The green reveal: Internal audit and ESG compliance

Calls for better disclosure over climate risks have been gathering momentum for years, and in April the UK will become the first G20 country to introduce mandatory requirements for the largest companies and financial institutions to report on their climate-related risks and opportunities.

The move is part of the UK government’s Net-Zero Strategy and will affect around 1,300 “premium-listed” businesses – those with 500 or more employees, and/or turnovers of £500m – whose accounting periods began on, or after, 1 January 2021. These will have to report their performance against measures recommended by the Task Force on Climate-related Financial Disclosures (TCFD) on a “comply or explain” basis (see section below).

It is not before time: a report released last September by think-tank Carbon Tracker, called “Flying blind: the glaring absence of climate risks in financial reporting”, found that over 70 per cent of global companies it reviewed disclosed only limited consideration of, and reference to, climate change.

The new rules should be taken seriously. The Financial Reporting Council (FRC), the UK’s corporate governance regulator, has said climate-related risk disclosures will be at the heart of its monitoring in 2022. In October, it released guidance to help companies prepare and ensure they can provide the depth of information and insight that regulators and stakeholders expect.

The key recommendations include providing better disclosures about how boards consider and assess climate-related issues and how these may affect the company’s business model; how the company may respond to those challenges; what scenarios might affect the company’s sustainability and viability, and how the company is responding; and how climate-related issues, and their impact, are measured, including metrics, data and financially relevant information.

While mandatory disclosures about the business impacts of climate change currently apply only to large companies, the direction of travel seems clear and other organisations would be well advised to consider what they would need to do to comply, since it is likely that similar disclosure rules will eventually apply to them. The FRC already expects material climate change policies, risks and uncertainties to be included in companies’ narrative reporting and “appropriately considered and reflected” in the financial statements more widely.

In addition, the UK’s introduction of mandatory disclosure is unlikely to remain unique for long. It “may prove the spark that inspires other countries to do the same” and could “signal future government policy that could be introduced at a later date,” warns Mathias Lelievre, CEO at sustainability consultancy ENGIE Impact.


Explain and coordinate

However, while the trend for more disclosure may be clear, providing the data is less easy. Many companies say they are struggling to disclose in line with the TCFD’s four pillars of governance, strategy, risk management and metrics and targets, according to Leas Bachatene, CEO of third-party risk consultancy ethiXbase.

A common complaint is that climate risk is so deeply embedded in processes, it is hard to discuss it separately in risk management and governance disclosures. Others are reluctant to reveal scenario analysis assumptions that they argue include confidential business information.

Providing details about the metrics and targets used to assess and manage relevant climate-related risks and opportunities is difficult without standard industry metrics, Bachatene says.

Internal audit should therefore be prompting organisations to prepare for future disclosure demands – and helping them to find ways to do it. The function can also help to coordinate actions from the start to ensure executives, management and other key functions are aware and involved in the process.

Ben Stansfield, partner and head of the UK’s environmental team at law firm Gowling WLG, says internal audit should make sure that the organisation nominates people globally – ideally at senior management level – who are directly responsible (and accountable) for telling different parts of the business what data they need, and how and when that data should be presented.

“It is important to establish a lead for gathering the data, and it is better if a senior officer within the company takes responsibility for it. The more senior the person in charge, the more likely it will be that the organisation gets behind the process,” he says.

Georgie Edwards, principal consultant at sustainability organisation Anthesis, says internal auditors should use the TCFD recommendations to “start a conversation internally” with those responsible for risk, investor relations and sustainability.

“The intention of the TCFD is that the risks and opportunities related to climate change and the transition to a low-carbon future should be integrated with company-wide risk-management processes for identification, evaluation and management,” she says.

She also believes internal auditors should use the new mandatory requirement to build capacity and understanding at board level so that executives “have oversight of climate-related issues” and that management “can demonstrate their responsibilities in managing climate-related risks and opportunities”.

Internal auditors can encourage their companies to engage with people across the whole organisation – different business units, locations and perspectives – to identify the relevance and potential significance of climate-related risks and opportunities, she adds.


Barriers to disclosure

However, Edwards warns that companies are likely to face significant problems. “Scenario analysis continues to pose challenges,” she says, while “data availability, understanding climate-change impacts and the interrelated nature of those impacts can create hurdles”.

Another problem is that, while some companies have been voluntarily reporting their climate-related financial risks for some time, they may not have been doing so in line with TCFD. If they rest on their laurels without making adequate checks, there may be many who discover late that they do not fully comply.

