Internal audit, as an objective third line of assurance, plays an integral role by providing assurance surrounding the accuracy and reliability of a company’s ESG reporting. By conducting thorough reviews and assessments, internal auditors can identify areas of risk and provide recommendations to strengthen ESG reporting. This not only helps build trust with stakeholders, but also enables companies to better manage ESG risks and opportunities. In this article, we will explore the role of internal audit in ESG reporting, and why it is so important for companies to get it right.
ESG Regulatory Trends
Public concern regarding corporations’ impact on the environment and society has been piqued time and again in response to various controversies. The likelihood of negative climate impacts if global warming exceeds 1.5°C; ethical misconduct in corporate workplaces; employee welfare; diversity, equity, and inclusion challenges; and an uptick in fraudulent exploitation of private personal data in digital spaces have all contributed to a hyper-fraught environmental, social, and governance (ESG) risk landscape.
ESG has taken on greater urgency and focus in recent decades due to increased pressure on corporations to play a more positive role in the environment as well as the people and communities they interact with. Accordingly, ESG reporting has become increasingly important for businesses of all sizes and industries seeking to demonstrate the sustainable and ethical impacts of their financial statements. Yet, for organizations seeking to address ESG, it is not simply a matter of voluntary reporting and disclosure, but also of ensuring those reports are accurate and trustworthy.
The European Council recently finalized its position on the Corporate Sustainability Due Diligence Directive (CSDDD), a proposed legislative framework requiring EU and certain non-EU companies to carry out due diligence in identifying human rights and environmental impacts and to create action plans. Given the SEC’s recently proposed disclosure rules on climate change, it is prudent to expect the U.S. will soon follow in the footsteps of the European Union in terms of formalizing its federal ESG requirements for corporations. In terms of disclosures, the SEC is closely monitoring [1]:
- Disclosure of climate-related risks.
- Climate-related impacts on strategy, business model, and outlook over the short, medium, and long term.
- Materiality (typically present-looking and may not explicitly consider future events, especially far-out events, as is the case with many climate-related impacts).
- Greenhouse gas emissions reporting (Scopes 1, 2, and 3 if material).
  - Scope 1 Emissions: Direct emissions. Company-owned, on-site emissions.
  - Scope 2 Emissions: Indirect emissions. Purchased energy for company facilities or vehicles.
  - Scope 3 Emissions: Disclosures required if a material or public goal is set. These include supply chain emissions data, which are indirect upstream or downstream emissions from the supply chain.
- Addition of ESG on financial statements.
- ICFR applied to ESG.
ESG Reporting Considerations for Businesses
Although ESG disclosures are currently voluntary in the U.S., sustainability reports are amongst the fastest-growing voluntary disclosures in history due to growing stakeholder pressure from investors, regulators, customers, and employees. The percentage of S&P 500 firms releasing these voluntary disclosures increased from 35% to 86% from 2010 to 2021.
Thus, for businesses choosing to voluntarily report on ESG, it is necessary to consider what shareholders and other stakeholders are interested in seeing in these reports. Employees, consumers, customers, and stockholders may all expect different things from a sustainability report. For example, an investor may want to see an additional MD&A disclosure based on the premise that an event is material when making a decision to invest in a company. Furthermore, failing to disclose an ESG metric that competitors disclose, or which consumers might expect, can negatively impact an organization in numerous ways, from loss of new business to adversely affecting employee recruiting and retention efforts.
Internal Audit’s Critical Role in ESG Reporting
Whether your business will be reporting ESG on its financial statements or within a sustainability report, the information is subject to internal controls and external audit reviews. While boards can add value by setting the initiative and direction for ESG reporting goals, internal audit’s role is to help provide independent assurance that ESG reporting efforts are accurate and reliable.
Internal audit is uniquely qualified to guide and assist ESG reporting efforts for the following reasons:
- Independence and ability to maintain quality control when advising the first and second lines during the risk assessment and controls framework development stages.
