Internal auditors are busy folks. There never seems to be enough hours in the day to get through everything on the audit plan, not to mention the issues that seem to crop up all the time. These days, the topics that seems to be on the tip of everyone’s tongue and the top of every regulator’s mind are Environmental, Social, and Governance issues, commonly referred to as ESG.
Open your email and you’re likely to see one or more messages about a webinar, article, exposure draft, regulatory development, or training on ESG. It can be so overwhelming that you might even want to delete them, keep your head down, and stick to your knitting. But as any good internal audit expert will tell you—ignore ESG at your peril!
As stated in the Institute of Internal Auditors’ recent Global Knowledge Brief, The ESG Risk Landscape: Part One : “Clearly, the ESG reporting landscape is complex and—in light of recent developments to establish global reporting standards—evolving. As assurance providers for their organizations, internal auditors already are tasked with continually monitoring a multi-faceted risk landscape that includes fraud, cybersecurity and IT-related risks, stringent financial reporting standards, data privacy risks, talent management, and much more.”
See Related Article, “As New Rules Loom, Internal Audit’s Role in ESG Reporting Under Review.”
What seems to be a dilemma for internal audit these days is looking in the mirror and asking what role it should play regarding ESG. Well, of course, just like most everything in life … it depends. So, let us explore the idea further.
Where Is Your Organization on ESG?
Before we start to think about what role internal audit should play when it comes to ESG, we must first gain a full understanding of where the organization stands when it comes to the topic. Certainly, the industries the organization competes in will be a big factor, as well as the counties where it does business. Those are, to an important degree, contextual givens that need to be navigated.
Another important factor is: what is the organization thinking when it comes to ESG? And that might differ with each component: the E (environment), the S (social), and the G (governance). How much of ESG reporting will be strategic and how much of it will be tactical compliance? How much of it will be to create a strategic advantage among one or more stakeholders, versus how much of it will be to do as little as possible to just comply and keep critics and regulators at bay? Is the organization looking to be a leader, setting the tone for competitors? Or is it content to be a follower, watching what competitors do first?
Understanding where the organization’s “head” is on ESG would be the first thing to do. It provides context, and it allows internal audit to challenge if that “strategic versus compliance oriented” stance is consistent with the organization’s mission, vision, and values, as well as what the board expects. And it allows internal audit leaders to make sure the board and the organization’s strategic plan is considering ESG in a way that is consistent with those ideas. Misalignment at this level can cause a number of issues that will crop up in internal discussions as tactical disagreements on the right path forward and what is or is not important. If internal audit understands the strategic mindset of the organization, it may also be able to help facilitate and broker some of the tactical disagreements on ESG that are sure to arise and help the organization keep on its desired path.
So, start here. Understand where your organization’s “head” is. And, as time goes on, do a strategic “gut check” to make sure that what your organization is doing as it relates to ESG remains consistent with the company’s approved strategic plan. Next, track what your competitors are doing so that you can raise questions internally to test whether the strategy around ESG is still appropriate.
Internal Audit’s Part to Play
Once the overall ESG mindset and goals are established, internal audit can carve out its role in helping the organization meet those goals. There are two very distinct and important roles for internal audit when it comes to ESG. Hopefully the organization is supportive of the internal audit participating in both spaces. Those roles are: 1. Advisory, and 2. Assurance. Simple, right? Well, not exactly.
First, the internal audit staff needs to have the skills and knowledge to contribute. Yes, as IIA Professional Standards call for, competence does mean a lot for internal audit’s credibility with each of these separate and distinct roles. If internal audit doesn’t have the skills and knowledge, the organization should first provide the resources needed to acquire that competence, either through direct hire, rotational staff, or third-party co-sourcing.
Before you do any work, though, think about basic economics: You cannot just supply the competent resources, there must be a demand for those resources. The meaning here is that internal audit must be viewed as being able to add value and make a difference by contributing to the organization’s ESG approach in an advisory and assurance capacity. Look, you can knock on the door all you want, if your organization does not view it as “opportunity knocking” they will not answer the door!
Now it is time for the rubber to meet the road. Is internal audit going to do advisory work—making sure the organization has the right numbers? Or is it going to do assurance work—making sure the numbers are right? Or both?
Putting the Horse Before the Cart
Before internal audit can consider assurance projects, hopefully it is well positioned to do advisory work. Again, let us make sure the organization is identifying the right data (determining whether the data is actually right comes later). So, how can internal audit help to ensure the organization is identifying the right items to report in terms of the “E” component, the “S” component, and the “G” component? Let us start with identifying all the constituents the organization serves.
