An ESG risk and reporting program should not be implemented in isolation; it should be part of a larger, integrated risk management approach. Internal audit serves as the last line of defense in this approach, integrating ESG risk and compliance considerations into the audit plan while driving discipline and controls around material ESG risks. As part of this role, internal audit is responsible for advising the organization on its broader risk management capabilities, and for anticipating emerging ESG risks, strategies, and organizational objectives and aligning efforts to them.
AuditBoard and Deloitte’s new guide, How to Audit ESG Risk and Reporting, explores how auditors can strategically integrate ESG into their audit planning and activities. Download the full guide, and continue reading below for three key ESG considerations auditors should take into account when planning audits.
Three Key ESG Internal Audit Planning Considerations
Internal audit should ensure that ESG is part of the risk conversation, incorporate ESG into the internal audit plan, and perform audits to provide assurance that the control environment is sound. The goal is to extend what you’re already doing to incorporate ESG. As your organization focuses on more effective ESG audit planning, the most important strategy is to ensure that you’re asking all the appropriate questions.
1. Data Quality: Process Control and Governance
Planning an effective audit of ESG requires an increased focus on data quality, as internal audit strives to validate and assess the relevance, completeness, and accuracy of ESG risk and reporting data.
- What ESG data is the organization currently reporting and to whom?
- How complex are the data or metrics? Where are they housed?
- What controls and processes support the data being reported? How does that fit into the internal audit plan? If it doesn’t, how does it need to change?
2. Key ESG Forces Impacting the Traditional Internal Audit Approach
Begin identifying key questions for your internal audit plan by viewing activities in light of the unique ESG assertions impacting the traditional audit approach. These assertions require you to tailor your approach to the nature, extent, and timing of executing your audit plan. Alongside traditional applicable financial reporting assertions of completeness, accuracy, timeliness, cutoff, and understandability (clarity), unique ESG assertions include:
- Balance — Are you providing a well-rounded, balanced perspective on ESG activities? Are you identifying not only achievements and progress, but also limitations, weaknesses, and areas for improvement?
- Stakeholder inclusiveness — Who are your priority ESG stakeholders? Are you including them in how you contemplate ESG impacts? ESG stakeholders extend beyond capital market investors to employees, customers, consumers, and communities.
- Sustainability context — Are you providing reporting information within a framework that makes sense for your business, industry, and the related ESG impacts?
- Prioritization — What ESG topics are most important for your organization to focus on? How are you thinking through potential ESG risk impacts? How does that thinking guide your ESG strategy, governance, and disclosures?
3. A Risk-Based Approach to Auditing ESG Risk and Reporting
Limited resources and accelerated reporting timelines require a tailored risk assessment grounded in meaningful criteria. Taking a risk-based approach helps to drive the selection and prioritization of ESG focus areas. It’s helpful to begin by filtering ESG topics through a lens of stakeholder engagement, industry trends, and benchmarking. From there, the higher-risk areas for your audit response are those where:
- Impacts are the most significant if ESG objectives are not achieved.
- Influence on stakeholder assessments is highest.
In other words, what matters most to stakeholders? And how does that overlap with your most significant impacts? For many companies, this is a process called a “materiality assessment” undertaken to help determine ESG focus areas for strategy and disclosure. The graphic below from How to Audit ESG Risk and Reporting illustrates the high-level materiality assessment process that culminates in a relative prioritization of ESG topics to consider.
Internal audit plays an important role in helping the organization manage ESG risk by testing relevant controls and risks, advising on ESG reporting, and validating risk mitigation activities. By focusing on the three key considerations described above during audit planning, internal audit can set its ESG risk management activities up for success. To learn more about common approaches to incorporating ESG risk and reporting in audit plans, download the full guide, How to Audit ESG Risk and Reporting.