The global rise of sustainability and ESG (Environmental, Social, and Governance) presents Internal Audit (IA) with a strategic opportunity to strengthen governance, build trust, and support long-term value creation. As regulatory demands increase and stakeholder scrutiny intensifies, IA is evolving from a compliance-oriented function to a proactive business partner. This paper offers practical guidelines and tools, including a four-stage maturity model, to support IA’s transformation. Drawing on international guidance, case studies, and regional insights, the paper demonstrates how IA can enhance ESG assurance, contribute to integrated risk management, and enable sustainable decision-making. These tools are designed to help IA deliver improved data reliability, clearer ESG insights for the board, and credible assurance that builds stakeholder confidence.

Internal Audit, ESG, sustainability, regulatory reporting, risk management, CSRD, ISSB

This paper equips IA professionals with applied tools and regionally informed strategies to meet growing ESG expectations. It supports audit leaders in enhancing sustainability data assurance, strengthening risk alignment, and collaborating with boards to deliver forward-looking insights. Content is grounded in evolving international standards and stakeholder needs.

Environmental, Social, and Governance (ESG) issues are reshaping the global business environment. Rising climate risks, supply chain disruptions, and social accountability have triggered a wave of new regulations, investor scrutiny, and stakeholder expectations. In response, many organisations are embedding sustainability into core strategy. This transformation is not only driven by values but also by risk management, innovation, and long-term value creation.

The Internal Audit Function (IAF) is directly impacted. Traditionally focused on financial controls and compliance, IA is increasingly expected to provide independent assurance over sustainability-related risks and data. Regulatory developments such as the European Union’s Corporate Sustainability Reporting Directive (CSRD), the standards of the International Sustainability Standards Board (ISSB), and the United States Securities and Exchange Commission (SEC) climate disclosure rules are accelerating demand for credible, auditable ESG reporting (European Commission 2022; IFRS Foundation 2024; SEC 2024).

However, many IAFs are still developing their capacity to address ESG. Current audit methodologies and skill sets may not fully align with the forward-looking, cross-functional, and often qualitative nature of sustainability risks. There is a growing recognition that IA must move beyond its traditional role. As Otto-Mentz et al. (2022) argue, IA can become a business partner and strategic advisor, supporting governance, risk management, and assurance as sustainability expectations evolve.

This paper aims to address the following question: How can IA adapt its role to effectively support sustainability and ESG within a rapidly evolving regulatory and stakeholder landscape? To answer this question the paper draws on international guidance, case studies, and professional insights to identify the concrete steps IA must take to become a credible and strategic partner in the ESG transition.

The evolution of the Internal Audit Function (IAF) mirrors broader changes in organisational governance, risk and control. Initially concerned almost exclusively with financial oversight, IA has become a multidimensional activity that intersects with enterprise-risk management, strategy, sustainability and stakeholder engagement.

In the early 2000s IA’s remit centered on financial controls, operational efficiency and regulatory compliance. The Sarbanes-Oxley Act of 2002, enacted after high-profile corporate failures, intensified regulatory scrutiny and pushed organisations to strengthen internal-control systems (SEC 2024). During the same period the Institute of Internal Auditors (IIA) reinforced the principles of independence, objectivity and risk-based auditing through updates to its International Professional Practices Framework, which still shapes audit professionalism today (IIA 2017).

By the mid-2010s non-financial reporting gained prominence. Companies adopted broader standards such as the standards of the Global Reporting Initiative and the Sustainability Accounting Standards Board, laying early foundations for structured ESG disclosures (GRI 2016; SASB 2017). These frameworks introduced metrics on environmental, social and governance performance and prompted IA to review data quality, reporting processes and alignment with external guidance.

Climate and sustainability risk soon emerged as critical business issues. The Task Force on Climate-related Financial Disclosures encouraged transparency on climate governance, scenario planning and board oversight, bringing new expectations for assurance and accountability (IFRS Foundation 2024).

In the current decade IA is expected to address a wider range of strategic matters, including ESG risk, value-chain sustainability and data governance. Recent research show that IA is moving beyond a control-testing role to act as a business partner contributing to long-term value creation (Otto-Mentz et al. 2022). A 2025 survey by IIA Netherlands found that 92 percent of Dutch IA functions align their work with CSRD, yet only about one-third embed ESG considerations in every audit, underscoring the opportunity for IA to close this gap (IIA Netherlands 2025). Consequently the IAF is now expected to evaluate strategic topics, test sustainability-related controls, collaborate with cross-functional teams and advise boards on emerging risks.

