Conversations regarding environmental, social, and governance (ESG) strategy have in 2021 reached peak volume, and now more than ever organizations are making serious advancements in ESG reporting. Pressure from investors is one reason for this trend, but with the introduction of mandatory global reporting standards becoming increasingly likely in the coming years, many organizational leaders are seeing the writing on the wall and want to make a concerted effort to get ahead.
With these advancements, however, organizations will also have to overcome the growing pains that come with increased scrutiny of a reporting process they are still struggling to understand. This, by extension, opens organizations up to a variety of risks such as "greenwashing," where stated sustainability goals don't comport with actions taken. As they struggle to overcome such challenges, internal audit will have a golden opportunity not seen since the introduction of the U.S. Sarbanes-Oxley Act of 2002 to assert their value by assisting with ESG reporting efforts.
Organizations Unprepared for Increased Scrutiny
ESG reporting, while still new to some organizations, is far from new to the business landscape. According to KPMG's report, The Time Has Come: The KPMG Survey of Sustainability Reporting 2020, 80% of companies worldwide now report on sustainability; looking at only the 250 largest companies globally, that figure rises to 96%. According to the Governance & Accountability Institute, the percentage of S&P 500 companies issuing sustainability reports in the U.S., the U.K., and Ireland has grown from 20% in 2011 to 90% in 2020.
Despite this, however, there is also evidence that many organizations currently presenting some form of ESG reporting are not quite prepared for the intense scrutiny these reports will be placed under by investors and regulators. According to data in The IIA's upcoming OnRisk 2022 report, which surveys board members, chief audit executives (CAEs), and members of the C-suite to gauge alignment on organizational risks, participants ranked governance as the most relevant risk to their organizations with 70% of CAEs, 83% of C-suite members, and 80% of board members ranking it highly. Meanwhile, 63% of CAEs, 60% of C-suite members, and 63% of board members ranked social sustainability as highly important to their organizations. Environmental sustainability, another ESG-related risk, ranked even lower with 50% of CAEs, 37% of C-suite members, and 50% of board members rating it as highly important. One element of ESG — governance — clearly is seen as more relevant than the other two.
Also of concern are signs that internal audit as a whole is still working to catch up with the ESG-reporting trend, and it still has far to go. According to The IIA's 2021 North American Pulse of Internal Audit, sustainability/nonfinancial reporting made up only 1% or less of audit plans between 2016 and 2020.
"The ultimate tomorrow we're looking at is the Sarbanes-Oxley era of ESG, but where internal audit is at today is still the consultative phase," says Edward Olsen, regional leader, Enterprise Risk Services at MNP. "But what has been done this year alone has even my head spinning a little bit. We're all trying to understand what is happening at the same pace as the regulatory rollouts and figure out how to accelerate towards a finalization of the implementation phase."
OnRisk 2022 suggests a learning curve ahead for the profession, as well. According to the report, only 23% of CAEs rank their personal knowledge of environmental sustainability and social sustainability highly, both critical elements of ESG reporting. This is compared to 40% of C-suite members and 50% of board members for social sustainability, and 30% of C-suite members and 23% of board members for environmental sustainability.
Besides pointing to significant room for improvement regarding social and environmental sustainability knowledge, the findings also show that internal audit, by its own admission, may not be prepared to face the possibility of a rapidly approaching regulatory landscape. Additionally, the misalignment among CAEs, board members, and C-suite members on certain aspects of ESG risks — especially social sustainability — creates a potentially worrisome environment where organizational leaders may have greater confidence in their reporting structures than should be warranted, which increases the chances of inadequate or misleading reporting that could lead to reputational damage, financial penalties, or censure.
The "Greenwashing" Risk
According to a recent report from Bloomberg, the U.S. Securities and Exchange Commission and BaFin, Germany's financial regulator, "initiated a probe into allegations that Deutsche Bank AG's DWS Group asset-management arm has been misstating the environmental — and possibly the social — credentials of some of its ESG-labeled investment products." The report says that the review is still at an early stage, and DWS has rejected claims it overstated ESG assets.
Regardless of the outcome of the investigation, this allegation is an example of what has become known as greenwashing. As referenced earlier, this occurs when the stated goals and expectations of an organization regarding environmental sustainability initiatives are not reflected in meaningful action. Inaccurate or misleading reporting, either intentionally or unintentionally, can play a part in contributing to this narrative and result in significant reputational damage.
"Your ESG reporting must detail what you're actually doing, and if your organization is delivering on what the funnel target is going to be like," Olsen says. "Otherwise, inaccuracies are going to feed the greenwashing narrative, even if the organization's intentions were good."
Svenja Hüsing, manager advisory, PwC Switzerland, says that such inaccuracies can be caused at least in part by shortcomings in the compliance function. "It could show that the function has not been enabled to make informed decisions about ESG-related matters," she says. "And where effective controls, policies, and procedures are missing, the risk that business practices are diverting from disclosed ESG information increases, resulting in the risk of greenwashing."
Additionally, according to Olsen, the confusing nature of the current reporting landscape itself contributes to the greenwashing risk. "The real problem is that there are too many frameworks and standards," he says. "It's an Achilles heel of the reporting process. There are so many rating agencies with different rating standards, and each one has a different algorithm that's only pulling qualitative information from the report. You can say in a report you're addressing biodiversity, for example, and if a reporting agency's algorithm sees that word, that's going to give you a bump in your rate. You may have not done anything, but you said the right word in a report. In essence, this creates greenwashing."
Where Internal Audit Fits
Despite so many frameworks under increasing scrutiny from investors, regulators, and even the public, internal audit, as it often does in the face of emerging risks, has a generational chance to assert itself as an indispensable value add to the organization — much like many practitioners did after the introduction of Sarbanes-Oxley.
"I expect that stakeholders will at some point require ESG reporting to be subject to the rigor of a uniform framework," says Geoff Dingle, managing director at Johnson Global Accountancy Corp. "But even now, auditors have the perfect opportunity to transfer some of their accountability, impartiality, and standards-based analysis to perform oversight over ESG reporting." According to Dingle, independent validation through examination of disclosures from internal audit will not just be ideal, but expected in the eyes of stakeholders.
Hüsing expresses a similar sentiment. "Compliance and risk control functions must be involved in the process of disclosing ESG-related information, as well as in decisions impacting the underlying business processes," she says. "It is absolutely critical to make informed assessments of disclosed information to mitigate the risk of greenwashing."
But internal audit doesn't have to wait to examine disclosures to provide value, Olsen says. "We always have to keep the Three Lines [Model] in mind and understand the spheres of influence, especially today," he explains. "Even though we don't have mandatory requirements yet — which means really not auditing things yet — we can still provide to the first and second line a consultative and advisory approach through our benchmarking to show leaders what risks to focus on."
According to Olsen, if an organization focuses on the wrong issues, even if they make the organization look good, in reality it is likely underperforming against competitors. "You want alignment on what matters, such as material ESG topics," he says. "That's ultimately what is going to drive accurate ESG reporting."
Finally, the importance of internal audit in helping to create a buy-in culture within the organization regarding ESG issues cannot be underestimated. "A culture that is toxic at its core is going to significantly hamper an organization's ability to deliver on sustainable topics," Olsen says. "Internal audit must assess where a culture of risk is present within the second line. If it is, how then can you know you're going to perform well on sustainability issues? It's a house of cards that can break down quickly without core fundamentals in place."
With risk comes opportunity, but it will ultimately be internal audit's responsibility to take advantage of it.