10.

The evolution of internal auditing and ESG

criteria compliance
Nabyla Daidj

INTRODUCTION

Since its emergence, digital transformation has been the focus of many discussions (Zaoui &
Souissi, 2020) and the main concern of both academic sphere and professional world in sectors
as varied as service (banking and insurance), industry, energy, transportation, retail, education
and training, etc. Digitization affects all sectors of the economy and is becoming the norm for
large groups, small to medium-sized businesses (SMEs/SMIs) but also for the public sector
(hospitals, universities, etc.). The digital transformation implemented in companies is coupled
with new challenges for the internal audit function that must both address the new risks faced
by the organization and carry out its own transformation.
Since the beginning of the 2010s, changes in the economic conditions, the technological
environment, the multiplicity of sources of data (structured and unstructured) and the regula-
tory landscape have had a great impact on the way the audit industry operates. In addition, the
evolving digital transformation has started to affect internal auditing at several levels:

– on the audit sector as a whole and the major players involved;

– on internal audit function (especially within large companies) and processes;
– on internal audit methodology;
– on auditors’ tools and working methods;
– on auditors’ role, missions and skills.

The primary role of internal audit functions is to help decision-makers in all financial and
non-financial dimensions of the organization (Ramamoorti, 2003; Kotb et al., 2020). More and
more, internal auditors have to take into consideration environmental, social and governance
(ESG) risks and proceed to the disclosure of ESG positions because of compliance require-
ments. The accelerating pace of change in both environment (climate change) and society is
sharpening stakeholder focus on ESG risks that many organizations are facing.

Organizations that aspire to go beyond minimal legal compliance need to pay particular attention
to corporate governance and corporate social responsibility (CSR), as well as stakeholder pressure
coming from investors, among other groups. Over the past decade, the use of environmental, social,
and governance (ESG) criteria among investors has risen sharply partly as an outgrowth of CSR and,
more recently, corporate sustainability discussions (Boffo and Patalano 2020). (Minkkinen et al.,
2024, p. 330)

The structure of the chapter is as follows. The first part explores the evolution of internal audit-
ing in a more complex context, focusing on several key challenges related to the development
of new technologies, further risks (including ESG) and higher standards of compliance with
the laws, regulations and/or mandatory guidelines. The second part focuses on the important

159

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
160 Research handbook on sustainability reporting

role of internal audit in determining and executing the company’s ESG activities. Internal
auditors should analyze how ESG could be integrated within the existing risk assessment
program and ESG assurance into the annual audit plan. Both insights from internal audit prac-
titioners and theoretical vision by academics are presented, before the concluding remarks.

THE TRANSFORMATION OF INTERNAL AUDIT IN THE DIGITAL

AGE: NEW PRACTICES AND CHALLENGES

Internal Audit versus External Audit: Definitions

At a general level, the International Organization for Standardization (ISO), a worldwide

federation of national standards bodies (ISO member bodies), provides a definition of audit
included in its Guidelines for auditing management systems (ISO 19011:2011, ISO (2021)).
It is a

systematic, independent and documented process for obtaining audit evidence (records, statements
of fact or other information which are relevant to the audit criteria and verifiable) and evaluating it
objectively to determine the extent to which the audit criteria (set of policies, procedures or require-
ments used as a reference against which audit evidence is compared) are fulfilled. (https://​www​.iso​
.org/​obp/​ui/​fr/​#iso:​std:​iso:​19011:​ed​-2:​v1:​en:​fr)

According to ISO, audit activities are divided into two main categories, as shown in Table
10.1.

– Internal audits are also named first party audits. They are conducted by the organization
itself, or on its behalf, for management review and other internal purposes (e.g. to confirm
the effectiveness of the management system or to get information for the improvement
of the management system). “Internal audits can form the basis for an organization’s
self-declaration of conformity. In many cases, particularly in small organizations, inde-
pendence can be demonstrated by the freedom from responsibility for the activity being
audited or freedom from bias and conflict of interest.”
– External audits include second- and third-party audits. Second party audits are conducted
by parties having an interest in the organization, such as customers, or by other persons on
their behalf. Third party audits are conducted by independent auditing organizations, such
as regulators or those providing certification.

Internal and external auditing activities are complementary within the assurance framework
and both play a critical role in the effective governance of an organization.

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
 The evolution of internal auditing and ESG criteria compliance 161

Table 10.1 The distinct roles of internal and external audit

Item External audit Internal audit

Recipient of reports Shareholders, investors, banks or The board, the audit committee and
members senior managers
Employment/Report Hired by the organisation and reporting Employed by the organisation
to the shareholders or equivalent and reporting to the board or audit
committee
Scope Financial reports and related All categories of risks and their
disclosures, financial reporting risks management including the flow of
and their management, the external information around the company
auditor has some responsibility for and governance. Internal audit
considering the risk of material helps a company ensure it has the
misstatement due to fraud proper controls, governance and risk
management processes in place
Objectives Add credibility and reliability to Provide the assurance that members of
reports from the organisation to its the board and senior management use
shareholders by giving an opinion on to fulfil their duties
them Specifically, the objectives of an
internal audit function are to:
Establish the areas of risk in the area
being audited
Establish the controls in place to
address those risks and review their
adequacy
Check whether financial regulations are
being followed
Carry out detailed testing of the
controls being relied on
Make recommendations where
weaknesses or inefficiencies are
observed
Timing and frequency Project(s) tied into financial reporting Ongoing and pervasive
cycle, focused on objective of audit
opinion, usually annually
Focus Mainly historical Historic, but ideally future focussed
Responsibility for None – duty to report control Fundamental to the purpose of internal
improvement weaknesses auditing
Status and authority Statutory and regulatory framework International professional standards and
Corporate Governance Code
Independence Professional ethical standards overseen Professional ethical standards overseen
by audit committee and regulatory by audit committee
framework

Source: Chartered Institute of Internal Auditors (IIA) (2020a).

The Broader Scope of Internal Audit

Internal audit reports represent crucial documents that provide valuable insights and rec-
ommendations to improve an organization’s operations, risk management, and governance.

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
162 Research handbook on sustainability reporting

Internal audit reports are often known for addressing the Five Cs reporting requirement. The
Five Cs stand for:

Criterion (or criteria): What standards or controls are in place (or should be)?
Condition: What is the particular issue identified? It usually does not match the criterion or
criteria. Why is the internal audit necessary?
Cause: Why did the problem occur? What is the root cause?
Consequence: What is/are the risk/s? Are issues limited to internal matters, or are there
risks of external consequences for various stakeholders?
Corrective action: What are your recommendations? What should management do about
the finding? What are their plans to fix things?

These areas report on why the audit was conducted, how the audit will be performed, what
the auditor aims to achieve, and what steps will be taken after the presentation of the audit
findings. In an audit process, follow-up audits are also performed after an initial audit to ensure
that corrective action has been implemented properly.
Delivering effective and meaningful internal audit reports is not easy, as the scope of inter-
nal audits has increased considerably over the past few years, nowadays covering a vast scope,
including governance, risk management and compliance.
Initially, audits mainly involved a company’s accounting and financial activities (Table
10.2). Today, they can cover the organization as a whole, all activities, the different areas and/
or specific functions of the company (R&D, purchasing, production, manufacturing, supply
chain, information system (IS)/information technology (IT), data quality, customer relations,
etc.) and the related processes, but also all outsourced functions and all associated risks. In
addition, internal audit is more and more involved in corporate social responsibility (CSR),
sustainable development (SD)issues and governance assurance (see section 2).

