Internal audit in ESG and sustainability planning

Join our team for Episode 4 of Material Observations: Insights on Internal Audit

Nov 06, 2023

Over the past few years, there’s been a major shift in how businesses approach sustainability. From customers and employees to investors and regulators, more stakeholders have a vested interest in changing corporate culture to inspire climate action. Reliable data and reporting are at the heart of those initiatives, which means internal audit has a key role to play.

In the fourth episode of our podcast, “Material Observations: Insights on Internal Audit,” Katie Landy, RSM risk consulting principal, hosts an experienced panel of sustainability pros, including Trish Beltran, RSM manager of sustainability services solutions, and Anthony DeCandido, RSM co-leader and principal of sustainability services solutions, to tackle critical environmental, social and governance (ESG) issues.

The sustainability panel shares insights from their memorable projects and experiences, with real-life observations of internal and external pressures driving transparency. As the team sees it, internal audit has an important role to play in planning and reporting as the world tries to become more sustainable.

Listen to Episode 4 of our podcast to hear more about the convergence of internal audit with ESG and sustainability.

Edited transcript

Katie Landy: Hello, and welcome to episode four of RSM's Material Observations: Insights on Internal Audit, where we will explore what's happening in internal audit today. I'm your host, Katie Landy, risk consulting principal at RSM. Today I'm joined by Trish Beltran, manager of Sustainability Services Solutions at RSM, and Anthony DeCandido, partner and co-leader of the Sustainability Service Solution Practice for RSM. We're going to be talking about ESG and the role that internal audit plays in sustainability planning. Let's get started.

All right, guys. Thanks for joining me today. Obviously, there's been a significant shift in how businesses are approaching sustainability and the responsible practices. We're talking about factors that include stakeholders, investors, regulators, and how we're recognizing the value of integrating environmental, social, and governance considerations into those decision-making processes. We'd love to hear from you all first on the evolving landscape of ESG and specifically sustainability.

Anthony DeCandido: Sure, Katie, thanks for having us here with you today. I'm glad to start in that response. I think number one, the biggest difference of how businesses have organized over the last five to seven years today is around this idea that companies want to do both good financially, but simultaneously do well societally and for things like climate action. So it's a basic business tenet that mass majority of professionals could get behind because who doesn't want to demonstrate pro-societal outcomes and climate actions while simultaneously driving financial performance? The real crux of the discussion, I think, surrounds itself with at what cost and with what opportunity, and the balancing of that to me is the needle that's really difficult to thread.

I would describe the market in two separate forms. One is the elevated stakeholder concerns for the sustainability topic. You hear terms like ESG and impact and corporate social responsibility thrown around all the time. And the second is for pending regulatory responses. So we're in a market today, particularly in Europe and other parts of the global marketplace, whereby companies already have to comply with things like CSRD or Sustainable Finance Disclosure Regulation. Here in North America, we're only beginning to see that. And so for the audiences who are listening in here, I imagine most are oriented to the regulatory and compliance side of the house, which is highly important. But I think it's also important to note that stakeholder concerns for the topic have preceded regulations in many parts of the world and therefore validate the purpose of the exercise in the first place.

KL: Awesome. Appreciate that background, Anthony. When we think about ESG and specifically how internal audit can support the program development or the execution of the program, we'd love to hear you all on the role of which internal audit has played. I'm sure that we need to take into consideration the maturity of the ESG programs themselves, but also the maturity of the internal audit function.

Trish Beltran: So related to the internal auditors, I really see them as a key contributor to the reliability of ESG data and reporting. Just like their native function, they're validating that accuracy, completeness, and consistency of the data. So the ensuring of the same way towards the ESG data, we would look into seeing them as being that kind of third round of control that we tell our clients. That first round being really data process owners that's in day-to-day. The second round being the process and procedures they might have to support those data process owners. So the third control would be the internal auditors who would be providing that independent assurance of the process to really probably uncover some of the continuous improvement that they would have to look into as they're setting up this ESG programming and process. So conducting those independent assessments that I was mentioning, I really see the internal auditors playing that role of enhancing the credibility and trustworthiness of the organization's ESG disclosures and reporting.

ADC: Yeah. And just to add to a few things on that, I agree with what Trish is saying. I mean, risk plays a tremendous role in institutionalizing the contents of reporting. Very similar to as she described we've observed in financial reports historically. What we've noticed within our client deck thus far has been this wave of companies striving for that institutional grade. So the market's been shown to have, especially mid-cap companies rush to report, many have now reported. But then the question gets begged around, "Well, what's the usefulness or reliability of this information and how is it elevating itself into boards and amongst C-suite and management?" And that isn't something that we've observed pervasively is occurring.

