The rising importance of environmental, social and governance (ESG) reporting is providing internal audit functions with a prime opportunity to either maximise — or finally step into — the role of a strategic and trusted adviser to the business. The function’s unique vantage point in the organisation and its independence and objectivity can add significant value to a company’s ESG reporting and related processes. That includes assessing ESG and sustainability risks and ensuring that the quantitative and qualitative data presented in sustainability reporting is accurate, relevant, complete and timely.
More senior executives and boards of directors are actively seeking internal audit’s involvement in sustainability reporting as ESG guidance, stakeholder demands and regulatory mandates continue to expand and evolve rapidly. Protiviti’s latest Global Finance Trends Survey found that three in five organisations (60%) have seen a substantial increase in the focus and frequency of their sustainability reporting in the past year. Sustainability metrics and measurement also rate as the #1 priority for chief financial officers (CFOs), other finance leaders and their teams for the next 12 months.
With the recent release of several major proposals in Europe, the United States, and elsewhere internationally, many businesses now find they face a complex future regulatory landscape for ESG that is far more demanding than ever before. Some firms are at risk of falling behind before they can fully grasp what ESG standards and requirements they must adhere to and when, and determine how best to gather and provide evidence that demonstrates compliance with measures such as:
- The Corporate Sustainability Reporting Directive (CSRD): The CSRD, which went into effect in January 2023, incorporates the concept of “double materiality” and requires limited assurance (for now) over the reported information. Businesses that must comply with CSRD have to report on how sustainability issues might create financial risks for the company (financial materiality) and how the business impacts people and the environment (impact materiality). Creating a CSRD compliance capability will be a heavy lift for most firms, as it requires substantial data collection and verification, cross-functional collaboration, and, potentially, new reporting infrastructure.
- The SEC’s Climate Disclosure Rule: In March 2022, the U.S. Securities and Exchange Commission (SEC) issued a proposed rule intended to enhance and standardise climate disclosure requirements provided by publicly listed companies. The SEC explains in its fact sheet about the proposed rule that companies will need to, in addition to meeting other requirements, report details about their greenhouse gas (GHG) emissions, including indirect emissions from upstream and downstream activities in their value chain. The Commission also has proposed that certain GHG emissions for accelerated and large accelerated filers will be subject to assurance. The SEC is expected to finalise the climate disclosure rule by early 2024.
- California Climate Corporate Data Accountability Act and the Climate-Related Financial Risk Act: California recently passed two climate disclosure laws expected to have a wide reach and affect companies of a certain size that do business in California, regardless of where the company is headquartered. CA SB 253 requires the reporting of Scope 1,2 and 3 GHG emissions, and CA SB 261 requires a sustainability report aligned with the recommendations of the Task Force on Climate-Related Financial Disclosures (TCFD) placed on the company’s website for public viewing. SB 253 requires limited assurance over direct emissions reporting in 2026, graduating to reasonable assurance at a later point.
- Local Requirements: A number of countries around the world, from the United Kingdom to Hong Kong, Australia, China, etc., have enacted sustainability disclosure requirements applying to companies in their respective jurisdictions, with various degrees of oversight and assurance. You can find an overview of some of these requirements in a Protiviti white paper, “Regulations and Demand for Accountability Set the Tone for the Future of ESG Disclosures.”
Stakeholder Dynamics Leading the Way
Besides regulations, there are market forces compelling organisations to provide detailed, accurate and data-backed reporting on their sustainability efforts. While investor pressure was the original impetus for such reporting a year or more ago, one of the main drivers today is pressure from other businesses – customers, suppliers and partners to the organisation, who need the data for their own reporting purposes.
Another, equally important, factor are consumers and employees, who increasingly vote with their wallets and their feet based on the credibility of a company’s ESG claims. A recent study by IBM reveals that consumers increasingly focus on companies’ sustainability performance when making purchasing and employment decisions, and 70% of executives view ESG as a revenue enabler for that reason. The study also indicated that 40% of employees are willing to accept a lower salary at an environmentally and socially responsible company, and a quarter of those actually did so. Another joint study by McKinsey and NielsenIQ found products from consumer packaged goods companies that make ESG-related claims averaged 28% cumulative growth over the past five-year period, versus 20% for products that made no such claims.
As for whether ESG stocks — those that meet certain social responsibility and sustainability criteria — outperform the market, the jury is still out. Some studies suggest that companies with high ESG scores do outperform, while others indicate no significant difference.
Growing Emphasis on Reasonable Assurance Makes Internal Audit’s Role in ESG Reporting a Must
The simple fact that companies are under increasing pressure from many stakeholders, internal and external, to produce reliable and high-quality reporting on their sustainability efforts is reason enough for internal audit to be involved in the process. And as mandates tip the scale toward assurance over ESG matters – limited at first and reasonable thereafter – that involvement becomes essential.
Presently, nearly all large global companies today disclose ESG information, but only 64% of companies are obtaining assurance and verification over some of the ESG information they provide. This percentage will grow in the future as the CSRD and other regulations phase in the reasonable assurance standard.
Further, interpretive guidance on internal control over sustainability reporting released by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in March 2023 emphasises that companies should leverage their internal audit functions to provide objective assurance and other advice before they turn to external assurance resources to validate their ESG data and disclosures. This COSO guidance is helpful to finance and internal audit professionals, who have substantial experience and “muscle memory” in applying the framework to financial reporting, which can be leveraged for controls over sustainability reporting.
These trends point to a role for internal audit in sustainability reporting that is likely to become part of the function’s core responsibility, and therefore likely to be added to the audit plan for most companies over the near term.