69urn:lsid:arphahub.com:pub:8D21F818-6EEF-540F-91C7-D50E3E5A13E0Maandblad voor Accountancy en BedrijfseconomieMAB0924-63042543-1684Amsterdam University Press10.5117/mab.99.167721167721EssayOverige vakgebieden (Other disciplines)Internal Audit’s Strategic Role in Sustainability and ESG Transformationde LeeuwRobrdeleeuw@deloitte.nl1de DraaijerArjan1Deloitte, Rotterdam, NetherlandsDeloitteRotterdamNetherlands
Corresponding author: Rob de Leeuw (rdeleeuw@deloitte.nl).
Academic editor: Annemarie Oord
202511092025994243250BD967F64-6878-5F3D-9519-9632D079F64B0408202511082025Rob de Leeuw, Arjan de DraaijerThis is an open access article distributed under the terms of the Creative Commons Attribution License (CC BY-NC-ND 4.0), which permits to copy and distribute the article for non-commercial purposes, provided that the article is not altered or modified and the original author and source are credited.
The global rise of sustainability and ESG (Environmental, Social, and Governance) presents Internal Audit (IA) with a strategic opportunity to strengthen governance, build trust, and support long-term value creation. As regulatory demands increase and stakeholder scrutiny intensifies, IA is evolving from a compliance-oriented function to a proactive business partner. This paper offers practical guidelines and tools, including a four-stage maturity model, to support IA’s transformation. Drawing on international guidance, case studies, and regional insights, the paper demonstrates how IA can enhance ESG assurance, contribute to integrated risk management, and enable sustainable decision-making. These tools are designed to help IA deliver improved data reliability, clearer ESG insights for the board, and credible assurance that builds stakeholder confidence.
Internal AuditESGsustainabilityregulatory reportingrisk managementCSRDISSBRelevance to practice
This paper equips IA professionals with applied tools and regionally informed strategies to meet growing ESG expectations. It supports audit leaders in enhancing sustainability data assurance, strengthening risk alignment, and collaborating with boards to deliver forward-looking insights. Content is grounded in evolving international standards and stakeholder needs.
1. Introduction: the challenge to transform
Environmental, Social, and Governance (ESG) issues are reshaping the global business environment. Rising climate risks, supply chain disruptions, and social accountability have triggered a wave of new regulations, investor scrutiny, and stakeholder expectations. In response, many organisations are embedding sustainability into core strategy. This transformation is not only driven by values but also by risk management, innovation, and long-term value creation.
The Internal Audit Function (IAF) is directly impacted. Traditionally focused on financial controls and compliance, IA is increasingly expected to provide independent assurance over sustainability-related risks and data. Regulatory developments such as the European Union’s Corporate Sustainability Reporting Directive (CSRD), the standards of the International Sustainability Standards Board (ISSB), and the United States Securities and Exchange Commission (SEC) climate disclosure rules are accelerating demand for credible, auditable ESG reporting (European Commission 2022; IFRS Foundation 2024; SEC 2024).
However, many IAFs are still developing their capacity to address ESG. Current audit methodologies and skill sets may not fully align with the forward-looking, cross-functional, and often qualitative nature of sustainability risks. There is a growing recognition that IA must move beyond its traditional role. As Otto-Mentz et al. (2022) argue, IA can become a business partner and strategic advisor, supporting governance, risk management, and assurance as sustainability expectations evolve.
This paper aims to address the following question: How can IA adapt its role to effectively support sustainability and ESG within a rapidly evolving regulatory and stakeholder landscape? To answer this question the paper draws on international guidance, case studies, and professional insights to identify the concrete steps IA must take to become a credible and strategic partner in the ESG transition.
2. Historical context and evolution of Internal Audit
The evolution of the Internal Audit Function (IAF) mirrors broader changes in organisational governance, risk and control. Initially concerned almost exclusively with financial oversight, IA has become a multidimensional activity that intersects with enterprise-risk management, strategy, sustainability and stakeholder engagement.
