Integrating ESG Risks into Audit Planning and Risk Assessment
Feb 7, 2025
How ESG matters can affect inherent risk, control risk, materiality, audit planning, and financial statement disclosure.
ESG matters can affect an audit even when the engagement is not an ESG assurance engagement. Environmental events, labor issues, regulatory exposure, supply-chain disruption, governance weaknesses, or climate-related commitments may affect financial statement risks, estimates, disclosures, going concern, impairment, provisions, or subsequent events.
The CPA exam point is to connect the ESG fact pattern to the ordinary audit risk model. ESG information is not a separate world; it can affect inherent risk, control risk, detection risk, materiality judgments, audit procedures, and reporting.
```mermaid
flowchart LR
A["ESG condition or commitment"] --> B["Financial statement or disclosure risk"]
B --> C["Inherent risk assessment"]
C --> D["Controls and governance over response"]
D --> E["Planned audit procedures"]
E --> F["Evaluate evidence and reporting effects"]
```
## ESG Risks That Can Affect the Audit
ESG risks become audit-relevant when they could affect amounts, disclosures, or the auditor’s risk assessment. The connection may be direct, such as a remediation obligation, or indirect, such as a reputational event that affects future cash flows.
| ESG matter | Possible audit effect |
| --- | --- |
| Severe weather or resource scarcity | Asset impairment, inventory loss, business interruption, going-concern uncertainty |
|  | Control risk, inconsistent external reporting, management-bias concerns |
The auditor should avoid both extremes: ignoring ESG because it is “nonfinancial” and treating every ESG issue as material. The question is whether the matter could reasonably affect the financial statements, disclosures, audit risk, or users’ understanding.
## Inherent Risk
Inherent risk increases when the underlying ESG matter is complex, uncertain, judgmental, or susceptible to management bias. Examples include estimating remediation costs, assessing useful lives after environmental regulation changes, evaluating impairment when demand shifts, or disclosing climate-related commitments that depend on future actions.
Inherent risk questions include:
- Could the event or condition affect recorded assets, liabilities, revenue, expenses, or disclosures?
- Does management need to make significant estimates or assumptions?
- Is there regulatory, litigation, or reputational pressure?
- Are public statements inconsistent with internal forecasts or budgets?
- Could management bias affect the estimate or disclosure?
The stronger exam answer links the ESG risk to a specific assertion or disclosure area, rather than saying broadly that ESG increases audit risk.
## Control Risk and Governance
Controls over ESG-related financial statement effects may involve legal, operations, sustainability, finance, HR, and IT teams. Weak cross-functional governance increases the risk that relevant facts do not reach the financial reporting process.
Auditors may evaluate whether:
- responsibility for ESG risk identification is assigned
- legal and compliance matters are communicated to accounting personnel
- operational incidents are assessed for financial reporting effects
- sustainability commitments are reviewed before public release
- data used in estimates or disclosures is reviewed and approved
- the board or audit committee receives relevant ESG risk information
If ESG data feeds a financial estimate or disclosure, controls over that data may matter. For example, emissions data may affect a regulatory obligation, remediation estimate, or public commitment disclosure. The auditor should understand how the data is captured, reviewed, and reconciled.
## Materiality and Disclosure
ESG matters may be quantitatively material, qualitatively material, or both. A small fine may be quantitatively immaterial but qualitatively important if it reveals illegal acts, regulatory scrutiny, management integrity concerns, or a trend that affects future operations.
Materiality judgment should consider:
- size of the financial effect
- likelihood of additional losses or obligations
- effect on trends, covenants, liquidity, or going concern
- sensitivity of the matter to investors, regulators, or other users
- whether omission would make other disclosures misleading
The auditor should also evaluate consistency across reporting channels. If management makes strong sustainability claims in one public report but the financial statements omit related risks, assumptions, or contingencies, the auditor should consider whether the financial statement disclosures are complete and not misleading.
## Audit Procedures
Procedures depend on how the ESG matter affects the audit. The auditor may not need a separate ESG workpaper section, but the risk response should be visible in planning and testing.
Possible procedures include:
- inquire of management, legal counsel, operations, sustainability personnel, and those charged with governance
- inspect board minutes, legal correspondence, regulatory notices, contracts, insurance records, and public commitments
- test management's estimates for remediation, impairment, contingencies, or useful lives
- compare sustainability statements with financial statement disclosures for consistency
- evaluate subsequent events involving incidents, regulation, litigation, or asset damage
- use specialists when environmental engineering, valuation, legal interpretation, or technical measurement is outside the auditor's competence
The response should be proportional. A general ESG concern may require inquiry and documentation; a probable remediation liability may require detailed testing of recognition, measurement, and disclosure.
