Introduction
Environmental, Social, Governance (ESG) is by now a well-worn topic in corporations; seems like almost every company is looking to “greenify” its business model and practices, intent on reducing carbon footprint while increasing corporate sustainability. The ‘purpose and principles of business’ have been universally challenged and social governance and equity are critical business topics. All great endeavors, but where should Internal Audit focus its efforts across this ESG expanse, to add value and provide some bang for the buck?
While ESG is a broad risk topic, covering 15 – 20 risk areas, here are my top 3 suggestions for Internal Audit teams to add value and increase relevance covering ESG risk.
Audit your Company’s Diversity Equity and Inclusion (DEI) Program
Many if not all organizations have devoted much effort over recent years to developing their DEI Programs, covering all aspects of gender, race, age, orientation, disability, equity within hiring and promotion, compensation, organization impact and roles. However, many organizations still fall short on achieving their diversity goals, despite well-coordinated and well-intended efforts often involving the most senior corporate executives and board members. For example, post-pandemic, disability has spiked up and become much more prevalent given the big increase in people managing through lockdown-related mental health challenges and it is critical that US companies be mindful of and fully comply with the broad disability-related provisions within the Americans With Disabilities Act. Internal Audit can objectively review the set-up and operation of these programs and ask tough questions that everyone in the organization should want to know the answers to, for example:
- Does the actual funding match the commitment?
- In support of the overarching goal, have specific goals been set within each process / area (e.g., hiring, promotion, compensation, corporate title / banding level)?
- Have sound benchmarks and data sources been identified, approved, and used transparently?
- Are there detailed departmental (and aggregate) scorecards and metrics supporting the broader goals?
- Does the company gather exit interview feedback covering diversity and is it being shared with Executive Mgt and the Board and being actioned? (Employees leaving the company will often be more candid on risks that matter)
- Is ownership clear within the executive management team and is there a good sense of tone at the middle and bottom of the organization, as well as at the top?
- Are there regular town hall meetings to share updates on progress being made?
- If sufficient progress is not being made, are the root causes understood, and have these been thoroughly vetted and challenged, and corrective actions agreed?
- How transparent is management being on such a critical risk for the organization? Diversity is a critical risk that matters, and Internal Audit needs to be objectively assessing how it is being managed.
Unfortunately, biases are all too real and easy to creep into even the best designed Diversity Program and as such there is a critical need for sustained management attention to get it right. Data can get skewed in the short-term given unpredictable staff turnover and company financial performance impacting hiring and contraction plans periodically. Indeed, compounding matters as I am penning this article, (December 2022) people risk is at or above risk tolerance in many companies, reflecting our new post-pandemic reality. Even in large organizations, diversity is a topic for continuous focus by executive management, the board, line managers and employees. Internal Audit can play an important role in being catalysts for positive change and auditing DEI Programs more actively and vigorously, will help organizations to make course corrections if necessary, and achieve the good outcomes that are universally desired.
Audit Your Organization’s Carbon Footprint / Net Zero Framework
De-carbonization is among the most critical risks in our lifetimes and long into the future. Almost all organizations have published goals and timeframes to achieve carbon footprint reductions / target – Net Zero. This is great to see and collectively serve the public good, a true social and environmental cause. Now comes the hard part – modelling and measuring carbon usage and emissions with integrity and proving compliance with standards and increasing regulatory expectations. In large corporations with multiple locations and complex global logistics, often involving third and fourth parties, that is not an easy undertaking. De-carbonization is among the most critical risks facing corporations, especially public companies. Investors and investing mandates basically require public corporations to have measurable sustainability scorecards and Net Zero targets and plans, just to survive and to be eligible for future investment allocation.
Internal Audit can and should focus on how management is progressing in mitigating the risks and achieving stated goals. IA should be focused on decarbonization risk as a key risk that matters to the corporate reputation/brand, and its future viability and existence. IA can be catalysts for positive and sustainable organization change by focusing on this long-term transition and organizational transformation. Internal Audit can independently assess the Net Zero plan components and the integrity of the carbon modelling, measurements, and reporting framework. Organizations’ reputations are riding on achieving these commitments in the long-run and no organization wants to risk public admonishment for failing the grade. Key questions that Internal Audit may pose, include:
- Is the commitment actively supported by resource investment? Does the organization have suitability qualified carbon modelling and measurement expertise?
- Do the carbon measurement models have integrity, and do they clearly align to the United Nations Sustainability Goals outlining Scope 1 (organization direct use) / Scope 2 (indirect / third party / out-sourcing use) and Scope 3 (overall value chain including suppliers, distributors, and end consumers) measurement buckets?
- Are all organizational sources and uses of carbon accurately identified? If assumptions are being made – who is validating / approving these assumptions and related model parameterization?
- What is the approach to using and measuring carbon offsets and are these contracted for and measurable in terms of outcomes, and sustainable solutions in their own right?
- Has management ownership been agreed and is the Risk Committee and Board receive regular updates on decarbonization progress? Like cyber risk, every Board should ask itself if it has the right level of decarbonization expertise in its ranks or through an expert advisor.
- Has the company put in place effective monitoring to generate carbon financials and metrics? Do Carbon Balance Sheet, Profit & Loss (net usage) and flow statements hold up to independent scrutiny, including measurement assumptions?
- What controls have been established and are they effectively designed and operated and supported by a sufficient audit trail (given ever-increasing regulatory expectations and disclosure requirements)? Related to this has fraud risk been assessed across the organization’s Net Zero Framework – for example key components such as validating integrity over carbon reporting for outsourced activities and validity of carbon off-sets purchased or contracted for.
A challenging Net Zero framework audit now will help management to keep on track to achieve its carbon reduction targets.
Establish ESG as an Audit Plan Key Risk Theme
This third recommendation is intentionally broad. The ESG tree has many branches. Audit can perform specific audits over areas such as Sustainable Investing, Renewable Energy / Product Polices, i.e., many banks have imposed lending or client restrictions covering specific industries or carbon-based technology; insurance companies have placed coverage restrictions on new business that does not conform to green product or environmental standards etc. Many companies are transitioning core business policies and standards to reduce or eliminate products that are carbon heavy. Regulatory disclosures can also be audited as a theme or on specific products or business line audits. By establishing ESG as an overarching audit plan topic, Internal Audit can dedicate resources to different ESG risk components over time.
Conclusion
IA can and should play a critical stewardship role through performing challenging, transparent audits focused on ESG topics that will transform organizations and increase corporate resilience and sustainability. As a broad set of risk topics, ESG is best viewed as transformational change – with varying delivery maturities. Internal Audit teams dedicated to adding value to their organizations will keep ESG topics in sharp focus for a long time to come.
Want to learn more? – Check-out Shane’s recent Webinar with Chartered Accountants Worldwide Network USA on Auditing the Future – Where Does Internal Audit Go from Here?
Here is the webinar link: https://cawnetusadev.wpengine.com/webinar/auditing-the-future/
© Copyright – Shane Rogers FCA, MBA, all rights reserved.
Shane Rogers FCA, MBA is an independent risk and audit management consultant. A former Audit Managing Director and US-based Chief Audit Executive with deep, partner-level, insurance, and investment banking experience globally, he has led progressive and agile Audit teams that thrive. A Chartered Accountant, Shane has global experience working large multi-national organizations, including, Swiss Re, Credit Suisse / First Boston and Price Waterhouse. Shane has expertise setting and aligning organization Strategy, Vision & Mission, and conducting external Audit assessments (against IIA standards) and ERM team assessments and positions teams to optimize business impact and value-add. He can be contacted via LinkedIn, or email [email protected].