Sections 3 and 4 develop this context in turn, Section 3 traces the regulatory changes that will redefine assurance requirements, while Section 4 analyses how stakeholder expectations in the Netherlands and the wider EU are raising the performance bar for IA.

The growing integration of sustainability into the corporate and financial regulatory agenda has transformed ESG from a voluntary reporting practice into a formal compliance issue. IA is increasingly expected to provide assurance over ESG risks, governance, and data accuracy. Nowhere is this more evident than in the European Union (EU), which has emerged as the global frontrunner in mandatory ESG disclosures.

The Corporate Sustainability Reporting Directive (CSRD), adopted in 2022 and effective from 2024, significantly expands the scope and depth of sustainability reporting requirements. Unlike its predecessor, the Non-Financial Reporting Directive (NFRD), the CSRD requires a much broader range of companies to disclose detailed information on environmental, social, and governance matters. These disclosures must be made in accordance with the European Sustainability Reporting Standards (ESRS), developed by the European Financial Reporting Advisory Group (EFRAG). This marks a shift toward standardised, audited, and comparable sustainability reporting across the EU.

A related development is the Omnibus Simplification Package put forward by the European Commission in February 2025. Instead of creating new duties, the package would amend the CSRD, the forthcoming Corporate Sustainability Due Diligence Directive and the EU Taxonomy Regulation to streamline requirements and cut administrative costs, particularly for SMEs. For a reflection on this, see e.g. Bartels (2025)). Key proposals include raising the CSRD employee threshold to 1000 and mandating only a voluntary “VSME” reporting standard for smaller undertakings (European Commission 2025). Although still under negotiation, the initiative signals a political push to balance transparency with competitiveness, a development IA must track closely because the final scope and timetable will shape its assurance work.

Outside the EU, jurisdictions such as the United States, Singapore, and Australia have introduced their own ESG regulations, with varying levels of ambition. The U.S. Securities and Exchange Commission (SEC) has proposed climate disclosure rules, while the International Sustainability Standards Board (ISSB) has issued a global baseline through IFRS S1 and S2 standards. However, these efforts differ in enforcement, materiality thresholds, and assurance requirements, making it more challenging for Internal Audit functions operating across borders. Given these differences, organisations must adapt their IA strategies to regional contexts. While EU-based companies must prepare for mandatory limited assurance under the CSRD, companies in other regions face different timelines and compliance obligations.

The CSRD introduces specific expectations around double materiality. This requires them to assess both how sustainability issues impact the business and how the business impacts people and the environment. This places IA in a critical position to advise on risk management, data readiness, and reporting quality.

The regulatory momentum is clear: IA can no longer treat sustainability as a peripheral issue. As regulatory regimes evolve, IA must enhance its technical literacy, adapt audit methodologies, and align its planning with emerging requirements. Doing so not only supports compliance but strengthens its role as a strategic partner in long-term value creation.

Across sectors and jurisdictions, organisations face increasing scrutiny from a wide range of stakeholders regarding their management of sustainability risks and opportunities. Regulators are tightening ESG disclosure requirements, investors are demanding comparable data, and civil-society actors such as NGOs, coalitions and shareholder activists, are applying pressure for companies to align their operations with environmental and social priorities (United Nations 2023; Deloitte 2024).

Boards are now held accountable for ESG oversight. They are expected to demonstrate how sustainability issues are integrated into their governance, strategy, and risk management processes. Investors, particularly in Europe and North America, have become more active in their engagement, requiring assurance on non-financial metrics to inform capital allocation decisions, as reflected in IFRS Sustainability Disclosure Standards adoption trends and investor consultations (IFRS Foundation 2024). Perceived greenwashing can erode brand trust rapidly, turning culture audits and green-claims validation into strategic assurance topics for IA.

Employees and customers, especially younger demographics, also shape expectations. Deloitte’s 2025 Gen Z and Millennial Survey finds that 70 percent of respondents regard a company’s environmental credentials as important when choosing an employer, and 15 percent of Gen Zs and 13 percent of Millennials have already changed jobs over environmental concerns (Deloitte 2025). This readiness to act makes culture audits and green-claims validation strategic assurance topics for IA.

