Gauging Social Responsibility

Internal auditors face significant challenges, and opportunities, in helping the organization assess its ESG and CSR reporting.


Corporate social responsibility (CSR) and environmental, social, and governance (ESG) reporting loom ever larger as an area of focus for today's leaders. According to the Governance & Accountability Institute's 2019 Report, nearly 90% of S&P 500 companies published sustainability (CSR and ESG) metrics in their 2019 public reports. And the benefits are clear — disclosing sustainability metrics publicly allows organizations to put their best foot forward in addressing major CSR and ESG challenges.

At the same time, the rules for disclosing, rating, and measuring CSR and ESG factors remain unstructured, appear incomplete, and may be seen as less accurate compared to audited data. Nonetheless, many investors and stakeholders use CSR and ESG metrics to value and assess company performance. According to Morningstar, investors set an all-time record in allocating $21.5 billion to publicly traded companies with strong ESG practices in the first quarter of 2021. This sum nearly equals the amount that flowed into such funds during all of 2019.

CSR and ESG metrics can impact an organization's financial position and may lead to reputational risks. For example, French automaker Peugeot has experienced a decline in its ESG ratings since the company's 2017 acquisition of Opel and Vauxhall, which make less-fuel-efficient vehicles. Consequently, Peugeot may miss the European Union's 2021 target for carbon dioxide emissions, potentially exposing the company to fines of several hundred million euros and damaging its brand.

Assessing and reviewing CSR and ESG metrics will challenge internal auditors. CSR is defined as providing accountability within the organization by integrating social, environmental, and economic concerns into decision-making and culture. ESG, on the other hand, focuses on the collection and measurement of sustainability metrics relevant to the organization's objectives, which allows stakeholders to evaluate potential business investments and ethics. 

Given the increased global focus on sustainability reporting, chief audit executives (CAEs) should assess whether their audit functions are capable of, and have the resources to, perform an engagement focused on sustainability, consistent with IIA Standard 1210: Proficiency. Senior management will likely require support in selecting an appropriate reporting standard from multiple ESG reporting frameworks and rules. Also, sustainability and diversity metrics and data will require internal review and validation before any public reporting. Because both requirements normally fall within internal audit's purview, CAEs must work with their boards to decide on the role internal audit will play in sustainability reporting.  

On the Horizon

By year-end, the U.S. Securities and Exchange Commission (SEC) is expected to release a climate risk disclosure proposal. If adopted, it would become a mandatory financial reporting rule for SEC-regulated, publicly held companies. In a letter to the SEC earlier this year, The IIA called for uniform climate disclosure by corporations and identification of the independent internal audit function and The Institute's International Standards for the Professional Practice of Internal Auditing in providing assurance on internal controls and risk management systems for complete, accurate, and reliable information.

In November, the International Financial Reporting Standards (IFRS) Foundation announced the creation of an International Sustainability Standards Board to help establish a sustainability reporting disclosure rule under IFRS governance.

Internal auditors should look out for new financial reporting rules that might affect how companies disclose their responses to climate change risk and other threats to sustainability. Moreover, the process for collecting data to calculate ESG metrics may warrant internal audit review to ensure appropriate sustainability data is available regardless of the disclosure rules issued by these regulatory bodies.

Reporting Standards

The demand for more accurate and complete ESG reporting will only increase over time. According to technology firm FirstInsight's 2020 study, Gen Z Shoppers Demand Sustainable Retail Future, Generation Z will make purchasing and investment choices based on companies' assurances to follow their sustainability promises. But for now, determining the metrics for such assurances can be difficult. In fact, investors, company leaders, and board members say determining how to assess their company's ESG practices is one of their biggest challenges, Center for Audit Quality Executive Director Julie Bell Lindsay notes in a 2020 NACD Board Talk article.

The lack of broadly adopted ESG reporting standards is a hurdle to internal audit leaders. Different ESG frameworks, ratings, and standards continue to emerge. For example, the mission statement of the Sustainability Accounting Standards Board — now part of the Value Reporting Foundation — seeks to "establish and improve industry-specific disclosure standards across financially material ESG topics that facilitate communications between companies and investors about decision-useful information." S&P Global, a market intelligence firm, delivers data, research, credit ratings, and benchmarks that governments, companies, and individuals depend on to make decisions. And the Task Force on Climate-related Financial Disclosures, established by the Financial Stability Board, provides recommendations for disclosures that help shed light on climate-related risks in the financial sector.

