ESG fraud risk: Understanding Internal Audit's role

Upskill ESG fraud awareness

As with all fraud knowledge, not every auditor needs to be an expert, but all auditors should have a baseline knowledge of what ESG fraud is, as well as the various indicators. This means understanding ESG fraud risk factors in context with the classic fraud triangle and the occupational fraud tree. By upskilling the audit team they will be better prepared when red flags arise during assessments and testing.

Include ESG fraud risk in assessments

Internal audit teams need to include ESG fraud risk management in their risk assessment and consider the outcome for audit planning. ESG fraud risk assessments can consist of several internal and external factors. When conducting ESG fraud risk assessments, questions for internal factors include:

• Who is responsible for determining the metrics for disclosure?
• Is there a proper separation of duties between metric gathering and reporting?
• How is this information collected, automated or manually?
• Are your organization's ESG claims fully supported with accurate and reliable data? How do you provide assurance against “greenwashing”?
• Is the control environment related to ESG fraud risks effective?
• Are incentives (both explicit and implicit) driving the right behaviors and attitudes or increasing pressure for fraudulent reporting?
• Are proper data governance policies and practices in place?

Likewise, the assessment should consider external factors such as relationships with third parties. Questions to consider for external fraud risks include:

• Are key third-party relationships related to your organization's ESG activities identified?
• How are these relationships managed and evaluated for viability?
• Are "right to audit" clauses included in contracts and exercised?
• How is data flowing from third parties evaluated and monitored?
• What is the process for provisioning and de-provisioning third-party access to internal systems?

Evaluate internal controls for fraud risks

The answers to the fraud risk management assessment will drive your team's audit plan. For example, you may find executive compensation plans are directly tied to ESG initiatives, and the data used in ESG disclosure reporting is compiled manually. This would represent a high-risk scenario for ESG fraud risks and should be audited. During the audit, the team will evaluate whether internal controls are designed to prevent or detect fraud sufficiently. They would test to verify the fraud prevention and detection controls are operating effectively. Finally, if fraud occurs, internal auditors should only conduct a fraud investigation if they are qualified. Otherwise, they should delegate the investigation to trained fraud examiners.

Internal Audit's role in fraud risk management

As with any fraud, internal audit plays a vital role in addressing ESG frauds. Building knowledge in this area, assessing the organization's ESG fraud risk management, and pulling in experts when needed will be critical to a solid assurance program. Leverage the tools you already have and keep your antenna up as the ESG reporting landscape evolves.