How to Perform ESG Audits: A 5-Step Checklist

Given the hyper focus on environmental, social, and governance (ESG) issues by investors, the public, and other stakeholders in recent years, it's no surprise that overlooking ESG issues can lead to massive reputational damage, legal liabilities, and the loss of investor and customer trust. Missteps in ESG are costly, and companies are starting to pay attention.

But managing ESG risk is not all downside. There’s plenty of opportunity when these risks are handled correctly. According to McKinsey, companies that effectively manage ESG-related risks benefit from higher equity returns, a lower cost of capital, more sustainable operations, and increased employee productivity. 

ESG audits are valuable tools for both protecting organizations and taking advantage of ESG-related opportunities. These audits are designed to assess how environmental, social, and governance factors could affect your organization, and knowing the potential impact allows companies to proactively address any risks and seize upon opportunities.

Just like auditing operational or IT risks is integral to any risk and compliance program, comprehensive and continuous ESG auditing helps protect organizations from ESG-related risks. 

This article provides actionable guidance on how organizations can successfully carry out ESG audits to limit downside risk while capturing ESG-related opportunities. 

What is ESG?

ESG stands for environmental, social, and governance, and covers each organization’s responsibilities beyond taking care of their bottom line. 

ESG reflects the fact that businesses have responsibilities beyond financial performance, where it’s operating in a sustainable fashion, taking evolving societal pressures and expectations into account, or complying with increasing disclosure requirements. In short, businesses today need to meet their financial and other goals while also doing the right thing, and that’s the core idea behind environmental, social, and governance management.

ESG management helps organizations evaluate their sustainability and societal impact by identifying how environmental, social, and governance factors affect their business. Is there a major source of pollution or poor labor practices somewhere in your supply chain? Is your organization committed to diversity and inclusion? Are there glaring differences in your compensation structure tied to factors like race or gender?

Organizations are focusing on ESG to meet these evolving stakeholder expectations as their awareness of their responsibilities toward these issues grows.

Understanding ESG risk

ESG risk is the potentially negative impact of environmental, social, and governance factors on a business. Whether this risk is external or internal, it can significantly impact an organization's reputation, operational efficiency, and financial performance. ESG risk differs from other types of risk organizations manage, such as operational risk, third-party risk, or legal risks, but it also ties into each of these other types of risk in various ways.

Let’s take a look at each type of ESG risk.

Types of ESG risk

Environmental

Environmental risks stem from an organization’s impact on the natural environment and span issues such as climate change, resource depletion, and pollution. Climate change-related risks include extreme weather events, resource scarcity, and regulatory changes impacting carbon emissions. Supply chain risks may involve issues like deforestation, unethical sourcing, or disruptions due to environmental factors. Pollution risks encompass air and water pollution, waste management challenges, and hazardous materials handling.

Social

Social risks arise from a company's relationships with employees, customers, communities, and other stakeholders. These risks are related to things like labor standards, diversity and inclusion, and data privacy. Labor standards risks include poor working conditions, human rights violations, child labor, and forced labor within the company's operations or supply chain. Data privacy risks arise from poor handling of or unauthorized access to customer data, leading to reputational damage and legal consequences.

Governance

Governance risks flow from an organization's internal processes and structures, such as leadership, ethics, and transparency. Diversity risks arise when organizations lack diverse representation in leadership positions or fail to promote inclusivity and equal opportunities. Ethical risks involve fraud, bribery, corruption, and unethical business practices. Compensation risks include excessive executive compensation or a mismatch between executive pay and performance.

Real-world ESG incidents and their consequences

Companies that fail to manage or mitigate ESG risks face financial, reputational, and legal costs. Some examples of this include:

• BP's Deepwater Horizon oil spill in 2010, which resulted in the loss of lives, extensive environmental damage, and significant financial liabilities, damaged BP's reputation and led to massive fines and legal settlements.
• Volkswagen's diesel emissions scandal in 2015, when the company intentionally manipulated emissions test results, leading to environmental pollution and undermining consumer trust. The company faced substantial financial penalties, lawsuits, and a damaged brand image.
• Facebook's Cambridge Analytica scandal in 2018 revealed the mishandling of user data and raised concerns about privacy and data protection. The incident triggered investigations, legal actions, and public backlash, negatively impacting Facebook's reputation and user trust.

A comprehensive risk management program identifies the variety of risks an organization faces. ESG audits are a part of that, helping organizations identify and assess their impact on the environment and society, and develop strategies for mitigating or otherwise addressing ESG risks. 

These audits are an essential source of information for investors, employees, and customers, who demand accurate information and transparency around how organizations approach ESG issues.

What are the benefits of an ESG audit?

