Crossrail Sky Garden, Canary Wharf.
Compliance | ESG | November 14, 2024

ESG auditing for banks

Environmental, Social, and Governance (ESG) has become a high-profile issue for all organizations over the last few years, particularly large organizations with significant stakeholder interest. In this article I will explore what this means for banks, including key risks and opportunities in the sector, and how internal audit can play a role in providing assurance and support to the business.

For a more general introduction to ESG, please download my report on The ABCs of ESG and the impact of internal audit.

What does ESG mean for banks and why is it important?

Banks are not unique, but they are subject to greater scrutiny than many other sectors. This scrutiny comes from regulators, customers, governments, and investors, among others. This means that ESG requirements may be more likely to be imposed, often by regulators and governments, or pressure may come from investors and customers. 

There are several different types of banks, and this will influence the way that ESG issues are prioritized and managed. Small, local banks, including credit unions (US), building societies (UK), and similar institutions in different jurisdictions, are often formed for a specific purpose, and are often owned by customers or communities. Larger banks, covering large regions or countries, will be subject to greater regulatory pressure and are more likely to encounter investor activism. The same applies to multinationals, but these will be meeting the needs of multiple governments and regulators and often have different interested parties focused on different issues in different countries. There is also an important distinction between retail banks and corporate and wholesale/investment banks, as stakeholders will differ and have different priorities, although many of the major banks operate in all parts of the sector. 

Key risks of ESG in banks

Understanding the various types of banks will help us identify the key risks that are essential to our role as internal auditors.

ESG risks for banks will typically emanate from their core activities and their interactions with stakeholders. For example, there will be risks from lending and investing activities, from managing and serving customers — particularly individuals and small businesses — as well as employing staff and running the offices. The examples below are based on specific impacts experienced by banks in recent years:

  • Environmental
    • Funding controversial projects and activities, such as fossil fuel development.
    • High levels of air travel among bank staff.
  • Social
    • Paying low wages (e.g., below minimum wage) to cleaning staff.
    • Lack of clarity or consistency in explaining and selling products to customers. For example, banks in the UK routinely mis-sold payment protection insurance attached to loans; the compensation bill ran to over £50bn.
    • Funding projects (e.g., dams) which displace communities.
  • Governance
    • False or exaggerated claims in ESG reports (greenwashing).
    • Perceived excessive pay to senior staff (“bankers’ bonuses”).
    • Creating or facilitating complex corporate structures to avoid regulation or taxation. For example, setting up operations where regulation is more relaxed (regulatory arbitrage) and channeling profits through jurisdictions with lower taxes.

Regulatory environment

As noted above, regulators are a key stakeholder for banks and, arguably, the regulatory landscape is the predominant reason that ESG is more important for banks (and other financial services sectors) than other industries. Risks that involve, for example, consumer protection are heightened for banks, as regulators set clear expectations and standards, and banks are often the first to be affected by emerging practices. For example, stress tests on climate scenarios have been piloted for large banks by regulators and central banks including the Bank of England, the European Central Bank, and the Federal Reserve Bank of New York, and we should expect this to become a regular occurrence going forward. This article highlights how the UK regulator is driving environmental requirements; it also refers to the European landscape which, in many respects, is more advanced. Other jurisdictions are following, albeit at different speeds.

ESG reporting for banks

In general, ESG reporting requirements are the same for banks as they are for other entities. But due to their scale, complexity, and a greater demand for such information, banks are more likely to be included within such requirements than many other sectors. Of particular relevance are the introduction of ISSB standards and European Sustainability Reporting Standards (ESRS), but others may apply in different jurisdictions. An issue common to all sectors, but heightened in banks due to their scale, complexity, and value chain, is the availability, integrity, and completeness of data as outlined in this McKinsey article. Good data is clearly required for banks’ own risk management and for stress testing, whether in-house or driven by regulators.

Internal audit’s role

As with any activity, internal auditors that work within banks should start by incorporating ESG and sustainability risks into their risk assessment processes. This should include the risks specific to the banking sector (some examples of which are given above) as well as the more general risks around ESG. It is important to understand what is happening in the market, in your organization, and among stakeholders to effectively assess these risks. As discussed earlier, given the importance of regulatory requirements in driving ESG risk management, it is vital to understand the current and future regulatory landscape. Horizon scanning should also take into account the existing and emerging concerns of other stakeholders, which can be gleaned from within the business, across sector networks, and throughout traditional and social media.

