
On the Frontlines: ‘No, You’re Not Auditing ESG’

David Dufek, CIA, CFE | Jan 17, 2024

Environmental, social, and governance (ESG) are terms that have become part of the contemporary corporate lexicon — and a renewed focus of markets and regulators. While these concepts seem new and cutting-edge, many internal auditors are grappling with the notion of performing an all-encompassing "ESG audit." Worse yet, some auditors may be representing the work they do as sufficiently covering all things ESG.

The truth is that they're not. It's a far more nuanced and complex process than what the term implies.

The fundamental concepts behind ESG are not new. They encompass aspects such as treating employees fairly, considering environmental impacts, and governing effectively, all of which should be adequately considered under a risk assessment that follows existing IIA standards. What has changed is the language and awareness of these ideas. Attempting to audit ESG as a monolithic entity would mean reducing this gigantic suite of concepts into mere "checking the disclosures." We must look beyond the surface and recognize that ESG principles are part of the company's broader ethical stance and its commitment to responsible business operations.

The idea of an all-in-one ESG audit may sound appealing, but it's a flawed approach. Each aspect of ESG embodies different domains of corporate responsibility. Environmental considerations involve examining a company's carbon footprint, waste management, and conservation efforts, each of which varies widely from company to company based on its industry, geography, and office environment. Social aspects focus on employee welfare, community engagement, and diversity. Governance relates to the company's leadership structure, transparency, and ethical conduct (including, by the way, its stated commitment to ESG and its actions to meet its own standards). Each of these components (and sub-components) is itself a potential target for an audit, depending on the materiality of the underlying risk. But it would be a fool's errand to try to audit, say, battery disposal controls simultaneously with an audit of employment bias or of the company's ethics program.

By attempting a cohesive, single ESG audit, one would necessarily overlook (or give a very light touch to) these deeper layers of risk and responsibility that corporations hold. As internal audit professionals, we have to delve into the underlying material risks that align with company objectives and assess how a corporation engages with the world responsibly. One critical point to note is that our audits, including ESG, should focus on material aspects only. Not every nuance or minor detail requires an audit. It's management's role to establish effective controls in line with their risk appetite and to disclose their activities accurately, and this is no different for those controls established over ESG risks.

Indeed, there are material ESG risks that must have proper controls, and these then become subject to our rigorous assessment and audit. By concentrating on these material aspects, we conduct more targeted, actionable, and insightful audits that truly reflect the company's ability to fulfill its significant ESG commitments. By moving away from a superficial audit of ESG, we lean into a meticulous examination of material risks and foster a culture of transparency and responsibility, aligned with the long-standing principles of good governance. We also become a much more sophisticated arm of the audit committee, in that we aren't promising "coverage" of ESG that we are either unable to deliver or that provides false assurance due to the superficiality employed.

Remember, our role is to assure, warn, and advise, not to take over the responsibilities of management. By focusing on material risks, we provide valuable insights over the controls that enable management to meet its ESG commitments in a manner that resonates with stakeholders. This approach builds trust and paves the way for stronger corporate governance.

Beyond the buzzwords, ESG is more than a trendy term; it represents a commitment to responsible business practices that have been part of corporate ethos for generations. These commitments are real, they are important, and they are substantial. But they always have been thus. What has changed is how we communicate these principles and the increased scrutiny from stakeholders demanding greater transparency and accountability. In a world where the call for responsible corporate behavior is louder than ever, internal auditors play a vital role in ensuring companies live up to their ESG commitments on purpose and in the language of controls. But we must do so wisely.

Remember, ESG is not a novel invention but a refocusing of principles that have guided responsible corporate behavior for generations. Let's embrace this understanding and elevate our auditing to a level that truly reflects the complexity and importance of ESG in today's corporate landscape. We do this by performing proper risk-based audits as we have evolved to do as a profession.

David Dufek, CIA, CFE

David Dufek is vice president and chief internal auditor for Principal in Des Moines, Iowa.