
ESG reporting and assurance – a Chartered IIA roundtable debate in association with Workiva
Environmental, social and governance (ESG) reporting has been in the headlines even more than usual recently, as media stories about plastic, sewage and air pollution appear alongside stories about extreme weather events. The so-called “EU Omnibus” has delayed implementation of the Corporate Sustainability Reporting Directive (CSRD) for smaller organisations, and US policy at federal level is currently unsympathetic to ESG concerns, but this is not deflecting organisations from their need to improve ESG performance and report accurately on their progress.
This is because their concerns are being driven by reputation and stakeholder demand as well as by political agendas – in a recent Workiva survey, 97% of executives said sustainability reporting gives them a competitive advantage. In a roundtable of senior internal auditors, hosted by Workiva in March, the discussion revolved around the challenges of auditing ESG reports and of obtaining auditable data.
Graeme Fleming, Industry Principal for Governance, Risk Management and Compliance (GRC) at Workiva, set the scene. Legislation globally is still driving the need for, and format of, reporting, he said, pointing to the EU’s groundbreaking CSRD as well as US state-level legislation, particularly in California. Similar rules are being introduced in other jurisdictions worldwide.
The direction of travel is therefore clear, even if elements are delayed. Organisations that need to report in several regions are likely to aim to meet the most stringent requirements so they can report consistently across borders. CSRD has focused attention on the complexities of establishing what is in scope, what should be considered in double materiality assessments and issues around integrated reporting and digital reporting.
“The move from voluntary reporting to regulatory reporting is a huge challenge – and data management is critical to this,” Fleming said. “Tracing a mix of qualitative and quantitative data around disparate systems and from vast numbers of sources and putting this into meaningful, compliant reports is a massive issue.”
However, he added, there are some common themes emerging from the earliest CSRD reports:
- Audit committees are taking a central role in the early stages of reporting.
- Integrated reporting is becoming the norm and ESG and financial data are increasingly seen as equally important.
- A high-level review of the first 50 Wave 1 CSRD reports showed that on average a third of integrated reports was devoted to sustainability reporting (usually around 80-90 pages).
- Assurance costs have risen by 30%-50% for organisations requiring a Limited Assurance opinion under CSRD.
Apart from problems gathering auditable data, one major challenge to meaningful ESG reporting is a lack of robust internal controls over disclosures. Lax reporting represents a serious reputational as well as regulatory risk – careless talk could be expensive. Organisations need to focus on their governance and control environment and oversight and compliance policies, as well as on establishing reviews by leaders, internal audit and functional teams. This is an opportunity for internal audit to lead on advisory and educational work to ensure managers and data providers understand controls and why they are important.
Fleming highlighted key questions for assurance providers:
- What are the reporting risks?
- What controls do you need to establish?
- Are they working effectively?
- Is the data correct?
- Is the organisation ready to report?
Q&A: What are internal audit teams doing now?
The most important elements that emerged in the roundtable discussion were data (collection, quality and accountability), internal audit’s role both as an advisor and as an assurance provider, and skills training. Most of the attendees’ organisations had net zero commitments, but even those who had been developing their approaches to ESG over several years were finding the step up to mandatory reporting challenging.
Many commented on the need to teach people in the business to understand controls and auditable data. Collaboration was another important theme, with most agreeing that ESG reporting requires many teams to work together.
Fleming and Ann Brook, Head of Technical Content and Research at the Chartered IIA, posed some broad questions to attendees for general discussion.
Q: Where do the teams responsible for preparing this kind of reporting sit in your organisation?
A: In my organisation, it currently sits within compliance, but it’s becoming more of a cross-functional team because it requires accountants and internal audit as well as lawyers and compliance people in the room.
A: For us, it sits under the Chief Financial Officer, but we are asking questions about whether this is the right place and whether finance has the necessary depth of knowledge about data.
A: Our reports are driven by the CEO’s office, but they take evidence from across the whole organisation. We have a Director of Sustainability who collects the data, and the internal audit team then provides assurance over it. The CEO’s office acts like a post box and we check that everything that arrives in it is traceable.
A: In our organisation the key players are the HR team (for data on gender pay gaps and human rights), the sustainability team, the finance team and a sub-committee of the risk team, so there is lots of co-ordination of different groups.
A: We have a dedicated department for “responsible banking”, which includes all our ESG policies and works with people culture and finance teams. However, we think we could improve our data flow and controls, so there’s still work to do.
A: Data reporting and performance reviews sit within the business, and then we have reviews at business level, audit committee level and internal audit level. We also have designated sustainability groups, so different elements are dotted around the organisation reflecting the varied nature of the business and of sustainability requirements.
A: We have a sustainability team, but it relies heavily on HR and finance for data. There are complex issues about accountability because there is so much data and so many reports. Sustainability analysts are often good at pulling data together, but not necessarily at understanding it or tracing it back to its origins, so we do that in internal audit.
Q: What do you see as the main challenges to sustainability reporting?
A: Where does the data reside? How do you pull it together from different systems? There are so many frameworks – which ones do you need to/want to report under?
A: Data pluracy – how can we aggregate it? We are restructuring our organisation and need to see how we train people with the skills we want. They need to understand what the difference is between what we must do now and what we did when the reporting was voluntary. We need the people who supply data to understand that they must verify the source from the start, because it’s so hard to do later. People and skills are our biggest challenges.
