
5 categories of risk: Internal audit: Compliance - Ernst & Young - United States


Five highly charged risk areas for Internal Audit


2. Compliance


Many companies are facing new and expanding regulatory compliance risks resulting from an increasing number of international, national and regional programs.

In a recent Ernst & Young study [1] of 300 global executives from organizations with revenues of US$1b or more, 94% of respondents see national policies as important or very important in shaping their climate change strategies, while 81% recognize the importance of global or international policies.

In the past year alone, over 250 climate change-related government actions were implemented globally, including state and provincial action across North America.

In the US, for instance, the Environmental Protection Agency declared carbon dioxide a danger to human health and announced that it would require reporting of greenhouse gas emissions starting in 2010 for heavy emitters, on a per-facility basis. As another example, the Federal Trade Commission has indicated its intention to crack down on "greenwashing" in marketing claims (i.e., misleading consumers and stakeholders with environmental claims).

This not only opens up new regulatory compliance risks for companies, but also reputational ones, given that specific facilities will be under the microscope.

The key risk areas resulting directly or indirectly from regulatory measures are varied and can include:

  • health and safety
  • human rights and labor laws
  • anti-bribery
  • environmental risks.

Environmental risks can include direct impacts (e.g., emissions trading cost exposures) and indirect impacts (e.g., energy price increases and accompanying reporting and compliance costs). Audit and verification activities will also be required under certain programs, resulting in additional cost exposures. Companies in unregulated jurisdictions face additional risks around policy uncertainty.

In the US, the SEC recently provided public companies with interpretive guidance on existing SEC disclosure requirements. The SEC’s interpretive guidance highlights the following areas as examples of where climate change may trigger disclosure requirements:

  • Effects of legislation and regulation. When assessing potential disclosure obligations, a company should consider whether the effect of certain existing laws and regulations regarding climate change is material. In certain circumstances, a company should also evaluate the potential effect of pending legislation and regulation.
  • Effect of international accords. A company should consider, and disclose when material, the risks or effects on its business of international accords and treaties relating to climate change.
  • Indirect consequences of regulation or business trends. Legal, technological, political and scientific developments regarding climate change may create new opportunities or risks for companies.
  • Physical effects of climate change. Companies also should evaluate, for disclosure purposes, the actual and potential material effects of environmental matters on their business.

What this means for Internal Audit

Internal Audit needs to demonstrate to management the importance of these issues and of identifying and managing the potential risks. More than ever, boards need to have confidence in the processes that are in place to manage climate change and sustainability-related risk. Internal Audit also needs to provide assurance that the organization is meeting its compliance obligations in all of the jurisdictions in which it operates (e.g., EPA regulations, and state and provincial actions such as California’s AB 32 or Alberta’s Specified Gas Emitter Legislation). Internal Audit also needs to monitor and assess the impact of existing and proposed legislation.

Questions Internal Audit should ask

  • Does the company have the business processes in place to identify and monitor the regulatory mandates concerning the environment, health and safety, community development and ethical behavior?
  • Are the company’s climate change and sustainability risks objectively reflected in both the internal and public reporting?
  • Are processes in place to enable the company to capture all the available tax and non-tax incentives related to its climate change capital spend?
  • Does the organization fully understand climate change regulation in every jurisdiction in which it operates?
  • How is the organization managing risk where policy and regulation are not clearly defined?
  • Does the board or audit committee have appropriate oversight over climate change and sustainability external reporting and disclosures?
  • Is the board confident that management has a clear understanding of the regulatory initiatives that are under way?
  • Does the board understand how these could affect the company’s risk profile?

[1] Action amid uncertainty: the business response to climate change, Ernst & Young, 2010.
