What is the role of audit in ESG?
The past several years have seen growing pressure on companies to demonstrate not only their progress on environmental, social and governance (ESG) goals, but also effective management of climate risk across their entire organization.
What role should internal and third-party auditors play in reviewing and providing assurance for an organization's climate risk data? What happens now that auditors in more and more jurisdictions are legally required to provide assurance on that data?
Here, we'll explore the trends, issues and challenges facing audit teams as regulators and stakeholders continue to demand greater ESG transparency and assurance.
What evolving ESG trends mean for audit teams
Investors are not the only ones demanding more from organizations today. Recent regulations in both the U.S. and Europe reflect a growing focus on climate risk management. For example, the SEC's recently passed climate risk disclosure rules require large, publicly listed U.S. companies to outline any material Scope 1 and Scope 2 emissions, and also obtain external assurance for those disclosures.
What does this mean for auditors?
“Look at what’s happening internationally,” says Kristen Sullivan, Partner, U.S. Sustainability and ESG Services Leader at Deloitte & Touche LLP. “The EU is moving fast and furious and comprehensively [on ESG]. The SEC is focused on climate. Many of the organizations [auditors] work for and engage with are going to be required to audit [ESG data].”
Renee Murphy, Distinguished Evangelist at Diligent and former auditor, says it's time for audit teams to jump into action.
"Auditors must establish a clear governance structure for their ESG audits if they want to help their organizations withstand scrutiny from regulators and external auditors," she explains. "But in order to do that, they must be able to trust the data they collect. And you can't get there with spreadsheets and all your data hidden across disparate sources."
She goes on to say, “But it’s also important to note that auditors are positioned nicely to make strategic recommendations as long as they develop an understanding of ESG metrics and leverage the GRI’s standards for assurance, particularly for testing climate-related data.”
And, as Sullivan notes, there’s an immense diversity in climate risk management practices among organizations. Even many of the most sophisticated organizations don’t have an enterprise resource planning (ERP) system for reporting ESG data. Additionally, how auditors access sustainability data (if they currently access it at all), apply methodologies and handle that data is different from how they audit traditional financial data. Consequently, auditors frequently need to build the processes that allow them to provide assurance over ESG initiatives from the ground up.
How is the role of the auditor becoming more critical?
As increased disclosure becomes the norm, the way companies approach climate risk will change. “Businesses are about to invest more than ever before in sustainability. Offsets are going to become insurance instruments, and there will be real financial consequences for misguided strategy or executions,” says Murphy. “For auditors, only one part is getting and trusting information and making sure that the company is meeting their goals. The second part, strategy, is going to be just as important and even more costly. Offsets are evolving into insurance instruments, and any misguided strategies or executions will have significant financial implications.”
Murphy continues, "Climate-related impacts have already been showing up on a voluntary basis in financial reports. And now with the SEC's rules, we'll see even more climate risks being disclosed, with auditors evaluating how those impacts are generated, how they’re captured, the risks they create and, perhaps even more importantly, whether the organization is making the right judgments around climate risk and materiality."
In doing so, auditors can help drive trust and build the board’s confidence in data, which helps boards make better choices and build value. However, as Helle Bank Jorgensen, CEO of Competent Boards and a former auditor, explains, auditors must first know which questions to ask.
“We don’t have the debit/credit for this data,” Jorgensen says. “How do we ensure we have the info we need? I don’t want to be accused of greenwashing. What are the questions I need to ask? How do I know if I can sign off on this data?”
Indeed, ensuring the accuracy and relevancy of data is key to avoiding accusations of greenwashing. And, increasingly, auditors will be called on to provide assurance on an organization’s judgments around risk and materiality.
"The role of the auditor is to enhance confidence in the data, and to improve the board’s confidence that they’re being stewards of responsibility and making the right choices," says Sullivan. "If they’re making decisions on incomplete data, that’s fuel for inefficiency and risk. That's the critical role that assurance plays."
According to Jorgensen, CFOs are also taking an increasingly proactive approach, asking auditors, “How do we ensure we have the [right] systems in place? How do we apply the same rigor to all this [non-financial] data?”