A variety of tools promise to help organisations provide regional information about physical climate drivers in different scenarios (including the new Intergovernmental Panel on Climate Change (IPCC) Atlas). However, coverage is patchy. “Most resources must be paid for and require expert support to interpret in a useful way,” Edwards says.

She points out that the TCFD Status Report 2021 found that disclosure of climate-related risks and opportunities on financial performance and position is still limited. “Discussing your organisation’s resilience to climate change and the transition to a net-zero economy is key, but is currently the least reported disclosure,” she says.

On the other side, over-disclosure causes its own problems. “Businesses should be careful of promising to hit targets if they do not fully understand the implications,” she warns. For example, many companies have voluntarily set themselves a target of becoming “net zero” in terms of greenhouse gas emissions, but what this means in practice varies.

The Science Based Targets Initiative’s (SBTI) Net Zero Guidance (a global partnership between organisations including the United Nations Global Compact and the World Wide Fund for Nature (WWF)) has produced a definition that may differ from a company’s original intention. “Language and terminology is key,” Edwards advises.


Data delve

Franki Hackett, head of audit and ethics at data solutions firm Engine B, believes collecting and understanding climate risk data will be “challenging”. This is because the information, when it is available, is diverse, lacks a uniform format and is spread across multiple systems. Often, it is not even collected.

Once companies collect the data, they need to perform an informed risk assessment. They therefore need the expertise to understand the information before they can present it in a meaningful way to management and external stakeholders, she says. She advises those who are reporting this information for the first time (which will be most) to “follow the leaders”.

“Look to those who have previously reported voluntarily for examples of best practice” – ie, good quality, well-controlled data flows and expertise-driven management of climate risk.

“Management needs to ensure it understands its responsibility and what the data is communicating regarding its climate risks,” she says. This might mean more training or bringing in additional expertise. A robust internal audit process will be essential, and external audit firms that offer assurance on ESG reporting could be a critical part of delivering this assurance, she adds.

It is also vital that companies do not try to hide uncomfortable truths. “It is better to disclose information that may indicate poor practice now, in order to show real progress in future, than to be misleading and face potential sanctions,” Hackett says.

To test whether disclosures match the expectations of the TCFD’s principles, Liam Healy, managing director at governance, risk and compliance company Diligent, recommends that heads of internal audit “measure the data against the company’s own metrics first and ask whether it makes sense. Look for flaws. Then stack the information up against the TCFD and see if it matches its guidelines, as well as the FRC’s ‘comply or explain’ requirements. The next step is to ask: ‘Can the data, the metrics, the framework or the presentation be improved?’” he says.

“Regulatory monitoring and enforcement will probably be light touch at first,” says Sailesh Mehta, a regulatory barrister at Red Lion Chambers. However, “this should not be taken as a signal that compliance does not matter”. Failure to report – or reporting badly – can lead to fines under the UK Companies Act 2006, as well as other legislation, including the Streamlined Energy & Carbon Reporting (SECR) requirements introduced in 2019.

The UK’s new reporting regime is part of a far wider trend. New climate change legislation is coming into force in the EU and the pace will accelerate in all sectors and jurisdictions. Failure to disclose the correct information and to understand what it means for the organisation may currently damage companies’ reputations more than their balance sheets, but there are also great opportunities for those that do it well. Internal audit can help management to avoid the one, while taking full advantage of the other. 


What is TCFD?

In 2017 the Task Force on Climate-related Financial Disclosures (TCFD), an organisation that seeks to provide a standardised framework for climate-related financial reporting, set out 11 recommendations for financial disclosures that show how climate-related risks affect a company’s governance, strategy, risk management, metrics and targets.

These include describing the board’s oversight of climate-related risks and management’s role in assessing risks and opportunities, as well as examining how the organisation manages them as part of its overall business strategy.

It has also developed seven principles for effective disclosure. Each disclosure should present relevant information; be specific and complete; be clear, balanced and understandable; be consistent over time; be comparable among companies within a sector, industry or portfolio; be reliable, verifiable and objective; and be provided on a timely basis.

This disclosure framework is intended to show how boardroom decision-making is being influenced by physical climate risks such as floods and wildfires, as well as how companies quantify the financial impact of transitional risks as the business shifts to meet the demands of a low-carbon economy.

What sets the TCFD recommendations apart from other sustainability reporting frameworks is the requirement to focus primarily on the impact of climate-related risks on the company, rather than on the impact of the company on the climate. 

For more information, read the Chartered IIA's preparedness for climate change report.

This article was published in March 2022.