Internal Audit’s Role in Supporting Sustainability Reporting

What’s New

Environmental, social and governance (ESG) guidance, stakeholder demands and regulatory mandates are evolving and becoming more specific, and the time of taking a “soft approach” to sustainability reporting has passed. As the need to provide, or prepare to provide, limited and/or reasonable assurance in sustainability reporting grows, internal audit’s role in the reporting process becomes obvious and essential.

Why It Matters

Sustainability disclosures must be backed by high-quality, “regulator-grade” data. The internal audit function, with its understanding of the entire organisation and intimate knowledge of internal controls, is well-suited to validate the accuracy and reliability of the data that is used in ESG reporting. This includes assessing data collection methodologies, data sources, and the accuracy of calculations and conversions.

Bottom Line

Internal audit has a substantial opportunity to help businesses meet their sustainability reporting obligations and assess ESG risks by imparting operational, technology and financial reporting assurance expertise and bringing together senior leadership, boards and other key parties that have a role to play in providing auditable sustainability reporting.

Go Deeper

The rising importance of environmental, social and governance (ESG) reporting is providing internal audit functions with a prime opportunity to either maximise — or finally step into — the role of a strategic and trusted adviser to the business. The function’s unique vantage point in the organisation and its independence and objectivity can add significant value to a company’s ESG reporting and related processes. That includes assessing ESG and sustainability risks and ensuring that the quantitative and qualitative data presented in sustainability reporting is accurate, relevant, complete and timely.

More senior executives and boards of directors are actively seeking internal audit’s involvement in sustainability reporting as ESG guidance, stakeholder demands and regulatory mandates continue to expand and evolve rapidly. Protiviti’s latest Global Finance Trends Survey found that three in five organisations (60%) have seen a substantial increase in the focus and frequency of their sustainability reporting in the past year. Sustainability metrics and measurement also rate as the #1 priority for chief financial officers (CFOs), other finance leaders and their teams for the next 12 months.

Regulatory Drivers

With the recent release of several major proposals in Europe, the United States, and elsewhere internationally, many businesses now find they face a complex future regulatory landscape for ESG that is far more demanding than ever before. Some firms are at risk of falling behind before they can fully grasp what ESG standards and requirements they must adhere to and when, and determine how best to gather and provide evidence that demonstrates compliance with measures such as:

  • The Corporate Sustainability Reporting Directive (CSRD): The CSRD, which went into effect in January 2023, incorporates the concept of “double materiality” and requires limited assurance (for now) over the reported information. Businesses that must comply with CSRD have to report on how sustainability issues might create financial risks for the company (financial materiality) and how the business impacts people and the environment (impact materiality). Creating a CSRD compliance capability will be a heavy lift for most firms, as it requires substantial data collection and verification, cross-functional collaboration, and, potentially, new reporting infrastructure.
  • The SEC’s Climate Disclosure Rule: In March 2022, the U.S. Securities and Exchange Commission (SEC) issued a proposed rule intended to enhance and standardise climate disclosure requirements provided by publicly listed companies. The SEC explains in its fact sheet about the proposed rule that companies will need to, in addition to meeting other requirements, report details about their greenhouse gas (GHG) emissions, including indirect emissions from upstream and downstream activities in their value chain. The Commission also has proposed that certain GHG emissions for accelerated and large accelerated filers will be subject to assurance. The SEC is expected to finalise the climate disclosure rule by early 2024.
  • California Climate Corporate Data Accountability Act and the Climate-Related Financial Risk Act: California recently passed two climate disclosure laws expected to have a wide reach and affect companies of a certain size that do business in California, regardless of where the company is headquartered. CA SB 253 requires the reporting of Scope 1, 2 and 3 GHG emissions, and CA SB 261 requires a sustainability report aligned with the recommendations of the Task Force on Climate-Related Financial Disclosures (TCFD) placed on the company’s website for public viewing. SB 253 requires limited assurance over direct emissions reporting in 2026, graduating to reasonable assurance at a later point.
  • Local Requirements: A number of countries around the world, from the United Kingdom to Hong Kong, Australia, China, etc., have enacted sustainability disclosure requirements applying to companies in their respective jurisdictions, with various degrees of oversight and assurance. You can find an overview of some of these requirements in a Protiviti white paper, “Regulations and Demand for Accountability Set the Tone for the Future of ESG Disclosures.”

Stakeholder Dynamics Leading the Way

Besides regulations, there are market forces compelling organisations to provide detailed, accurate and data-backed reporting on their sustainability efforts. While investor pressure was the original impetus for such reporting a year or more ago, one of the main drivers today is pressure from other businesses – customers, suppliers and partners to the organisation, who need the data for their own reporting purposes.

Another, equally important, factor is consumers and employees, who increasingly vote with their wallets and their feet based on the credibility of a company’s ESG claims. A recent study by IBM reveals that consumers increasingly focus on companies’ sustainability performance when making purchasing and employment decisions, and 70% of executives view ESG as a revenue enabler for that reason. The study also indicated that 40% of employees are willing to accept a lower salary at an environmentally and socially responsible company, and a quarter of those actually did so. Another joint study by McKinsey and NielsenIQ found products from consumer packaged goods companies that make ESG-related claims averaged 28% cumulative growth over the past five-year period, versus 20% for products that made no such claims.

As for whether ESG stocks — those that meet certain social responsibility and sustainability criteria — outperform the market, the jury is still out. Some studies suggest that companies with high ESG scores do outperform, while others indicate no significant difference.