A: Compliance lawyers are great at interpreting legislation and scope, but not as good as accountants and internal auditors at understanding controls and frameworks that ensure the data is collected and documented correctly. This was not there historically and is challenging to implement.
A: The mix of qualitative and quantitative data is challenging.
A: Engagement with the board is getting more robust. The board must now sign off the data, so directors are getting more concerned about where it comes from. Sustainability has moved from something that’s nice to have to something they need, so they are asking lots more demanding questions about frameworks and policies and are sceptical about the quality and control of data.
A: We’re trying to make sense of so many different directives and standards and to work out how we can put these all together. We need to understand which ones we need to comply with, what is material, who views the reports before they’re published, and what is an assurance process and who does it. There are lots of consultants offering to do this, but we want to build the skills internally. Internal audit is well placed to take a leading role.
Q: What is internal audit’s involvement in sustainability reporting?
A: We approach it from different angles. I have a dedicated health and safety team and a performance metric team. We do lots of assurance on reporting and validating the figures in our reports. We work closely with the CEO’s office on corporate governance and we’re about to set up a new committee to oversee this.
A: Provision 29 of the Corporate Governance Code [which requires directors to make a declaration about the efficacy of risk management and internal controls] is the first thing I think about when I wake up, and the last thing I think about when I go to bed. It gives us a real opportunity to build up our controls.
A: I sit on the steering committee and provide advisory thought-leadership. We’ve also verified data from our European business units and worked with the compliance team to establish the controls framework. We’ve done some business audits to check they are ready for these new controls and we’ve worked to identify impacts, risks and opportunities to report to the executive committee and the audit committee. Collaboration with other assurance providers has been important.
A: I’ve led on the audit side doing work on scope one and two emissions, especially around data management. We’re also looking at third-party data and methodology for scope three emissions. And I reviewed our double materiality assessment. The people who had made the decisions about this weren’t auditors, so we highlighted areas that lacked evidence and made some recommendations.
A: We look at how ESG is governed across the organisation. We’ve been auditing the data used in different reports. Now we’re going deeper into activities that support the numbers. We’re also analysing new green financial products and the conditions we must meet when we sell them. We’re treating sustainability as we do the Consumer Duty rules – it cuts across all processes and business areas and requires a mindset change.
A: My organisation hired an external verifier to audit the figures in our sustainability reports and at first they wanted to check everything back to its source. We worked with them to establish what is in scope and to identify where data comes from in advance (like working with an external auditor). The business appreciated this because it kept the costs down and oiled the wheels.
A: We use a risk-based approach in different parts of the business. We look at the accuracy of the data, ensuring it’s correct at the source and that people understand what they need to report and where. We look at all the different data collection systems in central and end-to-end audits for a risk-based selection of sustainability issues – and this also helps to ensure we don’t do any unintentional greenwashing.
Q: Have you been using foresight to identify future ESG issues?
A: I’ve held sessions with the business on CSRD and EU taxonomy to see what we should be planning for and what the double materiality assessment could look like in our business. We ask them to do the initial steps and then we review it and advise.
A: We are looking at our transition plan towards achieving net zero by 2030. This requires collective understanding and planning. It’s an interesting area to provide insights in because it’s so different from the rest of our work.
A: We’re creating a cycle so that we continually think about emerging risks and learning and evolving and building this into our methodology.
Q: Is there a skills gap for ESG internal audit work and, if so, how are you filling it?
A: We’ve been working with subject-matter experts. We didn’t understand all the terminology, so asked a sustainability data manager to join us on relevant audits. This helped us to develop our skills.
A: We have had help from partners on systems testing. We also use secondments – we had two people for six months learning about systems and controls in the business and then they trained the rest of the internal audit team. It was helpful to understand what actually happens in different teams.
A: I’ve gone on a journey from generalist internal auditor to understanding all the ESG legislation. I worked with a sustainability analyst to check my knowledge and to agree an interpretation to build into the internal audit methodology. It was a collaborative way to learn the skills.
A: Some external learning can be helpful. Most professional bodies now provide online training around ESG issues. I did 20 hours of external training, which I found useful.
A: It’s also important to promote education and skills in the first and second lines, so they do things in a way that makes our job more straightforward.
Q: Are you doing one-off ESG audits or are you continually looking at ESG throughout your audit cycle?
A: We do both – focused pieces on issues such as double materiality and advisory work and quarterly assurance on balanced scorecard and data accuracy, plus deep dives into significant risk areas.
Further information
- The Chartered IIA is running a full day course on Auditing Climate Risk and Environmental Sustainability: An ESG Masterclass on 13 June, as well as a series of courses on Auditing ESG: A Strategic Overview.
- It has also published a report on Supply Chain ESG Risks: Harnessing the Potential of Internal Audit.
- Chartered IIA guidance is available on: How to Audit Viability Statements; United Nations Human Rights Reporting; How to Audit Carbon Usage; and on Modern Slavery and Human Trafficking Annual Statements.
- IIA Global is undertaking research with the ACCA entitled “The Internal Control over Sustainability Data”. If you would like to be involved in a roundtable for this, contact Ann Brook.
- ESG will be a topic for discussion and information at the Internal Audit Conference in October. Tickets are available now.