Professional Documents
Culture Documents
Internal Audit
and ESG criteria
THE INSTITUTE OF INTERNAL AUTIDORS OF SPAIN is a professional body founded in 1983, and its mission is to contribute to the
success of businesses by promoting Internal Audits as a key aspect of good governance. In Spain it counts with around
3,500 members, internal auditors in the leading companies and institutions in all sectors of the country’s economy.
LA FÁBRICA DE PENSAMIENTO is the think tank of the Institute of Internal Auditors of Spain for corporate governance, risk
management, and Internal Audits, in which more than 150 members and professional experts participate.
INTERNAL AUDITS GOOD PRACTICES IN RISK MANAGEMENT SECTOR OBSERVATORY GOOD GOVERNANCE PRACTICES
The laboratory operates with an essentially practical approach to the production of documents based on good practices that
help to improve good governance and risk management systems in Spanish-speaking organizations. Besides creating content,
it also promotes the exchange of information among its members.
Internal Audit
and ESG criteria
November 2021 - 7UDQVODWLRQ)HEUXDU\
This document has been split into two parts. The first will develop the
definitions and identify the fundamental aspects of each of the E, S and G
factors in terms of strategy and governance, risk management and establishing
the reporting framework. The second part will focus on the process of Internal
Audit work on ESG criteria by considering the approaches, tests and indicators
that can be used as reference.
Our proposed model will be very useful as a guide to managing the supervision
of the ESG aspects, although each Internal Audit team will have to adapt,
develop, and complete it with reference to the nature, circumstances and
context of their organization.
3
I N T E R N A L A U D I T
Contents
EXECUTIVE SUMMARY 06
CHAPTER ONE: 08
FUNDAMENTAL ASPECTS OF ESG CRITERIA
Definition and impact .............................................................................. 08
CHAPTER TWO: 23
THE INTERNAL AUDITING OF ESG ASPECTS
Fundamental attributes to consider in Internal Audits for handling
ESG work ................................................................................................ 23
CONCLUSIONS 53
BIBLIOGRAPHY 54
5
I N T E R N A L A U D I T
Executive summary
In recent years, there has been an increase in committees who are in charge of handling this
awareness of environmental, social and issue (Audit Committee and Sustainability
governance (ESG) issues among companies Committee, where present) through defined
and their stakeholders. These aspects have responsibilities and mechanisms, such as an ESG
become the center of attention of many policy or the integration of targets related to its
management boards and regulators around remuneration model.
the world, and they now, in many cases
Identification, assessment and
condition business strategy. Although ESG
management of ESG risks and
criteria come accompanied by significant risks,
opportunities, which are based on a suitable
The ESG aspects can they also represent a gateway for new
analysis of materiality and allow identification of
condition business opportunities.
critical issues, risks and indicators.
strategy and entail It is in this context that the role of Internal
significant risks, but Internal Control System for Non-
Auditing gains greater importance for adding
they can also provide Financial Information
value to the company, both in its role as
new opportunities. provider of assurance as well as in its role as (ICNFR), which is essential to ensure
the coverage of risks associated with ESG factors.
trusted advisor.
Entity level controls and controls specifically
It is important for Internal Auditing to consider directed towards handling ESG related risks are
a series of key aspects that, not only guide its necessary, as well as training that focuses on
fieldwork, but also contribute to adequate these subjects. There also needs to be a policy for
planning. The mentioned aspects are: non-financial information and adequate reporting
and communication resources.
Strategic management and
supervision by the company’s An ESG reporting framework. As
governance bodies and senior well as a formal and documented ESG
management are key actors to ensure the reporting process, organizations must
proper handling of ESG issues and their also assign specific roles and responsibilities
integration into the corporate strategy, in so where technical expertise is required irrespective
much as the need for these to be aligned with of traditional reporting lines and organizational
the vision and purpose of the company, and hierarchy. A review is essential at this point to
the expectations of its stakeholders. It is ensure that the information is suitable, complete
therefore fundamental to count on the and correct, which means that there must be
commitment and leadership of the Board of internal and external validations.
Directors and the support of its delegate
6
I N T E R N A L A U D I T
It is also fundamental that Internal Audits coverage for each and every one of the risks that
identify the specific risks for the material may arise. The importance of these will depend
questions within each one of the three pillars of on factors such as the culture, analysis of
ESG, and establish a specific approach towards materiality, the business model, the industry,
work. This document is intended to serve as a the business context, etc.
manual to guide internal auditors in this task.
However, it does not claim to provide full
It is fundamental to take into These include respect for The structure, governance
account aspects such as Human Rights, diversity, and responsibilities of the
emissions, contamination, equality, contribution to governing bodies of
management of material and society, hiring and companies are important
natural resources, management of human here, along with the
biodiversity, ecosystem resources, safety, the health expectations of
services, circular economy and wellbeing of employees stakeholders, strategies,
and waste management, as and training. risk management and
well as climate change. investments, the
remuneration system, the
internal regulatory
framework information
systems, transparency,
supervision and reporting,
ethics and integrity,
measures to tackle
corruption and bribery and
tax affairs.
Specific types of risks of different categories and those that are just taking their first steps.
have been identified for each of these pillars: In essence, for an Internal Audit to provide
strategic, compliance, financial and value for companies and to fulfill its role of
operational; approaches are suggested to compliance with ESG factors, it has to consider
internal auditors about how to address those, both general and specific aspects of each of
along with possible indicators. these pillars.
This guide can be used by internal auditors of
organizations with more a mature ESG culture
7
I N T E R N A L A U D I T
STRATEGY
AND FRAMEWORK
GOVERNANCE REPORTING
RISK
MANAGEMENT
8
I N T E R N A L A U D I T
· S - Social. This gathers the effects generated · G - Governance. This includes indicators
on human resources and the other related to the internal structures of
stakeholders of companies: respect for companies, policies and decision-making in
Human Rights, investment in human capital, the processes, and how these factors affect
working practices, occupational health and the different stakeholders; the structures of
safety, supply chain management, training, management and leadership, working
and relations with local communities, relations, the policies established by the
among others. principles of independence, transparency
and accountability, the promotion of good
practices and the fight against bribery, fraud
and money laundering ...
The environmental impact of the Impact on society, the community, the The inclusion of good governance
business, such as pollution, the use of economy and stakeholders in general. practices in institutions, in recognition
resources, or the adaptation to, and of its fundamental role among
mitigation of climate change. shareholders, clients, employees and
all the parties involved in business
decisions.
The main objectives in the Some of the main objectives in the social Some of the main objectives in the
environmental sphere (in accordance area (in accordance with the Global good governance area (in accordance
with the Taxonomy of the EU) are: Reporting Initiative (GRI) international with the Global Reporting Initiative
· Climate Change: standard of reference, are: (GRI) international standard of
reference, are:
- Mitigation of climate change. · Eradication of social inequalities.
- Adaptation to climate change. · Development of solid internal
· Social inclusion.
structures for management,
· Environmental Challenges: · Improved working relations. leadership and relations.
- Sustainable use and protection of
· Investment in human capital. · Encouragement of independent
water and other marine resources.
- Transition towards a circular · Protection of local and indigenous decision making.
economy communities. · Support for transparency and
- Prevention and monitoring of · Preservation of cultural heritage. accountability.
pollution. · Promotion of good practices.
- Protection and restoration of
· Fight against corruption and fraud.
biodiversity and ecosystems.
9
I N T E R N A L A U D I T
the ISO 2600 Standard - Guidance on Social (both from 2015) and, more recently, the
Responsibility (2010); the OECD Directives OECD Due Diligence Guidance for Responsible
(2011); the United Nations Guiding Principles Business Conduct (2018) are the most
for Businesses and Human Rights (2011); the outstanding examples of this topic.
