Sustainability Solutions | Anitech

ESG Governance Auditing: Internal and External Reviews for Australian Businesses

ESG governance auditing provides independent assessment of governance practices, controls, and compliance. Internal and external audits help boards ensure governance effectiveness and identify improvement opportunities. For AASB S1-compliant entities, external assurance of governance and sustainability disclosures is now mandatory. This article explores internal and external ESG governance auditing frameworks and best practices.

For ESG governance continuous improvement, see our article on continuous improvement frameworks and benchmarks. For governance framework context, see our article on ESG governance frameworks and how to build structures for ESG.

Internal ESG Governance Auditing

Internal Audit Function

Many organisations maintain internal audit functions providing independent assessment of governance, risk management, and control. Internal audit can assess:

  • ESG governance structure and board oversight effectiveness
  • ESG risk management processes and adequacy
  • ESG policy implementation and compliance
  • Data collection and measurement systems for ESG metrics
  • ESG disclosure accuracy and completeness
  • ESG target achievement and performance tracking

Audit Scope and Timing

Internal ESG audits can be:

  • Periodic: Annual or biennial comprehensive audits
  • Rolling: Ongoing assessment across multiple audit cycles
  • Triggered: Assessment following incidents, governance changes, or new risks
  • Focused: Targeted assessment of specific governance areas (risk management, disclosure, controls)

Internal Audit Reporting

Internal audit findings should be reported to:

  • Audit committee (board oversight body)
  • Management (for remediation planning)
  • Board (for governance oversight)

Internal audit should provide an independent perspective, free from management pressure.

External ESG Governance Auditing and Assurance

External Audit of Financial Statements

External auditors assessing financial statements increasingly evaluate ESG governance implications:

  • Whether ESG risks are appropriately reflected in financial statement balances (asset impairments, provisions, disclosures)
  • Whether governance systems adequately manage ESG risks affecting financial statements
  • Compliance with ESG-related disclosure requirements

ESG Governance and Disclosure Assurance (AASB S1)

AASB S1 requires external assurance over governance and strategy disclosures. This means external assurance providers must verify:

  • Governance structures: Board composition, committee composition, decision-making processes
  • Risk management: Processes for identifying and managing sustainability-related financial risks
  • Strategy: How sustainability risks are integrated into business strategy
  • Remuneration linkage: How executive pay is linked to ESG targets

Assurance is typically “limited” (reasonably assured but not absolute) for governance and strategy, and more rigorous for specific metrics.

ESG Performance Data Assurance

Many organisations obtain external assurance over ESG performance metrics (emissions, diversity, safety), verifying:

  • Data collection processes and accuracy
  • Calculation methodologies
  • Completeness and boundaries of data
  • Year-over-year consistency

ESG Governance Audit Framework

Audit Planning and Scoping

Internal or external audits should begin with clear scoping:

  • Objectives: What governance areas are being assessed? What is being tested?
  • Scope: Which business units, geographies, and processes are in scope?
  • Risk assessment: Which areas present the highest audit risk and require focused assessment?
  • Timeline: When will fieldwork occur? What is the reporting timeline?
  • Resources: What expertise is required? Who will conduct the audit?

Audit Execution

Audits typically include:

  • Process walkthroughs: Understanding how governance and processes operate
  • Document review: Assessing policies, procedures, meeting minutes, records
  • Sample testing: Testing whether policies are consistently followed
  • Interviews: Discussions with governance bodies, management, staff
  • Data verification: Testing accuracy and completeness of ESG metrics

Audit Findings and Recommendations

Audits should produce:

  • Clear findings: Specific observations about governance strengths and weaknesses
  • Audit conclusion: Overall assessment of governance maturity and effectiveness
  • Recommendations: Specific actions to address weaknesses and enhance governance
  • Management responses: Management plan for addressing findings
  • Follow-up: Tracking whether management implements recommendations

Audit Committee Role

Oversight of ESG Auditing

Audit committees typically oversee ESG governance auditing by:

  • Approving audit scope and plan
  • Receiving audit findings and conclusions
  • Ensuring management addresses audit findings
  • Assessing adequacy of internal and external auditing
  • Reviewing compliance with audit recommendations

Relationship with Internal and External Auditors

The audit committee should maintain regular engagement with both internal and external auditors to:

  • Understand audit findings and implications
  • Assess management responsiveness to findings
  • Monitor trends in governance weaknesses
  • Ensure audit independence and objectivity

ESG Auditing Best Practices

  • Clear objectives: Audits should have clearly defined purposes and scope
  • Independence: Internal and external auditors should be independent from management and audit subjects
  • Competence: Auditors should have expertise in ESG governance and the industry context
  • Timeliness: Audit findings should be reported promptly, enabling a timely management response
  • Evidence-based: Findings should be supported by clear evidence and documentation
  • Constructive: Audits should provide actionable recommendations supporting governance improvement
  • Follow-up: Audits should include follow-up to ensure management addresses findings

Key Takeaways

Internal and external ESG governance auditing provides independent assessment supporting governance effectiveness. AASB S1 requires external assurance of governance and strategy disclosures for in-scope entities. Internal audit functions assess governance processes, controls, and compliance. External auditors assess ESG governance implications for financial statements and provide assurance over disclosures. Audit committees oversee internal and external auditing. Effective auditing requires clear objectives, independence, competence, and timely reporting with follow-up on management responses.

Frequently Asked Questions

What is the difference between internal and external auditing?

Internal audit is conducted by company employees (often in an internal audit function), providing management and the board with an independent assessment. External audit is conducted by independent audit firms, providing external validation and assurance to stakeholders.

Is AASB S1 assurance mandatory for all entities?

AASB S1 assurance applies to entities meeting size thresholds. Large proprietary companies, listed companies, and financial sector entities meeting thresholds must obtain external assurance over governance and strategy disclosures.

What type of assurance is provided under AASB S1?

AASB S1 typically requires limited assurance (subject matter expert assurance) over governance and strategy disclosures. Performance metrics may require higher assurance levels.

Can internal auditors conduct ESG governance audits without specialist expertise?

Internal audit can conduct ESG governance audits, but may need to engage external experts to supplement internal knowledge on technical ESG matters. The audit committee should assess auditor competence.

What should management do when audit findings identify weaknesses?

Management should respond promptly to findings, develop remediation plans, assign accountability, set implementation timelines, and report progress to the audit committee.

How frequently should ESG governance be audited?

Annual or biennial comprehensive audits are typical. More frequent or focused audits should occur for high-risk areas or following governance changes.