In the early 2000s IA’s remit centered on financial controls, operational efficiency and regulatory compliance. The Sarbanes-Oxley Act of 2002, enacted after high-profile corporate failures, intensified regulatory scrutiny and pushed organisations to strengthen internal-control systems (SEC 2024). During the same period the Institute of Internal Auditors (IIA) reinforced the principles of independence, objectivity and risk-based auditing through updates to its International Professional Practices Framework, which still shapes audit professionalism today (IIA 2017).
By the mid-2010s non-financial reporting gained prominence. Companies adopted broader standards such as the standards of the Global Reporting Initiative and the Sustainability Accounting Standards Board, laying early foundations for structured ESG disclosures (GRI 2016; SASB 2017). These frameworks introduced metrics on environmental, social and governance performance and prompted IA to review data quality, reporting processes and alignment with external guidance.
Climate and sustainability risk soon emerged as critical business issues. The Task Force on Climate-related Financial Disclosures encouraged transparency on climate governance, scenario planning and board oversight, bringing new expectations for assurance and accountability (IFRS Foundation 2024).
In the current decade IA is expected to address a wider range of strategic matters, including ESG risk, value-chain sustainability and data governance. Recent research show that IA is moving beyond a control-testing role to act as a business partner contributing to long-term value creation (Otto-Mentz et al. 2022). A 2025 survey by IIA Netherlands found that 92 percent of Dutch IA functions align their work with CSRD, yet only about one-third embed ESG considerations in every audit, underscoring the opportunity for IA to close this gap (IIA Netherlands 2025). Consequently the IAF is now expected to evaluate strategic topics, test sustainability-related controls, collaborate with cross-functional teams and advise boards on emerging risks.
Sections 3 and 4 develop this context in turn, Section 3 traces the regulatory changes that will redefine assurance requirements, while Section 4 analyses how stakeholder expectations in the Netherlands and the wider EU are raising the performance bar for IA.
3. Evolving regulations and the role of Internal Audit
The growing integration of sustainability into the corporate and financial regulatory agenda has transformed ESG from a voluntary reporting practice into a formal compliance issue. IA is increasingly expected to provide assurance over ESG risks, governance, and data accuracy. Nowhere is this more evident than in the European Union (EU), which has emerged as the global frontrunner in mandatory ESG disclosures.
The Corporate Sustainability Reporting Directive (CSRD), adopted in 2022 and effective from 2024, significantly expands the scope and depth of sustainability reporting requirements. Unlike its predecessor, the Non-Financial Reporting Directive (NFRD), the CSRD requires a much broader range of companies to disclose detailed information on environmental, social, and governance matters. These disclosures must be made in accordance with the European Sustainability Reporting Standards (ESRS), developed by the European Financial Reporting Advisory Group (EFRAG). This marks a shift toward standardised, audited, and comparable sustainability reporting across the EU.
A related development is the Omnibus Simplification Package put forward by the European Commission in February 2025. Instead of creating new duties, the package would amend the CSRD, the forthcoming Corporate Sustainability Due Diligence Directive and the EU Taxonomy Regulation to streamline requirements and cut administrative costs, particularly for SMEs. For a reflection on this, see e.g. Bartels (2025)). Key proposals include raising the CSRD employee threshold to 1000 and mandating only a voluntary “VSME” reporting standard for smaller undertakings (European Commission 2025). Although still under negotiation, the initiative signals a political push to balance transparency with competitiveness, a development IA must track closely because the final scope and timetable will shape its assurance work.
Outside the EU, jurisdictions such as the United States, Singapore, and Australia have introduced their own ESG regulations, with varying levels of ambition. The U.S. Securities and Exchange Commission (SEC) has proposed climate disclosure rules, while the International Sustainability Standards Board (ISSB) has issued a global baseline through IFRS S1 and S2 standards. However, these efforts differ in enforcement, materiality thresholds, and assurance requirements, making it more challenging for Internal Audit functions operating across borders. Given these differences, organisations must adapt their IA strategies to regional contexts. While EU-based companies must prepare for mandatory limited assurance under the CSRD, companies in other regions face different timelines and compliance obligations.
