Internal Audit and ESG. How much should we do?

The latest headline topic for internal auditors seems to be Environmental, Social, and Corporate Governance (ESG).

For background, I refer you to a sensible piece by Richard Chambers.

SEC Climate Disclosure Proposal May Be the Next SOX for Internal Audit summarizes in a clear and concise way (thank you, Richard) the SEC’s proposed climate-related disclosure requirements.

Rather than repeat the proposed requirements here, I refer you to Richard’s piece or, if you need, the SEC’s proposal.

Richard suggests three ways internal audit can assist:

  1. Make sure our leaders are aware of the rules and help them to formulate a response to the risk of non-compliance.
  2. Provide assurance on the planned disclosure process. In the same way that internal audit assesses and provides assurance on new technology projects, we can provide assurance on the new disclosure process.
  3. On a continuing basis, assess and provide assurance on related controls.

He closes his article with encouragement:

As assurance professionals, we must keep our eyes on the horizon to identify, monitor, and address critical compliance risks. As I mentioned, the proposed climate disclosure requirements present challenges and opportunities for internal auditors. Those who joined the profession after SOX was embedded into our compliance practice will learn firsthand about management’s need for accurate information and the importance of internal audit’s advice through the early days of a major regulatory change. Our first duty is to help our companies achieve and maintain compliance, but we also have an excellent opportunity to demonstrate our crucial role in confronting significant emerging risks. First and foremost, look for ways to help protect and create value for your company. The clock is already ticking.

(My disagreement is mild: our first duty is helping with the achievement of enterprise objectives.)

The IIA has taken a similar stance.

They published a series of questions internal auditors can ask in a Bulletin last month.

In addition, the IIA’s Internal Audit Foundation collaborated with EY on a white paper: Prioritizing Environmental, Social, and Governance (ESG) – Exploring Internal Audit’s Role as a Critical Collaborator. Like the others, it summarizes the proposed rules before talking about the role of internal audit.

They shared the results of a survey when it comes to current internal audit involvement:

Most organizations have involved their internal audit functions in some way with the organization’s ESG initiatives. Just under 30 percent of CAEs of internal audit functions that are involved indicate they are engaged in one or more of the following:

  • Providing advice on setting ESG program goals and metrics.
  • Reviewing how ESG goals and metrics are tracked and monitored.
  • Reviewing implementation of the ESG program and related policy documents.
  • Reviewing the accuracy of ESG reports provided to stakeholders.

…internal audit is most often involved in assurance services supporting processes, controls, and data validation for reported material ESG information. Typical advisory services include weighing in on climate risk and the inclusion of ESG in the organization’s enterprise risk management (ERM) program. Internal audit functions also perform governance engagements to assess whether adequate roles, responsibilities, and processes are in place to execute on the ESG strategy and manage risk…. internal audit also can provide ESG-focused audits on topics such as climate, environmental compliance and performance, worker safety, data security, and sustainable supply chain practices. Additionally, 10 percent of CAEs indicate that their internal audit function is involved in other ways as well.

One area we have seen internal audit add significant value to ESG reporting is assessing the completeness of the operational boundaries, especially for large, decentralized organizations. For example, inventorying the greenhouse gas emissions sources across Scope 1, 2, and 3 emissions requires a deep understanding of the company’s operations. Internal audit can provide this insight to validate that all applicable business activities, locations, subsidiaries, and joint ventures are included in reporting. However, 35 percent of CAEs indicate that their internal audit functions have no involvement.

Going forward, two-thirds of CAEs indicate that they plan to perform ESG-related engagements over the next 12 months, with 45 percent planning advisory services and 31 percent planning internal control reviews.

Many of the internal audit executives view ESG as the next SOX. There are many parallels between today’s ESG reporting landscape and how SOX developed in the early 2000s. Internal audit functions have an opportunity to get ahead of impending disclosure regulations and the ensuing assurance requirements by implementing a ‘SOX-like’ framework to enhance the reliability of ESG reporting within their organizations.

My major problem with the above is that it should not be internal audit that is “implementing a ‘SOX-like’ framework to enhance the reliability of ESG reporting within their organizations”. That is a management responsibility.

KPMG weighed in with Internal Audit’s role in ESG. They say (see my emphasis):

As with financial reporting, the independent and objective assurance only internal audit can provide must be an integral part of an organisation’s ESG response.

