When you have to be right

The Role
of Internal
Audit in ESG

By: Kevin Gould

Audit Committee Chair and Internal Audit Consultant
Contents

ESG risk in your organization 4

The need for core knowledge 5

Getting started 5

Top tips for audit planning 6

Summing it up 7

About the Author

Kevin Gould
Audit Committee Chair | Internal Audit Consultant

Kevin is a Chartered Accountant with a strong background in Internal Audit and a recent
focus on ESG. He has 25 years of experience as a consultant, adviser and auditor. Kevin
has a long-held interest in sustainability and a Masters in Sustainability & Environmental
Management. He is now an independent consultant, as well as being a non-executive
director and audit committee chair on several boards.
 3

Introduction

Regulators, investors, stakeholders, and even the public expect more from companies beyond
short-term profits. With a recent focus on issues such as diversity and climate change, it has
become increasingly urgent for organizations to understand and manage Environmental, Social,
and Governance (ESG) risks.
This heightened awareness of socio-economic and critical assurance support by providing an independent
environmental factors has created an opportunity for and objective review of the effectiveness of ESG risk
internal auditors to position themselves as trusted assessments, responses, and controls.”
business advisors while supporting change within their
organizations. Additionally, internal auditors possess the But as with any new initiative, sometimes getting started
necessary skillsets to better identify areas of potential is the hardest part. The Touchstone Insights for Internal
risk and growth opportunities. A recent white paper Audit, conducted by Wolters Kluwer TeamMate, found
from the Institute of Internal Auditors (IIA) stated, that 55% of respondents do not currently include ESG
“Internal audit can and should play a significant role in the audit plan. The encouraging news is that of these
in an organization’s ESG journey. It can add value in an respondents, about half expect to do so in the next two
advisory capacity by helping to identify and establish years. This clearly indicates a building momentum toward
a functional ESG control environment. It also can offer increased audit work on ESG issues.
4
ESG risk in your organization
When it comes to ESG risk, it is not as straightforward
as internal auditors might like. There are overarching
strategic risks around ESG that include how your
organization is perceived and whether or not it is acting
responsibly and transparently. People remember how
leaders respond to crises, especially the speed and
honesty around resolving issues. Reputations are easily
damaged and much harder to repair.
There are also operational risks relating to ESG at play. To
assess these risks, an organization needs to understand
it’s material impacts. In other words, what are the key
ESG issues for the organization? This will be different for
each organization and likely derive from your strategic
approach. Operational risks could be anywhere in your
organization where activities touch an ESG issue. Often,
they’re part of broader risk in a business unit or process
rather than something wholly unrelated or new.
Internal Audit must consider, and ultimately, understand
the organization’s appetite for ESG risks. Organizations
are likely to have different risk appetites for the various
ESG issues. But as internal auditors, you need flexibility
in evaluating how that is expressed. It may be part of a
broader approach to risk appetite or simply implied in the
strategic approach. What’s important is that it is clear and
consistently understood.
 5

The need for core knowledge

While the role of internal audit regarding ESG risk varies

and is evolving, internal auditors do possess the right
skillset for it – they manage change well and have a talent
for assimilating information and assessing complex risk.
Internal auditors also find innovative ways to provide
assurance. And when issues arise, internal auditors use
their problem-solving skills to develop new ways to
provide insight. There is no reason why internal auditors
cannot do the same for ESG.

Even so, there is a knowledge gap that must be addressed.

This lack of core ESG knowledge doesn’t just exist
for Internal Audit. There is a massive shortage of ESG
experience across all disciplines. Internal auditors need to
understand ESG issues well enough to assess risk, create
an audit plan, and determine audit approaches. Internal
auditors should have informed conversations with top
leaders in the organization. This isn’t to say that internal
auditors must be experts in everything – you already need
to know enough about a wide range of topics to operate at
this level and ESG is really just another subject you need
to address. To be fully effective in executing your plan, you
may have to develop some more specialized knowledge on
your team, or you might prefer to recruit or co-source for it.

Getting started

While the need for core ESG knowledge is critical, internal Understand your business
auditors must also have a solid understanding of both the
business landscape they operate in and internal drivers. A keen knowledge of your internal ESG factors is just as
critical as having a clear understanding of your external
Understand the landscape environment. Here are a few questions you should ask
your internal audit team.
It’s essential to have a solid understanding of the
significant ESG issues in your sector. You can do this by: • 
How is ESG aligned to strategy?

• 
Talking to audit colleagues and reading industry press • 
Is it an add-on or integrated within the core strategy?

• 
Staying up to date on all frameworks, pending
legislation, and evolving government policy
enables you to anticipate what is in the pipeline,
so you have time to react
• 
Watching the competition to see
what you can learn from them
• 
Paying attention to key stakeholders
and their agendas
Without understanding the external landscape you
operate in, you won’t be as effective in assessing risk
and managing your audit priorities.
• 
If it is separate, is it consistent? Does it
take the broader strategy into account?
• 
Do you understand the ownership process and risk
over key ESG issues throughout your organization?
• 
Is the ESG risk appetite clear and
consistently understood?
• 
What reporting is in place for both
internal and external stakeholders?
• 
What assurance is there over these reports?
6
Top tips for audit planning
As you move toward incorporating ESG into your audit plan,
it can be helpful to consider how to make it part of your risk
assessment. How you go about this will depend on various
factors, especially how your organization approaches ESG
and its level of maturity. To start, keep it simple and think
about whether ESG could be an overlay to your existing risk
assessment. You can go back and integrate it in more detail
later. Focus on larger issues that will deliver quick wins to
maximize the impact and value of assurance. You might
want to look at your current audit work for ESG elements
that you might not have considered.
Another challenge can be getting senior management
on board in understanding the risks and how internal
audit can help. Internal auditors have a responsibility to
highlight both emerging risks and risks not being mitigated
or addressed by the organization. Although the best
approach to ESG will depend on the organization’s culture,
taking small steps is often an excellent way to get senior
management buy-in.

Summing it up
McKinsey & Company, a global management consulting
firm, believes ESG should be an “inextricable part of how
you do business.” The firm asserts that while implementing
an ESG framework is necessary, it can also lead to a more
sustainable business and better value creation.
There is no right or wrong way to get started. As internal
auditors, you can do standalone work AND work where
ESG factors integrate into your existing audit planning,
so do what is best for your organization.
7
Overall, ESG presents a tremendous opportunity for
Internal Audit to make an impact. And momentum is
building from stakeholders and other external parties
for organizations to become more proactive in their
stewardship. ESG enables internal auditors to raise their
profile as trusted advisors by using their expertise and
influence to ensure organizations identify and mitigate
risk around this important area.
 Contact information: Please visit tm.wolterskluwer.com
for more information.
Americas
4221 W Boy Scout Blvd #500
Tampa, FL 33607
U.S.A.
Phone: +1 800 449 8112

Europe, Middle East, and Africa

41st Floor
25 Canada Square
London
E14 5LQ
United Kingdom
Phone: +44 20 3197 6566

Asia Pacific
5 Shenton Way,
#20-01/03 UIC Building,
Singapore 068808
Phone: +65 6380 8000

Copyright © 2022 Wolters Kluwer Financial Services, Inc.

When you have to be right