Internal audit and the environment: how green is your audit?

Formerly the preserve of a few ethical consumers, environmental
sustainability is now a very real and important part of all walks of business
life. From the products companies deliver to the premises they occupy,
organisations are now sitting up and taking note of the value of their ‘green
credentials’. Internal audit needs to play a central role in this.

Being ‘green’ is no longer a PR-led matter of reputation management.
Regulatory pressures, employee retention and perhaps most importantly attracting
investment and raising finance, all increasingly require organisations to prove
they operate in an environmentally friendly way.

High-profile examples of companies making bold environmental statements
include M&S and BSkyB.
The question is, while a company’s move to address its ‘green’ responsibilities
is commendable, a lack of measurement, control and independent verification can
render many such statements meaningless.

For example, if an organisation pledges to reduce its carbon footprint by x%,
does it specify the original baseline? Does it detail how this is measured? And
are these figures properly audited?

It is not unreasonable to suggest that regulators, who are already active in
this area, will ultimately require external attestation for any environmental
claims made. In this instance, those organisations which have positioned
internal audit at the heart of this process will certainly have the upper hand.

Most internal audit departments currently fail to include environmental risks
when establishing the overall risks affecting their organisations. As a result,
they will often not develop audit programmes that provide assurance, even in
part, over the relevant environmental issues.

There is a wide range of assignments that could form part of the audit
planning process, taking into account risk, materiality, scope of audit
coverage, skill sets of the resources, and budget. Some examples include:

  • the adequacy of policies addressing corporate social responsibility (CSR)
    and environmental strategies;
  • the accuracy of statements and figures reported externally;
  • the adequacy of environmental reporting procedures and controls;
  • compliance with existing and future environmental legislation;
  • benchmarking green policies against competitors and other industries;
  • efficiency programmes to develop the sustainable use of resources;
  • potential to engage with carbon offset schemes;
  • major purchasing projects; and
  • supply chains and partner practices.

This kind of audit activity is not the only way that internal audit should
engage with environmental sustainability. As part of its ‘change agent’ role,
there are several hot topics that internal audit should track ­ each could have
a significant impact on its work.

How effectively is the business dealing with the climate change agenda? This
is one of the hottest topics among leading businesses and is beginning to have a
profound impact on business models, risk management, innovation and product

How effectively is the company meeting its legal obligations to report to
shareholders on environmental issues?

The Companies Act 2006 states that from October 2007 quoted companies must
ensure their business review, as part of the director’s annual report, discloses
information on environmental, employee, social and community matters.

Does the organisation have appropriate and specific corporate social
responsibility policies? Are CSR policies embedded in business-as-usual
management functions, or are they treated as a bolt-on responsibility, or as
something taken care of by staff in a separate CSR ‘silo’?

What present and future legislation or initiatives could specifically affect
your organisation, industry sector and geography? A brief look at just some of
the UK legislation on this topic highlights what a significant task this is. At
a wider level, the European Union is working on new policies to cover
sustainable consumption and production and sustainable industrial policy. Both
could lead to significant new regulations.

What assurance does the organisation have that any claims referred to in its
websites, corporate reports, etc are accurate and will not leave it open to
accusations of misreporting? The process of overstating a company’s green
credentials ­ known as ‘greenwashing’ ­ is a dangerous game.

What assurance does the organisation have that its environmental strategy is
not operating in a silo, dislocated from the organisation’s other aims and

Where is the organisation on the change curve with respect to sustainability
programmes? For example, does management understand the significance of society
expectations for the company and the sector within which it operates?

Heads of internal audit should review their risk universe and perhaps even
their operating charter to ensure that they are able to provide assurance around
these risks.

Those who are able to establish a role for internal audit in this area will
be contributing significant value to their organisations.

UK legislation

These are just some of the areas in which environmental laws or regulations
can affect organisations in the UK.

• Companies Act 2006
• Low Emission Zone (London)
• Pollution permit auctions
• EU directive on packaging and packaging waste
• Kyoto Protocol
• Climate change levy
• Climate change agreement
• EU Emissions Trading Scheme
• Customer carbon offset schemes
• The European Waste Electronic and Electrical Equipment Directive
• The government’s carbon reduction commitment requirements
• ISO 14001

Risk universe

The specific environmental risks that an organisation faces will depend on
its industry sector, the kinds of service or products that it provides, its
geographical locations, the legislation it has to comply with and the ways in
which it uses technology. And while many of the risks have a compliance focus,
there are equally many opportunities in this area that are not necessarily
driven by a compliance requirement but rather just make good business sense.

Some of the risks we would expect to see in an organisation’s risk universe
as they relate to environmental risk are listed below.

• Compliance with applicable laws and regulations
• Responding to environmental changes and local initiatives
• Knowledge of proposed changes in environmental laws
• Nature and extent of new or potential environmental liabilities
• Costs associated with existing and anticipated environmental risks
• Lack of environmental management
• Public opposition to the environmental stance
• Accuracy of environmental disclosures
• Ability to raise and secure funds
• Adequacy of insurance cover
• Damage to reputation

Dene Burke is a director at

Related reading