
5 Things You Need to Know About ESG

Internal auditors should consider several key questions when examining their organization’s environmental, social, and governance activities.


Environmental, social, and governance (ESG) issues represent a growing area of focus among today’s stakeholders. In the World Economic Forum’s Global Risks Report 2021, businesses surveyed point to multiple ESG-related risks high in likelihood and impact, including extreme weather events, climate action failure, natural resource crisis, and infectious diseases. The report noted each as a threat not only to business activities, but to resilience of social infrastructure, emphasizing both economic and societal challenges.

Business leaders, according to the KPMG 2020 Global CEO Outlook survey, face increased pressure to address these challenges. Nearly 80% of CEOs polled say their effectiveness in managing ESG risks and opportunities will play a role in determining if they can keep their job over the next five years. In fact, leaders are already called to account for the way they navigate these risks — and for their ability to turn them into strategic advantages. 

But ESG risks are complex and dynamic, making them challenging to predict, monitor, and manage. They also are highly prolific, with the potential to impact business growth trajectories. An unanticipated severe weather event, for example, can cause physical damage to infrastructure, resulting in a standstill of business activities, job loss, stranded asset values, penalties from failure to deliver on contractual commitments, and even increased insurance premiums. The consequences can be severe and long-lasting. 

Internal auditors must keep abreast of ESG developments and carefully consider their potential impact on the organization. The audit function plays an important role in ensuring ESG issues are cascaded down the organization’s three lines (see “The IIA’s Three Lines Model” below) and acting as a steward for the relevance and reliability of ESG data. And because the audit committee regularly reviews internal audit’s effectiveness, the committee’s oversight extends to the processes for managing ESG information. With these considerations in mind, internal auditors must ask, and have answers to, five key questions regarding the organization’s ESG-related activities.

1. Has the organization established a structured ESG framework? If so, how is it integrated with the Three Lines Model? 

A structured ESG framework provides clarity on sustainability objectives and governance over topics that are material to an organization. Integrating the ESG framework with the existing risk management system reduces the risk that deficiencies may be undetected, as mismanagement of material ESG factors may cause organizations to deviate from achieving their strategic and operational objectives. For example, water often constitutes a material issue for food production companies. If the company secures a comparatively low cost for water use, it provides a strategic opportunity and a competitive advantage. At the same time, risks related to water include scarcity, which causes escalating water prices and disruption to supply. 

Viewing risks through an ESG lens helps the organization and the internal auditor focus more acutely on the ESG implications of both new and existing risks. For instance, occupational health and safety is an ESG issue widely found in risk registers. It is not a new risk. However, applying an ESG lens draws attention to the wider social connotation of “occupational safety.” For example, are safety practices in the workplace tracking local regulatory requirements and wider and emerging societal expectations such as mental wellness? An ESG perspective also helps stakeholders realize that managing this risk effectively can increase social capital, enhance enterprise value, and even allow the company to expand its socioeconomic contribution. 

ESG risks should be closely monitored as part of the Three Lines Model. When examined in this context, ESG features prominently within each of the three lines: 

  • Line 1 — Management should take a proactive role in determining material ESG factors and actively seek to mitigate their potential impacts. This effort could include setting ESG policies and procedures that are aligned with the organization’s sustainability objectives. 
  • Line 2 — Risk and compliance functions should provide tactical oversight, guidance, and challenge, and work closely with management on ESG-related matters. 
  • Line 3 — The internal audit function needs to help ensure management is on the right track in managing material ESG factors.

2. Does the organization possess the expertise, and a suitable culture, to manage ESG effectively? 

While some ESG issues may fall within traditional functions, others may not be as clear cut. Areas such as green innovation, for example, may reside under strategy and research and development functions where outcomes are less defined. Or the procurement team may have been tasked with incorporating ESG considerations in its supplier policies despite knowledge gaps around technical understanding and evolving science. Internal auditors should assess whether additional expertise is necessary to supplement what an organization can accomplish in house. Moreover, preparedness to embrace sustainability may differ from one organization to another. Building ESG key performance indicators into balanced scorecards and remuneration frameworks can drive the success of ESG adoption. 

A strong sustainability culture exists when leadership establishes a clear directive that ESG is integral to organizational purpose and values — and therefore core to business strategy. Everyone throughout the organization must understand that sustainability is an imperative, with each individual committed to the same vision and outcomes. Auditors can find evidence of this commitment in the establishment of ESG considerations within risk management processes, decision-making metrics, balanced scorecards, and remuneration frameworks. But these formal structures alone cannot drive sustainability. Practitioners also should make sure individuals are fully engaged on ESG topics and have adopted a growth mindset toward embracing it.

3. Which ESG topics are being measured and reported, and why? 

Internal auditors should not set the organization’s ESG strategy, but they must understand stakeholder priorities, material ESG issues, and most importantly, the intersection between the two. Ultimately, internal and external reporting should reflect both current state (what the organization is doing) and future state (what the organization intends to do), with metrics showing the efficacy of ESG initiatives. Internal auditors need to understand how ESG brings new risks to the organization’s business model and opportunities for growth and transformation. Each organization will have its own mix of ESG priorities, encompassing those that are key to its business success and important to stakeholders. 

4. What processes and controls already exist over ESG data collection and reporting? 

Data collection — especially in global, multiline businesses — can be challenging. For instance, many businesses currently report on their greenhouse gas emissions using the Greenhouse Gas Protocol, a global standard launched in 2001 by the World Resources Institute and the World Business Council for Sustainable Development. The protocol outlines a clear standard recognized by most investor groups. But tracking greenhouse gas emissions requires that each office, division, region, and business line is aligned on metrics, reporting style, cadence, and other areas. In addition, traditional approaches to risk management — even with horizon scanning to identify new and emerging risks — may not be sufficient for effective ESG management, as they typically examine the manifestation of risks within a predetermined time frame.

The Financial Stability Board’s Task Force on Climate-related Financial Disclosures recommends the use of scenario planning, sensitivity analysis, and stress testing to ascertain an organization’s resilience against climate risks. Those tasked with risk management and sustainability initiatives should harmonize their processes to facilitate cross-sharing of information and data control activities. Internal auditors should ask probing questions to understand the procedures and controls in place and assess their effectiveness. 

5. What is the organization currently publishing in its ESG reporting? 

Different reporting styles come with different levels of rigor. The data’s importance to an organization’s overall ESG strategy, risk appetite, and financial materiality should align with the corresponding regulations and levels of risk associated with the data. Thoroughly assessing these areas should help determine the reporting method. Likewise, ESG information included in a management analysis should be monitored with the same rigor as traditional financial metrics. A data-driven ESG approach helps make conceptual risks real and can more practically inform corporate strategy. Internal auditors should consider the risks associated with reporting strategies for certain metrics — especially as stakeholder demands rapidly increase — and help ensure the accuracy of disclosed data and measures. 

In an increasingly volatile environment, internal auditors play a critical role in helping the organization accomplish its goals by ensuring a systematic, disciplined approach to ESG. Material ESG issues should be addressed in the structured ESG framework — and when assessed to be of high impact and probability, these issues should be monitored through the organization’s established enterprise risk management processes. Internal audit also should assess the risks that may not be covered in the framework, making sure adequate and effective measures are in place to address them. Using a thoughtfully considered approach, internal audit can help ensure the organization’s overall ESG-related risk is managed effectively and that any residual ESG risks can be mitigated to an acceptable level.  

Cherine Fok

About the Author

Cherine Fok, CA, is director, Sustainability Services, at KPMG in Singapore.

