Responsible reckoning: how internal audit can support new ESG controls

Being socially responsible means not only meeting legal obligations, but also investing in human capital, the environment and relationships with other interested parties. There is also increasing practical interest in developing and disseminating an ethical financial culture and ethical finance tools, and internal audit has a clear role to play in supporting financial service organisations, among others, to meet rapidly evolving demands and to remodel their internal control systems accordingly.


The internal control system

One important aspect is to understand how organisations assess the impact of climate risks and whether they are adequately covered by capital. In the EU, for example, the European Banking Authority (EBA) has introduced an obligation for management bodies in the finance sector to guarantee the construction of a sustainable business model that takes into account all risks, including ESG ones. The internal control system (ICS) therefore needs to be remodelled to meet evolving demands, while remaining flexible to guarantee a constant and adequate level of control.

Each of the three lines has a role here, including the internal audit function. Creating or redeveloping an ICS must start with completely and accurately mapping risks, identifying the specific risk profiles of each activity and quantifying the risk appetite for each of these.

Internal audit should contribute to developing and refining the methodologies chosen to assess the risks relating to assets and activities linked to environmental or social goals. It should also ensure that the criteria used to assess physical and transition risks are appropriate.

The function has a key role in supporting governance: providing supervisors with tools to understand, monitor and assess ESG risks; devising a taxonomy, as required by the relevant authority or classification system; monitoring the flow of capital to economically sustainable activities; and so on.

There are clear opportunities in terms of improving resilience and profitability, but to benefit, boards must understand ESG goals, possess sufficient knowledge of climate risks and have a vision of the evolution and impacts of these risks over time. Introducing formal interventions in the audit plan can help to encourage the board’s appropriate and direct involvement.

Internal auditors must therefore ask whether they themselves have the necessary skills – for example, specific knowledge of strategic planning and data analytics. They must consider the extent to which external pressure affects executive decision-making by, for example, monitoring behaviour that prioritises short-term needs over long-term interventions related to climate change.

Another issue is risk culture. Are all relevant stakeholders aware of the impact of the choices they make in terms of environmental and social risk? Organisations need a training process that makes risk culture understandable and accessible and ensures behaviour consistent with the board’s strategies. Internal audit is a key promoter of risk culture and has a role verifying that the information and messages in training are consistent with strategic intentions and that training plans are complete and sufficient.

Organisations must also demonstrate a consistent risk culture and set of values in the wider world, and internal audit can monitor the consequences of any perceived gaps. For instance, environmental initiatives may change employee working practices in ways that affect their carbon emissions – for example, by using offices differently – as well as an organisation’s choice of external suppliers, who in turn make environmental decisions. Organisations will attract responsible investments only if they operate in a socially responsible way in the wider market.

Regulators are increasingly requiring specific disclosures on ESG risks to allow stakeholders to make informed decisions and to protect consumers, and demanding a clearer link between corporate strategies and goals and ESG objectives. The internal audit function could develop transparent metrics showing how ESG risks are incorporated into strategy and risk management and ensure that information is clear and understandable.

Such disclosures must consider the needs of various audiences and could, for example, include estimates deriving from models used to integrate ESG risks, or key performance indicators (KPIs) showing objectives in terms of volume or the percentage of green activities in the social report. They need to show progress towards stated goals and follow non-financial reporting guidelines.


An internal audit approach

An internal audit model focusing on ESG risks could start by stating explicitly how much ESG risk the entity wants to assume, ie, its ESG risk appetite, for the purposes of both disclosure and risk culture. This requires a holistic approach that considers the macroeconomic scenario and the internal features of the organisation, as well as physical and transition risks.

The first step is to map ESG risks completely and accurately. Since these may be considered “new” risks, it might be appropriate to identify macro-areas of interest first and then add detail each time more precise information is obtained about the risk profiles of each activity held by the entity, its impacts and its correlations. It is essential to share this information with risk management, which also contributes to drafting an effective risk coverage system.

