
Internal Audit and ESG: My Opinion

January 19, 2023

I have seen several articles and blog posts lamenting the apparent fact that internal audit teams are not spending a large percentage of their audit plan addressing ESG risks.

CIO.com defines ESG as:

Environmental, social, and corporate governance (ESG) is a strategic framework for identifying, assessing, and addressing organizational objectives and activities ranging from the company’s carbon footprint and commitment to sustainability, to its workplace culture and commitment to diversity and inclusion, to its overall ethos regarding corporate risks and practices. It’s an organizational construct that’s become increasingly important, especially to socially responsible investors who want to invest in companies that have a high ESG rating or score.

The three main pillars of ESG include:

  • Environmental commitment: This includes everything around a company’s commitment to sustainability and the impact it has on the environment, including its carbon emissions and footprint, energy usage, waste, and environmental responsibility.
  • Social commitment: This covers a company’s internal workplace culture, employee satisfaction, retention, diversity, workplace conditions, and employee health and safety. Companies with happy and healthy employees perform better and are viewed as a stronger investment.
  • Corporate governance: A company’s commitment to governance includes compliance, the internal corporate culture, pay ratios, the company ethos, and transparency and accountability in leadership. Investors are interested in companies that can keep up with changing laws and regulations, and that have a commitment to equity and equality in the workplace.

My reaction is similar to what it was when I read opinions that internal auditors were not spending enough time on cybersecurity.

I even saw one post by an eminent (and unnamed) thought leader that pointed out that while internal auditors saw cyber as perhaps the top risk to their organization, they were only spending 10%-15% of their time on it. They were spending more time on financial, compliance, and other operational risks.

My principle is this: perform the audit engagements that address the more significant risks to the organization and its enterprise objectives.

You can do a great deal with 10%-15% of your audit resources!


When it comes to ESG, we need to recognize the huge breadth and depth of it.

It is much more than sustainability or corporate social responsibility (CSR).

It’s not something you can say you audit in totality. At best, you can audit elements.

Much of it is not new, and governance is covered in the IIA’s Standards as an area requiring consideration when building the audit plan.


My friend, Dr. Rainer Lenz (whom I am looking forward to meeting at a company’s annual internal audit team meeting next week), has written a piece with Florian Hoos on the issue: The Future Role Of The Internal Audit Function: Assure. Build. Consult.

He says:

[Richard] Chambers recently raised “a red flag” by pointing out that internal auditors have been unduly placing Environmental, Social, and Governance (ESG) risks on the back burner. Internal auditors currently do not play a significant role as assurance providers and are absent from potential advisory services about ESG – on both sides of the Atlantic. We diagnose an “ESG helplessness syndrome.” Like in the world of animals, the internal audit function is in a state of freeze response when it comes to ESG topics. The ESG challenge is so big, and the threats for the role of the Internal Audit Function (IAF) are so real, that the profession reacts like animals in the face of a threat: they freeze. We discuss and challenge the professional demand for “objectivity” and “independence” in the ESG context as they might represent obstacles to the IAF playing a significant role in the ESG agenda. We suggest practitioners consider widening the repertoire of internal auditing. We suggest an ABC-Model © of Internal Auditing, adding “Building” as a new third pillar of internal audit value creation which complements the traditional assurance and consulting services. We encourage internal auditors to become “builders” when tackling the ESG challenge in their respective organizations. Metaphorically speaking, we borrow from Yvon Chouinard, the founder of Patagonia which is often used as an ESG role model company when we suggest “Let Internal Auditors Go Surfing” as our call to action.

Later in the piece, they say:

ESG seems to be far from being well integrated into the internal audit function’s work. Referencing the World Economic Forum and other organizations, [Richard] Chambers concludes that “overall, ESG is one of the fastest-growing risks this year (…)”; “a top risk for 2023”. At the same time, his survey among 188 CAEs and internal audit directors in organizations based primarily in North America shows that ESG risks are at the bottom of their priority list for 2023 audits, with significantly lower priority than for instance cyber and data security, attraction and retention of talent, macroeconomic conditions, regulatory changes, supply chain-related issues, etc.

Let’s think about this.

  1. ESG is not “a risk”. It is something you do. But you can have risks to the ESG-related objectives of the enterprise.
  2. Talent management and compliance are part of ESG. Saying that they get more attention than ESG makes little sense to me.
  3. Surveys are telling us that while organizations may be giving more attention to ESG today than in the past, they have started to lower their related investments given the change in economic conditions.

If management and the board have not given priority to ESG (and by that I am referring to the social responsibility elements) and have not included it in the objectives they set for the period, why should we be concerned that internal audit is doing the same?

Should internal audit be the conscience of the organization?


We can make sure the board and top management understand the risks that a failure to be socially responsible can mean to their success.

