ESG planning for internal audit in 3 easy steps

1. Determine responsibility

The first step in creating an audit plan that incorporates ESG factors is to figure out who’s responsible for what and see if any roles need to shift. Nearly two-thirds of chief audit executives (CAE) said that boards drive their organizations' “focus and integration of ESG strategy and reporting,” according to a study by The Internal Audit Foundation, The Institute of Internal Auditors (IIA), and EY.

That might work at some organizations, but it could also be the case that your internal audit team is well placed to assume this responsibility, or at least take on a larger role than what you’re currently handling. That same study found that over half of CAEs think “boards and C-suites should mandate that their internal audit function participate in ESG efforts.”

And because ESG issues touch so many areas of business, it’s important to know who to turn to in order to get the right information about ESG risks and ESG compliance. Reviewing current roles and responsibilities might lead to identifying gaps, like if senior management becomes so focused on the “E” and “S” of “ESG” that the governance angle is overlooked.

2. Get a lay of the land

Developing an audit plan that incorporates ESG factors often requires internal auditors to gain a better understanding of ESG issues. That’s not to say that every internal audit member has to be an expert about everything related to ESG, but it helps to at least get a lay of the land, comparable to how you might brush up on cybersecurity to provide better IT assurance.

To do so, internal auditors might turn to internal sources, like meeting with HR to discuss DEI issues or operations teams to understand if or how emissions are being accounted for. Externally, internal auditors might turn to industry reports, to review other companies’ ESG disclosures, or discuss ESG risks with external auditors.

Because of the complexity and many arms of ESG, organizations might also need to bring in additional expertise through hiring or consulting arrangements to better understand ESG risk and ESG compliance needs. Doing so can help organizations determine what ESG data is already available and what needs to be calculated.

3. Communicate ESG risk

Gaining an understanding of ESG risks is only part of the process for internal audit teams. You also need to be able to communicate ESG risks to stakeholders, like senior management. Long-term, your goal might be to develop a separate ESG risk report, but for now, it might be more realistic to incorporate ESG risk reporting into your current processes. 

In doing so, keep in mind that this may be a new area for those receiving risk reports. That’s why it might not be practical to start with, say, a deep dive on your Scope 1 vs. Scope 2 vs. Scope 3 emissions. Instead, you may need to fold ESG risks into more familiar, traditionally used areas and then layer in additional ESG metrics over time.

For example, when sharing financial risks with executives during an internal audit presentation, you might point out how shortcomings in ESG principles could hurt consumer demand, thereby decreasing top-line revenue. Or, when discussing legal risks, you might include information on emerging ESG compliance regulations, such as proposed SEC rules, that prompt leaders to expand legal or compliance budgets.

Prioritize ESG

Internal audit teams that prioritize ESG risk management now can position their organizations to navigate changing stakeholder expectations and be better prepared as new ESG compliance rules take shape. Public companies or those who are fundraising can also make themselves attractive to those interested in ESG investing.

ESG objectives tend to evolve. The sooner you’re able to implement these factors into your assurance processes, the better. It’s important to understand who’s responsible for ESG policy and the various ESG practices within your organization. By developing a solid understanding of ESG issues, and applying a robust communication strategy with stakeholders, you’ll have a greater opportunity to build a strong foundation; one that increases your organization’s appeal to stakeholders, from institutional investors to individual customers.