An audit framework for Corporate Social Responsibility Richard Hollands Head of Audit and Risk Review Nacro
A definition “the commitment of business to contribute to sustainable economic development working with employees, their families, the local community and society at large to improve their quality of life.” World Business Council for Sustainable Development, (2000), Corporate Social Responsibility: Making Good Business Sense, p10.
CSR – what is it? CSR is about managing the impacts on society and stakeholders of an organisation’s operations, processes, behaviour etc. Typically this means an organisation’s Social, Ethical and Environmental (SEE) activities in the wider world. CSR has a relationship with an organisation’s financial activities too. CSR is at the core of public service and charity organisations. CSR lies at the heart of reputation management.
CSR defined in more detail Operating beyond basic legal compliance – from the board downwards; Considering the impacts on society and the environment; Managing social, ethical and environmental risks; Having relationships with stakeholders that are responsible, fair, and respect human rights; Responding to the needs and expectations of diverse stakeholder groups; and, Building the above into governance & management systems. Rayner, J., (2003), Managing Reputational Risk – curbing threats, leveraging opportunities, Chichester, England: John Wiley & Sons.
A role for internal auditors A growing shift of the audit profession beyond the traditional lines of finance and information technology to wider operational practices that respond to client and professional pressures brought about by a growth in the practice of risk management. The IIA definition of internal auditing has broadened its scope to: providing independent assurance to the Board and Audit Committee that the organisation is managing risk effectively; raising awareness of risk and control matters to improve the risk management in the business of their organisations; and, co-ordinating risk reporting to the Board/Audit Committee.
A changing environment for internal auditors Corporate scandals; Heightened awareness and knowledge of stakeholders; Greater scrutiny of social, environmental and ethical performance; and, Organisational exposure in these areas results in a growing need for assurance.
The development of CSR auditing Traditional audits do not address CSR risks; ‘Turnbull’ risks include health, safety, environmental, reputational and business probity (i.e. CSR-type risks) – resulting in an assurance gap!; Not risk-based; and, Approaches to date based on external audit-style approach.
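Organisational approaches to CSR (matrix of activities against methods) CSR activities by traditional methods: Doing responsible things; CSR activities by responsible methods: Doing responsible things, responsibly; Traditional activities by traditional methods: Doing routine business; and, Traditional activities by responsible methods: Doing things responsibly.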
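Organisational approaches – examples (matrix of activities against methods) CSR activities by traditional methods: Recycling campaigns, Stakeholder engagement; CSR activities by responsible methods: Combination; Traditional activities by traditional methods: Routine work; and, Traditional activities by responsible methods: Ethical purchasing, Responsible investments.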
Internal audit’s traditional role the achievement of objectives; compliance with rules, regulations and legislation; the reliability of records and information; economy, efficiency and effectiveness; and, that assets are safeguarded.
Re-defining internal audit’s role the achievement of objectives in a responsible way with adverse impacts upon stakeholders being minimised and positive impacts maximised; compliance with rules, regulations and legislation with stated values that are consistent with responsible practice(s); the reliability of records and information for internal and external (stakeholder) purposes; that the optimum use of resources are employed in a responsible way; and, that assets are safeguarded, including assets external to the organisation such as its investment in society and the environment.
An audit framework – planning Integrated into risk-based approach: CSR risks considered as part of all relevant risks; Planned audit activity of CSR where there is no underpinning corporate objective will be difficult to deliver; Considered for both strategic and individual assignment plans; Re-balancing of resources and priorities; and, Is planned audit coverage proportionate to the risk(s)?
An audit framework – audit focus Adopting the integration principle – reduces the potential for an assurance gap and increases the potential for audit adding value; Comparing ‘what is’ with ‘what should be’: is the operational activity being performed in a way that is consistent with ‘responsibility’ values? Consider the external perception of the CSR risks – impact on reputation.
An audit framework – stakeholders Internal Audit should look to assess: the stakeholder engagement processes adopted by organisations in formulating their plans; how each stakeholder’s ‘stake’ has been determined; and, the level of stakeholder influence. This will enable stakeholder prioritisation so that the benefits of key relationships can be assessed.
An audit framework – collaborating Start from the position that all internal audits are a proven and structured process; Recognise that there is a role for specialists in the assurance of CSR; specific issues may require expert resources; Use collaboration to acquire specialist help, and as a basis for developing auditors’ competency and knowledge of CSR; and, specialist agencies should be considered as part of any audit planning.
Doing responsible things Internal audit should assess: contribution to the business aims; alignment with the stated mission and values; consistency with accepted codes of conduct and policies; effect upon stakeholders; costs and benefits of CSR activities have been considered, and; management have considered and taken appropriate measures to manage [CSR] risks.
Doing things responsibly Internal audit should assess that: consistency with the organisation’s values; effective arrangements for stakeholder management; CSR risks have been evaluated; business practices promote responsible working; the costs and benefits of CSR have been considered; effective reporting that meets legal and other standards; and, systems to implement and develop the organisation’s values are effective.
Doing responsible things, responsibly. This type of audit combines the ‘doing responsible things’ and ‘doing things responsibly’ approaches. Internal audit should assess and report upon not only how well activities have delivered against planned benefits but that they have been done in a responsible way. Key to this is an assessment of how effectively negative CSR impacts are minimised and CSR opportunities are maximised.
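Audit coverage and extent (matrix of coverage against audit extent) Wide coverage, shallow audit extent: Shallow but wide; Wide coverage, deep audit extent: Deep & wide; Narrow coverage, shallow audit extent: Shallow & narrow; and, Narrow coverage, deep audit extent: Deep but narrow.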
Shallow but wide coverage Appropriate for reviews of operational units of an organisation. Should be used to confirm any CSR-related issues are working ‘on the ground’ when there is no specific risk.
Deep but narrow approach Employed on single CSR issue of an organisation’s business such as a CSR-type risk within the risk register. Or where a specific operational unit has a high exposure to a CSR-type risk and needs to be considered specifically as part of a wider review.
Deep and wide approach Specific investigations or where a fundamental breakdown in effective risk management and controls has occurred which leaves the organisation open to significant risk.
A role for internal audit – a final thought “Knowing that the corporate social responsibility caravan is on the move, but not waiting for the sandstorm of definitions to clear, the internal auditing function has much at its fingertips already. Neither would it need to wait on successors to the Cadbury and Hampel Committees on corporate governance to redefine the scope of internal controls. The auditor knows that the long-term health of the business depends on the management of business risk, the preservation of the de facto and de jure licences to operate, and on the improved understanding of key success factors. Thus the risk of exposure arising from unethical conduct is in triple jeopardy.” Rosthorn, J., (2000), Business ethics auditing – more than a stakeholder’s toy, Journal of Business Ethics, Vol. 27, No.1/2, pp9-19.