ESG reporting: Internal audit’s role in the fast-changing landscape

Getting started

Some organizations are reporting under multiple ESG reporting frameworks or standards for different stakeholders. Some of these may have been used for several years while others are new or planned, particularly given the emerging requirements of ISSB and ESRS. The first thing internal audit needs to do is understand what different reports the organization is producing and planning to produce. You will need to assess the risk around these reports — given the stakeholders involved and the way they use the information in the reports — and prioritize them based on this and any internal insights you may have (more about this later).

The approach will clearly be different depending on whether the reports are relatively mature (i.e., been produced for more than one year) or are being planned or implemented. For emerging reporting, internal audit’s role is no less valuable. In fact, given the pace of change in requirements, the scrutiny both ISSB and ESRS are likely to be given by stakeholders and the greater comparability of emerging standards, internal audit’s early insight may be of greater value for reporting as it is being developed or piloted. In any case, similar governance, processes, and controls will be needed.

Some questions and topics internal audit may want to consider in determining where to focus include:

• If there are multiple reports, are processes for different reports aligned? Is there consistent data, messaging, and approach?
• What existing assurance is in place? Few reports have comprehensive external assurance – if anything, it is “limited” in nature, meaning a high reliance on review and enquiry with a limited amount of testing. ISSB and ESRS will require external assurance, but it is likely to be limited in the early years. Internal audit can still play a key role as processes, controls, and governance frameworks are developed. It can also help ensure the business is prepared for external assurance.
  
• Any insights into the maturity of processes and governance, and any known challenges or weaknesses.
• Any insight into stakeholder engagement and interest in different issues and different reports.

Planning the audit

Having determined the scope of an audit — and this may be an individual report, a set of reports, the reporting of a particular ESG “issue” or any combination of these — there are several factors to consider. For the purposes of clarity, I will assume that we are planning an audit of a single report, but the same principles and thought process can be applied, regardless of scope.

• How is the report structured? Most standards allow a high level of flexibility, with varying degrees of mandatory disclosure, so it helps to know how it is compiled.
• Where disclosures are optional, what approach is taken to determine which items to disclose? There should be a materiality assessment to drive this. Bear in mind requirements vary, with one key difference being the concepts of double materiality (which applies to ESRS and GRI and incorporates impacts to people and the environment) and single materiality (which applies to most other standards and is focused on the financial impact to the organization itself). You will need to review the materiality assessment and form a view of its conclusions and the processes used to produce it. This is essential to confirm that the right things have been disclosed.
• It is important to understand governance, key roles, and ownership. This goes beyond some of the considerations over data in the previous article, relating additionally to processes for collating, presenting, and approving data to create required disclosures. This clarity is important in terms of facilitating a coherent governance and control framework. It may be that responsibility is dispersed — understanding this and assessing its effectiveness is a key foundation for any audit.
• At the top level, how is the report approved? Ideally, this will be at the Board level with sufficient supporting material to assure the Board that it provides an accurate picture.
• Whereas the first article discussed the controls over data, here we need to understand the processes and controls over data collation — how it is combined, adjusted where necessary, and ultimately presented in the report. It is even more likely that this will be spreadsheet-based. The level of automation, reconciliations, and review and approval are all controls that we should consider.
• The process for writing, compiling, and approving narrative commentary is perhaps more important than for data disclosures given the inherent subjectivity involved. The risk of “greenwashing”, where a misleading picture is painted, can be greater for narrative. This applies to narrative around the data disclosures, examples given to show off good practices, and narrative disclosures specifically required by the particular standard. COSO’s report on “Achieving effective internal control over sustainability reporting (ICSR)” identifies three key differences to financial reporting. Two of these — that it is inherently more qualitative and that it can be more forward-looking — are relevant when considering this risk (the third relates to boundaries for the report which is important, but not directly relevant, to how we audit).
• Finally, consider the five components and 17 principles given in the COSO report mentioned above. This is focused on internal control but can provide support as we consider the risks and controls we would expect.

Providing assurance: Testing approaches

As with any internal audit, the approach will depend on the scope, the risk assessment, and the initial assessment of controls discussed above and in the first article. In most cases, it is likely that we will want to perform a combination of control-based and substantive testing, although the controls-based work may stop at the design phase for some aspects; this is not wasted effort, as it does have value in helping move the organization to a more mature state. I will assume here that we are likely to need to test data presented in disclosures substantively, but that we should be looking at and testing higher-level controls, such as approvals and broader governance.

