Collect, connect and protect – internal audit's role in climate change assurance

When Helen Keller said: “Alone we can do so little; together we can do so much,” the deaf-blind author and disability rights activist knew much about adversity. The idea that people have more power as a collective than as individuals is not new, but it is one that has come to the fore more than ever recently.

The current business climate is more volatile than most companies have ever experienced before. Even those whose revenues have surged as demand for their goods and services spiked have faced new risks associated with elevated cash flow and working capital financing, while some have struggled to meet high demand with staff at home and long supply chain delays.

For many others, the disruption has undermined their fundamental business model, closing shops and venues, cancelling events and travel and grounding aircraft. Dr Charmaine Griffiths, chief executive of the British Heart Foundation, has said the coronavirus crisis is the single biggest challenge the charity has faced in its 60-year history. 


Why internal audit?

Internal audit is often seen as the gatekeeper of organisational integrity. First, the function is independent from executive management. This allows impartial scrutiny, a crucial requirement for climate change assurance to be effective and credible.

Second, internal audit has a unique vantage point, with in-depth knowledge across all the business functions. Its stakeholder relationships and access to information allow it to understand the business, operations and risks.

Third, internal audit has the broad-based expertise to meet the multi-dimensional challenge of climate change assurance. Internal audit teams have technical expertise in understanding regulations, identifying risk, evaluating processes, testing controls and reporting independently – plus the interpersonal skills required to engage, influence and challenge stakeholders.

If internal audit takes responsibility for providing climate-related assurance and coordinating the broader assurance picture, it will increase its stature and influence in the organisation and reinforce its relevance in strategic, high-impact areas. Those who take a proactive role in this area will position their function as a future-orientated, value-adding partner. Furthermore, it will put them in a strong position to be involved in future development. It allows internal auditors to sharpen their skills in a fast-growing and critically important field. This not only motivates the current team, but will be a powerful magnet to attract talented people eager to make a difference.

Carolyn Clarke, Vice-Chair of the Chartered IIA, believes this creates an opportunity for “internal audit to take its rightful place at the executive table, creating the insights, and raising the difficult questions, that directors should be considering. It’s not easy, but it’s necessary,” she says.

Assurance in practice

Climate change assurance gives stakeholders confidence by providing an objective assessment of climate-related risk management activities alongside an opinion on the accuracy and completeness of disclosures. It validates the efforts of the organisation to do the right thing and gives directors the confidence to make strategic decisions and act on them.

However, assuring climate change risk activities is challenging. Climate change is a long-term and complex issue. The data available is limited and there are multiple standards, which are constantly evolving. It will be many years before assurance in this area reaches the established maturity we expect for assurance over organisations’ financial obligations.

Start with the basics

Focus on external disclosures and those that form the basis of important decisions such as executive remuneration. The recommendations from the Task Force on Climate-related Financial Disclosures (TCFD) can be used as an assurance framework.

1. Strategy

Consider how climate change strategy aligns with the overall business strategy. Are climate considerations integrated into strategic decisions? Is the ambition sufficiently bold? Is risk appetite aligned with climate objectives? Are transition programmes effective?

It’s important to understand what commitments have been made and how clearly they have been defined and understood. One fast-moving consumer goods (FMCG) company was shocked to find it had made over 100 commitments, some formal through reporting and some informal through media outlets and branding. Even the simple ones were more complicated than they first appeared – for example, did a commitment to switch to 100% electric vehicles include leased vehicles and outsourced logistics providers?

2. Governance

Review for effective governance with clear accountability and oversight, both in executive management and the board. Do governing functions and committees have adequate knowledge and training? Are executive remuneration practices consistent with intentions? Do directors know whether the organisation is doing what it claims, or is there a “say-do” gap? Organisations make commitments with the best intentions, but there is rarely any available evidence that these are supported by sustainable processes and data.