But it is not our job to tell them, bluntly, that they are making a mistake.

Our job is to provide assurance, advice, and insight.

The emphasis here is on advice.

But when management and the board set objectives, we can provide assurance as well.

For example, some years ago I visited the internal audit leadership of Adobe in San Jose, led by Eric Allegakoen. In the reception area, there were multiple displays showing the clean energy and other sustainability achievements of the company. Eric told me that his team audited and provided assurance on related reporting, some of which was included in public filings.

Rainer goes much further. After discussing and trying to set aside obstacles like objectivity and independence, he and Florian say:

We advocate that addressing ESG may be an opportunity for internal auditors and the internal audit profession to consider going beyond their core remit of rendering assurance and consulting services, to help build an ESG program – before it can be audited (by external auditors, as seems likely).

On the ESG journey, internal auditors can be most valuable as co-creators, as builders, as members of the ESG team.

When I first read this, I thought they were going too far by talking about internal audit building anything. That is a management responsibility! But then they say:

We see potential in positioning internal auditors more clearly as enablers of learning and change. We regard a promising path forward to be overcoming hurdles, including those set by professional demands for independence and objectivity. The more effective internal auditor can be “a hinge, a connector, a relation facilitator”.

Not only do I accept that, I don’t think it is anything new!! It’s just the advice part of our mission!

CAEs and their teams have been champions and enablers for many things over the years, including:

  • Risk management
  • Information security
  • Controls over derivative trading
  • Controls and security over new computer systems
  • Whistleblower and ethics programs
  • And much more

Here’s my take on the topic:

  1. ESG is about paying more attention to the role of the enterprise in society.
  2. ESG is a broad spectrum of activities and related processes.
  3. Internal audit should be aligned, where possible and practical, with management and the board.
  4. When the leadership has established ESG-related objectives, risks to those objectives should be considered when developing and maintaining the audit plan.
  5. When leadership has not established ESG-related objectives, the CAE should work to understand why not. This may be an opportunity to lead a discussion among the management team.
  6. Internal audit should be a champion when that is the best use of their time. (There are so many issues to champion, so our time should be prioritized.)
  7. Internal audit should build and maintain an audit plan that addresses the most significant sources of risk to the enterprise and its objectives. Those sources may or may not include ESG-related issues.
  8. If management and the board have not prioritized ESG, we should be careful about prioritizing it ourselves at the expense of other areas that they have prioritized.
  9. It would be better to break down the topic into meaningful parts, such as environmental compliance, human capital management, compliance, sustainability, and so on.
  10. Focus on what matters to your organization, not what others are doing.

I welcome your thoughts.

  1. Bill Spoehr
    January 19, 2023 at 2:09 PM

    The current and appropriate level of IA involvement somewhat depends on where the Company is in the ESG reporting journey. Oil & gas companies, for example, are mature compared to retailers. Also, the level of investor interest in Company ESG matters, as well as the pending SEC requirements for disclosure in the 10-K and financial statements, will further drive ESG risks and related IA opportunities. The AC must also consider the risk of greenwashing in Company ESG disclosures; obviously, this is an area where IA can, and should, consider providing some level of assurance on certain elements. I also believe the ESG “process” is an area where IA can appropriately review and report to the AC on the risks and opportunities for the Company.

    There is no global one-size-fits-all answer to the appropriate role of IA in ESG. That is something that needs addressing by the AC, the CAE, and senior management of each Company.

    It will be an ever-growing area of emphasis in the next 2-3 years as the SEC weighs in with a final disclosure requirement. It may not be SOX 2.0, but there will be plenty of heavy lifting required to comply with the rules, both by Companies and IA.

    • Norman Marks
      January 19, 2023 at 2:33 PM

      Well said. My point is that if the risks are seen as low, audit resources probably belong elsewhere.

  2. John Fraser
    January 19, 2023 at 5:21 PM

    Totally agree with you, Norman.


  3. January 20, 2023 at 12:29 AM

    Dear Norman, thank you for your feedback on the Lenz-Hoos (2023) thought-piece. I am glad to be your friend. I started to read your articles and blogs on entering the internal audit profession in 2007, and I referenced your work in my 2013 PhD. Over the course of these 17 years, I have been cherishing your rich perspective, what you say and how you say it. We do not have to agree on everything 😊 Of course, we do not. Differences in opinion are an opportunity, worth exploring in more detail, preferably in person. Thus, it is so nice meeting you in person next week, eventually, at a company event. I am very much looking forward to that. We will discuss further then over a beer or two. Best wishes, Rainer

  4. sean coleman
    January 20, 2023 at 4:11 AM

    Great article.

    There are so many competing demands and your distillation of the issues is most useful. Point no. 10 is very insightful. I think ESG emphasises the need to go beyond what matters for your organisation to what matters for the broader community and environment.
