The latest headline topic for internal auditors seems to be Environmental, Social, and Corporate Governance (ESG).
For background, I refer you to a sensible piece by Richard Chambers.
SEC Climate Disclosure Proposal May Be the Next SOX for Internal Audit summarizes in a clear and concise way (thank you, Richard) the SEC’s proposed climate-related disclosure requirements.
Rather than repeat the proposed requirements here, I refer you to Richard’s piece or, if you need, the SEC’s proposal.
Richard suggests three ways internal audit can assist:
- Make sure our leaders are aware of the rules and help them to formulate a response to the risk of non-compliance.
- Provide assurance on the planned disclosure process. In the same way that internal audit assesses and provides assurance on new technology projects, we can provide assurance on the new disclosure process.
- On a continuing basis, assess and provide assurance on related controls.
He closes his article with encouragement:
As assurance professionals, we must keep our eyes on the horizon to identify, monitor, and address critical compliance risks. As I mentioned, the proposed climate disclosure requirements present challenges and opportunities for internal auditors. Those who joined the profession after SOX was embedded into our compliance practice will learn firsthand about management’s need for accurate information and the importance of internal audit’s advice through the early days of a major regulatory change. Our first duty is to help our companies achieve and maintain compliance, but we also have an excellent opportunity to demonstrate our crucial role in confronting significant emerging risks. First and foremost, look for ways to help protect and create value for your company. The clock is already ticking.
(My disagreement is mild: our first duty is helping with the achievement of enterprise objectives.)
The IIA has taken a similar stance.
They published a series of questions internal auditors can ask in a Bulletin last month.
In addition, the IIA’s Internal Audit Foundation collaborated with EY on a white paper: Prioritizing Environmental, Social, and Governance (ESG) – Exploring Internal Audit’s Role as a Critical Collaborator. Like the others, it summarizes the proposed rules before talking about the role of internal audit.
They shared the results of a survey when it comes to current internal audit involvement:
Most organizations have involved their internal audit functions in some way with the organization’s ESG initiatives. Just under 30 percent of CAEs of internal audit functions that are involved indicate they are engaged in one or more of the following:
• Providing advice on setting ESG program goals and metrics.
• Reviewing how ESG goals and metrics are tracked and monitored.
• Reviewing implementation of the ESG program and related policy documents.
• Reviewing the accuracy of ESG reports provided to stakeholders.
…internal audit is most often involved in assurance services supporting processes, controls, and data validation for reported material ESG information. Typical advisory services include weighing in on climate risk and the inclusion of ESG in the organization’s enterprise risk management (ERM) program. Internal audit functions also perform governance engagements to assess whether adequate roles, responsibilities, and processes are in place to execute on the ESG strategy and manage risk…. internal audit also can provide ESG-focused audits on topics such as climate, environmental compliance and performance, worker safety, data security, and sustainable supply chain practices. Additionally, 10 percent of CAEs indicate that their internal audit function is involved in other ways as well.
One area we have seen internal audit add significant value to ESG reporting is assessing the completeness of the operational boundaries, especially for large, decentralized organizations. For example, inventorying the greenhouse gas emissions sources across Scope 1, 2, and 3 emissions requires a deep understanding of the company’s operations. Internal audit can provide this insight to validate that all applicable business activities, locations, subsidiaries, and joint ventures are included in reporting. However, 35 percent of CAEs indicate that their internal audit functions have no involvement.
Going forward, two-thirds of CAEs indicate that they plan to perform ESG-related engagements over the next 12 months, with 45 percent planning advisory services and 31 percent planning internal control reviews.
Many of the internal audit executives view ESG as the next SOX. There are many parallels between today’s ESG reporting landscape and how SOX developed in the early 2000s. Internal audit functions have an opportunity to get ahead of impending disclosure regulations and the ensuing assurance requirements by implementing a ‘SOX-like’ framework to enhance the reliability of ESG reporting within their organizations.
My major problem with the above is that it should not be internal audit that is “implementing a ‘SOX-like’ framework to enhance the reliability of ESG reporting within their organizations”. That is a management responsibility.
KPMG weighed in with Internal Audit’s role in ESG. They say (see my emphasis):
As with financial reporting, the independent and objective assurance only internal audit can provide must be an integral part of an organisation’s ESG response.
Management teams across organisations are recognising the opportunities and risks ESG presents. This includes the due-diligence required to integrate ESG measures across any organisation. To make informed decisions, directors must have reliable assurance on the effectiveness of ESG management, including ESG governance, risk assessment, KPI monitoring and reporting. That assurance should come from internal audit.
They refer to the IIA’s publications, with perhaps stronger language than the IIA would prefer.
According to the IIA, at a minimum the internal audit function should provide the following assurance over ESG reporting:
— Review reporting metrics for relevancy, accuracy, timeliness and consistency: It is critical that all public ESG reports provide information that accurately depicts an organisation’s ESG efforts. This is particularly important as regulatory oversight and public scrutiny increases.