## Exam Traps
- Treating ESG risk as relevant only to separate ESG assurance engagements.
- Failing to connect an ESG fact to a specific assertion, estimate, contingency, disclosure, or going-concern issue.
- Ignoring qualitative materiality because the initial dollar amount is small.
- Assuming public sustainability commitments have no audit relevance.
- Overlooking control risk when ESG data comes from operations rather than finance.
- Failing to involve specialists when technical environmental or valuation matters are outside the auditor's competence.
## Quick Review
ESG risk belongs inside the normal audit risk framework when it could affect financial statement amounts, disclosures, or user understanding. The auditor identifies the ESG condition, maps it to assertions and disclosures, evaluates controls and governance, designs procedures, and considers whether specialist work or expanded disclosure testing is needed.
## Review Questions
### How can an ESG matter affect a financial statement audit?
- [ ] Only by requiring a separate ESG assurance report.
- [x] By affecting risks of material misstatement, estimates, contingencies, disclosures, or going concern.
- [ ] Only if the entity voluntarily publishes a sustainability report.
- [ ] By eliminating the need for materiality judgments.
> **Explanation:** ESG matters can affect ordinary audit areas such as estimates, contingencies, disclosures, and going concern.
### Which ESG fact pattern most directly raises a financial statement audit issue?
- [ ] A company uses a green logo in advertising.
- [x] A regulator orders cleanup of contaminated property owned by the entity.
- [ ] Employees volunteer at a community event.
- [ ] Management attends a sustainability conference.
> **Explanation:** A cleanup order may create recognition, measurement, and disclosure issues.
### Why might a small environmental fine be qualitatively material?
- [ ] Qualitative materiality means all ESG items are material.
- [x] It may indicate illegal acts, regulatory scrutiny, management integrity concerns, or future exposure.
- [ ] It automatically exceeds planning materiality.
- [ ] It eliminates control risk.
> **Explanation:** Qualitative factors can make a small amount important to users.
### Which assertion or disclosure area could be affected by severe weather damage to a facility?
- [ ] Only revenue occurrence.
- [x] Asset impairment, inventory loss, business interruption, or going concern.
- [ ] Only payroll classification.
- [ ] No audit area unless the facility is uninsured.
> **Explanation:** Physical damage may affect asset values, inventory, operations, and future cash flows.
### What should the auditor do if public sustainability claims appear inconsistent with financial statement assumptions?
- [ ] Ignore the claims because they are outside the financial statements.
- [x] Evaluate whether the financial statement disclosures and assumptions are complete and not misleading.
- [ ] Automatically withdraw from the engagement.
- [ ] Remove all ESG references from the audit file.
> **Explanation:** Inconsistent public information may indicate disclosure, estimate, or bias risks.
### Which control-risk issue is common with ESG-related data?
- [ ] ESG data is always generated by the general ledger.
- [ ] ESG data never affects estimates.
- [x] Data may come from operational systems with less mature review and reconciliation controls.
- [ ] ESG data is always externally verified before the audit.
> **Explanation:** ESG-related inputs often originate outside finance and may need control evaluation.
### When should the auditor consider using a specialist?
- [x] When environmental, engineering, valuation, legal, or measurement matters exceed the auditor's competence.
- [ ] Whenever ESG is mentioned in management discussion.
- [ ] Only after issuing the audit report.
- [ ] Never, because specialists cannot support audit evidence.
> **Explanation:** Specialists may be needed for technical matters outside the auditor's expertise.
### Which procedure could help evaluate an ESG-related contingency?
- [ ] Ignore legal correspondence because ESG is nonfinancial.
- [x] Inspect regulatory notices, legal correspondence, and management's loss assessment.
- [ ] Test only petty cash.
- [ ] Ask employees whether they like the company's sustainability policy.
> **Explanation:** Contingencies require evidence about obligation, probability, measurement, and disclosure.
### What is the best audit planning approach to ESG risk?
- [ ] Add the word ESG to the audit plan without changing procedures.
- [ ] Treat every ESG issue as automatically material.
- [x] Map the ESG matter to specific assertions, disclosures, controls, and procedures.
- [ ] Delegate all ESG matters to marketing.
> **Explanation:** The auditor should connect the risk to concrete audit areas and planned responses.
### ESG risks can affect inherent risk, control risk, and planned detection risk.
- [x] True.
- [ ] False.
> **Explanation:** ESG conditions may affect the likelihood of misstatement, the effectiveness of controls, and the procedures needed to detect misstatement.