Internal audit leaders need to recognize that not all ESG metrics or factors impact their organization in the same way. For example, ESG metrics for supply chain manufacturing may require a shoe company to assess child labor, unsafe work conditions, or corruption; but for a transportation company, metrics may need to focus on pollution, carbon emissions, and driving safety measures. Requirements can vary by industry, location, and other factors.

The Sustainability Imperative

According to international social researcher and educator Marissa Dean in a recent article: "ESG has moved the needle forward, making sustainability a central and verifiable feature of business strategy. By offering a way to clarify, define, and assess a company's sustainability efforts, ESG makes CSR policies more strategically vital." This new corporate focus on sustainability reflects the direction of the Business Roundtable, whose 2019 Statement on the Purpose of a Corporation, signed by 181 CEOs, encourages companies to advance not just shareholder interests, but the interests of all corporate stakeholders. 

In light of these developments, internal auditors need to identify their role in sustainability reporting, including CSR and ESG. Moreover, chief audit executives (CAEs) need to align that role with their organization's leaders and audit committee (see "CAEs on Sustainability" below to learn what this role entails at several high-profile companies). Audit leaders also should stay apprised of CSR and ESG initiatives at other organizations and monitor regulatory developments affecting their industry.

Practices and Regulations

Examples of proactive ESG-related change can be found throughout the business community. Many well-known companies, for instance, have sought to diversify their boards. At IT company HP, the board comprises 58% minority directors and 42% women, making it one of the most diverse boards in the tech industry, according to CEO Enrique Lores. Pharmaceutical giant Merck's board also is among its industry's most diverse, with six women and three Black directors among its 13 members. Earlier this year, the Nasdaq Stock Market mandated annual board diversity disclosures for companies listed on its exchange, and the New York Stock Exchange established a board advisory council in August to consider comparable initiatives.

Other companies are leading the way in transparent ESG and CSR reporting. Global coffee maker Starbucks' 2020 Environmental and Social Impact Report, released in April, highlights the company's mission to source primarily sustainable coffee beans that are ethically farmed. It also details the impact of that mission, which Starbucks says has been transformative for more than 4,500 smallholder farmers and their families in the Democratic Republic of the Congo. Similarly, Nike released an impact report that announced the multinational sports apparel company's 2025 "purpose targets" — a broad range of sustainability goals encompassing its ESG commitments. As part of the initiative, Nike will for the first time link executive compensation to its performance on ESG goals. 

In his introduction to the report, Nike President and CEO John Donahoe writes, "We will continue to strive to lower emissions across our key operations, to shrink our product carbon footprint, to accelerate diversity and inclusion across our teams, to enable kids to have access to play and sport."

To learn more about how practitioners can be involved in organizational sustainability, read The IIA's white paper, Internal Audit's Role in ESG Reporting (PDF).

For more information on assessing the organization's ability to address long-term ESG issues, download The IIA's Risk Audit Tool on sustainability, available to Audit Executive Center members.

Audit Assurance

Now that Nike has linked executive compensation to ESG metrics, the question for internal auditors is whether this ESG metric will be included in their scope of work to determine reporting accuracy and completeness. For internal auditors of Nasdaq-listed companies, the exchange's new disclosure requirement may necessitate verification to ensure adequacy and timeliness of compliance, consistent with IIA Standard 2100: Nature of Work. However, the extent of internal audit involvement and support should be set by the organization's board, given the nature of the required disclosures.

Call to Action

As the demand and pressure for more sustainability reporting continues to grow, an important call to action may be coming from audit committees, boards, and organizational leaders. Boards and audit committees should decide to what extent, or at what level, to cover the governance, risk, and controls over the creation and reporting of CSR and ESG metrics. Boards, CAEs, and audit committees need to align the CSR and ESG metrics with corporate or organizational strategies and missions. Moreover, internal auditors need to consider what steps to take next.

Some questions that may help CAEs develop an initial CSR and ESG checklist include:

  1. How do organizational leaders view, collect, and leverage CSR and ESG metrics in the strategic plan? Who is responsible for the accuracy and completeness of this data?
  2. How would internal audit assess the level of support and commitment to CSR and ESG from the board, leaders, and entire organization? What is the cultural temperature for CSR and ESG at the organization today? 
  3. Do internal audit and leadership use the enterprise risk management process to strategically assess CSR and ESG governance, risks, and controls?
  4. Does investor relations engage with investors to better understand the CSR- and ESG-related areas of concern and information needs? Has internal audit identified the key investors who seek additional CSR and ESG reporting?
  5. Does the audit committee apply a financially focused materiality assessment to key CSR and ESG performance data?
  6. Who should internal audit engage in performing CSR and ESG reviews? Should the audit function commission an independent rating firm or Big Four firm, or perform the work internally? Does internal audit have the skills and competencies necessary to perform the audit?

