13 Ways Internal Audit Can Play an Essential Role in ESG Reporting for Insurance Companies

By Victor Santos, CPA, Senior Manager

Environmental, social and governance (ESG) initiatives are growing at a rapid pace within the insurance industry, becoming one of the most significant emerging topics in recent years. As ESG risks become a top priority in the insurance sector, internal audit must be in lockstep with executives and the Board of Directors in order to quickly adapt and shift the company’s strategic direction toward ESG priorities, along with providing advisory and audit support to ensure the company’s long-term success.

Internal audit can play a pivotal role in an organization’s ESG performance and reporting goals by providing both recommendations and independent assurance on ESG governance, processes and internal controls. According to the Institute of Internal Auditors’ 2021 North American Pulse of Internal Audit survey, ESG and sustainability-related engagements currently make up approximately 1% of internal audit plans. Generally, the low level of Internal Audit engagement on ESG may be due to other priorities that consume available resources and/or Internal Auditors’ lack of awareness or understanding of ESG risks and their operational and financial implications for the organization. Nevertheless, Internal Audit has a responsibility to highlight emerging risks and exposures that are not being mitigated or properly addressed by the company. Now is the time for Internal Auditors to be trained on ESG risk solutions so they can add value by partnering with management to identify and establish effective ESG controls, develop internal audit work programs and verify that reported ESG program outcomes are supported by evidence of performance.

Increasing Regulatory Pressure

In the insurance industry, there has been mounting pressure from investors, customers, media, non-governmental organizations and regulators for insurers to make public commitments to ESG related strategies, goals and performance metrics. For example, the U.S. federal and state regulatory agencies are setting high expectations by holding insurers accountable in establishing prudent ESG governance and disclosing how climate risks are integrated into their corporate governance and risk management activities. However, compliance with ESG reporting is still a new area with no single framework for what should be reported to regulatory agencies, which raises concerns about the trustworthiness and verifiability of the information being reported.

The various frameworks companies rely on today for recommended quantitative and qualitative reporting include standards created by the Global Reporting Initiative (GRI), the Sustainability Accounting Standards Board (SASB) and the Financial Stability Board’s Task Force on Climate-Related Financial Disclosures (TCFD). The lack of consistent and uniform standards on which companies can build their ESG reporting strategies has caused many organizations to struggle with what should be reported, including the level of detail, how their program works, how often such disclosures should be made and what information may be used by outside stakeholders to rate and compare one insurance company against another.

ESG regulation and the level of oversight is changing rapidly. For instance:

  • According to a 2021 study by Stanford University, there are now more than 2,000 climate laws and policies worldwide. In 2021 there were significant executive orders, legislation and policy changes by federal agencies. For example, the Securities and Exchange Commission (SEC) created a Climate and ESG Task Force to identify any material gaps or misstatements in companies’ disclosure of climate risks.

  • Insurance rating agencies, such as AM Best, are focusing on ESG risk factors and their impact on insurance companies’ investment portfolios and insurance policies.

  • The National Association of Insurance Commissioners (NAIC) now requires insurance companies in six states (California, Connecticut, Minnesota, New Mexico, New York and Washington) that write more than $100 million in premiums to respond to the NAIC Climate Risk Disclosure Survey. This survey provides regulators with substantive information about the financial and operational risks posed by climate change to insurers and the actions being taken by insurers. The American Academy of Actuaries recently completed an analysis of NAIC survey responses from insurers of various sizes and lines of business. The consensus is that there was confusion around the eight NAIC questions and most companies provided narrow narrative responses, which made it difficult to benchmark responses and assess individual companies.

This highlights the importance for companies to effectively manage their ESG reporting and provide more training to those tasked with completing the disclosures.

Internal Audit: ESG Guidance and Reliable Assurance

The demand for independent and objective assurance on ESG-related risk management activities from an internal audit function should be an essential component of any ESG program. 

The following are ways Internal Audit can provide reliable assurance on an organization’s ESG program:

  1. Evaluating the Organization’s Current ESG Maturity – Internal Audit can assess the current maturity of the organization’s ESG strategies by conducting a baseline assessment, compared with other organizations, to identify opportunities for improvement. Considering that each organization’s level of ESG maturity may be different, Internal Audit can begin by raising awareness at the Board and senior leadership levels about ESG priorities and implications and serve as a sounding board as management designs its program.

  2. Performing Risk Assessments – Internal Audit can determine what ESG measures are applicable and significant to their organization, including understanding what investors, customers and other stakeholders would want to know about ESG mitigation measures and company progress.

  3. Ensuring Proper Governance Structure and Oversight – Internal Audit can review roles and responsibilities to ensure they are clearly established and understood throughout the organization to monitor ESG issues, including the formation of an ESG committee consisting of cross-functional executive members.

  4. Validating ESG Risk Management Goals – When it comes to measuring progress, Internal Audit can ensure goals are realistic, measurable, included in the company’s strategic objectives and are a regular item on Board meeting agendas.

