Last month, Doug Hileman published a white paper on Internal Audit’s role in corporate ESG programs. Among Doug’s rather stark findings:
– 44% of respondent companies indicated a “complete commitment” to ESG, yet 25% don’t know where the ESG function “lives”
– 44% of respondents had not performed any internal audits of ESG topics in the past 5 years
– Another 36% didn’t know if any internal audits performed in the past 5 years included ESG topics
– Diversity & inclusion was identified as the top material ESG topic (44%). Supply chain ESG risks garnered exactly zero votes.
The results are based on polling at the Institute of Internal Auditing (IIA) March 2021 Los Angeles conference, so it’s not too surprising that this cohort would think they should be more involved with anything that could border on a compliance issue. Nor is it surprising that there’s some reluctance to add this layer of review to voluntary disclosures. In fact, it’s consistent with my own experience.
But my humble prediction is that the absence of internal audit from ESG data gathering, evaluation & disclosure is going to start raising alarm bells very soon. Now’s the time to get ahead by starting to involve your own team, if you haven’t done so already. Much rides on ESG information quality these days: investors make decisions and issue guidance on it, media outlets write about it, and the Biden administration has made clear that regulatory actions and enforcement will be taken based on it. With so much at stake, it’s only a matter of time before companies will be expected to have more stringent internal controls over this non-financial information – or face reputational & litigation risks for inaccurate disclosure.
Some simple steps for bringing Internal Audit to the ESG party:
– Have IA include internal environmental and social responsibility experts in audits. Blended teams merge IA’s governance and controls expertise with E&S technical subject matter knowledge.
– Ensure established audit procedures are understood and followed by the blended team – especially evidence sampling methodologies. IA may be concerned about the amount of in-scope E&S data, and E&S staff may not understand controls testing. E&S staff can filter E&S data/evidence for technical appropriateness, and IA can ensure evidence sufficiency.
– Recognize that there are risks with industry collaborative supplier ESG audit programs and certifications. IA needs to understand how these programs produce the audit results that companies rely on and disclose to customers, the public and, increasingly, regulators.
-Lawrence Heim, TheCorporateCounsel.net April 5, 2021