Forming an environmental, social, and governance (ESG) strategy can be a resource intensive task given all the areas that it could impact. Luckily, companies with internal audit resources already have in place a valuable contributor to ensuring ESG success. These professionals have many of the requisite technical skills to assist in the formalization of processes and internal controls. Our ESG Solutions Practice recently spoke on the role of internal audit in ESG strategy. These were the key roles and use cases for internal audit resources in an ESG strategy.
The value of internal audit in ESG strategy
Topics like ethics, community relations, cybersecurity, governance, supply chain, environmental impacts, safety, and sustainability that are ESG-related are also areas that internal auditors have already been focused on historically due to the risks they present for many organizations. ESG strategies often combine these topics under a single umbrella with a heightened element of stakeholder interest.
Internal auditors are able to assess processes to ensure that they are efficient and contain appropriate internal controls to mitigate relevant risks while ensuring regulatory compliance. Internal audit will also be vital in assessing the quality of the data that is collected, addressing one of the significant pain points within ESG strategy and reporting. Finally, these professionals will be able to independently confirm that ESG strategy aligns with the strategic goals of the organization and its stakeholders.
Common sense approach to ESG for internal auditors
ESG related risks and opportunities are not reserved for large multi-national corporations and government, they are just as relevant for smaller entities. Since internal audit resources are limited, challenges exist to assess and respond to all ESG-related risks. However, internal auditors can utilize existing frameworks, guidance, and tools that are available for risk management and sustainability such as COSO’s Applying Enterprise Risk Management to Environmental, Social and Governance-related Risks and COSO’s Achieving Effective Internal Control Over Sustainability Reporting (ICSR).
Specific internal audit functions in ESG
Internal auditors are key players in an ESG strategy. Let’s examine some specific areas where they may be able to assist management and add value.
Risk and Internal Controls Assessment
Risk identification and assessment are core functions of internal audit, and though identifying ESG risks can be more challenging than traditional risks, it should be treated in the same way as any other entity risk. It should include not only the risks, but the opportunities to create, preserve, and realize real value for the organization. Sources of ESG risks can be identified through already existing tools like previous external/internal audits, surveys, media monitoring or existing risk inventory. If your organization does not already have an existing risk inventory, this is a great time for internal audit to create one. ESG risks can be difficult to predict but they can have potentially significant impacts or a longer lead time for those impacts to materialize.
Internal control assessments help to identify what ESG controls exist or may need to exist to mitigate the risks identified above. Internal controls for ESG purposes can be related to reporting, information and data collection, the achievement of specific ESG goals and commitments, etc. An internal controls assessment of ESG controls can include an evaluation of the effectiveness of the control environment in achieving organizational goals and stakeholder interests.
Benchmarking
Internal audit often plays a valuable role in the benchmarking of data being captured across an organization or externally, across a common industry. The benchmarking of and ESG program against an accepted maturity model will help define the organizations current state of ESG objectives versus a desired future state.
Regulatory Assessment
Where does your organization stand in relation to the evolving ESG regulatory landscape? Understanding the global state of play is a regular exercise for those with responsibilities in ESG reporting and compliance. A collaborative internal audit team can quickly help assess and report on ESG requirements across the globe, as well as local requirements that may be state specific within the U.S.
Assessment of data quality
Typically, an organization has a strong grasp on recurring financial data, but ESG reporting and strategy will require a great deal of non-financial (and much non-quantitative!) data that might not be as readily available and is likely unstructured. Although internal audit may not own the financial and non-financial data used in many ESG metrics and disclosures, once the data collection process is evaluated, internal auditors can ensure that the data is both relevant and reliable. The well-known concepts of accuracy and completeness apply to both financial and non-financial metrics. Additional focus should be on whether data is replicable in a timely, consistent manner. Data quality should be assessed for and inclusive of both positive and negative metrics that need to be reported. What is the level of assurance on that data? How often is it collected? Who is collecting it and what is the process to collect the data?
Establishing governance and oversight for ESG
Governance in an organization provides the structures, oversight and culture needed to establish strategies and objectives related to ESG. Internal auditors can help map or define mandatory and voluntary ESG requirements and increase board awareness of any ESG related risks. They can provide recommendations to leadership to help embed and incorporate ESG ambitions into the culture and mission of the organization and recommend implementation of these priorities into hiring and talent acquisition.
Ensuring alignment with greater strategic goals
Internal audit has a unique role and perspective that provides end to end visibility across the organization allowing the evaluation of ESG strategy alignment with organizational goals. Is our organizational strategy aligned with our current and future ESG related goals? Do our ESG reporting and non-reporting objectives and strategy make sense within our five and 10-year plans? How can we integrate the information we have into our greater strategic and long-term business goals? Are we prepared for upcoming legislative and regulatory expectations? What are our ESG commitments to the public and internally today and do we have policies, procedures, controls, and data to support these public commitments today? How about for future commitments?
Written by David Plajstek. Originally published by CPA Practice Advisor.
Looking for more information on internal audit's role in ESG? Check out our recent webinar.
Have a Question?
Fill out the form to speak with one of our ESG professionals.