So to me, I think where risk [inaudible 00:05:02] plays a huge role is elevating the reporting function of broad sustainability topics, both quantitative and non-quantitative so that it has higher level of relevance amongst the C-suite. Now, where things sometimes go wrong is we've observed that in not all cases are risk departments being included in the discussion at the front end of strategy. So to us, in order for sustainability reporting to truly be effective, risk assurance, finance teams, they have to be included at the front end of these sustainability strategies in order to put their fingerprints on what that report will ultimately look like at the later stages of that strategy.

TB: Yeah, exactly. Because to that point, I think for one of the clients that we executed a staff augmentation support for the ESG internal audit process, one of the items that we uncovered was really just the first step in that cross-functional type of internal audit process because those metrics that's being reported on is all throughout the different departments of a business. And so as part of that, and even going in towards the testing or the questioning of where data was coming from, there was a lot of education that needed to happen. So if internal audit was really at that forefront of the strategy and just being really weaved into the cross-functional idea of ESG, then that could also help set up for the process that they plan to execute. So I think one of the foundational items to really get started on is at least to do that cross-functional education on ESG and then what's being planned to be audited as part of that internal audit process.

KL: Well, it's clear that having that seat at the table upfront is going to be necessary to support the program overall. And just by the nature of what your team does, I'm sure you guys have seen the gamut of very immature ESG programs and then very mature. Can you share with our listeners maybe some use cases and some best practices where organizations have had some quick wins and maybe some considerations for more long-term focus projects and investments?

ADC: So one of the things that comes up more often than not are gap assessments. So for those that have a regulatory mindset around pending SEC climate-related disclosure rules or things like CSRD, the initial interest is to ensure compliance. And that's important. There's value in all that. None of our clients want to be noncompliant. So more times than not what that looks like, it's just directing what are some of the gaps between the practices that would be expected of a compliant organization under those regs versus what are those existing business practice. So we've done those types of services for many years from a financial lens, and we repeat that approach for sustainability in this way.

Because internal audit departments are sometimes very lean and because these business topics are newer and require some technical orientation, we also get a lot of fair shake around outsourcing, especially as it relates to things like CSRD, which is a global regulatory requirement. So certain groups have engaged with RSM to bring our staff on their staff as an augmentation type of arrangement. And then we also see a fair number of instances where there's some form of technology rollout. So we as a firm have done demos with at least three dozen or so tech-enabled sustainability solution providers, ranging from things that feel like an ERP system to things that elevate decision-making, to things that have a pure public company reporting lens. Whatever the end state may look like, technology has a very high enabling factor for driving sustainability strategies. And so we've gone through those adoptions with some of our teaming partners.

Just to circle back on one thing you said, Katie, on the things we've observed that have caught us by surprise in one such example, a Fortune 500 footprint company, very rich decarbonization strategy, very high ESG rating scores that are shown publicly. We started this program thinking, "Despite our efforts, are there really going to be a lot of advisory opportunities within this gap assessment?" And we were surprised to learn that despite all that public-facing press and perceived excellence in market, there were a tremendous number of gaps within that organization. Certain lack of reviews, certain folks didn't have basic technical orientation to things like climate accounting or emissions accounting. Parts of the organization weren't working cross-functionally or collaboratively with one another, particularly in front-end strategy and back-end risk and reporting. The list goes on and on and on and on. So that for us was a bit illuminating just to see a company who gets so much market cred for their sustainability program actually underneath the roof having so many issues that were worth remediating.

KL: It's interesting to hear that obviously folks are investing a lot in these programs, but sometimes it takes a third-party to take a look at what's underneath the hood and see what we're really working with.

I'm curious from your guys' perspective and what you've seen, obviously internal audit, I feel like, has traditionally been associated with as a compliance function, but oftentimes rearview facing. Not looking ahead necessarily what's to come, but looking at things retrospectively. So given where we are today with the global focus on sustainability, what do you anticipate organizations should be ready for in the next several years? And then more specifically, how can internal audit or what can they do now to be prepared to support their business as that evolves over time?

ADC: Yeah. To me, the first term that comes to mind is value creation. I mean, no doubt risk departments will always have to deal with compliance, but over time, that's just going to be seen as table stakes. So all of us need to center around why ultimately are we doing this exercise. So I'll kind of end where I started, which is seeking to drive elevated financial performance while simultaneously driving pro societal and climate results.

