Internal review of responses

Internal review or verification is often considered a prerequisite for an internal audit. It is one of the control activities signatories can implement as part of their system of internal controls. The activities include sign-off by board or C-level staff, and review by a compliance (or equivalent) team and any other departments responsible for the implementation of the RI strategy and processes.

At a glance

  • Prerequisite: good governance for clear segregation of roles
  • Scope: all responses. Review of process-based information should be limited to the accurate description of those processes rather than their implementation.
  • Who can review: internal staff with subject matter expertise who are independent of the collation process. Senior management oversight is key.
  • Benefits: relatively quick, minimal cost to the company.
  • Challenges: the level of confidence depends greatly on having clear governance and on the review being impartial. This may be difficult in small organisations, which are less likely to have the three lines of defence.
  • Applicable standards: not applicable
  • Frequency: yearly
  • Next step: internal audit of RI processes and external data assurance

Findings: internal review among signatories

Internal verification of ESG information by senior staff, the board, a particular department or a working group before a signatory’s report is submitted to the PRI is the most basic and common type of CBM implemented. Of the 1,248 signatories that reported, 71% use this form of control activity; 63% conduct it for their whole report. It typically involves two to three teams, the most common being CEO/C-level staff (54%), followed by the RI/ESG (48%) and investment teams (30%). However, compliance teams were involved less than expected in these processes. For instance, 11% of asset owners reported that their compliance team reviews their PRI report. This could be because many asset owner signatories do not have compliance teams.

While internal verification is widely used among signatories, as a standalone practice it is not equipped to give external stakeholders robust confidence in ESG information. Because of the process-heavy nature of the Reporting Framework, the confidence it provides is limited to the description of the processes, rather than their implementation. However, in combination with other components of the internal control system, this practice is much more meaningful.

Responses from 158 asset owners and 634 investment managers on internal verification of their Transparency Reports

Internal audit of internal controls

At a glance

  • Prerequisite: system of internal controls established
  • Governance needed: internal audit function or contracted internal auditor
  • Scope: limited to most important processes based on asset class, asset allocation in that class, management style (internal or external), organisation type (service organisation such as investment managers or user entity as asset owner), and ESG investment strategies (e.g. screening if they only do screening).
  • Benefits: helps an organisation achieve its objectives. Provides an objective perspective of the organisation’s activities, identifies risks and opportunities for improvement.
  • Challenges: time and financial resources. Difficult to communicate outcome externally as auditors’ reports are mainly for internal management.
  • Example of standards: ISAE 3402/SSAE 18/AF01/06 depending on country, or IIA’s international standards
  • Frequency: ongoing, as the audit team conducts deep dives on a group of processes at any one given time. However, each control is reviewed every three to five years.

The internal audit should be conducted by the internal audit function (the third line of defence), and forms one of the monitoring activities organisations perform as part of their internal controls system. One of the most important benefits of internal audit is that it helps an organisation – whether small or big – achieve its objectives “by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of governance, risk management, and control processes”. In this respect, internal audit can, for example, benefit signatories in their ESG reporting process by:

  • Helping the board or senior management to self-assess governance practices (e.g. whether there are clear responsibilities allocated for ESG reporting).
  • Identifying deficiencies and providing advice on how to improve undeveloped governance practices.
  • Observing and assessing risks, control design and operational effectiveness.
  • Providing an early warning system for undesirable practices that the organisation can manage before they become too severe.

Having a robust internal audit function is considered a foundation for any external audit or assurance engagement. The UNGC specifies in its guidance that members aiming for their Communication of Progress (COP) to meet the GC Advanced level should undergo an internal audit.

Apart from already having an internal controls system in place, organisations should also consider the business case for the internal audit activity. It will substantially help if the board or another highest governing body has already created a top-level demand for it, which will then also help secure resources for the audit.

Other key steps include developing an internal audit programme that outlines what the organisation will audit and how it will prioritise key issues, business units or outputs. The auditors should also have a clear idea of how the organisation measures success, and of other criteria, so that these can be used during the audit activity.

The frequency of auditing internal control systems for the collection and reporting of ESG information should be decided by each individual organisation according to its capacity and resources. While internal audits are ongoing, the AWG found that an individual process should be reviewed every three to five years, with more frequent audits applying to processes of the highest importance, complexity or degree of change.

Sharing auditing outcomes across the organisation is a crucial step. With that information, the teams where areas of improvement have been identified can develop additional control measures to ensure the processes will work as intended. During the auditing process, it is also important to inform relevant teams of the audit and how it will benefit the organisation.

Findings: internal process audit among signatories

Internal audit of controls related to RI processes appears to be rare among PRI signatories. Just 4% of 1,248 signatories reported in their 2017 report that they conducted an internal audit or a third-party assurance of their internal controls specific to RI processes. This could be attributed to the lack of RI-specific standards of internal controls. However, the AWG expected this figure to be higher, as a vast majority of signatories’ reports had been reviewed by a CEO. It would be expected that a sign-off at that level would be supported by an internal audit function.

The responses from those 47 signatories revealed which RI processes are most often reviewed. These were focused on the overarching RI strategy, RI governance roles and responsibilities, active ownership practices in listed equity (voting and engagement), as well as some aspects of ESG integration such as exclusion lists as part of screening.

In practice: alternatives to audit function for small organisations

In some smaller and less complex organisations, the responsibilities of the first and second line of defence might be combined. For the third line of defence, small organisations without the resources to employ a fully independent internal auditor can outsource part of, or the whole, audit function for a limited number of days per year. The AWG also highlighted that some organisations can make use of internal verification and review functions. In such cases, the board, trustees and/or senior management should take extra precautions in assessing the risks of this structure and how it might affect the quality of internal control risk assessment and ultimately the organisation’s ability to efficiently achieve its reporting objectives. While not the equivalent of an independent internal audit function, it can provide a solution for particularly resource-constrained organisations.