Performance Standards of the International
Finance Corporation (2011); the Sustainable
Development Goals (SDG) or Paris Agreement
Sustainability
Performance Sustainable
Standards Development Supervision of climate
Carbon disclosure Environment/Social risks in the Insurance
Directive Goals (SDG)
Project sector
Disclosure of
Non-
Financial
Protocolo de f
Montreal Reporting
Framework Standards CP on Sustainability
Acuerdo Reporting
Principles de París
10
I N T E R N A L A U D I T
Total assets worth more than 20 million euro, This document, directed to fund and asset
annual net turnover of more than 40 million management companies, venture capital
euro, and an average workforce of more than companies and financial advisors, sets out the
250 employees. This includes companies of obligations for disclosure of sustainability
public interest with consolidated accounts information, in accordance with the content of Sustainability
where the business groups are in excess of the EU Regulation 2019/2088, of the European governance plays a
above and, therefore, companies that issue Parliament and Council, of November 27, crucial role, because the
listed securities. 2019, on this subject. setting of objectives for
In addition, they will have to consider the Internal Auditors must therefore - when ESG matters will
specific nature of the sector in which the planning work related with ESG risks - condition the corporate
company operates, focusing the attention on consider very carefully the sector where the social responsibility
those which are subject to specific legal company operates and the legal obligations strategy that the
requirements. For example, on February 18, which it is subject to. company intends to
2021, the CNMV (Comisión Nacional del follow.
Mercado de Valores) published a Note on the
forthcoming application of Regulation
2019/2088 on the reporting of information
about sustainability in the financial sector.
STRATEGY AND
GOVERNANCE
The importance of governance and
defining strategy in ESG areas. The CNMV recommendations for listed
companies, the Law on Corporations and Law
When addressing ESG matters, sustainability 11/2018 on non-financial information and
governance plays a very significant role, diversity are all in alignment: boards have to
because the objectives defined for these areas guide, oversee and monitor their companies’
will condition the corporate social approach to sustainability.
responsibility strategy that the company wants
to apply. Moreover, the current Code of Good
Governance of Listed Companies of Spain
There are two main components: strategic (hereinafter CBGSC) explicitly assigns to the
control and supervision. Senior management is Audit Committee the task of supervising and
responsible for the strategic leadership in the evaluating the process of preparation and
implementation of objectives in ESG matters. It integrity of the financial and non-financial
defines the actions to be taken and appoints information, as well as the responsibility for
the people in charge of carrying them out. The supervising the systems for controlling and
Board of Directors is responsible for the managing financial and non-financial risks,
supervision. which include operational, technological,
legal, social, environmental, political,
11
I N T E R N A L A U D I T
reputational and bribery risks. The latter are Sustainability or Corporate Social
mentioned explicitly in the identification of the Responsibility has often been linked with the
control and risk management policy, along long-term competitiveness of companies.
with assurance provided by Internal Auditors. Companies that handle these aspects in
This is intended to ensure coherence of the accordance with their main activity and
financial and non-financial aspects, both with purpose will achieve better outcomes. Not only
regard to their management and risk will they identify new opportunities in the
assessment, and with the annual reporting of market and create innovative products,
Sustainability must be
information. This is also aligned with the improve their interaction with their
included in the
direction of regulation in Europe, as we can stakeholders and converge in the medium term
company’s process of
see in the European Union’s current plan to towards more inclusive and sustainable
strategic planning to
revise its directive on non-financial business models, but they will also become
estimate its relevance
information3. more competitive and improve their
for achieving its
reputation.
purpose and getting
closer to its vision. Integration with corporate strategy: The role of regulators is equally significant. As
vision and purpose of management an example, the Sustainable Finance
Disclosure Regulation (SFDR) - in force since
Given the potential impact of ESG risks, it is March 10, 2021 - which requires all financial
inevitable that they be incorporated into the entities that sell products in the European
business strategy and processes, in order to Union to be more transparent on the
ensure the long-term financial resilience of the sustainability of their investment products.
company. By guiding the business in a more
responsible direction that is consistent with Expectations of the stakeholders
the expected social and environmental
transition, it is more likely that the companies
The most common internal and external
plan ahead and ensure they are better
stakeholders are: shareholders, employees,
prepared to prevent and mitigate the long-
investors, financial institutions, suppliers,
term negative impacts of ESG risks and to take
clients, partners, competitors, authorities,
advantage of any associated opportunities
regulators, public bodies, social groups, local
that may arise.
communities and proxy advisors.
Sustainability must also be included in the
company’s process of strategic planning to It is absolutely vital to manage these relations
estimate the extent to which it is relevant for when a company is developing its
achieving its purpose and getting closer to its sustainability strategy. The ability to respond to
vision. all their needs and expectations and
remunerate them according to the value
attributed to the company is the starting
3. Under review during the period when this document was being prepared.
12
I N T E R N A L A U D I T
point to ensure that the ESG aspects are being Include ESG risks within the risk appetite
managed competently, to achieve sustainable framework and in risk models.
profits in the long run. It means that the - Guarantee that Internal Audits include ESG
company is better adapted to its situation, risks in their reviews.
avoids risks and reduces uncertainty, and is
- Consider a remuneration policy that ties
capable of grasping opportunities arising from variable salary components to the
returning value to the society in which it achievement of ESG objectives.
operates.
Provided that ESG aspects must be
In sum, it should be underlined that ESG is an incorporated into the company strategy and
issue that cuts across areas and needs to are a source of value creation, these should be
The concept of ESG
permeate the whole company, not only the supervised and managed from the main
must permeate the
units which are traditionally client/investor organs of governance and direction of the
whole company,
facing, but also others that are commonly company. For example, the CBGSC indicates,
engaged in supervision, such as Internal including units which
in its recommendation number 53, that among
Control, Risk, Compliance and Internal Audit. have traditionally been
its other responsibilities, the Board should
engaged in
supervise questions related with ESG matters.
supervision, such as
Administration and sustainability
A distinction is also needed between the Internal Control, Risk,
committees Compliance and
functions of the Audit Committee - based on
The most senior governance body is involved assurance - and the functions of the delegate Internal Auditing.
in the approval of policies and objectives committee responsible for sustainability, which
related with ESG matters and is responsible for guides the strategy.
encouraging the development of their
companies through the following key Policy on ESG matters and the
initiatives, among others (according to the incorporation of ESG goals into the
recommendations of the European Banking remuneration model
Authority, the EBA):
A defined sustainability or ESG policy in the
- Integrate ESG matters into the corporate
culture. company must include:
- Consider ESG risks in the risk committees or - The principles, commitments, objectives
create specific committees. and strategy related to the company's
- Implement a training program for specific relation with stakeholders.
ESG knowledge and skills within the - Systems for monitoring compliance with
company, and incorporate board members policies, the associated risks and their
with knowledge and expertise on the management.
subject.
- The risk supervision mechanisms for ESG
- Define and supervise a clear structure for
matters.
assuming responsibilities in this area.
13
I N T E R N A L A U D I T
5. European Commission. Interim study on the development of tools and mechanisms for the integration of
environmental, social and governance (ESG) factors into the EU banking prudential framework and into banks' business
strategies and investment policies, 2020.
14
I N T E R N A L A U D I T
into account, and which need to be updated Materiality analysis is a tool that helps a
on a regular basis. company understanding which ESG factors are
the most significant, establishing a new dialog
The result of this analysis of materiality with management, and raising new questions.
indicates what is “material” for the company The underlying ESG risks will then be defined
and what guides and reinforces the from these factors, allowing the creation of
sustainability strategy and, therefore, its ESG risk maps.
overall strategy6.
Significant
issues
Diversity and Socially
Climate Equal responsible Priority for Iberdrola
change opportunities investment
Environmental dimension Economic dimension Social dimension
Example of a materiality matrix. SOURCE: Iberdrola. Statement of non-financial information - Sustainability report (2020)
6. VIVES, A. Materialidad: 12 principios básicos y una metodología para la estrategia de RSE. Ágora. February 2015.
15
I N T E R N A L A U D I T
Material
Evaluate the Identify real Assess the Give priority to features
situation and potential importance of the most
of the impacts the impacts significant
organization identified impacts to
report.
Check the
Collaborate with material
stakeholders and aspects with
relevant expertise experts and
users of the
information
7. Global Sustainability Standards Board. GRI Universal Standards: GRI 101, GRI 102, and GRI 103 – Exposure draft.
Amsterdam: GSSB, 2020.
