Role of internal audit in ESG heats up amid global wave of regulation

Natalie Runyon  Director / ESG content & Advisory Services / Thomson Reuters Institute

· 5 minute read

Internal audit teams' responsibility to verify material ESG data continues to expand as more than 60 jurisdictions weigh new sustainability reporting requirements

The reporting deadlines coming within the next year or two from the European Union’s extraterritorial Corporate Sustainability Reporting Directive, along with the wave of other legislation and regulation across Latin America, California, and Asia, will instigate an increased role for corporate internal audit functions, especially around verifying internal controls over data for environmental, social & governance (ESG) reporting, and because many jurisdictions require third-party assurance.

Across corporate governance, internal audit executives are central to board oversight duties and in particular interfacing with the board’s audit committee. Indeed, audit executives’ duties include risk management, controls, and governance processes and policies, and they report on these to boards of directors, audit committees, and relevant stakeholders, according to the International Sustainability Standards Board (ISSB).

In addition, internal audit leaders can offer insights on the necessary degree of data control and oversight in risk management to guide executive management on the company’s sustainability performance and assist in conducting quality checks and reviews of controls for sustainability data.

The role of internal audit in ESG data and reporting is critical to enhancing the usefulness of sustainability information, both by improving its value and by making it capable of verification. Verifiable data signals to investors that the information is reliable and can be trusted to be complete, neutral, and accurate.

Further, companies frequently depend on appropriate board oversight, established internal controls, and external assurance as three foundational elements of trustworthy information, according to the ISSB.

Details of internal audit’s role

More specifically, internal audit provides two ways of verifying ESG information: assurance and advisory, according to KPMG. On the assurance side, internal audit teams incorporate ESG into regular audit plans and help to ensure that the methodology for calculating information (such as the methods used to calculate greenhouse gases, and the processes and procedures for reporting metrics) is accurate, timely, and consistent. These teams can also examine the mechanisms used to conduct materiality or risk assessments to ensure those assessments meet the standard of scrutiny for regulatory filings. Equally, on the advisory side, audit teams can help to identify gaps in procedures and internal controls that may be ambiguous and could be highlighted as deficiencies in disclosure.

Internal audit functions also provide a perspective on assessing the following questions on behalf of corporate C-suites and boards:

        • How clear is the view that executive-level leaders have on all of the ESG risks and opportunities, including compliance risk related to existing and upcoming regulations and the regularity with which these risks are examined?
        • What is the company’s level of readiness for upcoming legislative and regulatory expectations?
        • How aligned is the ESG culture and risk management with the company’s ESG goals and strategies?
        • What are the current public commitments to ESG and how robust are the company’s policies, procedures, and controls around the data to support these external goals?

Guidance for internal audit functions to prepare

For internal audit teams beginning to explore ways to assist their organizations in complying with current and future regulations, now is the time to take action. The first step is to get knowledgeable. Internal audit teams should actively pursue training, stay abreast of ESG reporting standards, and collaborate with external experts to better build their own expertise, ensuring they are well-equipped to play a pivotal role in their company’s ESG reporting. Certificates such as Internal Auditing for Sustainable Organizations, provided by the Institute of Internal Auditors, are a good place to start.

Once the team has the necessary expertise to conduct audits on the company’s ESG strategies, the full audit team, including input from the company’s legal, finance, and compliance functions, as well as those responsible for the company’s enterprise risk management program, should work cross-functionally to evaluate where the team’s efforts are best placed to be most effective. According to Deloitte, some of the best areas for internal audit to examine include:

Conduct peer benchmarking — Teams should evaluate their company’s ESG strategy maturity level by benchmarking it against other organizations and pinpointing potential areas or opportunities for enhancement.

Review governance roles — Teams could examine the distribution of roles and responsibilities within the organization for implementing ESG strategy and overseeing ESG issues.

Ensure quality of ESG risk management — Enterprise risk management strategies must incorporate actions to pinpoint and evaluate key ESG risks and manage them across the organization. Internal audit can support management in identifying ESG risks and integrating these into risk registries.

Assess the framework for managing ESG risks — Internal audit teams can examine a company’s current frameworks and standards to verify their adequacy, proper implementation, and alignment with industry-recommended frameworks and regulatory expectations.

Scrutinize the documentation of policies and procedures — Finally, teams can also assess the effectiveness of design and operation of controls, examining crucial controls for reducing ESG risks and uncovering any significant deficiencies or gaps.

ESG is known as a silo-breaker, as a number of corporate functions play a critical role in making sure the company meets obligations in regulations on ESG reporting. In addition to internal audit teams, corporate representatives from the company’s legal, compliance, investor relations, finance, risk management, technology, and human resources groups all have a vital part in ensuring the company fulfills its regulatory requirements regarding ESG reporting.

Among these, internal audit emerges as a critical function to help their companies navigate the increasingly complex global landscape of ESG regulations.