Compliance | Finance | Tax & Accounting | ESG
30 March, 2023

What twenty years of SOX can teach internal auditors about ESG

When Sarbanes-Oxley (SOX) was first enacted by the US Senate and House of Representatives in 2002, its goal was to increase the overall transparency of financial reporting while, at the same time, developing a more reliable system of checks and balances. It was understood that compliance was both a legal obligation and good business practice.

Affecting both public and private U.S. companies, as well as those non-U.S. companies with a U.S. presence, SOX is focused on corporate governance and financial disclosure. It requires that all financial reports include Internal Controls Reporting and demonstrate that a company's financial data is complete and accurate, with an adequate number of controls established to safeguard it. It also encourages the disclosure of corporate fraud by protecting whistleblower employees of publicly traded companies or their subsidiaries who report illegal activities.

The continued evolution of ESG (Environmental, Social and Governance), on the other hand, includes a variety of factors that are often used to evaluate a company’s commitment to sustainable operations. The environmental factors in ESG offer insight into an organization’s environmental impact, including its carbon footprint, climate change initiatives, waste management policies, natural resource conservation, pollution, or efforts to decrease deforestation.

The social component of ESG examines an organization’s treatment of stakeholders (workforce, customers, providers and suppliers, government, regulators, or the local or global community) on issues such as diversity, equity, and inclusion practices, wages and salaries, and sales practices.

Lastly, the ‘G’ in ESG focuses on the governance factors and how to assess whether a company’s internal processes are able to ensure the organization, and its employees, act with professionalism and integrity.

While SOX is primarily focused on financial information, working with finance professionals and accountants, ESG is more concerned with non-financial data and metrics. It shouldn’t come as any surprise when organizations faced with these new and evolving ESG reporting requirements ask themselves:

How do we apply controls and reporting requirements around environmental, social, and governance? What do these documented definitions and measurements look like? Will these controls and reporting requirements change from one business entity to another?

The role of internal audit: Start small and look at the bigger picture

In the years that followed the introduction of SOX, the effect that it had on the internal audit profession was clearly a double-edged sword. On the one hand, internal auditors were quickly recognized as the experts needed to step into this space and provide the guidance that so many organizations needed. This resulted in growth across both the internal audit profession and the various functions internal auditors were able to provide assurances for. It’s fair to say that internal audit membership more than doubled during the first few years of SOX implementation.

However, due to the urgency and level of uncertainty that SOX presented, leaning heavily on internal auditors also resulted in their spending greater amounts of time focused exclusively on SOX priorities, and significantly less time focused on those risk-based audits that organizations depend on. From an internal audit perspective it was a massive undertaking, and one that led to organizations developing SOX-specific internal audit teams.

Over the course of the last 20 years, and as a direct result of SOX, internal audit’s role around internal controls for financial reporting has become well established. Many of those same auditing skills and practices can (and should) be applied to ESG. However, an all-too-common question that’s on everyone’s mind is — “Who is responsible for ESG?”

ESG should be viewed as a top-down initiative, particularly from an organizational perspective regarding mandates, targets, and how goals are being established, monitored, and reported on. Each area or department of an organization should be aware of and responsible for its ESG initiatives. However, internal audit has an opportunity to become a trusted advisor and take on more of an influential role when it comes to those first steps.

[Chart: ESG Lessons from SOX - TeamMate Audit Benchmark]

How can internal audit provide the greatest value?

Organizations should reflect on the experiences they had in the early days of SOX and focus on identifying and understanding what the key controls of ESG will be. Where SOX was focused exclusively on financial reporting, ESG falls into that category of “everything else”. It comes down to the accuracy and reliability of the information. But how does an organization go about achieving that? The same way financial reporting was achieved with SOX.

Organizations have become comfortable with their financial reporting. They have been measured according to their financial results for a very long time. ESG in audit is different. It's broader. It covers more ground and organizations will need to take some time to comprehend how to effectively turn the foundations of ESG into meaningful reports. Although it may be more complicated, the underlying processes that have been used for Sarbanes-Oxley for the last 20 years can be leaned on as a starting point when addressing ESG and identifying a methodology for assurance.

ESG presents a tremendous opportunity for internal audit to make an impact within their organizations. Because it is still evolving, and new guidelines and mandates are being released every day, a good strategy for internal audit would be to start small and identify those ESG factors that can be quickly incorporated into your existing audit plan. That could mean reducing overall energy consumption throughout your office or working more closely with Human Resources to ensure new-hire practices are following appropriate guidelines. Acknowledging the industry your organization resides in, understanding its risk landscape, and identifying a best-practices framework will give you the direction you need to successfully navigate ESG.

If there is one takeaway from the lessons learned when SOX was first implemented, it’s that those in the internal audit profession should avoid taking the “wait and see” approach with ESG. ESG is here and is gaining exposure and traction every day. The social ramifications of ESG alone should be enough for organizations to sit up and take notice. Understanding how to audit ESG — knowing your organization’s metrics and targeted reporting requirements, what to audit against and include in the final audit report — will better position you for success as a trusted advisor within your organization. Fill those essential Subject Matter Expert gaps early on, identify and engage with key stakeholders, and avoid the reactionary trappings and costly mistakes of waiting too long and scrambling for solutions.

Lean into technology today, to help you succeed tomorrow

TeamMate is well positioned to support your organization’s ESG audit needs. The lessons that have been learned from 20 years of SOX requirements and a 30-year relationship with the audit profession have allowed us to build a foundation that provides the stability and know-how to deliver future-ready capabilities for internal audit professionals.  

TeamMate+ is a global expert solution for end-to-end audit management that helps auditors and audit leaders execute and manage the audit workflow. Trusted by audit and controls professionals from global financial institutions to local government agencies and every sector in between, TeamMate delivers innovative and purpose-built solutions to enhance the power of audit teams.

No other tool has the depth or functionality that TeamMate+ has in terms of risk, planning, resource management, engagement management, analytics, issue tracking, and reporting. Adding the ability to easily enter ESG reporting requirements increases the efficiency and effectiveness of your internal audit function.