16
I N T E R N A L A U D I T
the company’s strategy is in climate disparity between the value obtained and
scenarios. what was anticipated for that specific risk. The
· In view of the criteria for eligibility for Next mitigation can be achieved by adopting
Gen funding, there is a growing demand for controls that are aligned to the nature and
methods for assessing social impact risk, characteristics of the risks. Society itself is
whether for social impact or the positive setting more demanding thresholds every year
effects of company operations. The for ESG risks, which is forcing companies to
aforementioned methods may combine continually review their risk appetite or to plan
either quantitative elements (such as the ahead so that they are not left behind.
propagation effect) or qualitative elements The best practice is
Usually, for ESG risks there is zero tolerance obtaining a quantification
(such as the effects on vulnerable groups).
towards non compliance with governance and of risks by modeling their
· Determining financial impact is not enough frequency and impact,
social aspects, and more stringent
and aggregating it
to assess certain impacts, such as those requirements in relation to the environment, through correlation
affecting the environment. These cases either due to regulatory restrictions, the matrixes.
usually involve the use of qualitative scales spectrum of which is expanding, or due to the
to account for issues which are significant negative effects of reputation or financial
for the company, per se, but which are not impacts (worse conditions for loan financing,
properly reflected in financial terms. for example).
The best practice is to quantify risks through The company's governance bodies and senior
the use of modeling, both of frequency and
management will be kept informed through
impact, to enable the subsequent insertion of
the reports created from the risk register and
those risks through correlation matrices.
the corresponding risk map (heat maps in
When assessing risks, the value or losses that which the axis of the matrix indicate impact
each risk could cause is compared with the and probability).
maximum loss or value that the company is
willing to accept (risk appetite). This can be
done by considering the company’s mission
and values, its SWOT and materiality analyses
and its strategy. ESG concepts must be
embedded in these sections, for these to be
Impact
17
I N T E R N A L A U D I T
With the aim of continuously supervising risks for each of the selected risks.
and monitoring how they change, there are
several examples of Key Risk Indicators (KRIs)
18
I N T E R N A L A U D I T
out to provide assurance over non-financial job descriptions etc. to incorporate the
information. responsibility in the ICNFR. The
coordination of the different control
In accordance with the COSO integrated
functions is essential to guarantee
framework for internal control (2013) - main effective and efficient coverage, and the
international reference for internal control plan to develop or evolve the ICNFR to a
frameworks - the components and main level of maturity suited to the specific
mechanisms that must be designed, circumstances and context.
implemented and operational to ensure an
- Review codes of conduct and
effective ICNFR are:
whistleblowing provisions and
· Control environment documentation to ensure coverage of
This refers the awareness and importance non-financial information.
afforded to control and supervision of the - Establish a training program with specific
non-financial reporting process by senior material for the persons involved in the the tone at the top
management. The tone at the top will favor preparation and review of the non- will favor an
appropriate
an appropriate definition of standards of financial information that covers aspects
definition of
conduct and policies, and determine the associated with internal control and risk standards of
structures, the supervisors and assign management. The CBGSC reinforces this conduct and
supervisory responsibilities requirement, making the evaluation of policies, and
The main mechanisms to ensure that this experience and specific knowledge of determine the
non-financial risk management as one structures and
component has been well designed,
assign supervisory
implemented and is functioning would be: additional criteria when appointing
responsibilities
- Preparing a policy that defines the members to the Audit Committee.
responsibilities related to the existence,
· Risk assessment
implementation and supervision of the
ICNFR. Here it is important to highlight a This has already been covered when
recent and highly significant regulatory describing materiality and risk management.
milestone: the partial modification of the
CBGSC in June 2020, which assigns the · Control activities
supervision and assessment of the These shape the necessary instruments to
elaboration process and integrity of non- carry out the most important supervision
financial information to the Audit activities in accordance with the risk
Committee. This result of this means that assessment. The following mechanisms
a system of ICNFR becomes critical to should be considered to ensure correct
governance. implementation:
- Drafting of a manual that describes the - Identify and define the processes and
ICNFR, similar to that of the Internal implementation of control activities,
Control of Financial Information (ICFR), based on on the analysis of materiality,
with the review of organization charts,
19
I N T E R N A L A U D I T
identifying the most important risks on This component is singularly important given
which to build the list of indicators and the distribution of ownership of ESG risks
the control model. throughout the organization. (environment,
- Select and implement IT General Control HR, corruption etc.). Correct definition of
for systems involved in constructing non- reporting lines is key to the system of ICNFR
being efficient.
financial information, making sure we are
able to confirm our assertions. Software solutions are often employed to
Internal Auditing must construct the Statement of NFl. It is
- Review ICFR policies and procedures an
supervise the design and important to consider the requirements for
evaluate need for including specific NFI
effectiveness of the aggregation and consolidation from
provisions.
controls included in the different systems.
- Use of significant information: identify
scope of the ICNFR audit · Supervision
key, necessary information for the correct
review.
definition of control activities. Does As previously mentioned, the latest update
materiality analysis and relevant of the CBGSC clearly attributes the
indicators provide relevant information on supervision and assessment of the
control activities? elaboration process and integrity of the non-
financial information to the Audit
· Information and communication Committee.
Mechanisms must be in place to provide
The supervision of the design and
relevant, accurate, timely, effective and effectiveness of controls covered by the
precise information on performance of the scope of the ICNFR audit is an important
organization in non-financial matters. part of the overall process of assurance and
supervision that Internal Audit performs for
the Audit Committee.
20
I N T E R N A L A U D I T
21
I N T E R N A L A U D I T
Responsibility for accuracy must be borne by generated, and the levels of control
the area that produces it. established, whether automated or
validated manually, according to the case.
The reporting process Once the company has listed this
information, requirements of reporting non-
Like processes for Financial Reporting, NFI
financial information must be considered -
reporting must have clear and defined process,
both in terms of type of indicator and the
with internal controls built in to assure
Reporting ESG aspects timing - in order to define, as required, any
integrity and accuracy.
must be a clear process additional needs that might be relevant.
with internal controls to Once the information required for internal and Compiling non-financial information
ensure integrity and external reporting has been defined, the involves a variable number of indicators that
accuracy. function responsible for coordinating the must be selected so that their content is
process must consider the following factors:
adapted to the demands of each company
- Calendars. department and their characteristics, and
- Scope. the frequency in response to the needs.
- Allocation of responsibilities.
· Year on year comparison
- Definition of indicators and reporting
manual. The principles related to defining the quality
of the INF must enable the establishment of
- Tools.
solid and reasonable evaluations by the
- Training. company in view of the following:
- Consolidation.
- Clarity: the information must be presented
in a way that is comprehensible and
Review and monitoring accessible for the stakeholders.
· Frequency and monitoring of the relevant - Accuracy: it must be precise and detailed
non-financial indicators enough to allow the stakeholders to
This section provides a list of the different assess the company’s performance.
sources of information from where the non-
- Balance: it must report both positive and
financial data has been extracted, and its
negative aspects of the company’s
characteristics in terms of integrity,
performance to allow a reasonable non-
automation and type of reports that can be
biased assessment.
- Comparability: the company must choose,
compile, and report information that is
coherent and comparable.
22
I N T E R N A L A U D I T
23
I N T E R N A L A U D I T
24
I N T E R N A L A U D I T
25
I N T E R N A L A U D I T
8. For example, Law 7/2021 on Climate Change and Energy Transition, in force since May 2021.
26
I N T E R N A L A U D I T
ENVIRONMENTAL
Distinguishing between greenhouse gases and pollution emissions
Absence of a specific • Verify that the strategy is included in the road map and in the company’s --
deployment plan that is action plans and that the objectives set are specific and measurable.
integrated in the activity.
• Confirm that there are intermediate targets that enable any deviations to
be detected.
Inadequate measurement Assure periodic performance reviews of emissions reduction plans. KPIs for fuel consumption (e.g,
that impedes measurement Verify indicators exist for emissions and verify the exactness of calculations. kilometers covered/total
of performance. liters).
KPIs for electricity
consumption (e.g, total
consumption/production
volumes; energy
consumed/number of
employees; energy
consumed/hours worked).
