Norman Marks on Governance, Risk Management, and Internal Audit

I have seen several articles and blog posts lamenting the apparent fact that internal audit teams are not spending a large percentage of their audit plan addressing ESG risks.

CIO.com defines ESG as:

Environmental, social, and corporate governance (ESG) is a strategic framework for identifying, assessing, and addressing organizational objectives and activities ranging from the company’s carbon footprint and commitment to sustainability, to its workplace culture and commitment to diversity and inclusion, to its overall ethos regarding corporate risks and practices. It’s an organizational construct that’s become increasingly important, especially to socially responsible investors who want to invest in companies that have a high ESG rating or score.

The three main pillars of ESG include:

• Environmental commitment: This includes everything around a company’s commitment to sustainability and the impact it has on the environment, including its carbon emissions and footprint, energy usage, waste, and environmental responsibility.
• Social commitment: This covers a company’s internal workplace culture, employee satisfaction, retention, diversity, workplace conditions, and employee health and safety. Companies with happy and healthy employees perform better and are viewed as a stronger investment.
• Corporate governance: A company’s commitment to governance includes compliance, the internal corporate culture, pay ratios, the company ethos, and transparency and accountability in leadership. Investors are interested in companies that can keep up with changing laws and regulations, and that have a commitment to equity and equality in the workplace.

My reaction is similar to what it was when I read opinions that internal auditors were not spending enough time on cybersecurity.

I even saw one post by an eminent (and unnamed) thought leader that pointed out that while internal auditors saw cyber as perhaps the top risk to their organization, they were only spending 10%-15% of their time on it. They were spending more time on financial, compliance, and other operational risks.

My principle is this: perform the audit engagements that address the more significant risks to the organization and its enterprise objectives.

You can do a great deal with 10%-15% of your audit resources!

X

When it comes to ESG, we need to recognize the huge breadth and depth of it.

It is much more than sustainability or corporate social responsibility (CSR).

It’s not something you can say you audit in totality. At best, you can audit elements.

Much of it is not new, and governance is covered in the IIA’s Standards as an area requiring consideration when building the audit plan.

X

My friend, Dr. Rainer Lenz (whom I am looking forward to meeting at a company’s annual internal audit team meeting next week), has written a piece with Florian Hoos on the issue: The Future Role Of The Internal Audit Function: Assure. Build. Consult.

He says:

[Richard] Chambers recently raised “a red flag” by pointing out that internal auditors have been unduly placing Environmental, Social, and Governance (ESG) risks on the back burner. Internal auditors currently do not play a significant role as assurance providers and are absent from potential advisory services about ESG – on both sides of the Atlantic. We diagnose an “ESG helplessness syndrome.” Like in the world of animals, the internal audit function is in a state of freeze response when it comes to ESG topics. The ESG challenge is so big, and the threats for the role of the Internal Audit Function (IAF) are so real, that the profession reacts like animals in the face of a threat: they freeze. We discuss and challenge the professional demand for “objectivity” and “independence” in the ESG context as they might represent obstacles to the IAF playing a significant role in the ESG agenda. We suggest practitioners consider widening the repertoire of internal auditing. We suggest an ABC-Model © of Internal Auditing, adding “Building” as a new third pillar of internal audit value creation which complements the traditional assurance and consulting services. We encourage internal auditors to become “builders” when tackling the ESG challenge in their respective organizations. Metaphorically speaking, we borrow from Yvon Chouinard, the founder of Patagonia which is often used as an ESG role model company when we suggest “Let Internal Auditors Go Surfing” as our call to action.

Later in the piece, they say:

ESG seems to be far from being well integrated into the internal audit function’s work. Referencing the World Economic Forum and other organizations, [Richard] Chambers concludes that “overall, ESG is one of the fastest-growing risks this year (…)”; “a top risk for 2023”. At the same time, his survey among 188 CAEs and internal audit directors in organizations based primarily in North America show that ESG risks are at the bottom of their priority list for 2023 audits, with significantly lower priority than for instance cyber and data security, attraction and retention of talent, macroeconomic conditions, regulatory changes, supply chain-related issues, etc.

Let’s think about this.

1. ESG is not “a risk”. It is something you do. But you can have risks to the ESG-related objectives of the enterprise.
2. Talent management and compliance are part of ESG. Saying that they get more attention than ESG makes little sense to me.
3. Surveys are telling us that while organizations may be giving more attention to ESG today than in the past , they have started to lower their related investments given the change in economic conditions.

If management and the board have not given a priority to ESG, and by that I am referring to the social responsibility elements, and included it in the objectives they set for the period, why should we be concerned that internal audit is doing the same?

Should internal audit be the conscience of the organization?

No.

We can make sure the board and top management understand the risks that a failure to be socially responsible can mean to their success.

But it is not our job to tell them, bluntly, that they are making a mistake.

Our job is to provide assurance, advice, and insight.

The emphasis here is on advice.

But when management and the board set objectives, we can provide assurance as well.

For example, some years ago I visited the internal audit leadership of Adobe in San Jose, led by Eric Allegakoen. In the reception area, there were multiple displays showing the clean energy and other sustainability achievements of the company. Eric told me that his team audited and provided assurance on related reporting, some of which was included in public filings.

Rainer goes much further. After discussing and trying to set aside obstacles like objectivity and independence, he and Florian say:

We advocate that addressing ESG may be an opportunity for internal auditors and the internal audit profession to consider going beyond their core remit of rendering assurance and consulting services, to help building an ESG program – before it can be audited (by external auditors, as seems likely).

On the ESG journey, internal auditors can be most valuable as co-creators, as builders, as members of the ESG team.

When I first read this, I thought they were going too far by talking about internal audit building anything. That is a management responsibility! But then they say:

We see potential in positioning internal auditors more clearly as enablers of learning and change. We regard a promising path forward to be overcoming hurdles, including those set by professional demands for independence and objectivity. The more effective internal auditor can be “a hinge, a connector, a relation facilitator”.

Not only do I accept that, I don’t think it is anything new!! It’s just the advice part of our mission!

CAEs and their teams have been champions and enablers for many things over the years, including:

• Risk management
• Information security
• Controls over derivative trading
• Controls and security over new computer systems
• Whistleblower and ethics programs
• And much more

Here’s my take on the topic:

1. ESG is about paying more attention to the role of the enterprise in society.
2. ESG is a broad spectrum of activities and related processes and activities.
3. Internal audit should be aligned, where possible and practical, with management and the board.
4. When the leadership has established ESG-related objectives, risks to those objectives should be considered when developing and maintaining the audit plan.
5. When leadership has not established ESG-related objectives, the CAE should work to understand why not. This may be an opportunity to lead a discussion among the management team.
6. Internal audit should be a champion when that is the best use of their time. (There are so many issues to champion, so our time should be prioritized.)
7. Internal audit should build and maintain an audit plan that addresses the most significant sources of risk to the enterprise and its objectives. They may or may not include ESG-related issues.
8. If management and the board have not prioritized ESG, we should be careful about prioritizing it ourselves at the expense of other areas that they have prioritized.
9. It would be better to break down the topic into meaningful parts, such as environmental compliance, human capital management, compliance, sustainability, and so on.
10. Focus on what matters to your organization, not what others are doing.

I welcome your thoughts.