15 May 2022

Internal auditors' role in assessing sustainability disclosures

Brad Monterio, EVP and member competency and learning at The Institute of Internal Auditors (IIA) and Jim Pelletier, VP portfolio strategy at the IIA, discuss how the role of internal auditors is changing in a world of ever more sustainability disclosures and standards. Interview by Vincent Huck.

Your latest report shows an increased perception of risk linked to sustainability and non-financial reporting, but no increase in terms of budget allocation by insurers, which seems to suggest that internal auditors are keeping this topic on their radar, but not taking action, yet. Is that the correct way to look at it?

Jim Pelletier: We are seeing the early stages of development in a risk that's quickly evolving all around the world. A lot of organisations are waiting for clear guidance and standards and you'll see internal auditors start to shift into doing more work in that space.

What we're seeing is the rise of awareness, of interest, people getting started, getting more educated and having a better understanding of the issues, in preparation for when the reporting requirements come into place. Ultimately, it's based on the natural evolution of good governance in organisations: so we're starting to see organisations that are concerned with effective governance, understanding these issues and getting ready to respond to the disclosure requirements. Effective governance requires objective assurance, independent from management, which is what internal audit provides. Boards, governing bodies of organisations, audit committees, should soon be turning to internal audit as a source for that objective assurance as these new requirements come into place.

Brad Monterio: How much ESG is on internal audit plans is going to start to spike, when you look at the lightning speed at which the standards have been proposed. The ISSB was formed. The SEC has come out with climate disclosure. I anticipate other sorts of national regulatory bodies will start to do something similar.

We believe that internal audit functions are a critical pillar in supporting an organization's processes and data for ESG performance and reporting. You hear a lot of discussion around external assurance, but really internal auditors provide that first level of independent internal assurance needed to have trustworthy ESG disclosures, before they're even communicated externally.

And this helps also ensure the effectiveness of the controls, the continuous monitoring and related processes that generate that data. It starts with internal audit, providing that independent assurance to the organisation, that this information is reliable, and then internal auditors' role complements that of external auditors. They're not competitors. They are complementing each other and ultimately that builds confidence in the ESG disclosures that an organisation will share publicly so that it becomes 'decision-useful' information, among investors in particular.

Internal auditors' core skill set is not changing. It's simply learning about new datasets. Internal auditors don't have to be the greenhouse gas emissions experts. Those experts have to exist, but it's not the internal auditors' responsibility to be one of those. Those experts have to be within the company, or advising the company in some way, but the internal auditors' core skill set, of how they audit information sets, doesn't change. They don't have to upscale, they just have to work with the internal experts about those datasets and how that information is derived.

The IIA's latest North American report on internal audit highlighted the perception of risk related to sustainability disclosures was far higher at publicly-listed companies than at other types of organisations. How do you explain this?

Brad Monterio: ESG requirements and ESG disclosures know no boundaries. In other words, it doesn't matter what type of organisation it is, all organisations, I believe, have an obligation to understand their ESG risks and report on and disclose that to some set of stakeholders. This is something that all types of entities and organisations should be focused on because it gives a clear understanding of how they operate, what value they create, and how they contribute to, or detract from, society.

Jim Pelletier: From a practical perspective, with that data being primarily based on the US market, what you're seeing is a natural progression. Those requirements are initially going to hit public companies first, and the hardest. That's where you're starting to see chief audit executives in those organisations ramping up their game a little faster than maybe others. But it will come to everyone.

Here in the US, a lot of the talk is coming from the SEC, which is going to directly impact those companies first, and then it'll flow from there. It's very similar to other regulations. When I think back to Sarbanes-Oxley, it started in public companies. At the time I was working in a government entity and it even permeated into the government [sector] in terms of how we improve our controls over financial reporting. So you'll see that develop over time, as well with ESG disclosures.

Brad Monterio: Keeping in mind that, let's take a small- to medium-sized organisation privately held that uses natural resources as part of its manufacturing processes. They need access to capital, whether it's bank loans, or venture capital or private placements. There will probably be clauses in their loan documents looking at their use of those resources. The bank is going to want to know what's the risk exposure and how do you price that, which ends up being in the interest rate, commensurate with the level of risk.

So I believe these kinds of things will affect companies of all types and sizes, public or not, and it will become part of doing business. If you want to access capital at a lower cost, you're going to have to make sure that you're measuring this information, disclosing it reliably with independent internal assurance and/or complemented by external auditors.

There are different consultations going on at the moment, most notably by the SEC in the US, the ISSB consultation 'globally' and EFRAG's standards at EU level, and there is much talk about how these standards may or may not diverge, and how those standards use different languages to say the same things. Is divergence a concern for internal auditors?

