
Is ESG the New Sarbanes-Oxley?

Internal audit needs to be ready to help organizations report on their environmental, social, and governance risks and initiatives.


No matter where you’ve turned in the past year, business headlines have heralded environmental, social, and governance (ESG) topics. In April, hundreds of businesses and business leaders took a stand against Georgia’s controversial new voting law, enacted following a tumultuous U.S. presidential election. Earlier this year, Larry Fink, CEO of investment management firm BlackRock, called on CEOs to address climate change and align greenhouse gas reduction with science and global reporting standards. And last year, #BlackLivesMatter and similar campaigns arising from race-based killings brought social justice, equality, and equity to the forefront — even in executive suites.

These examples encapsulate how broad the scope of ESG truly is and the daunting task organizations have in addressing its related risks. Investors, politicians, regulators, and the public are pressuring businesses to hold themselves more accountable. That raises the question of whether comprehensive ESG reporting will become mandatory and have an impact on internal audit similar to how the U.S. Sarbanes-Oxley Act of 2002 changed internal audit’s role in financial reporting. 

Some internal auditors say it might, at least for certain companies and business sectors, pointing out that many countries already require such disclosures or at least are starting to explore them. While the U.S. Securities and Exchange Commission (SEC) hasn’t required ESG reporting, “the winds are definitely changing with the new SEC chair and the Biden administration having this as a very high priority,” says Steve Wang, a managing director at Protiviti in St. Louis. Wang says internal audit has a key role to play in ESG reporting; however, the level of effort needed may not be equivalent to that put into Sarbanes-Oxley compliance. 


Although ESG reporting is becoming an important resource for shareholders and regulators, it’s also important for company stakeholders, including employees and consumers. In fact, it is the pressure from stakeholders and not any one government entity that has been the primary driver of change. 

A good example is the business response to Georgia’s voting law, an unusually vocal move by corporate America to shape the nation’s political discourse. “If you do not have a point of view that supports equality, and that represents justice and democracy, how will you be a company that’s relevant going forward?” asks Edith Cooper, co-founder of Medley, a membership-based community for personal and professional growth in New York, and an independent board director for Etsy and Slack.

Organizational psychologist Dr. Ella Washington of Georgetown University says the public now expects greater action from organizations to address racial diversity, equity, and inclusion (DEI) — particularly from board members. “The narrative at this point has shifted because people of the Black community and their allies globally are saying, ‘OK, words are great, but they’re no longer enough,’” she says. “There’s a clear call for action that companies are responding to, but their follow-through is what people are really paying attention to.” 

To wit, Jason Kilar, the CEO of WarnerMedia, explicitly named racism as a problem in the company and committed to work toward change, while BlackRock announced its intention to have an independent racial equity audit conducted in 2022.


What Is ESG?

A wide-encompassing term, environmental, social, and governance (ESG) refers to any criteria that characterize an organization’s operations as sustainable, responsible, or ethical. Although there can be some overlap, ESG-related topics generally fall under one of the three main categories represented in its abbreviation: 

E: The “environmental” piece considers how an organization performs as a steward of nature. This can include issues related to carbon emissions, waste management, water management, raw material sourcing, and climate change vulnerability.

S: The “social” piece examines how organizations manage relationships with employees, customers, and the greater community. Risks that fall under this category can include corporate social responsibility, labor management, data privacy, general security, and health and safety. With the recent rise of high-profile movements related to addressing racial injustice, social ESG-related subjects such as diversity, equity, and inclusion have taken prominence. 

G: “Governance” refers to variables such as business ethics, organizational leadership, executive pay, audits, internal controls, intellectual property protection, and shareholder rights. Diversity risks, while social in nature, also can fall under the governance umbrella in certain cases, such as when actions are undertaken to improve board diversity.

Although there is a perception that ESG-related topics are nonfinancial in nature, long-term improvement of organizational performance and financial returns are central to the argument for increased ESG prioritization. Ultimately, the goal of ESG reporting is to give investors and stakeholders more complete analyses that can help them make better-informed investment decisions.