Growing Emphasis on Reasonable Assurance Makes Internal Audit’s Role in ESG Reporting a Must

The simple fact that companies are under increasing pressure from many stakeholders, internal and external, to produce reliable and high-quality reporting on their sustainability efforts is reason enough for internal audit to be involved in the process. And as mandates tip the scale toward assurance over ESG matters – limited at first and reasonable thereafter – that involvement becomes essential.[1]

Nearly all large global companies today disclose ESG information, but only 64% of companies are obtaining assurance and verification over some of the ESG information they provide. This percentage will grow in the future as the CSRD and other regulations phase in the reasonable assurance standard.

Further, interpretive guidance on internal control over sustainability reporting released by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in March 2023 emphasises that companies should leverage their internal audit functions to provide objective assurance and other advice before they turn to external assurance resources to validate their ESG data and disclosures. This COSO guidance is helpful to finance and internal audit professionals, who have substantial experience and “muscle memory” in applying the framework to financial reporting, which can be leveraged for controls over sustainability reporting.

These trends point to a role for internal audit in sustainability reporting that is likely to become part of the function’s core responsibility, and therefore likely to be added to the audit plan for most companies over the near term.


What Did Internal Audit Learn in the Past Year?

Internal audit functions that have stepped into this new role in the past year have learned some valuable lessons. For example:

  • Much of the data used in drafting sustainability reports is derived from assumptions or its origins are not transparent to the organisation. As a result, this data can undergo significant change when scrutinised by internal audit.
  • Formalisation around internal controls over ESG data is insufficient or lacking. There is a clear need for training and education of the data owners, many of whom are new to the process.
  • Targets and commitments set by companies and announced publicly have emerged as an area of litigation risk. Many internal audits have found that the creation of some of these goals is not well founded, or that organisations are lacking proper monitoring of progress.

Where Can Internal Audit Add Value in Sustainability Reporting?

Internal auditors are experts in internal controls and governance. Combined with a solid understanding of the ESG standards, demands and regulations the organisation must comply with, that expertise will be invaluable in guiding the business toward creating an effective ESG control environment. In fact, The Institute of Internal Auditors (The IIA) emphasises that the internal audit function can offer “critical assurance support by providing an independent and objective review of the effectiveness of ESG risk assessments, responses, and controls.”

Internal audit is also well-suited to validate the accuracy and reliability of data used in ESG reporting. This includes assessing data collection methodologies, data sources, and the accuracy of calculations and conversions. Internal audit’s input can help the business avoid ESG missteps by confirming that the data used to measure progress toward sustainability goals is accurate and consistent with the company’s actual performance. This is especially valuable in areas that tend to be highly scrutinised, such as a company’s diversity, equity and inclusion (DEI) programmes and gender pay equity initiatives.

Another area where internal audit can add significant value in sustainability reporting and related efforts is by conducting benchmarking exercises to assess the maturity of the company’s ESG control environment and processes. Sustainability is an ongoing journey and, as noted earlier, ESG-related standards, regulations and stakeholder expectations are constantly evolving. Companies will need to evaluate their ESG progress, and the progress of their competitors and peer companies in other industries, regularly — and objectively. Internal audit can help the business to:

  • Review ESG commitments and targets and progress toward those goals
  • Assess the company’s regulatory readiness to meet ESG mandates
  • Assess ESG scoping and materiality
  • Make process improvement recommendations for ESG reporting and data tracking
  • Secure engagement by key stakeholders across the organisation

The Opportunity for Internal Audit Is Substantial

A 2023 report by AuditBoard found that two-thirds of organisations globally have yet to implement ESG controls — and 60% do not currently perform internal ESG audits. This is a significant opportunity for internal auditors to help set their organisations on the path to ESG reporting success. That said, they must first increase their own expertise in sustainability matters quickly. They must also prepare for the continuous development of internal audit capabilities to devote to sustainability reporting activities.

Internal audit organisations and the businesses they support should not underestimate the amount of time, effort and resources they will need to devote to managing ESG workloads, which will only continue to grow. Depending on the requirements the company needs to meet and the sustainability goals and related timelines it has committed to, additional staff may need to be hired and/or consulting expertise engaged.

Now is also the time for internal audit leaders to increase their communication and collaboration with CFOs, controllers, boards, marketing and sales teams, people leaders, and any other key parties that have a role to play in helping the company to deliver accurate, data-driven ESG reporting. A sustainability officer or committee, where available, is internal audit’s key partner in this, by virtue of both functions having a unique, cross-organisational view of the business. Together, internal audit and these various stakeholders can grow their collective understanding of the company’s ESG reporting obligations and the ESG risks that the business faces. They can also determine how best to set up the infrastructure to gather and consolidate relevant ESG data from across the organisation in a repeatable way.

It is almost guaranteed that gathering sustainability data will be challenging, at least in the near term, especially as the business seeks to gather data from sources that aren’t accustomed to providing data subject to auditing. This means technology investments likely will be needed to help the business enable or improve ongoing data analysis and reporting for ESG. Again, data-driven internal audit functions will have insight and strategies to share on how to use technology tools and collaborate with data owners to collect relevant information for sustainability reporting.

Given internal audit’s depth of experience in helping an organisation to achieve its financial reporting requirements, there is perhaps no other function better positioned to help the business master its sustainability reporting and data collection objectives — and avoid the risks of faulty reporting. The IIA says as much, emphasising that, “ESG reporting … should be treated with the same care as financial reporting” and “internal audit can and should play a significant role in an organisation’s ESG journey.”

1. Reasonable assurance is the more robust level of assurance, stating that the information is correct based on an independent review and testing of processes and controls. Limited assurance, meanwhile, relies less on testing and more on management information and may be limited to certain components of a report.