— Review reporting for consistency with formal financial disclosure filings: While ESG reporting provides non-financial data, any information that conflicts with formal financial disclosures will raise a red flag with investors and regulators.
— Conduct materiality or risk assessments on ESG reporting: Organisations must have a clear understanding on how ongoing ESG efforts or public commitments to reaching ESG goals can rise to the level of materiality.
— Incorporate ESG into regular audit plans.
— Build an ESG control environment: Internal audit can advise on developing specific internal controls for ESG reporting.
— Recommend reporting metrics: Internal audit can provide insights into the kind of data that accurately reflects relevant ESG efforts within the organisation.
— Advise on ESG Governance: Internal audit can provide guidance on ESG governance because of its holistic understanding of risk across the organisation.
As with the EY and IIA’s materials, the KPMG paper has some valuable advice, although we have to be careful with the word “should”.
Deloitte had their say in an article published in the Wall Street Journal’s CFO Journal.
In ESG and the Role of Internal Audit, they correctly say:
With their ability to anticipate risks, advise senior leaders and the board of directors, and provide assurance, internal auditors are well positioned to act as catalysts for furthering an organization’s ESG goals while helping to identify potential obstacles.
Given their broad purview across the enterprise, internal auditors can assess an organization’s ESG risk from multiple perspectives and help connect dots. For example, in assessing governance and policy, internal auditors can consider whether the organization has created a governance structure and culture that support effective climate risk management and whether information on climate risk is being reported to the board.
The paper sees a role for the external auditor that worries me. It is not something I would engage them for.
The American Institute of Certified Public Accountants (AICPA) and the CAQ are similarly encouraging external auditors to engage in ESG reporting, providing a road map for audit practitioners to understand ESG reporting as well as the related risks and legal considerations associated with including this information in regulatory filings.
“Independent auditors, in their public interest role, play a part in the flow of reliable information for decision-making,” the AICPA and CAQ wrote in releasing the road map in February 2021. Third-party assurance from an independent auditor can enhance the reliability of ESG information reported by companies, they say.
An article last year in the Journal of Accountancy has the title of Internal audit has pivotal role in ESG reporting.
That may be hyperbole.
Anthony Pugliese, CPA/CITP, CGMA, president and CEO of The Institute of Internal Auditors (IIA) is quoted by the Journal as saying that (with my emphasis) there is an “imperative” for internal audit to be involved.
Is there an “imperative”?
Should internal audit be involved, and how much should we be involved?
- Stand on the sidelines for now, waiting for a better time. This is unlikely to be the best option.
- Participate as a consultant as the organization prepares for the regulations. I like this and see the CAE or a senior audit executive in this role.
- Assess the planned design of the controls to ensure compliance with anticipated ESG disclosure requirements.
- Assess the design and operation of the controls over the organization’s carbon footprint, the controls that ensure that footprint is at a desired level.
- Assess the operation of the ESG disclosure controls.
- Provide annual (or more frequent) independent assurance on ESG disclosure controls.
Each organization will have to make a decision based on its specific circumstances.
Let’s face the facts.
- We need to put our limited resources where they add the most value, where the more significant sources of risk to enterprise objectives lie.
- We can’t audit or consult on everything.
- If we allocate resources to ESG compliance and other related risks, that resource has to come from somewhere else, other projects, or we need additional resources.
Is ESG compliance, including but not limited to disclosure controls, one of the top risks at your organization?
Maybe it is, and maybe it is not.
Where does it lie in comparison to traditional areas for internal audit attention, let alone new ones such as these?
- Compliance with sanctions and related regulations, including those imposed as a result of the invasion of Ukraine
- The impact on risks and controls of the Great Resignation. How is the operation of key controls affected as people leave the organization?
- The effect of work-at-home on controls. I heard from a partner in a law firm that his associates are not learning and advancing due to the loss of in-person supervision and training. Some are not putting in the same hours. In addition, his firm is finding it hard to replace those who are leaving.
- The need for resilience, especially as we are hearing of increased nation-supported cyber-attacks.
- How to price products and services in a period of inflation.
- How to prepare for a possible depression.
If the audit committee, management, and the CAE agree that (a) ESG should be an area of focus; (b) there is a need for assurance on related controls and disclosures; and (c) internal audit should have a major role, then the CAE should ensure that:
- There is sufficient, capable resource to do the work.
- There is sufficient resource to address all the other sources of significant risk and value.
If management is willing to fund independent audits of ESG-related controls, I prefer that money be allocated to internal audit than used to hire EY, Deloitte, KPMG, or anybody else.
I find it curious that many of the voices that are today advocating for internal audit involvement in auditing management’s controls were strongly opposed to internal audit doing the same for SOX when that came along.
Let’s not repeat the mistake made by many of taking on added responsibilities (in this case for ESG) without added resources.
I welcome your thoughts.