The organisation must decide whether to integrate climate risks within its existing risk assessment process or to create a separate model for this risk category. The second choice may be the simplest: it creates a clean database in which to study the correlations between risks, gives an estimated measure of the impact of climate-related events on capital and frames the risk appetite.

An effective audit model should ensure that climate risks are integrated at all levels of the organisation, verifying that specific tasks are assigned correctly. It should also supervise the continuous circulation of information between the various functions.

Another important point is to decide which elements to include or exclude, according to the environmental criteria defined by governance (for example, high-carbon-emissions activities). A good internal audit model must be able to outline the typical risks of those elements and identify the correlation between the probability that events will occur and their impact in the short and medium-long term, with particular attention to the context in which the organisation operates.

The next step is to check how these risks will be monitored. It is useful to begin by establishing the criteria for complete information. This allows the board to decide and implement green strategies.

There are currently no well-defined indications from the regulators on how to manage ESG risks, and no available data for comparisons. However, internal audit can undertake advisory activity around ESG risks and consider how this correlates with other risks.

In the financial services sector, one example could be credit risk. To identify ESG-compliant credit, you must be able to label which customers and loans can be considered ethical and sustainable. In line with the EBA’s requests, pre- and post-disbursement checks could ensure this customer evaluation is done correctly: pre-disbursement, by carrying out an in-depth analysis of the customer's business model and defining parameters, standards and methods of evaluation; post-disbursement, by verifying that the money lent is used appropriately.

This produces an ethical or ESG rating, which is not an alternative to the credit rating, but a further element supporting the evaluation process.

Assuming the ethical rating has the strengths of a regulated rating system and can profile the ESG factors that affect the performance of the company, internal audit could suggest that the company’s ESG component should emerge as much as possible through the qualitative part of the rating questionnaire. This can be achieved using questions that reveal the impact of ESG factors on company performance in terms of cash flow and the ability to pay debts – for example, by investigating the supply of raw materials and understanding how these resources contribute to pollution and climate change.

Improving the organisation’s knowledge of its customers for ESG purposes could therefore increase the quality of its customer base and facilitate transparency.

When considering reputational risk, internal audit could monitor how the compliance function verifies the reliability of non-financial information and whether the constantly evolving environmental legislation is correctly applied.

Internal audit could also check the adequacy and completeness of that information, assuring a flow of up-to-date news with which to monitor exposure to a particular risk or group of risks.

Introducing a monitoring system based on specific KPIs could allow internal audit to view a dynamic representation of exposure and recommend adjustments accordingly. In this way, ESG factors become a full part of the organisation’s strategic plan.

Organisations will suffer if they are associated with third parties who falsely proclaim themselves socially responsible. Internal audit could monitor reputational risk and its consequences for strategic effectiveness using surveys to compare the results of the data analysis from the organisation’s information systems with the importance attributed by the stakeholders to ESG factors.

Organisations must also ensure that their internal processes and external communications comply with ESG rules in different jurisdictions. For instance, when an organisation launches sustainable products or services, the first line should implement manual or automatic controls. Compliance can check sales methods, documentation, the presence of environmental certifications, etc, while internal audit should advise on the application of ESG regulations. If the compliance function ensures that ESG information is accurate, reliable and complete, internal audit could verify the contents of a hypothetical ESG Compliance Programme.

ESG regulatory compliance must also be clear within the organisation. Internal audit should examine policies affecting the wellbeing of collaborators, in terms of training, best practices, professional ethics, inclusion, equal pay, etc, as these demonstrate whether the company actively cares for the environment and people.

Reworking the structure of the internal control system from an ESG perspective should lead to lower costs and provisions in financial statements, and to positive findings in non-financial reports. For example, companies that invest in protecting their consumers say that their leadership became more goal-orientated, their competitive position improved and the markets recognised this, even during the COVID-19 pandemic.

The mission of internal audit is to provide assessments that add value to the organisation. The function should therefore play an important role in supporting companies to achieve their strategic goals.

Francesca Passalacqua is an internal auditor in Intesa Sanpaolo Bank. She has a postgraduate Master’s degree in audit and risk management and is currently involved in ESG-related projects at work.

This article was published in March 2022.