
Integrating ESG into Internal Audits
From compliance to commitment

Gaurav Bhatia
Executive Partner – Risk Advisory
ASA & Associates LLP

09 March 2024
Private & Confidential - Not for external circulation
Resource Scarcity
Earth Overshoot Day marks the date when humanity’s demand for ecological resources and services each year exceeds
what Earth can regenerate in that year.

Water Scarcity

• Over 2 Billion people live in countries experiencing high water stress. (UN, 2018)

• Today, 31 Countries face chronic freshwater shortages. Among the countries likely to run short of water in the next 25
years are Ethiopia, India, Kenya, Nigeria and Peru

Air Pollution

• WHO data shows that 9 out of 10 people breathe air containing high levels of pollutants

• Air pollution kills an estimated 7 million people worldwide every year.

Contents

01 Defining E-S-G
02 Regulatory scenario - Global & Indian
03 Internal Auditor’s role
04 Integration of ESG with IA function
05 Practical insights

What is ESG?
Environmental, social and governance (ESG) are factors used to evaluate a company's sustainability and ethical impact (People-Planet-Purpose).

▪ Environmental - how a company performs as a steward of nature.

▪ Social - how it manages relationships with employees, suppliers, customers, and the communities where it operates.

▪ Governance - company’s leadership, executive pay, audits, internal controls, and shareholder rights.

Key ESG – Driving Stakeholders
Investment Firm
• To price externalities
• To measure the intangibles
• To achieve better returns
• To fulfil fiduciary duty

Asset Owners
• To achieve better returns
• To seek for greater transparency
• To reduce risks as universal owners
• To align with increasing awareness on sustainability

Organisation
• To improve long term financial performance
• To meet demand for better Business Management Standards from stakeholders

Policymakers & Regulators
• To achieve sustainable economic growth targets
• To meet increasing social pressure
• To address the need for regulation

Transition to Sustainability
Stakeholder Influence Over ESG Planning and Strategy

• Main push for ESG planning and strategy: Senior leadership (81%).

• Following influencers: Regulators (54%), clients/customers (53%), institutional investors (46%).

• Least influential stakeholders: Activist investors (22%), finance/treasury departments (24%).

• Emphasis on regulations and compliance is highlighted as a top concern for senior leaders.

The Morningstar Sustainalytics Corporate ESG Survey Report 2022

Global Scenario
EUROPE
• Corporate Sustainability Reporting Directive (CSRD) adopted to publish regular standardized reports on companies’ ESG impact activities from the fiscal year 2023 onwards.
• Sustainable Finance Disclosures Regulation (SFDR) specific for financial sector

JAPAN
• The Corporate Governance Code (CG Code) requires listed companies to appropriately disclose their initiatives on sustainability

USA
• Disclosure requirements for listed companies through SEC
• New rules issued by SEC on Mar 6, 2024 – to improve consistency, quality and comparability of company-reported climate-related risks.

UK
• Regulations require certain companies to provide a “sustainability” information statement on climate-related disclosures in their annual strategic report
• ESG reporting in the UK further formalised through the Sustainability Disclosure Requirements (SDRs)

CHINA
• China Securities Regulatory Commission (CSRC) issued the Standards for Carbon Financial Products
• China notified 6 standards pertaining to ESG
• China’s Green Bond Standards Committee released the China Green Bond Principles

ESG related Frameworks
S. No. Framework Name
1 Sustainable Finance Disclosure Regulation (SFDR)

2 The Non-Financial Reporting Directive (NFRD)

3 Corporate Sustainability Reporting Directive (CSRD)

4 Global Reporting Initiative (GRI)

5 Carbon Disclosure Project (CDP)

6 Climate Disclosure Standards Board (CDSB)

7 Task Force on Climate-Related Financial Disclosures (TCFD)

8 Sustainable Development Goals (SDG)

9 National Guidelines on Responsible Business Conduct (NGRBC)

10 Sustainable Finance Group (SFG)

11 Integrated Reporting (IR)

12 Business Responsibility and Sustainability Reporting (BRSR)

Global reporting frameworks
Several global reporting frameworks and standards exist for sustainability, helping organizations communicate their economic, environmental,
social, and governance (ESG) performance. Here are some of the prominent ones:

Global Reporting Initiative (GRI)
• Most widely used sustainability reporting frameworks globally.
• Provides a comprehensive set of standards that cover economic, environmental, and social aspects.

