9 minute read 1 Nov 2022
Daring to take the leap

Why ESG can help internal audit become more relevant

David Sütterlin

Partner, Head of Risk Consulting | Switzerland

Passionate Risk Professional and SAP Consultant. Guides EY clients in building, redesigning and implementing risk functions to support greater trust and better decisions.

Mundia Moola Buesser

Senior Manager, Consulting, EY Sustainability | Switzerland

Passionate about adding extra value to her work. A mom of two and a professional figure competitor.

René Bartholmess

Manager, Enterprise Risk Consulting | Switzerland

Risk Management Coach | Focused on Third-Party Risk Management | Risk Seeking in his Hobbies Sailing & Mountainbiking


In terms of regulations, sustainability is becoming increasingly important. An audit that positions itself for and addresses ESG issues is gaining in importance.

In brief
  • Regulators and stakeholders are placing increasing importance on ESG risks around various aspects of sustainability. There are penalties for non-compliance.
  • Internal Audit must conduct a complete and thorough review of sustainability risks and their reporting.
  • An audit function that acts as a proactive sparring partner to other departments can provide valuable assistance and increase its importance to the organization.

The abbreviation "ESG" has come to stand for the pressure for greater sustainability that affects every company. It summarizes the aspects that are coming into sharper focus:

  • Environment (Environmental)
  • Social issues (Social)
  • Responsible corporate management (Governance)

ESG issues are becoming increasingly important to regulators, investors and other stakeholders. If a company does not take them into account adequately, it exposes itself to growing risks regarding compliance with the law, future access to financing and the protection of its own reputation.

A particular challenge related to ESG is that many of the frameworks that will be critical in the future are only just emerging, meaning that they are still in consultation or have only just been adopted with implementation dates. Some ESG-related issues are already well known. In governance, this applies to corruption and other areas that internal auditors have already focused on in the past. Environmental and social issues, on the other hand, are gaining new significance, such as emissions controls, diversity in the workforce, and supplier behavior with regard to human rights risks in supply chains.

One of the issues currently driving discussion in the EU is the regulatory framework for non-financial reporting (Corporate Sustainability Reporting Directive, CSRD). The required KPIs in the areas of environment, social affairs and responsible corporate governance are defined in the European Sustainability Reporting Standards (ESRS) and will lead to far-reaching transparency. Both the scope and the information required go far beyond the requirements of the previous Non-Financial Reporting Directive (NFRD). This also entails new or extended requirements for responsibilities, processes, data, internal control systems and the underlying IT architecture.

Further examples are the German Supply Chain Act (Lieferkettensorgfaltspflichtengesetz, LkSG) and the draft Corporate Sustainability Due Diligence Directive (CSDD). Both regulations lead to significantly greater transparency regarding human rights and environmental risks in the company's own business operations and in the supply chain, down to direct and indirect suppliers. They require the establishment of safeguards such as an adequate governance structure, risk analyses and complaints bodies. Here, too, companies face challenges in terms of methodology and data availability, but also adequate reporting procedures (including corresponding internal controls to ensure the quality of information).

In addition to regulatory requirements, there are also market mechanisms that are changing companies' strategies and business models. Companies are increasingly concerned with issues such as decarbonization, the circular economy and diverse workforces. But there may also be issues relating to product or packaging design, or topics such as ESG ratings and green refinancing through green or social bonds or sustainability-linked notes.

It is important that each company develops its own ESG profile based on the basic ESG definitions. The answers to questions such as "Where am I particularly exposed?" and "Which ESG risks do I need to keep a special eye on?" vary depending on the industry, company size and location.

ESG issues are becoming increasingly important for the audit function

Does the company have the challenges under control? Are the right and important issues being managed and monitored appropriately? Or is there a need for action?

These questions also increase the demands on internal auditors, who are required by the International Principles for the Professional Framework (IPPF) to examine the design and functionality of both a company's risk management and internal control systems. For capital market-oriented companies, there are also the requirements of the German Act to Strengthen Financial Market Integrity (FISG) and the German Corporate Governance Code (DCGK). The latter also includes a focus on sustainability in the current version dated May 17, 2022.

The audit function is in a unique position to oversee, audit and advise on the "business as a whole".

Since it also has a view of the sustainability program as a whole, it is precisely here that it can position itself as an active sparring partner for the rest of the company. To do this, it must develop resources and know-how accordingly and possibly expand its own role.

Questioning the self-image

In order to be able to develop and drive forward the many topics surrounding ESG and sustainability, internal auditing should reflect on its self-image: Does it see itself more as a pure audit unit - or as a proactive partner?

The reactive audit department is the classic self-image of a "third line": a kind of overseeing function that looks into other areas and makes sure that everything is running properly there:

  • Are clear rules and procedures specified?
  • Are these guidelines being adhered to?
  • Are control systems and risk management mechanisms set up in such a way that they can also reach the targets?

The proactive audit department, on the other hand, has the additional claim of thinking along, challenging and asking questions, and also questioning decisions. It is more actively involved - but of course still independent. The signal to other departments can be: "We see that you have something new in front of you. We'll be happy to take a look at it with you during the project."

  • In areas that have not yet been fully defined, it is available to other departments as a sparring partner and challenger.
  • In committees, it broadens the questions and addresses topics that are not yet on the departments' radar. Is the organization really taking the best path in the ESG audit environment?
  • With its own understanding of the subject, it keeps an eye on both compliance targets and the cost-benefit ratio. Because new topics are sometimes tackled with a sledgehammer to crack a nut, it is occasionally necessary to ask: Is the way things are done there efficient?

