Internal Audit’s Role in Supporting Sustainability Reporting What’s NewEnvironmental, social and governance (ESG) guidance, stakeholder demands and regulatory mandates are evolving and becoming more specific, and the time of taking a “soft approach” to sustainability reporting has passed. As the need to provide, or prepare to provide, limited and/or reasonable assurance in sustainability reporting grows, internal audit’s role in the reporting process becomes obvious and essential.Why It MattersSustainability disclosures must be backed by high-quality, “regulator-grade” data. The internal audit function, with its understanding of the entire organisation and intimate knowledge of internal controls, is well-suited to validate the accuracy and reliability of the data that is used in ESG reporting. This includes assessing data collection methodologies, data sources, and the accuracy of calculations and conversions.Bottom LineInternal audit has a substantial opportunity in helping businesses meet their sustainability reporting obligations and assess ESG risks by imparting operational, technology and financial reporting assurance expertise and bringing together senior leadership, boards and other key parties that have a role to play in providing auditable sustainability reporting. Go DeeperThe rising importance of environmental, social and governance (ESG) reporting is providing internal audit functions with a prime opportunity to either maximise — or finally step into — the role of a strategic and trusted adviser to the business. The function’s unique vantage point in the organisation and its independence and objectivity can add significant value to a company’s ESG reporting and related processes. That includes assessing ESG and sustainability risks and ensuring that the quantitative and qualitative data presented in sustainability reporting is accurate, relevant, complete and timely.More senior executives and boards of directors are actively seeking internal audit’s involvement in sustainability reporting as ESG guidance, stakeholder demands and regulatory mandates continue to expand and evolve rapidly. Protiviti’s latest Global Finance Trends Survey found that three in five organisations (60%) have seen a substantial increase in the focus and frequency of their sustainability reporting in the past year. Sustainability metrics and measurement also rate as the #1 priority for chief financial officers (CFOs), other finance leaders and their teams for the next 12 months.Regulatory DriversWith the recent release of several major regulations in Europe, the United States and elsewhere, many businesses now find they face a complex future regulatory landscape for ESG that is far more demanding than ever before. Some firms are at risk of falling behind before they can fully grasp what ESG standards and requirements they must adhere to and when, and determine how best to gather and provide evidence that demonstrates compliance with measures such as:The Corporate Sustainability Reporting Directive (CSRD) in the European Union: The CSRD, which went into effect in January 2023, incorporates the concept of “double materiality” and requires limited assurance (for now) over the reported information. Businesses that must comply with CSRD have to report on how sustainability issues might create financial risks for the company (financial materiality) and how the business impacts people and the environment (impact materiality). Creating a CSRD compliance capability will be a heavy lift for most firms, as it requires substantial data collection and verification, cross-functional collaboration, and, potentially, new reporting infrastructure.The SEC’s Climate Disclosure Rule in the United States: In March 2024, the U.S. Securities and Exchange Commission (SEC) issued its final rule intended to enhance and standardise climate disclosure requirements provided by publicly listed companies. The rule requires SEC-listed companies to report on climate-related risks and efforts to manage those risks, starting as early as 2026. The Commission is also requiring accelerated and large accelerated filers to disclose their material direct and indirect greenhouse gas (GHG) emissions, with the disclosures subject to assurance – limited at first but advancing to reasonable assurance in a few years.California Climate Corporate Data Accountability Act and the Climate-Related Financial Risk Act: California recently passed two climate disclosure laws expected to have a wide reach and affect companies of a certain size that do business in California, regardless of where the company is headquartered. CA SB 253 requires the reporting of Scope 1,2 and 3 GHG emissions, and CA SB 261 requires a sustainability report aligned with the recommendations of the Task Force on Climate-Related Financial Disclosures (TCFD) placed on the company’s website for public viewing. SB 253 requires limited assurance over direct emissions reporting in 2026, graduating to reasonable assurance at a later point.Local Requirements: A number of countries around the world, from the United Kingdom to Hong Kong, Australia, China, etc., have enacted sustainability disclosure requirements applying to companies in their respective jurisdictions, with various degrees of oversight and assurance. You can find an overview of some of these requirements in a Protiviti white paper, “Regulations and Demand for Accountability Set the Tone for the Future of ESG Disclosures.”Stakeholder Dynamics Leading the WayBesides regulations, there are market forces compelling organisations to provide detailed, accurate and data-backed reporting on their sustainability efforts. While investor pressure was the original impetus for such reporting a year or more ago, one of the main drivers today is pressure from other businesses – customers, suppliers and partners to the organisation – who need the data for their own reporting purposes.Another equally important factor are the consumers and employees, who increasingly vote with their wallets and their feet based on the credibility of a company’s ESG claims. A recent study by IBM reveals that consumers increasingly focus on companies’ sustainability performance when making purchasing and employment decisions, and 70% of executives view ESG as a revenue enabler for that reason. The study also indicated that 40% of employees are willing to accept a lower salary at an environmentally and socially responsible company, and a quarter of those actually did so. Another joint study by McKinsey and NielsenIQ found products from consumer packaged goods companies that make ESG-related claims averaged 28% cumulative growth over the past five-year period, versus 20% for products that made no such claims.Growing Emphasis on Reasonable Assurance Makes Internal Audit’s Role in ESG Reporting a MustThe simple fact that companies are under increasing pressure from many stakeholders, internal and external, to produce reliable and high-quality reporting on their sustainability efforts is reason enough for internal audit to be involved in the process. And as mandates tip the scale toward assurance over ESG matters – limited at first and reasonable thereafter – that involvement becomes essential.