ESG audits provide transparency on environmental, social, and governance risks and opportunities, allowing companies and organizations to benefit from stakeholder confidence, regulatory compliance, and an enhanced reputation.

Other benefits include:

• Building investor and consumer confidence: Demonstrating commitment to ESG standards and transparently reporting performance builds stakeholder trust and confidence.
• Avoiding reputational damage: ESG audits help identify and address potential risks before they escalate, protecting reputation and brand value, and generating positive publicity. 
• Attracting and retaining talent: Today's workforce values companies that prioritize sustainability and social responsibility. ESG audits showcase an organization’s commitment to these values, making attracting and retaining top talent easier.
• Improving compliance with ESG-focused regulations: ESG standards and regulations are on the rise globally, varying by industry and geography. Countries such as the US, UK, and Singapore are or have enacted mandatory ESG reporting. As regulations evolve, conducting ESG audits ensures compliance and avoids legal and regulatory repercussions.
• Strengthening social and environmental stewardship: Embracing ESG values goes beyond compliance to positively impact society and the environment. ESG audits demonstrate commitment to an organization’s responsibility to society and the environment. 

What is ESG assurance and why is it important?

Another concept central to ESG management and ESG auditing is ESG assurance. ESG assurance submitting your organization’s ESG audits and other information for independent, third-party verification of ESG performance, compliance and reporting.

ESG assurance enhances transparency, builds trust, and validates an organization's commitment to ESG goals. It gives stakeholders confidence that the information reported has been checked for accuracy, reliability, and is aligned with established standards and frameworks. 

Attaining ESG assurance also makes it easier to broadcast your organization’s commitment to ESG, since stakeholders will know of and trust the accrediting organizations, similarly to how obtaining SOC 2 or ISO 270001 certification makes it easier for organizations to prove their cybersecurity standards.

ESG audits vs. corporate social responsibility

While complementary, ESG audits and corporate social responsibility (CSR) differ in scope and purpose. CSR is self-reported and refers to a company’s voluntary contributions to social and environmental goals, such as carbon emissions, volunteer hours, or charitable donations. ESG audits focus on specific ESG metrics and becnhmarks that can be externally validated.

How to perform an ESG audit

An effective ESG audit requires buy-in from multiple stakeholders, adherence to specific ESG standards, and detailed reporting. Using an ESG checklist makes it easier to identify, understand, and manage ESG risk.

1. Understand your ESG risk exposure

To effectively identify and manage ESG risk, you need to understand where in your organization they exist. This requires interviewing internal and external stakeholders to fully understand how ESG factors impact the organization, and digging into ESG data. 

A comprehensive risk assessment should include everyone in the company’s sphere of influence, including senior management, customers, suppliers, investors, and employees, and should reveal the most critical ESG issues and areas where the organization may be falling short.

2. Choose an appropriate ESG audit framework to conduct your audit

Fortunately, you don’t need to start from scratch when preparing to perform an ESG audit: There are numerous proven frameworks available that provide jumping off points for ESG auditing.

Select an ESG framework that aligns with your organization's goals, industry standards, and geography or jurisdiction. There are a number of accepted frameworks that can help assess ESG risks, such as ISO, SASB, TCFD, and GRI. 

• GRI: The most popular or well-known of these frameworks comes from the Global Reporting Initiative (GRI). This framework is focused on sustainability and impact reporting. 
• ISO Standards: The International Organization for Standardization, or ISO, offers multiple internationally accepted frameworks that outline best practices in different domains. Some useful ISO standards that provide ESG audit frameworks include ISO 26000 (Social Responsibility), ISO 14001 (Environmental Management Systems), and ISO 45001 (Occupational Health and Safety).
• SASB: Industry-specific ESG standards issued by the Sustainability Accounting Standards Board offer ESG frameworks that focus on subsets of environmental, social and governance issues most relevant to financial performance and enterprise value. 
• TCFD: Finally, the Task Force on Climate-Related Financial Disclosures (TCFD) also offers an ESG audit framework for climate-related financial disclosures which can be used across different industries and jurisdictions. 

As some frameworks address a specific aspect of ESG, you may want to consider whether using or combining parts of multiple frameworks makes sense.

3. Set up reporting and develop ESG KPIs

Measuring, tracking, and reporting ESG goals and initiatives is critical to a successful ESG risk management program — you need to be able to prove that what you’re doing is working. 

Using key performance indicators (KPIs) to communicate progress on ESG goals helps align the organization and build stakeholder support. Examples of ESG KPIs include carbon emissions reduction targets, diversity and inclusion metrics, and employee health and safety indicators.