Table 10.2 The evolving scope of internal audit

Features Checking Compliance System-based Risk-based Partnership Value-based

Up to 1960s 1960s–1980s 1980s–1990s 1990s–2010s 2010s Emerging
onwards
Independence Independent Independent Independent Independent Independent Independent
of activities of activities of activities of activities of activities of activities
audited audited audited audited audited audited
Serving Finance Finance Finance/ Business Organisation Organisation
business units units
Reporting to Generally Generally Generally Emerged to Audit Audit
CFO CFO CFO CEO and Committee Committee
then Audit for operations for operations
Committee / CEO for / CEO for
reporting admin- admin-
istration istration

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
 The evolution of internal auditing and ESG criteria compliance 163

Features Checking Compliance System-based Risk-based Partnership Value-based

Up to 1960s 1960s–1980s 1980s–1990s 1990s–2010s 2010s Emerging
onwards
Objective Assurance Assurance Assurance Assurance Assurance Assurance
and advisory and advisory /
/ Value Value adding
adding / Proactive /
Offer insights
/ Key agent
of change
Focus Historical Historical Historical Historical Forward- Forward-
looking looking /
Insights
Coverage Controls Controls Controls Controls Governance Governance
/ Risk / Risk
management management /
/ Controls Controls
Outcome Detect Detect Improve Improve Improve Improve
mistakes mistakes controls business unit business organisation /
controls units Actively seek
innovation
/ Help
organisation
achieve
strategic
intent
Fraud focus Detect fraud Detect fraud Detect fraud Detect fraud Prevent fraud Prevent fraud
Reports go to Management Management Management Management Management Management
/ Emerged and Audit and Audit
to Audit Committee Committee
Committee
Standards No Internal Audit Internal Audit Internal Audit Internal Internal Audit
Standards in Standards Standards Audit Standards
1978 Standards
Resourcing In-house In-house In-house In-house / Co-sourced Co-sourced
Emerged to / Subject / Subject
co-sourced matter matter experts
experts and guest
and guest auditors
auditors
Staff Financial Financial Financial Financial Some Many
qualifications non-financial non-financial
disciplines disciplines
Planning Cyclical Cyclical Cyclical 5-year Risk-based Risk-based Risk-based
annual plan annual plan plan 3-year plan 3-year or rolling plan
annual plan
Audit types Compliance Compliance System Operational Integrated Service
catalogue
Management No No No Some Yes Yes – many
requested
services

Source: Adapted from Institute of Internal Auditors (IIA) – Australia (2022, p. 2).

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
164 Research handbook on sustainability reporting

The Higher Frequency of Internal Audits

Internal audits can be conducted on a daily, weekly, monthly, or annual basis. Some depart-
ments may be audited more frequently than others. It can be the case that a manufacturing
process may be audited on a daily basis for quality control requirements while the human
resources department may only be audited once a year.
A number of factors are behind the increase in the frequency of internal audit operations,
as follows:

1 Towards technology-enhanced audits: internal audit 3.0

Technology is more and more used to assist in auditor’s decision-making. Digital transfor-
mation, combined with an increasing and faster use of new technologies, has an impact on
the internal audit process and practices (Betti et al., 2021). Most new technologies (e.g. big
data, data analytics, artificial intelligence (AI), robotic process automation, blockchain, etc.)
are transforming auditing activities, as shown by several authors (Brown-Liburd et al., 2015;
Kokina & Davenport, 2017; Rose et al., 2017; Huang & Vasarhelyi, 2019; Daidj, 2022). For
example, advances in technology have expanded the data analysis capabilities that can be
incorporated into the audit process. At a general level, an audit function based on new technol-
ogies and increased automation can allow faster audit cycles and more timely reporting (Daidj
& Tounkara, 2021; Daidj et al., 2023).
Castka et al. (2020) make a distinction between low audit (essentially performed without
technology) and high audit, relying on multiple technologies. Internal auditors are now
expected to have a good understanding of the technology used by the organization and update
their knowledge and expertise accordingly. Betti and Sarens (2021) consider that

a digitalised business environment affects the internal audit function in three respects. First, it impacts
its scope. The agility of the internal audit planning and the required digital knowledge are expected
to increase and information technology (IT) risks gain importance, especially cybersecurity threats.
Second, the demand for consulting activities performed by internal auditors is higher and third, digi-
talisation modifies the working practices of internal auditors in their day-to-day tasks. New technol-
ogies such as data analytics tools are being implemented progressively in internal audit departments
and digital skills are considered a critical asset. (p. 872)

2 Complexity and emergence of further risks such as ESG risks (see below) in an
uncertain environment
In such a context, in which strategic decision-making is made even more difficult, internal
auditors and controllers once again play a fundamental role. The increasing complexity of the
environment in all its dimensions (economic, legal, regulatory, digital, technological, etc.)
favors the development of new analysis models and risk management strategies. Organizations
are more and more concerned with risk identification, assessment, and management. The
COVID-19 pandemic is a good example of emerging risk areas for internal audit to consider.
This health crisis has been an unprecedented external factor, challenging internal audit in
particular.

The third line of defence is uniquely placed to play a key role in the response to the COVID-19 crisis,
from a position of good organisational knowledge and with a highly relevant skill-set. As organisa-
tions adapt to dealing with the initial impact of COVID-19, IA functions have an important role to

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
 The evolution of internal auditing and ESG criteria compliance 165

play to continue to provide critical Assurance, help Advise management and the Board on the shifting
risk and controls landscape, and help Anticipate emerging risks. (Deloitte, 2020a, p. 2)

More broadly, risk analysis consists in better understanding qualitative aspects but also
in taking into account quantitative information (financial results, performance indicators,
etc.). Risk-based audit methodologies have been used for years. The COSO (Committee of
Sponsoring Organizations of the Treadway Commission), initially established by five major
accounting associations and institutes in the U.S.A. in the mid 1980s, has developed one of
the world’s most widely used risk management frameworks: the Enterprise Risk Management
(ERM)-Integrated Framework.
The first version of the COSO ERM framework was proposed in 2004. In an updated
version issued in 2017, two new items, strategy and performance, have been added. Since then,
several initiatives have been taken in order to include environmental, social and governance
(ESG)-related risks into the ERM. It is designed to be used by any entity facing ESG-related
risks – from startups, to not-for-profits, for-profit, large corporations or government entities –
whether public or private. The COSO defines the ESG-related risks as

the environmental, social and governance-related risks and/or opportunities that may impact an entity.
There is no universal or agreed-upon definition of ESG-related risks, which may also be referred to
as sustainability, non-financial or extra-financial risks. Each entity will have its own definition based
on its unique business model; internal and external environment; product or services mix; mission,
vision and core values and more. (COSO & WBCSD, 2018, p. 1)

More recently in March 2023, the COSO released a study with supplemental guidance for
organizations to achieve effective internal control over sustainability reporting (ICSR), using
the COSO Internal Control-Integrated Framework (ICIF). The ICSR guidance includes, in
particular, references to the role of the internal audit function in sustainability reporting in the
scope of the guidance, reflecting its integral part of ICSR.