- Experience working with multiple functions across the organization.
- Understanding of process and responses to risk.
- Experience in reporting compliance with established frameworks/standards.
- Audit committee expertise in financial reporting enables it to understand and assess methodologies surrounding the development of reporting metrics and disclosure.
- The audit committee can help determine if internal controls are sufficient.
While ESG reporting will vary from business to business, there are some general best practices internal audit can follow when it comes to advising the business on ESG reporting efforts:
Emphasize a top-down approach.
The direction of your ESG efforts must come from the top of the organization — from the board of directors to the committees overseeing ESG, to the C-Suite. This level of leadership is necessary to communicate ESG goals throughout the business, which will ultimately help develop the controls that should be tested to verify your disclosures.
Leverage COSO guidance when advising the first and second lines during risk assessments and controls development.
COSO’s latest publication, Achieving Effective Internal Control over Sustainability Reporting (ICSR): Building Trust and Confidence through the COSO Internal Control―Integrated Framework, was released on March 30, 2023. Internal audit should ensure it is communicating relevant information from industry-leading guidance not only across the various entities or business lines of the company, but also with employees of all levels.
Advise in the selection of ESG metrics that are material value drivers.
Internal audit should independently review existing sustainability standards and consult with the audit committee when helping to develop appropriate reporting metrics and disclosure for each ESG topic. Some examples of reputable resources include:
- International Sustainability Standards Board (ISSB)
- Sustainability Accounting Standards Board (SASB)
- Global Reporting Initiative (GRI)
At a minimum, audit groups should begin partnering with other stakeholders to understand ESG requirements, conduct a self-inventory of where the organization stands, and understand how to achieve what will be required. When preparing to advise an ESG reporting initiative, some places internal auditors can start include:
- Assess whether your company has a more established climate-related program.
- Assess contenders for proposed controls and partner with other assurance functions to start compiling these controls.
- Determine if a materiality assessment has been conducted based on a percent of the FS line item.
- Assess the identification and reporting of various scope emissions. Is reporting being done by other groups?
- Identify top vendors that would be providing emissions data and assess their ability to do so.
- Assess materiality of emissions; companies may need to conclude on their scope 3 emissions to determine if they are material or not.
- If possible, calculate an internal carbon price. Have the assumptions for scenario analysis been vetted to be robust and reliable?
- Determine if the business is qualified to continue providing attestation services based on the new requirements for service providers. Audit groups should consider who is attesting data at present.
Internal Audit Leading the Way With ESG Sustainability Reporting
As regulatory focus on ESG continues to expand, organizations need to consider how ESG fits into their internal audit scope. Although there is no federal standard for ESG reporting as of this writing, it is critical to ensure that any voluntary disclosures or sustainability reports are accurate and trustworthy in the meantime. By leveraging the expertise of internal audit, companies can develop strong internal controls around ESG risks and address any issues ahead of an external audit. Ultimately, by embracing ESG and taking a proactive approach to reporting, organizations can build trust with stakeholders and, in doing so, drive long-term value for their business, customers, employees, and investors.
[1] ESG information included outside an SEC filing (e.g., on a company sustainability report) is also subject to SEC Rule 10b-5, which prohibits companies from making any untrue statements of material fact.
Serhat Khan is the Global Chief Audit Executive at McDermott and is responsible for overseeing McDermott’s Internal Audit and Internal Controls efforts globally. Serhat brings over 20 years of professional expertise within the energy, construction, manufacturing, and technology industries, including delivering internal audit services, SOX compliance, and conducting risk assessments at both public and private companies.
Dwight Ternes is the Sr. Manager of Internal Controls at McDermott and is responsible for administrating McDermott’s Internal Controls framework, including quarterly certification and year-end testing efforts. Dwight has 25 years of professional experience in energy commodities, EPC, Big 4, in addition to internal audit and controls.