[1]Presently, nearly all large global companies disclose ESG information, but only 64% of companies are obtaining assurance and verification over some of the ESG information they provide. This percentage will grow in the future as the regulations phase in the reasonable assurance standard.Further, interpretive guidance on internal control over sustainability reporting released by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in March 2023 emphasises that companies should leverage their internal audit functions to provide objective assurance and other advice before they turn to external assurance resources to validate their ESG data and disclosures. This COSO guidance is helpful to finance and internal audit professionals, who have substantial experience and “muscle memory” in applying the framework to financial reporting, which can be leveraged for controls over sustainability reporting.These trends point to a role for internal audit in sustainability reporting that is likely to become part of the function’s core responsibility, and therefore likely to be added to the audit plan for most companies over the near term. What Have Internal Audit Teams Discovered So Far?[2]Internal audit functions that have already stepped into this new role have discovered some common problem areas. For example:Much of the data used in drafting sustainability reports is derived from assumptions or its origins are not transparent to the organisation. As a result, this data can undergo significant change when scrutinised by internal audit.Formalisation around internal controls over ESG data is insufficient or lacking. There is a clear need for training and education of the data owners, many of whom are new to the process.Targets and commitments set by companies and announced publicly have emerged as an area of litigation risk. Many internal audits have found that the creation of some of these goals is not well founded, or organisations are lacking proper monitoring of progress.If problems like these are not addressed, they can lead to regulatory fines, legal trouble or reputational damage. Where Can Internal Audit Add Value in Sustainability Reporting?As organisations determine ESG materiality and scope and identify topics, internal audit can step in to provide insight and value through a risk lens. Internal audit should also be involved as the organisation assesses its readiness to comply with the regulatory environment and help assess its commitments and targets.Internal auditors are also experts in internal controls and governance. Combined with a solid understanding of the ESG standards, demands and regulations the organisation must comply with, that expertise can be invaluable in guiding the business toward creating an effective ESG control environment. In fact, The Institute of Internal Auditors (The IIA) emphasises that the internal audit function can offer “critical assurance support by providing an independent and objective review of the effectiveness of ESG risk assessments, responses, and controls.”Internal audit is also well-suited to validate the accuracy and reliability of data used in ESG reporting and related processes. This includes assessing data collection methodologies, data sources, and the accuracy of calculations and conversions, and recommending process improvements. Internal audit’s input can help the business avoid ESG missteps by confirming that the data used to measure progress toward sustainability goals is accurate and consistent with the company’s actual performance. This is especially valuable in areas that tend to be highly scrutinised by stakeholders, such as a company’s diversity, equity and inclusion (DEI) programmes and gender pay equity initiatives.Another area where internal audit can add significant value is by conducting benchmarking exercises to assess the maturity of the company’s ESG control environment and processes. As noted earlier, sustainability is a journey, and ESG-related standards, regulations and stakeholder expectations are constantly evolving. Companies will need to evaluate their ESG progress against their competitors and peers regularly and objectively.The Opportunity for Internal Audit Is SubstantialA 2023 report by AuditBoard found that two-thirds of organisations globally have yet to implement ESG controls — and 60% do not currently perform internal ESG audits. This is a significant opportunity for internal auditors to help set their organisations on the path to ESG reporting success. That said, they must first increase their own expertise in sustainability matters quickly. They must also prepare for the continuous development of internal audit capabilities to devote to sustainability reporting activities.Internal audit organisations and the businesses they support should not underestimate the amount of time, effort and resources they will need to devote to managing ESG workloads, which will only continue to grow. Depending on the requirements the company needs to meet and the sustainability goals and related timelines it has committed to, they may need to hire additional staff or engage outside expertise.Now is also the time for internal audit leaders to increase their communication and collaboration with CFOs, controllers, boards, marketing and sales teams, people leaders, and any other key parties that have a role in helping the company to deliver accurate, data-driven ESG reporting. A sustainability officer or committee, where available, is internal audit’s key partner in this, by virtue of both functions having a unique, cross-organisational view of the business. Together, internal audit and these various stakeholders can grow their collective understanding of the company’s ESG reporting obligations and the ESG risks that the business faces. They can also determine how best to set up the infrastructure to gather and consolidate relevant ESG data from across the organisation in a repeatable way. Looking Ahead It is almost guaranteed that gathering sustainability data will be challenging, at least in the near term, especially as the business seeks to gather data from sources that aren’t accustomed to providing data subject to auditing. Technology investments likely will be needed to enable or improve ongoing data analysis and reporting for ESG. Again, data-driven internal audit functions will have insight and strategies to share on the best way to use technology tools and collaborate with data owners to collect relevant information for sustainability reporting.Given internal audit’s depth of experience with financial reporting, there is perhaps no other function better positioned to help the business master its sustainability reporting and data collection objectives — and avoid the risks of faulty reporting. The IIA says as much, emphasising that, “ESG reporting … should be treated with the same care as financial reporting” and “internal audit can and should play a significant role in an organisation’s ESG journey.” 1. Reasonable assurance is the more robust level of assurance, stating that the information is correct based on an independent review and testing of processes and controls. Limited assurance, meanwhile, relies less on testing and more on management information and may be limited to certain components of a report.2. Based on Protiviti’s findings and informal conversations with clients