An audit framework for Corporate Social Responsibility

Richard Hollands

Head of Audit and Risk Review Nacro

A definition
the commitment of business to contribute to sustainable economic development working with employees, their families, the local community and society at large to improve their quality of life.

World Business Council for Sustainable Development, (2000), Corporate Social Responsibility: Making Good Business Sense, p10.

CSR what is it?

CSR is about managing the impacts on society and stakeholders of a organisations operations, processes, behaviour etc. Typically this means an organisations Social, Ethical and Environmental (SEE) activities in the wider world. CSR has a relationship with an organisations financial activities too. CSR is at the core of public service and charity organisations. CSR lies at the heart of reputation management.

CSR defined in more detail

Operating beyond basic legal compliance from the board downwards; Considering the impacts on society and the environment; Managing social, ethical and environmental risks; Having relationships with stakeholders that are responsible, fair, and respect human rights; Responding to the needs and expectations of diverse stakeholder groups; and, Building the above into governance & management systems.

Rayner, J., (2003), Managing Reputational Risk curbing threats, leveraging opportunities, Chichester, England: John Wiley & Sons.

A role for internal auditors

A growing shift of the audit profession beyond the traditional lines of finance and information technology to wider operational practices that respond to client and professional pressures brought about by a growth in the practice of risk management. The IIA definition of internal auditing has broadened its scope to:

providing independent assurance to the Board and Audit Committee that the organisation is managing risk effectively; raising awareness of risk and control matters to improve the risk management in the business of their organisations; and, co-ordinating risk reporting to the Board/Audit Committee.

A changing environment for internal auditors

Corporate scandals; Heightened awareness and knowledge of stakeholders;

Greater scrutiny of social, environmental and ethical performance; and,

Organisational exposure in these areas results in

a growing need for assurance.

The development of CSR auditing

Traditional audits do not address CSR risks; Turnbull risks include health, safety, environmental, reputational and business probity (ie CSR-type risks) resulting in an assurance gap!;

Not risk-based; and, Approaches to date based on external audit-style approach.

Organisational approaches to CSR

CSR activities Traditional activities

Doing responsible things.

Doing responsible things, responsibly.

Doing routine business.

Traditional methods

Doing things responsibly.

Responsible methods

Organisational approaches examples

CSR activities Traditional activities

Recycling campaigns Stakeholder engagement Routine work

Combination

Ethical purchasing Responsible investments

Responsible methods

Traditional methods

Internal audits traditional role

the achievement of objectives; compliance with rules, regulations and legislation; the reliability of records and information; economy, efficiency and effectiveness; and, that assets are safeguarded.

Re-defining internal audits role

the achievement of objectives in a responsible way with adverse impacts upon stakeholders being minimised and positive impacts maximised; compliance with rules, regulations and legislation with stated values that are consistent with responsible practice(s); the reliability of records and information for internal and external (stakeholder) purposes; that the optimum use of resources are employed in a responsible way; and, that assets are safeguarded, including assets external to the organisation such as its investment in society and the environment.

An audit framework - planning

Integrated into risk-based approach: CSR risks considered as part of all relevant risks;

Planned audit activity of CSR where there is no underpinning corporate objective will be difficult to deliver;
Considered for both strategic and individual assignment plans; Re-balancing of resources and priorities; and, Is planned audit coverage proportionate to the risk(s)?

An audit framework audit focus

Adopting the integration principle reduces the potential for an assurance gap and increases the potential for audit adding value; Comparing what is with what should be: is the operational activity being performed in a way that is consistent with responsibility values? Consider the external perception of the CSR risks impact on reputation.

An audit framework stakeholders

Internal Audit should look to assess:

the stakeholder engagement processes adopted by organisations in formulating their plans;

how each stakeholders stake has been determined; and,

the level of stakeholder influence.

This will enable stakeholder prioritisation so that the benefits of key relationships can be assessed.

An audit framework collaborating

Start from the position that all internal audits are a proven and structured process; Recognise that there is a role for specialists in the assurance of CSR; specific issues may require expert resources; Use collaboration to acquire specialist help, and as a basis for developing auditors competency and knowledge of CSR; and, specialist agencies should be considered as part of any audit planning.

Doing responsible things

Internal audit should assess:

contribution to the business aims; alignment with the stated mission and values; consistency with accepted codes of conduct and policies; effect upon stakeholders; costs and benefits of CSR activities have been considered, and; management have considered and taken appropriate measures to manage [CSR] risks.

Doing things responsibly

Internal audit should assess that:

consistency with the organisations values;

effective arrangements for stakeholder management;

CSR risks have been evaluated; business practices promote responsible working;

the costs and benefits of CSR have been considered;

effective reporting that meets legal and other standards; and,

systems to implement and develop the organisations values are effective.

Doing responsible things, responsibly.

This type of audit combines the doing responsible things and doing things responsibly approaches. Internal audit should assess and report upon not only how well activities have delivered against planned benefits but that they have

been done in a responsible way. Key to this is an assessment

of how effectively negative CSR impacts are minimised and CSR opportunities are maximised.

Audit coverage and extent.

Wide coverage Narrow coverage

Shallow but wide

Deep & wide

Shallow & narrow

Deep but narrow

Shallow (audit extent)

Deep (audit extent)

Shallow but wide coverage

Appropriate for reviews of operational units of an organisation. Should be used to confirm any CSR-related issues are working on the ground when there is no specific risk. .

Deep but narrow approach

Employed on single CSR issue of an organisations business such as a CSR-type risk within the risk register.
Or where a specific operational unit has a high exposure to a CSR-type risk and needs to be considered specifically as part of a wider review.

Deep and wide approach

Specific investigations or where a fundamental breakdown in effective risk management and controls has occurred which leaves the organisation open to significant risk.

A role for internal audit a final thought

Knowing that the corporate social responsibility caravan is on the move, but not waiting for the sandstorm of definitions to clear, the internal auditing function has much at its fingertips already. Neither would it need to wait on successors to the Cadbury and Hampel Committees on corporate governance to redefine the scope of internal controls. The auditor knows that the long-term health of the business depends on the management of business risk, the preservation of the de facto and de jure licences to operate, and on the improved understanding of key success factors. Thus the risk of exposure arising from unethical conduct is in triple jeopardy. Rosthorn, J., (2000), Business ethics auditing - more than a stakeholder's toy, Journal of Business Ethics, Vol. 27, No.1/2, pp9-19.