The world of environmental, social and governance (ESG) compliance is moving from nice-to-have to need-to-have. Organizations that fail to understand ESG risks and that don’t provide clear ESG reporting face potential consequences like falling behind competitors and losing stakeholder trust. Meanwhile, regulators are moving toward making ESG disclosures mandatory.
For example, the Securities and Exchange Commission (SEC) proposed new rules in March 2022 that would mandate climate-related disclosures, such as a company’s governance of climate-related risks.
“Until now, most environmental, social, and governance disclosures have been voluntary. The SEC proposal has put internal audit functions on alert at the prospect of the biggest change in reporting requirements since the Sarbanes-Oxley Act was passed in 2002,” notes an Internal Audit 360 article.
Meanwhile, other stakeholders like customers and employees have come to expect more ESG commitments, around diversity, equity, and inclusion (DEI), and sustainability topics like emissions reductions. Organizations that falter could face employee and customer turnover, as they instead turn to competitors that excel in these areas.
“Three-quarters of U.S. adults care about a company's impact on the environment when making purchase decisions, and 68% say the same of efforts to promote diversity and inclusion in a company's workforce and customer base,” finds Gallup.
So, even if ESG compliance is not required yet, there’s good reason to adopt best practices as early as possible. And given how many areas of a company ESG issues touch — and that governance is literally in the name — it makes sense for internal audit to incorporate ESG into its overall assurance responsibilities.
Not sure where to start? In this article, we’ll look at three easy steps your internal audit team can take regarding ESG risk management and ESG compliance when developing an audit plan.
1) Determine responsibility
The first step in creating an audit plan that incorporates ESG factors is to figure out who’s responsible for what and see if any roles need to shift. Nearly two-thirds of chief audit executives (CAEs) said that boards drive their organizations’ “focus and integration of ESG strategy and reporting,” according to a study by The Internal Audit Foundation, The Institute of Internal Auditors (IIA), and EY.
That might work at some organizations, but it could also be the case that your internal audit team is well placed to assume this responsibility, or at least take on a larger role than what you’re currently handling. That same study found that over half of CAEs think “boards and C-suites should mandate that their internal audit function participate in ESG efforts.”
2) Get a lay of the land
Developing an audit plan that incorporates ESG factors often requires internal auditors to gain a better understanding of ESG issues. That’s not to say that every internal audit member has to be an expert about everything related to ESG, but it helps to at least get a lay of the land, comparable to how you might brush up on cybersecurity to provide better IT assurance.
To do so, internal auditors might turn to internal sources, like meeting with HR to discuss DEI issues or with operations teams to understand if or how emissions are being accounted for. Externally, internal auditors might turn to industry reports, review other companies’ ESG disclosures, or discuss ESG risks with external auditors.
Because of the complexity and many arms of ESG, organizations might also need to bring in additional expertise through hiring or consulting arrangements, to better understand ESG risk and ESG compliance needs. Doing so can help organizations determine what ESG data is already available and what needs to be calculated.
3) Communicate ESG risk
Gaining an understanding of ESG risks is only part of the process for internal audit teams. You also need to be able to communicate ESG risks to stakeholders like senior management. Long-term, your goal might be to develop a separate ESG risk report, but for now, it might be more realistic to incorporate ESG risk reporting into your current processes.
In doing so, keep in mind that this may be a new area for those receiving risk reports. That’s why it might not be practical to start with, say, a deep dive on your Scope 1 vs. Scope 2 vs. Scope 3 emissions. Instead, you may need to fold ESG risks into more familiar, traditionally used areas and then layer in additional ESG metrics over time.
For example, when sharing financial risks with executives during an internal audit presentation, you might point out how shortcomings in ESG principles could hurt consumer demand, thereby decreasing top-line revenue. Or, when discussing legal risks, you might include information on emerging ESG compliance regulations, such as proposed SEC rules, that prompt leaders to expand legal or compliance budgets.
Internal audit teams that prioritize ESG risk management now can position their organizations to navigate changing stakeholder expectations and be better prepared as new ESG compliance rules take shape. Public companies, or those that are fundraising, can also make themselves attractive to those interested in ESG investing.
ESG objectives tend to evolve. The sooner you’re able to implement these factors into your assurance processes, the better. It’s important to understand who’s responsible for ESG policy and the various ESG practices within your organization. By developing a solid understanding of ESG issues, and applying a robust communication strategy with stakeholders, you’ll have a greater opportunity to build a strong foundation: one that increases your organization’s appeal to stakeholders, from institutional investors to individual customers.