
Advancing ESG Disclosure Expectations:

The Role of Internal Audit


October 2021
ESG landscape
Environmental, social, and governance

Copyright © 2021 Deloitte Development LLC. All rights reserved. 2


The ESG landscape
What is ESG? The universe of topics that reflect areas of performance management around impacts and dependencies of the business on society and the environment

Environment
• Greenhouse gas (GHG) emissions
• Air quality
• Energy management
• Fuel management
• Water and wastewater management
• Waste and hazardous materials management
• Ecological impacts

Social capital
• Human rights and community relations
• Customer privacy
• Data security
• Access and affordability
• Product quality and safety
• Customer welfare
• Selling practices and product labeling

Human capital
• Labor practices
• Employee health and safety
• Employee engagement, diversity, and inclusion

Leadership and governance
• Business ethics
• Competitive behavior
• Management of the legal and regulatory environment
• Critical incident risk management
• Systemic risk management

Business model and innovation
• Product design and lifecycle management
• Business model resilience
• Supply chain management
• Material sourcing and efficiency
• Impacts of climate change

Source: SASB Materiality Map
The ESG landscape
Rapid pace of change: Shift from voluntary to regulated ESG disclosure

01 Standard-setters
Rapid move toward acceptance of reporting initiatives of authoritative climate-related and other ESG standard-setters
• International Sustainability Standards Board (ISSB) established
• Leading sustainability frameworks include Global Reporting Initiative (GRI), Task Force on Climate-related Financial Disclosures (TCFD), and Sustainability Accounting Standards Board (SASB) Standards

02 Regulators
Rulemaking taking shape around required climate-related and other ESG disclosures
• SEC rulemaking agenda: climate, board diversity, human capital management, cyber
• Proposed EU Corporate Sustainability Reporting Directive (CSRD) on mandatory ESG disclosures

03 Investors
Accelerating action and requests for transparency on the financial impacts of climate-related and other ESG matters
• Climate Action 100+, an investor initiative to ensure the largest greenhouse gas producers take action

04 Corporations
Ambitious commitments and enhanced climate-related and other ESG disclosures


The ESG landscape
Timeline of recent developments by US standard setters and regulators

U.S. Securities and Exchange Commission (SEC) Developments and Planned Rulemaking
• March 2021: SEC was appointed as the co-chair of the IOSCO (International Organization of Securities Commissions) Technical Expert Group to help stand up the ISSB
• January 2022 (anticipated): SEC Rulemaking Agenda: Climate Change Disclosure, Corporate Board Diversity, Human Capital Management Disclosure, and Cybersecurity Risk Governance Rule proposals
• January 2023(+) (anticipated): SEC Final Rules on Climate Change Disclosure, Corporate Board Diversity, Human Capital Management Disclosure, and Cybersecurity Risk Governance; implementation period for required disclosures (TBD)

Proposed SEC Rulemaking
Implementation Timing (what we know, all four areas): TBD

Climate Change
• Disclosure Location (what we know): Form 10-K
• Disclosure Elements (Deloitte perspective): Quantitative: Scope 1, 2, possibly 3 GHG emissions; Qualitative disclosures; TCFD recommendations; Industry-specific considerations; Scenario analysis possible
• Starting point, ESG Standards and Frameworks: TCFD, GHG Protocol

Human Capital Management
• Disclosure Location (what we know): Form 10-K
• Disclosure Elements (Deloitte perspective): Could include a “number of metrics”: workforce turnover, skills and development training, compensation, benefits, workforce demographics including diversity, and health and safety
• Starting point, ESG Standards and Frameworks: GRI, SASB, WEF-IBC*

Corporate Board Diversity (Potential alignment: Nasdaq rule approved by the SEC 8/6)
• Disclosure Location (what we know): Proxy Statement (or Form 10-K if no Proxy Statement)
• Disclosure Elements (Deloitte perspective): Nasdaq Board Diversity Rule: Public disclosure of board-level diversity metrics in standardized form; At least 2 diverse directors; If not met, explanation of reasons for not meeting or description of approach taken
• Starting point, ESG Standards and Frameworks: GRI, SASB, WEF-IBC

