ESG Audit Checklist and Best Practices

Environmental, Social, and Governance (ESG) reporting has emerged in recent years as an area of attention and progress in the public disclosure landscape. ESG committees have arisen to assess risks to a company’s operations related to environmental, social, and governance issues. ESG encompasses a wide range of issues, from environmental risks like climate change, to social risks related to diversity, equity, and inclusion (DEI) and to social responsibility in investing and production, to governance risks related to executive pay and financial reporting. These risks are also opportunities for growth: to become the ethical, inclusive, and sustainable companies that not only manage risk but proactively improve their stakeholders’ quality of life.

International standards for ESG disclosures currently vary, and in the U.S. they are not yet required. Even so, almost all S&P 500 companies publish ESG reports comparing their ESG performance against their stated goals. With regulatory bodies paying special attention to ESG disclosures and suspicion of greenwashing rising, the onus is on companies to provide reasonable assurance that the ESG information they disclose is accurate and verified.

An ESG audit supports an organization’s ESG disclosures, substantiates the accuracy of the ESG data the organization discloses, and informs stakeholders and leadership when reporting standards are not upheld or the company’s ESG efforts are missing the mark. Read on to learn about top-of-mind ESG topics and what an ESG audit entails, and download our preliminary ESG audit checklist below.

What Is an ESG Audit?

An ESG audit is an assessment of the risks an organization faces related to environmental, social, and governance domains, and can provide a level of assurance over the integrity of a company’s ESG statements. Without a formal ESG audit, it can be hard to obtain even limited assurance over the validity of ESG reporting. ESG audits can be internal or external. KPMG LLP predicts that third-party auditors and specialists who are well-versed in ESG assessments will become increasingly important for companies that wish to assure their stakeholders their ESG claims are accurate. Meanwhile, Deloitte notes, internal audit’s “role includes validating the effectiveness of ESG-related controls and activities to help organizations manage those risks and foster resilience.” Both internal and external audit functions play a role in ESG assurance.

During an ESG audit, companies should prepare to be asked questions about their ESG-related business processes, what reporting frameworks they use (if any), and how they obtain, analyze, and report on their ESG data. They may need to provide evidence or artifacts for audit processes and validation. Auditors may also offer recommendations on addressing gaps, improving internal controls, and benchmarking.

An ESG audit will likely align with other dimensions of your risk management plan, financial statements, and compliance requirements, and can prepare you to file reports with regulatory agencies. 

It’s important to note that ESG disclosures are used by investors to make informed financial decisions, and by other external stakeholders to understand an organization’s environmental, social, and corporate governance positioning. The format and method for reporting on ESG topics should take the target audience into account.

What Is an ESG Risk?

ESG risks are exactly what the acronym lists – environmental, social, and governance risks. While some argue that the “G” in ESG should be considered separately, these three risk categories are interdependent. We may well see the acronym for ESG evolve in the future, but the SEC’s move to prioritize climate-related disclosures may be a precursor to regulations that codify ESG reporting into law. Most ESG specialists see governance issues, which include board quality and executive pay transparency, as important to managing both environmental and social risk. Here’s a bit more detail about each category: 

  1. Environmental risk includes potential for pollution of the air, water, or soil due to production or distribution of goods, climate risk, carbon footprint, greenhouse gas emissions, and energy use. 
  2. Social risk includes risk to the well-being, reputation, or privacy of one’s customers, employees, or suppliers, including accessibility in the design and distribution of goods, employee welfare, human capital, and issues related to diversity, equity, and inclusion (DEI). 
  3. Governance risk includes issues related to financial reporting, fraud prevention, executive pay, and organization of the company. 

The types of risk that fall into each category are still broadly defined, with countries and standards bodies working to create taxonomies that define which economic activities are eligible for ESG reporting.

What are the Top Four ESG Issues in 2023?

ESG is a hot topic, with subjects like international reporting requirements, sustainability reporting, and even cybersecurity in play.  Four ESG issues that we’ve identified in 2023 include: climate change; diversity, equity, and inclusion; regulatory expansion; and greenwashing — and the drive to eliminate it.

Image: ESG Issues

#1: Climate Change and Sustainability 

Climate change issues remain top of mind for the public and pervade corporate operations, from the sustainability of production choices and the mining of raw materials to companies’ investments and greenhouse gas (GHG) emissions. Climate change and sustainability are among the biggest concerns for consumers, especially Gen Z. The SEC is concerned as well: when the U.S. Securities and Exchange Commission solicited public input early in 2022, 75% of 550 individual responses supported mandatory climate disclosures in financial reporting. Sustainability audits are often separate from ESG audits, but they overlap significantly. The main difference is that sustainability audits are typically internal, with organizations left to create their own definitions, while ESG frameworks are more specific and standardized. Climate-change-driven weather events have posed a special problem for companies, with travel, air quality, and supply chains affected.

#2: Diversity, Equity, and Inclusion 

DEI initiatives have gained momentum in recent years, along with an increasing consumer focus on the social responsibility of the companies they support. Companies are increasingly held accountable for their efforts to attract, recruit, and retain employees from diverse backgrounds. There have also been imperatives for transparency in pay structures to expose pay gaps, and a push for human resources and internal communications specialists to explicitly address how systemic inequality affects hiring decisions and the employment history of industries. With the pandemic receding and return-to-office mandates issued, the labor landscape has changed, posing new challenges to DEI initiatives.

#3: International Regulations Expand

EU and UK ESG regulations and standards are already in motion, with reporting requirements taking effect for companies soon. The U.S. SEC declared an increased focus on ESG matters in 2022, and the trend toward standardized ESG reporting requirements has not stopped there. Around the world, governments are proposing regulations and legislation on ESG issues, and a wave of standards appears imminent. Organizations that have not yet issued ESG reports, especially public companies, may want to consider starting an ESG disclosure program or committee; existing ESG programs should be ready to support their assurances with ESG audits or attestations.

#4: Combating Greenwashing through Litigation and Regulation

A major driver of governments’ efforts to regulate ESG disclosures is a pattern of “greenwashing,” that is, presenting ESG performance as better than it is. Since investors and other external stakeholders make major decisions based on ESG reports, greenwashing or “fluffing” the numbers threatens their decision-making and general trust in the market. To combat the practice, experts predict that agencies and governments will use the tools at their disposal, litigation and legislation, to crack down on this fraudulent activity. ESG audits play a special role in preventing greenwashing, since they can flag inaccurate data or incomplete information as part of the audit process.

What Is an ESG Audit Checklist?

The success of an ESG audit depends on the maturity of the organization, the type of product manufactured or service rendered, the auditing standards used, and the social context of your company. An ESG audit will help determine the specific steps your company needs to take to mitigate the risks and capture the opportunities most relevant to its goals. An ESG audit will also verify the accuracy of your ESG-related disclosures. We’ve listed five steps for preparing for an ESG audit below; to learn more, download our ESG Audit Checklist for best practices to help you identify ESG risks and establish ESG controls.

Five steps to consider when preparing for an ESG audit are: inventory and interview your stakeholders; incorporate ESG into risk management; map ESG compliance requirements to other frameworks; select a guiding ESG framework; and prepare for ESG reporting.

#1: Inventory and Interview Your Stakeholders

Preparation for an ESG audit must include informing stakeholders about the audit, understanding and addressing their concerns, and clarifying what will be expected of them during the audit process. Because ESG is an emerging area, it may be worth educating stakeholders about ESG risks, ESG data, and how both will be incorporated into disclosures. Not every stakeholder needs to be involved in an ESG assessment, but those who are should be prepared to speak to the audit team and provide evidence as needed.

#2: Incorporate ESG Into Your Overarching Risk Management Plan

As you develop or revise your organization’s risk management plan, consider how ESG risks and opportunities intersect with other types of risk. Take stock of your risks and opportunities, and use your stakeholders’ answers to capture ESG risks that may not have surfaced in your initial procedures. Maintaining a centralized risk register that includes ESG risks is a good step toward integrating ESG issues into risk management initiatives. A report from Deloitte Ireland promotes full integration of ESG into risk management plans, concluding that “future developments in regulation, an increase in ESG expertise in the industry and resulting improvements in available data should lead to the ongoing maturity of firm’s ESG risk management capabilities.” Taking an integrated risk management (IRM) approach can help organizations combine ESG risk management with other risk management functions.

#3: Determine Which Compliance Requirements Overlap With ESG

Depending on the scope and maturity of your company, you will likely already have numerous compliance requirements that relate to ESG. For example, if your company is subject to Sarbanes-Oxley (SOX), you already have a financial reporting process in place and already report to the SEC; integrating climate-related disclosures into that reporting will save time and effort. The International Organization for Standardization (ISO) also publishes numerous ESG-related standards, such as ISO 14001 for Environmental Management Systems and ISO 45001 for Occupational Health and Safety, which provide frameworks for protecting the environment and human capital. ISO has also established a technical committee (ISO/TC 322) on sustainable finance. By understanding which compliance requirements overlap with ESG, your organization can avoid reinventing the wheel or building redundant controls, and instead consolidate them.

#4 Choose Your ESG Guidance Framework(s)

Whether you’re doing an internal audit or selecting a third-party auditor to evaluate your ESG risks and data, you will need to choose one or more ESG frameworks that work well for your company and its goals. Two of the most popular frameworks are published by the Sustainability Accounting Standards Board (SASB) and the Task Force on Climate-Related Financial Disclosures (TCFD), with the Global Reporting Initiative (GRI) a close third. SASB provides industry-specific standards covering a range of ESG risks, while TCFD is focused specifically on climate-related financial risk. The framework you choose should fit your industry and align with your overarching risk management strategy. If no single framework meets your organization’s ESG reporting needs, drawing guidance from multiple frameworks, or developing a custom framework, may fit your company better.

#5: Prepare for ESG Reporting 

ESG reporting may already be familiar to your organization, since the SEC requires publicly traded companies to include human capital resource (HCR) disclosures in their annual reports. The SEC is also in the process of implementing stronger rules on climate-related disclosures in financial reporting, and companies should expect ESG reporting to become increasingly complex. Your ESG audit should include a plan for reporting your ESG risks and strategies to your stakeholders and to any regulatory entities. The audit, in turn, substantiates that the data you report is accurate, complete, and transparent, and that your company’s core values and commitments are authentic. International companies should be especially vigilant about upcoming or in-flight ESG reporting regulations. Many countries are considering or proposing ESG disclosure standards as greenwashing becomes more prevalent and investors seek greater confidence in organizations’ reports.

Overcoming Top ESG Program Challenges

Whether you are driven by your company’s core values or by the goal of streamlining reporting to the SEC, your ESG strategy should be well aligned with your risk management plan and designed to take advantage of your sector’s opportunities for growth. Leading organizations have found that their biggest challenges in managing an effective ESG program include:

  • Centralizing all ESG initiatives, claims, and metrics in one system of record.
  • Evidence collection to substantiate the organization’s progress towards those public claims and metrics.
  • Mapping ESG metrics to the relevant framework(s), such as SASB, TCFD, and GRI.
  • Aggregating data from disparate systems, such as carbon emission calculators, HR systems, and finance systems, to improve auditability.
  • Responding to Rating Agency questionnaires (MSCI, S&P Global, CDP, ISS). 
  • Consolidating results for ESG reporting purposes, whether into stand-alone ESG reports or as part of broader annual disclosures.
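The evidence-collection, framework-mapping, and aggregation challenges above share one underlying control: every disclosed figure should trace back to source data whose integrity can be verified later. The following is an added illustration, not code from this page or from AuditBoard’s product. It aggregates metrics from constructed source records (the system names, metric keys, values, evidence bytes, and the metric-to-framework mapping are all hypothetical placeholders), records a SHA-256 digest of each supporting file so an auditor can confirm the evidence has not changed, and reconciles a draft disclosure against the source totals, flagging figures that do not match the evidence, figures with no evidence at all, and framework-required metrics that the draft omits.

```python
"""Evidence-linked ESG metric ledger (added example).

Aggregates source data, hashes the evidence, and reconciles it against the
figures a company intends to disclose. All system names, metric keys,
values and the framework mapping are constructed placeholders.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceRecord:
    system: str      # originating system, e.g. carbon calculator, HRIS, ERP (constructed)
    metric: str      # internal metric key (constructed)
    period: str      # reporting period
    value: float
    evidence: bytes  # raw export the value was taken from (constructed)


# Illustrative metric -> framework mapping. A real program maps each metric to
# the specific disclosure codes of the frameworks it adopts; these are placeholders.
FRAMEWORK_MAP = {
    "scope1_tco2e": {"GRI", "TCFD", "SASB"},
    "scope2_tco2e": {"GRI", "TCFD", "SASB"},
    "headcount_total": {"GRI", "SASB"},
    "energy_mwh": {"GRI", "SASB"},
}


def evidence_digest(data: bytes) -> str:
    """SHA-256 of the raw evidence, so the file can be re-verified at audit time."""
    return hashlib.sha256(data).hexdigest()


def aggregate(records):
    """Sum each metric per period and keep (system, digest) for every supporting file."""
    totals = defaultdict(float)
    evidence = defaultdict(list)
    for r in records:
        key = (r.metric, r.period)
        totals[key] += r.value
        evidence[key].append((r.system, evidence_digest(r.evidence)))
    return dict(totals), dict(evidence)


def reconcile(disclosed, records, frameworks, period, tolerance=0.01):
    """Return findings as (kind, metric, disclosed_value, source_total).

    MISMATCH: disclosed figure differs from the source total by more than `tolerance`.
    NO_EVIDENCE: disclosed figure has no source record for the period.
    MISSING: a metric required by the chosen framework(s) is absent from the draft.
    """
    totals, _ = aggregate(records)
    findings = []
    for metric, value in disclosed.items():
        key = (metric, period)
        if key not in totals:
            findings.append(("NO_EVIDENCE", metric, value, None))
            continue
        if abs(value - totals[key]) > tolerance * max(abs(totals[key]), 1.0):
            findings.append(("MISMATCH", metric, value, totals[key]))
    required = {m for m, fw in FRAMEWORK_MAP.items() if fw & set(frameworks)}
    for metric in sorted(required - set(disclosed)):
        findings.append(("MISSING", metric, None, totals.get((metric, period))))
    return findings


# Constructed source exports: two sites feeding the carbon calculator, HRIS, ERP.
RECORDS = [
    SourceRecord("carbon-calc", "scope1_tco2e", "FY2023", 1200.0, b"site=A,scope1=1200.0"),
    SourceRecord("carbon-calc", "scope1_tco2e", "FY2023", 300.0, b"site=B,scope1=300.0"),
    SourceRecord("hris", "headcount_total", "FY2023", 850, b"headcount=850"),
    SourceRecord("erp", "energy_mwh", "FY2023", 4100.0, b"energy_mwh=4100.0"),
]

# Constructed draft disclosure: scope 1 understated, scope 2 asserted with no
# source data, and energy use omitted entirely.
DRAFT = {"scope1_tco2e": 1400.0, "scope2_tco2e": 900.0, "headcount_total": 850}

if __name__ == "__main__":
    for finding in reconcile(DRAFT, RECORDS, ["GRI", "TCFD"], "FY2023"):
        print(finding)
```

Run against the constructed draft, the reconciliation reports a MISMATCH on scope 1 (1400 disclosed against 1500 in the source exports), NO_EVIDENCE for scope 2, and a MISSING energy metric for the GRI/TCFD mapping. The digests make the ledger tamper-evident rather than tamper-proof: they prove a reviewed file is the one the figure was built from, but not that the source system itself was correct, which is why the evidence files and the mapping should be kept under the same change control as the disclosure.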

Many of these challenges can be overcome with the right technology solution. Centralizing and consolidating metrics, reports, and data becomes much easier when you have a single repository for all ESG efforts. Collecting evidence, responding to questionnaires, and coordinating with team members across the organization become straightforward with AuditBoard’s ESG program management solution. If your organization is looking to start or accelerate its ESG journey, implementing connected ESG software can help it get on the right footing to manage and track the ESG life cycle from end to end.

Frequently Asked Questions About ESG Audit

What Is an ESG Audit?

An ESG audit is an assessment of the risks an organization faces related to environmental, social, and governance domains. ESG audits can be internal or external; KPMG suggests that third-party auditors and assurance specialists who are well-versed in ESG assessments will become increasingly important for companies that wish to assure their stakeholders that their ESG claims are accurate. An ESG audit will likely align with other dimensions of your risk management plan and compliance requirements as well, and can prepare you to file reports with regulatory agencies.

What is an ESG Risk?

ESG risks are exactly what the acronym lists – environmental, social, and governance risks. While some argue that the “G” in ESG should be considered separately, these three risk categories are interdependent. We may well see the acronym for ESG evolve in the future, but the SEC’s move to prioritize climate-related disclosures may be a precursor to regulations that codify ESG reporting into law. Most ESG specialists see governance issues, which include board quality and executive pay transparency, as important to managing both environmental and social risk.

Emily Villanueva, MBA, is a Senior Manager of Product Solutions at AuditBoard. Emily joined AuditBoard from Grant Thornton, where she provided consulting services specializing in SOX compliance, internal audit, and risk management. She also spent 5 years in the insurance industry specializing in SOX/ICFR, internal audits, and operational compliance. Connect with Emily on LinkedIn.