“No one wants the sudden message that 'We need to do a restatement,'” says Jorgensen.
Aligning your climate risk strategy to established frameworks
Both Sullivan and Jorgensen highlight the importance of aligning audit strategies to specific ESG frameworks, such as the Task Force on Climate-related Financial Disclosures (TCFD).
The International Sustainability Standards Board (ISSB) takes the TCFD a step further by providing more specific criteria for what needs to be disclosed. The ISSB serves as a foundation and helps to create a global baseline in standards. This is important for all businesses, because even those that don’t have a global presence still engage with global suppliers and other key stakeholders.
"The TCFD is a framework, a guide," says Sullivan. "It doesn't provide the criteria to follow from a data perspective. The ISSB takes the TCFD framework and puts meat on the bones about what needs to be disclosed."
How audit teams can provide assurance for climate risk disclosures: 4 steps
Sullivan and Jorgensen offer several practical tips for organizations to create a successful audit strategy when it comes to reporting on climate risk mitigation efforts:
1. Start with a materiality assessment: Materiality is the foundation for understanding how to prioritize your approach and tie it to your business strategy. Use either a double materiality assessment (aligning with CSRD guidance) or a single materiality assessment (as outlined by the SEC rules and the ISSB), and follow the metrics that align with that approach.
"It's a false narrative that ESG is 'non-financial info' because it is financial and it will eventually manifest itself financially," says Sullivan.
2. Put a governance structure in place: Once priorities have been identified through a materiality assessment, auditors can put the right data governance structure in place to conduct effective audits.
Start by identifying which data you need to assemble, determine rights and responsibilities, then prepare for reporting.
Be careful not to overlook data sources. Jorgensen advises, "Look at your company's communication and marketing materials. Do you have the underlying documentation you need for that? Even in marketing materials, companies are saying something you as an auditor may not be comfortable with."
3. Bring the board on board: As auditors begin the reporting process, Murphy recommends involving the board. "You need the right tools to streamline climate data collection, categorize your climate risk, and systemize reporting to feed insights right up to executives and the board, because that information is essential in their decision-making process," she says.
"Identify for the board what's material now, and what's going to be material three, four or five years from now," adds Jorgensen. "It's a lot of risk — not just financial risk, but reputational risk. ESG is a risk for the board of directors."
Similarly, benchmarking your disclosures against those of your peers and competitors, and delivering that information to directors with the appropriate context, will help your board provide the appropriate level of oversight.
4. Begin preparing for where the organization wants to go: Focusing only on current climate risk programs without looking ahead can leave organizations unprepared for what's coming. "What does your organization's transition plan look like?" Jorgensen asked. "Are you trying to get to net zero? Do you have the right competencies on the board and in the C-suite to get there? Do you have the right auditors who feel they can sign off on these things?"
Sullivan added, “As organizations get more proactive and intentional [about climate risk], it’s about, ‘How do we intentionally take these market indicators and regulations to make the pivot and capture value, to tap into a new market, to tap into new research and development?’”
How the right solutions can help
Today’s audit teams face increased responsibility when it comes to an organization’s climate-related data and reporting, but the right technology can make their jobs easier and less prone to errors.
The Diligent One Platform combines best-in-class carbon accounting with risk and audit management solutions for a comprehensive view of your organization's climate risk posture. Automated workflows and dashboards offer real-time insights and standardized, auditable reports, so your team can build executive confidence and ensure they have data that is defensible to regulators and external auditors alike.
With all your climate risk data in one place, Murphy says, "you can stay ahead of the regulations and market shifts that have an impact on sustainability and supply chains, while also benchmarking your progress and surfacing critical information for the board."
Additionally, the Diligent Institute's Climate Leadership Certification helps leaders at every level prepare for new climate risk requirements and challenges.
"It’s very clear the direction of travel," Sullivan says. "Establish the governance structure you will need. Align your strategic objectives to these areas of impact. Institute policies and controls to withstand market scrutiny. The time to act is now."
