6 minute read 17 Aug 2022

Internal audit is a natural fit to enhance ESG risk management and disclosure.

Solar panels getting recharged on high-rise towers

How internal audit can support ESG programs in financial institutions

By Aloysius Fua

EY Asean Sustainable Finance Lead; Partner, Financial Services Assurance, Ernst & Young LLP

Trust and confidence builder in financial services ecosystem. Assurance provider to protect and promote sustainable, long-term value for stakeholders. Avid traveler.

6 minute read 17 Aug 2022

Internal audit is a natural fit to enhance ESG risk management and disclosure.

In brief
  • As the pressure to manage and report on ESG issues intensifies, ESG-related risks must be built into enterprise-wide risk assessment and control.
  • Internal audit teams should be embedded in this process, formally assessing material ESG risks and reviewing the accuracy and completeness of ESG disclosures.
  • This will be an important step to catalyze the evolution of the role of internal audit from a compliance monitor to a strategic advisor.

A wave of climate risk and other environmental, social and governance (ESG) risk management regulatory requirements has recently manifested across Asia-Pacific. The region’s ESG policies have increased two-fold in the past five years, resulting in disclosure rates in most markets in line with or above those in the US.1  

At the same time, investors and other stakeholders are also sounding the ESG alarm. Boards and investors want to know how ESG issues will impact an institution’s long-term strategy, performance and value creation. They are mindful that ESG is a rising feature in the financial services risk universe. New risks and opportunities are emerging, whether from the physical impact of climate change on assets or changes in the regulatory landscape contributing to high transition risks and public demand for greater transparency of an organization’s carbon footprint, labor standards and deforestation policies resulting in changes to the credit risk, investment risk and/or underwriting risk of various financial institutions.

Financial institutions are experienced in dealing with traditional risk areas like credit, investment, market, liquidity, underwriting, operational, reputational and strategic risks. However, climate and other ESG risks present new and unprecedented challenges — and some of the region’s institutions are not ready to meet the risk management and disclosure expectations of the many stakeholders focusing on ESG.

For example, in many jurisdictions, institutions are still using informal processes and manual data collection for key ESG metrics, which will need to be enhanced as this data receives more scrutiny in the market and by regulators.

Effectively responding to accelerating ESG-related risks and opportunities will require institutions to integrate ESG into business strategy and enterprise risk management (ERM) in a coordinated, strategic approach with strong oversight. Institutions must consider how climate and other ESG risks will translate into the traditional risk types and assess them on varying time horizons to plan appropriately.

This will require two new capabilities:

1. The expertise to understand the regulatory expectations, to identify and manage climate and other ESG risks — and to understand how these may manifest as physical, operational, compliance and financial risks.

2. The resources, processes, technology, data sources and metrics to assess and monitor these emerging risks.

Risk-based and objective ESG assurance, advice and insight 

Financial institutions need to incorporate climate and broader environmental risks in their risk management process, including setting risk appetite aligned to strategy, identifying, assessing, monitoring, controlling, mitigating and reporting such risks. As they do so, internal audit is perfectly placed to play a leading role.

For example, inventorying the greenhouse gas emissions sources across Scope 1, 2, and 3 emissions requires a deep understanding of an institution’s operations. Internal audit can provide this insight to validate that all applicable business activities, locations, subsidiaries and joint ventures are included in reporting.

Yet, according to a survey by Ernst & Young LLP and the Institute of Internal Auditors, while most organizations have ESG programs and reporting, many are not yet involving their internal audit function’s support in a meaningful way.

The survey found internal audit is most often involved in assurance services supporting processes, controls and data validation for reported material ESG information. More than a quarter of respondents said internal audit was variously involved in the following:

  • Providing advice on setting ESG program goals and metrics
  • Reviewing how ESG goals and metrics are tracked and monitored
  • Reviewing implementation of the ESG program and related policy documents
  • Reviewing the accuracy of ESG reports provided to stakeholders

But this is just the start. Internal audit can be a key advisor in assessing the effectiveness of ESG controls, which may be relatively new and immature for the level of rigor needed for robust risk management to enhance resilience to emerging physical and transitional risk stemming from ESG-related risks.

Given its remit, internal audit should also be weighing in on climate risk and the inclusion of ESG in the organization’s enterprise risk management (ERM) program.

Internal audit functions should step up and start performing governance engagements to assess whether adequate roles, responsibilities and processes are in place to execute on the ESG strategy and manage risk. Internal audit should also consider providing thematic ESG-focused audits into broader audit plans that focus on traditional risk areas (e.g., credit risk, investment risk, underwriting risk and more) which are now intertwined with ESG risks.

In all cases, the involvement of internal audit increases the level of stakeholder confidence in the organization’s ESG risk management and reporting, as well as the organization’s preparedness to obtain external assurance from an independent assurance provider to build trust with stakeholders.

Stepping-stone to a broader, advisory role 

Stepping up to support ESG initiatives can be a win-win for both internal audit and the business. While helping to accelerate an institution’s ESG risk management and reporting maturity, the involvement of internal audit can also help the function to move away from its origins in control and compliance efforts and towards a more strategic advisory role.

In EY experience of engaging with C-suite executives and Audit Committee members, the region’s institutions are keen to broaden the role of internal audit beyond reliable assurance and efficient audits. Advising on ESG risk is an important opportunity to begin this process.

While the end goal is supporting the institutions in integrating ESG risk into traditional risk categories that enable long-term value, easy-win starting points for internal audit could include the following.  

Elevating ESG risks assessment to the board and C-suite

In this regard, internal audit functions might consider initially performing ESG-related activities and provide the required assurance at the ESG governance level, focusing on ESG strategy and risk management framework. In EY experience, internal audit functions have an opportunity to get ahead of impending risk management and disclosure regulations, and the ensuing assurance requirements by ensuring that the institution has the right ESG foundational program to govern, identify, risk manage and report ESG risks.

Reviewing current ESG reporting

Many organizations have publicly disclosed metrics such as greenhouse gas emissions, community investment and workforce diversity. But often this nonfinancial reporting has not been validated or assured. Internal audit should review the completeness and accuracy of these metrics and underlying data, assess alignment with any industry standards or protocols, and evaluate management’s reporting processes and controls.

Reviewing stakeholder engagement and materiality assessments

Many institutions have already undertaken these assessments, but an internal audit lens can often find opportunities to supplement assessment findings via additional reviews. These reviews, even if limited in time and scope, can go a long way to help internal audit identify critical ESG-related risks and existing initiatives to mitigate them — building their ESG knowledge and awareness.

To fulfill their role in ESG risk management, internal auditors must gain the subject-matter expertise needed to make meaningful contributions. The expectation that internal auditors can “learn as they go” from already overburdened in-house ESG professionals may be unrealistic. Internal audit may need outside assistance from ESG specialists who can work alongside internal teams and facilitate knowledge transfer.

Summary

Rapidly evolving investor, lender, underwriter and consumer expectations and ever-expanding ESG regulatory reporting requirements mean financial institutions must take credible and proactive measures to integrate ESG in risk management. Internal audit has a key part to play in ESG program advisory and assurance, helping to frame the function in a more strategic role and lift its stature within the institution. New subject-matter professionals will likely be required to support this shift.

About this article

By Aloysius Fua

EY Asean Sustainable Finance Lead; Partner, Financial Services Assurance, Ernst & Young LLP

Trust and confidence builder in financial services ecosystem. Assurance provider to protect and promote sustainable, long-term value for stakeholders. Avid traveler.