3 Compliance requirements
Compliance is defined by the IIA (2018) as “the adherence to policies, plans, procedures, laws,
regulations, contracts, or other requirements” (p. 26). The auditing profession is exposed to
major challenges including compliance. Internal auditors have to ensure that the organization
is meeting its compliance obligations. Compliance is one of the most important components of
the well-known “three lines of defense model” defining roles, responsibilities and accounta-
bilities for decision-making, risk and control to achieve effective governance risk management
and assurance. The model has been used on a large scale for organizing governance and risk
management in organizations.
Operational management (including IT) represents the first line of defense and is respon-
sible for the implementation and maintenance of processes and controls to manage risks.
Compliance functions and risk management represent the second line of defense and are
responsible for monitoring risks across the organization. Internal audit represents the third line
of defense and is responsible for providing independent assurance that risk management and
controls are operating effectively, and for advising senior management and the board when
deficiencies are identified. Internal audit functions are traditionally considered as an organi-
zation’s third line of defense. The European Confederation of Institutes of Internal Auditing
(ECIIA) and the Federation of European Risk Management Associations (FERMA) support

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
166 Research handbook on sustainability reporting

the “three lines of defense” model as a benchmark for current and future regulatory guidance
(Figure 10.1). From an academic angle, several authors have underlined the fact that the start-
ing point for a value-adding internal audit is commonly offered by the three lines of defense
model (Bantleon et al., 2021; Eulerich, 2021; Eulerich et al., 2022).

Source: Adapted from ECIIA (2021).

Figure 10.1 The three lines of defense model

In 2020, Deloitte (2020c) advocated the modernization of the three lines of defense as the
internal audit function should become “more agile, nimble, and forward-looking” (Deloitte,
2020c, p. 5). The same year, the IIA updated the “three lines model” (Figure 10.2) previously
known as the three lines of defense, described above.
The revised model relies on a six-step, principles-based approach which allows the govern-
ing body (i.e., the audit committee or board of directors) to provide delegation and oversight
to each line, with the respective lines collaborating and providing accountability and insightful
reporting (Deloitte, 2020b). First and second line roles may be mixed or distinct (Figure 10.2).

Some second line roles may be assigned to specialists to provide complementary expertise, support,
monitoring, and challenge to those with first line roles. Second line roles can focus on specific
objectives of risk management, such as compliance with laws, regulations, and acceptable ethical
behavior; internal control; information and technology security; sustainability; and quality assurance.
(IIA, 2020b, p. 3)

The model highlights the importance and nature of internal audit independence, setting inter-
nal audit apart from other functions.
Interactions within the three lines in organizations could vary with the nature and com-
plexity of the external environment (business, industry, regulations, etc.) and with internal
constraints (resources, capabilities, competencies, organization of work, etc.).
As seen in this part, internal audit, independent from the governing body and the manage-
ment, assures the reliability of internal control processes. Internal audit is concerned with
fraud in all activities within the organization. Internal audits may serve various objectives and

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
 The evolution of internal auditing and ESG criteria compliance 167

Source: Adapted from IIA (2020b, p. 4).

Figure 10.2 The IIA’s three lines model

multiple stakeholders within an organization. The scope of internal audit work has broadened
from strict controls to risk management, control and governance. More recently, internal audit-
ing activities aim more and more at supporting, in particular, the growth of environmental,
social and governance outcomes for stakeholders. How do ESG issues impact the company
and internal auditing activities?

INTERNAL AUDITING AND ESG MATTERS

ESG Criteria, Indicators and Landscape

The acronym ESG refers to the three distinct pillars of organizational sustainability: environ-
mental, social and governance.

Often, this term is used synonymously or as a shorthand for sustainability or sustainable business
to refer to the internal and external information value chain. More narrowly and within, this term is
used generally to describe the constructs of external disclosure of categories of sustainable business
information to investors and other stakeholders. (COSO, 2023, p. 8)

ESG is a framework for assessing risks to a company’s operations related to environmental,

social, and governance issues. ESG criteria are multiple and various (Table 10.3). The most
frequently cited and most critical factors are related to mitigation of climate change (E), adap-
tation to climate change (E), respect for human rights (S), diversity, equity and inclusion (S),
and business ethics, such as anti-bribery, anti-corruption and transparency (G).

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
168 Research handbook on sustainability reporting

Even if sustainability information is more qualitative than traditional financial reporting,

there are key performance indicators (KPIs) and metrics measuring companies’ commitments
to ESG (Table 10.3).

Table 10.3 ESG criteria, scores and indicators

ESG ESG criteria: main Key scores and/or indicators & metrics (some examples)
framework challenges (some
examples)
Environment Climate change Annual average temperature/rainfall
Renewable energy contributes to the global effort to reduce
reliance on fossil fuels and mitigate climate change (renewable
energy share; renewable energy intensity; renewable energy
footprint)
GHG emissions Emission of greenhouse gases including scope 1 (direct
emissions from owned or controlled source), scope 2 (indirect
emissions from the generation of purchased energy consumed),
and scope 3 (all other indirect emissions that occur in
a company’s value chain)
Water management Water footprint & withdrawal
Total volume of water and % diverted or re-used
Social Community relations Number of employees volunteering in their local communities
Percentage of the workforce participating in volunteer programs
Diversity, equity, and Percentage of men/women and salaries – labor gap
inclusion Diversity within leadership ranks
Employee engagement Staff turnover/absenteeism
Health and safety Workplace injuries/illnesses by severity, type, and costs
Human rights Measure of a company’s commitment and effectiveness towards
respecting the fundamental Human Rights Convention
Number of controversies published in the media linked to human
rights issues and to use of child labor issues
Governance Anti-bribery and Number and percentage of members of the governance body to
anti-corruption whom the company’s anti-corruption policies and procedures
have been reported, broken down by region
Number and percentage of members of the governance body who
have been trained against corruption, broken down by region
Anti-fraud (tax fraud Number of controversies published in the media linked to tax
controversies) fraud, parallel imports or money laundering
Data protection Company’s capacity to produce quality goods and services
integrating the customer’s health and safety, integrity and data
privacy
Executive Ratio of CEO compensation to median for all employees
compensation policies Number of controversies published in the media linked to high
executive or board compensation
Regulatory compliance Number of reviews of corporate governance framework carried
out in the period
Number of corporate governance non-compliant events recorded
in the period
Number of actions implemented in response to corporate
governance non-compliance

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
 The evolution of internal auditing and ESG criteria compliance 169

ESG ESG criteria: main Key scores and/or indicators & metrics (some examples)
framework challenges (some
examples)
Governance Shareholder rights and Company’s effectiveness towards equal treatment of
engagement shareholders and the use of anti-takeover devices
Transparency, There are several channels for ESG metrics disclosure: internal
disclosure communications, annual reports, websites, social media, press,
ESG ratings providers

Source: Based on Thomson Reuters (2017); Institute of Internal Auditors & Instituto de Auditores Internos de
Espana (2022) and COSO (2023, p. 8).