Why start with constituents? Well, each constituent will have a different lens through which they view the organization, and their expectation of the organization may vary based on their relationship with the company. Some of the constituents you identify will include: customers, current employees, future employees, vendors, investors, creditors, insurers, regulators, and others.
Take each one of these identified constituents separately and ask yourself, “what does this particular constituent expect of us with regard to the E, the S, and the G, and what information could we be sharing with them that would make them feel good about our approach to our responsibilities and obligations as a corporation?” I did say “could,” since this is brainstorming, and what could be disclosed may not be what should be disclosed. This will result in a rather comprehensive list of items to discuss with organizational leadership.
It is also important to consider what competitors are doing on ESG, or what they are discussing doing. The best place to get this type of information may be through industry networking, peer groups, roundtables, conferences, and other professional gatherings. Consulting firms are another valuable source to keep your finger on the pulse of what competitors are doing or considering.
An additional place where internal audit’s talents can be put to skillful use on ESG is to advise on the processes and procedures around data collection, validation, and approval. These routines should be well established, with the right internal controls, to help assure company leadership and the board that good data will be collected, and accuracy can be reasonably assured.
Throughout all this advisory work, never forget to collaborate with key functions like compliance, legal, and IT, as well as any other key functions in the organization to include all relevant aspects of operational and financial management.
Even if you have already shifted to doing assurance work on the actual ESG disclosures already being provided, that does not abdicate your roles as top questioner and trusted advisor to your organization as you provide advisory services across the ESG landscape.
OK, so there is plenty to do in terms of advisory work and truly positioning yourself to add value. Ask the questions around “is it the right data” before concerning yourself with “is the data right?”
But Wait, There’s More
Yes, in the end, we are also expected to provide assurance over ESG. Regardless of whether it is the right data, if we are reporting something to the world outside of the organization, is what we are reporting correct? Assessing the accuracy, voracity, and verifiability of the data is a role well suited to internal audit. That is an assurance role, and it is right up our alley.
Let us establish, as best as we can within the organization, it is not internal audit’s responsibility to get operational. Operational aspects of ESG data collection and reporting should be avoided as much as possible. This is not the time to go down the SOX path and end up having internal audit with operational duties related to external reporting and the infrastructure to support it.
On the flip side, though, also avoid bayonetting the wounded by applying hindsight to audit on data that has already been report in past periods. That just gives us a bad name and reputation.
To avoid doing too much auditing on previously reported numbers and statistics, focus on the procedures, processes, and documentation established for existing and decided upon disclosures. In essence, you will recognize this as evaluating the design of the controls and asking, is the design adequate to produce reliable, verifiable, and consistent data? Providing assurance on the design will help the organization avoid future reporting errors and position internal audit to add value to the organization and truly make a difference.
It generally will be difficult to provide assurance on what is going to be reported while it is “in flight,” as there will likely be tight time windows between data collection, internal operational review, and actual external reporting. But, if that is possible, at least on the highest risk disclosures, then that is much better than doing assurance work on previously reported data and statistics.
This all leads to a potential final area of work for internal audit: doing a risk assessment on the data that is already being reported. Not all disclosures are created equal and some will create a lot more risk to the organization if there are inaccuracies than others. So, with limited time, focus on the high-risk disclosures and share your risk assessment of the ESG disclosures with the organization. That will create interesting and valuable dialogue and might make the organization think differently about what and how it is disclosing ESG information. Or, at a minimum, it will educate you and your staff on the thought process the organization is going through as part of its ESG reporting cycles.
What Did We Miss?
You’re not done though. A wise place to pivot to is to consider what areas the organization is not paying enough attention. Most of the focus these days tends to overweight the environmental component of ESG. Especially with all the rightful attention being given to climate change concerns and the regulatory pressure for disclosures on climate matters. Don’t forget the social and governance aspects. That does not mean you should take your eye off the environmental facets. Not in the least. But, with all the focus on the E, it is quite possible not enough attention is being placed on the S or on the G components. Take the effort to give special thought to the social and governance aspects of what the organization could be reporting on. There are several issues under these topics that will have true and valuable meaning for many of those stakeholders you previously identified.
If you have been in internal auditing long enough, you have seen many acronyms come and go. But, in this case, it looks like the ESG train is picking up steam and will be with us for good. So, stake out your role, be strategic, provide advisory work, and follow with assurance work. Make sure your audit plans consider these key roles and that your audit committee supports your efforts. Have or obtain the necessary competence. And make sure that data is not only right, but that it is the right data. And, more than anything else, continue to position yourself to add value and make a difference. That is our job. 
Hal Garyn is Managing Director and Owner of Audit Executive Advisory Services, LLC based in FL.