Alongside this, we should also consider and map what we already do. Internal auditors have been auditing ESG risks for much longer than the term “ESG” has been widely recognized – consider, for example, audits of customer service (complaints, compliance with regulations, sales practices) and of governance issues such as tax transparency and conflicts of interest. More recently, many internal audit departments in the sector have developed programs around climate change, covering topics such as stress testing, evaluation of climate risk in commercial loan products, and alignment with publicly stated commitments.

Most audits will not be unique to banks but, for the reasons already discussed, some risks are heightened due to regulations, scale and complexity. Some topics are also likely to be more important due to the stakeholders involved. Below I have highlighted a few potential audits which are either specific to or may have greater impact in banks. In several cases, this involves adding ESG considerations into existing audits, which will often be the best way to efficiently provide added assurance.

  • Lending – As one of a bank’s core activities, internal audit will perform various audits of lending processes and related support and risk management activities, whether for commercial lending, mortgage loans, or other consumer lending. These audits could include ESG topics such as:
    • Climate change – For example, whether property on which the loan is secured is vulnerable to changing weather patterns, or whether the risks from decarbonization strategies make the asset less valuable.
    • Other environmental risks such as pollution and uncontrolled waste.
    • Risks of funds being used in activities involving labor violations.
    • Transparency of corporate structures and tax arrangement.
  • New product design and approval – Are there processes to ensure consumers are protected in line with regulators’ and public expectations?
  • Complaints handling – Are processes in place to ensure customers are treated fairly, again in line with regulators’ and public expectations?
  • Anti-Money Laundering and “Know Your Customer” processes – Ensuring good governance to prevent money laundering, and protecting consumers and small businesses by providing products which are suitable and can be understood.
  • Executive pay – With frequent negative publicity about “bankers’ bonuses”, internal audit can provide assurance that pay strategies and bonus schemes are designed with appropriate incentives, appropriately approved, and applied fairly. While this won’t deflect some of the negative sentiment, it will provide a more robust decision-making framework for Boards.
  • ESG data – Given its complexity in banks, internal audit is well-placed to provide assurance over integrity, governance, and controls.
  • Reporting – Most large and many mid-sized banks have reported under Task Force on Climate-related Financial Disclosures (TCFD) and will be required to report under ISSB and in many cases ESRS. This is an area of regulatory focus for banks and there are a range of roles internal audit can play as described here.
  • Sales practices – There are many past cases of banks paying insufficient attention to the needs and interests of customers, primarily (but not only) consumers and small businesses. Most regulators now have clear expectations, and so internal audit can provide assurance over processes to ensure these regulations are met and, more broadly, that appropriate controls are in place to mitigate the risk of mis-selling.
  • Data protection – Internal audit will typically audit controls over the collection, processing, and storage of sensitive and confidential automated and manual data.

These are just a few examples, and most are part of the audits we already routinely conduct. Most also lend themselves to both assurance and advisory work by internal audit. Whilst banks clearly have direct impacts from offices, employment, and other standard corporate activities, the key risks and the key opportunities for internal audit action are in the core banking activities.


Planning the audit

Having determined the scope of an audit — and this may be an individual report, a set of reports, the reporting of a particular ESG “issue” or any combination of these — there are several factors to consider. For the purposes of clarity, I will assume that we are planning an audit of a single report, but the same principles and thought process can be applied, regardless of scope.

  • How is the report structured? Most standards allow a high level of flexibility, with varying degrees of mandatory disclosure, so it helps to know how it is compiled.
  • Where disclosures are optional, what approach is taken to determine which items to disclose? There should be a materiality assessment to drive this. Bear in mind requirements vary, with one key difference being the concepts of double materiality (which applies to ESRS and GRI and incorporates impacts to people and the environment) and single materiality (which applies to most other standards and is focused on the financial impact to the organization itself). You will need to review the materiality assessment and form a view of its conclusions and the processes used to produce it. This is essential to confirm that the right things have been disclosed.
  • It is important to understand governance, key roles, and ownership. This goes beyond some of the considerations over data in the previous article, relating additionally to processes for collating, presenting, and approving data to create required disclosures. This clarity is important in terms of facilitating a coherent governance and control framework. It may be that responsibility is dispersed — understanding this and assessing its effectiveness is a key foundation for any audit.
  • At the top level, how is the report approved? Ideally, this will be at the Board level with sufficient supporting material to assure the Board that it provides an accurate picture.
  • Whereas the first article discussed the controls over data, here we need to understand the processes and controls over data collation — how it is combined, adjusted where necessary, and ultimately presented in the report. It is even more likely that this will be spreadsheet-based. The level of automation, reconciliations, and review and approval are all controls that we should consider.
  • The process for writing, compiling, and approving narrative commentary is perhaps more important than for data disclosures given the inherent subjectivity involved. The risk of “greenwashing”, where a misleading picture is painted, can be greater for narrative. This applies to narrative around the data disclosures, examples given to show off good practices, and narrative disclosures specifically required by the particular standard. COSO’s report on “Achieving effective internal control over sustainability reporting (ICSR)” identifies three key differences to financial reporting. Two of these — that it is inherently more qualitative and that it can be more forward-looking — are relevant when considering this risk (the third relates to boundaries for the report which is important, but not directly relevant, to how we audit).
  • Finally, consider the five components and 17 principles given in the COSO report mentioned above. This is focused on internal control but can provide support as we consider the risks and controls we would expect.