The CSRD introduces specific expectations around double materiality. This requires them to assess both how sustainability issues impact the business and how the business impacts people and the environment. This places IA in a critical position to advise on risk management, data readiness, and reporting quality.
The regulatory momentum is clear: IA can no longer treat sustainability as a peripheral issue. As regulatory regimes evolve, IA must enhance its technical literacy, adapt audit methodologies, and align its planning with emerging requirements. Doing so not only supports compliance but strengthens its role as a strategic partner in long-term value creation.
4. Evolving stakeholder expectations and the role of IA
Across sectors and jurisdictions, organisations face increasing scrutiny from a wide range of stakeholders regarding their management of sustainability risks and opportunities. Regulators are tightening ESG disclosure requirements, investors are demanding comparable data, and civil-society actors such as NGOs, coalitions and shareholder activists, are applying pressure for companies to align their operations with environmental and social priorities (United Nations 2023; Deloitte 2024).
Boards are now held accountable for ESG oversight. They are expected to demonstrate how sustainability issues are integrated into their governance, strategy, and risk management processes. Investors, particularly in Europe and North America, have become more active in their engagement, requiring assurance on non-financial metrics to inform capital allocation decisions, as reflected in IFRS Sustainability Disclosure Standards adoption trends and investor consultations (IFRS Foundation 2024). Perceived greenwashing can erode brand trust rapidly, turning culture audits and green-claims validation into strategic assurance topics for IA.
Employees and customers, especially younger demographics, also shape expectations. Deloitte’s 2025 Gen Z and Millennial Survey finds that 70 percent of respondents regard a company’s environmental credentials as important when choosing an employer, and 15 percent of Gen Zs and 13 percent of Millennials have already changed jobs over environmental concerns (Deloitte 2025). This readiness to act makes culture audits and green-claims validation strategic assurance topics for IA.
As stakeholder expectations rise, the IA function is being called upon to play a more strategic and integrated role. IA is now expected to evaluate whether ESG risks are adequately identified, managed, and embedded in business processes. This includes assurance over areas such as double materiality assessments, emissions reporting, greenwashing prevention, and ethical supply chain practices (Otto-Mentz et al. 2022). Moreover, stakeholders expect transparency not only in reporting but in ESG goal-setting and execution. IA can support this by assessing whether ESG goals are realistic, aligned with risk appetite, and are embedded and monitored effectively. This strategic role also involves advising on the governance of ESG data, scenario planning, and integration into enterprise risk management and control frameworks. IA’s unique position as independent yet connected enables it to identify gaps, challenge assumptions, and help management stay ahead of evolving risks.
In leading jurisdictions such as the Netherlands, Germany, and parts of Scandinavia, IA functions have taken on a more embedded role. They contribute to ESG steering committees, conduct pre-assurance readiness reviews for CSRD, and help align risk registers with ESG objectives (IIA Netherlands 2021; Otto-Mentz et al. 2022; IIA Netherlands 2025). In multinational firms, IA has been involved in evaluating ESG training programs, reviewing progress against sustainability KPIs, and assessing whether board-level oversight and control structures are effective and well-informed. Meeting these expanded expectations requires a shift in scope, capability, and mindset. IA teams must become decent in ESG reporting frameworks such as CSRD, GRI, and ISSB and in ESG control frameworks. They must also build partnerships across the first and second lines to ensure a coordinated response. Advisory engagements, pilot reviews, and participation in sustainability governance structures can strengthen IA’s strategic contribution.
The transition from compliance auditor to sustainability partner is not without challenges. Some functions lack the necessary ESG expertise or visibility at the leadership level. However, those that succeed in repositioning themselves can deliver significant value by reducing ESG-related risk exposure and enabling organisations to meet stakeholder expectations with confidence and clarity.
