This is part three of a four-part series. You can give part 1 and part 2 a quick read before you do a deep dive here.
With the rise of environmental, social and governance (ESG) regulations and policies, investors and consumers are demanding more information on company ESG initiatives. Companies are realizing that it’s important to show progress on their ESG commitments and ultimately provide detailed assurance around their reporting. We’re seeing the writing on the wall in the United Kingdom, where the national government is creating a “corporate auditor” role that is charged with assuring that the “resilience statement,” along with everything else published in a public company’s annual report, is fair and accurate. The United States is also moving towards mandates that would force transparency around ESG initiatives.
Here’s a look at the current state of ESG auditing and how companies can improve their performance.
ESG Auditing in the S&P 500
A recent report from the Center for Audit Quality analyzed the publicly available ESG data for the S&P 500. CAQ found that 95% of the companies had detailed ESG information publicly available, but only 53% of companies had outside assurance or verification of their data from an audit firm (6%) or an engineering or consulting firm (47%), whereas the other 47% used no outside verification.
CAQ also found that many of the companies that did use public auditors for assurance had a limited scope of assurance, with about 9% of companies only providing assurance over specific metrics related to greenhouse gas emissions, while 22% of companies also had metrics relating to other ESG topics. And because of the varying scopes and assurance providers, many of the companies used different standards for their compliance reporting.
CAQ’s survey data makes it clear that there is little consistency in standards or reporting for ESG initiatives. As the demand for clear ESG reporting grows, companies will need to make it a priority to provide clear and consistent assurance across all of their ESG initiatives, not just a select few. Using integrated risk management technology to collect and analyze your data will provide you with the insights you need to provide strong assurance, whether relying on a strong independent internal audit function or partnering with outside auditors.
Using IRM for ESG Auditing
In order to establish high standards for your auditing and compliance reporting in ESG, whether using an internal or external auditing service, integrated risk management (IRM) is critical.
Because many different areas of the business are involved in ESG initiatives, traditional risk management practices that take a siloed approach won’t work. Instead, you need to start with a top-down strategy that outlines individual goals for your ESG initiatives, and then inventory every potential risk associated with meeting those goals. Your risk management organization and individual business units can then take a bottom-up approach to monitoring and mitigating those risks as they arise. You’ll be able to track risks in aggregate, so that you can identify key risk trends across business units or geographic locations, or identify changes in your supply chain that might indicate new risks.
Your internal auditing team will add value here by building a comprehensive ESG controls framework that aligns with industry best practices. They’ll be able to independently and objectively measure the effectiveness of your ESG risk assessments, providing analysis that will ultimately serve as assurance to investors and to external auditors and regulatory boards.
Strong assurance by your internal auditors will involve reviewing the accuracy, relevance, completeness and timeliness of your data. As regulatory oversight grows stronger for sustainability policies, this will become increasingly important. It’s also important to review your ESG reporting within the context of your formal financial disclosure filings to ensure consistency with these reports so that you can provide assurance to investors.
Your internal auditors should also conduct periodic risk assessments on your ESG reporting, so that you have the context to properly outline any new risks that might be deemed material for potential investors.
Finally, it’s important to make ESG a larger part of your organization’s audit plan. Today, ESG and sustainability-related initiatives typically only make up about 1% of an organization’s internal audit plan, and little time is spent discussing these initiatives with the board. As the relevance of ESG plans and their associated risks continues to grow, this subject deserves a bigger spotlight within your audit plans.
Why IRM Matters in Your Organization
The importance of IRM goes beyond ESG: IRM is a framework that empowers risk management across your entire organization. With IRM, you can use integrated data from all of your business units to understand which risks need to be actioned or mitigated and how various scenarios can impact your organization.
The holistic analysis that IRM offers can provide your internal audit team with a contextual view of your organizational risk that it can use to generate better, faster audits and better compliance throughout your company.
An IRM technology solution goes beyond helping internal audit teams. If other parts of the organization are better able to respond to risk, the audit lift will be lighter, and auditors can spend more time on strategic initiatives that will drive the business forward.