Internal Audit’s Role in Supporting Sustainability Reporting

What’s New

Environmental, social and governance (ESG) guidance, stakeholder demands and regulatory mandates are evolving and becoming more specific, and the time of taking a “soft approach” to sustainability reporting has passed. As the need to provide, or prepare to provide, limited and/or reasonable assurance in sustainability reporting grows, internal audit’s role in the reporting process becomes obvious and essential.

Why It Matters

Sustainability disclosures must be backed by high-quality, “regulator-grade” data. The internal audit function, with its understanding of the entire organisation and intimate knowledge of internal controls, is well-suited to validate the accuracy and reliability of the data that is used in ESG reporting. This includes assessing data collection methodologies, data sources, and the accuracy of calculations and conversions.

Bottom Line

Internal audit has a substantial opportunity in helping businesses meet their sustainability reporting obligations and assess ESG risks by imparting operational, technology and financial reporting assurance expertise and bringing together senior leadership, boards and other key parties that have a role to play in providing auditable sustainability reporting.

What Have Internal Audit Teams Discovered So Far?[2]

Internal audit functions that have already stepped into this new role have discovered some common problem areas. For example:

Much of the data used in drafting sustainability reports is derived from assumptions or its origins are not transparent to the organisation. As a result, this data can undergo significant change when scrutinised by internal audit.

Formalisation around internal controls over ESG data is insufficient or lacking.
There is a clear need for training and education of the data owners, many of whom are new to the process.

Targets and commitments set by companies and announced publicly have emerged as an area of litigation risk. Many internal audits have found that the creation of some of these goals is not well founded, or organisations are lacking proper monitoring of progress.

If problems like these are not addressed, they can lead to regulatory fines, legal trouble or reputational damage.

Where Can Internal Audit Add Value in Sustainability Reporting?

As organisations determine ESG materiality and scope and identify topics, internal audit can step in to provide insight and value through a risk lens. Internal audit should also be involved as the organisation assesses its readiness to comply with the regulatory environment and help assess its commitments and targets.

Internal auditors are also experts in internal controls and governance. Combined with a solid understanding of the ESG standards, demands and regulations the organisation must comply with, that expertise can be invaluable in guiding the business toward creating an effective ESG control environment. In fact, The Institute of Internal Auditors (The IIA) emphasises that the internal audit function can offer “critical assurance support by providing an independent and objective review of the effectiveness of ESG risk assessments, responses, and controls.”

Internal audit is also well-suited to validate the accuracy and reliability of data used in ESG reporting and related processes. This includes assessing data collection methodologies, data sources, and the accuracy of calculations and conversions, and recommending process improvements. Internal audit’s input can help the business avoid ESG missteps by confirming that the data used to measure progress toward sustainability goals is accurate and consistent with the company’s actual performance.
This is especially valuable in areas that tend to be highly scrutinised by stakeholders, such as a company’s diversity, equity and inclusion (DEI) programmes and gender pay equity initiatives.

Another area where internal audit can add significant value is by conducting benchmarking exercises to assess the maturity of the company’s ESG control environment and processes. As noted earlier, sustainability is a journey, and ESG-related standards, regulations and stakeholder expectations are constantly evolving. Companies will need to evaluate their ESG progress against their competitors and peers regularly and objectively.

The Opportunity for Internal Audit Is Substantial

A 2023 report by AuditBoard found that two-thirds of organisations globally have yet to implement ESG controls — and 60% do not currently perform internal ESG audits. This is a significant opportunity for internal auditors to help set their organisations on the path to ESG reporting success. That said, they must first increase their own expertise in sustainability matters quickly. They must also prepare for the continuous development of internal audit capabilities to devote to sustainability reporting activities.

Internal audit organisations and the businesses they support should not underestimate the amount of time, effort and resources they will need to devote to managing ESG workloads, which will only continue to grow. Depending on the requirements the company needs to meet and the sustainability goals and related timelines it has committed to, they may need to hire additional staff or engage outside expertise.

Now is also the time for internal audit leaders to increase their communication and collaboration with CFOs, controllers, boards, marketing and sales teams, people leaders, and any other key parties that have a role in helping the company to deliver accurate, data-driven ESG reporting.
A sustainability officer or committee, where available, is internal audit’s key partner in this, by virtue of both functions having a unique, cross-organisational view of the business. Together, internal audit and these various stakeholders can grow their collective understanding of the company’s ESG reporting obligations and the ESG risks that the business faces. They can also determine how best to set up the infrastructure to gather and consolidate relevant ESG data from across the organisation in a repeatable way.

Looking Ahead

It is almost guaranteed that gathering sustainability data will be challenging, at least in the near term, especially as the business seeks to gather data from sources that aren’t accustomed to providing data subject to auditing. Technology investments likely will be needed to enable or improve ongoing data analysis and reporting for ESG. Again, data-driven internal audit functions will have insight and strategies to share on the best way to use technology tools and collaborate with data owners to collect relevant information for sustainability reporting.

Given internal audit’s depth of experience with financial reporting, there is perhaps no other function better positioned to help the business master its sustainability reporting and data collection objectives — and avoid the risks of faulty reporting. The IIA says as much, emphasising that, “ESG reporting … should be treated with the same care as financial reporting” and “internal audit can and should play a significant role in an organisation’s ESG journey.”

1. Reasonable assurance is the more robust level of assurance, stating that the information is correct based on an independent review and testing of processes and controls. Limited assurance, meanwhile, relies less on testing and more on management information and may be limited to certain components of a report.

2. Based on Protiviti’s findings and informal conversations with clients