The Evolution of the Role of Internal Audit in Relation to the Three Lines Model

In the “three lines of defense” presented previously, internal audit serves as the last line of
defense, integrating ESG risk and compliance considerations into the audit plan (Figure 10.1).
In the updated version called “the three lines”, ESG-related risks and opportunities should be
embedded into processes to ensure efficient and effective risk management (Table 10.4). As
explained by the IIA and World Business Council for Sustainable Development (WBCSD)
(2022), the internal audit could play a major role in providing independent and objective assur-
ance and advice on effective governance and ESG risk management. “There is an opportunity
for the governing body to recognize that internal audit can add value to the company and that
integration with the sustainability function can move beyond compliance and take a more
active approach to monitoring material sustainability topics” (IIA & WBCSD, 2022, p. 19).

Table 10.4 Key actions for the three lines model roles in sustainability and ESG
considerations

Governing body Management Internal audit

Governing body roles: Management roles: Audit roles:
Establish governance mechanisms Develop multi-capital approach Test internal controls and accuracy
of RSG data
Oversee ESG reporting strategy Undertake materiality assessment Anticipate ESG disclosure
to inform ESG risk management regulations
Engage with stakeholders Oversee ESG data quality and Interact regularly with other lines
reporting

Source: Adapted from IIA & WBCSD (2022, p. 14).

Internal audit could be involved in strategic missions with well-defined goals as follows:
ensure reliability of internal control over ESG data collection, analysis, and reporting; iden-
tify how the different functions involved with ESG data work together and communicate on
a regular basis; and monitor changes in the regulatory framework in order to anticipate ESG
disclosure regulations (Table 10.5).

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
170 Research handbook on sustainability reporting

Table 10.5 Applying an internal audit approach to ESG

Disclosure Frameworks and standards Process and controls

What disclosure exists? Are frameworks and standards used Are process and controls formal or
in current disclosure or internally informal?
(if so, which)?
Who is responsible? How can frameworks and standards Are process and controls
enable internal audit’s review? documented?
Who is involved? How can lessons from other areas
of internal controls (finance and
accounting, risk management) be
applied to ESG?
What are the significant risks
areas?

Source: Adapted from AuditBoard and Deloitte (2022, p. 14).

Internal Audit’s New Role: ESG Audit, Reporting and Independent Assurance

ESG report reliability is of particular interest to fund managers for investment decisions as
well as to policymakers for regulating and monitoring purposes. What is an ESG audit? An
ESG audit is an assessment of the risks an organization faces related to environmental, social
and governance domains. Professionals provide several definitions that converge on certain
key matters: assessment, compliance requirements (see below) and risk management. ESG
audits are closely related to the degree of maturity of the organization implementing them, the
type of product/service/application offered and the social and environmental context of the
organization. When planning audits, internal audit should consider what ESG aspects need to
be covered in the scope of work.
KPMG (2021) has shown how internal audit can play a critical role in each phase of a com-
pany’s “ESG journey” (Table 10.6).
In 2021 the IIA published a White Paper on internal audit’s role, describing independent
assurance as a critical element of ESG reporting. As risks associated with ESG become more
obvious and strategic in decision-making by the governing body and executive management,
directors must have reliable assurance on the effectiveness of ESG risk management, including
ESG reporting. That assurance should come from an internal audit. The IIA (2021) suggests
that assurance over ESG reporting should include the following points:

– Review reporting metrics for relevancy, accuracy, timeliness, and consistency. It is crucial
that all public sustainability reports provide information that accurately depicts an organ-
ization’s ESG efforts. Internal audit can provide assurance on whether data (quantitative
and qualitative) being reported is accurate, relevant, complete, and timely. This is particu-
larly important as regulatory oversight increases.
– Review reporting for consistency with formal financial disclosure filings. Although
sustainability reports provide non-financial data, any information that contradicts official
financial information will raise questions from both regulators and investors.
– Conduct materiality or risk assessments on ESG reporting. This area can be potentially
problematic because organizations sometimes struggle with understanding and reporting
what is “material”.

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
 The evolution of internal auditing and ESG criteria compliance 171

Table 10.6 A company’s ESG journey

Assess Operationalize Report

Identify current state of ESG Design and implement tangible Issue consistent, comparable,
initiatives initiatives for specific focus areas to reliable, and assurance ready
increase value reporting
Deep-dive assessment Target setting and ESG due Accounting Assurance
decarbonization diligence
Maturity + Roadmap Resilience Valuation and
materiality modeling
GHP inventory Reporting Governance Reporting
automation
ESG data SOX-like internal Data
controls measurement
Risk and Transition Methodology Disclosure
opportunity planning and policy
creation
Reporting readiness Systems On-call services
implementation
Key drivers
Stakeholder opinion Regulations
Stakeholders, customers, employees and other Rising regulatory expectations and/or mandates
stakeholders linking climate to risk management, in areas of climate risk management, governance,
value creation and brand reputation board/management accountability and reporting

Source: Adapted from KPMG (2021, p. 5).

– Incorporate ESG into audit plans. ESG and sustainability-related engagements currently
make up about 1% of typical internal audit plans. This very low percentage must increase
as ESG risks and risk management are more and more significant for organizations.

ESG Compliance Requirements

Compliance audits evaluate whether the company is following external regulations in relation
to financial, technological, safety, and environmental issues; that is, compliance with laws
and regulations across various country and state legislations that will govern information and
transactions processed. Several regulations could be examined during compliance auditing
missions. Various national, European and international regulations exist: the Sarbanes-Oxley
Act (SOX), the Generally Accepted Auditing Standards (GAAS), Regulation (EU) 2016/679
of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such
data, and repealing Directive95/46/EC General Data Protection Regulation (GDPR) and the
European Payment Services Directive, second version (PSD 2).
More specifically, in recent years, a growing number of ESG laws and regulations have
been passed around the world to create better consistency, transparency, and quality within
corporate ESG disclosure.
There are several frameworks, broad in their scope, giving a set of principles to guide and
build the understanding of a certain topic. The frameworks are elaborated by not-for-profit
organizations, business groups, and others, and the recommendations and metrics can vary
widely. At a general level, according to Courtnell (2022), frameworks can be divided into

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
172 Research handbook on sustainability reporting

three categories: voluntary disclosure frameworks, guidance frameworks and third-party

aggregators. The most commonly used ESG frameworks are listed in Table 10.7.

