Like outside accounting firms, a company's internal audit function plays an important role in determining and executing on the company's ESG activities.
Corporate initiatives around environmental, social & governance (ESG) are in the emerging state of compliance 2.0, and once the compliance part is built, monitoring and tracking will remain, which is oftentimes the responsibility of internal audit functions within corporations.
We had previously discussed how outside audit and accounting firms can help their corporate clients with ESG activities; now we examine how internal corporate auditing functions have a role to play as well.
Indeed, internal audit functions both help increase transparency, because most companies self-define ESG program requirements on what information is disclosed publicly, and help directors perform their oversight duties through the audit committee's interaction with the corporate board.
Role of internal audit
A company’s internal audit function can step in to help implement consistent sets of standards and establish an internal independent mechanism by leveraging ESG program governance as part of a company’s overall governance program. This is crucial because currently, the lack of transparency on what information is disclosed publicly increases the importance of this type of internal independent audit function.
The short-term challenge for internal audit functions is getting up to speed on the company’s ESG efforts, but fortunately, ramping up knowledge is something with which these teams often have experience. The first step is to understand the ESG landscape of the industry and sector of the organization. Benchmarking what the company’s competitors are doing, attending industry conferences, staying current on changes to government policy and legislation, and keeping tabs on the varying perspectives among internal and external stakeholders are all critical to effectively assessing and managing ESG risks while balancing those risks with other high-priority auditing requirements.
Similarly, it is equally important for internal audit teams to understand the current state of the company’s internal strategy, maturity, and risk appetite as it relates to ESG topics. Critically, internal auditors must: i) understand the organization’s appetite for ESG risks; ii) grasp how ESG is aligned with and integrated into the company’s core strategy; iii) identify which company teams own specific ESG processes; and iv) map out the current state of reporting to internal and external stakeholders.
The last two factors are of key importance, because the audit function needs its role to be explicitly valued by leaders of the company who direct, govern, and own a data or delivery function within the company’s ESG program.
Further, integrating ESG assurance into the annual audit plan, especially when the level of ESG knowledge within the team is low, is another key challenge to conquer. To overcome this, audit team leaders should analyze how ESG could be integrated within the existing risk assessment program, then focus on larger issues that will deliver quick wins to maximize the impact and value of assurance.
To assess the level of integration of sustainability within a company’s operations, the following questions — suggested by the Institute of Internal Auditors (IIA) — should be considered:
- How do internal audit teams work with external auditors on ESG assurance?
- To what extent does internal audit provide assurance on structures, systems, and processes for decision-making and reporting?
- What controls exist that outline how data is collected, analyzed, and reported?
- What are the policies and processes that measure, monitor, and report on progress towards company commitments?
- What role does internal audit play to influence a shift in mindset to integrate sustainability into governance and operations?
Internal audit’s role in the “G” of ESG
Perhaps the most important role for internal audit teams in ESG strategy is in governance and the teams’ ability to perform their responsibilities around testing internal controls to better assure accuracy in ESG information and information integrity in ESG data disclosure and reporting.
Appropriate governance around ESG will involve the oversight group that creates and directs mechanisms to harmonize ESG into the strategic objectives of the organization. It also includes management’s outlining of all the financial and nonfinancial inputs and investments, as well as an assessment of materiality for adequate operational performance.
Finally, the independence of the audit function from the oversight and delivery functions is the most critical part of its role in governance and ESG assurance. For example, the IIA’s Three Lines Model demonstrates how internal audit teams fit into the varying responsibilities across the governing body. Importantly, independence from the ESG governing body and from management allows the audit function to: i) maintain the reliability of internal control over ESG data collection, analysis, and reporting; ii) determine how the various corporate functions involved with ESG data are interacting regularly; and iii) monitor the evolving regulatory framework in order to anticipate ESG disclosure regulations.
When a company’s level of maturity around ESG is in the beginning stages, one of the key challenges for internal audit is getting senior management on board, especially in understanding ESG risks and how internal audit can help alleviate those risks. A company’s internal audit function needs to be seen by partners as a trusted advisor with an obligation to highlight ongoing, new, and emerging risks that are not being addressed. In this way, audit functions can have the most effective pathway to influence a positive outcome in a company’s ESG operations.