Substances that deplete the ozone layer (ODS) Emissions of substances that
Where relevant: deplete the ozone layer (GRI
305- 6).
Confirm that the calculated ODS emissions are within the set limits and in
compliance with the regulations. KPIs in relation with the
production of ODS (e.g,
difference between the
amount of ODS produced
minus the amount destroyed
by approved technologies, and
minus the amount used as raw
material for the manufacture
of other chemical substances).
Nitrogen oxide NOx (excluding N2O), SOx, volatile organic compounds EM-EP-120A.1 EM-RM-120
(VOC) and particles (PM10), H2S, HAP A.1 RT-CH-120A.1 (SASB).
Confirm that the method for calculating emissions (direct measurements, Air emissions for each
based on data centers, estimates…) is correct and properly backed up. category (GRI 305-7).
Non-compliance of the Confirm that the company complies with the regulations for emissions that No. of penalties. Amount of
standard may apply. penalties (€).
27
I N T E R N A L A U D I T
28
I N T E R N A L A U D I T
Reputational risks:
- Absence of a strategy for improving material
consumption, waste minimization and promotion
of recycling and reuse. No consideration of the
analysis of product or service life-cycle.
29
I N T E R N A L A U D I T
CLIMATE CHANGE
Governance
Non-compliance with the - Review of the company’s public commitments in relation to governance - The company’s sustainability
organization’s agreed on (e.g. Sustainability Report, information reported to CDP, information sent rating.
governance model. to other rating agencies (e.g. DJSI, FTSE).
- Number of jobs in the
- Comparison with elements of governance (previous risk) and definition of company with specific
senior and intermediate management positions (in areas like Sustainability, responsibilities in managing
Risk, Strategy, etc.). climate risk
Misalignment between the - Review of the information shared by the company in relation to the risk N/A
reported risk management management process (e.g. Sustainability Report, information reported to
process and the process CDP, information sent to rating agencies (e.g. DJSI, FTSE).
used internally.
- Review of the risk policy and process of risk management (or, where
relevant, risk manual).
- Where relevant, review of the latest process to identify and assess risks
(“risk workshop”) with a focus on climate risks: basic documents, input
information, insights generated.
- Review of the process of identifying mitigation plans for climate risks.
30
I N T E R N A L A U D I T
Strategy
Dissemination of messages - Analysis of information shared with stakeholders (i.e., frequent reports, - Climate value at risk by
not aligned with the information sent to investment funds or raters and messages to investors scenario
outcome of climate risk in roadshows) in showing a resilient strategy to the climate change
- CVaR breakdown by
quantification exercises. scenario.
business and geographical
- Review of the outcomes of internal climate risk quantification exercises area
(Net risk/opportunity impact) by climate scenario.
Investor flight or restricted - Assure that the company pursues a short, medium, and long-term energy - Reviewing the strategy plan
access to finance due to: transition and decarbonization strategy, and that goals for its and the degree of
implementation have been set and are being followed up. compliance with goals.
- Not providing detailed risk - Assure that a short, medium, and long-term risk assessment of the
information to investors. - Number of fully or partially
company’s climate change mitigation activities has been carried out. completed risk assessments.
- Not providing information Ensure this is completed with an action plan.
on the organization’s - Number of outstanding
resilience strategy for - Assure existence of policies and regulations regarding the management of items on action plans, length
climate scenarios. greenhouse gas (GHG) emissions, inventory measuring and its verification. of delay, criticality of the
- Ensure the quality of data (measuring instruments, calculations, tools, etc.) item.
measuring GHG emissions, as well as reduction of such emissions and - Verification of emissions and
offsetting measures. strength of registration and
- Verify that the company has a governance model, defining roles and reporting processes.
responsibilities. - Verifying reports issued by
third parties for their
validation in accordance
with international standards
(ISO 14064).
- Degree of implementation of
the control model.
- Number of climate change
goals which have an impact
on the remuneration
systems for senior
management and
employees.
31
I N T E R N A L A U D I T
Goals
Non-inclusion of - Review of existing remuneration policies, both for managers and for - Percentage of staff whose
sustainability indicators in employees, identifying elements linked to sustainability. variable remuneration is
remuneration. partially affected by
- Review of associated indicators and alignment with the company’s overall sustainability indicators.
goals.
- Average percentage of
variable remuneration
affected by sustainability
elements.
32
I N T E R N A L A U D I T
Additional voluntary benchmarking standards The proposed approach would split auditing
in the financial sector are the Principles for in to two areas:
Responsible Banking and the Principles for - Environmental risk assessments performed
Responsible Investment, backed by the United on clients, transactions and vendors,
Nations, establishing the general principles for assessing financial and reputational impact
banking and investment, as well as on the organization.
transparency and reporting obligations for - A detailed review of the audit approach for
companies adhered and the UN’s Principles for climate risks.
Sustainable Insurance (PSI).
33
I N T E R N A L A U D I T
Environmental analysis
34
I N T E R N A L A U D I T
35
I N T E R N A L A U D I T
Asset management: Integration of climate risks in the investment process: 3. Maximum expected loss
- Verify end to end investment process (policies/investment guides, due to natural disasters
Environmental and climate risks caused by climate change
are not sufficiently considered in decision on asset selection, building the investment portfolio,
portfolio management and monitoring, participation of (life/non-life/reinsurance).
the investment process and may
lead to financial loss and shareholders and reporting). 4. Total losses attributable
reputational risk. - Verifying that the investment policy provides proper guidance in the to insurance payments due
investment process, highlights investment goals and is aligned with to (1) expected natural
the investment strategy in terms of climate risks. disasters, (2) unexpected
- Verify that, for an adequate selection of assets, climate factors are natural disasters, by type of
included (indicators, trends, ...) in the macroanalysis, based on the event and geographical
industry and country, and that an estimate is made of the potential area.
financial impact of climate risks in each industry on cash flows, the
balance sheet, income, and integrated in assessment models.
- Verify that the environmental challenges in companies invested into Asset management
are analyzed, with special focus on carbon footprint (scopes 1, 2 activities:
and 3) and GHG emissions volume compared to its competitors in
the industry. 1. Breakdown of assets
- Verify that climate risks are integrated in the process of building managed by each business
the portfolio and of selecting the investment strategy to be area through the different
followed to integrate said climate factors. types of assets
- Verify climate-related performance monitoring is carried out for (equity/bonds/infrastructur
assets. e/real estate/structured
products/MBS/derivatives).
a) Validate the application of the company and the group’s 2. Rate of funds managed
Subscription restrictions: responsibly (Social
subscription directives, including:
The entity may have not altered - The existence of a list of banned activities. Responsible Investment)
its subscription activities to over total assets managed.
comply with the restrictions and - Existing processes to ensure compliance with the subscription
prohibitions set by the group. policy.
- Appropriate communication of the strategy regarding the
The entity may not comply with application of the subscription policy to the entity’s employees.
subscription restrictions set by
the group. b) Validate that the company has defined a criterion to screen all the
green projects and activities in its insurance portfolio, as well as a
related control model, to monitor the degree of implementation of
adopted policies, and to review the management process for
additional existing risks related to climate change.
c) Validate that locally defined criteria are aligned with the restrictions
set by the group (i.e. Restriction to insure assets related to coal and
oil sands, drilling in the Arctic Pole or illegal fishing boats).
d) For exceptions, make sure that the entity involves relevant
governance bodies and consults the Corporate Responsibility and
Risk Management areas for advice.
“Green” hazards:
Validate credentials of claims settlement process (repair v
The entity may not comply with replace, sustainability of parts and materials etc.).
the group’s regulations on green
hazards.
36
I N T E R N A L A U D I T
Strategy
RISKS AUDIT APPROACH INDICATORS
Measures for climate Strategy to manage the organization’s carbon footprint: 1. Group’s financed
impact: - Validate that the environmental policy is defined and consistent with emissions (Scope 3):
(qualitative and quantitative) goals and action plans (i.e. Reducing CO2 - Quantity (in EUR million) of
Incorrect reporting of carbon-related assets in the
environmental operations emissions by person by 25%, 15% water consumption, 95% of paper is
recycled or proceeds from sustainable resources). portfolio or % over the total
from operations. portfolio.
