Table of Contents
Introduction
Executive Summary
CSR Definitions
Responsibility for CSR
Risks
Reputation
Compliance
Liability
Operational
Stock Market
Employment Market
Sales Market
External Business Relationships
CSR Business Activities
CSR Reporting
Approaches to Evaluating CSR
Auditing
Facilitating
Consulting
Audit Considerations
Use of Audit Opinion
Independence and Objectivity
Skills and Body of Knowledge
Resources
CSR Maturity Model
Internal Audit Program Development (Considerations)
Appendix A: Auditing by Element
Governance
Ethics
Environment
Transparency
Health, Safety, and Security
Human Rights and Work Conditions
Community Investment
Appendix B: Auditing by Stakeholder Group
Employees and Their Families
The Environment
Customers
Suppliers
Neighboring Communities
Shareholders and Investors
Appendix C: Stakeholder Theory
Appendix D: Additional Resources
Practice Guide Team Members
www.theiia.org/guidance / B
IPPF Practice Guide
Evaluating Corporate Social Responsibility/Sustainable Development
1. Auditors that conform to the Performance and Program Standards for the Professional Practice of Environmental, Health and Safety Auditing (Board of Environmental Health and Safety
Auditor Certifications) may also be qualified.
1. Determining and communicating policies and procedures for areas including corporate governance, business ethics, human resources and employment, supply chain management, stakeholder relations, donations and political contributions, the environment, and health and wellness.

Donation and sponsorship amounts.
Economic benefits to specified regions.
Employee satisfaction.
Noncompliance incidents.
Commitments to stakeholders, reclamation activity.
8. Refer to Appendix C for additional information regarding stakeholder theory and engagement.
Approaches to Evaluating CSR

Definition of internal auditing:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.11

As part of the risk assessment and audit planning process, the CAE considers the CSR risks and whether to include all or part of the processes in its audit universe and audit plans. The CAE should also be aware of CSR issues in order to respond to any special requests by the board or senior management.

Auditing

The internal audit activity may choose to evaluate the CSR programs as a whole and determine whether the organization has adequate controls to achieve its CSR objectives. This option would likely require a significant allocation of resources because of the broad scope of the subject. Such an audit is not likely to be done to develop the first opinion on CSR controls; rather the CAE would develop a one- to three-year plan to obtain sufficient and reliable information about the various elements of CSR within the organization.

There are many approaches to auditing CSR controls, including:

such as COSO,12 ISO,13 etc., or compliance with customer expectations (contractual obligations). Typical CSR elements include:
Governance.
Community investment.
Environment.
Ethics.
Health, safety, and security.
Transparency.
Working conditions and human rights.

2. Audits of CSR programs related to each significant stakeholder group affected by CSR activities that are further refined into audits of these subjects at the corporate office, subsidiaries, and with external business relationships. Stakeholders could include:
Customers.
Employees and their families.
The environment.
Neighboring communities.
Shareholders.
Suppliers.

Some of these stakeholder groups could include nongovernmental organizations (NGOs) and activist groups that represent the stakeholders or specific interests.

3. Bundling of subjects, such as the:
management, product development and testing practices, product stewardship, disclosure practices, and privacy.
Environment: responsible air, water, land, waste, animal, and energy use and regulatory compliance.
Community: philanthropy, local economic support, capacity building, volunteerism, and stakeholder engagement.

would be developed based on a risk assessment and results in action items for control improvements.

Consulting

The internal audit activity may consult on project design and implementation for CSR programs and reports or serve as an adviser on CSR governance, risk management, and internal controls.
professional care requirements. If the internal audit activity conforms to the IPPF, then it is qualified to undertake the roles listed above.

Any internal audit activity that collectively lacks the appropriate skills and knowledge should not undertake an internal audit, facilitation, or consulting engagement. Specific CSR competencies could include expertise in regulations, management systems and best practices relating to the environment,14 health and wellness, safety, science and engineering, ethics, community investment, employment, human rights, working conditions, and governance. Language and other communication skills are also important considerations when discussing sensitive issues, such as working conditions or ethics violations, and for designing surveys.

If the internal audit activity is involved in facilitating a control self-assessment, facilitation skills are critical. Auditors who have the IIA's Certification in Control Self-Assessment designation can be an asset to this process.

Resources

The number of auditors and skills required depends on the audit approach.

Teaming internal auditors with internal subject matter experts is useful; it provides an opportunity for the auditors to learn the subject, and for other employees to learn more about a logical approach to evaluating process effectiveness and internal controls. The subject matter experts should not be members of the area being audited. They could be employees in similar departments of subsidiaries or other divisions.

If the organization hires an external service provider to provide assurance on CSR reports, the CAE should consider the benefits of loaning a member to the assurance team. Such benefits can include internal auditor training opportunities, the lessons learned on the project stay within the organization, and the internal auditor can assist the team in accessing information more efficiently due to his or her knowledge of the organization.