While demand for ESG reporting is building in the U.S., there have been significant advances globally. In fact, ESG movements have a long history in regions such as Europe. For example, Europe has led the charge on the environmental and sustainability front, with initiatives such as the publication of the 2006 Stern Review in the U.K. and the signing of the Paris Agreement on climate change in 2015. These initiatives have had a profound effect on how organizations view economics and productivity against the threat of climate change.

Recent global actions have promised to take the ESG conversation even further. In September 2020, the World Economic Forum’s (WEF’s) International Business Council (IBC) published a white paper that established a set of “stakeholder capitalism metrics.” These metrics are aimed at establishing consistency and comparability for companies reporting on ESG performance in line with the United Nations Sustainable Development Goals. “We have to deliver great returns for our shareholders and help drive progress on society’s most important priorities,” said IBC chairman Brian Moynihan, chairman and CEO of Bank of America, about the white paper. “Common metrics will help all stakeholders measure the progress we are making and ensure that the resources capitalism can marshal — from companies, from investors, and others — are directed to where they can make the most difference.”

In March, the International Financial Reporting Standards (IFRS) Foundation trustees formed a working group of standards-setters to converge ESG standards and set a foundation for the International Sustainability Standards Board. The group includes the Climate Disclosures Standards Board (CDSB), International Integrated Reporting Council, Sustainability Accounting Standards Board, Task Force on Climate-related Financial Disclosures (TCFD), and WEF. “We are encouraged by the prospect of the creation of such a sustainability standard by the IFRS, which would represent in principle the culmination of our original vision,” said CDSB chairman Richard Samans in a statement. He noted that the group will be “building in part upon the CDSB Framework and the use of it by over 500 large listed companies around the world.”


Across the world, there is already a litany of ESG reporting standards, both current and planned. For example, the European Union (EU) Sustainable Finance Disclosure Regulation went into effect in March. This law outlines requirements for asset managers of investment firms to disclose how sustainability risks are incorporated in their decision-making, as well as the principal adverse impact of any investments made on external sustainability factors. This complements the 2014 EU Non-Financial Reporting Directive, which mandates that all offices within the EU with more than 500 employees adhere to a minimum requirement to report on environmental matters, social matters, human rights, anti-corruption and bribery measures, and board diversity.

Additionally, European companies must maintain an awareness of the reporting requirements of individual countries. For example, the U.K. plans to introduce new ESG disclosure requirements for Financial Conduct Authority-authorized investment managers based on recommendations from the TCFD. 

Aneesa Ruffudeen, national culture and conduct leader at Deloitte Canada in Kitchener, Ontario, foresees increased regulatory action. She points to the heightened awareness of ESG, as well as the need to align it with business strategy and reinforce it through organizational systems. “One can’t help but expect this to be a continued area of focus when evaluating a business,” she says. 

Adoption of standards has been slower in the U.S., where greater concern about ESG has not translated into law or regulations. Under the Biden administration, the SEC has launched an ESG investing resource web page and made related risks a greater focus in its 2021 examination priorities. The commission also established a Climate and ESG Task Force to proactively identify ESG-related misconduct.

Moreover, President Biden has issued two recent executive orders, including EO 13990, which directs all federal departments and agencies to act to confront the climate crisis. The second order, EO 14008, states that climate change should be incorporated into U.S. foreign policy and national security considerations.

ESG reporting is already done through some avenues, but the demand for more is growing fast. “There have long been regulatory requirements for reporting and disclosures to the SEC, as well as agencies that enforce other aspects of ESG: environmental, safety, labor, etc.,” says Douglas Hileman, a Los Angeles-based ESG specialist. “The investment community realizes that ESG is a risk, offering the opportunity to add financial value — or to limit it.” 

Hileman notes that investors are looking for robust, meaningful, and comparable ESG data. Moreover, business-to-business requirements for ESG reporting and performance create additional compliance requirements, which can be enforced through industry standards or contracts. “Noncompliance can put customer relationships — and revenues — at risk,” he explains.


Recent data indicates that organizations have responded to the changing tides, although not comprehensively. For example, about 90% of S&P 500 companies issue corporate sustainability reports, but only 16% refer to any ESG factors in their regulatory filings, according to a July 2020 Government & Accounting Institute study. That creates a mismatch between what they disclose officially to regulators and voluntarily to the public.

