The role of internal audit: Start small and look at the bigger picture
In the years that followed the introduction of SOX, the effect that it had on the internal audit profession was clearly a double-edged sword. On the one hand, internal auditors were quickly recognized as the experts needed to step into this space and provide the guidance that so many organizations needed. This resulted in growth across both the internal audit profession, as well as the various functions internal auditors were able to provide assurances for. It’s fair to say that internal audit membership more than doubled during the first few years of SOX implementation.
However, due to the urgency and level of uncertainty that SOX presented, leaning heavily on internal auditors also resulted in their spending greater amounts of time focused exclusively on SOX priorities, and significantly less time focused on those risk-based audits that organizations depend on. From an internal audit perspective it was a massive undertaking, and one that led to organizations developing SOX-specific internal audit teams.
Over the course of the last 20 years, and as a direct result of SOX, internal audit’s role around internal controls for financial reporting has become well established. Many of those same auditing skills and practices can (and should) be applied to ESG. However, an all-too-common question that’s on everyone’s mind is — “Who is responsible for ESG?”
ESG should be viewed as a top-down initiative, particularly from an organizational perspective regarding mandates, targets, and how goals are being established, monitored, and reported on. Each area or department of an organization should be aware of and responsible for their ESG initiatives. However, internal audit has an opportunity to become trusted advisors and take on more of an influential role when it comes to those first steps.
How can internal audit provide the greatest value?
Organizations should reflect on the experiences they had in the early days of SOX and focus on identifying and understanding what the key controls of ESG will be. Where SOX was focused exclusively on financial reporting, ESG falls into that category of “everything else”. It comes down to the accuracy and reliability of the information. But how does an organization go about achieving that? The same way financial reporting was achieved with SOX.
Organizations have become comfortable with their financial reporting. They have been measured according to their financial results for a very long time. ESG in audit is different. It's broader. It covers more ground and organizations will need to take some time to comprehend how to effectively turn the foundations of ESG into meaningful reports. Although it may be more complicated, the underlying processes that have been used for Sarbanes-Oxley for the last 20 years can be leaned on as a starting point when addressing ESG and identifying a methodology for assurance.
ESG presents a tremendous opportunity for internal audit to make an impact within their organizations. Because it is still evolving, and new guidelines and mandates are being released every day, a good strategy for internal audit would be to start small and identify those ESG factors that can be quickly included into your existing audit plan. Whether that’s reducing overall energy consumption throughout your office or working more closely with Human Resources to ensure new-hire practices are following appropriate guidelines, acknowledging the industry your organization resides in, understanding its risk landscape, and identifying a best-practices framework will give you the direction you need to successfully navigate ESG.
If there is one takeaway from the lessons learned when SOX was first implemented, it’s that those in the internal audit profession should avoid taking the “wait and see” approach with ESG. ESG is here and is gaining exposure and traction every day. The social ramifications of ESG alone should be enough for organizations to sit up and take notice. Understanding how to audit ESG — knowing your organization’s metrics and targeted reporting requirements, what to audit against and include in the final audit report — will better position you for success as a trusted advisor within your organization. Fill those essential Subject Matter Expert gaps early on, identify and engage with key stakeholders, and avoid the reactionary trappings and costly mistakes of waiting too long and scrambling for solutions.
Lean into technology today, to help you succeed tomorrow
TeamMate is well positioned to support your organization’s ESG audit needs. The lessons that have been learned from 20 years of SOX requirements and a 30-year relationship with the audit profession have allowed us to build a foundation that provides the stability and know-how to deliver future-ready capabilities for internal audit professionals.
TeamMate+ is a global expert solution for end-to-end audit management that helps auditors and audit leaders execute and manage the audit workflow. Trusted by audit and controls professionals from global financial institutions to local government agencies and every sector in between, TeamMate delivers innovative and purpose-built solutions to enhance the power of audit teams.
No other tool has the depth or functionality that TeamMate+ has in terms of risk, planning, resource management, engagement management, analytics, issue tracking, and reporting. Adding the ability to easily enter in ESG reporting requirements increases efficiency and effectiveness of your internal audit function.