After determining the appropriate KPIs for each ESG goal, identify the root contributors and desired outcomes. Centralized repository and reporting dashboards, such as those found in modern GRC software like LogicGate Risk CloudⓇ’s ESG Solution, can help track and communicate ESG audit results and measure progress on ESG goals.

4. Automate for continuous auditing and evidence collection

ESG auditing is never a one-and-done activity. New ESG-related issues are emerging all the time, and you need to be constantly performing audits to ensure you’re staying on top of all of them.

Continuous auditing of this sort can be done through automated evidence collection and reporting via a modern risk management platform. Manual data collection and processing introduces the potential for human error, inconsistency, and inefficiency, while automated evidence collection ensures accurate collection of ESG data, supports centralized risk reporting, eliminates siloed communications, and frees up resources to help your organization achieve its ESG goals. Automation also strengthens audit results and ensures accurate reporting.

5. Determine where ESG risks fit into your overall risk management program

Recognize the interconnectedness of ESG risks with other types of risks across the organization, such as cybersecurity and third-party risk. Engage the appropriate people to ensure everyone is aware of and buys into ESG strategy and goals. Incorporate the findings from ESG audits into the broader risk management framework to inform decision-making and prioritize risk mitigation efforts. 

Common challenges and mistakes in ESG auditing

ESG auditing can present several challenges and common mistakes, including:

• Inadequate stakeholder engagement: Not involving the right people can lead to incomplete risk assessments and missed opportunities for improvement. Avoid this by conducting thorough stakeholder interviews and involving cross-functional teams in the audit process.
• Lack of standardized metrics and reporting: Organizations can’t effectively measure and communicate their ESG performance without clear metrics and reporting frameworks. Address this challenge by adopting recognized ESG frameworks, such as those discussed above.
• Manual processes: Humans make mistakes. Relying on manual execution of data collection and audit reporting can result in missed opportunities to identify, capture, and mitigate ESG risk. 
• Siloed Data: ESG data should be collected from across the organization. When data is siloed and access is limited, the organization may not fully understand the ESG risks it faces.

When, how, and where to report ESG audit results

So you’ve got our ESG audit results. What should you do with them, and when are you required to do something with them?

Organizations report ESG audit results for various reasons, including transparency, accountability, and stakeholder expectations. The board and senior leadership may review results to ensure visibility and enable informed decision-making. Additionally, organizations may voluntarily disclose ESG audit results to demonstrate their commitment to sustainability and attract investors and customers who prioritize ESG considerations.

Regulators may require periodic disclosures in some cases. For example, publicly-traded companies must submit ESG reports/disclosures to regulatory bodies like the U.S. Securities and Exchange Commission.

How to obtain third-party ESG certifications

Third-party certifying organizations build stakeholder trust and reputational protection by independently verifying the organization’s ESG practices and commitment to sustainability. 

These organizations use a defined framework to assess an organization's ESG performance against recognized standards and issue certifications or ratings. Often, they’ll require your organization to submit information to their independent auditing teams to verify that your ESG activities and standards are aligned with their specific organization’s requirements for certification.

Top ESG issues to keep an eye on

There’s certainly no shortage of existing and emerging ESG issues out there, but here are a few that are drawing the most attention right now:

• Climate change and sustainability: Climate risk and increased regulatory and consumer pressure to reduce emissions and improve environmental standards and stewardship is impacting how companies operate, making improving sustainability of operations an imperative. Climate-related weather events and other issues are also requiring organizations to pay more attention to business continuity and operational resiliency.
• Diversity, equity, and inclusion: DEI issues are on everyone’s mind, with investors, employees, activists, and the public demanding improved hiring practices, fair pay, and more diverse workplaces.
• International conflicts and war: International conflicts, such as the ongoing war in Ukraine, inject uncertainty on oil and gas prices, fuel social pressure and hacktivist campaigns against organizations doing business with one side or the other, add financing pressure, and limit business opportunities.
• Supply chain ethics and sustainability: Consumers are paying increased attention to supply chains and demanding more ethical practices. Companies are being scrutinized and those that allow poor labor conditions, low pay, or environmentally damaging sourcing practices are being penalized both financially and reputationally.

Streamline your ESG auditing with GRC technology

Protecting your organization from ESG risks is part of an effective enterprise risk management program. Risk Cloud's ESG Solution can help you achieve your ESG goals and streamline ESG audits with automated data collection, simplified reporting, and continuous auditing and evidence collection.

Learn more about Risk Cloud's Environmental, Social, and Governance Solution and how it can streamline your ESG audits.

 

SOC 1®, SOC 2® and SOC 3® are registered trademarks of the American Institute of Certified Public Accountants in the United States. The AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.