It is likely that an internal audit department will do well to combine both role models in its work.

Figure: Redesigning the internal audit function

Characteristics of a proactive audit

As part of its non-financial CSRD reporting, a global company must report diversity indicators for its workforce. These are usually held in decentralized form in various regions or locations. To report them, the company collects key figures from Excel documents supplied by various HR departments and aggregates them at headquarters.

An audit function committed to the reactive approach will, when examining this process, conclude the following: A system exists and it fulfills its required function. A figure had to be reported, and the company duly reported it.

A proactive auditor will note that this appears to be a very risk-prone construct and that it would be appropriate to have technology-based processes in place. The advantages would be higher data consistency and quality, lower error-proneness and faster compilation.

It is a matter of considering, beyond the basic task, whether a process is actually good as it is.

As the example shows, a process can be proper and functional, i.e., it can fulfill its goal and generate numbers. Nevertheless, it may not be fit for purpose or economically efficient, perhaps even fraught with risk.

CSRD: accompany new processes from the start

The CSRD brings new reporting obligations for many more companies, especially for SMEs, which were not previously subject to such regulations. The information requested will be more detailed. New processes have to be set up.

Especially for smaller companies, which handle many things from their own departments without external consultants, an independent pair of eyes is important. The audit function can already provide process support during the creation phase – remaining independent, but questioning.

A joint study by the Internal Audit Foundation, the Institute of Internal Auditors (IIA) and EY found that about half of the departments surveyed are already planning advisory or performance-oriented ESG auditing activities.

How the audit department can tackle new tasks

In the future, generally, Internal Audit must look at the entire existing management system of ESG risks within the organization - and then audit the right thing, using the right methods. A three-stage approach is recommended:

  1. Maturity Assessment for the big picture: At the beginning, there is a view from above - Where does the company stand in terms of sustainability as a whole, where could the greatest risks arise, where are the greatest areas for action? A maturity assessment can show how far a company has come on the road to sustainable management, where it has a lot of catching up to do, and where it may already be ahead of the game. The role of the audit would be to ask, in accordance with its auditing task: Does a sustainability strategy exist at all? Is the topic of sustainability anchored in the strategy? Is it considered in risk management and compliance?
  2. First, focus on regulatory-driven audits: The next question is - In which areas is the pressure to act greatest from a regulatory perspective? Here, in addition to non-financial reporting (CSRD), the German Supply Chain Act comes to mind. Understanding what's next and what needs to be particularly scrutinized is especially important for the organization. Behind the new laws and regulations are sometimes also high penalties for non-compliance or incorrect reporting. It is therefore also important for the auditing department not only to keep an eye on the overall concept, but also to check specific data at its central or decentralized origin.
  3. Setting further priorities: The third step clarifies the question of which topics are particularly important for the company, even without regulatory drivers. If significant risks are identified here, the next step is high-impact audits - the substantial examination of individual projects and processes. With regard to the functionality of control and risk management mechanisms, the questions are: Do controls exist? And are they effective?

Energy consumption, diversity, the behavior of suppliers - many things that were previously less of a focus are becoming important. Until it is accepted throughout the organization that the world has changed and new rules apply, internal auditing must help to incorporate these aspects and point out problems - in accordance with its central function of preventing damage to the company.

The fraud aspect, i.e. possible intentional misconduct in relation to ESG, must not be neglected. As the pressure to meet the new targets increases, so may the motivation for such behavior - perhaps more so in some business units or regions than in others. Analogous to fraud in financial reporting, fraudulent approvals or misclassified products are conceivable.

While detecting fraud is not the primary objective of an internal audit department, it must consider cases of intentional ESG non-compliance as relevant risks. If necessary, they need to be included in audit program planning, while professional skepticism is maintained in this regard as part of the audit procedures - especially in the area of ESG, which has long been considered less relevant and now plays a greater role for many companies.

So, in many ways, the internal audit department can not only help the organization find the best solutions to report numbers accurately and meet any new requirements, it can also support the design of corporate change.

Build ESG know-how

ESG as a risk area will stay with internal audit for good. It is important and will remain important. This is comparable to the similarly increased importance of digitization topics such as IT security and data protection over the last ten years.

The audit functions should therefore build up know-how. They need to get to grips with the whole subject matter: the regulatory environment and the behavior of their own organization. To be able to audit in a risk-oriented way, the first step is to understand which material ESG risks the company is exposed to and which regulatory requirements have to be met.

In the area of emissions, for example, the auditor needs someone who knows how Scopes 1, 2 and 3 of emissions are defined and how to collect, read, evaluate and report this data. This basic understanding is needed for risk-oriented audit planning alone, in order to decide which audit topics are actually appropriate.

There are several ways to build up such know-how in the long term or to bring expertise in-house:

  • Train your own employees
  • Recruit ESG-competent colleagues from other departments
  • Hire new experts (however, many functions in companies, such as sustainability departments, are currently recruiting employees with ESG skills; internal audit can play as its trump card here the fact that its employees have an overview of the entire organization and get to know it)
  • Outsource tasks to stable external partners

Given the increasing importance of ESG issues, internal audit must position itself appropriately and build up its knowledge. The challenge lies in including ESG aspects in audit planning and risk assessment, as well as in adjusting audit methods where necessary. By approaching this topic with a more proactive sense of purpose instead of seeing its role as a mere audit entity, internal audit will help the entire company on its transformation journey and become a sought-after partner for other functions.
