Companies’ stakeholders from investors to citizens increasingly demand better sustainability performance and disclosures from businesses. Policymakers and regulators are also introducing new legislation on companies’ sustainability obligations and value chains.
Company boards need to prepare for their enhanced sustainability obligations. This document, issued by Accountancy Europe, ecoDa and ECIIA, aims to help boards embed sustainability – and specifically environmental, social and governance (ESG) factors – into company strategy and business models, and to ensure that proper governance supports this. It is based on exchanges with specialists from the three organisations and on interviews.
This document is innovative in that it proposes a whole set of questions that structure board members' thinking around sustainability and turn it from a buzzword into a concrete reality. It sets out practical questions for boards to consider in their efforts on ESG, sustainability transition planning, delivery on sustainability objectives and limiting greenwashing risks.
Internal auditors and industrial/commercial companies are still looking for best practices in dealing with the risks and benefits associated with ESG. The regulation is evolving quickly, and it is not just a matter of compliance: the business, its strategy, culture and operations must evolve as well.
This position paper is a clear call for Board Members and Top Management to move towards a more sustainable business with Internal Audit as a valuable partner in this journey, leveraging the experience, the business knowledge and the role Internal Audit plays in Governance, Risk Management and Internal Controls. In industrial and commercial companies, the support Internal Audit can provide varies with the maturity of the organisation, and less mature companies also have opportunities to invest and get ready.
The various roles are described. Whether Internal Audit could play a fundamental role in ESG is no longer a question Boards and Top Management should ask; the question is rather how they can best benefit from this privileged view.
The Digital Operational Resilience Act (DORA) is the European Union's (EU) strategic approach to managing systemic risk within the financial system. DORA is designed to improve the cybersecurity and operational resilience of the financial services sector (as of 2025). The paper explains the role internal auditors should play, specifically regarding third-party outsourcing.
Driving Enterprise Value
In Third-Party Risk Management: Driving Enterprise Value, author Linda Tuck Chapman provides a guide to optimizing third-party due diligence, controls, and monitoring so your institution can maximize value from the “mini operational and cultural ecosystems” that are third-party relationships.
The topic of auditing culture is relatively new and is a challenging one for internal auditors, as the risks and controls are more difficult to identify, assess, and audit. There are a number of emerging approaches to this type of audit, and this book provides both suggested approaches and a framework of areas to consider when examining the topic.
Culture itself is dynamic and changes over time, and we can see this as we explore how to audit it. There are many factors influencing—and therefore altering—the culture of an organization. This book offers:
- Research and technical elements
- Key success factors
- Killer questions internal auditors should be asking when they audit culture in their own organizations
About the Authors
Susan Jex is culture lead within the Business Risk Services team at Grant Thornton and has designed the firm's methodology for culture audit. She has undertaken culture audits across a number of firms and sectors, including at a major global retailer, and has undertaken HR value-added audits across many organisations, in both cases liaising at board level to link strategy and the achievement of business goals with culture.
She previously worked at HSBC as group head of diversity and group head of employee relations, amongst other roles. As head of customer service and culture, she developed an integrated and holistic approach to culture and client service, implementing it business-wide and driving it through to delivery. The culture programme saw the bank move from the bottom to the top of the industry customer satisfaction index in just two years.
She also helped to develop the brand and marketing strategy of HSBC globally, leading to the launch of "The World's Local Bank." She holds a BA (Hons), and is a fellow of the Chartered Institute of Certified Accountants and a Fellow of the Royal Society of Arts.
Eddie J. Best is global co-leader within the Business Risk Services team at Grant Thornton. He specialises in providing risk-based internal audit to global listed organisations, with experience across sectors including retail, energy, extraction and technology gained both at Grant Thornton and formerly at Arthur Andersen. He has extensive experience supporting international listed clients with the development and implementation of global risk management and internal audit, and has supported a number of major clients as they embark on significant people and culture change programmes in pursuit of their strategic and regulatory objectives. Eddie works closely with colleagues around the world to provide cohesive expert support to clients. He holds a BA (Hons), and is a Fellow of the Institute of Chartered Accountants in England & Wales and an affiliate of The IIA.