Table 10.7 Main ESG reporting frameworks and compliance requirements

Frameworks or standards Description

Global Reporting Initiative (GRI) The GRI offers universal standards that are designed to
GRI was founded in Boston in 1997 following apply to all organizations. The GRI voluntary disclosures
the public outcry over the environmental damage are broad in their aim. These disclosures address a range
of the Exxon Valdez oil spill in Alaska in 1989. of ESG topics. GRI standards are divided into universal,
(https://​www​.globalreporting​.org/​) sector (40 sectors), and topic-specific standards (for
waste, occupational health and safety, tax, etc.) that can
be applied to companies depending on their industry and
impact. The GRI Standards are regularly reviewed
The Sustainability Accounting Standards Board The aim of the SASB is to provide information to
(SASB) the SEC, which investors can then use to compare
Founded in 2011 as a not-for-profit, independent business performance on critical ESG issues. SASB
standard-setting organization. SASB’s mission Standards identify the subset of environmental, social,
was to establish and maintain industry-specific and governance issues most relevant to financial
standards that assist companies in disclosing performance in each of 77 industries. They are designed
financially material, decision-useful to help companies disclose financially-material
sustainability information to investors. (https://​ sustainability information to investors
sasb​.org) Disclosure topics: each SASB Standard includes a set of
disclosure topics, which vary from industry to industry.
The standard lists and briefly describes how management
or mismanagement of various aspects of the topic may
impact a company’s ability to create long-term value. On
average, SASB Standards include six disclosure topics
per industry
Accounting metrics: each SASB Standard provides
companies with standardized quantitative – or, in
some cases, qualitative – metrics intended to measure
performance on each disclosure topic or an aspect of
the topic. On average, SASB Standards include 13
accounting metrics per industry
The Task Force on Climate-Related Financial Its goal is to develop recommendations for more
Disclosures (TCFD). Established in December effective climate-related disclosures about governance,
2015 following COP21. (https://​www​.fsb​-tcfd​ strategy, risk management, and metrics and targets
.org)
International Integrated Reporting Council The IIRC has been developed to accelerate the adoption
(IIRC) (https://​www​.integratedreporting​.org/​the​ of integrated reporting. To this end, the IIRC merged
-iirc​-2/​council) with SASB in 2021, producing the Value Reporting
Foundation (VRF). The aim is to create a baseline for
corporate sustainability disclosure that can be used
around the world. The Integrated Reporting Framework,
originally published in 2013, was accordingly updated
in 2021

Source: Adapted from Courtnell (2022) and content from organizations’ web sites.

As regards standards, they are specific requirements including detailed criteria explaining
what needs to be reported (e.g., what data can be collected and how it can be structured.
In all audits, it is critical to understand the data being relied upon. It is particularly true for
ESG reporting). For example, ISO has numerous ESG-related standards, like ISO 14001 for

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
 The evolution of internal auditing and ESG criteria compliance 173

Environmental Management Systems and ISO 45001 for Occupational Health and Safety,
which provide strategies for protecting the environment and human capital. In January 2020
ISO created a committee (ISO/TC 322) to focus exclusively on ESG in the coming years.
There is a high number of different laws and a constantly evolving ESG regulatory land-
scape. One of the key issues with ESG reporting is the lack of globally recognized standards
and frameworks. Therefore, there is a need for more clarity and simplification in the sustaina-
bility and ESG disclosure landscape.

ESG Criteria Compliance: Evidence from Emerging and Developed Markets

ESG commitment is vital for both developed and emerging markets (Boston Consulting
Group, 2023; Morgan Stanley Investment Management, 2020) even if the level of ESG disclo-
sure compliance is still higher in developed countries. In developed countries, non-financial
disclosure by companies is mandatory and regulated by statute. Various standards of disclo-
sure have been implemented, as seen previously. In many emerging countries, frameworks are
either missing or a very low level of disclosure is required (Khemir et al., 2019). The question
that frequently arises also is how ESG can shape future economic growth in developing econ-
omies (Casanova et al., 2023; Fodor, 2023).
Several scholars have analyzed and/or compared regulatory frameworks for ESG disclosures
in developed and developing countries (Duran & Rodrigo, 2018; Lavin & Montecinos-Pearce,
2021; Plastun et al., 2020; Singhania et al., 2024). The adoption of ESG guidelines has evolved
all around the world.
In their paper, Singhania and Saini (2023) have attempted to identify similarities, differ-
ences and trends to contribute to effective and sustainable practices globally. On the basis of
their own methodology on ESG disclosures, the two authors have provided a detailed analysis
of ESG implementation rules in a sample of 13 developed and developing countries (Table
10.8). They have depicted and have classified these 13 countries into four different categories
from well-developed ESG frameworks to ESG frameworks at an early stage. Their conclu-
sions are very interesting regarding emerging countries in particular.

Table 10.8 Classification of ESG framework

Well-developed ESG Rapidly improving ESG ESG framework at ESG framework at early
framework framework developing stage stage
(Score range 28–30) (Score range 24–27) (Score range 24–27) (Score range 24–27)
Norway Germany Singapore Russia
Sweden Italy India Indonesia
Denmark USA China Thailand
Finland Australia Philippines Nigeria
United Kingdom Switzerland Malaysia Vietnam
Belgium Canada Argentina
France Japan
Brazil
South Africa

Source: Adapted from Singhania & Saini (2023).

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
174 Research handbook on sustainability reporting

Countries that were plagued by high corruption and had low governance visibility, like Indonesia and
Vietnam, focused on adopting the global framework like GRI and SASB as the initial step towards
integrating ESG factors into business operations and reporting. Strengthening corporate governance
measures could boost the range and depth of voluntary disclosure in these economies (Aureli et al.
2020; Elfeky 2017; Lagasio and Cucari 2019; Zhou 2019). (Singhania & Saini, 2023, p. 548)

THE GROWING IMPORTANCE OF ESG IN RESEARCH ON

INTERNAL AUDIT

Internal audit’s role in ESG reporting is strategic, and independent assurance is crucial to
effective sustainability reporting (IIA, 2021) even if “so far, academics and practitioners have
not agreed on the responsibilities of internal auditing in ESG matters” (Eulerich et al., 2022).
Indeed, at a theoretical level, research on the inclusion of new criteria such as ESG in
internal auditing is still limited, as several authors have pointed out. Several topics have been
explored, as summarized in Table 10.9. As mentioned previously, reporting ESG information
addresses new challenges and issues. Several authors have pointed out that ESG reporting
is not entirely satisfactory (Table 10.9). The integration of ESG factors into internal audit is
recent and should be improved on several levels.

CONCLUSION

Internal audit has changed dramatically in the past 20 years. Several factors (in particular
technology) prompted these changes in the context of the digital era. Expectations are becom-
ing higher for value-added audits in relation to risk-based and objective assurance. Internal
auditing activities are also closely linked with the value creation process. “The value is not
only characterized by the internal audit func­tion’s output (e.g., number of audits, findings,
recommen­dations), but also by the character of tasks performed by the internal audit function
(e.g., focus on assurance vs. consulting activities) or the role model (e.g., watchdog vs. trusted
advisor)” (Eulerich & Eulerich, 2020, p. 84).
In addition, new criteria such as ESG are becoming increasingly important to regulators,
investors and other stakeholders. As mentioned by the ECIIA (2023) in its position paper,
the question if Internal Audit could play a fundamental role over ESG is no longer an issue.
“Boards and Top Management should ask but rather it is more of ‘how’ they can best benefit
on this privileged view” (p. 9).
Internal auditors should provide not only advice but also independent and objective assur-
ance on current ESG issues in the future as organizational value is going to be affected by these
disclosures (Tysiac, 2021). Organizations that will be first to disclose their performance are
likely to have an advantage in the marketplace, particularly from the point of view of inves-
tors and other stakeholders (IIA, 2021). Organizations most probably need to establish new
processes, new projects, new teams, and new investment to reach such targets (ECIIA, 2023).
The support of internal audit could also vary depending on the maturity of the organization.
This chapter has focused on an exploratory analysis of the evolution of internal auditing and
ESG criteria compliance and related disclosure and assurance issues. In future research works,
it will be relevant to study more specifically newly established and emerging ESG reporting
frameworks.