Management teams across organisations are recognising the opportunities and risks ESG presents. This includes the due-diligence required to integrate ESG measures across any organisation. To make informed decisions, directors must have reliable assurance on the effectiveness of ESG management, including ESG governance, risk assessment, KPI monitoring and reporting. That assurance should come from internal audit.

They refer to the IIA’s publications, with perhaps stronger language than the IIA would prefer.

According to the IIA, at a minimum the internal audit function should provide the following assurance over ESG reporting:

— Review reporting metrics for relevancy, accuracy, timeliness and consistency: It is critical that all public ESG reports provide information that accurately depicts an organisation’s ESG efforts. This is particularly important as regulatory oversight and public scrutiny increases.

— Review reporting for consistency with formal financial disclosure filings: While ESG reporting provides non-financial data, any information that conflicts with formal financial disclosures will raise a red flag with investors and regulators.

— Conduct materiality or risk assessments on ESG reporting: Organisations must have a clear understanding on how ongoing ESG efforts or public commitments to reaching ESG goals can rise to the level of materiality.

— Incorporate ESG into regular audit plans.

— Build an ESG control environment: Internal audit can advise on developing specific internal controls for ESG reporting.

— Recommend reporting metrics: Internal audit can provide insights into the kind of data that accurately reflects relevant ESG efforts within the organisation.

— Advise on ESG Governance: Internal audit can provide guidance on ESG governance because of its holistic understanding of risk across the organisation.

As with the EY and IIA’s materials, the KPMG paper has some valuable advice, although we have to be careful with the word “should”.

Deloitte had their say in an article published in the Wall Street Journal’s CFO Journal.

In ESG and the Role of Internal Audit, they correctly say:

With their ability to anticipate risks, advise senior leaders and the board of directors, and provide assurance, internal auditors are well positioned to act as catalysts for furthering an organization’s ESG goals while helping to identify potential obstacles.

Given their broad purview across the enterprise, internal auditors can assess an organization’s ESG risk from multiple perspectives and help connect dots. For example, in assessing governance and policy, internal auditors can consider whether the organization has created a governance structure and culture that support effective climate risk management and whether information on climate risk is being reported to the board.

The paper sees a role for the external auditor that worries me. It is not something I would engage them for.

The American Institute of Certified Public Accountants (AICPA) and the CAQ are similarly encouraging external auditors to engage in ESG reporting, providing a road map for audit practitioners to understand ESG reporting as well as the related risks and legal considerations associated with including this information in regulatory filings.

“Independent auditors, in their public interest role, play a part in the flow of reliable information for decision-making,” the AICPA and CAQ wrote in releasing the road map in February 2021. Third-party assurance from an independent auditor can enhance the reliability of ESG information reported by companies, they say.

An article last year in the Journal of Accountancy has the title of Internal audit has pivotal role in ESG reporting.

That may be hyperbole.

Anthony Pugliese, CPA/CITP, CGMA, president and CEO of The Institute of Internal Auditors (IIA) is quoted by the Journal as saying that (with my emphasis) there is an “imperative” for internal audit to be involved.

Is there an “imperative”?

Should internal audit be involved, and how much should we be involved?

We can:

  • Stand on the sidelines for now, waiting for a better time. This is unlikely to be the best option.
  • Participate as a consultant as the organization prepares for the regulations. I like this and see the CAE or a senior audit executive in this role.
  • Assess the planned design of the controls to ensure compliance with anticipated ESG disclosure requirements.
  • Assess the design and operation of the controls over the organization’s carbon footprint, the controls that ensure that footprint is at a desired level.
  • Assess the operation of the ESG disclosure controls.
  • Provide annual (or more frequent) independent assurance on ESG disclosure controls.

Each organization will have to make a decision based on its specific circumstances.

Let’s face the facts.

  1. We need to put our limited resources where they add the most value, where the more significant sources of risk to enterprise objectives lie.
  2. We can’t audit or consult on everything.
  3. If we allocate resources to ESG compliance and other related risks, that resource has to come from somewhere else (other projects), or we need additional resources.

Is ESG compliance, including but not limited to disclosure controls, one of the top risks at your organization?

Maybe it is, and maybe it is not.

Where does it lie in comparison to traditional areas for internal audit attention, let alone new ones such as these?

