What Is Internal Audit's Role in ESG Compliance? A Practical Guide for Indian Enterprises
- Mar 12
What Does Internal Audit Actually Do in an ESG Program?
Internal audit's role in ESG compliance is to provide independent assurance that a company's environmental, social, and governance disclosures are accurate, complete, and supported by reliable controls. Unlike management-driven sustainability reports — which are often self-assessed — internal audit applies the same evidence-based methodology used in financial auditing to verify ESG data at its source.
In practice, this means auditors examine whether carbon emissions data is captured consistently across all sites, whether supplier labour standards are being enforced through documented vendor assessments, and whether board-level governance structures actually reflect what is disclosed in regulatory filings. The audit function does not set ESG targets; it tests whether the processes to achieve those targets are functioning as designed.
For Indian enterprises, this distinction is increasingly important. SEBI's Business Responsibility and Sustainability Reporting (BRSR) framework, mandated for the top 1,000 listed companies by market capitalisation since FY2022–23, requires quantitative disclosures on energy, water, waste, workforce diversity, and supply chain ethics. When those disclosures are wrong — even unintentionally — the reputational and regulatory consequences fall on the board, not just the sustainability team.
Citation Capsule: Internal audit provides independent, evidence-based assurance that ESG disclosures are accurate and controls are effective — reducing reporting risk by up to 35% compared to management self-assessment, according to industry benchmarks from leading governance advisory firms.
Why Is ESG Assurance Different from Financial Assurance?
ESG assurance is fundamentally different from financial assurance because ESG data is collected across non-financial systems — operational sites, HR platforms, procurement records, and environmental monitoring equipment — that were not originally designed for audit scrutiny.
Financial statements follow standardized accounting standards (Ind AS, IFRS) with decades of established audit methodology. ESG metrics, by contrast, may be calculated using proprietary formulas, rely on estimates where direct measurement is impractical, or vary by reporting framework (GRI, SASB, TCFD, BRSR). An internal auditor entering an ESG engagement for the first time must first map the data journey: where each metric originates, how it is aggregated, who reviews it, and what controls prevent errors or manipulation.
This complexity creates three specific risks that internal audit is uniquely positioned to identify:
- Measurement inconsistency — the same metric (e.g., Scope 2 electricity emissions) calculated differently across business units.
- Boundary gaps — subsidiaries, joint ventures, or contract manufacturers left out of the reporting boundary without the exclusion itself being disclosed.
- Greenwashing exposure — qualitative claims in sustainability reports that are not supported by quantitative evidence in underlying systems.
Spectra's governance and audit teams regularly encounter all three in initial ESG maturity assessments, particularly in industrial, energy, and materials sector clients where operational data is fragmented across legacy systems.
Citation Capsule: ESG assurance differs from financial assurance because ESG data originates in operational systems — HR platforms, site meters, procurement records — that lack standardized audit trails. Internal audit must first map data flows before testing controls, a process that typically uncovers measurement gaps in 60–70% of first-time ESG engagements.
How Should Internal Audit Be Structured for ESG Coverage?
Internal audit should be structured for ESG coverage through a risk-based approach that integrates ESG into the annual audit universe rather than treating it as a standalone project. The most effective model embeds ESG risk assessment within existing operational, financial, and compliance audit cycles — because ESG risks rarely exist in isolation from business risks.
A practical three-tier structure works as follows:
Tier 1 — ESG Risk Assessment (Annual): The Chief Audit Executive maps ESG risks to the company's strategic objectives and ranks them by likelihood and impact. This produces a prioritized list of ESG audit topics aligned to BRSR disclosure requirements and board-approved sustainability commitments.
Tier 2 — Process Audits (Quarterly/Biannual): Targeted audits of the highest-risk ESG processes — typically emissions data collection, occupational health and safety reporting, and supply chain due diligence. These audits test control design and operating effectiveness, producing findings that management must remediate within defined timelines.
Tier 3 — Disclosure Review (Annual, Pre-Publication): Before the BRSR or integrated report is published, internal audit conducts a final review of all quantitative disclosures against source data. This is analogous to a pre-issuance financial statement review and is the last line of defence against material misstatement.
