The role of Internal Audit in the ESG agenda

What is the role of Internal Audit in contributing to an organisation’s Environmental, Social and Governance (ESG) agenda? And what should Internal Audit functions be doing now to support their business? In this blog we explore some of the key steps your function can take to maximise its impact.

Internal Audit has a critical role to play in supporting a business on ESG. As one of the only functions with oversight of the entire organisation, the challenges, insights, and advice it can provide to management are invaluable. But getting to this value-adding position and defining what, how and when to provide assurance requires some thought.

Understanding your organisation’s priorities

The starting point for Internal Audit must be a comprehensive understanding of your organisation’s ESG priorities and recognising how these translate to risk and opportunities. If your organisation has a clearly defined ESG strategy and publicly declared targets, this may be more obvious. But what do you do when this is not the case?

A broad review of the ESG risks your organisation may face is the first step, and an important one, as this will identify the best approach for future assurance. These reviews are also valuable to the business, particularly if you can weave in some indication of where the organisation sits relative to its peers.

Creating an assurance roadmap

The Internal Audit function needs to ensure all ESG risks are captured and appropriately represented in their Internal Audit Universe, and then perform a risk assessment to create a prioritised roadmap for delivery. Many organisations need support with this as it can be a daunting task. To bring this to life, we recently worked with a large international organisation which has 15 planned audits related to climate change this year alone as they have embedded ESG risks into their Internal Audit ‘business as usual’ approach.

The assurance roadmap delivers most value when assurance priorities take into consideration the ESG strategy of the business as a whole, as well as any other assurance the business will receive. We recommend a combination of dedicated audits focused on ESG topics/themes as well as broader audits where a few ESG scoping elements are woven in. This maximises coverage. Common ESG topics/themes we’re seeing organisations run dedicated audits for are: sustainable supply chain; ESG data; ESG reporting and ESG management information.

Topics relating to ESG are likely to feature on your Internal Audit plans every year going forwards in some form and will pervade most topics on your plan.

The necessary skills and experience

Do you have the skillsets in your team needed to deliver on the ESG aspects of your internal audit plan? We recommend audits be scoped based on risk but understand this can be a challenge if there are skills gaps. Organisations often utilise external support to help deliver ESG audits, particularly around ESG regulation, reporting and data.

Moving into a business-as-usual approach

As your organisation’s approach to ESG matures, your function needs to move towards a more business-as-usual approach in line with other repeated audit topics. We expect organisations to use a blend of different approaches as appropriate to the topic, including: traditional point-in-time internal audit reviews; project/programme assurance; and agile assurance. In addition, assurance functions will want to consider how they advise management and anticipate risks and opportunities, and how in doing so they can accelerate organisational learning and management action.

Reporting to the Audit Committee

Reporting to the Audit Committee on ESG is potentially the biggest area for Internal Audit to add value to the organisation. We suggest creating a thematic overview within Audit Committee reporting, adding an ESG section within the annual opinion where this exists.

And why is this an important role for Internal Audit? The function is uniquely positioned with an overarching view of the entire business. This means it can make connections between risks and opportunities that other departments cannot see. For example, when reviewing the operations of a regional site, Internal Audit may identify an improvement that the site was unaware of. This would benefit the specific site but could also be rolled out across other sites, creating a cross-business opportunity.

Supporting change

Finally, it’s worth keeping one eye on the future in terms of changing regulations and emerging risks to anticipate when your function and your organisation need to flex their focus. This is especially pertinent for ESG as the landscape is constantly changing.

Deloitte is helping Heads of Internal Audit across this whole ESG journey, including:

  • The initial internal audit review to develop a baseline understanding of an organisation’s ESG maturity and priorities
  • Developing an ESG assurance roadmap
  • Full delivery of ESG specific audits
  • Support from subject matter experts across a broad range of ESG topics.

For more information on the role of Internal Audit across the ESG agenda, please don’t hesitate to get in touch.