The following is a summary of a presentation made by Robert Hirth at AuditBoard’s Annual conference held in San Diego on October 18, 2023. Robert is co-author of COSO’s latest supplemental guidance entitled Achieving Effective Internal Control Over Sustainability Reporting (ICSR), published in March 2023. He is a COSO Chair Emeritus and former Senior Managing Director at Protiviti, a global business consulting firm with more than 10,000 professionals operating in more than 25 countries.
ESG and sustainability matters are growing in importance — now more than ever after the March 6th announcement of the SEC’s climate-related disclosure rules — and internal auditors have a key role to play in assisting their organizations with the governance, risk management, compliance, internal control, and monitoring of all material sustainability reporting and activity.
The environmental, social, and governance (ESG) movement has created a formal, fundamental shift in the priorities of global investors and key stakeholders as well as an incremental reporting regime for large companies around the world. Organizations that develop a thoughtful approach to ESG performance to help manage risks and build resilience have an opportunity for more significant competitive advantage and improved long-term performance, benefiting both their business and the regions in which they operate. Given new and evolving mandatory regulations and voluntary reporting guidelines, internal auditors and compliance professionals are playing an increasingly crucial role in the implementation of ESG requirements – but this new territory brings its own set of challenges.
ESG Is Part of Sustainability
ESG is a reporting regime encompassing various sustainability-related areas, from climate change to diversity and inclusion and corporate governance. These areas focus on retaining and regenerating resources for future generations, benefiting employees and communities, and maintaining effective entity oversight for the benefit of stakeholders. When we frame ESG in this way, all of the aspects of ESG come together as a drive for sustainability encompassing both historical performance data as well as future goals and targets.
If we build houses out of wood, we should plant trees to replenish resources and manage these natural resources in a responsible manner, knowing that if we don’t, someday these non-replenishable natural resources will no longer exist. We should not hunt or harvest species to extinction. We should invest in the community where we are headquartered to benefit the company, local infrastructure, and its residents to help ensure long-term viability and support. We should govern our companies well to protect employee and stakeholder interests. This is the essence of sustainability.
The bottom line is that organizations need to continuously evolve their sustainability programs to achieve that essence. In response, internal auditors may need to acquire or expand their knowledge base to assess governance, compliance, and risk across these domains effectively.
ESG Applies to All Organizations
ESG principles apply to all companies, whether private or public, including public-sector organizations. While regulations generally target publicly traded companies, the underlying principles also impact privately held companies. For example, you could be a supplier to a larger public company. Amazon requires all suppliers to share carbon emission data. The next time your company applies for a long-term loan, you might find some environmental-related questions. You might discover ESG questions on your next property and casualty insurance policy application if you are in an extreme weather area. It does not matter if your company is public or private – ESG issues are applicable to everyone, and increasingly, so is the need to report on them.
ESG Regulations Are Still Evolving
ESG regulations are still somewhat fragmented but evolving rapidly, including convergence and consolidation of reporting and disclosure standards, with numerous rules in effect and others on the horizon, making it difficult for auditors to know what constitutes compliance and how to assess it consistently. The SEC’s climate-related disclosure rules, the EU’s Corporate Sustainability Reporting Directive (CSRD), the Global Reporting Initiative (GRI) Standards, and other overlapping rules such as California SB 253 complicate knowing which ones impact your organization. To make matters more complex, groups are challenging the requirements in court as soon as each one is made public. But ultimately, the most important principle behind every legislation, rule, and standard is to have complete, accurate, and reliable data to back up any claims and disclosures.
ESG Compliance Offers Opportunities
Internal audit professionals already have strong critical thinking skills and understand processes, risks, controls, and materiality. They possess good interviewing skills and know how to document what matters. While the world is trying to get their arms around ESG requirements, internal auditors cannot stand idly by on the sidelines. Many companies are moving their ESG reporting and disclosures to the financial reporting team since they are more experienced than sustainability groups with the rigor of financial reporting controls they operate and test under the Sarbanes-Oxley Act (SOX). ESG compliance requires effective internal controls over measuring, aggregating, and reporting sustainability metrics, just like public companies already do for SOX. Moving audit teams into ESG reporting can add value to your organization and assurance professionals’ careers.
COSO’s latest supplemental guidance entitled Achieving Effective Internal Control Over Sustainability Reporting (ICSR) describes attributes of ESG reporting that differ from financial reporting as follows:
Source: COSO ICSR Supplemental Guidance, available at www.coso.org
ESG Is Here to Stay
While there is an anti-ESG movement that continues to challenge regulations, the underlying driver behind ESG – the need to ensure the long-term viability of both businesses and humanity – is not going away. And interestingly, the ESG disclosures reported by a high majority of public companies have come about not because of regulation, but because various influential stakeholders have demanded them.
Companies realize the advantage of having a future-focused sustainability plan and the benefits of backing up reports with irrefutable data. Those of us in the audit and compliance profession should focus our efforts on supporting our organizations as senior management faces and sets new expectations, educating ourselves on the details of the requirements, and ensuring there are effective controls over the goal setting, data aggregation, and reporting processes so all material external disclosures and internal decision-making information are complete and accurate. If we keep our teams committed to these objectives, our companies will successfully navigate the evolving landscape of ESG requirements.