As the example shows, a process can be proper and functional, i.e., it can fulfill its goal and generate numbers. Nevertheless, it may not be fit for purpose or economically efficient, perhaps even fraught with risk.
CSRD: accompany new processes from the start
The CSRD brings new reporting obligations for many more companies, especially for SMEs, which were not previously subject to such regulations. The information requested will be more detailed. New processes have to be set up.
Especially for smaller companies, which handle many things themselves within their own departments and without external consultants, an independent pair of eyes is important. The auditing department can already provide process support during the creation phase, remaining independent while asking critical questions.
A joint study by the Internal Audit Foundation, the Institute of Internal Auditors (IIA) and EY found that about half of the departments surveyed are already planning advisory or performance-oriented ESG auditing activities.
How the audit department can tackle new tasks
In the future, Internal Audit will generally need to look at the organization's entire existing system for managing ESG risks, and then audit the right things using the right methods. A three-stage approach is recommended:
- Maturity assessment for the big picture: It starts with a view from above: where does the company stand in terms of sustainability as a whole, where could the greatest risks arise, and where are the greatest areas for action? A maturity assessment can show how far a company has come on the road to sustainable management, where it has a lot of catching up to do, and where it may already be ahead of the game. In keeping with its auditing task, the role of the audit function would be to ask: Does a sustainability strategy exist at all? Is sustainability anchored in the strategy? Is it considered in risk management and compliance?
- Initial focus on regulatory-driven audits: The next question is: in which areas is the pressure to act greatest from a regulatory perspective? Here, in addition to non-financial reporting (CSRD), the German Supply Chain Act comes to mind. Understanding what is coming next and what needs to be particularly scrutinized is especially important for the organization. The new laws and regulations sometimes also carry high penalties for non-compliance or incorrect reporting. It is therefore also important for the auditing department not only to keep an eye on the overall concept, but also to check specific data at its central or decentralized origin.
- Setting further priorities: The third step clarifies which topics are particularly important for the company, even without regulatory drivers. If significant risks are identified here, the next step is high-impact audits, i.e., the in-depth examination of individual projects and processes. With regard to the functionality of control and risk management mechanisms, the questions are: Do controls exist? And are they effective?
Energy consumption, diversity, the behavior of suppliers: many things that were previously less of a focus are becoming important. Until it is accepted throughout the organization that the world has changed and new rules apply, internal auditing must help to incorporate these aspects and point out problems, in accordance with its central function of preventing damage to the company.
The fraud aspect, i.e., possible intentional misconduct in relation to ESG, must not be neglected. As the pressure to meet the new targets increases, so may the motivation to misreport, perhaps more so in some business units or regions than in others. Analogous to fraud in financial reporting, fraudulent approvals or misclassified products are conceivable.
While detecting fraud is not the primary objective of an internal audit department, it must consider cases of intentional ESG non-compliance as relevant risks. Where necessary, such risks need to be included in audit program planning, and the department must maintain professional skepticism in this regard as part of its audit procedures, especially in the area of ESG, which was long considered less relevant and now plays a greater role for many companies.
So, in many ways, the internal audit department can not only help the organization find the best solutions to report numbers accurately and meet any new requirements, it can also support the design of corporate change.
ESG as a risk field is here to stay for internal audit. It is important and will remain important. This is comparable to the similarly increased importance of digitization topics such as IT security and data protection over the last ten years.
The auditing functions should therefore build up know-how. They need to master the whole subject matter: both the regulatory environment and the conduct of their own organization. To be able to audit in a risk-oriented way, the first step is to understand which material ESG risks the company is exposed to and which regulatory requirements have to be met.
In the area of emissions, for example, the audit function needs someone who knows how Scope 1, 2 and 3 emissions are defined and how this data is collected, read, evaluated and reported. This basic understanding is needed for risk-oriented audit planning alone, and for deciding which audit topics are actually appropriate.
There are several ways to build up such know-how in the long term or to bring expertise in-house:
- Train your own employees
- Recruit ESG-competent colleagues from other departments
- Hire new experts (however, many corporate functions, such as sustainability departments, are currently recruiting employees with ESG skills; internal audit can play the fact that its employees have an overview of the entire organization and get to know it as a trump card here)
- Outsource tasks to stable external partners