5. What Internal Audit must become: strategic shifts
To deliver meaningful value in the sustainability transformation, IA must expand its remit beyond traditional assurance and set out its future, desired role. Data verification and control testing remain essential. The future IA role also demands strategic-governance insight, forward-looking risk anticipation and support for long-term value creation. That means contributing to ESG-strategy alignment, advising on emerging sustainability risks and assessing how well sustainability considerations are embedded in decision-making and operations (IIA 2021; Otto-Mentz et al. 2022). The next section outlines what IA can do to meet evolving stakeholder expectations, while the later sections will explore how these shifts can be operationalised in practice.
5.1. Reframe the role of IA in ESG
In the ESG context, IA’s responsibilities extend beyond compliance checks and retrospective control reviews. IA must now assess the credibility, governance, and control of sustainability objectives, ensuring that ESG goals are clearly defined, tracked, and aligned with enterprise strategy. This includes evaluating how ESG risks are identified and controlled, and how performance is monitored over time to meet stakeholder expectations (IIA Netherlands 2021).
This broader role draws on IA’s independence, systemic risk perspective, and access across business functions. IA can assess whether ESG objectives are embedded in operational plans and supported by meaningful KPIs and incentives. For example, IA may evaluate whether climate transition plans are backed by capital allocation, or whether human rights commitments are reflected in supplier onboarding procedures.
Rather than acting after the fact, IA becomes a critical enabler of ESG assurance and governance, supporting boards and executive teams in navigating complexity and delivering on sustainability commitments.
5.2. Engage early in ESG strategy and risk management
IA’s influence increases dramatically when it engages early in strategic planning and ESG risk identification. Instead of validating ESG metrics after publication, IA should be involved from the outset in designing policies, selecting KPIs, and shaping governance structures. This might include participating in double materiality assessments, contributing to ESG steering groups, or advising on the integration of ESG into the organisation’s risk appetite framework (ECIIA 2023).
Such early involvement allows IA to identify gaps in risk coverage, suggest control improvements, and ensure that ESG objectives are embedded into core business processes and their controls. It also strengthens the quality of assurance over disclosures, helping management avoid greenwashing and ensuring regulatory alignment. Importantly, early engagement fosters mutual trust between IA and other business units, paving the way for more open dialogue, strategic advisory work, and long-term partnerships.
5.3. Strengthen governance and controls review
Robust governance and control systems are essential to credible ESG performance. IA should apply its established methodologies to evaluate the adequacy of sustainability-related governance structures and controls (IIA Netherlands 2021, 2025; IIA Spain 2025). This includes testing the reliability of ESG data, reviewing the design of internal reporting systems, and ensuring alignment between risk and performance reporting (IIA 2021; SEC 2024).
As non-financial disclosures become regulated, particularly in Europe, IA must treat ESG data with the same rigour as financial reporting. This means checking for consistency, completeness, and accuracy across multiple reporting streams like sustainability reports, investor communications, and regulatory filings.
Where weaknesses exist, such as fragmented systems or lack of documentation, IA can advise on remediation steps and readiness for third-party assurance. In doing so, IA supports compliance, builds investor trust, and protects reputational value.
5.4. Collaborate with key stakeholders
IA’s value in sustainability assurance depends on strong cross-functional collaboration — but this must evolve to meet ESG-specific demands. While engagement with the external auditor, finance, risk, legal, and compliance teams is already standard in most IA functions, ESG introduces new coordination requirements. For example, IA can play a unique role in bridging silos, aligning reporting efforts, and contributing to ESG steering committees where strategy, controls, and disclosures converge (Otto-Mentz et al. 2022).
IA’s broad view of the organisation enables it to connect fragmented ESG initiatives and offer assurance across both financial and non-financial domains. Co-developing audit scopes with sustainability and operations teams, sharing insights early, and advising on cross-functional risks are increasingly important. Additionally, sustained engagement with the board and audit committee on ESG risks, assurance outcomes, and strategic alignment enhances governance and reaffirms IA’s evolving business role.
