Amid the growing momentum toward increased organizational disclosure of environmental, social, and governance (ESG) information, internal audit has a pivotal role to play in driving organizational value related to these issues.
Interest in these issues has increased in the United States, with the SEC exploring potential regulation amid a reckoning on diversity, equity, and inclusion (DEI) issues over the past year. In many areas outside the United States, ESG regulations already have been established.
Even where regulations don’t exist yet, investors and the public are demanding information on these topics. Anthony Pugliese, CPA/CITP, CGMA, president and CEO of The Institute of Internal Auditors (IIA), said organizational value is going to be affected by these disclosures.
“With greater scrutiny on organizations over ESG-related issues, those who are out front in disclosing performance are probably going to have an edge in the marketplace, particularly from the standpoint of investors and other stakeholders,” he said. “For those who don’t, they are going to face increased risks and potential backlash.”
A white paper The IIA recently published on internal audit’s role describes independent assurance as a critical element of ESG reporting. Pugliese acknowledged that this is an area that can be challenging because there remains a lack of one set of standards and the regulatory environment is still evolving.
A more uniform approach may emerge after the fall, as the IFRS Foundation is considering creating a board to establish standards for global sustainability reporting. In the meantime, Pugliese said, organizations are working to find the best path forward on ESG reporting in an environment that’s both exciting and inconsistent.
“There is mixed messaging, and with a new [US government] administration prioritizing it, that’s also adding a lot of pressure,” he said. “The standards, I think, are going to have to begin quickly coalescing. Otherwise, we’re going to have a lot of people putting out reports that don’t have the right context.”
Internal audit can help cut through the confusion. Pugliese said internal audit’s imperatives in ESG reporting can include:
Advisory services. If the board or management is uncertain about best practices in ESG reporting, internal audit might be able to help. “Sometimes the board and management know they have the ability in a well-resourced internal audit function to say, ‘Hey, we need some help. Could you please work in a way that’s independent and give us some advice on where we want to focus?’” Pugliese said. Once internal audit provides information, management and the board can make more informed decisions on how to move forward.
Compliance work. Regulation in this area is increasing. Companies with operations outside the United States might need to comply with established regulations in their ESG reporting. Some states, such as California, might have stricter regulations that need to be addressed in reporting. “Is there something in your local environment that’s going to require disclosures?” Pugliese asked. Internal audit needs to be on top of that, as well as new requirements that may be emerging.
Meeting the demand. Pugliese said internal auditors will need to analyze what measures investors, customers, banks, and other stakeholders would want to know about ESG issues that the business is able to provide. “The thing that’s hard about it is that it’s going to keep evolving, and you’re never going to have it quite nailed down until we have a common reporting system,” Pugliese said.
Remembering the audience. ESG reporting has to be understandable to investors and other users of the information. “It’s one thing to be in compliance where you’ve reported what you need to,” Pugliese said. “It’s another thing for the average consumer or investor to be able to understand that and its context.”
Assessing controls. Internal auditors will need to understand what ESG measures are applicable to their organization, “and the risk assessment process would begin there as to whether the company has a system of internal control around monitoring those measures,” Pugliese said.
Monitoring consistency and comparability. The value of ESG reporting might be limited if there is no way to compare it. “Sometimes we’re seeing companies come up with their own measures, but that’s far from ideal because it only breeds a lack of uniformity,” Pugliese said. “You want to have something consistent so one company can be measured against others in its industry, or you want to look at companies in different industries and see how they’re performing against their benchmarks.”
Perhaps the most important thing for internal auditors to remember is that ESG reporting requirements and best practices are destined to change significantly in the coming years as the focus on these issues increases.
That means it will be important to constantly watch for what’s coming next even as internal auditors provide advice and assurance on current ESG issues.
“There are just a lot of moving parts,” Pugliese said. “We’re going to pay close attention to it.”
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.