Brad Monterio: The lexicon for a long time has been messy. When I first started getting involved in this, we talked about everything from corporate social responsibility, sustainability, integrated reporting, integrating thinking and it really has gotten a little bit messy. It's hard to put the horse back into the barn, once it's left. Regulators and the standards are all recognising this, and there are certainly efforts underway to better align language. I'm not sure that it'll be perfect because once it's out there, we all casually use terms and terminology in our conversations that might not be exactly the same meaning, or intended meaning.

With the SEC rule that came out recently, and with ISSB, there's a natural curiosity about the term 'materiality'. The SEC has a definition and there are slightly different definitions in other jurisdictions. But that's not the only term: what do we mean by 'assurance'? External third-party assurance is mentioned only once in the entire ISSB exposure draft. Nevertheless, there's a level of independent internal assurance that internal auditors provide, which we believe as a profession is absolutely essential, before we even think about that external assurance.

Jim Pelletier: It adds complexity, but I wouldn't call it a problem. Internal audit needs to be properly resourced to deal with the level of complexity that any organisation is hit with. The internal audit needs to assess what's the impact on the organisation and adjust audit plans accordingly, so that they are prioritised and focused on the right things, maximising their value to the organisation.

Brad Monterio: A report we did with EY found that 51% of companies that report on ESG have obtained some level of assurance from their internal audit function. To some extent, then, the internal audit function has already been involved for some time at some of the larger companies. So there's some degree of familiarity already within the profession and that will continue to grow.

You said the role of the internal auditor is to provide assurance, but what is the assurance of, exactly? Is it assurance that the data is correct, that the data is correctly used, or something else?

Jim Pelletier: It will vary of course, based on what internal audit is looking at, at any given time. I'll address the question looking at the external audit versus internal audit difference, because I think that will help to tell the story. External audit is looking at the data that's being reported out, and making sure that that data is correct. When you think about all of the things that are happening inside an organisation to get to that point where the data can be incorporated and reported - all of the business processes, activities and operations that are happening to produce that data that ends up in the report - that's where internal audit can really add value. Because it's inside the organisation, but independent from management, which means it can provide objective assurance on whether those processes are operating effectively, if they're designed and operating to produce the results that are necessary, if the data that's coming out of those processes is accurate. That data is what's ultimately flowing up to produce those reports that the external auditors are validating.

Brad Monterio: Part of that independence is also in that they're not designing the internal controls, obviously - that would not be independent, but they are testing the effectiveness of those controls. Someone else is designing the controls around that information, but they need to know:

  • How is that data offered?
  • What business rules were applied?
  • Is it in fact the exact information so that you can draw a specific conclusion for a certain disclosure?
  • Is it reliable?
  • What were the inputs and how is it calculated?
  • Is the information accurate, and does it meet the needs of that particular disclosure?

Is it fair to say that the internal auditors don't have a view or stake on what the reporting standards coming out of ISSB, EFRAG or the US SEC are, because they will give assurance on the fact that - whatever the standards are - the company has implemented them correctly?

Brad Monterio: The IIA is a voting member of the International Integrated Reporting Council, which is now part of the Value Reporting Foundation which of course is now part of the IFRS Foundation through all the consolidation. Those organisations and those collective efforts - like the IIRC and SASB and GRI and others around the world - recognise the importance of the voice of internal audit as part of the bigger conversation around the value of this kind of disclosure. Of course, we pay attention to this and contribute to the debate and the dialogue, not only on a national but also an international level.

We're actively involved in, and will be contributing to, the comment periods for all of these proposed rules to make sure that the role of internal audit is a) communicated and understood, and b) has a place in the process.

Does the internal audit profession have a stand on whether the standard should cover one thing and not something else?

Jim Pelletier: We would let the experts decide on the standards for that. We would want a clear set of standards that we can audit against, that would be valuable.

Having cohesive sets of standards, the more consistency there is, the less complexity, which allows us to better prioritise the audits that we're doing.

Brad, you said earlier that 'the skill set is not changing, so internal auditors are not upscaling'. That sounds to me to be different to external auditors, because external auditors will have to change their skill sets and upscale, in a way. Why do internal auditors not have to upscale?

Brad Monterio: My view is that external auditors are hiring experts, scientists, biologists, engineers to supplement the knowledge of their auditors, because their auditors are not experts in those areas. They typically are not becoming experts in those areas, but they're bringing in domain experts to sit side by side with them on the team. That's my perception and from watching hiring patterns and what the Big Four [audit firms] and other large firms are doing.

Jim Pelletier: The core skills of being an auditor are going to apply in any type of audit, in terms of understanding how you would approach assessing risk and evaluating the design and effectiveness of an internal control. Internal auditors have the skills to audit ESG or cyber or other risks. That's the underlying skills of being an auditor. But internal auditors need to be looking at what issues are emerging, and making sure that they have a strong enough understanding of those issues, that they can have the intelligent conversations they need to have with the people that they're auditing, so they can carry out those audits effectively. But those core skills of being an auditor are really not changing.