There also have been mixed results in incorporating the social aspects of ESG, such as DEI, into reporting structures, despite a wide recognition of the value such insight provides. In a recent Greenwich Associates survey of 92 investors and 22 intermediary distributors across France, Germany, Italy, the Netherlands, the U.K., and the Nordic countries, 79% of respondents see social considerations as having a positive impact on performance and risk management in the long term, yet 42% see a lack of established metrics as the key barrier to social investing. Additionally, 31% say a lack of clarity over what constitutes a socially responsible investment will hold firms back. 

“This can be attributed in part to the fact that the nature of social indicators can seem less tangible or measurable, with standards that are more likely to vary by region,” says Jane Ambachtsheer, global head of sustainability at BNP Paribas Asset Management, which sponsored the study. “However, the same can hold for environmental and governance factors.”


Internal audit can help the board understand the importance of getting ESG reporting right. A new IIA report, Internal Audit’s Role in ESG Reporting, discusses the value of independent assurance of such reporting.

With an increasing body of laws and regulations rapidly becoming a reality, the enforcement potential for public ESG reporting and disclosures is growing. “ESG efforts are typically widely distributed through an organization, with varying degrees of rigor for systems and controls for generating data and information,” Hileman says. He explains that internal audit’s assurance role for internal controls over financial reporting is understood, because of Sarbanes-Oxley, and auditors can apply the same skills to nonfinancial reporting such as ESG. “With the pace of change, it is a classic example of where internal audit can provide value at the speed of risk,” he says.  

Likewise, Wang notes that the SEC intends to review sustainability reports that companies disclose voluntarily. “They could open enforcement investigations where a sustainability report or voluntary disclosure suggests that something in the required filings could be materially misleading,” he says. “The risk right there should be evidence as to why organizations should be looking for any inconsistencies in reporting between voluntary disclosures and the financials, and internal audit can and should play a role in that.” 

In navigating the social aspects of ESG without definitive metrics, internal audit’s involvement might be even more important. IIA Standard 2060: Reporting to Senior Management and the Board requires internal audit to report significant risk and control issues requiring attention to senior management and the board. Without clear standards for reporting on DEI, for example, internal audit could consult with company leadership on what information would be most valuable for investors and stakeholders. 

DEI is a good opportunity for internal audit to discuss risk with management and the board. “The whole aspect of culture risk and DEI misalignment within organizations can be understood from an internal auditor’s perspective,” Ruffudeen says. To determine a framework for DEI, she advises breaking it into four pillars: the organization’s culture, risk culture, compliance needs tied to the culture, and conduct risks. “If we talk to leaders in the organization about it, we can help them determine if we have the right culture in our organization, if we are living by the shared values we promote, and where we can begin to improve,” she says.


Regardless of whether additional statutory ESG reporting requirements materialize, that does nothing to diminish ESG’s importance to the organization or its place in internal audit’s risk scope. ESG reporting does not just represent a moral imperative; in fact, long-term productivity and success is a core argument for increased ESG-related disclosures. This can be seen in a variety of ways, including a reduction in operational expenses, fewer costly regulatory and legal interventions, increases in employee morale and productivity, and significant top-line growth. 

Additionally, organizations would do well to account for the shifts in cultural attitudes regarding ESG topics in their long-term forecasts. In a recent McKinsey & Co. report, more than 70% of consumers say they would pay an additional 5% for a “green” product if it met the same performance standards as a non-green alternative.

This is equally important on the employee side. According to Deloitte, three-fourths of the global workforce in 2025 will be millennials — a generation deeply invested in climate change, corporate accountability, consumer ethics, and diversity. Companies whose values align with those of their talent pool will be best positioned to attract the best people.

These are three key areas where internal audit can gain the greatest buy-in from board members and assist in reporting. As the culture shifts, so does the money. In many ways, the push for ESG reporting can be seen as downstream of culture, which is moving forward swiftly.

Logan Wamsley

About the Author

Logan Wamsley is associate manager, Content Development, at The IIA.