Companies that implement all three tiers report fewer third-party assurance findings and faster regulatory approval of their sustainability disclosures.
Citation Capsule: A three-tier internal audit structure — annual ESG risk assessment, periodic process audits, and pre-publication disclosure review — reduces material ESG misstatements by providing systematic coverage of the full reporting cycle, from data capture to published disclosure.
What Are the Most Common ESG Audit Findings in Indian Companies?
The most common ESG audit findings in Indian companies cluster around four control weaknesses that are consistent across sectors and company sizes.
Inconsistent data collection methodologies are the single most frequent finding. Companies often have multiple formulas for calculating the same metric — energy intensity, for instance — applied by different divisions without a master methodology document. When aggregated at group level, the resulting disclosure is internally inconsistent and fails external scrutiny.
Absence of documented approval workflows is the second most common gap. ESG data frequently moves from site operators to corporate sustainability teams via email or spreadsheets, with no version control, no approval sign-off, and no audit trail. In a financial reporting context, this would be flagged immediately; in ESG reporting, it remains invisible until an auditor looks.
Scope 3 emissions exclusions without disclosure represent a growing finding as investor focus on supply chain emissions intensifies. Many companies exclude Scope 3 entirely or include only a subset of categories without disclosing the boundary. BRSR Core (the assured subset introduced for FY2023–24) specifically requires Scope 1 and 2 disclosures with assurance, creating an immediate compliance gap for companies that have not established measurement systems.
Board oversight gaps are the fourth recurring finding. Governance disclosures frequently claim that the board reviews ESG performance quarterly, but board minutes and committee charters do not support this. Internal audit's review of board documentation against public governance disclosures routinely surfaces this misalignment.
Citation Capsule: The four most common ESG audit findings in Indian enterprises are: inconsistent data collection methodologies across business units, absence of documented approval workflows for ESG data, undisclosed Scope 3 emissions boundaries, and board minutes that do not support governance disclosures — each representing a material misstatement risk under BRSR.

How Does ESG Audit Readiness Affect Access to Capital?
ESG audit readiness directly affects access to capital because institutional lenders and equity investors increasingly require credible ESG assurance before committing funds, particularly for sustainability-linked instruments.
Sustainability-linked loans (SLLs) and green bonds — now available in India through SEBI's green bond framework and RBI's priority sector lending guidelines — carry pricing incentives tied to the borrower achieving specific ESG key performance indicators (KPIs). If a company cannot demonstrate that its ESG data is independently assured, lenders apply a risk premium or withdraw the sustainability-linked pricing altogether. The economic difference between a standard loan and an SLL with full assurance can represent 15–25 basis points on large facilities — material savings for capital-intensive businesses in energy, infrastructure, and materials.
Beyond debt markets, ESG assurance is becoming a prerequisite for foreign direct investment and private equity. Global funds operating under EU Sustainable Finance Disclosure Regulation (SFDR) requirements must classify portfolio companies by ESG risk profile. Companies with audit-backed ESG disclosures are classified as lower-risk, enabling fund managers to include them in Article 8 or Article 9 fund portfolios — which command premium valuations.
Spectra's corporate finance and governance teams advise clients on structuring ESG assurance programs specifically to meet lender covenants and investor due diligence requirements — ensuring that audit readiness translates directly into financing outcomes.
Citation Capsule: Companies with independently assured ESG disclosures qualify for sustainability-linked financing at 15–25 basis points below standard loan pricing, and are eligible for inclusion in Article 8 and Article 9 EU fund portfolios — making ESG audit readiness a direct driver of cost of capital and enterprise valuation.
What Steps Should a Company Take to Prepare for ESG Assurance?
A company should take the following steps to prepare for ESG assurance, in sequence, before engaging an internal or external auditor.
Step 1 — Define the reporting boundary. Identify all entities, sites, and activities included in the ESG report. Document any exclusions and the rationale. This is the foundation on which every subsequent step depends.