Integrated Reporting (IR)
• Aims to provide a holistic view of an organization's strategy, governance, performance, and prospects.
• Encourages organizations to connect financial and non-financial information in a cohesive narrative.

Sustainability Accounting Standards Board (SASB)
• Focuses on industry-specific standards, helping companies disclose financially material ESG information to investors.
• Industry-specific standards designed to be relevant to the financial performance of companies within each sector.

Task Force on Climate-related Financial Disclosures (TCFD)
• Provides recommendations for disclosing climate-related financial risks and opportunities.
• Encourages organizations to disclose information related to governance, strategy, risk management, and metrics and targets.

ESG Evolution in India
In line with the ESG, Ministry of Corporate Affairs (MCA) developed the BRSR framework after years of evolution, as can be seen below:

• 2009: Ministry of Corporate Affairs (“MCA”) issued the National Voluntary Guidelines (“NVGs”) on CSR.
• 2011: National Voluntary Guidelines for ‘Social, Environmental and Economic Responsibility of Business' issued by MCA.
• 2012-14: SEBI mandates filing of Business Responsibility Report (BRR) based on the NVGs by top 100 listed companies. CSR was mandated and CSR Rules came into force.
• 2015: Business Responsibility Report (BRR) was extended by SEBI to the top 500 listed companies by market capitalisation.
• 2019: MCA released the National Guidelines on Responsible Business Conduct (NGRBC). BRR was extended by SEBI to the top 1000 listed companies by market capitalisation.
• 2021: SEBI introduced Business Responsibility and Sustainability Report (BRSR) along with the BRSR template in May 2021.
• 2023: SEBI introduced BRSR Core framework to mandate listed companies to obtain reasonable assurance on selected KPIs.

ESG In the News

Regulatory updates - ESG in India
Key Statistics pertaining to ESG in India

1 SEBI introduces BRSR report which outlines mandatory ESG policies and requirements for the top 1000 listed companies by market capitalization.

2 SEBI constitutes a committee for advising on ESG related matters in the securities market. The terms of reference of the committee include enhancement of Business Responsibility and Sustainability report (BRSR), ESG ratings and ESG investing.

3 Section 134(m) mandates companies to include a report by their Board of Directors on conservation of energy, along with annual financial statement.

4 ICAI has issued Standards on Sustainability Assurance Engagement (SSAE) 3000 which is applicable for attestation of all assurance engagements on sustainability information.

5 SEBI's amendment mandates top 250 listed entities to comply with or explain ESG disclosures, including supply chain KPIs, using the "BRSR Core” format from FY 2024-25, with limited assurance applicable from FY 2025-26, emphasizing transparency and accountability.

6 SEBI issued a circular on ‘Disclosure Requirements for Issuance and Listing of Green Debt Securities’, to introduce the regulatory framework for issuance of green debt securities in India.

Business Responsibility and Sustainability Reporting (BRSR)
In line with the ESG, Ministry of Corporate Affairs (MCA) developed the BRSR framework after years of evolution:

• SEBI issued circular introducing BRSR on May 10, 2021.

• New reporting format outlines mandatory ESG policies and requirements for the top 1000 listed companies by market capitalization.

• Reporting mandatory from FY 2022-23 (Voluntary for FY 2021-22).

• Seeks disclosures from listed entities on their performance against the nine principles of the ‘National Guidelines on Responsible Business Conduct’ (NGRBCs)

• Reporting under each principle is divided into essential and leadership indicators.

