HomeAbout UsServices Our ExpertsResources InsightsGet in Touch
Home/ Insights/ Governance
Governance

ESG and the Audit Function: What Internal Auditors Need to Know

Kamran Iqbal, CIA, CISA, CFE, CRMA June 2026 8 min read
Environmental, social, and governance reporting has moved rapidly from voluntary disclosure to regulatory expectation across major jurisdictions. As organisations face increasing pressure to produce credible, auditable ESG data, internal audit functions are being asked to provide assurance over an entirely new category of non-financial information. Understanding what this demand requires — and how to respond to it — is becoming a core professional competency.

The ESG Assurance Landscape

The regulatory environment around ESG disclosure is evolving rapidly. The European Union's Corporate Sustainability Reporting Directive requires companies above certain size thresholds to publish sustainability information that is subject to independent assurance. The International Sustainability Standards Board has published disclosure standards that are being adopted and mandated across multiple jurisdictions. The SEC in the United States has implemented climate disclosure requirements for public companies.

These developments mean that ESG information — once confined to voluntary sustainability reports prepared primarily for reputational purposes — is increasingly treated with the same governance rigour as financial information. It must be supported by adequate data collection processes, internal controls, governance oversight, and independent assurance.

What ESG Assurance Actually Involves

ESG assurance covers a broad range of subject matter that varies significantly in its auditability and in the maturity of available assurance standards. The key categories include:

Environmental data: Greenhouse gas emissions, energy consumption, water usage, waste generation, and biodiversity impact. The primary assurance challenge is data quality — many organisations are collecting environmental data through manual processes with significant estimation, extrapolation, and measurement error. Assurance over environmental data requires assessment of measurement methodology, data collection controls, and the treatment of uncertainty.

Social data: Workforce metrics (headcount, diversity, turnover, compensation equity), health and safety performance, supply chain labour standards, and community impact. Social data tends to be more process-intensive and involves significant judgement in categorisation and boundary-setting. Assurance requires assessment of definition consistency, process controls, and completeness of scope.

Governance data: Board composition, executive compensation structure, anti-corruption programmes, and whistleblowing mechanisms. This is the ESG component closest to traditional internal audit territory — governance assurance has always been a core internal audit function, and the expansion of governance disclosure requirements largely extends this existing work rather than creating new audit requirements.

The Internal Audit Role in ESG Governance

Internal audit's contribution to the organisation's ESG governance can take several forms. At the assurance end of the spectrum, internal audit can provide independent assurance over ESG data and disclosure processes — examining the controls over data collection, assessing the completeness and accuracy of reported metrics, and evaluating the governance structures and processes underlying ESG commitments. At the advisory end, internal audit can provide input into the design of ESG governance frameworks, helping management build the internal control infrastructure that robust ESG reporting requires before making external commitments.

The organisations that will produce credible ESG reporting over the long term are those that treat ESG governance with the same rigour they apply to financial governance — with clear ownership, robust data controls, independent oversight, and honest disclosure of limitations. Internal audit is uniquely positioned to assess whether that rigour is actually present.

Building ESG Audit Capability

Most internal audit functions currently lack the specialist skills needed to provide comprehensive assurance over the full spectrum of ESG subject matter. Building this capability requires a combination of training existing staff in the relevant disclosure frameworks and assurance standards, recruiting or co-sourcing specialist expertise in environmental measurement and social impact assessment, and developing working relationships with the organisation's sustainability and investor relations teams. The investment is significant — but for organisations where ESG reporting is becoming a regulatory requirement and a material investor concern, it is increasingly non-optional.

Share

Request Training

CTC Global delivers expert-led training on Governance topics for corporate teams across all sectors.

Request Training Proposal View All Services

Related Publications

Deepen your knowledge with our practical books, revision kits, and toolkits.

Book
Internal Audit Quality Assurance in PracticeGovernance, independence, and audit quality — comprehensively covered.
Store
CTC Global Publications StoreBrowse all books, revision kits, and toolkits on our Gumroad store.
 Browse All Publications →

About the Author

Kamran Iqbal is a seasoned internal audit and risk professional holding CIA, CISA, CFE, and CRMA credentials. He leads CTC Global's training and consultancy practice across Pakistan and the UAE.

View Full Profile →

Continue Reading

More practical insights from CTC Global on Governance and related topics.

← Back to All Articles & Insights