- Validate that there are clear and precise action plans aimed at reducing
- Weighted average carbon
the company’s environmental footprint (i.e. CO2 emissions, electricity intensity per portfolio
consumption, business travel, vehicle fleets, paper, water consumption,
- Volume of exposure by
waste management).
industry or counterpart, to
- Verify the usage of actual and reliable data to report information (under show the concentration of
the framework of Directive 2014/49/EU on non-financial reporting). exposure towards low/high
carbon intensity industries.
1. Business model:
Business model:
Verify climate impact on business model is measured over different time 2. Percentage of income from
Climate risks are not frames. Assure that outcomes of analysis are considered in decision products or services that
considered in objective making. finance/invest in economic
setting or decision making, activities contributing to
thus potentially threatening mitigating or adapting to
continuity of business. climate change (according to
There might be the risk that 2. Business strategy: EU taxonomy).
the company is not feasible
in the future due to an a) Ensure the company has short, medium, and long-term energy transition
inadequate strategy or and decarbonization strategy, that goals for its implementation have been
set, and that they are being monitored (i.e. that there are goals aligned to 3. Volume of financial assets
green-washing risk. financing sustainable
the entity’s customers’ portfolio to comply with the Paris Agreement to
keep global warming below an increase of <2ºC). economic activities which are
a significant contribution to
b) Verify that the short, medium, and long-term analysis of climate risks has mitigating or adapting to
been accounted for when determining the company’s strategy and setting climate change (compared to
new business goals. total assets) according to the
c) Verify that goals (KPIs) have been defined aligned with the company’s EU taxonomy. Example of
climate risk strategy and that the latter have been adequately reported in retail banking: % of loans for
the company and are monitored. electric/hybrid vehicles, % of
d) Assess if the entity’s product and services portfolio consists of mortgages for more energy
products/services to finance or invest in assets promoting sustainable efficient housing, Example of
activities substantially contributing to mitigating or adapting to climate wholesale banking: % of
change. loans to improve energy
efficiency in housing.
1. Investment strategy:
Responsible investment: Validate that an adequate action plan has been implemented in the 4. Number and quota of
Investment strategy may company to achieve the goals of limiting “global warming” under 1.5ºC subscription products offered
diverge from the by 2050, including at least: in relation to climate (non-
organization’s climate - Verify the company’s investment plan to achieve the group’s Green Bond life/reinsurance) - (if the
goals. goals. company has prepared a
specific offer by geographical
Investment process does - Analysis of the entity’s plan to launch transition bonds assets. areas specially exposed to
not comply with policy. - Verify that blacklisted investment aligns to goals to full detachment from extreme climate events).
coal as set out in Paris Agreement or by the WEF.
The organization may not
promote the development
5. No. of climate change
of greens bonds and
goals included in
transition bonds financing.
remuneration systems for
senior management and
employees
37
I N T E R N A L A U D I T
Reporting
38
I N T E R N A L A U D I T
Social risks are driven by numerous factors. Initiatives such as GRI give a basis on which
Diversity and equality in policies, training and we can look at risks possible audit
development of employees, health and safety, approaches for organizations.
care for and contribution to society and the
promotions of positive impacts in stakeholder
communities.
SOCIAL AUDIT
Diversity and equality
Weak vendor due diligence - Review onboarding process for new vendors or suppliers that include Child labor, forced labor or
program or processes can acceptance of ethics code covering social and environmental risks. mandatory labor risk.
lead to indirect criminal - Review evidence for ethics training given to vendors. (GRI 408-1b, GRI 409- 1).
liability for organizations.
39
I N T E R N A L A U D I T
- Evaluate design of, and compliance with, policies related to freedom of Freedom of association and
association and collective bargaining provisions. right to collective bargaining
at risk (%) (GRI 407-1).
Percentage of working
population covered by
collective bargaining
agreements.
Long term strategy for - Obtain the strategic plan and goals in the longer term related to ESG Criteria and indicators set in
adding value to society is matters, as well as indicators associated to each of them, and verifying the company's strategy to
not aligned with companies favor the community at social
their degree of compliance, following up, if applicable, action plans that level. (Deviations).
activities. may arise because of deviations.
40
I N T E R N A L A U D I T
Innovation
RISKS AUDIT APPROACH INDICATORS
No clear strategy for - Verify that R&D+i projects are meeting the established deadlines and Innovation benchmark
innovation may limit growth physical and financial goals. between organizations and its
and competitiveness. competitors.
Innovation indicators included
in the strategy.
Technological advances are - Review metrics and indicators. Manual ordinary tasks vs
not deployed in line with automated tasks.
competition. - Review internal controls over bot deployment.
Workers’ free hours vs robots.
41
I N T E R N A L A U D I T
42
I N T E R N A L A U D I T
Training
RISKS AUDIT APPROACH INDICATORS
Employees do not receive - Assess governance when setting employee’s training strategies and % of employees that have
required training. goals. received training.
- Evaluate controls over the recording of training hours and attendance. (GRI: 404- 2).
- Verify that learning objectives are achieved.
- Review content of community development programs and performance
against objectives.
Discrimination in training. - Verify that training is provided to all employees of the same rank. No. of yearly training hours
- Assure that there are no discriminatory practices. per employee. (GRI: 404- 1.)
- Assessing the criteria to select employees for training. % of employees receiving
regular feedbacks on their
- Verify the consistency of the adopted approaches for training. performance and professional
- Review the percentage of training hours among the number of development. (GRI: 404-3).
employees.
Unmotivated employees - Review employee satisfaction with training programs. Training programs to upgrade
affect talent retention and employee’s skills.
productivity. - Verify if actions are implemented based on survey results. (GRI: 404.2).
- Investigate high employee rotation and root causes.
Lack of employee talent - Assure whether training goals are included for future workers. Programs to help transition.
and employability in the (GRI: 404.2).
- Verify the existence of training help programs to drive future
medium/long-term. employment.
GOVERNANCE AUDIT
There is a consensus between markets, More specifically this covers management and
investors, society and employees that good leadership structures, labor relations, policies
corporate governance is critical. The establishing independence, transparency, and
supervision of ESG criteria in organizations is accounting policies, promotion of good
therefore gaining importance at board and practices, or the fight against corruption,
management level. fraud, and money laundering, among other
factors.
Governance in this sense includes those
aspects related to the organization’s internal
structures, policies, decision making processes
and how these factors reverberate with
stakeholders.
43
I N T E R N A L A U D I T
Internal Audit plays a key role in ensuring Various benchmarking initiatives give a basis on
initiatives which promote responsibility, which we can look at risks and possible audit
transparency, and that good corporate approaches for organizations.
governance practices are adopted and
implemented in their organizations.
GOVERNANCE AUDIT
Governance structure and responsibilities
RISKS AUDIT APPROACH INDICATORS
The compositions of - Assure rules of procedure for the board include rules of procedure for - % of female members of the
governing bodies do not hit supervising committees, and that these are consistent with legal board/Total members of the
targets for representation requirements. board.
or length of mandate. - % of independent members
of the board/Total members
of the board
- % of foreign members of the
board/Total members of the
board
- Average seniority of
independent members of
the board.
Sustainability and audit - Verify there is adequate monitoring of ESG matters from the Board of No. of meetings for each
committees do not have Directors and sustainability and auditing committees, through an annual committee in the year
sufficient scope to supervise schedule of matters to be dealt with aligned with their respective discussing ESG matters.
ESG matters. responsibilities, such as approval of the adequate sustainability policy in
terms of environmental and social aspects, as a non-delegable power of
the Board of Directors, transparently providing information about its
development, application and results.
Information on ESG risk - Verify that management is involved in sustainable development and that - No. of meetings of each
management does not flow this matter is regularly discussed in executive management committees. committee per year
through the organization. discussing ESG matters.
- Sufficient time to prepare
meetings.
- Rules on the number of
committees in which their
members can be.
Lack of specific ESG - Verify existence of specific ESG training programs. ESG training hours/member of
knowledge at Director, C- the governance body.
Level and on the Board. - Verify that selection of board members includes specialists.
