The Institute of Internal Auditors has released a White Paper entitled Internal Audit’s Role in ESG Reporting. The paper discusses risks related to ESG reporting and outlines how internal audit can support ESG objectives and add value.
The White Paper notes that ESG risks, which it describes broadly as “risks associated with how organizations operate in respect to their impact on the world around them,” include “areas that are dynamic and often driven by factors that can be difficult to measure objectively, such as inclusion, ethical behavior, corporate culture, and embracing sustainability across the organization.” Risks associated with ESG “include reliance on third-party data, potential reputational damage from faulty reporting, and the real possibility that an organization’s explicit commitments to meet specific sustainability goals could grow into a material weakness.” Accordingly, ESG reporting “should be treated with the same care as financial reporting.” In that context, the IIA sees two roles that internal audit should play – assurance and advisory.
Assurance
Directors need internal audit to provide reliable assurance on the effectiveness of ESG risk management and reporting. That assurance should include four components:
Review reporting metrics for relevancy, accuracy, timeliness, and consistency. It is critical that all public sustainability reports provide information that accurately depicts an organization’s ESG efforts. Internal audit can provide assurance on whether data (quantitative and qualitative) being reported is accurate, relevant, complete, and timely. This is particularly important as regulatory oversight increases.
Review reporting for consistency with formal financial disclosure filings. While sustainability reporting provides nonfinancial data, any information that conflicts with formal financial disclosures will raise a red flag with regulators and investors.
Conduct materiality or risk assessments on ESG reporting. Organizations sometimes struggle with understanding and reporting what is material in the ESG context. “However, organizations must have a clear understanding on how ongoing sustainability efforts or public commitments to reaching sustainability goals can rise to the level of materiality.”
Incorporate ESG into audit plans. ESG and sustainability-related engagements currently make up about one percent of the typical internal audit plan. IIA says that this “must change as ESG risks and risk management take on greater significance for organizations.”
Advisory
Internal audit can also add value in an advisory capacity. The White Paper describes three components of internal audit’s advisory role:
Build an ESG control environment. Competent internal audit functions are familiar with the building blocks of effective control environments. They can also recommend control frameworks (e.g., COSO’s Internal Control – Integrated Framework) to manage/mitigate ESG risks. Internal audit also can advise on developing specific internal controls over ESG reporting.
Recommend reporting metrics. Internal audit can provide insights into the kind of data (quantitative and qualitative) that accurately reflect relevant sustainability efforts within the organization.
Advise on ESG governance. Internal audit can provide guidance on ESG governance and can help identify roles and responsibilities, as well as provide training on internal controls.
The IIA White Paper also discusses the growth in corporate ESG reporting and the growing regulatory focus on climate change and other ESG disclosures. The paper briefly describes the various ESG reporting standards and frameworks, including the work of the Sustainability Accounting Standards Board, the Global Reporting Initiative, the Task Force on Climate-Related Financial Disclosure, and the CDP Climate Change Questionnaire. It also provides an overview of investor pressure for expanded ESG disclosure, such as the efforts of BlackRock, the world’s largest asset manager, in promoting portfolio company ESG disclosure and strategy. See BlackRock Calls for Disclosure and Board Oversight of Company Plans for the Net-Zero Economy, January-February 2021 Update.
The White Paper concludes with the observation that the ability of organizations to integrate ESG considerations into their business strategy and risk management practices depends on the design and effectiveness of internal control around accounting, reporting, and communication of information. “Applying the same systematic rigor to measuring, validating, managing, and reporting material sustainability information that is typically applied to financial reporting should lead to greater corporate and investor/stakeholder confidence, organizational value, and capital markets’ effectiveness.”
Comment: As the White Paper emphasizes, ESG disclosure has become ubiquitous. However, many companies lack the kinds of controls and procedures with respect to ESG that are in place to assure the accuracy of traditional financial disclosures. The Update has urged in the past that audit committees direct their attention to the control environment in which ESG disclosures are created and the controls and procedures that support their accuracy, particularly as investors rely more heavily on ESG metrics in decision-making. See, e.g., What is the Audit Committee’s Role in ESG Oversight, December 2020 Update. As the IIA points out, internal audit can play an important role in promoting the accuracy of these disclosures, and it would be prudent for audit committees to consider how best to leverage the work of internal audit in ESG disclosure.