A recent dialogue session on Sustainability turned my understanding of the Internal Audit maturity levels upside down.
The roots of Internal Audit lays in providing assurance on the company’s financials, and at later stage including some non-financial KPI’s, which are now embedded in the organization’s governance, culture, systems and processes. Most Internal Auditors/departments added capabilities and grew from assurance provider, through problem solver to insight generator, and some to trusted advisor providing valued added services and proactive strategy advise to the business. For several years, one could find articles and trainings on how Internal Audit could evolve from being a “police agent” to the business’ trusted advisor (often ignoring the question whether that would be the most suitable maturity for their organization).
In the “Knowledge lab Internal Sustainability Audit” organized by RGP and Sustainalize, both Internal Auditors and Sustainability Managers exchanged their experiences and challenges. And yes; auditing a sustainability report, or sustainability elements in an integrated report, is in principle no different than auditing any other non-financial KPI. “In principle” because the many guidelines and standards do add complexity. Also measuring, recording, reporting and auditing sustainability KPI’s require a lot of explaining, discussing, adjusting process and systems, before it becomes business as usual
Internal Audit can support to increase transparency on the organization’s environmental footprint, ratings, and progress on the selected sustainability goals. How? As a start by supporting the management to develop the sustainability strategy. As Internal Audit usually has a deep understanding of the organization’s processes, systems, risks and controls, they can help translate the sustainability strategy in the organization’s daily operating model and define KPI’s. Activities which fit the role of insight generator and trusted advisor.
However, while the organization is still developing and learning to uniformly measure, report and consolidate these new type of data, while an audit trail might be missing, while manual activities are high or systems not yet robust, auditing the sustainability or integrated report definitely differs from providing assurance on financial or established non-financial information. To be able provide limited or reasonable assurance on sustainability information, a next level of Internal Audit capability and maturity is needed.
So the Internal Audit maturity levels have changed over time. From trusted advisor and insight generator, to assurance provider as a next level.