Environmental, Social, and Governance (ESG) is a framework that has become increasingly popular in recent years. Many organizations recognize that adapting to changing socio-economic and environmental conditions is not only good reputationally, but it also enables them to better identify areas of potential risk and growth opportunities. Stakeholders are also expecting more from companies beyond profits.
McKinsey & Company, a global management consulting firm, believes ESG should be an “inextricable part of how you do business.” The firm asserts that while implementing an ESG framework is necessary, it can also lead to a more sustainable business and better value creation. In a recent publication, McKinsey & Company stated ESG links to value creation in five critical ways: top-line growth, cost reduction, lower regulatory and legal intervention, productivity gains, and better investment decisions.
As a result, internal auditors feel a need to play a key role in their organization’s ESG practices. However, many internal auditors struggle with where to begin. The Touchstone Insights for Internal Audit, conducted by Wolters Kluwer TeamMate, found that 55% of respondents do not currently include ESG in the audit plan. The encouraging news is that of these respondents, about half expect to do so in the next two years. This clearly indicates a building momentum toward increased audit work on ESG issues.
Another obstacle can be getting senior management on board. Internal auditors have a responsibility to highlight both emerging risks and risks not being mitigated or addressed by the organization. Although the best approach to ESG will depend on the organization’s culture, taking small steps is often an excellent way to get senior management buy-in. For example, mention a few ESG risks in the audit committee pack if you have a section on emerging risks or add steps to existing audits that highlight gaps in controls. ESG doesn’t need to be a single assessment. It encompasses a wide range of risks spanning a wide range of issues. While it can be a single audit, it doesn’t need to be and can be included in one or many existing audits.
As you move toward incorporating ESG into your audit plan, it can be helpful to consider it as part of your risk assessment. How you go about this will depend on a range of factors, especially how your organization approaches ESG and its level of maturity. To start, keep it simple and think about ESG as an overlay to your existing risk assessment. You can go back and integrate it in more detail later. Focus on big issues that can deliver quick wins to maximize the impact and value of assurance. There is no right or wrong. As auditors, we can do both standalone work and work where ESG factors integrate into our existing audit planning, so do what is best for your organization.
Overall, ESG presents a real opportunity for internal audit to make an impact. Personally, I'm passionate about the environment, inclusion, and social justice. But even if you don't have the same personal motivation, these risks are real. And momentum is building from stakeholders and other external parties. ESG should be viewed as an opportunity for internal audit to raise its profile as a trusted advisor by using its expertise and influence to ensure organizations are identifying and mitigating risks around this important area.