ESG risk management - Verify that accountability and responsibility for ESG risks is clearly defined No. of meetings for each
structures and through policies and procedures, and that supervising committees are committee per year in which
responsibilities are established. ESG matters are discussed.
inadequate.
9. Such as OECD and G20's corporate governance principles, GRI 102 and ICGN (International Corporate Governance Network)
principles.
44
I N T E R N A L A U D I T
Stakeholders’ expectations
The general shareholders’ - Verify the existence of regulations regarding the participation of- Information on the percentage of
meeting does not minority shareholders, proxy voting, remote attendance, etc. quorum participating in each meeting
adequately manage through “proxy voting”.
minority shareholders’ - Evaluate the level of transparency of the proxy voting procedure. - No. of proxy voting requests accepted
participation. Risk - Verify there is a policy promoting shareholders’ participation, and rejected.
associated to power abuse such as a share policy to attend shareholders’ meetings. - No. of questions included in the
by controlling shareholders. agenda under request of minority
shareholders.
- Disclosure of resolutions adopted and
percentage of favorable and
unfavorable votes.
Poor management of - Verify the existence of rules regarding costumer and consumer - No. of complaints filed by
customer or consumer relations and management. customers/consumers.
relations. - Verify the existence of a communications office or channel for - Percentage of complaints settled
clients and consumers (customer office, customer service, etc.). appropriately (customer’s
assessment).
Poor management of - Verify the general procurement and supply policies including the - No. of suppliers analyzed for approval
supplier/vendor or supply assessment, approval and onboarding of suppliers. over the period (percentage of
chain relations. suppliers approved and suppliers
- Verify that environmental, social, corruption and bribery matters rejected).
are included in suppliers’ assessment and approval procedures. - No. of suppliers rejected for ESG
- Verifying the existence of a suppliers’ code of ethics or similar matters.
documentation extending the entity’s commitment to ESG goals - No. of suppliers adhered to the
to the supply chain suppliers’ code of ethics.
- Verify there are provisions made for auditing and supervising - No. of complaints received regarding
suppliers. breaches related to the supply chain.
- No. of audits of suppliers over the
year (% of “apt” and “not apt”
suppliers).
45
I N T E R N A L A U D I T
ESG strategy is not aligned - Verify that ESG strategy is consistent with other strategies. - % of ESG related goals with
to global or other strategy. employees’ variable remuneration.
ESG risks are not - Verify assessment of new trends in sustainability to identify risks. - % of ESG risks over total risks.
considered when - No. of KRIs (key risk indicators)
establishing the company’s defined in terms of ESG.
strategy.
- Review strategy and objective setting processes to assure ESG - No. of KRIs (key risk indicators)
risks are considered, according to their relevance for the defined in ESG terms.
company's strategy in the long-term, its competitive position, its
qualitative factors and, if possible, quantitative values driving
financial value.
- Verify that impact from new and emerging ESG topics are - % of sustainable finance KPIs vs
evaluated and incorporated into long term forecasts. financial KPIs
- No. of KRIs (key risk indicators)
defined in ESG terms.
- Verify specific governance mechanisms have been established to - No. of meetings of the ESG
manage ESG risks. committee.
- ESG risks discussed in risk committees.
- Specific ESG risk working groups have been set up.
ESG strategy is not fluidly - Verify disclosure of ESG strategy to stakeholders. - No. of ESG training communications
communicated. and/or actions.
ESG aspects are not part of - Verify that the company includes ESG aspects in its investment - Sustainable investment criteria
the company’s investment proposals and decisions, to contribute to improving profitability
strategy. adjusted to risk. - % of sustainable finance KPIs vs
financial KPIs
46
I N T E R N A L A U D I T
Remuneration system
RISKS AUDIT APPROACH INDICATORS
Lack of commitment in the - Verify that variable remuneration policy is linked to ESG goals. - % of variable remuneration linked to
achievement of ESG goals. Verify policy does not promote or allow excesive risk taking. attaining ESG goals.
- Verify maintenance tasks have been carried out. - Number of governance reviews
carried out in year.
- Number of actions implemented in
response to corporate governance
reviews.
Internal corporate - Verify internal corporate governance regulations meet external - Number of reviews of corporate
governance regulations do requirements and disclosed voluntary commitments. governance framework carried out in
not meet external the period.
requirements.
- Verify that the corporate governance regulatory framework is - Number of actions implemented in
updated in line with regulatory updates and/or voluntary response to corporate governance
commitments undertaken by the company in the last year. reviews.
Corporate Governance - Assure mechanisms exist to communicate corporate governance - No. of platforms/corporate vehicles
framework is no adequately framework. existing for the internal dissemination
communicated. of the internal corporate governance
- Assure communications have been made. regulatory framework.
- Number of communications made
regarding corporate governance
framework.
47
I N T E R N A L A U D I T
Insufficient resources to - Assure responsibilities for maintaining the corporate governance - People/areas/committees responsible
assure compliance with framework are clearly defined. for ensuring compliance with the
corporate governance corporate governance regulatory
framework. requirements.
- Verify actions taken correspond to responsibility framework. - No of reviews of corporate
governance framework carried out in
the period.
- Number of corporate governance
non-compliant events recorded in the
period.
- Number of actions implemented in
response to corporate governance
non-compliance.
- Assure IT systems exist for recording ESG information and these - Number of indicators for ESG risks
IT systems are not
implemented or do not are adequately maintained. embedded in IT systems.
have the capacity to record
non-financial information.
IT systems have weak - Assure controls for data integrity are implemented and - Results of the review done on
controls and cannot functioning according to design. corporate IT systems handling
guarantee data integrity. information/indicators related to ESG
risks and the internal corporate
governance framework.
- Number of remediation measures
implemented in IT systems over the
period.
48
I N T E R N A L A U D I T
- Review design of risk and control matrices. No. of risks and controls per taxonomy
- Verify ESG risks are covered. and organizational levels.
- Verify approach for risk assessment.
- Verify adequacy of internal controls.
- Assure issues are escalated to senior management and Directors. Number and frequency of reports to
senior management and governance
bodies.
Internal and external - Verify existence of approved communication and reporting plan. Last plan update and level of approval.
communication and - Verify that this is shared with stakeholders.
reporting plan is not
documented or is - Assure mechanisms in place for assuring transparency in ESG risk --
inconsistent with principles reporting.
and commitments.
- Assure compliance with ESG commitments. Internal and external reports
- Verify KPIs are implemented, monitored and acted on.
ESG KPIs performance and trends.
Opportunities arising from - Assure mechanisms exist to identify and process opportunities No. of potential opportunities and %
transparency, supervision arising from ESG reporting and supervision. implemented.
and reporting initiatives are
not identified.
49
I N T E R N A L A U D I T
Organization does not have - Obtain evidence of its communication to employees and Initiatives to spread the organization's
a formalized compliance suppliers and confirmation they understand and accept them code of ethics.
system. or, compliance when entering the company and, on an annual basis, take into
system does no offer account their potential adaptations.
employee guidance and
training.
Not following up ethical - Obtain and review joint authorization and approval delegation - Powers delegation matrix.
issues and performance matrices, order approval flows, approval flow for invoices - Implemented approval flows.
using an effective system to integrated in ERP, granted powers, traceability of each approval - Analysis of level of segregation of
measure progress. and signature. Governance responsibility and segregation of duties.
duties is always taken into account.
Remuneration system does - Defining the company’s mission and vision and verifying - Presence and publication of ethical
not contemplate employee values.
whether it includes ethical principles and conducts.
performance related to - No. and frequency of ethical audits
corporate values. and level of dissemination of results.
There is no provision for
disciplinary action for non- - Obtain evidence on the application of ethical principles in No. of candidates assessed based on
compliance with corporate employee recruiting processes. ethical criteria per process/number of
values. candidates hired.
- Review remuneration system for inclusion of realizable and Analysis of salary bands in the
quantifiable objectives for performance and behavior. company and market benchmarking.
50
I N T E R N A L A U D I T
- Verify mechanisms for monitoring and supervising (AML- or - No. of existing controls and
Anticorruption) programs. frequency to verify they work
adequately.