Cybersecurity Risk Governance
• Disclosure Location (what we know): Form 10-K potential
• Disclosure Elements (Deloitte perspective): Emphasis on disclosure controls and procedures for “all relevant available information” to be included in public disclosures
• Starting point, ESG Standards and Frameworks: GRI, SASB, COSO

*World Economic Forum International Business Council
The ESG landscape
Timeline of recent developments by international standard setters and regulators

International Developments (CDSB1, TCFD, VRF2, GRI)
• February 2021: IFRS Foundation to establish an International Sustainability Reporting Standards Board (ISSB) with support from IOSCO (International Organization of Securities Commissions)
• March 2021: Trustees form a working group to accelerate convergence of global sustainability standards with strategic direction of SSB: 1) building on well-established work of existing standard-setters, 2) working with standard setters from key jurisdictions, 3) focusing initially on climate-related reporting
• April 2021: The European Commission (EC) published its proposed Corporate Sustainability Reporting Directive (CSRD)
• June 2021: BoE/PRA3: Climate Change BES stress test
• November 2021: Announcement of ISSB at COP26
• 2022: ISSB first climate standard expected by June 2022; BoE/PRA expects TCFD compliant disclosure for listed companies/large asset owners by 2022; EFRAG SRB4 standard expected by Summer 2022, reporting requirements in effect for 2023 (management report and limited assurance)

1 Carbon Disclosure Standards Board
2 Value Reporting Foundation (formed as a result of the merger between SASB and the International Integrated Reporting Council (IIRC))
3 Bank of England / Prudential Regulation Authority
4 European Financial Reporting Advisory Group Sustainability Reporting Board
Internal audit’s organizational position and role



ESG within the organization
As the pace and impact of societal and environmental disruption continue to intensify, organizations need to build capacity to drive ESG performance and resilience.

Functions around the Chief Sustainability Officer:

Strategy
Integrate ESG factors to drive innovative and brand-enhancing strategies, including strategic choices across the value chain.

Internal audit
Integrate ESG risk and compliance considerations into the internal audit plan to instill discipline and enhance controls related to material ESG risks.

Communication
Optimize strategic communications to stakeholders to navigate changing expectations and credibly demonstrate prioritization and management of ESG risk and opportunities.

Finance
Incorporate ESG-related risks into investor engagement, pricing, forecasting and budgeting, capital-allocation and annual reporting.

Human resources
Invest in leading practices around employee health and safety, diversity, equity, and inclusion, and development to attract, retain and incentivize talent to innovate, drive productivity and deliver on the business strategy.

Legal
Understand and manage risk and liability considerations related to ESG performance – e.g., inadequate, or inaccurate disclosure of material financial risks.

Sustainability function
Design and activate strategies to deliver on the corporate strategy, purpose and ESG objectives to drive performance.

Compliance
Broaden the integration of ESG performance into the existing management control frameworks to support compliance around ESG risk.

Operations
Prioritize and measure opportunities for cost savings, risk mitigation, and reputation enhancement and implement solutions to reduce resource inputs and wasteful outputs.

Risk
Identify, manage and respond to latent and emerging ESG risks; integrate ESG risk capabilities into existing risk and control frameworks.


Internal audit’s role in assessing ESG
An adapted three lines of defense model applied to ESG reporting

Example areas to take action:
• Drive accountability and visibility while monitoring risks to the entity raised by environmental and social issues alongside ERM
• Enhance governance processes, controls, and policies
• Leadership reporting to proactively identify risks, inform action plans, and promote ESG integration
• Training and guidance to operational teams and business units
• Escalation criteria and response capabilities to mitigate threats

Three lines model
Roles across the organization have a responsibility to manage ESG risk and drive organizational alignment. The ESG program runs from desired organizational value creation through the 1st, 2nd and 3rd lines to actual organizational value creation.
• 1st line: The Board, chief executive, and management create the ESG vision and strategy, which are reinforced by functional departments that drive performance
• 2nd line: Risk, ethics and compliance, operations, finance, legal, technology, etc., help manage, monitor, and mitigate risk and actively act on opportunities; own data and are responsible for effective processes, controls, and policies supporting ESG reporting
• 3rd line: Internal audit can test relevant controls and risks, advise on ESG reporting, and validate risk mitigation activities


Inherent value underpinning internal audit’s role – internal assurance, advising, anticipating
As the third line, internal audit plays a vital role in assuring fundamental financial, operational, and compliance internal controls are operating effectively and validating the effectiveness of ESG activities

Assure.
Internal audit provides risk-based internal assurance on the fundamental financial, operation and compliance internal controls and risks of the organization.