But an informed risk professional, whether it's in the service provider side of the house or on the company side of the house, has to determine what they're doing and how it correlates into financial value. And there's so many opportunities in plain sight that people don't always see. There might be federal and state credits and incentives. There might be cost containment opportunities. There might be higher exit multiples if a company completes a possible transaction, access to new geographies and products and organizational innovation. There's a whole slew of things that even our brightest and most sophisticated clients don't always connect to. And I think it's equally the role of risk professionals and also the front-end strategy folks to show that to the C-suite, to show that to the boards, to validate ultimately the exercise in its first place.

TB: In addition to that, I think to also bring back to one of the points that Anthony brought up earlier, we are in this really unique position where we're seeing two different approaches to ESG integration or ESG maturity between how we're doing it in the US and in Europe, the difference of that top-down approach in Europe and bottom up approach here in the US. So I think one of the tangible things that those in the compliance area can look into is any of the regulations that might pop up in our jurisdiction is already being implemented across the seas. So we can see how those reports are being put together. We can see that ESG frameworks that's already being called out, that our own potential regulations that's being proposed is using guidelines to almost represent the same type of reporting structure. So I think in that sense, we almost have a guide to what might be needed to be reported on and look into those reports that's already published to also kind of put that into the same way into the current reporting that may be expected of us in the near future.

KL: That's a great call out. So we should be looking at our constituent and colleagues over in Europe and taking what they've put in place or lessons learned from them that we could then apply here in the US.

I often get asked by our internal audit clients on what is the outlook as it relates to ESG sustainability and will this become SOXified. Anthony, would love to get your thoughts on your vision for the future or what internal audit organizations could anticipate from that perspective.

ADC: I think that's right on. I mean, most people don't recognize how the sustainability reporting landscape has already been codified. So just as financial professionals know that FASB has its imprints on things like GAAP and IFRS, and every single financial statement line item that's reported on is able to be mapped to certain accounting policies and such.

The same is true for sustainability reporting. The issue is that most people don't have that fundamental knowledge basis on these reputable reporting frameworks. So things like SASB that our team is licensed in, or GRI, the Global Reporting Initiative, or Task Force on Climate-related Financial Disclosures, TCFD, even the GHG Protocol, every one of these topics has codified quantitative and qualitative metrics. So my personal technical background is in financial reporting, so this feels very familiar to me because these metrics get outlined and there's authoritative guidance for how you report and why you're reporting these things that any reasonable practitioner can follow.

So getting to your question about the SOXification of it, absolutely, because as I mentioned earlier, companies have rushed to report. Reporting has been overall shaky, questionable around its decision usefulness. The next chapter of that evolution stage is groups are reporting better and better and better, and they're absolutely going to report better as they're required to for regulatory purposes, particularly the public's first large accelerated filers, accelerated filers, then small reporting companies. And so you just start seeing this trend line where the quality of reporting will increase, which then creates the need for risk professionals to institutionalize reporting with complete and accurate data.

The groups that we've supported that are most advanced, they're already doing this. They serve as a really good forecast for us as to how our predominant mid-cap company client base might similarly adopt at a future period. So I think that's right on, Katie, and I fully expect that to occur, not necessarily suddenly, but reasonably over the next number of years.

KL: Obviously with ESG and sustainability, there's a lot to unpack, and as organizations continue to adapt to the evolving landscape, what would you leave our listeners with, a piece of advice or suggestion on where to start or what to do moving forward?

ADC: Sure, I could take that first. I think number one, sustainability will effectively be another business language that all corporate leaders will speak over time. So yes, there's going to be pockets of expertise. Our team is well-trained in all things climate-related or sustainability-related. But most of our clients will just need to have a cursory knowledge-base over that. And there's some pretty easy things that groups can do to get themselves well-informed. For example, the Task Force on Climate-related Financial Disclosures has a learning hub, it's free. You can bring yourself from zero to hero in your organization reasonably quickly at no cost. That's number one.

I think boards especially need to take a sponsorship sort of role in this. Without that sponsorship feel, these programs and initiatives don't always catch wind like they otherwise should. I even see that in our organization. With all the different things that we have going on, when you have that executive sponsor, when you have accountability, when you delineate that onto the field, it makes for so much more of a productive type initiative.

And then lastly, I think over time you're going to start seeing these topics live in a greater number of people's scorecards. Certain top corporates are already showing that climate action and diversity equity inclusion initiatives and metrics are being outlined within performance management. So that's a whole different ball game where you start hitting people's pockets if they don't behave that way and you start rewarding them differently when they do. And so I'm curious to see how that all plays out. But those are just some of the initial things that come to mind around what we're in store for over time. How about you, Trish?

