Last month, the Securities and Exchange Commission proposed new rules that would require public companies to say much more about their climate-related initiatives. Until now, most environmental, social, and governance disclosures have been voluntary. The SEC proposal has put internal audit functions on alert at the prospect of the biggest change in reporting requirements since the Sarbanes-Oxley Act was passed in 2002.
In advance of the likely new rules, companies are now re-examining their preparedness to meet the requirements. If adopted, the new rules will require companies to report on:
- The company’s processes for identifying, assessing, and managing climate-related risks.
- How climate-related risks identified by the company materially impact its financial statements, strategy, business model, and outlook.
- Specifics on the company’s greenhouse gas emissions.
- How the board and management are overseeing and governing climate-related risks.
- Details on the company’s public climate-related targets or goals, including any use of carbon offsets or renewable energy certificates.
While the rules would drastically overhaul the information companies must provide on their sustainability and social justice initiatives, the ideas behind them are hardly new. The concepts behind ESG initiatives have been around since at least the 1960s, when activists pressured companies to stop production of napalm. In the 1970s an ‘80s, much of the focus shifted to persuading companies to divest from South Africa because of its system of apartheid. More recently, climate concerns over the use of fossil fuels have given way to investment funds in excess of an aggregate $3 trillion that consider ESG criteria in investment decisions.
The Demand for Information
While ESG boasts a decades-long history, over the past few years it’s moved further into the mainstream. “Clients, as well as job candidates and current employees, are asking more questions about ESG issues as it becomes more of a priority for them,” says Phil Benvenuti, senior director of internal audit at software company Pegasystems. “Not having a documented, sustainable, and evidence-backed comprehensive ESG program can put companies at a disadvantage in bringing in new customers and employees.”
A solid ESG program also is becoming more of prerequisite to attract capital from investors, says Matt Orrell, partner in the financial services practice at accounting and advisory firm PKF O’Connor Davies.”
Businesses are responding. As of August 2021, 95 percent of the S&P 500 provide some detailed ESG information publicly, the Center for Audit Quality (CAQ) reports. For most, the information was outside their SEC submissions, often in sustainability, corporate responsibility, or similar reports.
Yet even as more companies report on ESG initiatives, many are not gaining assurance—either from an outside audit firm or from the company’s own internal audit function—on the information they’re publishing. Just over half (51 percent) of organizations reporting on ESG obtain some level of assurance, according to a report by the Institute of Internal Auditors and consulting firm EY. In about 35 percent of organizations, internal audit had no involvement in ESG disclosures at all.
Many industry observers say that needs to change. “Internal auditing teams should be considered the fiduciary ‘boots on the ground’ that oversees the practical day-to-day execution of the specific E, S, and G strategies laid out at the governance level,” says Jeff Hood, founder and chief executive officer at Theia Analytics Group, a provider of analytics solutions.
Senior management would likely be far more comfortable reporting statistics on ESG after an independent, objective team has reviewed it, says Jorge Green, senior director of internal audit at cabinet maker American Woodmark Corp.
Increasing Focus on ESG
One reason? An organization’s reputation can be tightly linked to its ESG performance, says Glenn Sumners, director of the Center for Internal Auditing at Louisiana State University. “If you audit payroll, you probably won’t impact the organization’s reputation. That’s not so with ESG.”
Moreover, regulatory agencies around the world and beyond the SEC are zeroing in on ESG. The European Commission’s proposal for a Corporate Sustainability Reporting Directive (CSRD), for example, aims to improve the flow of sustainability information in the corporate world and make sustainability reporting more consistent.
Internal Auditors’ ESG Role
Internal auditors are uniquely positioned to review their organization’s ESG impact against leading standards and frameworks and determine whether the reported data provides reliability, comparability, and relevance, says Maura Hodge, audit partner and national ESG assurance leader at audit and consulting firm KPMG. They can help identify risks and address the questions top decision makers must consider, such as: What are our controls around ESG data collection? Are we reporting ESG data in line with industry standards and our peers?
Similar to many other steps internal audit might take to protect the organization, its mission with ESG is to identify issues and make recommendations for remediation before an audit or inspection by an outside entity, Benvenuti says. If internal audit is responsible for auditing the enterprise risk management (ERM) program, it should ensure the risks addressed by the ESG program are part of the ERM program, he adds.