Advise.
Internal audit advises the organization on the ability to effectively manage risk broadly. Internal audit is proactive and transparent, relevant and valued by the organization. Relevant subject matter specialists assist in delivering value added insights.

Anticipate.
Internal audit anticipates and aligns efforts to emerging risks, strategies and operational objectives of the organization. Analytics and new technologies enable the organization to deliver insightful, proactive, and future-focused insights.

• Integrate ESG risks with ongoing internal audits
• Report on aspects of these risks through audit reports
• Provide input as a key stakeholder on risk dashboards and resulting actions
• Participate in broader organizational risk governance
• Conduct targeted audits as part of risks as appropriate based on resourcing and risk appetite
• Validate risk mitigation activities
• Coordinate with other stakeholders to optimize audit coverage
• Link risks to control steps and incorporate metrics and control aspects into audit programs

• Provide input on potential risk indicators and risk appetite
• Link audit assessments and other inputs into internal audit risk assessment (e.g., surveys, diagnostics)
• Consider targeted audits in developing your internal audit plan
• Coordinate with other stakeholders on inputs to internal audit plan
Typical approach to incorporating into an internal audit plan
Boards and executive leadership are asking more of the third line to assess and audit intangible risks either through individually focused audits, audits on areas of known risk, or through incorporating elements of these risks throughout each audit in the plan.

Internal Audit Framework

Standalone reviews
Standalone assessments can help understand appropriate policy, control landscape, and responsibilities around ESG as of a point in time.

Integrated audit approach
Embedded approach should be used as pulse check on the business as part of any audit performed to ensure ESG related activities are being appropriately identified, considered, and documented.

Focused reviews
Deep dive focus can provide valuable assurance on key ESG areas, where stakeholders have concern, or where risk appetite is low.

Competency
Investment in resources with the right capability and skillset to understand, recognize, and assess ESG risks.


ESG reporting internal audits – key differences and execution


ESG reporting internal audits – key forces against the traditional internal audit approach
The driving forces of unique opportunity and risk to the traditional internal audit approach, requiring a tailored approach to the nature, extent, and timing of executing an effective audit plan.

Unique ESG assertions
− Balance
− Accuracy
− Stakeholder inclusiveness
− Materiality
− Timeliness
− Sustainability context
Applicable financial reporting assertions
− Completeness
− Cutoff
− Understandability (clarity)

Disparate reporting principles and degree of application
− Lack of common denominator across accounts and metrics (i.e., P&L flows to balance sheet, etc.)
− Varying frameworks and standards, with no generally accepted basis for reporting
− High degree of judgment in application of standards and lack of clarity on being “compliant” with a standard or framework
− Potential gaps in subject matter expertise in application of standards and frameworks
  • CDSB
  • GRI Standards
  • TCFD Framework
  • VRF’s SASB Standards
  • VRF’s <IR> Framework
  • WEF IBC

Timeliness and reliability
− Complex and disparate ownership of data sources, resulting in less-timely report compilation
− Implications of accelerated reporting timeframe (i.e., 10-K reporting)
− High degree of variation in reliability of data driven by different internal and external risk factors

Varying degrees of use cases
− Emerging “required” reporting requirements
− Internal and/or external disclosure
− Executive compensation and goal setting
ESG reporting internal audits – key considerations for a risk-based approach
Limited resources and accelerated reporting timelines imply the need for a grounded risk assessment, utilizing meaningful criteria to inform and develop a tailored audit response to material ESG reporting risks. A unique and key driver of ESG risk (and relevancy of disclosure) is an ESG materiality (or prioritization) assessment.

