The U.S. Securities and Exchange Commission (SEC) announced on March 4 that it has created a 22-member Climate and ESG Task Force within the Division of Enforcement to monitor how organizations report their climate- and ESG-related disclosures to investors. Based on that announcement, it is clear the task force is focused on enforcing reporting rules.
“Proactively addressing emerging disclosure gaps that threaten investors and the market has always been core to the SEC’s mission,” Acting Deputy Director of Enforcement Kelly L. Gibson, who will lead the task force, said in the SEC’s statement. “This task force brings together a broad array of experience and expertise, which will allow us to better police the market, pursue misconduct, and protect investors.”
Internal auditors are well-positioned to support their organizations in this evolving risk area. While most regulations on ESG reporting are relatively new, the processes for evaluating the effectiveness and efficiency of any regulatory compliance regime are well-established — validating that reporting processes are complete, accurate, timely, and relevant.
The first step should be for internal auditors to update their risk assessments in this area and consult with stakeholders on the board and in the C-suite on whether changes are needed in the audit plan. The IIA published an IIA Bulletin on this subject this week to support its members.
The SEC’s action provides a prime example of the importance of two issues that I have written about repeatedly over the years. First, the speed or velocity of risk is increasing. For many organizations, ESG was not on the radar as little as five years ago. Today, it is quickly rising as a top risk with regulatory, reputational, ethical, shareholder, and operational implications.
However, internal auditors may not yet be in the best position to support their organizations on this complex risk overall. According to The IIA’s OnRisk 2021 report, “All parties are reasonably well-aligned with regard to organizations’ capability to manage environmental, social, and governance risks, which collectively comprise sustainability. However, confidence is fairly low. CAEs rate their personal knowledge about this increasingly relevant risk category as very low.”
The second is agility. Internal auditors must be ready, not just to respond quickly to changing stakeholder demands on risk assurance, but to lead the way when risk assessments show changes to likelihood and impact. The SEC’s new zeal to “better police the market, pursue misconduct, and protect investors” is a clear call for internal auditors to inform and educate stakeholders on this evolving regulatory risk.
Beyond the immediate response to changing regulatory risks related to ESG, internal audit leaders should firmly establish their role on the issue within their organization. Last month, The IIA contributed a letter to a hearing of the U.S. House of Representatives Committee on Financial Services titled, “Climate Change and Social Responsibility: Helping Corporate Boards and Investors Make Decisions for a Sustainable World.” In that letter, I made the case for internal audit playing a critical role in sustainability beyond simple assurance on reporting.
“While worthwhile, that narrow view fails to address the natural inhibitors to organizations to do more to comprehensively tackle this critical issue,” according to the letter. “Internal audit, as an objective and independent provider of assurance and advice with the purpose of continuous improvement, is ideally positioned to help organizations find the motivation and the means to embrace and incorporate sustainability measures that can advance both organizational performance and broader social, economic, and environmental objectives.”
Indeed, internal auditors are generally tasked with supporting management of key operational risk areas, including strategic, legal, and compliance, which historically account for up to 80% of an organization’s risk portfolio.
Internal audit cannot find itself on the outside looking in on such critical risks. It must improve its understanding of this issue by educating practitioners about emerging risks related to sustainability and how it fits into an organization’s operational and strategic priorities. It also must clearly articulate the value of “independent assurance” on ESG reporting, as regulators increasingly focus on this area.
As always, I look forward to your comments.