Providing assurance: Testing approaches

As with any internal audit, the approach will depend on the scope, the risk assessment, and the initial assessment of controls discussed above and in the first article. In most cases, it is likely that we will want to perform a combination of control-based and substantive testing, although the controls-based work may stop at the design phase for some aspects; this is not wasted effort, as it does have value in helping move the organization to a more mature state. I will assume here that we are likely to need to test data presented in disclosures substantively, but that we should be looking at and testing higher-level controls, such as approvals and broader governance.

One way to approach this audit is to create a matrix that lists the individual disclosure requirements of the specific standard being reported under, assesses each disclosure against its requirement, and records the test steps as described above. Better still, utilizing a software solution like TeamMate+ ESG allows you to incorporate the ESG standards into your audit workflow to support overall ESG auditing and assurance.

Quantitative disclosures

  • You will need to assess whether to audit all data presented in the report or focus on the most material data in terms of impact to the organization and/or its stakeholders. This will depend on factors such as risk appetite, available resources, and the strength of controls over source data and the compilation process.
  • Audit tests need to be designed to trace disclosures back to source data. There should be a clear audit trail with evidence, but this is often not the case and so may not be straightforward to audit.
  • Clearly, appropriate sampling techniques should be deployed. Alternatively, automated tools can be used to support the audit.
  • There will be adjustments — for example, to ensure data relates to the correct time period or to eliminate duplicates where there are multiple sources — and these should be clearly documented, reviewed, and approved. Again, this is often not the case in a maturing process which limits the assurance that can be taken. But we should aim to test as far as reasonably possible while recommending improvements to processes and controls.

Qualitative disclosures

  • Qualitative disclosures may be mandatory or optional disclosures specified in the standard or additional material used to support the messages presented in the report. Again, you will need to determine the approach using similar criteria to those above.
  • Disclosures required by the standard should also be supported by clear evidence. These disclosures often include, for example, a description of governance arrangements, organizational responsibilities, risk management processes, policy arrangements, and executive pay criteria. Disclosures should accurately reflect the true position and be reviewed and approved. Internal audit can assess the supporting evidence that feeds this narrative.
  • Other material also needs to be supported by evidence, while also being a fair reflection of the overall picture rather than cherry-picking examples that paint the best picture. This is key to avoiding accusations of greenwashing. Given the subjectivity, the review and approvals are of heightened importance. Internal audit can take its own view with sufficient insight in addition to ensuring appropriate management approvals.

Governance

  • Internal audit should look at both formal and informal governance arrangements. Good practice would be that it should be driven at Board level and that the Board should give the final approval for a report.
  • We need to consider the review processes of the final report before it reaches the Board. Organizations are moving away from marketing or communications-led productions, but the risk of unbalanced or misleading messages remains, so risk and compliance functions are likely to have some involvement. Ideally, there will be a cross-cutting executive committee that reviews the report and how it is produced as part of its remit, and we would expect relevant leaders to be conducting a thorough review. Evidence of this review should be expected, and internal audit is likely to want to assess this.
  • As mentioned earlier, many of the specific disclosures, both quantitative and qualitative, will require strong review and approval processes. These should be assessed by internal audit as they provide key controls.

Conclusion

This article has demonstrated that many of the ESG issues highlighted are already ingrained in a bank’s processes, governance, and control frameworks. However, it is important that we ensure they are given appropriate prominence in our audit plans. And many of the most volatile and emerging risks – responses to climate change, new reporting requirements, and evolving consumer protection, for example – are providing challenges for the organizations as well as for internal audit. Early engagement and effective targeted assurance and advisory activities are a great opportunity for internal audit to add value.


Kevin Gould
Non Executive Director, Chair of Risk and Audit Committee
Kevin is a Chartered Accountant with a strong background in Internal Audit and a recent focus on ESG. He has 25 years of experience as a consultant, adviser and auditor.