  5. Evaluating the ESG Risk Management Framework – Internal Audit can review the company’s existing frameworks and standards, ranking, measurement protocols, and reporting to ensure they are reasonable, being followed, consistent with industry recommended frameworks, regulatory expectations and comparable with similar entities.

  6. Collaborating with Enterprise Risk Management (ERM) – It is important for enterprise risk management plans to be refreshed so that they prioritize significant ESG risks, allowing management to identify, assess and manage them more broadly and consistently throughout the organization. Internal Audit can assist management with mapping ESG factors to the company’s strategy and major risk categories to identify risks related to inadequately addressing critical ESG issues.

  7. Ensuring ESG Policies and Procedures Are Documented – Verifying that risk management procedures are clearly defined is vital to ensure management understands how ESG impacts its respective business operations. Internal Audit can review ESG policy and procedure manuals to help communicate the company’s ESG strategy, goals and specific processes and activities throughout the organization to mitigate ESG risks.

  8. Evaluating the Design and Operating Effectiveness of Control Activities – Internal Audit can plan meaningful audits to identify and evaluate key controls needed to mitigate ESG risks and identify gaps or material weaknesses in core business functions throughout the organization, including underwriting, actuarial, investment, finance and legal. For instance, Internal Audit can confirm if underwriters are adhering to the insurer’s updated risk appetite and underwriting guidelines that no longer provide coverage to a business that is a high-profile polluter and has chosen to do nothing to remediate the situation.

  9. Reviewing ESG Financial and Non-Financial Reporting Metrics – One of the most critical areas for Internal Audit to play a role is in validating the relevancy, accuracy, completeness and timeliness of management’s ESG financial and non-financial reporting metrics used for public disclosures to avoid unsubstantiated claims that could adversely impact an insurer’s reputation. For example, Internal Audit can team up with internal or external subject matter experts in verifying the company’s total fuel and water consumption and waste-water produced, used in computing how the aggregate total energy consumption impacts their carbon footprint.

  10. Assessing the Adequacy of Impact Assessments and Stress Tests – Internal Audit can evaluate the design and operating effectiveness of management’s performance of periodic impact assessments and organization-wide stress tests to ensure ESG risk scenarios are plausible and capital and liquidity implications are monitored and remediated. For example, Internal Audit can verify that stress tests are performed using relevant risk scenarios, such as the aggregate damage to assets from increasing frequency or severity of extreme weather events (physical risk), negative investment returns from an abrupt transition in exiting the underwriting of thermal coal or other fossil fuel businesses (transition risk) and insureds being sued for their contribution to and/or failure to mitigate climate change, leading to new claims on directors and officers liability insurance (D&O) policies (liability risk).

  11. Confirming Catastrophe (CAT) Models Are Enhanced – As extreme weather events and other perils become increasingly prevalent, insurance companies’ use of CAT models is critical in quantifying the financial impact of a range of potential future disasters, such as floods, hurricanes, droughts and forest fires. Informing insurers about the location, frequency and severity of these events can help to manage risk and foster resilience. While many CAT models focus on extreme weather events, Internal Audit can verify that the model used follows industry standards, does not rely solely on historical data, incorporates advanced technology and scientific and engineering methods, and takes into consideration the short- and long-term impact of climate change risks and other threats, such as pandemic, warfare, terrorism, insurrection and cyber breaches. In addition, Internal Audit can evaluate the effectiveness of CAT models used in decision-making activities, such as risk selection, underwriting, reserving, pricing, reinsurance and investments.

  12. Evaluating Accounting and Reporting Procedures for Material ESG Matters – Internal Audit can evaluate the design and operating effectiveness of internal controls around accounting and reporting procedures over material ESG matters. This can help ensure governance of financial reporting and disclosure controls which can lead to greater investor and stakeholder confidence. External stakeholders expect that, similar to financial statements, ESG metrics and disclosures should “fairly present” the company’s operations and the impact it has on the environment and socio-economic conditions in the communities where it operates. Internal Audit can also assess ESG data integrity by validating the quality of data input/output across management systems and evaluating the application of materiality thresholds used for decision making and reporting disclosures.

  13. Collaborating with the Legal and Compliance Department – Internal Audit can work together with the Legal and Compliance Department to validate that ESG reporting disclosures comply with applicable regulations. For example, Internal Audit can create an inventory of ESG disclosure requirements that identifies which disclosures are required, by which agencies (e.g., SEC, AM Best, state governments) and by what filing deadlines.

Contact Us

There is no one-size-fits-all approach, so feel free to contact your PKF O’Connor Davies client engagement team, Victor Santos (Senior Manager, Risk Advisory) or Mark Bednarz (Partner and Risk Advisory Practice Leader) to discuss how to tailor your own internal audit work program to create a multi-year ESG internal audit plan that works for your organization.