One way to approach this audit is to create a matrix to consider the individual disclosure requirements for reporting under any specific standard, assessing the disclosure against the requirement, and creating the test steps as described above. Better still, utilizing a software solution like TeamMate+ ESG, allows you to incorporate the ESG standards into your audit workflow to support overall ESG auditing and assurance. 

Quantitative disclosures

• You will need to assess whether to audit all data presented in the report or focus on the most material data in terms of impact to the organization and/or its stakeholders. This will depend on factors such as risk appetite, available resources, and the strength of controls over source data and the compilation process.
• Audit tests need to be designed to trace disclosures back to source data. There should be a clear audit trail with evidence, but this is often not the case and so may not be straightforward to audit.
• Clearly, appropriate sampling techniques should be deployed. Alternatively, automated tools can be used to support the audit.
• There will be adjustments — for example, to ensure data relates to the correct time period or to eliminate duplicates where there are multiple sources — and these should be clearly documented, reviewed, and approved. Again, this is often not the case in a maturing process which limits the assurance that can be taken. But we should aim to test as far as reasonably possible while recommending improvements to processes and controls.

Qualitative disclosures

• Qualitative disclosures may be mandatory or optional disclosures specified in the standard or additional material used to support the messages presented in the report. Again, you will need to determine the approach using similar criteria to those above.
• Disclosures required by the standard should also be supported by clear evidence. These disclosures often include, for example, a description of governance arrangements, organizational responsibilities, risk management processes, policy arrangements, and executive pay criteria. Disclosures should accurately reflect the true position and be reviewed and approved. Internal audit can assess the supporting evidence that feeds this narrative.
• Other material also needs to be supported by evidence, while also being a fair reflection of the overall picture rather than cherry-picking examples that paint the best picture. This is key to avoiding accusations of greenwashing. Given the subjectivity, the review and approvals are of heightened importance. Internal audit can take its own view with sufficient insight in addition to ensuring appropriate management approvals.

Governance

• Internal audit should look at both formal and informal governance arrangements. Good practice would be that it should be driven at Board level and that the Board should give the final approval for a report.
• We need to consider the review processes of the final report before it reaches the Board. Organizations are moving away from marketing or communications-led productions, but the risk of unbalanced or misleading messages remains, so risk and compliance functions are likely to have some involvement. Ideally, there will be a cross-cutting executive committee that reviews the report and how it is produced as part of its remit, and we would expect relevant leaders to be conducting a thorough review. Evidence of this review should be expected, and internal audit is likely to want to assess this.
• As mentioned earlier, many of the specific disclosures, both quantitative and qualitative, will require strong review and approval processes. These should be assessed by internal audit as they provide key controls.

ESG report analysis: How to add more value

Many of the steps described in this article have the potential to add value, simply by providing insight into gaps in governance, process, and control. Often, teams producing these reports and the underlying data have limited experience of assurance, certainly compared to those dealing with financial reports. As external assurance becomes a requirement, good governance, control, and clear evidence will become increasingly important. Identifying such gaps at this stage can be turned into a positive opportunity for the organization to prepare and mature.

One further suggestion is to add value by benchmarking against other organizations’ reports. Again, use a matrix, but perhaps consider this analysis at a higher level than individual disclosures, focusing instead on themes or issues. The best approach will depend on the specific standard and how it is structured. While this is somewhat subjective, and by its backward-looking nature does not consider emerging developments, it can provide insight into what others are doing well and where your own organization is ahead of the pack.

Opportunities and challenges

There is a real opportunity here for internal audit to fill the assurance gap that has been present in ESG reporting while also adding value by providing insight at the right time. We can help businesses mature their processes both in relation to ESG data and reporting and raise our profile as a result.

But there are challenges. Understanding that there is a skill shortage, this can take significant resources and so priorities must be set. While some of this can be done with limited specific knowledge, there is no doubt that some expertise will be beneficial and necessary. I hope this and the previous article on data governance and quality have shown how this plays very well to internal audit’s skill sets and that you are able to act on the opportunity this presents.