BRSR Core Assurance
❖ The BRSR Core is a subset of the BRSR. The new format has additional KPIs (relevant for the Indian economy) under 9 ESG attributes, mandating listed entities to disclose and obtain reasonable assurance.

❖ Listed entities to report BRSR Core parameters for their value chain partners, specifically those attributable to their business, covering top upstream and downstream partners representing 75% of purchases/sales.

❖ ESG Ratings Providers (ERPs) in India need to prepare a separate ESG rating category - core ESG rating, based on assured parameters under BRSR Core.

❖ The listed entity must avoid conflicts by ensuring the assurance provider and its associates do not offer non-assurance services to the entity or its group.

BRSR reporting framework
Comprehensive BRSR
▪ Developed for the top 1000 companies listed in India
▪ To be stretched to several unlisted companies that meet specified thresholds of turnover and/or paid-up capital.
▪ This approach consists of 3 sections and 9 principles

BRSR Lite
• Developed for unlisted companies unfamiliar with the groundwork of sustainability reporting.
• Format to encourage more companies to begin sustainability reporting as it is easier for all companies to adopt this format.
• Adoption of BRSR Lite is voluntary for such companies.

Structure of BRSR
The reporting questionnaire as per SEBI circular dated May 10, 2021, is divided into three sections.

BRSR Format
• Section A - General Disclosures (About the entity)
• Section B - Management and Process Disclosures (About Management approach)
• Section C - Principle wise performance disclosures (About each principle): Essential Indicators (Mandatory) and Leadership Indicators (Voluntary)

Section A: General disclosures
Details of the listed entity; products/services; operations; employees; holding, subsidiary and associate companies (including joint ventures); CSR; transparency and disclosure compliances.

Section B: Management and process disclosures
Questions related to policy and management processes, governance, leadership and oversight.

Section C: Principle-wise performance disclosures
Companies are required to report upon KPIs in alignment with the nine principles of the NGRBC.

Nine Principles of NGRBC

1 Businesses should conduct and govern themselves with integrity, and in a manner that is ethical, transparent, and accountable

2 Business should provide goods and services in a manner that is sustainable and safe

3 Businesses should respect and promote the well-being of all employees, including those in their value chains

4 Businesses should respect the interests of and be responsive to all its stakeholders

5 Businesses should respect and promote human rights.

6 Businesses should respect and make efforts to protect and restore the environment

7 Businesses, when engaging in influencing public and regulatory policy, should do so in a manner that is responsible and transparent

8 Business should promote inclusive growth and equitable development

9 Businesses should engage with and provide value to their consumers in a responsible manner

GRI vs BRSR framework - Comparison
| Particulars | BRSR | GRI Standards |
|---|---|---|
| Developed by | Regulatory body | Non-governmental organization |
| Geographical specificity | Specifically made for use for Indian companies | Not specific to any country |
| Industry sector specificity | Currently sector-agnostic; Provision for future | Sector program underway |
| Underlying principles | NGRBC (9 principles of responsible business conduct) | Triple bottom-lines (Economic, Environment, Social) |
| Structure of disclosures | Principle-wise indicators | Topic-wise indicators |
| Commonly used as | Standalone disclosure (Annexure to Board Report) | Standalone report (Sustainability Report) |
| Degree of integration with financial disclosures | None | Economic disclosures without integration |
| Regulatory mandate in India | Mandated by SEBI (for Top 1000 companies by market capitalization) | Voluntary |
GRI vs BRSR framework – Mapping of 9 principles
| NGRBC Principles | GRI Topics |
|---|---|
| P-1: Businesses should conduct and govern themselves with integrity in a manner that is Ethical, Transparent and Accountable. | Anti-corruption, Socio-economic Compliance |
| P-2: Businesses should provide goods and services in a manner that is sustainable and safe. | Supplier Environmental Assessment, Supplier Social Assessment |
| P-3: Businesses should respect and promote the well-being of all employees, including those in their value chains. | Employment, Labour – Management Relations, Occupational Health & Safety, Training & Education, Diversity & Equal Opportunity, Security Practices |
| P-4: Businesses should respect the interests of and be responsive to all its stakeholders. | Rights of Indigenous People, Local Communities |
| P-5: Businesses should respect and promote human rights. | Freedom of Association & Collective Bargaining; Child, Forced or Compulsory Labour; Human Rights Assessments |
| P-6: Businesses should respect and make efforts to protect and restore the environment. | Materials, Energy, Water, Biodiversity, Emissions, Effluents & Waste, Environmental Compliance |
| P-7: Businesses, when engaging in influencing public and regulatory policy, should do so in a manner that is responsible and transparent. | Public Policy |
| P-8: Businesses should promote inclusive growth and equitable development. | Local Communities, Indirect Economic Impacts |
| P-9: Businesses should engage with and provide value to their consumers in a responsible manner. | Anti-competitive Behaviour, Customer Health & Safety, Marketing & Labelling, Customer Privacy |

