The IIA has learned from over 75 years of experience that Internal Auditors can get too comfortable doing the same thing year after year, decade after decade. The world changes, organizations change, risks change – and Internal Audit should adapt, too. The IPPF includes a requirement for a periodic Quality Assurance Review (QAR) of the Internal Audit function, including a periodic external review – recommended no less than once every five years. This is so Internal Audit can instill more confidence in the Board that they are directing their attention to the issues that matter.
The IIA’s Environmental, Health & Safety (EHS) Audit Center provides benefits to IIA members in the ESG space. EHS auditors should abide by the IPPF – including the QAR provision. Many organizations’ EHS audit programs remain rooted in mitigating risk of agency enforcement. EHS audit program leaders have largely kept up with new laws and regulations, adopted new technology, and maintained audit skills. However, in this “second line” EHS audit function, few EHS audit programs have procured an independent QAR. The design of many EHS audit programs dates back decades – the world has changed a lot since then!
ESG audit programs can demonstrate value – and attain their “seat at the table” – by adopting practices used by other types of audits. ESG audits are commonly “second line” functions, per the IIA’s Three Lines of governance model (formerly “Three Lines of Defense”). The IIA’s IPPF has long included the requirement for periodic independent QARs. This independent insight provides comfort to the Boards that Internal Audit has been exposed to other perspectives on risk and risk mitigation practices for the benefit of the organization. Internal Audit functions risk settling into a rut without this independent perspective. Second line audit activities – including ESG audit programs – have not embraced this practice, but they should.
QARs provide value, regardless of the level of maturity of the ESG audit program. Environmental compliance audits have been around for nearly 40 years. Programs, plans, checklists, and IT platforms have grown up to support them. Other ESG audit programs are relatively new, such as ESG provisions in supply chains. DHC believes that other ESG risks should be audited with more regularity and rigor than they are now. In particular, companies’ ESG disclosures in financial filings (often following SASB guidelines) are important to stakeholders. Shouldn’t stakeholders have confidence that they’re reliable? DHC considers the relative maturity of the ESG audit program in conducting QARs.