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
 The evolution of internal auditing and ESG criteria compliance 175

Table 10.9 Main insights on internal audit and ESG reporting and assessment
(2003–2023)

Topics Authors Insights and/or quotations

The role of internal audit in ESG reporting
Characteristics of ESG Adams (2004) A reporting-performance portrayal gap (Adams, 2004)
reporting Bradford et al. A lack of completeness (Bradford et al., 2017)
(2017) ESG reporting is mostly voluntary and unregulated with
Pinnuck et al. no generally accepted reporting principles or standards
(2021) (Pinnuck et al., 2021)
Variety of ESG data, Cascone et al. “The well-known aphorism ‘what gets measured gets
measures, KPIs/ metrics (2010) done’ has been used by business leaders for many
and reporting structure years. As it applies to the audit function’s involvement
in auditing sustainability key performance indicators
(KPIs), that phrase can be modified as, ‘what gets
measured accurately gets done more effectively.’ By
providing management with assurance that the measured
data is accurate, internal auditing can help ensure the
organization aligns its resources with the organization’s
long-term objectives and help management make strategic
decisions based on reliable nonfinancial data.” (p. 49)
Disclosure Ackers (2016) Although internal audit will continue to incorporate
material CSR issues into its mandatory risk-based
auditing approach, the results will not necessarily be
publicly available. The extent of reliance that external
stakeholders can place on company CSR disclosures
are therefore not directly influenced by internal audit’s
involvement in CSR-related matters
The role of internal audit in sustainability assurance
ESG disclosure and Eulerich et al. The authors provide a holistic view of internal auditor’s
assurance (2022) role in ESG assurance and disclosure. They “demonstrate
that IAF’s maturity in ESG is significantly correlated
with ESG disclosure, emphasizing the unique role of the
IAF in this context. [They] find that IAF involvement
in ESG reporting and attributing high relevance to the
environmental pillar correlate with ESG assurance and
thereby expand Trotman and Trotman’s (2015) study
about greenhouse gas emissions and energy usage.”
(p. 84; see below)
A more complex role of Trotman & Trotman Their paper is based on several interviews (Australian
internal auditors (2015) companies). It “suggests that GHG/energy assurance
involves assessments by a range of stakeholders (e.g.,
audit committee members and senior accountants) of
both in-house and outsourced internal auditors and that
these internal auditors also need to assess the knowledge
of a range of specialists from different disciplines, as
substantial reliance is placed on their skills. This task
becomes more complex in multidisciplinary teams”

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
176 Research handbook on sustainability reporting

Topics Authors Insights and/or quotations

Creation of value by Nieuwlands (2006; “Internal audits of sustainability are much like internal
internal auditors 2007) financial audits in that internal auditors evaluate
DeSimone et al. controls over reporting and suggest corrective action by
(2021) communicating with management and the AC (Darnall
et al. 2009). But they also have a long-term focus by
continually assessing sustainability progress toward
achieving desired outcomes (Darnall et al. 2009). By
engaging the IAF in sustainability audits, organizations
create processes and procedures aimed at improving
sustainability activities, and also increase the probability
of discovering sustainability issues before they become
significant, thus reducing various risks (Stanwick and
Stanwick 2001). IAFs may be in a position to add value
to the sustainability process (Nieuwlands 2006), and
have a significant role in the corporate governance
process (Cohen et al. 2004).” (DeSimone et al., 2021,
pp. 567–568)
Internal audit as an independent CSR assurance provider
Internal audit and Tiron-Tudor & The authors examine the role of internal audit in CSR
corporate social Bota-Avram (2015) and provide practical suggestions on how internal audit
responsibility (CSR) practitioners should develop their audit programs in
order to provide the best possible contribution in terms of
corporate social responsibility
Involvement of internal audit in various ESG areas
Environmental audit Darnall et al. (2009) “The landscape of environmental audits is diverse in
that organizations can implement internal, external
or both environmental audit types. The stakeholder
influences associated with the use of these audits differs.
For example, organizations that adopt internal audits
are associated more with perceived influences from
internal stakeholders, but not regulatory or supply chain
stakeholders. However, since the results of these audits
cannot be verified by external parties they may lack
legitimacy with some external constituencies. By contrast,
organizations that utilize external audits are more likely
to be associated with greater perceived influences from
internal and regulatory Stakeholders.” (pp. 183–184)
Green in IT audits Patón-Romero, & The authors are working on the creation of a framework
Indicators for Green in Piattini (2016) for Green in IT audits, which will provide the basis for
IT Audits a subsequent audit framework of Green IT. They have
developed an early version of this framework (based
on COBIT 5), entitled “Governance and Management
Framework for Green IT”, through which organizations
can establish governance and management of Green IT, as
well as being able to audit this area

Note: IAF = internal audit function.

Source: Elaborated by the author (based on quoted papers and authors).

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
 The evolution of internal auditing and ESG criteria compliance 177