Challenges to BRSR/ESG reporting

• Multiple ESG Frameworks - absence of uniform global standards is challenging for MNCs and investors
• Evolving ESG regulations - requirement for disclosures are complex and ever changing
• Since data lies at the heart of BRSR reporting, greenwashing poses a real risk for corporates.
• Laws and regulations adjusting with the paradigm shift

COSO ICIF ESG reporting

The Internal Control – Integrated Framework (ICIF) comprises 5 components with 17 principles, presented as the COSO Cube, guiding effective internal controls.

Component and application:

Control environment
• Company values statement
• Board/executive oversight of ESG issues, including charters
• ESG governance model and organization chart
• Defined sustainability job roles/responsibilities and personnel requirements
• Policies and procedures for ESG program
• ESG performance targets aligned with incentives and rewards

Risk assessment
• ESG risk assessment, including climate risks and opportunities
• Company strategic ESG risk profile
• Interaction of financial materiality, double materiality and dynamic materiality
• Integration of ESG risks into ERM program and action plans
• Assessment of new laws and regulations over human rights
• Fraud risk assessment related to sustainable business activities and reporting


Control activities
• Internal controls framework to address risks in ESG operational and reporting processes
• IT controls over systems used for ESG data and reporting
• Oversight of third-party service providers gathering or processing ESG and sustainability information

Information and communication
• ESG communications plan for internal and external stakeholders
• Employee training on relevant ESG topics
• ESG data collection and reporting processes and procedures

Monitoring activities
• Periodic evaluation of design and operation of internal controls (e.g., internal and external audits)
• ESG scorecards to monitor progress toward goals and targets
• Protocols for reporting deficiencies to management and the board

An effective control environment for sustainability reporting, akin to financial controls, relies on all 17 principles
from the Integrated Framework, ensuring a robust foundation in design and implementation.

COSO ICIF ESG reporting principles
Control Environment
• Demonstrates commitment to integrity and ethical values
• Exercises board of directors’ oversight responsibilities
• Establishes structures, authority, and responsibilities
• Demonstrates commitment to competent human resources
• Enforces accountability

Risk Assessment
• Specifies suitable objectives
• Identifies and assesses risks, developing action plans for risk treatment
• Assesses fraud risk
• Identifies and assesses risks, developing action plans for risk treatment.

Control Activities
• Selects and develops control activities
• Selects and develops general controls over technology
• Deploys oversight through policies and procedures

Information & Communication
• Uses relevant information
• Communicates internally
• Communicates externally

Monitoring activities
• Conducts ongoing and/or separate evaluations
• Evaluates and communicates deficiencies

Reference material pertaining to ESG
Sustainability Reporting Standards Board (SRSB) of ICAI

Compendium of Social Audit Standards

Sustainability Reporting Maturity Model (SRMM) - Version 2.0

Social Audit Standards (SAS) 100 to 1600

Standard on Assurance Engagements (SAE) 3410 - Assurance Engagements on Greenhouse Gas Statements

Standard on Sustainability Assurance Engagements (SSAE) 3000, Assurance Engagements on Sustainability Information

Transitioning internal audits to embrace ESG principles fosters a culture of sustainable commitment

Internal Auditor’s Role
As a function, internal audit can consider including ESG
checkpoints in their audit given the increasing focus of regulators,
investors, customers, third-party affiliates, and society at large.

