ESG: Signals of change and the risk agenda

Lack of standards has made it difficult for audit executives to navigate the complex and confusing terrain of environmental, social and governance (ESG).

Steve Estes

Partner and IA&ER ESG Lead, Advisory, KPMG US

+1 214-840-2448

Susan Burkom

Advisory Managing Director, Internal Audit & Enterprise Risk, KPMG US

+1 410-949-8771


Chief Audit Executives (CAEs) continuously assess how to successfully deliver on internal audit’s objectives in this new reality, to earn and keep the trust of both shareholders and stakeholders. Critical to this success is considering signals pointing to changing risks faced by their organizations and, in turn, changing the focus of assurance and advisory projects on the Internal Audit (IA) plan. Our complementary piece, On the CAE Agenda for Q1 2021, provides a view on higher-priority risks CAEs are currently considering on their plans.



Signals of change

ESG refers to the three central factors in measuring the long-term sustainability of a company’s value creation and the societal impact of an investment in a company or business as part of securing confidence and trust amongst shareholders and stakeholders. The lack of ESG standards has made it difficult for executives, including CAEs, to navigate the complex and confusing ESG terrain. 

Customers, employees, shareholders, lenders, rating agencies, and regulators are beginning to demand that companies consider how their business impacts the world, how they contribute to society, and how they conduct themselves. Moreover, climate change was among the top “threats to growth” in KPMG’s most recent Global CEO Outlook, and the ESG agenda is only increasing in urgency.[1] Although there is not yet a single, agreed reporting framework, organizations are increasingly reporting on sustainability measures,[2] and the Biden administration has clearly indicated it will take a stronger stand in support of ESG reporting regulations, as is expected of the new SEC leadership.[3]

Risk considerations

  • ESG reporting includes both qualitative and quantitative elements. It is important to determine the appropriate ESG reporting elements by considering what is most relevant to the organization’s shareholders and other stakeholders, as well as industry alignment with competitors. The level of information and transparency may be used by various parties to form a point of view on an organization’s commitment to ESG.
  • On the quantitative side, the growing demand for information about ESG policies, initiatives, and metrics results in organizations providing different ESG data to ratings agencies, regulators, and in stand-alone published reports. CAEs are focusing on understanding the processes and controls which are necessary to ensure completeness and accuracy of information across public and private domains.
  • On the qualitative side, controls around the development and release of assertions about the positive impact the company is having help protect against reputation risk. In addition, it is imperative to have a realistic plan in place to achieve the goals and targets set.

Questions to ask/actions to take

  • Who is responsible for ESG reporting? And what is the governance structure over the reporting?
  • What ESG goals were established? How were they developed? Are they aligned with business strategy?
  • Where is ESG information reported and discussed? Stand-alone ESG reports, analyst calls, regulatory filings, web pages, questionnaires? How are you ensuring consistency across all disclosure avenues?
  • Are there formal mechanisms to reliably collect and review the data needed for public disclosure? And what level of assurance is being provided around metrics ultimately reported?[4]



2. 2020 S&P 500 Flash Report (


4. Audit committees and corporate ESG commitment: ‘Prove it’ | Accounting Today