5.5. Address barriers to IA engagement
Despite growing momentum, practical barriers might still constrain IA’s ability to contribute meaningfully to ESG transformation. These include limited ESG expertise, resource constraints, unclear mandates, and inconsistent expectations across stakeholders. In addition, uncertainty in the evolving regulatory landscape, particularly around the timing, scope, and enforcement of ESG reporting standards, creates further complexity. Shifting geopolitical dynamics and diverging global priorities can also hinder organisations from setting clear ESG goals, making it more difficult for IA to define its scope of involvement.
To navigate this, IA functions must proactively define and communicate their role in ESG. This may involve updating the IA charter, engaging with executive leadership on ESG risk appetite, and articulating how IA supports the organisation’s sustainability strategy (IIA 2021).
Where resources are limited, prioritisation is critical. Functions may begin with materiality assessments, ESG risk mapping, or readiness reviews, and then gradually scale efforts through targeted training and stakeholder engagement. Strategic use of technology, including automation and ESG analytics, can help overcome capacity gaps and improve audit coverage.
By acknowledging and addressing both internal limitations and external uncertainty, IA can reinforce its relevance and evolve from a reactive function to a proactive partner in ESG transformation.
6. Practical steps and actions
Section 5 identifies the strategic shifts IA must undertake to meet rising expectations, while Section 6 translates those shifts into a roadmap, linking vision to execution. The next section outlines what IA can do to meet evolving stakeholder expectations, while the later sections will explore how these shifts can be operationalised in practice.
6.1. Upskill and resource the function
The ESG landscape is complex and fast-evolving, requiring IA to significantly enhance its capabilities. One of the most urgent priorities for IA leaders is to invest in ESG-specific training and recruitment. Many IA teams still lack deep expertise in sustainability topics such as climate risk, double materiality, human rights due diligence, and non-financial reporting standards and control frameworks (IIA Netherlands 2021, 2025; Otto-Mentz et al. 2022).
Targeted upskilling, delivered through professional development programs, certifications, and workshops, can close these knowledge gaps. Additionally, partnering with sustainability experts, regulatory bodies, and academic institutions can provide the external insights needed to stay abreast of emerging trends. Internal secondments between IA and sustainability functions are also increasingly effective in developing cross-functional understanding and relationships.
By embedding ESG knowledge throughout the audit team, IA functions will be better equipped to evaluate non-financial risks, contribute to sustainability governance, and offer credible assurance on ESG disclosures.
6.2. Define and communicate IA’s ESG mandate
One of the persistent challenges facing IA functions is ambiguity around their role in ESG. To be effective, IA must clearly define what it will and will not do in the context of sustainability. This includes outlining its responsibilities across data assurance, governance review, risk oversight, and advisory support.
Updating the IA charter and risk universe to reflect ESG priorities is a good starting point. These updates should be communicated internally, especially to risk owners, ESG teams, and senior leadership. Clarity builds confidence and ensures IA is engaged appropriately and early.
By formalising its mandate, IA not only avoids duplication or overreach but positions itself as a strategic partner in the organisation’s sustainability journey.
6.3. Leverage digital tools and analytics
Given the volume and variety of ESG data, digital enablement is essential. IA teams must embrace technology not only to enhance efficiency, but also to improve insight generation and audit quality. This includes using dashboards to visualise ESG performance, employing AI to detect anomalies or outliers in sustainability data, and applying automated controls testing to monitor ESG risk exposures in real time (Otto-Mentz et al. 2022; Deloitte 2024).
Modern ESG audit platforms allow IA to conduct deeper, data-driven reviews across diverse topics, from emissions tracking to supply chain integrity. Integration with enterprise resource planning (ERP) systems also improves the traceability and reliability of non-financial metrics.
In Europe, audit teams in sectors such as financial services and energy have started integrating ESG analytics into their audit universes. These tools support near real-time risk flagging, scenario analysis, and automated testing of ESG data controls. For example, the use of dashboards and predictive analytics helps identify anomalies in emissions reporting and supply chain due diligence (IFRS Foundation 2023).
6.4. Integrate IA into ESG strategy development
Early involvement gives IA the leverage to shape sustainability commitments before they become fixed public promises. In practice this begins with governance documents: Dutch organisations that insert an IA review clause into their ESG policy template report fewer late-cycle control findings during the reporting season (IIA Netherlands 2025).
