Internal Audit and ESG – Time for Action


  • Nuno Abrantes • Senior Manager, EY FSO & Malik Amirali • Executive Director EY, FAAS

More than half a decade has elapsed since the signing of the Paris Agreement, with its commitments to address ESG risks; today, however, these mostly equate to a passive focus on ESG diagnosis.

Internal Audit’s approach to ESG has generally been reactive with regard to how institutions are identifying, quantifying, and managing ESG risks. A core piece of evidence is the IIA’s white paper, issued in February 2022, which focused on the role of internal audit in supporting ESG initiatives.

It is key for the lines of defense, particularly Internal Audit functions, to make up for lost time and roll out audit actions and dynamics that can challenge the organization’s ESG approach to risk identification, risk awareness and organization-wide understanding of ESG risks. Over time, this approach will illustrate that ESG risks are wider than the obligations raised by regulation.

The Paris Agreement was signed over 6 years ago; however, Internal Audit functions (and other lines of defense) in the financial services industry mostly focus on diagnosing Environmental, Social and Governance (ESG) risks (with some IAs operating below this minimum benchmark).

Environmental degradation, social inequalities and governance challenges are frequently highlighted as key material risks, but Internal Audit departments remain at a conservative distance and have a limited view of their organizations’ ESG agenda.

The financial services industry, pushed by regulatory requirements and regulatory pressure, has focused its actions on the ‘E’ side of ‘ESG’, typically by: i) implementing procedures to comply with the disclosure requirements outlined in the regulation on sustainability-related disclosures (EU Regulation 2019/2088); and ii) reviewing its business model to address the regulatory requirements of EU Regulation 2020/852, a framework set to facilitate sustainable investments. The stated regulation is gaining global prevalence and is seen as a key reference for the financial services industry.

Such proactive managerial activities are mostly met by an Internal Audit function that keeps a cautiously distant and passive stance on how its institution is identifying, quantifying and managing ESG risks. In this regard, the IIA outlined key factual evidence (an auditor’s bread and butter) in its white paper released in February 2022, which examined how organizations were using their internal audit functions to support ESG initiatives. The paper shared interesting insights, namely that less than 30% of respondents indicated that their internal audit functions are actively involved in ESG initiatives and only 51% obtain some level of internal audit assurance, with over 2/3 of internal audit functions acknowledging barriers to their involvement in ESG efforts (such as lack of available data).

This key evidence seems to indicate that the root cause (an auditor’s cup of tea) could be two-fold: on one hand, internal auditors shy away from uncertainty, and assessing ESG risks can be overwhelming and complex, requiring a wider skillset; on the other hand, organizational leaders are developing their ESG approach without involving the lines of defense (particularly internal audit teams).

This approach misses out on a unique opportunity to leverage in-house internal audit knowledge and experience: these teams are well versed in risk management, internal policies and practices, and have an unbiased and objective view of existing and potential risks. They are also well experienced in outlining practical recommendations to address root causes and realistic, actionable approaches that can be measured and monitored.

It is true that Internal Audit’s audit plans are increasingly risk-based and hence would gradually cover ESG risks; however, it is also true that regulation is driving a rapid adoption of emerging risks in these plans (and the role of ESG has expanded beyond emerging-risk status).

In this context, the European Commission approved, in April 2021, the Corporate Sustainability Reporting Directive, which requires large companies to publish regular reports on the social and environmental impacts of their activities, including the need for this information to be regularly audited. Although the set of rules is under analysis by EFRAG (European Financial Reporting Advisory Group), it is a great opportunity for Internal Audit functions to catch up on the time elapsed since the Paris Agreement, but also for management to involve their lines of defense and make use of their in-house knowledge banks.

Overall, it is up to Internal Audit to issue an independent opinion on its institution’s ESG agenda, identify potential risks and opportunities for fulfilling the institution’s strategic and business objectives, contribute towards assessing performance against set objectives, and foster transparent communication across all involved stakeholders.