As stakeholder expectations rise, the IA function is being called upon to play a more strategic and integrated role. IA is now expected to evaluate whether ESG risks are adequately identified, managed, and embedded in business processes. This includes assurance over areas such as double materiality assessments, emissions reporting, greenwashing prevention, and ethical supply chain practices (Otto-Mentz et al. 2022). Moreover, stakeholders expect transparency not only in reporting but in ESG goal-setting and execution. IA can support this by assessing whether ESG goals are realistic, aligned with risk appetite, and are embedded and monitored effectively. This strategic role also involves advising on the governance of ESG data, scenario planning, and integration into enterprise risk management and control frameworks. IA’s unique position as independent yet connected enables it to identify gaps, challenge assumptions, and help management stay ahead of evolving risks.

In leading jurisdictions such as the Netherlands, Germany, and parts of Scandinavia, IA functions have taken on a more embedded role. They contribute to ESG steering committees, conduct pre-assurance readiness reviews for CSRD, and help align risk registers with ESG objectives (IIA Netherlands 2021; Otto-Mentz et al. 2022; IIA Netherlands 2025). In multinational firms, IA has been involved in evaluating ESG training programs, reviewing progress against sustainability KPIs, and assessing whether board-level oversight and control structures are effective and well-informed. Meeting these expanded expectations requires a shift in scope, capability, and mindset. IA teams must become decent in ESG reporting frameworks such as CSRD, GRI, and ISSB and in ESG control frameworks. They must also build partnerships across the first and second lines to ensure a coordinated response. Advisory engagements, pilot reviews, and participation in sustainability governance structures can strengthen IA’s strategic contribution.

The transition from compliance auditor to sustainability partner is not without challenges. Some functions lack the necessary ESG expertise or visibility at the leadership level. However, those that succeed in repositioning themselves can deliver significant value by reducing ESG-related risk exposure and enabling organisations to meet stakeholder expectations with confidence and clarity.

To deliver meaningful value in the sustainability transformation, IA must expand its remit beyond traditional assurance and set out its future, desired role. Data verification and control testing remain essential. The future IA role also demands strategic-governance insight, forward-looking risk anticipation and support for long-term value creation. That means contributing to ESG-strategy alignment, advising on emerging sustainability risks and assessing how well sustainability considerations are embedded in decision-making and operations (IIA 2021; Otto-Mentz et al. 2022). The next section outlines what IA can do to meet evolving stakeholder expectations, while the later sections will explore how these shifts can be operationalised in practice.

Section 5 identifies the strategic shifts IA must undertake to meet rising expectations, while Section 6 translates those shifts into a roadmap, linking vision to execution. The next section outlines what IA can do to meet evolving stakeholder expectations, while the later sections will explore how these shifts can be operationalised in practice.

As sustainability continues to reshape the regulatory, societal, and strategic landscape, IA is being called to evolve. No longer limited to retrospective assurance, the function now faces growing expectations to engage early in ESG governance, contribute to strategy, and provide credible insights on sustainability risks and performance. This shift reflects both a global convergence in ESG regulation and increasing demands from stakeholders for transparency, resilience, and ethical stewardship.

This paper has argued that IA can and should play a pivotal role in this transformation. With its independence, risk orientation, and enterprise-wide access, IA is well positioned to support the integration of ESG into core business processes. To do so, it must expand its capabilities, strengthen collaboration, and adopt new frameworks and tools that support maturity.

The proposed maturity model offers a practical starting point. They allow IA leaders to assess readiness, set direction, and build the internal structures necessary for impact. Case examples and current practices, especially from leading EU jurisdictions, demonstrate that IA can move quickly when the mandate is clear, leadership is supportive, and capacity is built intentionally.

The path forward will not be uniform. IA functions will face different pressures based on geography, sector, and organisational maturity. Yet the imperative remains the same: to be relevant, credible, and value-adding in an ESG-driven world. This demands courage, capability, and an openness to redefine what it means to serve as a trusted advisor.

In a time of accelerating change, IA’s ability to adapt and to lead will determine not only its future role but its continued contribution to responsible, sustainable business.