REFERENCES
Ackers, B. (2016). An exploration of internal audit’s corporate social responsibility role – insights from
South Africa. Social Responsibility Journal, 12(4), 719–739. https://​doi:​10​.1108/​SRJ​-01​-2016​-0003
Adams, C. (2004). The ethical, social and environmental reporting–performance portrayal gap.
Accounting, Auditing & Accountability Journal, 17(5), 731–757. http://​dx​.doi​.org/​10​.1108/​
09513570410567791
AuditBoard & Deloitte (2022). How to audit ESG risk and reporting. Key considerations for developing
your environmental, social and governance audit strategy. Retrieved October 24, 2022 from: https://​
www2​.deloitte​.com/​content/​dam/​Deloitte/​us/​Documents/​audit/​us​-how​-to​-audit​-esg​-risk​-reporting​
.pdf
Bantleon, U., D’Arcy, A., Eulerich, M., Hucke, A., Pedell, B., & Ratzinger-Sakel, N. V. S. (2021).
Coordination challenges in implementing the three lines of defense model. International Journal of
Auditing, 25(1), 59–74. https://​doi​.org/​10​.1111/​ijau​.12201
Betti, N., & Sarens, G. (2021). Understanding the internal audit function in a digitalised business envi-
ronment. Journal of Accounting & Organizational Change, 17(2), 197–216. https://​doi​.org/​10​.1108/​
JAOC​-11​-2019​-0114
Betti, N., Sarens, G., & Poncin, I. (2021). Effects of digitalization of organisations on internal audit
activities and practices. Managerial Auditing Journal, 36(6), 872–888. https://​doi​.org/​10​.1108/​maj​
-08​-2020​-2792
Boston Consulting Group (2023). Why Emerging Markets Need to Prepare for the EU’s New Climate
and ESG Regulations. https://​www​.bcg​.com/​publications/​2023/​how​-emerging​-markets​-can​-prepare​
-for​-the​-new​-esg​-regulations
Bradford, M., Earp, J. B., Showalter, D. S., & Williams, P. E. (2017). Corporate sustainability reporting
and stakeholder concerns: is there a disconnect? Accounting Horizons, 31(1), 83–102. https://​doi​.org/​
10​.2308/​acch​-51639
Brown-Liburd, H., Issa, H., & Lombardi, D. (2015). Behavioral implications of big data’s impact on
audit judgment and decision making and future research directions. Accounting Horizons, 29(2),
451–468. https://​doi:​10​.2308/​acch​-51023
Casanova, L., Miroux, A. & Bang Shah, S. (2023). In search of an ESG framework for emerging markets.
What about growth? Working Paper. Emerging Markets Institute (EMI). http://​dx​.doi​.org/​10​.2139/​
ssrn​.4509150
Cascone, J., Derose, J., & Nefedova, A. (2010). Equipped to sustain: is your audit plan comprehensive
enough to help the organization meet today’s sustainability needs? Internal Auditor, 67(6), 49–52.
Castka, P., Searcy C., & Fischer, S. (2020). Technology-enhanced auditing in voluntary sustainability
standards: the impact of COVID-19. Sustainability, 12(11), 4740. https://​doi​.org/​10​.3390/​su12114740
COSO (2023). Achieving effective internal control over sustainability reporting (ICSR): Building Trust
and Confidence through the COSO Internal Control—Integrated Framework. Retrieved May 29,
2023 from: https://​www​.coso​.org/​Shared​%20Documents/​COSO​-ICSR​-Report​.pdf
COSO & WBCSD (2018). Enterprise Risk Management. Applying enterprise risk management to envi-
ronmental, social and governance-related risks. Executive summary. Retrieved October 24, 2022 from:
https://​www​.finchandbeak​.com/​documents/​COSO​-WBCSD​%20ESGERM​_Executive​_Summary​.pdf
Courtnell, J. (2022). ESG Reporting Frameworks, Standards, and Requirements. July 12. Green
Business Bureau.
Daidj, N. (2022). The Digital Transformation of Auditing and the Evolution of the Internal Audit.
London: Taylor & Francis Group.
Daidj, N., & Tounkara, T. (2021). Le futur de l’audit IT : quelles évolutions possibles? (The future of
IT auditing. White Paper. Original work published in French). https://​www​.imt​-bs​.eu/​wp​-content/​
uploads/​2021/​05/​Livre​-blanc​-audit​_N​.​-Daidj​-T​.​-Tounkara​.pdf
Daidj, N., Bordeaux, C., & Neyrial, J. (2023). Audit, innovation et nouvelles technologies: vers l’audit
augmenté avec la RPA? (Auditing, innovation and new technologies. Towards enhanced auditing with
RPA? White Paper. Original work published in French). https://​hal​.science/​hal​-04034162/​document
Darnall, N., Seol, I., & Sarkis, J. (2009). Perceived stakeholder influences and organizations’ use of
environmental audits. Accounting, Organizations and Society, 34(2), 170–187. https://​doi:​10​.1016/​j​
.aos​.2008​.07​.002

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
178 Research handbook on sustainability reporting

Deloitte (2020a). Internal Audit considerations in response to COVID-19. Retrieved May 11, 2023
from: https://​www2​.deloitte​.com/​ch/​en/​pages/​audit/​articles/​internal​-audit​-considerations​-in​-response​
-to​-covid​-19​.html
Deloitte (2020b). A call to action on the three lines model. Retrieved May 11, 2023 from: https://​www2​
.deloitte​.com/​us/​en/​pages/​advisory/​articles/​iia​-three​-lines​-of​-defense​-risk​-management​.html
Deloitte (2020c). Modernising the three lines of defense model. An internal audit perspective. Retrieved
May 11, 2023 from: https://​www2​.deloitte​.com/​uk/​en/​pages/​risk/​articles/​modernising​-the​-three​-lines​
-of​-defence​-model​.html
DeSimone, S., D’Onza, G., & Sarens, G. (2021). Correlates of internal audit function involvement in
sustainability audits. Journal of Management & Governance, 25(2), 561–591, https://​doi:​10​.1007/​
s10997​-020​-09511​-3
Duran, I. J., & Rodrigo, P. (2018). Why do firms in emerging markets report? A stakeholder theory
approach to study the determinants of non-financial disclosure in Latin America. Sustainability, 10(9),
3111. https://​doi​.org/​10​.3390/​su10093111
ECIIA (2021). What is internal auditing? Retrieved January 12, 2022 from: https://​www​.eciia​.eu/​what​
-is​-internal​-auditing/​
ECIIA (2023). The role of internal audit in ESG in industrial and commercial companies. Position Paper.
Retrieved November 2, 2023 from: https://​www​.eciia​.eu/​wp​-content/​uploads/​2023/​10/​IA​-in​-ESG​-v3​
.pdf
Eulerich, M. (2021). The new three lines model for structuring corporate governance – A critical discus-
sion of similarities and differences. Corporate Ownership and Control, 18(2), 180–187. https://​doi​
.org/​10​.22495/​cocv18i2art15
Eulerich, A. K., & Eulerich, M. (2020). What is the value of internal auditing? A literature review
on qualitative and quantitative perspectives. Maandblad Voor Accountancy en Bedrijfseconomie,
94(3/4), 83–92. https://​doi​.org/​10​.5117/​mab​.94​.50375
Eulerich, M., Bonrath, A., & Lopez Kasper, V. I. (2022). Internal auditor’s role in ESG disclosure and
assurance: an analysis of practical insights. Corporate Ownership & Control, 20(1), 78–86. https://​doi​
.org/​10​.22495/​cocv20i1art7
Fodor, K. (2023). How to instrumentalize ESG to achieve sustainable development. January 16.
SciencesPo. The European Chair for Sustainable Development and Climate Transition. https://​www​
.sciencespo​.fr/​psia/​chair​-sustainable​-development/​2023/​01/​16/​how​-to​-instrumentalize​-esgto​-achieve​
-sus​tainabledevelopment/​#
Huang, F., & Vasarhelyi, M. A. (2019). Applying robotic process automation (RPA) in auditing: a frame-
work. International Journal of Accounting Information Systems, 35(C). https://​doi:​10​.1016/​j​.accinf​
.2019​.100433
IIA (2018). International Professional Practices Framework Supplemental Guidance. Global Technology
Audit Guide (GTAG). Auditing IT Governance. Retrieved January 15, 2022 from: https://​www​.iia​.nl/​
SiteFiles/​GTAG​%2017​%20Auditing​%20IT​%20Governance​.pdf
IIA (2020a). Internal audit’s relationship with external audit. Position paper. https://​www​.iia​.org​.uk/​
resources/​delivering​-internal​-audit/​position​-paper​-internal​-audits​-relationship​-with​-external​-audit/​
IIA (2020b). The IIA’s Three Lines Model. An update of the Three Lines of Defense. Retrieved September
23, 2022 from: https://​www​.theiia​.org/​globalassets/​documents/​resources/​the​-iias​-three​-lines​-model​
-an​-update​-of​-the​-three​-lines​-of​-defense​-july​-2020/​three​-lines​-model​-updated​-english​.pdf
IIA (2021). Internal Audit’s Role in ESG Reporting. Independent assurance is critical to effective sus-
tainability reporting. Retrieved September 23, 2022 from: https://​www​.theiia​.org/​globalassets/​site/​
content/​articles/​iia​-white​-paper​-​-​-internal​-audits​-role​-in​-esg​-reporting​.pdf
IIA & WBCSD (2022). Embedding ESG and sustainability considerations into the Three Lines Model.
Retrieved May 28, 2023 from: https://​www​.theiia​.org/​en/​content/​tools/​advocacy/​2022/​embedding​
-esg​-and​-sustainability​-considerations​-into​-the​-three​-lines​-model/​
Institute of Internal Auditors & Instituto de Auditores Internos de Espana (2022). Internal Audit and ESG
criteria. Retrieved May 28, 2023 from: https://​auditoresinternos​.es/​uploads/​media​_items/​220221​
-internal​-audit​-and​-esg​-criteria​-la​-f​%C3​%A1brica​-de​-pensamiento​.original​.pdf
Institute of Internal Auditors (IIA) – Australia (2022). Factsheet – Internal Audit Evolution. Retrieved
September 30, 2023 from: https://​iia​.org​.au/​technical​-resources/​fact​-sheet/​iia​-australia​-factsheet​
-evolution​-of​-internal​-audit