Once a formal gateway exists, chief audit executives secure observer status on the ESG steering committee; participation at this stage allows IA to test the auditability of proposed key performance indicators and to flag gaps in data ownership and system readiness well ahead of board approval. A further mechanism is a standing checkpoint in the double-materiality workflow, under which management must obtain IA commentary on scoping decisions before disclosures are drafted. Together, these arrangements convert early engagement from a goodwill gesture into a repeatable process that improves data quality and mitigates reputational risk.
6.5. Embed collaboration with governance and teams
Structured collaboration turns isolated audit findings into sustained control improvement. Many Dutch multinationals start by mapping the custodians of critical ESG data, finance for emissions calculations, procurement for supply-chain diligence, sustainability for narrative context, and sharing that matrix with risk owners and the audit committee (IIA Netherlands 2025).
Collaboration can deepen through a quarterly governance forum, supported by IA, where emerging-risk heat maps and control-testing results are reviewed shortly before the audit-committee meeting; the lead time enables management to rectify deficiencies and has cut late-cycle issues by almost one-third.
Finally, short secondments between IA and sustainability or risk teams build mutual fluency, while an annual audit-committee deep dive, co-presented by IA and management on themes such as Scope-3 readiness, signals that assurance and execution are tightly coupled. These measures, when tracked through a collaboration effectiveness KPI, embed IA as an integral partner in the organisation’s sustainability governance architecture.
6.6. Benchmarking and learning from peers
ESG transformation is a shared journey, and IA functions can accelerate their progress by learning from peers. Benchmarking activities, whether formal or informal, can help identify strengths, gaps, and innovation opportunities. European audit functions, particularly in countries like the Netherlands and Germany, often lead the way in ESG assurance and offer practical examples to follow (Otto-Mentz et al. 2022; ECIIA 2023).
Participation in regional or international ESG audit networks enables knowledge exchange and fosters collaboration. Forums such as the Professional Practices network of IIA Netherlands, the European Confederation of Institutes of Internal Auditing (ECIIA), and sector-specific working groups provide platforms to share tools, frameworks, and case studies.
Such collaboration not only improves quality but also strengthens audit credibility in the eyes of regulators and external assurance providers.
6.7. Link IA’s ESG activities to organisational value
Finally, IA must consistently demonstrate how its ESG activities support the organisation’s broader value creation goals. Whether it is through reducing risk exposure, supporting compliance, improving decision-making, or enhancing stakeholder trust, IA must show that its work contributes tangible outcomes.
This could involve tracking metrics such as ESG audit coverage, risk mitigation actions implemented, assurance readiness levels, or improvements in ESG ratings. It may also involve asking for qualitative feedback from boards or business units on IA’s advisory input.
By framing ESG audits in terms of enterprise value, IA builds its strategic case and reinforces its relevance in an increasingly sustainability-focused world.
7. Implementing the transformation7.1. Practical maturity model for Internal Audit’s ESG assurance
To turn the operational moves in section 6 into a clear development path, Internal Audit (IA) needs a single instrument that links today’s priorities to tomorrow’s ambitions. The four-stage maturity model, adapted from Otto-Mentz et al. (2022), provides this structure. It labels each stage and the corresponding audit posture, giving boards and chief audit executives a shared language for diagnosis, goal-setting and progress review.
Placing the function on the model (Table 1) starts with an honest review of six areas:
(1) audit-team expertise in ESG,
(2) integration of sustainability risks into enterprise-risk management,
(3) strength of analytics and data-governance tools,
(4) quality of engagement with the board,
(5) breadth of ESG coverage in the audit universe and
(6) alignment with external assurance standards.
Scoring each area on the same one-to-four scale reveals unevenness, for example, strong data capability but only moderate board engagement, and highlights where improvement will yield the greatest benefit.
The four-stage maturity model (adapted from Otto Mentz et al. (2022)).