The organization should evaluate the pros and cons of using nongovernmental organization (NGO) members on an audit or assurance team, including: more time will be required to train external parties on the audit process; external parties might not be bound by confidentiality standards; by their nature, NGOs have special interests, and their representatives will not be unbiased and objective and may not prioritize issues the same as the organization; a report that includes a positive statement from an NGO is deemed to be more credible; new ideas and fresh observers might help the organization better understand the CSR issues and activities; the NGO would gain a better understanding of the organization.

CSR Maturity Model

The CAE considers the organization's CSR maturity level at the time of the internal audit, and the level to which the organization hopes to progress. This information will help the auditor frame recommendations as audit findings or as ideas to help move the organization toward its goal.

A sample maturity scale could include:

1. Senior management and the board have not initiated any CSR objectives or strategies.
2. The CSR strategy is to comply with laws and contractual commitments.
3. Ad hoc recognition of specific CSR risks and strategies to meet objectives exists in some divisions of the organization. The organization's goal is to exceed compliance requirements. Reporting is selective.
14. Such as those having the Certified Professional Environmental Auditor (CPEA) designation.
4. A set of integrated and managed CSR strategies and performance measures reported to the public with governance processes is in place.
5. CSR is a primary feature of the organization's mission, principles, and performance measures. Formal reports are produced for the public, stakeholder engagement processes are in place, and CSR factors are embedded into business decision-making processes throughout the organization, including at board levels.

Internal Audit Program Development (Considerations)

The following discussion (and information contained in Appendices A and B) includes concepts to help internal auditors think through various subjects when developing the audit program. Because the audit scope and program are based on a risk assessment for the organization, not all of the concepts within this guidance will be relevant.

Consider the proliferation of CSR information that the organization produces. Are the messages consistent and current in public reports, speeches, and handouts/presentation materials and on the organization's Web sites? How are disclosure and updating controlled? Are the messages relevant to the organization's mission, goals, objectives, and commitments?

Has the organization made a decision to report information consistent with reporting standards, such as the Global Reporting Initiative? Can the information be compared with the organization's competitors or industry peers?

How are CSR strategies and priorities established and communicated? How are they integrated into decision making and approval processes (e.g., budget, appropriations, mergers, acquisitions, and joint ventures, performance evaluation and bonuses, leadership training, and stakeholder relations)? What takes precedence when there are competing objectives?

Is the organizational structure of CSR responsibilities and authority documented for all elements? Are responsible positions staffed with experienced and qualified individuals?

Is the organization signatory to voluntary standards of performance? Why or why not? Were the standards adopted by management, or by the board? How are they integrated into management practices? How is compliance monitored in the organization? Standards include:
AccountAbility AA1000: principle-based standards that provide the basis for improving the sustainability performance of organizations.
Amnesty International: focused on protecting and championing human rights worldwide.
CERES Principles: 10 principles covering major environmental concerns.
Clean Clothes Campaign (Code of labor): intended to improve working conditions in the garment and sportswear industries.
Electronic Industry Code of Conduct (EICC): standards for labor, health, safety, and the environment in manufacturing and throughout the supply chain.
European Commission's Eco-management and Audit Scheme (EMAS): public reporting on environmental performance.
Eurosif Transparency Guidelines.
Ethical Trading Initiative: strives to improve the lives of workers in global supply chains.
Base Code: best practices in codes of conduct.
Fair Labor Association (FLA): seeks to improve working conditions.
Global Sullivan Principles of Social Responsibility: principles that encourage companies to support economic, social, and political justice.
Greenhouse Gas Protocol Initiative, International Chamber of Commerce.
Business charter for sustainable development.
Green-e: independent consumer protection program for the sale of renewable energy and greenhouse gas reductions in the retail market.
Imagine Canada: Advancing knowledge and relationships to foster effective and sustainable charitable and nonprofit organizations.
Ethical Program: fundraising and financial accountability standards.
Caring Company Program: providing guidance and standards that help members become better corporate citizens.
Interfaith Center on Corporate Responsibility (ICCR).
International Organization for Standardization (ISO) 14000: a family of standards for creating environmental management systems.
International Labor Organization Conventions (ILO Tripartite Convention): 28 recommendations concerning multinational enterprises and social policy.
Kyoto Protocol.
OECD Guidelines for Multinational Enterprises: addressing a comprehensive range of responsibility issues.
Natural Step framework and principles.
Convention for combating bribery.
Principles of corporate governance.
Responsible Care initiative (chemical industry).
Social Accountability 8000: a global standard to make workplaces more humane.
United Nations.
Universal Declaration of Human Rights and related instruments.
UN Global Compact.
Climate Neutral Network.
Principles for Responsible Investing.
Voluntary Principles on Security and Human Rights: principles on human rights and security in mining and petroleum industries.
Worldwide Responsible Apparel Production (WRAP): 12 standards of labor practices, factory conditions, and environmental and customs compliance.

