How internal audit functions are evolving to cover ESG risks, supply chain ethics, and climate disclosure mandates.
Expanding the Audit Mandate to Cover ESG
The role of internal audit in ESG governance has evolved dramatically over the past three years. Where internal audit teams once focused exclusively on financial controls and regulatory compliance, leading audit functions now formally include ESG risk assessment in their annual audit universe. This shift is driven by regulatory requirements under SEBI BRSR (Business Responsibility and Sustainability Reporting), as well as pressure from institutional investors who increasingly scrutinise the quality and assurance level of ESG disclosures.
A mature ESG audit programme covers three dimensions: the accuracy and completeness of ESG data reported externally, the effectiveness of controls over ESG-related processes such as emissions measurement and waste management, and the robustness of governance structures including board-level ESG committees and executive compensation linkages. Internal audit teams should conduct a gap analysis against the BRSR Core framework to identify which disclosures require independent assurance and which may currently be published without adequate internal controls.
Supply Chain Ethics and Scope 3 Emissions
One of the most complex areas of ESG audit is the supply chain, where most companies' Scope 3 emissions and human rights risks reside. Auditing supply chain ESG performance requires a risk-based vendor segmentation approach, identifying high-risk suppliers by geography, commodity, or process. Audit programmes should include periodic supplier self-assessments, on-site verification for critical vendors, and a formal process for remediating identified gaps within agreed timelines.
India-specific supply chain risks include labour practices in the agricultural and construction supply chains, water usage in water-stressed regions, and artisanal mining in mineral supply chains for technology products. Companies subject to the European Union Corporate Sustainability Due Diligence Directive (CSDDD) — even as Indian exporters — face mandatory due diligence obligations that internal audit must help discharge. Aligning internal audit scope with CSDDD requirements will become a competitive necessity for Indian companies with European customers.
Climate Disclosure and Audit Readiness
SEBI has mandated assurance over the BRSR Core disclosures for the top 150 listed companies by market capitalisation from FY 2024-25, with the scope expanding to the top 1,000 companies over the following two years. This means that internal audit teams must work alongside statutory auditors and independent assurance providers to develop data collection systems that can withstand external scrutiny. The quality of ESG data is often the weakest link, with inconsistencies between ERP data, operational logs, and reported figures creating material assurance risks.
Audit committees should demand that internal audit present an annual ESG audit plan with clearly defined scope, methodology, and reporting format. The plan should be aligned with the BRSR Core indicators and should include specific audit procedures for high-impact topics such as Scope 1 and 2 GHG emissions, water withdrawal, and workforce safety metrics. Companies that invest in ESG audit readiness now will be better positioned when mandatory assurance requirements extend to their tier.