Assurance

• Review reporting metrics for relevancy, accuracy, timeliness and consistency
• Review reporting for consistency with formal financial disclosure filings
• Conduct materiality or risk assessments on ESG reporting
• Incorporate ESG into regular audit plans

Advisory

• Identify areas that are less well-defined and build an ESG control environment
• Advise and advocate on ESG governance

Source: IIA’s white paper on Internal Audit’s Role in ESG Reporting

Approach to integrate ESG into IA plan

Integrated Audit Approach
Immature ESG elements warrant an integrated audit approach with ESG-focused questions for identifying, considering, and documenting activities.

Standalone Reviews
Internal audit can assess mature ESG program elements independently, providing insights into policies, controls, and responsibilities at specific times.

Investing in ESG Competencies
Build ESG expertise in internal audit with research, trend understanding, benchmarking, stakeholder assessment, and targeted training or certifications.

Focused Reviews
Focused reviews employ larger samples and periodic checkpoints, but some leave issue remediation to management's discretion without oversight.

Challenges for Internal auditors w.r.t. ESG
• Lack of a uniform framework: How to check and report the results of their ESG strategies
  ▪ Familiarise with various terms, such as Green House Gas (GHG) calculation frameworks

• ESG topics, such as climate change, decarbonisation have not been part of audit plans
  ▪ Engage with experts within their teams to be able to better understand and review the underlying documents

• Data required to review ESG reporting are often minimal, unavailable, or scattered across multiple departments
  ▪ Gain expertise in testing various IT systems and reading relevant non-financial data to overcome dependency on various departments

Internal auditors’ role in ESG efforts
Keeping in mind the internal audit skillset, internal auditor assistance can be useful in developing various facets of the ESG framework and building in the necessary governance and control aspects.

1 Evaluate an organisation’s current ESG maturity

Internal audit can assess the current maturity of an organisation’s ESG strategy by comparing it
with other organisations - benchmarking

2 Ensure proper governance structure and oversight

Internal audit can review roles and responsibilities assigned within the organisation to execute
their ESG strategy and monitor ESG issues

3 Validate the ESG risk management goals

Internal audit can ensure that the goals set are realistic, measurable, included in the company’s
strategic objectives

4 Collaborate with Enterprise Risk Management (ERM)

Internal audit can assist the management by mapping risks and incorporating them as part of
their risk registers


5 Ensure documentation of ESG policies and procedures

Internal audit can review ESG policies and procedure manuals, which helps the company to
communicate its strategy, goals, and activities to be undertaken to mitigate ESG risks.

6 Perform risk assessments

Internal audit can determine whether ESG measures are significant to an organisation and
aligned with investors, customers, and other stakeholder expectations.

7 Review ESG financial and non-financial reporting metrics

Internal audit can review the management’s ESG financial and non-financial reporting data used
for public disclosures.

8 Collaborate with the legal and compliance department

Internal audit can work together with the legal and compliance department to validate that ESG
reporting disclosures comply with applicable regulations.