[Figure: “Sustainability Materiality Matrix”. Inputs: external stakeholder engagement, internal stakeholder engagement, benchmarking & industry trends, and the universe of topics. Vertical axis: influence on stakeholder assessments; horizontal axis: significance of the organization’s environmental, social and economic impacts. Quadrants: Topics for Awareness, Topics to Monitor, Material Topics for Focus.]

MATERIALITY ASSESSMENT PROCESS TO DRIVE ESG PRIORITIZATION AND FOCUS AREAS
ESG reporting internal audits – key considerations for a risk-based approach
The below can provide a starting point for internal audit functions to assess the risks across the enterprise.

Key questions to ask (ESG Risk Framework)

1. Governance and policy management
• Has the enterprise created a governance structure and culture that supports effective ESG risk management?
• Has the organization defined a strategy to strengthen internal awareness and commitment, emanating from top management (setting the “tone at the top”)?
• Is information on ESG risk being reported to the board?

2. Risk strategy and appetite
• Is ESG strategy and risk appetite consistently cascaded through the organization, including limits and metrics?
• Are ESG-related risks being considered in new products and services?
• How has ESG change and the changing external business environment affected the resilience of the business model and hence the risk strategy?

3. Risk assessment, measurement and analytics
• Has the organization defined a consistent and comprehensive methodology for ESG quantification?
• Has stress testing been adapted to reflect the long-term horizon of ESG risk?

4. Monitoring and reporting
• What ESG-related disclosures around governance, strategy, risk management, and Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) are being published?
• How is ESG risk monitoring and reporting being aggregated into existing risk practices?

5. Portfolio and capital management
• Are there potential capital add-ons that are associated with integrating ESG risk into existing risk management frameworks?
• Are there portfolios of ESG risk-related products and services to manage?

6. Risk data and systems
• Is there readily available, consistent, credible, and sufficiently meaningful data?
• What are the ‘new’ data elements that will be required for the organization, as well as its suppliers, borrowers, and other third parties?

7. Risk operating model, people and culture
• Has ownership and accountability for ESG risks been determined and is it linked with other risk types?
• How are we monitoring and understanding the complex and evolving regulatory landscape?
• Are we attracting and retaining resources with ESG skillsets?
ESG reporting internal audits – key considerations for a risk-based approach
The below highlights examples of criteria that can be applied alongside existing risk-based criteria.

Common ESG Risk Criteria
• Publicly disclosed?
• SEC reporting requirement?
• Other regulatory requirement?
• Complexity of metric and application of standard?
• Tied to organizational goals?
• Historical errors?
• Used in operations (or purpose isolated to ESG reporting)?
• ESG materiality (i.e. importance to stakeholder)?
• Data complexity and aggregation?
• Individuals responsible for preparation and review?


ESG reporting internal audits – illustrative internal audit plan and approach
A strong control environment as a part of an effective governance structure is imperative as ESG considerations rise to the top of the agenda for many stakeholders. With the increased attention on ESG comes an increased focus on data quality. Internal Audit plays a key role in bringing structure, rigor and internal controls to expanding risk areas like ESG risk.

Applying an IA approach to ESG

Disclosure
• What disclosure exists?
• Who is responsible?
• Who is involved?
• What are the significant risk areas?

Frameworks and Standards
• Are frameworks and standards used in current disclosure or internally (if so, which)?
• How can frameworks and standards enable internal audit’s review?

Process and Controls
• Are process and controls formal or informal?
• Are process and controls documented?
• How can lessons from other areas of internal controls (finance and accounting, risk management) be applied to ESG?

Leveraging the COSO Framework for ESG Reporting
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
Questions?

Christine Robinson
Partner, Milwaukee
chrobinson@deloitte.com
+1.801.366.6839

Mike Schor
Partner, Parsippany
mschor@deloitte.com
+1.212.436.6208


Modern Connected Risk Platform
Elevate your teams with a practitioner-first, collaborative, unified platform.

Thank you.
If you qualified for a CPE, you will receive your certificate by email by the end of the day.

Questions? Email events@auditboard.com.


This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other
professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your
business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser. Deloitte shall not be responsible for any loss
sustained by any person who relies on this presentation.

About Deloitte
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure.
Certain services may not be available to attest clients under the rules and regulations of public accounting.