- Verify the organization has a clear, updated, visible and - Last update and approval by
accessible policy banning corruption and money laundering. adequate level and consistency with
the risks assessment.
- Verify the organization has detailed AML and anti-corruption - Existence of a risk map related to
policies by specific risk areas. existing policies and/or procedures
(Yes/No).
- Verify that the anti-corruption and money laundering program is - Number and % of business partners
applied to business partners. that recognize organizations anti-
corruption policies and procedures,
broken down by type of partner,
business and region. Describing
whether the company’s anti
corruption policies and procedures
have been reported to another person
or organization.
- No. of cases in which contracts with
business partners have been
terminated or have not been renewed
due to corruption related issues.
- Review plans and programs for the promotions of ethical - Number and % of employees that
behavior and compliance. have been trained on the
organization’s anti-corruption
policies and procedures.
51
I N T E R N A L A U D I T
- Review adequacy of investigations protocols for breach of ethics - Public legal cases filed against the
codes. company or its employees
regarding corruption in the
reporting year and outcome.
- Assure anti-corruption and AML policies are reviewed and - Number and frequency of
updated. compliance management audits.
- Number of recommendations and
severity etc.
Tax
RISKS AUDIT APPROACH INDICATORS
Inadequate or inconsistent - Obtain evidence there is a tax strategy. Strategy approved by the Board of
tax strategy. Directors. (Yes/No).
- Review to assure tax strategy is designed, approved and There are governance rules or statutes
reviewed by persons with sufficient accountability and adequate (Yes/No).
knowledge.
- Review for adequate tax compliance provisions in all There are third-party reports
jurisdictions. evidencing compliance levels (Yes/No).
Insufficient controls over tax - Obtain evidence that the body responsible for the company’s tax A tax decision matrix exists.
processes. strategy can describe the degree of responsibility of governance
bodies and the responsibility delegation procedures within the
company.
- Obtain evidence of the processes, projects, and initiatives to back No. of controls implemented, executed
up effective tax compliance within the company. and verified.
- Review training programs that tie fiscal strategy to corporate No. and % of employees trained on
development. fiscal matters.
- Review effectiveness of internal controls for tax compliance. No. and nature of cases confirmed.
- Obtain evidence of the level of commitment with tax authorities No. and type of agreements with third
and public fiscal policies, as well as the progress on gathering parties.
opinions from stakeholders.
52
I N T E R N A L A U D I T
Conclusions
ESG matters entail a series of risks and with compliance tests and review and
opportunities that challenge internal audit to verification of information and indicators. The
provide concrete assurance to senior auditor may check for inconsistencies or
management and the Board. deviations and then recommend actions be
taken.
Internal audit should therefore understand and
analyze certain questions: Regarding social (S) aspects, the main matters
to be approached by Internal Audit are related
- Senior management and the Board´s role
to diversity and equality, contributing value to
in monitoring sustainability issues.
society, recruitment and human resources
- The process for identification, assessment management, health, safety and well-being of It is essential that
and management of ESG risks. employees, and training. Adverse impact from Internal Auditing
risks may be seen on the organization’s
- The framework used for non-financial reputation, its capacity to attract and retain identifies the specific
reporting. talent, the violation of human and workers’ risks of each ESG pillar
- The internal control system for non- rights, loss of competitiveness and obviously and establishes a
financial reporting. on its bottom line. The internal auditor may specific approach
use substantive testing or internal controls
Furthermore, it is essential for Internal towards work.
assessments. Review of quantitative indicators
Auditing to identify specific risks for each is also a useful tool.
material matter, within each of the three ESG
pillars, and to establish a specific approach The main risks related to the Governance pillar
towards carrying out its work. cover:
- Corporate governance compliance.
Environmental (E) aspects are very diverse and - Not satisfying stakeholder´s expectations.
often require subject matter experts. Two large - Non-alignment of sustainability strategy
blocks stand out: environmental management and overall objectives.
and climate change, which may entail
reputational, regulatory, operational or - Non-transparent internal and external
financial risks. In this case, audit tests may reporting
mostly be substantive due to the abundant
- Non-alignment of remuneration policy
existing information on non-financial data,
with ESG policy.
such as tons of CO2 or other energy
consumption. However, especially when it - Undefined tax strategy.
comes to climate change risks, the internal
auditor may combine control tests - Undefined ethics culture.
- Non-compliance with anti-bribery laws.
53
I N T E R N A L A U D I T
The internal auditor may wish to evaluate the Internal Audit is key to providing the Audit
organization’s compliance model and Committee, senior management and other
procedures, and review internal controls. stakeholders, with the assurance they require
on the impact of ESG risks.
Bibliographical references
MONOGRAPHS
• BONIME-BLANC, A. Gloom to Boom: How Leaders Transform Risk into Resilience and Value. London:
Routledge, October 2019. ISBN 978-1783538157.
54
I N T E R N A L A U D I T
• CORPORATE REPORTING DIALOGUE. The Sustainable Development Goals and the future of corporate
reporting, 2019.
• ENAGÁS. Annual report 2019, 2020.
• EU TECHNICAL EXPERT GROUP ON SUSTAINABLE FINANCE. Taxonomy: Final report of the Technical
Expert Group on Sustainable Finance, 2020.
• EUROPEAN CONFEDERATION OF INSTITUTES OF INTERNAL AUDITING. Non-Financial Reporting: Building
trust with internal audit, 2015.
• EUROPEAN CONFEDERATION OF INSTITUTES OF INTERNAL AUDITING. Practical guidance on climate
change and environmental sustainability, 2021.
• EY. Barómetro de Divulgación del Riesgo Climático 2020, 2020.
• FERROVIAL. Integrated annual report 2020, 2021.
• FORÉTICA. El futuro de la sostenibilidad en las empresas - Resiliencia y ‘nueva normalidad’ Post COVID-19, 2020.
• IBERDROLA. Non-financial information report - Sustainability report 2020, 2021.
• KPMG. La importancia de los asuntos ESG, 2020.
• KPMG. Reporting en información no financiera: Recorriendo el camino, 2020.
• KPMG. The time has come - The KPMG Survey of Sustainability Reporting 2020, 2020.
• MANAGEMENT SOLUTIONS. La gestión de riesgos asociados al cambio climático, 2020.
• SUSTAINABILITY ACCOUNTING STANDARDS BOARD. ESG Integration Insights - 2020 Edition, 2020.
• PRINCIPLES FOR RESPONSIBLE INVESTMENT. Principles for Responsible Investment, 2019.
• PRINCIPLES FOR SUSTAINABLE INSURANCE. Underwriting environmental, social and governance risks in
non-life insurance business, 2019.
• SCIENCE BASED TARGETS. Foundations for science-based net-zero target setting in the corporate sector, 2020.
• TASK FORCE ON CLIMATE-RELATED FINANCIAL DISCLOSURES. Recommendations of the Task Force on
Climate-related Financial Disclosures, 2017.
• THE INSTITUTE OF INTERNAL AUDITORS. Internal Audit’s Role in ESG reporting - White Paper, 2021.
• THE INSTITUTE OF INTERNAL AUDITORS - AUSTRALIA. The 20 Critical Questions Series: What Directors
should ask about ESG, 2020.
• UNITED NATIONS. Sustainable Development Goals, 2015.
• UNITED NATIONS DEVELOPMENT GROUP. Guidelines to Support Country Reporting on the Sustainable
Development Goals, 2017.
• UNITED NATIONS GLOBAL COMPACT. Integrating the Sustainable Development Goals into Corporate
Reporting: A Practical Guide, 2018.
• UNITED NATIONS HUMAN RIGHTS. Guiding Principles on Business and Human Rights, 2011.
• WORLD BUSINESS COUNCIL FOR SUSTAINABLE DEVELOPMENT. Controlling Non-Financial Reporting, 2013.
• WORLD ECONOMIC FORUM. Measuring Stakeholder Capitalism - Towards Common Metrics and
Consistent Reporting of Sustainable Value Creation, 2020.
