporting ‘material inconsistencies’ with financial statements or other known information. This non-financial information is of interest to a wide variety of stakeholders, and so the impact of errors or misleading assertions could be significant. Internal audit has an opportunity to fill the assurance gap.
Reporting relating to climate change and other ESG (environmental, social and governance) issues is a fast-developing and high-profile example of this. Many larger organisations now have to make some mandatory disclosures, and many are going beyond these minimum requirements. There are several overlapping standards (for example, the Global Reporting Initiative (GRI) and the UN’s Sustainable Development Goals (SDGs)), and it is confusing for those producing and using such reports that different standards for reporting have been adopted. The level of adoption varies, and the standards provide a much higher level of flexibility than is the case for financial reporting. Although more organisations are getting external assurance, the scope is generally limited.
Of course, the vast majority of organisations have no mandatory requirement to report. But the demand from stakeholders, investors, consumers, and those higher up the supply chain, is increasing.
The audit committee typically recommends the annual report along with the financial statements to the board for approval, having reviewed the report in detail and gained appropriate assurance. It needs to address the risk that reporting is inadequate or misleading, given the expectations of stakeholders. It also needs to consider the organisation’s ability to comply with current or future climate or ESG-related regulatory requirements, as compliance will require considerable forward planning.
Non-financial information is clearly also used in strategic or key operational decision-making and so inaccurate data may result in poor investment returns, lost opportunities, reduced profitability, and/or reputational damage. This is a key risk which audit committees and boards need to consider in their assurance frameworks. It potentially goes beyond published information and so the full range of non-financial reporting needs to be considered.
So, how can internal audit fill the assurance gap?
In order to maximise the insight internal audit can provide to the audit committee, the role needs to be broader than simply auditing the data used in the report.
Here are some suggestions as to how this can be achieved:
Firstly, internal audit needs to understand and challenge the organisation’s approach to non-financial reporting. Which standards are adopted or leveraged, and why? To what extent have the Task Force on Climate-related Financial Disclosures (TCFD) recommendations been adopted? What are the relevant mandatory requirements for reporting and disclosure, both now and in the future? Who are the relevant stakeholders, and is there a clear understanding of their expectations and how these can be met?
As this is an evolving discipline, data sources will be less established than those used in other business processes, particularly financial reporting. Internal audit should look to evaluate the completeness and reliability of these sources. This may be part of a series of audits, potentially across the audit plan, as it is important to ensure controls in each business unit are effective.
Reporting processes themselves need internal audit scrutiny. Processes are likely to rely on spreadsheets for processing complex data, and so assurance over this is useful. It is important to understand the scope of any external assurance and work with the audit committee to identify what is needed alongside this. Some of this work can be done at any time of year, but if assurance over specific reports is required, this may need to be done during the annual reporting cycle.
Does the reporting team have the right skillset? This isn’t financial reporting, and although the underlying processes may be similar, specialist technical knowledge is required. Internal audit should assess whether the reporting team is sufficiently resourced and skilled. Of course, the same applies to the internal audit team – it needs to have sufficient knowledge to perform such an audit in compliance with Standard 1210, Proficiency.
While data disclosures are important, internal audit can also provide independent challenge on the content of accompanying narrative about performance, risks, and future expectations. This is subjective in nature but needs to be balanced and supported by evidence to avoid accusations of ‘greenwashing’ (greenwashing is the process of conveying a false impression or providing misleading information about how a company's products are more environmentally sound).