Internal audit’s role in ESG

As featured on BusinessMirror: Internal audit’s role in ESG

Environmental, social and governance (ESG) issues are becoming increasingly relevant for all organizations today. Companies understand that embracing ESG enhances their ability to secure limited talent, strengthen the employee experience, attract loyal customers and raise capital. ESG has gone from a nice-to-have to an integral piece of long-term financial success.

As a result, sustainability is generating a new type of risk: ESG risk. Companies have begun reimagining their governance structures over ESG, creating executive steering committees and making strategic decisions about commitments, actions and disclosures. Companies are also adjusting business-risk strategies and risk-appetite statements — making sure roles and responsibilities are fully transparent across all three lines of defense.

Internal audit can play a critical role in providing objective assurance and advice on ESG reporting and sustainability matters more broadly.

Stakeholder expectations have pressured companies to shift their focus from maximizing shareholder returns to maximizing shareholder value, prompting organizations to publicly report sustainability commitments and strategies. With a potential recession looming and today’s hypercompetitive environment testing CEOs’ commitment to ESG strategies, reducing investment may lead to long-term financial risks.

This test comes at a time when CEOs have made significant strides in tying ESG to profitability, and it becomes a matter of prioritizing short-term and long-term returns.

A comprehensive ESG strategy is now essential to address stakeholder requirements and regulation as well as to build competitive advantage, improve resilience and drive value. Regulators are looking to companies to lead the environmental and governance changes required to meet sustainability goals in the long term and notable regulations in various global jurisdictions have either recently been enacted or pending final passage. As a result, companies will come under greater pressure to reorient their business to sustainable activities.

ESG has become a business imperative, impacting financial resilience, growth and stakeholder expectations. Failing to meet ESG expectations poses challenges that can affect financing, talent recruitment, competitiveness, threats to tenure, employee satisfaction and the loss of customers.

Each company’s sustainability journey is unique. Companies just beginning their journey should align their strategy to their unique needs and not approach it from an ESG-in-a-box solution. Rather than waiting, there are several no-regret moves companies can initiate. These include: understanding stakeholder expectations, determining strategic imperatives against key ESG topics, defining key metrics and investing in quality non-financial data management. As with financial reporting, the independent and objective assurance that internal audit can provide must be an integral part of an organization’s ESG response.

Internal audit is in a unique position to provide guidance, add value and leverage its experience to implement effective change. Guidance to operationalize ESG strategies and goals in a manner that’s subject to internal controls amid upcoming changes is imperative. According to the Institute of Internal Auditors, internal audit has clear roles that may include the following in providing assurance and advisory ESG services:

•  Internal audit’s undeniable role in ESG reporting: ESG systems and controls need time to mature and require internal audit’s first look prior to facing inevitable external auditor scrutiny.
• Review reporting metrics for relevance, accuracy, timing and consistency: Providing public ESG reports and non-financial information that accurately depict an organization’s ESG efforts is critical. Conflicts with formal financial disclosures will raise a red flag with investors and regulators as regulatory oversight and public scrutiny increases.
• Conduct materiality or risk assessments on ESG reporting: Ongoing ESG efforts or public commitments to reaching ESG goals can quickly give rise to higher levels of materiality.
•  Incorporate ESG into regular audit plans: Internal audit has deep corporate knowledge — culture, ethics, governance frameworks and processes and their related risks — and should come to recognize ESG-related assurance engagements in the future.

• Identify areas that are less well-defined and build an ESG control environment: Internal audit can initiate discussions that are not quite ready for assurance involving regulatory guidelines or expectations and advise on internal controls for ESG reporting.
• Recommend reporting metrics: Internal audit can provide insights into the kind of data that accurately reflects relevant ESG efforts within the organization.
• Advise and advocate on ESG governance: Internal audit can provide guidance on ESG governance due to its holistic understanding of risk across the organization, and advocate for the company to approach ESG risk in a thoughtful manner.

Internal audit’s ESG mandate should go beyond simply identifying risks and controls. It should link strategy, governance and risk management to help ensure internal programs, initiatives, controls and supporting technologies are effective organization wide. The KPMG ESG internal audit approach combines different elements of our established internal audit methodology, supplemented by KPMG firms' internal expertise in ESG.

The KPMG Internal Audit methodology is flexible and can be tailored to each company’s specific needs. Internal audit service offerings can range from examining aspects of the company’s ESG governance policy — such as high-level oversight, risk assessment, due diligence procedures and awareness — to assessment of controls to support ESG commitments. The suite of assessments identified on the next page can be separately performed or executed in phases as part of an overall readiness ESG assessment.