Key checkpoints for an internal auditor (1/3)
Environmental

Material issues and checkpoints for consideration:

Regulatory Compliance
• Serious incidents/regulatory breach w.r.t environmental aspects
• Nature of the incident and improvements made
• Regulatory action (enforcement/prosecution/fine)

Natural hazards
• Company subject to flood, seismic, or other natural hazards

Carbon emissions/exposure to climate change
Carbon emissions
• Company operations in an energy intensive sector
• GHG emissions monitoring
Exposure to climate change
• Business risk from the current/evolving climate change regulation

Air emissions
• Company operations originate significant emissions to air (for example, oil & gas, energy, transportation, chemical)

Waste management/end life of
• Production process originate relevant quantities of waste or hazardous waste?
• Waste management initiatives to minimise or reuse/recycle waste

Key checkpoints for an internal auditor (2/3)
Social

Material issues and checkpoints for consideration:

Human resources
• Workforce composition
• Diversity issues
• Serious labour related complaints/claims/enforcement actions
• Benefits provided to employees
• Training

Health and safety
• Company’s operations in an industry that presents a high risk of health and safety?
• Company’s workers exposed to high incidence or risk of diseases
• Company been subject to enforcement actions by the regulators

Consumer safety/products regulations
• Product- or sector-specific regulations (for example, food safety, pharma Good Manufacturing Practices (GMP))
• Actions taken to ensure the health and safety of consumers

Fair disclosure and labelling/fair marketing
• Incidents of non-compliance concerning product and service information and labelling
• Incidents of non-compliance concerning marketing communications

Customer privacy
• Company’s data security policy and IT security management system
• Sensitivity of information in possession of the company
• Breach in cyber security across the past 2-3 years

Key checkpoints for an internal auditor (3/3)
Governance

Material issues and checkpoints for consideration:

ESG systems and processes
Roles and responsibilities
• ESG committee/steering committee been established or not
• Designated reference person for day-to-day ESG matters been assigned?
Policies & Procedures
• ESG values and principles clearly communicated (for example, on the website)
• Company have sustainability or business conduct policies
• Environmental/health and safety procedures in place
Monitoring & reporting
• Sustainability section on the website?
• Company publish an ESG/CSR/sustainability report

Corruption and business ethics
• Financial or in-kind political contributions by the company
• Company internal controls to safeguard themselves against illegal practices
• Corporate governance and/or ethical related employee claims/breach/enforcement/litigation actions related to issues, such as anti-bribery and corruption

Supply Chain
• High social, human labour, and environmental risks in company’s supply chain
• Responsible purchasing policy/code of conduct for suppliers by company
• ESG criteria included in the selection and monitoring of key suppliers by company

Role of professionals
From assessing the various strategic implications of climate change to
assessing social impact through to implementing the reporting
requirements: The ESG experts can advise on every facet of
sustainable corporate governance. Services in following domains can
be delivered to the clients:

• ESG implementation
• ESG Reporting and Assurance
• ESG Strategy and Transformation
• Due Diligence and investment analysis
• BRSR Reporting
• BRSR Core Assurance

Case Study

Challenge
A service industry leader wants to enhance employee well-being and social responsibility.

Internal Auditor’s Role
Evaluate HR policies, assess employee satisfaction and engagement levels, and conduct surveys on workplace well-being.

Approach
Analysing policies and surveys, the internal auditor creates a plan to enhance employee well-being, foster a positive work environment, and improve social responsibility.

Case Study

Challenge
A manufacturing company commits to reducing its environmental impact.

Internal Auditor’s Role
Evaluate environmental management systems, ensure compliance with regulations, and recommend improvements for minimizing the company's carbon footprint.

Approach
The internal auditor evaluates systems, ensures compliance, assesses the carbon footprint, suggests reductions, and establishes monitoring for a manufacturing company's environmental impact.

Case Study

Challenge
A financial institution prioritizes strong corporate governance and ethical leadership.

Internal Auditor’s Role
Evaluate governance structures, adherence to ethical standards, and the implementation of codes of conduct. Ensure a culture of integrity and ethical decision-making.

Approach
The internal auditor ensures the financial institution's commitment to strong corporate governance and ethical leadership by evaluating structures, adherence to ethical standards, and codes of conduct, fostering a culture of integrity and ethical decision-making.

Thank you
Gaurav.bhatia@asa.in