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
 The evolution of internal auditing and ESG criteria compliance 179

ISO (2021). ISO(19011:2011). Guidelines for auditing management systems. Retrieved November 5,
2021 from: https://​www​.iso​.org/​obp/​ui/​fr/​#iso:​std:​iso:​19011:​ed​-2:​v1:​en:​fr
Khemir, S., Baccouche, C., & Damak Ayadi, S. (2019). The influence of ESG information on investment
allocation decisions: an experimental study in an emerging country. Journal of Applied Accounting
Research, 20(4), 458–480. https://​doi​.org/​10​.1108/​JAAR​-12​-2017​-0141
Kokina, J., & Davenport, T. (2017). The emergence of artificial intelligence: how automation is changing
auditing. Journal of Emerging Technologies in Accounting, 14(1), 115–122. https://​doi​.org/​10​.2308/​
jeta​-51730
Kotb, A., Elbardan, H., & Halabi, H. (2020). Mapping of internal audit research: a post-Enron structured
literature review. Accounting, Auditing & Accountability Journal, 33(8), 1969–1996. https://​doi​.org/​
10​.1108/​AAAJ​-07​-2018​-3581
KPMG (2021). Internal Audit’s role in ESG. Retrieved January 17, 2023 from: https://​assets​.kpmg​.com/​
content/​dam/​kpmg/​cn/​pdf/​en/​2021/​10/​internal​-audit​-s​-role​-in​-esg​.pdf
Lavin, J. F., & Montecinos-Pearce, A. A. (2021). ESG disclosure in an emerging market: an empirical
analysis of the influence of board characteristics and ownership structure. Sustainability, 13(19),
10498. http://​dx​.doi​.org/​10​.3390/​su131910498
Minkkinen, M., Niukkanen, A., & Mäntymäki, M. (2024). What about investors? ESG analyses as tools
for ethics-based AI auditing. AI & Society, 39, 329–343. https://​doi​.org/​10​.1007/​s00146​-022​-01415​-0
Morgan Stanley Investment Management (2020). Diving Below the Surface: ESG Integration in Emerging
Markets. Retrieved November 5, 2023 from: https://​www​.morganstanley​.com/​im/​publication/​insights/​
investment​-insights/​si​_diving​-below​-surface​-esg​-integration​-in​-emerging​-markets​_en​.pdf
Nieuwlands, H. (2006). Sustainability and Internal Auditing. Altamonte Springs, FL: The IIA Research
Foundation.
Nieuwlands, H. (2007). Auditing sustainable development. Internal Auditor, 64(2), 91–93.
Patón-Romero, J. D., & Piattini, M. (2016). Indicators for Green in IT Audits: A Systematic Mapping
Study. [Paper presentation]. Third International Workshop on Measurement and Metrics for Green and
Sustainable Software Systems (MeGSuS’16), Ciudad Real, Spain.
Pinnuck, M., Ranasinghe, A., Soderstrom, N., & Zhou, J. (2021). Restatement of CSR reports: frequency,
magnitude, and determinants. Contemporary Accounting Research, 38(3), 2376–2416. https://​doi​.org/​
10​.1111/​1911​-3846​.12666
Plastun, A., Makarenko, I., Khomutenko, L., Osetrova, O., & Shcherbakov, P. (2020). SDGs and ESG
disclosure regulation: is there an impact? Evidence from Top-50 world economies. Problems and
Perspectives in Management, 18(2), 231–245. https://​doi​.org/​10​.21511/​ppm​.18(2)​.2020​.20
Ramamoorti, S. (2003). Internal auditing: history, evolution, and prospects. In A. Bailey, A. Gramling,
& S. Ramamoorti (eds), Research Opportunities in Internal Auditing (pp. 1–23). Altamonte Springs,
FL: The Institute of Internal Auditors.
Rose, A. M., Rose, J. M., Sanderson, K.-A., & Thibodeau, J. C. (2017). When should audit firms intro-
duce analyses of big data into the audit process? The Journal of Information Systems, 31(3), 81–99.
https://​doi​.org/​10​.2308/​isys​-51837
Singhania, M. & Saini, N. (2023). Institutional framework of ESG disclosures: comparative analysis of
developed and developing countries. Journal of Sustainable Finance & Investment, 13(1), 516–559.
https://​doi​.org/​10​.1080/​20430795​.2021​.1964810
Singhania, M., Saini, N., Shri, C., & Bhatia, S. (2024). Cross-country comparative trend analysis in
ESG regulatory framework across developed and developing nations. Management of Environmental
Quality, 35(1), 61–100. https://​doi​.org/​10​.1108/​MEQ​-02​-2023​-0056
Thomson Reuters (2017). Thomson Reuters ESG scores. https://​www​.thomsonreuters​.com/​en/​press​
-releases/​2017/​july/​thomson​-reuters​-and​-s​-network​-introduce​-esg​-best​-practices​-ratings​-and​-indices​
.html
Tiron Tudor, A., & Bota-Avram, C. (2015). New challenges for internal audit: corporate social respon-
sibility aspects. In M. M. Rahim & S. O. Idowu (eds), Social Audit Regulation (pp. 15–31). Cham:
Springer International Publishing.
Trotman, A. J., & Trotman, K. T. (2015). Internal audit’s role in GHG emissions and energy reporting:
evidence from audit committees, senior accountants and internal auditors. Auditing: A Journal of
Practice and Theory, 34(1), 199–230. https://​doi​.org/​10​.2308/​ajpt​-50675

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *
180 Research handbook on sustainability reporting

Tysiac, K. (2021). Internal audit has pivotal role in ESG reporting. June 7. https://​www​.​journalofa​
ccountancy​.com/​news/​2021/​jun/​esg​-reporting​-role​-of​-internal​-audit​.html
Zaoui, F., & Souissi, N. (2020). Roadmap for digital transformation: a literature review. Procedia
Computer Science, 175, 621–628. https://​doi​.org/​10​.1016/​j​.procs​.2020​.07​.090.

Nabyla Daidj - 9781035316267

Downloaded from https://www.elgaronline.com/ at 06/24/2025 03:56:46PM
via UB Bochum *