TB: Yeah. For me, I'd say just start to have the discussion, whether it is you know what you think you might be expecting to do. Or if you don't know, then you can at least outline what it is you don't know. And then from there, you can start to look at maybe where are your pressures coming from. Are they internally? Are they externally? Are they coming from your customers? Your investors? Is it regulation driven? Or is it internally to the point of you want to be that impactful company towards how you're operating in the communities that you're in? Or just whatever angle it may be would be the way I'd see this ESG movement is for that particular company. And that is because in this layer of ESG reporting, it really is about that transparency and intentionality, so I think understanding why you're doing it is really one of the basis of how you can set up your ESG program better.

I can't think of a right word for that, but how to just really do this in the right way, I guess. But I didn't really want to say "right way," but really in the way that ESG is meant to do, which is to make people and organizations more accountable to what they're doing and impacting both people and the planet.

KL: Well said. Appreciate that. I know by trade you all aren't internal audit practitioners, but I know through the clients that you've worked on, the projects that you've delivered, you partner with internal audit teams regularly. And at the end of the day, this is an internal audit podcast. So I've got one signature question for each of you to answer, and that is, can you share a memorable experience or a memorable project you did on the topic of sustainability with internal audit that you are most proud of or was most memorable?

ADC: I could think of one because it just happened today. So there's a crown jewel, RSM client, very rich relationship from both a partner level all the way through a senior partner level. These are individuals that have board responsibilities for RSM. We were introduced. There was some skepticism around, "Does RSM really have the chops today to execute upon this type of mandate?" At the period of time we got engaged, we have done some of these, not loads of them like we feel like we've done now. And so there was really good collaboration that occurred on the onset of passing over institutional knowledge. There was an education that the sustainability professionals gave to the risk professionals. There was communication around who was going to do what and why. Because once you outline the design of a sustainability reporting strategy, a lot of these functions can be administered by a risk professional. That's something not enough people know yet.

And all in all, we did a climate-related disclosure gap assessment, which is kind of an off-the-shelf solution that we have in risk. And by all accounts, this client is very happy. When we presented to a CFO today, very positive feedback. And then what we also like about the arrangement was that with a lot of the gaps that we defined, there's remediation plans. And the CFO in this case asked us for what our remediation scope of work would look like for the next part of the program. So to me, a buying client buying more services is probably the best proof of their satisfaction with the services. And for me, it helps me sleep well at night knowing that we deliver value to these groups. And I had nothing to do with that project, by the way. I just listened in.

TB: So for me, I think what comes to mind is one of those staff augmentation projects. And I think what was fascinating about it is that we were hired really just more of additional support because typically there's resource constraint at the client site so they just kind of needed more bodies to execute an internal audit process. But for this, it was an ESG internal audit process. So it was actually that collaboration between the ESG advisors, sustainability professionals, along with the internal audit group. And so while we were executing the project and doing the internal audit testing and process for the client, at the very end when we finally were presenting our findings, we did find some of those internal improvements that they should be looking into because that process of assurance is including the examination of the ESG data, their systems, their process, really looking at that cross-functional team that I was mentioning earlier.

So really what that process uncovered is that there was really very specific areas that they could now note for next year's reporting to really help them get a grasp of what they really needed to do. So an example would be something as really specific as that data was coming in a very specific invoice or whatever it was, but it was unknown to the next party or group how the kilowatts and the consumption of that electricity was being then converted by another group. So just the communication of how something that was not really a financial metric now being incorporated into something that's externally reported and just really understanding how that whole conversation needs to be had, the client found it really valuable to have that collaboration between the two teams because it brought the strength of how we go about our internal audit process alongside the advisory of how then should I be aligning to the ESG frameworks and guidelines of how I should be reporting to this.

And then we also, like Anthony mentioned in that other example, provided basically the same thing here where we were able to give them that next steps of recommendations of what it is to look into that more structured process or enabling those internal controls or how to align to the SASB, the TCFD, the ESG reporting frameworks we mentioned as well. So overall, really great collaborative. And I do see internal audit as the drivers in that positive change in ESG practices as they will be that extra set of, like I mentioned earlier, that third wave of control that would give that independent assurance to the company. So their input I think is very valuable to the continued improvement of everything.

KL: Great insights and love hearing the stories where we can clearly see the convergence of internal audit and ESG and sustainability and what we've done today. And I'm sure there'll be plenty of opportunities to do that again here going forward.

All right, thank you to RSM's Trish Beltran and Anthony DeCandido for their insights. And thank you to our listeners for joining us today.