As the program at Pegasystems matures, the internal audit function will audit against what the company says it’s doing, Benvenuti says. This could be in the form of a broad internal audit engagement, or as part of a larger internal audit. For instance, auditors might fold a review of elements of inclusion and diversity into a larger internal audit around human resources processes.
Macro Challenges to Auditing ESG
To be sure, internal audit departments auditing ESG programs likely will face several obstacles. “While the ‘why’ of ESG is clearly understood, we are finding that companies are still challenged by how to envision, implement, and grow their ESG strategies and by what to report,” Hodge says.
One reason is the lack of a uniform framework, although there’s been “slow but steady progress” in converging multiple ESG reporting standards, Hodge says. In June, the IFRS Foundation is expected to complete its absorption of the Value Reporting Foundation and establish the International Sustainability Standards Board (ISSB), a sister body to the International Accounting Standards Board (IASB). This consolidation “will help put sustainability reporting on the same footing as financial reporting,” she says.
The SEC indicated that its proposed climate-related disclosure framework is modeled in part on recommendations made by the TCFD, or Task Force on Climate-Related Financial Disclosures. The TCFD was established by the Financial Stability Board, which coordinates internationally the work of national financial authorities and international standard-setting bodies.
The European Union has proposed the EU Taxonomy, a transparency tool that introduces mandatory disclosure obligations under the Sustainable Finance Disclosure Regulation and the CSRD, Hodge says. This will allow investors to compare companies and investment portfolios.
“All three standard setters must work together to determine which components of each standard would be building blocks, with the others adding relevant jurisdictional requirements,” Hodge says.
Internal Challenges
Many internal auditors likely will face obstacles within their organizations. In organizations in which internal audit doesn’t have a seat at the ESG table, it may be less able to effectively align and provide assurance for key ESG risks, Hodge notes.
As internal audit begins working with subject matter experts who are new to the audit process or lack familiarity with the detailed level of information required, change management challenges may arise, says Michelle Uwasomba, partner at audit and consulting firm Ernst & Young LLP.
ESG topics like climate change and decarbonization have not historically been part of traditional audit plans, Uwasomba says. “Understanding what ‘good’ looks like so that you can better serve the business will be more challenging,” she says.
On a practical level, the data required to review ESG reporting often is minimal, unavailable, or scattered across multiple departments, says Liz Gousse Ballotte, a partner with PKF O’Connor Davies. Some data may be tracked manually and not fed into centralized data systems or it could be siloed in various parts of the organization. These can make assembling and reviewing information more difficult.
And ESG initiatives may not have as a quantifiable impact as, say, a new accounts payable system, Benvenuti says. Even so, the risk of not having a program has to be addressed, he adds.
Steps to Take
To meet these challenges and provide robust assurance, many internal auditors will need to develop new areas of expertise. “Auditors need to become familiar with items such as Green House Gas (GSG) Calculation Frameworks,” Green says.
In the short- to medium-term, many internal audit teams will need to leverage internal or external technical sustainability experts, particularly for more technical aspects of ESG information, like injury reporting, Uwasomba says.
Internal auditors also will need to gain expertise in testing IT systems and relevant data elements that are used in ESG reporting, but not previously used in financial reporting, Hodge notes. They’ll also need to engage with current process owners, understand how information is defined, where control gaps exist, and explore options to create efficiencies and move certain aspects of data collection and calculations into systems and processes already controlled within the parameters of Sarbanes-Oxley, she adds.
It’s a daunting to-do list. Fortunately, the internal audit profession has a great network of professionals willing to share ideas and strategies, Benvenuti says. External auditors also are good sources of information on steps other companies are taking, he adds.
Investing the time and energy required to gain a greater understanding of ESG can benefit both companies and internal auditors. “You don’t get a lot of visibility auditing HR,” Sumners says. ESG, however, will attract lots of attention from the board, he adds.
Among businesses and organizations, early adopters will gain a competitive advantage as ESG reporting becomes more prevalent and consistent, Green says. “People like to be associated with responsible and environmentally-conscious companies,” he says, adding that he’s “excited to be part of the change.”
In the United States, the SEC recently asked for comments on changes to securities laws that “would require registrants to provide certain climate-related information in their registration statements and annual reports.” What those final rules will look like is still anyone’s guess. What is more certain is that internal audit still has a great deal of work to do to prepare to help their companies comply with them. 
Karen Kroll is a finance and business writer based in Minneapolis, Minnesota.