Amid the growing momentum toward increased organizational disclosure of environmental, social, and governance (ESG) information, internal audit has a pivotal role to play in driving organizational value related to these issues.
Interest in these issues has increased, with the SEC exploring potential regulation amid a reckoning on diversity, equity, and inclusion (DEI) issues over the past year.
Even where regulations don’t exist yet, investors and the public are demanding information on these topics. Anthony Pugliese, CPA/CITP, CGMA, president and CEO of The Institute of Internal Auditors (IIA), said organizational value is going to be affected by these disclosures.
“With greater scrutiny on organizations over ESG-related issues, those who are out front in disclosing performance are probably going to have an edge in the marketplace, particularly from the standpoint of investors and other stakeholders,” he said. “For those who don’t, they are going to face increased risks and potential backlash.”
A white paper The IIA recently published on internal audit’s role describes independent assurance as a critical element of ESG reporting. Pugliese acknowledged that this is an area that can be challenging because there remains a lack of one set of standards and the regulatory environment is still evolving.
A more uniform approach may emerge after the fall, as the IFRS Foundation is considering creating a board to establish standards for global sustainability reporting. In the meantime, Pugliese said, organizations are working to find the best path forward on ESG reporting.
“There is mixed messaging, that’s also adding a lot of pressure,” he said. “The standards, I think, are going to have to begin quickly coalescing. Otherwise, we’re going to have a lot of people putting out reports that don’t have the right context.”
Internal audit can help cut through the confusion. Pugliese said internal audit’s imperatives in ESG reporting can include:
Advisory services. If the board or management is uncertain about best practices in ESG reporting, internal audit might be able to help. “Sometimes the board and management know they have the ability in a well-resourced internal audit function to say, ‘Hey, we need some help. Could you please work in a way that’s independent and give us some advice on where we want to focus?’” Pugliese said. Once internal audit provides information, management and the board can make more informed decisions on how to move forward.
Compliance work. Regulation in this area is increasing. Companies with operations outside the United States might need to comply with established regulations in their ESG reporting. Some states, such as California, might have stricter regulations that need to be addressed in reporting. Internal audit needs to be on top of that, as well as new requirements that may be emerging.
Meeting the demand. Pugliese said internal auditors will need to analyze what measures investors, customers, banks, and other stakeholders would want to know about ESG issues that the business is able to provide. “The thing that’s hard about it is that it’s going to keep evolving, and you’re never going to have it quite nailed down until we have a common reporting system,” .
Assessing controls. Internal auditors will need to understand what ESG measures are applicable to their organization, “and the risk assessment process would begin there as to whether the company has a system of internal control around monitoring those measures,” Pugliese said.
Monitoring consistency and comparability. The value of ESG reporting might be limited if there is no way to compare it. “Sometimes we’re seeing companies come up with their own measures, but that’s far from ideal because it only breeds a lack of uniformity,” Pugliese said. “You want to have something consistent so one company can be measured against others in its industry, or you want to look at companies in different industries and see how they’re performing against their benchmarks.”