  • Compliance with sanctions and related regulations, including those imposed as a result of the invasion of the Ukraine
  • The impact on risks and controls of the Great Resignation. How is the operation of key controls affected as people leave the organization?
  • The effect of work-at-home on controls. I heard from a partner in a law firm that his associates are not learning and advancing due to the loss of in-person supervision and training. Some are not putting in the same hours. In addition, his firm is finding it hard to replace those who are leaving.
  • The need for resilience, especially as we are hearing of increased nation-supported cyber-attacks.
  • How to price products and services in a period of inflation.
  • How to prepare for a possible depression.

If the audit committee, management, and the CAE agree that (a) ESG should be an area of focus; (b) there is a need for assurance on related controls and disclosures; and (c) internal audit should have a major role, then the CAE should ensure that:

  • There is sufficient, capable resource to do the work.
  • There is sufficient resource to address all the other sources of significant risk and value.

If management is willing to fund independent audits of ESG-related controls, I prefer that money be allocated to internal audit rather than used to hire EY, Deloitte, KPMG, or anybody else.

I find it curious that many of the voices that are today advocating for internal audit involvement in auditing management’s controls were strongly opposed to internal audit doing the same for SOX when that came along.

Let’s not repeat the mistake made by many of taking on added responsibilities (in this case for ESG) without added resources.

I welcome your thoughts.

  1. April 5, 2022 at 3:44 PM

    Nonsensical load of regressive woke insanity masquerading as something that is not pure ludicrous garbage.

    What is next, witch doctors throwing bones?

    Opinion: Net-zero Won’t Cure The Climate But It May Kill Canada

    – climate hoax – climate hysteria

    Ian Clark

    *Financial Post*, Apr. 21, 2021

    “What few recognize, however, is that we are already over 80 per cent green with respect to carbon dioxide (CO2) emissions. This is primarily due to our abundance of hydro and nuclear power.”

    Last November the federal government introduced its Net-Zero Emissions Accountability Act, which establishes our pathway towards reaching that goal by 2050. But don’t hold your breath. It took a full decade to build 12.5 km of electric light rail in Ottawa, arguably the largest green-energy project in Canada over that time. To electrify the rest of Canada’s transportation sector in three decades, as well as our industrial and domestic energy sectors, the new Act starts by convening an advisory board to consult with Canadians on the best pathways to this target . . . tick tock.

    Natural Resources Canada says Canadian electrical use is 600 terawatt hours (TWh or trillion watt-hours) annually. What few recognize, however, is that we are already over 80 per cent green with respect to carbon dioxide (CO2) emissions. This is primarily due to our abundance of hydro and nuclear power. Nuclear is arguably our greenest source of electricity. It produces essentially no CO2; it has by far the best safety record; and we know how to safely manage nuclear waste. As for wind, despite massive subsidies it currently contributes only four per cent to our grid. It remains intermittent, off-peak and low-grade electricity, only marginally better than solar.

    The challenge for net-zero, however, is not greening the remaining 20 per cent of the 600 TWh of electricity that we use. It is the 9700 petaJoules (equivalent to two billion barrels) of oil and gas we burn every year for transportation, industry and heating. Converting this to electrical would require 2000 TWh per year — more than three times our current annual use of electricity. Quite apart from the challenge of electrifying transportation, industry and heating, is a three-fold increase in our green electrical generating capacity even possible? The government’s “Mid-Century Long-Term Low-Greenhouse Gas Development Strategy” (Mid-Century Strategy) suggests it is, and the Accountability Act will try to enforce it. But let’s take a closer look.

    Our hydroelectric capacity has largely been exploited, although the Fraser and Mackenzie rivers remain untamed. Battles over land claims, environmental impacts and daunting costs make B.C.’s Site C and Newfoundland and Labrador’s Muskrat Falls perhaps the last projects for big hydro in Canada. Yet the Mid-Century Strategy assumes we double our hydro with 50 to 80 new projects on the scale of Site C.

    How about big wind? Germany favours wind but has learned that its inconsistency requires baseload backup with coal-fired thermal plants. In Canada, net-zero with wind would require upwards of 300,000 turbines, or 50 times more than we have now, plus an extensive distribution network for this decentralized system, plus an equivalent thermal generation backup (unless we resolve to drive and heat our homes only on windy days).