Stage
Primary focus
IA role
Typical characteristics
1 Follower
Basic ESG compliance
Verifies controls and data
Reactive audits, limited ESG scope, isolated work programs
2 Mature
Risk-aligned assurance
Assesses data and ESG gaps
Risk-based scoping, coordination with ESG teams
3 Leader
ESG embedded across audits
Strategic advisor
Participation in governance forums and policy design
4 Innovator
ESG shapes corporate strategy
Scenario planner and sustainability expert
Forward-looking insight, influence on the ESG agenda
7.2. From diagnosis to action
A maturity assessment gains influence when its findings feed directly into the annual audit plan. Chief audit executives first discuss the results with the audit committee, framing gaps in terms of CSRD milestones and stakeholder expectations. They then convert priorities into a multi-year action plan that links specific measures, targeted training, co-sourcing, adjustments to the audit universe or investment in data platforms, to clear milestones and owners. Progress is reviewed at least once a year, ideally alongside the CSRD-readiness update, to keep resources aligned with strategy and regulation.
<italic>Keeping the model relevant</italic>
The maturity assessment should be repeated annually. Revisiting scores and updating the roadmap in light of new risks or regulations helps the function keep pace with a fast-moving ESG landscape. Regular communication of outcomes to senior leadership confirms Internal Audit’s value and shows that assurance capability is advancing alongside organisational needs.
8. Conclusion: Internal Audit’s role in a sustainable future
As sustainability continues to reshape the regulatory, societal, and strategic landscape, IA is being called to evolve. No longer limited to retrospective assurance, the function now faces growing expectations to engage early in ESG governance, contribute to strategy, and provide credible insights on sustainability risks and performance. This shift reflects both a global convergence in ESG regulation and increasing demands from stakeholders for transparency, resilience, and ethical stewardship.
This paper has argued that IA can and should play a pivotal role in this transformation. With its independence, risk orientation, and enterprise-wide access, IA is well positioned to support the integration of ESG into core business processes. To do so, it must expand its capabilities, strengthen collaboration, and adopt new frameworks and tools that support maturity.
The proposed maturity model offers a practical starting point. They allow IA leaders to assess readiness, set direction, and build the internal structures necessary for impact. Case examples and current practices, especially from leading EU jurisdictions, demonstrate that IA can move quickly when the mandate is clear, leadership is supportive, and capacity is built intentionally.
The path forward will not be uniform. IA functions will face different pressures based on geography, sector, and organisational maturity. Yet the imperative remains the same: to be relevant, credible, and value-adding in an ESG-driven world. This demands courage, capability, and an openness to redefine what it means to serve as a trusted advisor.
In a time of accelerating change, IA’s ability to adapt and to lead will determine not only its future role but its continued contribution to responsible, sustainable business.
