On the Frontlines: Acting on ESG Risk

These include:  

1. What is my organization's environmental, social, and governance (ESG) control environment? Are roles for key participants, including internal audit, clearly delineated as outlined in The IIA's Three Lines Model?
2. Does my organization have in place established ESG reporting internal control processes?
3. What is my organization's ESG governance structure (ESG committee, center of excellence), and how is it operating?
4. How are sustainability-related data points identified, collected, classified, and managed and by whom?
5. What metrics, including RPIs and PRIs, are in place or proposed to monitor sustainability data points and reporting?
6. What activities have been (or will be) implemented to map new sustainability requirements against current sustainability activities?
7. Does my organization's current ESG reporting efforts meet the "faithful presentation" threshold identified in the proposed standards? Does internal audit currently provide necessary "verification" (assurance and validation) on information used in existing reporting?

These questions involve seeking answers and changing our practices for the better to address sustainability risks for our organizations and civil societies, nationally and globally. They are questions I am sure many of us have been asking for some time. But "many of us" is not enough. We must all act before it is too late. But not act alone. Today's environmental, social, and governance-related risks, their assessment, mitigation, and management in all our organizations requires a collaborative effort with others.

Internal audit must start collaborating with ESG specialists in all their assurance, consulting, and teaching assignments. Past and present coordination and cooperation are no longer sufficient to address answers to the above questions. Many of the answers are in the United Nations' 2021 publication, Our Common Agenda: Report of the Secretary-General. Start your collaboration there.  

During my days, if not years, as a professional internal auditor, I incorporated the acronym "ACT" (assurance, consulting, and teaching) in my training to ensure I was providing the best assurance, consulting and teaching in risk management, controls, and governance audits in the areas of planning, practice, reporting, and follow-up. No coincidence it is part of the word, "proACTive." I recommend that every professional internal auditor addressing the ESG questions asked in the bulletin to regularly consider the importance of what it means to "ACT."