As auditors embark on developing their 2023 audit plans, one important risk area not to overlook is environmental, social, and governance (ESG). Gartner names ESG one of its Top 12 Audit Plan Hot Spots for 2023, writing: “Expanding and new ESG regulations and increased stakeholder scrutiny mean organizations must build meaningful ESG policies into their strategies to follow all current regulations and avoid accusations of greenwashing.”
Integrating ESG activities into your organization’s internal audit plan is essential for your business to meet the rising demand from shareholders, boards, and the public for increased visibility around ESG risk reporting. Your business’s ability to successfully integrate ESG into its audit plan depends on several factors, including the maturity of your organization and processes, your location, the industry in which you operate, and your ESG risk strategy and appetite.
Learn the four most common approaches below, and download AuditBoard and Deloitte’s full guide, How to Audit ESG Risk and Reporting, for a deeper dive into ways auditors can strategically integrate ESG into their audit planning and activities.
1. Standalone Reviews
Certain elements of your ESG program may be mature enough for internal audit to assess in standalone reviews. These assessments can help organizations understand their ESG policies, control landscape, and responsibilities at a specific point in time. For example, is the appropriate executive sponsorship in place? Are the necessary resources being made available? Are project plans in place to make sure implementations are being done according to plan, and at the appropriate level of detail and specificity? Is the source data substantiating that all ESG disclosures are complete, accurate, and readily available?
2. Focused Reviews
For ESG areas of high stakeholder concern or low risk appetite, organizations may wish to undertake more focused reviews. These deep dives can provide valuable assurance in key ESG areas, acting as more traditional audits that help to ensure policies, processes, and other individual ESG program elements are operating as they should. Focused reviews are likely to become more common as regulators begin to require specific ESG disclosures.
Focused reviews can include larger sample sizes over a longer period of time. Internal audit teams may layer in periodic checkpoints, such as six-month check-ins or quarterly updates, to ensure that action or mitigation plans are implemented and issues are effectively remediated. In other cases, however, internal audit teams may perform the focused review, identify findings, and leave it to management’s discretion whether to remediate issues, providing no oversight or follow-up.
3. Integrated Audit Approach
When ESG program elements are not mature enough for standalone assessments, organizations should consider the integrated audit approach. This approach can be used as part of any audit as a pulse check on the business that provides reasonable assurance that ESG-related activities are being appropriately identified, considered, and documented.
Getting started with an integrated audit approach may be as simple as adding ESG-focused questions into the planning documents or checklists used by your internal auditors. Your fundamental objective in adding these questions is to begin gaining an understanding of where potential risks and opportunities lie throughout the organization.
4. Investing in ESG Competencies
Initially, most internal audit teams may lack deep ESG expertise among their ranks. Your organization may need to invest in ESG competencies by devoting resources to:
- Research and monitor ESG regulatory guidance and updates.
- Understand ESG risk and reporting trends and frameworks in your industry.
- Benchmark ESG topics in your industry.
- Assess internal and external stakeholder engagement in ESG topics.
- Build ESG knowledge through targeted training or via certifications such as the Global Reporting Initiative’s Professional Certification Program or Competent Boards’ ESG Certificate Program.
As you determine how best to invest in ESG competencies, begin by looking inside your organization for professionals who are motivated to upskill in this area. Internal audit skill sets already bring professional skepticism and experience with other transformational change initiatives, a solid foundation for springboarding into ESG. Identify professionals to help you develop your capabilities, and work together on a plan to build needed expertise.
Regardless of how far along your business is in responding to ESG risk, the most important step you can take is to simply make it a priority in 2023. Ensure your business is not caught off guard by ESG by incorporating ESG risk into your audit plan before it is too late. To learn more about ESG audit planning considerations, download AuditBoard and Deloitte’s full guide, How to Audit ESG Risk and Reporting.