©gesrey/iStock/Getty Images Plus
Sounding the Alarm
In June 2021, The IIA and the Internal Audit Foundation, in collaboration with EY, conducted a survey to understand how organizations are using their internal audit functions in support of their environmental, social, and governance (ESG) initiatives. The survey was distributed in North America to chief audit executives (CAEs) and directors in the internal audit profession; 102 responses were received. The survey was designed to gather data and answer the following questions:
- Is ESG an internal audit priority?
- How are organizations reporting ESG metrics?
- What are the existing barriers to internal audit’s involvement with ESG programs?
- If internal audit is not involved in ESG program advisory and assurance activities, what function is?
- What support and resources does internal audit need to provide ESG coverage?
From climate change to social and political unrest fueled by diversity, equity, and inclusion (DEI) issues, investors and other stakeholders are sounding the ESG alarm. This is partly the result of the COVID-19 pandemic and devastating weather events around the world attributed to climate change. Stakeholders such as boards, employees, and investors want to know how ESG issues impact the organization’s long-term strategy, performance, and value creation. Further, while ESG analysis plays an important role in investing, other stakeholders such as consumers are paying more attention to these measures of organizations’ performance. For example, consumers would pay more for sustainable products and demand greater transparency on issues ranging from sustainable practices and labor standards to executive compensation and deforestation policies. Because internal audit’s mission is to “enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight,” its involvement in ESG is paramount and a natural fit. However, internal audit’s contribution to ESG efforts may be influenced and dependent on the organization’s ambition, strategy, programs, and reporting in ESG.
In addition to stakeholder demands, the shift toward a greater focus on ESG is also being fueled by impending regulations. According to EY, there are three important dynamics to watch on global climate disclosure standards:
- There is growing consensus on the need for a baseline climate disclosure standard.
- Disclosures are just one piece of the broader policy approach to mitigating climate change.
- Despite the uncertainty over future disclosure requirements, the direction is clear that it is time for organizations to build institutional capacity.
At the 26th United Nations (UN) Climate Change Conference (COP26) held in November 2021, the International Financial Reporting Standards Foundation (IFRS) announced the development of the International Sustainability Standards Board (ISSB), which will set recommendations for ESG reporting designed for an investor audience. It will focus first on climate change disclosures, followed by broader ESG issues. This announcement is significant in that it identifies potential convergence of existing standards for future reporting. The Value Reporting Foundation (VRF), which includes the Sustainability Accounting Standards Board (SASB) and the International Integrated Reporting Council (IIRC), announced its intention to merge into the ISSB. The Climate Disclosure Standards Board (CDSB) announced its intention to merge some of its standard-setting intellectual property into the ISSB, while the CDP will remain separate.
In addition, the U.S. Securities and Exchange Commission (SEC) has been signaling it is on the path to- ward regulated climate and ESG disclosures. On 4 March 2021, it created a Climate and ESG Task Force in the Division of Enforcement to develop initiatives to proactively identify ESG-related misconduct.
On 22 September 2021, it shared publicly some example letters it is issuing to organizations regarding climate change disclosures based on 2010 Climate Change Guidance. Organizations should have their internal auditors stay current on these market-driven and regulatory developments.
Risk Management
While ESG-related issues are considered to be material risks to businesses, only 51 percent of organizations that are reporting on ESG obtain some level of assurance. According to IIA Standard 2120 – Risk Management, “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” Further, IIA Standard 2130 – Control states, “The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.” Standards 2120 and 2130 clearly establish a foundation for internal audit’s role in providing assurance over the organization’s ESG reporting process- es and controls.
In addition, The IIA’s Internal Audit Competency Framework© specifies competencies required to identify and address the risks specific to the industry and environment in which the organization operates, including competencies related to the social, corporate responsibility, and sustainability knowledge area:
- At the general awareness level, internal auditors are able to describe corporate social responsibility and sustainability.
- Internal auditors at the applied knowledge level examine the organization’s approach to social responsibility.
- Internal auditors at the expert level recommend actions to improve the organization’s approach to social responsibility and sustainability.
Given Standards 2120 and 2130 and the Framework, internal auditors need to increase support in the near future. The Internal Audit Foundation and EY share these survey findings to help prepare internal audit to become more of a trusted business advisor in ESG.
Read the full report here.