The IIA's recent white paper (PDF), Internal Audit's Role in ESG Reporting: Independent Assurance Is Critical to Effective Sustainability Reporting, is clear about why and how all internal auditors should be contributing to the global achievement of the United Nations' (UN's) 2015 sustainable development goals. Auditors' scope, assurance, consulting, and practices should all be working toward accomplishing each of the 17 U.N. goals for environmental, social, and governance (ESG).
Logan Wamsley's excellent article, "Is ESG the New Sarbanes-Oxley?", and Anne Millage's Editor's Note in the June issue of Internal Auditor each set out the way forward for all internal audit functions across all sectors throughout the world. There are signs this is happening, but those signs are too few. Past and current research evidence has shown that few practitioners address the connectivity of national and global ESG issues in their risk-based internal auditing.
Yet, any study of The Institute's history of modern internal auditing since 1941 can find many examples of guidance for internal auditors to recognize their role beyond just organizational and regulatory governance. Auditors must focus more widely on how their organization commits to public needs and interest as part of its culture.
This focus is being driven today by many regulators globally. All internal auditors must be drivers — not just passengers — as the long-term, sustainable future of all people, the planet, and global prosperity enfolds. These three P's must be everyone's guiding light. Otherwise, we all fail.
My first internal audits in the U.K. in the early 1960s, as a senior internal auditor in two major U.S. manufacturing companies, covered material waste control and recycling in production areas. Little did I realize at the time that I was addressing some aspects of ESG in my scope, planning, and practice. The lessons I learned in those audits influenced a lot of my future work as an internal auditor, manager, academic, board member, and author, even though at the time there was little regulatory or public interest in the waste that companies produce.
Today, regulatory and public interest should be in the scope, planning, practices, and reporting of all internal audit assignments. This has to be today's paradigm shift for our profession, just as it was in the past with fraud in publicly listed companies.
For those who have not read the U.S. Treadway Commission Report of 1987, there are many parallels to learn for today's ESG risks and mitigations. This report predated the global corporate governance movement of the early 1990s and as it moved into the 21st century. It placed internal auditing ahead of the pack in promoting the principles of openness, integrity, and accountability in good governance. Ultimately, the report led to the establishment of The Committee of Sponsoring Organizations of the Treadway Commission (COSO), its Internal Control–Integrated Framework, and The IIA's updated Three Lines Model.
What is less known and mentioned is COSO's 2018 statement on the "evolving landscape of environmental, social, and governance (ESG)-related risks that can impact their profitability, success, and even survival." COSO partnered with the World Business Council for Sustainable Development to develop guidance to "help risk management and sustainability practitioners apply enterprise risk management concepts and processes to ESG-related risks." This is guidance that every internal auditor should study, if not every board and audit committee member. If they do not follow this guidance, they are in peril of being challenged on it by governments, regulators, and other key stakeholders.
This challenge is real. It will never go away.
The IIA has been on the ESG stage for many years with environmental management and assurance, as well as with the International Integrated Reporting Council, which combined with the Sustainability Accounting Standards Board in June to form the Value Reporting Foundation. That organization's global membership is promoting and developing business and investor ESG decision-making and reporting.
The direction of our profession has always been there, beginning with The IIA's first Statement of Responsibilities in 1947, which defined the activity of the internal auditor to "Ascertain the extent to which company assets are properly accounted for and safeguarded from losses of all kinds." The IIA was the first professional institution to establish a global Code of Ethics for its members in 1968. Since then, The Institute has progressed from issuing its first professional Standards in 1978, to releasing its current Core Principles for the Professional Practices of Internal Auditing, which underpin the International Professional Practices Framework.
Those Core Principles embrace all that is required for quality and improvement in the services internal auditors provide. The evaluation of that quality and improvement in every internal audit function must now include how internal auditors, management, and boards are walking the talk of ESG.
Is this happening in your organization today? If not, it should be. Do not delay!
Jeffrey Ridley, CIA, is a visiting professor at Birmingham City University, University of Lincoln, and London South Bank University. He was the first president of the Chartered Institute of Internal Auditors in the U.K. in 1975-1976.
Want to be a part of Your Voices? Click here to learn how to contribute a blog post.