Since 2009, the Endangerment Finding has served as the legal foundation for most federal climate regulations, including rules affecting vehicles, power generation, and industrial emissions. The findings determined that certain greenhouse gases threaten public health and welfare, which is the basis for their regulation under the Clean Air Act.
As of this writing, several states and localities are taking legal action against the federal administration over the endangerment findings’ repeal, so final actions are still somewhat in flux. Nevertheless, the potential repeal represents just one example of a broader shift in regulatory tone. For internal audit leaders, developments like this should prompt a reassessment of how federal-level changes could alter the organization’s risk landscape and control environment.
Redistributed Regulatory Risk
The rollback lessens U.S. federal climate regulation, but it does not eliminate climate-related regulatory risk. Instead, it shifts it to:
- States and localities. Expect more aggressive action from states, cities, and regional compacts that will fill the perceived vacuum with their own rules, reporting requirements, and enforcement regimes.
- Courts and litigation. Environmental groups and some states have already signaled “see you in court” responses to the EPA, increasing litigation and enforcement uncertainty for those who conform to EPA regulations.
- Global and value chain pressure. Non-U.S. regulations (e.g., the Corporate Sustainability Reporting Directive and Carbon Border Adjustment Mechanism) and stakeholder expectations continue to make climate risk strategic for multinationals, regardless of U.S. federal policy changes.
For the internal audit universe, this means climate and environmental compliance risks may become more complex and fragmented, not less, which could result in significantly more organizational risk if ignored. “The true test of governance is not how an organization behaves under clear rules, but how it behaves when the rules are shifting,” says Mark Maraccini, an Austin, Texas-based public sector internal audit lead partner at Crowe. “Because EPA finalized this action on legal interpretation rather than a new scientific determination, internal audit should distinguish changes in statutory authority from changes in underlying risk.”
A Standards Approach
The IIA’s Global Internal Audit Standards make it clear: Internal audit’s planning must be risk-based and forward-looking, not tied to the current rulebook. Indeed, the Standards are designed to guide internal auditors through “today’s complex risk landscape” and emphasize robust, risk-based planning and stakeholder-focused assurance. In other words: When regulation becomes more volatile, conformance with the Standards pushes internal audit to lean in, not step back.
Deloitte describes internal audit’s role as enhancing “regulatory compliance” alongside process efficiency, fraud detection, and operational quality. While the EPA rollback does not shrink that mandate, it does change the terrain quite significantly from:
- Single regulator focus to a multi-regime focus — including regulations at the federal, state, and international level, as well as industry codes and voluntary frameworks.
- Static rule checking to dynamic horizon scanning — for emerging or returning requirements under future administrations.
- Narrow legal compliance to broader “license to operate” — based on stakeholder expectations, sustainability commitments, and public statements the organization has made.
Given that the current U.S. administration prioritizes deregulation, should internal audit deprioritize regulatory compliance for now? The short answer is no. If anything, it should reframe and reinforce it. “The repeal of federal vehicle greenhouse-gas standards should prompt internal audit to verify that fleet strategy, procurement criteria, contracts, and compliance inventories have been updated with precision,” says Maraccini.
Regulatory compliance should remain a core risk theme for any organization subject to regulation, but in 2026, internal audit can aid stakeholders in reframing the compliance conversation. Topics to be covered could include:
- Climate and environmental obligations across jurisdictions.
- Sustainability disclosures and data integrity.
- Governance over public commitments and scenario analysis.
- Readiness for rapid regulatory “snapback” under a future administration or court decision.
Internal audit should also be vocal about the illusion of reduced risk and help leadership see the second- and third-order effects of deregulation. “Because the repeal is limited to greenhouse-gas requirements, internal audit must ensure that compliance training, monitoring, and accountability do not weaken where traditional air-pollutant obligations still stand,” he says.
Action Items for Internal Auditors
So, what are some ways internal audit functions could react to the latest developments that could maximize value to the organization? A few possible short-term initiatives include:
Reassess the audit universe through a volatility lens.
- Update the risk taxonomy: Tag risks influenced by political and regulatory volatility (e.g., climate, sustainability, trade, data privacy).
- Scenario-based planning: Build scenarios where climate regulation tightens again (domestically or globally) and assess whether current controls, data, and governance would stand up to renewed scrutiny.
- Cross-border alignment: For multinationals, test alignment between U.S. practices and stricter foreign regimes and highlight any potential inconsistencies that could create operational and reputational risk.
Focus audits on governance, data, and promises.
- Board oversight: Review how the board and its committees oversee climate and sustainability risk in a world where federal signals are weakening but stakeholder expectations are not.
- Data and reporting: Test the reliability of emissions, climate, and sustainability data used in public reporting, investor decks, and sustainability reports — regardless of whether the EPA currently requires it.
- Commitment tracking: Audit the organization’s own climate and sustainability commitments (e.g., net-zero targets, transition plans, and supplier codes) as “quasi-regulatory” obligations.
Strengthen regulatory intelligence and agility.
- Regulatory horizon scanning: Evaluate whether management has a structured process to track and interpret regulatory developments at federal, state, and international levels.
- Playbooks for rapid change: Assess whether the organization has playbooks to respond quickly to new or reinstated rules (e.g., emissions standards, disclosure mandates).
- Coordination across risk, legal, compliance, and sustainability: Test whether these functions are aligned or working in silos as the landscape shifts.
Volatile Policy, Steadfast Oversight
The EPA rollback may tempt some organizations to relax their focus on climate and environmental compliance. For a mature internal audit function, however, it should have the opposite effect. Internal audit’s role is to assure, advise, and anticipate in a volatile, politically sensitive risk environment — not to mirror the regulatory mood of the moment.
“For internal audit, the rescission of the Endangerment Finding is not merely a regulatory development,” says Maraccini. “It is a governance event that requires management’s assumptions to be re-examined, documented, and tested.”