R. de Leeuw – Rob is Partner Internal Audit at Deloitte.
A. de Draaijer – Arjan is European Sustainability Senior Partner at Deloitte.
ReferencesBartelsW (2025) Making sense of the Omnibus Proposal: An interview with Wim Bartels. Coolset Academy. [8 May 2025] https://www.coolset.com/academy/wim-bartels-on-efrag-esrs-and-omnibus-proposalDeloitte (2024) CxO sustainability report 2024: Accelerating the green transition. Amsterdam: Deloitte. https://www.deloitte.com/global/en/issues/climate/cxo-sustainability-report.htmlDeloitte (2025) 2025 Gen Z and Millennial Survey. London: Deloitte. https://www.deloitte.com/content/dam/assets-shared/docs/campaigns/2025/2025-genz-millennial-survey.pdfECIIA [European Confederation of Institutes of Internal Auditing] (2023) The role of internal audit in ESG in industrial and commercial companies. Position paper, September 2023. https://www.iia.nl/SiteFiles/Publicaties/The%20role%20of%20Internal%20Audit%20in%20ESG.pdfEumedion (2024) Stewardship Code – revised 2024. The Hague: Eumedion.European Commission (2014) Directive 2014/95/EU on disclosure of non-financial and diversity information. Official Journal L 330/1. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014L0095European Commission (2022) Directive (EU) 2022/2464 (Corporate Sustainability Reporting Directive). Official Journal L 322/15. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2464European Commission (2023) Commission Delegated Regulation (EU) 2023/2772 of 31 July 2023 supplementing Directive (EU) 2022/2464 as regards European Sustainability Reporting Standards. Official Journal L 378/1. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R2772European Commission (2025) Omnibus I package: Commission simplifies rules on sustainability and EU investments, delivering over € 6 billion in administrative relief. Brussels: European Commission. https://finance.ec.europa.eu/publications/omnibus-i-package-commission-simplifies-rules-sustainability-and-eu-investments-delivering-over-eu6_enGlobal Reporting Initiative (2016) GRI Standards 2016: Consolidated set. Amsterdam: GRI. https://globalreporting.org/how-to-use-the-gri-standards/resource-center/IFRS Foundation (2024) Inaugural Jurisdictional Guide for the adoption or other use of ISSB Standards. London: IFRS Foundation. https://www.ifrs.org/content/dam/ifrs/supporting-implementation/adoption-guide/inaugural-jurisdictional-guide.pdfIIA [Institute of Internal Auditors IIA] (2017) International Professional Practices Framework, 2017 edn. Lake Mary FL: The IAA. https://www.iia.nl/kwaliteit/beroepsnormenIIA Netherlands [Institute of Internal Auditors Netherlands] (2021) Climate Change and Environmental Risk: Challenges and Tools for Internal Audit, 2021 Amsterdam: IIA NL. https://www.iia.nl/kenniscentrum/vaktechnische-publicaties/publicatie/climate-change-and-environmental-risk---challenges-and-tools-for-internal-audit-IIA Netherlands [Institute of Internal Auditors Netherlands] (2025) ESG – Uitdagingen en handvatten voor Internal Audit. Amsterdam: IIA NL. https://www.iia.nl/kenniscentrum/vaktechnische-publicaties/rapport-esg-uitdagingen-en-handvatten-voor-internal-auditIIA Spain [Institute of Internal Auditors Spain] (2025) Internal control over sustainability reporting (ICSR): Essential guide. Madrid: IIA Spain. https://auditoresinternos.es/wp-content/uploads/2025/03/IAIE_Libro_SCIIS_DIGITAL_ING_compressed-comprimido.pdfISSB [International Sustainability Standards Board] (2024) IFRS Accounting Standards. London: IFRS Foundation. https://www.ifrs.org/issued-standards/list-of-standards/NBA & IIA Netherlands (2018) Handreiking ESG-assurance: Praktische gids voor internal auditors en accountants. Amsterdam: NBA / IIA Netherlands.Otto-MentzPVisserTMeijerJ (2022) “Transforming Internal Audit: How to become a sustainability business partner.” Maandblad voor Accountancy en Bedrijfseconomie96(4): 185–194. https://doi.org/10.5117/mab.96.91087SASB [Sustainability Accounting Standards Board] (2017) SASB Standards overview. San Francisco: SASB. https://sasb.ifrs.org/standards/SEC [US Securities and Exchange Commission] (2024) Enhancement and standardisation of climate-related disclosures for investors. Release 34-99678. Washington DC: SEC.TCFD [Task Force on Climate-related Financial Disclosures] (2017) Recommendations of the Task Force on Climate-related Financial Disclosures. Basel: Financial Stability Board. https://www.fsb.org/wp-content/uploads/TCFD-Final-Report-2017.pdfUN Global Compact (2023) UN Global Compact 2023 Annual Report. New York: United Nations Global Compact. https://info.unglobalcompact.nl/l/1015612/2024-07-30/hz385/1015612/1722328449ayeTZIzZ/Annual_Report_2023_v5_1.pdf?_gl=1*loh4t4*_up*MQ..*_ga*MTUyODc0MDgxLjE3NTQ2NDgwNDQ.*_ga_Q193CPTCMD*czE3NTQ2NDgwNDIkbzEkZzAkdDE3NTQ2NDgwNDIkajYwJGwwJGgw