    Producing this vast number of wind turbines would require considerable quantities of rare-earth metals for the generators. For net-zero wind, we would need the entire global production of neodymium for the next 15 years — for the next 170 years for dysprosium. As it is, the Mid-Century Strategy will complement doubling hydro with up to 100,000 turbines, which will still require five years’ global supply of neodymium. Conclusion? Renewables clearly cannot play a significant role in our move towards net-zero.

    Offsets by planting trees (also planned in the Mid-Century Strategy) are an illusion once one looks closely at the carbon cycle. The only time Earth experienced a notable reduction in atmospheric CO2 by growing trees was during the Carboniferous Period between 350 and 300 million years ago, when our coal resources were formed. Conversely, the slashing of our forests over the past 200 years and today in the Amazon basin has had no measurable impact on atmospheric CO2.

    The large-scale capture and storage of CO2 is only possible (though it remains improbable) for large thermal plants, which of course won’t be a feature of our net-zero electrical grid. Capturing emissions from tailpipes or our gas-warmed homes is now impossible and seems likely to remain so.

    This leaves nuclear as the only viable option for any plausible net-zero plan. Canada has 19 operating nuclear reactors at four stations, producing 15 per cent of our electricity. Net-zero would require an expansion of this fleet to over 300, operated in about 40 new nuclear power generating stations, and costing upwards of a trillion dollars.

    What would we get for these efforts? Net-zero would have no measurable impact on climate, as Canada emits only about 1.5 per cent of global greenhouse gases. The developing world, which emits most, is manifestly more interested in growth, not carbon reductions. Moreover, recent science shows that CO2 is not a significant driver of climate. Even the UN science reports state that the warming experienced up to 1980 was natural, that only part of warming through the 1990s was anthropogenic, and that over the past two decades warming has paused. It also shows no link to extreme weather.

    The only sensible option for Canada is to invest our environmental goodwill and dollars where they can have a positive effect, such as for sustainable agriculture, biodiversity and healthy waterways — and into adapting to climate change, for the climate will indeed change. It always has.

    Ian Clark is a professor of earth and environmental sciences at the University of Ottawa.

    • Norman Marks
      April 5, 2022 at 4:36 PM

      I fail to see what this has to do with the post.

  2. April 6, 2022 at 1:35 AM

    Hi Norman,

    On the website of the Dutch equivalent of AICPA is a post (sorry, in Dutch) with a severe warning against malicious reporting about ESG:
    https://www.accountant.nl/discussie/columns/2022/4/liegen-over-esg-ondermijnt-klimaattransitie/
    One of the statements is that many companies that reported high on ESG now appear to have large interests in Russia: you mention Ukraine, so what is that worth?
    Other problems are the lack of reliable standards. We in Europe were busy ending the use of coal-fired power stations (Ukraine-Russia may put a hold on that) because of the climate change needed. In other parts of the world they are building them on a large scale. That won’t help to contribute to the desired change.
    Not to speak of the many countries of which anybody knows that you can’t do business there without bribes / payments to officials that we would consider illegal, but where international companies still have their local branches. You never hear the Big4 about that, so why should the board listen to IA?
    It would be better for the entire audit business to stay away from this till there are reliable and widely accepted standards.

  3. April 7, 2022 at 11:10 AM

    Your post is comprehensive and sensible. Our profession is often viewed as a batch of disconnected activities to which we are expected to add or subtract (with blame sometimes attached through the naive question “where were the auditors?”). Our scope is actually quite simple. Whatever is deemed to be a strategically significant activity should be on the list of activities subject to internal audit’s independent assessment of both strategy and reported results. The allocation of internal audit effort is a supply/demand or cost/benefit analysis by executive leadership and the Audit Committee. Is ESG high enough on that list? As you say — maybe. Maybe not. But let’s not get our heart rates up over something simply because it’s new, shiny, and the “consultants” say that we should. Let’s talk through this uncertainty with executive leadership, figure out who (in management) is responsible, and then collectively decide if it’s worthy of internal audit’s attention.

    • Norman Marks
      April 7, 2022 at 11:21 AM

      Well said. Thank you

  4. May 4, 2022 at 11:46 PM

    That was insightful and thoroughly explained. I believe ESG compliance risks and controls vary extremely between industries. For instance, manufacturing, mining and oil & gas sectors are highly affected by such risks whereas service-oriented sectors are least affected by ESG risks. Therefore, CAEs need to assess whether such risks are relevant to their organisations and what priority they should be given among other risks.

  5. May 8, 2023 at 9:21 AM

    Good Blog