A major research report has revealed a looming poly-crisis, as a series of high-impact risk events occur simultaneously and exacerbate a multitude of interconnected risks. These include ongoing economic uncertainty, the cost-of-living crisis, the Ukraine crisis and growing geopolitical turmoil, and labour shortages, along with extreme weather events fuelled by the climate crisis.
These are the findings of Risk in Focus, the annual report for internal auditors produced in partnership with 15 European Institutes of Internal Auditors. Risk in Focus 2024 is the result of a survey of over 700 Chief Internal Auditors across Europe on the risks their businesses expect to face in the year ahead.
The top 10 risks for Risk in Focus 2024
- Cybersecurity and data security (84 %)
- Human capital, diversity, talent management and retention (57 %)
- Macroeconomic and geopolitical uncertainty (43 %)
- Change in laws and regulations (43 %)
- Business continuity, operational resilience, crisis management and disaster response (35 %)
- Digital disruption, new technology and AI (33 %)
- Climate change, biodiversity and environmental sustainability (32 %)
- Supply chain, outsourcing and ‘nth’ party risk (30 %)
- Market changes, competition and changing consumer behaviour (30 %)
- Financial, liquidity and insolvency risks (26 %)
Management guru Peter Drucker once said, "[only] what gets measured gets managed." So how are organizations quantifying non-financial risk? Internal audit can play a key role in helping organizations develop strategies that tackle this issue.
This Global Knowledge Brief, the second in a three-part series on governance, risk, and control (GRC), examines the challenges of quantifying non-financial risks and how companies are addressing them, as well as the important role that internal audit can play in advancing understanding in this area.
GRC Part 1: Rethinking Risk Appetite from a Non-financial Perspective
GRC Part 3: How Digital Transformation is Transforming GRC
The benefits of digital transformation are hard to overstate: tools springing from this trend are now used across nearly every major industry to automate and accelerate processes, allowing GRC and security operations to quickly identify and respond to potential risks and issues.
As Part 3 of The IIA’s Global Knowledge Brief series on GRC, this final installment addresses how GRC systems are evolving from the incorporation of new technologies as well as what inherent risks are involved in embracing digital transformation. This brief also addresses where internal audit fits into this conversation and how it might best aid organizations as they continue this critical journey.
GRC Part 1: Rethinking Risk Appetite from a Non-financial Perspective
GRC Part 2: Quantifying Non-financial Risk
The report underscores the vital role Internal Audit plays in ESG management. It calls for Internal Audit to actively engage in ESG matters and help guide organizations on their sustainability journey. The relevance of ESG risks and the incorporation of ESG into company strategy require the involvement of the Internal Audit function to support the bank's response to these material challenges. The ESG territory is still developing and there are many (regulatory) uncertainties and challenges, but this cannot be used as an excuse or limitation for Internal Audit functions not to get involved and support organizations on their pathway towards a sustainable future.
Auditing a Digital Insurance World
Internal auditors and insurance companies are still looking for best practices in dealing with the risks and benefits associated with Artificial Intelligence (AI). This position paper elaborates on the progress and relevance of AI within the European insurance industry, the upcoming legislation, and the risk response. It is supported by a survey that provides the perspective of the Three Lines and their current state of readiness to manage the risks related to AI.
We then provide suggestions to Internal Audit for a solid audit response on AI, to help the insurance industry prepare for 'trustworthy AI' and future legislation. The AI Act is in final discussions at the European Parliament.
The Internal Audit function can play a vital role in minimizing AI risks by advising on risk mitigation, reviewing potential biases, and ensuring compliance with relevant laws and regulations. Its involvement should begin at the onset of AI implementations and follow a top-down approach, starting with an audit of the AI strategy and governance and then testing individual instances, algorithms and models. A multidisciplinary audit team including IT, data science, business audit and ethics professionals can help ensure thorough assessments.
The paper closes with a proposal for an AI audit program to identify and test the key AI-related risks, root causes, and testing strategies, across seven different areas:
- Strategy & Governance
- Legal & Compliance
- Development of AI systems
- Operations Management for AI systems
- Security & Data Protection
- Human Capital
- Sustainability