3. Risk management

Think about the range of risks associated with climate change. Have physical, transition, compliance and reputational risks and opportunities been adequately identified? Has climate risk been integrated into the broader risk management process? Is scenario analysis effective?

A digital bank was authentic in its intention to put people and planet first and had invested significant time and resources in a meaningful programme of actions. But the business remained uncommitted because there was too little strategic alignment. Integrating climate risk into the broader risk framework provided the missing connection to strategic priorities.

4. Metrics and targets

Stakeholders are demanding more data points. A range of models and expectations for disclosure are emerging. Practices for financial reporting are well established. Most companies have financial systems with a degree of automated control. Accountants understand the need for rigour in generating the numbers, but are the processes and data used to generate climate metrics reliable?

It is also possible that focusing too much on accuracy may deflect management effort from where it needs to be. For example, rather than debating whether emissions are 100 or 102.5, discussions should centre on how to get them down to 60.

How much assurance is required to support disclosures, and in what form?

Debate about the need for external assurance continues. The frameworks available are restricted to activities under ISAE (UK) 3000 “Assurance Engagements other than Audits”. This enables an external audit firm to provide limited or reasonable assurance, but doesn’t address the underlying risks and the end-to-end processes that mitigate them. This can create an illusion of assurance.

A FTSE 100 company faced this challenge. The external audit report was “clean” and the opinion was scheduled to be published in the annual report. At the last minute, internal auditors found that the assurance covered only the mapping of information provided by the company to the annual report. There was no assurance over the source systems and processes.

“There will be a role for external assurance over specific annual report disclosures, particularly where there are financial consequences,” Clarke says, “but the directors have to be confident in their internal procedures and look for internal assurance first.”

Co-ordinating assurance

There are multiple sources of assurance available to directors. Collating these and triangulating a view of effectiveness based on underlying risks will create a more balanced and effective picture. Assurance mapping will help to visualise the different types and sources of assurance activity and their scope. This is an essential step in “defining an Audit and Assurance Policy”, as required for Public Interest Entities in the BEIS paper on Restoring Trust in Audit and Corporate Governance. Such a policy can then be used to engage stakeholders about the nature and level of assurance obtained. This both informs and educates them.

Sources of assurance include self-assessments, the performance of controls, incident data, key risk indicators, compliance functions, external audit and, of course, internal audit. It may also include external experts engaged by the organisation for specific assurance needs. Collaborating and coordinating with the various sources iteratively supports decisions about how to avoid overlaps and fill gaps to complete the picture. As always, the overall plan will need to be dynamic to respond to constantly changing circumstances.

Taking responsibility

To coordinate assurance effectively, internal auditors must be up to date on climate change risks and trends. As well as auditing and assurance principles, you must understand the underlying subject matter of climate change and sustainability. Consider getting involved in climate change initiatives, networking with other internal auditors working on climate change assurance and using resources such as books, articles, reports and online tools.

Internal auditors could also look for opportunities to collaborate with sustainability, risk management and finance teams to exchange knowledge and foster a multi-disciplinary approach – while maintaining independence, of course. Ongoing training and upskilling are crucial to enhance auditors’ understanding of concepts, methodologies and emerging trends.

Amid the turbulence of climate change events and discussions, the role of internal audit becomes more critical than ever. By coordinating climate risk assurance, internal audit functions can help to safeguard their organisation’s future. Although hugely challenging, this represents a unique opportunity for internal audit to raise its profile, cultivate new skills and, ultimately, contribute to a more sustainable future for us all. Embracing the opportunity will require auditors to remain current with a fast-changing landscape of climate change trends and assurance practices, often pushing the boundaries of traditional internal auditing.

Steven Brown is Founder Partner at Brave.

Further information

IIA Global’s paper on “Internal Audit’s role in ESG reporting”
Task Force on Climate-related Financial Disclosures (TCFD)
ISAE (UK) 3000 Assurance Engagements other than Audits

 

This article was published in September 2023.