
ESG Assurance: The Internal Audit Function's Expanding Role in Sustainability Reporting

Kamran Iqbal, CIA, CISA, CFE, CRMA
June 2026

Environmental, social, and governance reporting has moved from voluntary disclosure to a regulatory obligation across an expanding set of jurisdictions and sectors. With this shift comes a corresponding obligation for internal audit — to provide assurance over ESG data quality, reporting processes, and the governance frameworks that underpin sustainability commitments. For many internal audit functions, this represents unfamiliar territory: different data types, different frameworks, different stakeholder expectations, and risks that do not map neatly onto the financial control environment that most auditors know well.

The ESG Reporting Landscape and Why Internal Audit Is Now Involved

The proliferation of ESG reporting frameworks — GRI, SASB, TCFD, CSRD in Europe, SEC climate disclosure rules in the United States — has created a complex disclosure environment that most organisations are navigating imperfectly. Boards are being asked to approve ESG disclosures they do not fully understand, based on data they cannot independently verify, using methodologies that are not yet standardised. This is precisely the governance gap that internal audit exists to address.

Regulators and investors increasingly expect some form of internal assurance over ESG data before external assurance is obtained. The European Corporate Sustainability Reporting Directive mandates limited assurance on sustainability reports, with a pathway to reasonable assurance over time. Organisations preparing for external ESG assurance engagements will benefit significantly from having internal audit review and strengthen their data collection, reporting, and governance processes first.

The Scope of ESG Internal Audit

ESG audit encompasses three broad areas. First, data quality and completeness: whether the organisation's ESG metrics — greenhouse gas emissions, energy consumption, water use, workforce diversity statistics — are measured accurately, consistently, and in accordance with the applicable reporting framework. Data quality failures in ESG reporting carry the same risks as financial reporting errors.

Second, governance of ESG commitments: whether the board has oversight of ESG strategy, whether targets and commitments are realistic and evidence-based, whether accountability for ESG performance is assigned and monitored, and whether ESG risks are formally integrated into the enterprise risk management framework.

Third, greenwashing risk: whether ESG disclosures accurately represent the organisation's actual practices and performance, or whether they overstate environmental or social credentials. Greenwashing has become a significant regulatory enforcement priority, and internal audit has a clear role in testing whether public disclosures are supported by underlying evidence.

The Methodological Challenge: Auditing Non-Financial Data

ESG data is often estimated rather than measured. Emissions calculations involve material assumption choices; social indicators may rely on survey data with known limitations; supply chain data depends on third-party reporting that cannot be independently verified. Internal auditors must understand these estimation methodologies and assess whether the assumptions used are reasonable, consistently applied, and appropriately disclosed.

Materiality in ESG reporting is also defined differently. Many frameworks require a double materiality assessment, which considers both financial materiality (significance to investors) and impact materiality (significance of the organisation's impact on society and the environment) simultaneously. Internal auditors reviewing ESG disclosures need to understand which materiality concept the applicable framework uses.

Building the Competency and Practical Starting Points

Most internal audit functions currently lack the specific competencies required to audit ESG data effectively. CAEs should consider: targeted training in ESG audit methodology; co-sourcing with sustainability specialists for initial engagements; and developing relationships with the sustainability team before scoping audit work.

Practical starting points include: auditing the governance process for ESG target-setting and approval; reviewing the data collection methodology for one material metric such as Scope 1 and 2 emissions; assessing whether ESG risks are formally included in the enterprise risk register; and evaluating the completeness and accuracy of one public ESG disclosure. These engagements build competency progressively while delivering immediate governance value.
