What is internal audit?

Internal audit aims to provide assurance that an organisation’s risk management, governance and internal control processes are operating effectively by undertaking an independent risk-based objective assessment.

Internal audit is undertaken by staff from within the organisation, the internal auditors, who are independent from the operations being assessed. Internal auditors should have unfettered access to information to undertake their work, and to the highest levels of management in the organisation to report their findings and recommendations.

Internal audit is the third line of defence, providing as independent assurance as possible from within the organisation. The first line of defence relates to functions that own and manage risks; the second line of defence comprises functions that oversee or specialise in compliance and management of risk.

Larger organisations are likely to have an in-house team of internal auditors. However, SMEs may often outsource internal audit functions to an independent professional service provider. Of course, these would be separate from their external auditors to avoid a conflict of interest.

Risk-based approach

Internal auditors take a risk-based approach to providing their assurance over the internal controls of an organisation. Using the Board agreed-upon organisational strategy, internal auditors evaluate the key control risks faced by the organisation to target their assessment on the various functions of the organisation.

Such internal audit plans continuously consider economic and market conditions, which could determine the need to focus on particular operations and/or control areas to ensure operational efficiency. Such rolling internal audit plans form part of an agile internal audit strategy.

Shift towards sustainability

No doubt, as social and market conditions move toward driving organisations to pursue ESG-friendly and sustainable business practices, the role of internal auditors is critical. Internal auditors are well placed to guard against greenwashing practices of organisations while recommending control improvements to accelerate ESG-friendly and sustainable business practices. Of course, internal auditors cannot execute recommendations, but they can be vocal advocates of such positive business practices.

Sustainability reporting

While the world is yet to truly develop and agree upon an internationally recognised standard for sustainability reporting, the Global Reporting Initiative (GRI) aims to do just that. GRI is an independent, international organisation that helps businesses and other organizations take responsibility for their impacts.

The drive for greater reporting on sustainability and ESG factors can be influenced by both internal and external stakeholders. Employees can drive change in organisations which has a positive impact overall. For example, worker unions in the 1950s and 1960s such as the International Brotherhood of Electrical Workers in the US invested considerable capital in developing affordable housing projects, whilst the United Mine Workers invested in health facilities. These are early examples of ESG in action.

External influences from customers and, more recently, social media influencers also have a huge role in driving the ESG agenda. For example, the most recent PR disaster suffered by some of the largest UK Premier League football clubs, for their role in wanting to establish a European Super League, is an example of how external stakeholders, like club fans, drove club owners to do a quick U-turn on their plans.

Role of Internal Auditors

Tone at the top

Internal auditors play a critical role in driving the ESG and sustainability agenda. Internal auditors are well placed to ensure that Board members and senior management of organisations are prioritising ESG factors in all activities. The internal audit plan should specifically incorporate an ESG Internal Audit review. This is not to say that ESG will be considered as part of all existing internal controls reviews, but rather that there should be a specific internal audit plan for assessing and making recommendations on ESG activities and initiatives.

Such an ESG internal audit plan may include the following.


  • The organisation has processes and policies for recycling any wastage.
  • The organisation has eliminated single-use plastic water bottles from the employee breakroom and for all meetings, including board meetings.
  • The organisation saves energy by using only energy-efficient LEDs for all indoor & outdoor lighting.


  • The organisation has adopted a blind application process for recruitment.
  • The organisation has processes to ensure diversity and inclusion at all levels of the organisation.
  • Suppliers are asked to complete a code of conduct with specific clauses for ESG considerations.


  • The organisation has a written mission statement that includes a commitment to ESG and sustainability responsibility.
  • The Board has made sustainability a priority and allocated resources (staff & budget) for a sustainability action plan.
  • The company has a charitable giving policy.

Of course, this is a non-exhaustive, very simplified, high-level example for illustration purposes. Different organisations will need a different approach to ESG. There is no one-size-fits-all approach here. Ashlynwood would be happy to discuss what ESG internal audit measures would be suitable for your organisation. Please do get in touch with us.

Quantifiable results and recommendations

The key to optimising the output from an ESG internal audit is how quantifiable the results and recommendations are, such that they can be compared from one period of review to the next. There is a need to have smart measures that consider interconnected factors.

Take the case of an accounting company that halved its paper wastage from year 1 to year 2 by adopting greater use of e-documents on the cloud in the second year. While the physical paper wastage may have come down and saved the company money, the greater electronic resources employed in the day-to-day operations in year 2 need to be considered to work out the net position and impact on ESG criteria.

Each business process may need to develop a suitable ESG scoring methodology, to help monitor and track progress from one review period to the next.

Expertise and tools

While internal auditors may have good intentions to undertake ESG, the key to success is having the expertise and resources to undertake an effective ESG internal audit. Sound knowledge and understanding of all business processes is a prerequisite to formulating an effective ESG internal audit plan. Considerable time may need to be expended in developing the right methodology suitable for the organisation. Access to the relevant information to be able to undertake a suitable assessment is critical. The likely case is that often the relevant ESG data and information is not currently being produced by the organisation. Developing ESG dashboards for different business processes would also demand considerable time and effort from the outset.

Ultimately these different business process level dashboards can feed into a Board level dashboard which monitors progress on ESG matters, with key performance indicators that resonate with the Board as well as internal and external stakeholders.
