ESG and the role of IA

A growing focus on ESG and the role for Internal Audit
As organisations look to address ESG issues and better anticipate and meet stakeholder expectations, Internal Audit has a pivotal role to play

By Sophie Langshaw, National Internal Audit Leader and Partner, PwC Australia 

Share this article

Demand for companies to report externally on their Environmental, Social and Governance (ESG) related activities doesn’t look to abate any time soon. Internal Audit (IA) is in the perfect and unique position to help ensure frameworks, governance and data are available, in place and meet stakeholder expectations.

In our recent Senior IA webcast, ‘ESG & The opportunity for Internal Audit’, I spoke with my colleague, Matthew Lunn, ESG Assurance Leader and PwC Partner, along with Penny Bingham-Hall, Non-Executive Director (NED) of Fortescue Metals, Dexus and Vocus Group, about how IA could take the lead and be clear on the vital role it needs and should be playing to help drive ESG change across an organisation. 

Matthew highlighted that in Australia, the ‘E’ element is very much front of mind, and individuals immediately go to climate-related matters, but ESG is much more than that. IA can help focus efforts on other key issues across the ‘Social’ and ‘Governance’ elements, such as responsible investments, labour practices, talent management, product safety, data security, board diversity, executive pay and more.

With this broader approach to ESG in mind, we launched our discussion with an audience poll, “To what extent has ESG been considered as part of your IA activities?”. 50% of users stated that ESG is included on their risk assessment and audit plan radar for the upcoming year, which was positive to see. Another 30% had discussed ESG as part of their risk assessment only, while just 12% had executed an ESG-related audit. IA has made positive inroads, but there’s still much room for improvement. 

Demand for transparency

External reporting expectations are usually driven by regulators, but with ESG, demand is coming from various sources. Investors, customers, employees and communities all want (and expect) companies to be transparent about their activities and to be accountable for improvement. 

There is not a set of ESG standards or broad-brush regulations that Australian entities need to adhere to, however there are a number of changes happening that are beginning to impact local companies. Robust controls, processes and data that deliver  accurate and complete ESG information that can be relied on for ESG strategy development and decision-making  are driving the agenda for IA functions in the short to medium term. 

Standards on the way 

Frameworks, principles and guidelines for ESG reporting are currently varied, but some consolidation is underway which will help IA know what to focus on. 

Matthew said in late 2021, the International Financial Reporting Standards Foundation (IFRS) formed the International Sustainability Standards Board (ISSB), with the goal to develop a comprehensive global baseline of high-quality sustainability disclosure standards to meet investors’ information needs. The ISSB has two prototypes underway – a ‘Presentation Standard’ and ‘Thematic Standard’, with the first theme being climate. The standards are being based on the Task Force on Climate-Related Financial Disclosures (TCFD) four-pillar framework, covering governance, strategy, risk management, and metrics and targets.

At an Australian regulator level, Matthew pointed out that ASIC already expects good disclosure in the Operating and Financial Review, with a specific focus on climate change risk where it relates to an entity's future financial position. Similarly, the ASX expects disclosure of any material environmental or social risks and how they are being, or will be, managed. The Australian Accounting Standards Board (AASB), has released a proposed interim climate change reporting standards framework for industry feedback, based on the TCFD, and will work closely with the ISSB to develop Australian guidance.

“So, you've got three different regulators all coming at this from different angles, but nonetheless also providing impetus for increased requirements for disclosures.” 

For IA, Matthew said this all points to a need to build ESG frameworks into everyday practice.  

“We need good internal frameworks and a robust approach to the three lines of defence to ensure a company has the end-to-end processes, controls data, frameworks, and lineage that are required to provide insights and report against the standards that are coming.” 

View from the board

From a board-level perspective, Penny said she is increasingly seeing ESG performance be considered as important as financial performance. 

“I think the general community concern over how fast our planet's heating up, and the flow-on impacts of the extreme weather events that we see all too often in Australia…combined with social movements such as Me Too and Black Lives Matter…means that all organisations are grappling with very real and very public pressure around how they manage and report on ESG.”

Penny said NEDs are concerned about different aspects of the ESG agenda, depending on their company’s sector.  

“If they're heavy-emitting and hard to abate industries, trying to plot a viable pathway to Net Zero is going to be a major challenge. Organisations with global supply chains are going to be very focused on how to assess and mitigate modern slavery.” 

For Penny, a useful way to think about ESG risk is to ask, “What are the crown jewels? What do we need to protect as a high priority? And what are the things that we need to perhaps check in on every so often?”

The important role for Internal Audit 

Our conversation turned to how IA could start to build frameworks to support ESG reporting. The most important things are to assess the design and effectiveness of internal controls over the ESG program, linking ESG risks to enterprise risks, and verifying the completeness and accuracy of data used in ESG reporting and disclosures. I broke this down into the categories of policies & procedures, data management, calculations & estimations, control design & review, and consolidation & disclosure. I then shared five actions that IA leaders can take now. These were: 

  1. Engage with the board: Audit committees are continuing to expect more involvement from IA over the data being disclosed in the public domain. Showcase how IA can help, what risks you're going to address, and any gaps that you need to meet. 

  2. Collaborate with the corporate reporting team: We’re seeing a lot of companies mirroring their ESG reporting with their financial reporting. IA can leverage existing frameworks, and critically review the controls and governance as the reporting models are built, matured and onboarded.

  3. Consider ESG as part of your risk management program: Enterprise risk management processes should include assessment and mitigation plans for all ESG-related risks. IA can identify focus areas for the upcoming audit plan. Remember, ESG risks are definitely not ‘set and forget risks’, so review them annually. 

  4. Prepare for investor-grade data: Think about how IA can test and drive rigour around ESG controls. The key is putting in the right controls around data gathering and documentation, so that what feeds through to external reporting is accurate and reliable. 

  5. Consider the role of technology in managing data: Technology solutions can help to streamline and expedite data consolidation, monitoring and reporting. IA can review new solutions to make sure they deliver these benefits.

Ready for an ESG future 

The role of IA in ESG reporting isn’t just in the set-up stages, but will be ongoing, particularly as new decarbonisation programs are implemented into companies that need to be measured and reported. Matthew emphasised that “internal audit has a big role to play in relation to the governance over those programs and projects, and the assurance they can provide”. 

For IA teams looking to collaborate more closely with external audit teams on ESG, there is great potential to streamline and consolidate activities. As noted by Matthew during the webcast, we can think about it as an “audit universe” and consider, “how does each organisation play its part from an internal or external audit perspective in that audit universe?”. 

The key is not to wait to get started, as regulation will be here before we know it. There is so much on the ESG front that IA can do to prepare – now is the time to get involved.


Contact us

Sophie Langshaw

National Leader, Internal Audit Services, Sydney, PwC Australia

+61 410 520 548


Caroline Mara

ESG Assurance Lead Partner, Newcastle, PwC Australia

+61 (2) 4925 1125