Sustainability reporting will be an opportunity and a challenge for internal audit leaders to determine what actions to take. Based on the results of the CAE Research Forum, the best course of action for auditing CSR and ESG metrics is not easily determined. However, internal auditors willing to respond to this call to action should be rewarded by more thorough audit coverage.

CAEs on Sustainability

In December 2020, the Seattle University Internal Audit Center of Excellence, supported by The IIA, sponsored a CAE Research Forum that gathered several prominent chief audit executives (CAEs) on a videoconference to discuss how they address CSR and ESG. Participants hailed from a range of company types and industries. During the discussion, CAEs were asked two key questions: 

  • What are internal audit teams doing to assess nonfinancial information, especially CSR and ESG?
  • Do internal CAEs who assess nonfinancial information about their organization increase their risk assessment universe, increase audit coverage, and provide increased risk insights?

Several key takeaways on CSR and ESG emerged during the forum — and were revisited this past summer — that have broad implications for internal audit functions. The participants' edited remarks shed light on leading audit executives' involvement in these areas.

Amazon CAE Lynnette Richmann stated that her audit function does not necessarily perform any specific nonfinancial reviews and audits of a set of metrics. 

"Internal audit is starting to talk about CSR and ESG criteria as necessary and asking if we should be doing something. Amazon's external auditors are looking at nonfinancial information about the things we report publicly and auditing them. Currently, internal audit does not do this process. As internal audit performs reviews across the company, we look at the integrity of reported things and to whom they are reported. Internal audit does bits and pieces of reviewing nonfinancial data as we execute our audit plan."

Randa Saleh, CAE at Starbucks, spoke about her audit team's approach and how it recently started to engage with CSR reporting because some of the data is subject to a third-party audit. 

"The current internal audit approach is to assess how the CSR metrics are developed and sourced. For example, we seek to understand how the information is gathered, the quality of the underlying data and systems, and the methodology used. In future years, we will engage more directly in assessing the underlying controls."

Patti Felz, Nordstrom's CAE, stated that the company's internal auditors review and verify metrics that get reported in Nordstrom's annual CSR report. 

"A couple of years ago, we supplemented a review of CSR data using an external partner, and they had some great insights into how to approach the work and recommend process improvements. We need to be clear on understanding where the data comes from, and how the data is controlled and managed. … Clarity of how metrics are defined is important, such as capturing the year donation dollars are received versus the year when donations are pledged." 

Jacki Fischer, CAE at Micron, discussed how her company issued its sustainability reports, as well as its diversity, equity, and inclusion (DEI) reports. 

"In both of those cases, Micron Internal Audit chose to go to outside firms to validate the information in those reports. Micron did not feel it had the expertise for sustainability and DEI auditing." 

Paul Colin, assistant corporate controller at Fanatics, spoke about how leveraging the principles of The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control–Integrated Framework can help improve upstream business processes and enhance the ability to achieve CSR objectives. 

"Using the COSO Framework as a foundation, we can influence the standardization of third-party acceptance, onboarding, and monitoring processes to provide ongoing assurance that the third parties whom we choose to do business with continue to demonstrate a commitment to our shared values and that the nature of our relationship does not introduce unacceptable risk. The Framework can also be a formidable tool to support achieving diversity and inclusion objectives."

Comments from participants at the forum indicate that, at the time, internal auditors who ventured into reviewing CSR and ESG metrics sat at the cutting edge. To advance to the next stage of maturity, practitioners must begin trying different approaches to reviewing governance, risk, and controls over these areas.

Steve Mar
Gabriel Saucedo
Dennis Applegate

About the Authors



Steve Mar, CFSA, CISA, is a part-time professor in the Albers School of Business and Economics, Internal Audit Center of Excellence, at Seattle University and at the Shidler School of Business at the University of Hawaii.

Gabriel Saucedo, PHD, CPA, is an associate professor of accounting in the Albers School of Business and Economics, Internal Audit Center of Excellence, at Seattle University.

Dennis Applegate, CIA, CPA, CMA, CFE, is a lecturer and adjunct professor of accounting in the Albers School of Business and Economics, Internal Audit Center of Excellence, at Seattle University.