How does the organization manage compliance with local and international laws?

Does your organization meet standards required for inclusion in environmental or social investment funds? Why or why not? Screening agencies include:
Dow Jones Sustainability World Index (DJSI).
Morningstar Socially Responsible Investment Index.
FTSE 4 Good Global Indexes.
EIRiS: Ethical Investment Research Services.
Jantzi Social Index.

Can the CSR (especially environmental or human rights) activities of external business relationships impact the organization's reputation? If yes, then contracts should include CSR performance terms and conditions, and compliance should be tested. The internal audit activity may be involved in such tests or receive reports on results of tests done by others.
Can the CSR activities of customers impact the organization's reputation? Would the organization refrain from selling products to organizations with irresponsible or unsustainable practices? Does it provide programs to encourage or facilitate customers to be responsible with its products?

Has the organization asked for feedback? What did the feedback say, and what was the organization's response?
15. Conflict risk exists when war, civil unrest, labor unrest, or activism could impede achievement of the organization's goals and objectives, including CSR goals. In a conflict risk impact assessment an organization analyzes the characteristics of a proposed investment and the potential impacts (negative and positive, intended and unintended) it may have on tensions in the region or community.
Do risk assessments consider air (greenhouse gas and other emissions, climate change, and carbon footprint), water (use and effluent), land (reclamation, recreational spaces, garbage and disposal of hazardous wastes, conservancy, and stewardship), and animals (product testing, ecosystems, and biodiversity)?
Do environmental emergency plans exist? Do these plans balance privacy of personal information with access to information for employees and the community?
Does the organization calculate its carbon footprint and does it have offset programs in place? If so, are calculations accurate and complete, and are the strategies effective?

Are incidents reported, communicated, managed, and resolved appropriately? Are the results of incident investigations and resolution appropriately reported with the recognition of personal information protection?
Are health and safety program performance measures and metrics maintained and reported? Are benchmarking and trend analysis also performed and reported to senior management and the board?
Are results of audits (internal, regulators, and external) reviewed and commitments monitored and tracked to completion?
Are stakeholders provided sufficient information to make informed decisions about health and safety risks?
Community Investment
What philanthropy (donations and charitable giving) practices are in place, and how are decisions made? An example would be adopting voluntary giving standards (e.g., the Imagine program in Canada, where signatories donate 1 percent of profits each year).
Have the cost and benefits of foundations been considered (e.g., tax benefits, focused giving)?
Has the organization distinguished the cost/benefits of sponsorships compared with philanthropy?
Does the organization encourage volunteerism? What programs are in place?
Does the organization facilitate employee or customer philanthropy, or match employee or customer philanthropy?
Are social and environmental impact assessments performed? How are community stakeholders engaged in these assessments?
Is there a complaint management system for the community to report issues or concerns? Are the complaints managed and resolved effectively?
Are there quotas or similar efforts to support local, indigenous, or special interest suppliers?
Have strategic partnerships been established within the community?
How does the organization contribute to local economic development (e.g., purchasing in the local, regional markets; local education and training to reduce unemployment; and supporting infrastructure that the presence of the organization may stress)?
How are community investment strategies measured, monitored, and evaluated? By whom?
Neighboring Communities
Philanthropy (donations and charitable giving).
Safe operations and emergency response programs.
Community relations, community satisfaction.
Local capability programs.
Partnering to build skills and cost effectiveness with local businesses.
Local economic support programs.
Privacy of personal information; access to information.
Involvement of, and respect for, indigenous people.
Conflict risk and impact assessment methodology.
Complaint management system.
Community quality of life projects.
Striving to balance the impacts of the business and create communities where the employees and their neighbors are happy to live. This could include parks, charitable giving campaigns, etc.
Community education.
Appendix D
Additional Resources
For more information on ethics and compliance audits, measurements and metrics, see the Open Compliance and Ethics Group at www.oceg.org.
IIA Guidance
Practice Guide: Auditing External Business Relationships.
Practice Guide: Formulating and Expressing Internal Audit Opinions.
PA-2130.A1-2: Evaluating an Organization's Privacy Framework.
Managing the Business Risk of Fraud, A Practical Guide.
IIA seminar: Evaluating Organizational Ethics.
IIA seminar: Evaluating Social Responsibility and Sustainable Development.
About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice guides embody an IIA statement to assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and in delineating the related roles and responsibilities of internal auditors on a significant issue. Practice guides are part of The IIA's International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended and the guidance is endorsed by The IIA through formal review and approval process. For other authoritative guidance materials provided by The IIA please visit our Web site, www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
The copyright of this practice guide is held by The IIA. For permission to reproduce, please contact The IIA at guidance@theiia.org.