• WORLD ECONOMIC FORUM. The Global Risks Report 2021. 16th Edition, 2021
55
I N T E R N A L A U D I T
LA FÁBRICA
• INSTITUTO DE AUDITORES INTERNOS DE ESPAÑA. LA FÁBRICA DE PENSAMIENTO. Auditoría Interna y la
Información no Financiera, 2018.
• INSTITUTO DE AUDITORES INTERNOS DE ESPAÑA. LA FÁBRICA DE PENSAMIENTO. Auditoría Interna del
proceso de inversión en tecnologías emergentes, 2020.
RULES
• EUROPEAN CENTRAL BANK. Guide on climate-related and environmental risks. Frankfurt: ECB, 2020
• EUROPEAN COMMISSION. Commission Delegated regulation supplementing Regulation (EU) 2020/852 of
the European Parliament and of the Council by establishing the technical screening criteria for determining
the conditions under which an economic activity qualifies as contributing substantially to climate change
mitigation or climate change adaptation and for determining whether that economic activity causes no
significant harm to any of the other environmental objectives. Brussels: EC, 2021.
• EUROPEAN COMMISSION. Directive 2013/34/EU of the European Parliament and of the Council of 26 June
2013 on the annual financial statements, consolidated financial statements and related reports of certain
types of undertakings, amending Directive 2006/43/EC of the European Parliament and of the Council and
repealing Council Directives 78/660/EEC and 83/349/EEC. Brussels, EC, 2013.
• EUROPEAN COMMISSION. Directive 2014/95/EU of the European Parliament and of the Council of
22 October 2014 amending Directive 2013/34/EU as regards disclosure of non-financial and diversity
information by certain large undertakings and groups. Brussels, EC, 2014.
• EUROPEAN COMMISSION. Guidelines on non-financial reporting (methodology for reporting non-financial
information). Brussels: EC, 2017
• EUROPEAN COMMISSION. Guidelines on non-financial reporting: Guidelines on reporting climate-related
information Brussels: EC, 2019
• EUROPEAN COMMISSION. Proposal for a Directive of the European Parliament and of the Council
amending Directive 2013/34/EU, Directive 2004/109/EC, Directive 2006/43/EC and Regulation (EU)
No 537/2014, as regards corporate sustainability reporting. Brussels: EC, 2021
• EUROPEAN COMMISSION. Regulation (EU) 2019/2088 of the European Parliament and of the Council
of 27 November 2019 on sustainability‐related disclosures in the financial services sector (Text with EEA
relevance) Brussels: EC, 2019
• COMISIÓN NACIONAL DEL MERCADO DE VALORES. Código de buen gobierno de las sociedades cotizadas.
Madrid: CNMV, 2020.
• COMISIÓN NACIONAL DEL MERCADO DE VALORES. Comunicado sobre la próxima aplicación del
Reglamento 2019/2088 sobre divulgación de información relativa a sostenibilidad en el sector financiero.
Madrid: CNMV, 2021
• INTERNATIONAL FINANCIAL CORPORATION. Norma de Desempeño 6 - Conservación de la biodiversidad
y gestión sostenible de recursos naturales vivos. Washington: IFC, 2012.
• EUROPEAN BANKING AUTHORITY. EBA Discussion paper - on management and supervision of ESG risks
for credit institutions and investment firms. París: EBA, 2020.
• GLOBAL SUSTAINABILITY STANDARDS BOARD. GRI Universal Standards. Amsterdam: GSSB, 2020.
• GLOBAL SUSTAINABILITY STANDARDS BOARD. GRI Universal Standards: GRI 101, GRI 102, and GRI 103 -
Exposure draft. Amsterdam: GSSB, 2020.
56
I N T E R N A L A U D I T
• GOVERNMENT OF SPAIN. Ley 11/2018, de 28 de diciembre, por la que se modifica el Código de Comercio,
el texto refundido de la Ley de Sociedades de Capital aprobado por el Real Decreto Legislativo 1/2010, de
2 de julio, y la Ley 22/2015, de 20 de julio, de Auditoría de Cuentas, en materia de información no
financiera y diversidad. Madrid: BOE, 2018.
• INSTITUTO DE CENSORES JURADOS DE CUENTAS DE ESPAÑA. Guía de actuación sobre encargos de
verificación del Estado de Información No Financiera. Madrid: ICJCE, 2019.
• INTERNATIONAL AUDITING AND ASSURANCE STANDARDS BOARD. NIEA 3000 (revisada) - Encargos de
aseguramiento distintos de la auditoría o de la revisión de información financiera histórica, marco
internacional de encargos de aseguramiento y las modificaciones de concordancia de otras NIEA. New York:
IAASB, 2018.
• INTERNATIONAL CORPORATE GOVERNANCE NETWORK. ICGN Global Stewardship Principles. London:
ICGN, 2016.
• INTERNATIONAL INTEGRATED REPORTING COUNCIL. International <IR> framework. London: IIRC, 2021.
• ORGANIZACIÓN PARA LA COOPERACIÓN Y EL DESARROLLO ECONÓMICOS. Líneas Directrices de la
OCDE para Empresas Multinacionales. París: OECD, 2011.
• ORGANIZACIÓN PARA LA COOPERACIÓN Y EL DESARROLLO ECONÓMICOS. Principios de Gobierno
Corporativo de la OCDE y del G20. París: OECD, 2016.
• SUSTAINABILITY ACCOUNTING STANDARDS BOARD. SASB Standards. San Francisco: SASB, 2021.
JOURNAL ARTICLES
• PORTER, M.E. and KRAMER, M.R. «The Big Idea: Creating Shared Value. How to Reinvent Capitalism-and
Unleash a Wave of Innovation and Growth». Harvard Business Review. January-February 2011, no, 89,
p. 62- 77.
• SOH, D.S.B and MARTINOV-BENNIE, N. «Internal auditors’ perceptions of their role in environmental, social
and governance assurance and consulting». Managerial Auditing Journal. January 2015, Volume 30 – Book
1, p. 80-111.
57
I N T E R N A L A U D I T
• IONOS. «Stakeholders - ¿Conoces a los grupos de interés de tu empresa? Ionos website. February 2019.
• MONTECELOS, M. and CERVERA, M. «Métricas ESG: ¿es posible mejorar los resultados financieros de las
compañías incluyéndolos en los sistemas retributivos?» Willis Tower Watson website. July 2020.
• PALÁ LAGUNA, R. «Nuevas obligaciones de transparencia para determinadas entidades financieras en
materia de sostenibilidad: exigibilidad a partir del 10 de marzo de 2021». Gómez-Acebo & Pombo website.
February 2021.
• PWC. «Integrar los criterios ESG y el propósito en la estrategia, principal reto de los Consejos de las
empresas españolas en el mundo post-COVID». Auditoría & CO website. May 2020
• SCHRODERS. «Breve historia de la inversión responsable». Schroders website. November 2016.
• SCHWAB, K. «Manifiesto de Davos 2020: El propósito universal de las empresas en la Cuarta Revolución
Industrial». World Economic Forum website. December 2019.
• THE DANISH INSTITUTE FOR HUMAN RIGHTS. «Sustainable Development through Human Rights Due
Diligence (Road-testing version)». The Danish Institute for Human Rights website. 2018.
• UNITED NATIONS ENVIRONMENT PROGRAM. «About ecosystems» UNEP website. 2020.
• UNITED NATIONS ENVIRONMENT PROGRAM. «Water». UNEP website. 2020.
• VAÑÓ, P. «¿Están preparadas las entidades financieras para integrar los factores ESG en la toma de
decisiones?» KPMG Tendencias website. 2020.
• VIVES, A. «Materialidad: 12 principios básicos y una metodología para la estrategia de RSE». Ágora.
February 2015.
58
Instituto de Auditores Internos de España
Santa Cruz de Marcenado, 33 · 28015 Madrid · Tel.: 91 593 23 45 · Fax: 91 593 29 32 · www.auditoresinternos.es
Copyright: M-31844-2021
ISBN: 978-84-122588-7-5
Property of Instituto de Auditores Internos de España. Total or partial public reproduction of this book is allowed,
provided it is not done for commercial purposes, provided the author of the original work is recognized. The creation
of derivative works is not allowed.
OTHER WORKS FROM LA FÁBRICA DE PENSAMIENTO