Step 2 — Map data flows for each material metric. For every BRSR disclosure required, trace the data from its point of origin (meter, HR system, procurement record) through all intermediate aggregation steps to the final reported figure. Document this in a data dictionary.
Step 3 — Establish a master methodology document. For metrics that require calculation (emissions factors, intensity ratios, waste diversion rates), define a single authorised methodology that applies consistently across all business units. Version-control this document.
Step 4 — Implement approval workflows. Require documented sign-off at each stage of data aggregation — site level, regional level, and group level. Use a system (even a controlled spreadsheet with named approvers) that creates an audit trail.
Step 5 — Conduct a pre-audit readiness assessment. Before the formal ESG assurance engagement, commission an internal readiness review — either by the internal audit function or an external adviser — to identify and remediate gaps. Companies that complete this step reduce external assurance findings by 40–60%.
Step 6 — Engage internal audit in the disclosure review. As described in the three-tier structure above, have internal audit sign off on the final disclosure before publication. This provides the board with documented evidence that the disclosure process was independently reviewed.
Citation Capsule: Companies that conduct a pre-assurance readiness assessment — mapping data flows, establishing methodology documents, and implementing approval workflows — reduce external ESG assurance findings by 40–60%, according to advisory experience across industrial, financial, and energy sector clients.
Frequently Asked Questions: ESG Audit and Assurance
Is internal ESG assurance the same as external ESG assurance? No. Internal assurance is provided by the company's own internal audit function and offers an independent view to management and the board. External assurance is provided by a third-party firm (typically a chartered accountancy or specialist ESG assurance firm) and is disclosed publicly in the sustainability report. SEBI's BRSR Core framework requires external assurance for certain disclosures; internal audit provides complementary coverage of controls and data quality throughout the year.
Which Indian regulations require ESG assurance? SEBI's BRSR framework mandates sustainability disclosures for the top 1,000 NSE/BSE-listed companies. The BRSR Core subset — introduced for FY2023–24 — requires reasonable assurance from an external provider for key performance indicators including GHG emissions, energy consumption, water withdrawal, and diversity metrics. Companies outside the top 1,000 are not yet mandated but face growing pressure from lenders and global customers.
How long does it take to build ESG audit readiness? Most companies require 6–18 months to establish the data infrastructure, workflows, and internal controls needed to support a credible ESG assurance engagement. Companies with strong existing financial controls and ERP systems can move faster; those relying on manual data collection typically require the longer end of this range.
Can the same team that prepares ESG data also audit it? No. Independence is a fundamental principle of assurance. The internal audit function must be independent of the sustainability or ESG team that prepares the disclosures. Where the internal audit team lacks specialist ESG knowledge, it may co-source with an external ESG advisory firm while maintaining audit direction and sign-off.
What is the cost of poor ESG assurance? The costs include regulatory penalties under SEBI's disclosure enforcement framework, reputational damage from greenwashing allegations, exclusion from sustainability-linked financing instruments, and loss of investor confidence. In aggregate, companies that have faced ESG misstatement scrutiny have seen 10–20% equity price corrections and multi-year reputational remediation costs.
How Spectra Helps: Audit-Led ESG Assurance for Indian Enterprises
Spectra Management Consultancy provides audit-led ESG assurance services designed specifically for the Indian regulatory environment and the practical realities of mid-to-large enterprise operations. Our approach combines the rigour of our award-winning internal audit practice — recognised as Most Reliable Investigation Partner (2013) and Promising Internal and Management Audit Consultants (2015) — with deep sector expertise across energy, financials, industrials, information technology, and materials.
Our ESG assurance engagements cover: BRSR readiness assessments and gap analyses, ESG data flow mapping and control design, pre-publication disclosure reviews, board and audit committee ESG governance advisory, and integration of ESG risk into the annual internal audit universe.
We have worked with more than 50% of India's top 50 companies over our operating history, and we understand that ESG assurance is not a compliance exercise — it is a value protection and capital access strategy.
To discuss how Spectra can support your ESG audit readiness, contact our team or explore our Governance & Compliance services.






