An audit framework for Corporate Social Responsibility Richard Hollands Head of Audit and Risk Review Nacro
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 1/23
An audit framework for
Corporate SocialResponsibility
Richard Hollands
Head of Audit and Risk Review
Nacro
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 2/23
A definition
“the commitment of business to contribute to sustainable economic development working with employees, their families,the local community and society at large to improve their quality
of life.”
World Business Council for Sustainable Development, (2000),Corporate Social Responsibility: Making Good Business Sense , p10.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 3/23
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 4/23
CSR defined in more detail
Operating beyond basic legal compliance – from the boarddownwards;
Considering the impacts on society and the environment;
Managing social, ethical and environmental risks;
Having relationships with stakeholders that are responsible,fair, and respect human rights;
Responding to the needs and expectations of diversestakeholder groups; and,
Building the above into governance & management systems.
Rayner, J., (2003), Managing Reputational Risk – curbing threats, leveraging opportunities , Chichester, England:John Wiley & Sons.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 5/23
A role for internal auditors
A growing shift of the audit profession beyond the traditionallines of finance and information technology to wider operationalpractices that respond to client and professional pressuresbrought about by a growth in the practice of risk management.
The IIA definition of internal auditing has broadened its scope to:
providing independent assurance to the Board and AuditCommittee that the organisation is managing risk
effectively; raising awareness of risk and control matters to improve
the risk management in the business of theirorganisations; and,
co-ordinating risk reporting to the Board/Audit Committee.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 6/23
A changing environment forinternal auditors
Corporate scandals;
Heightened awareness and knowledge of
stakeholders;
Greater scrutiny of social, environmental and
ethical performance; and,
Organisational exposure in these areas results in
a growing need for assurance.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 7/23
The development of CSRauditing
Traditional audits do not address CSR risks;
„Turnbull‟ risks include health, safety, environmental,
reputational and business probity (ie CSR-type risks) –
resulting in an assurance gap!;
Not risk-based; and,
Approaches to date based on external audit-style approach.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 8/23
Organisational approaches toCSR
C S R
a c t i v i t i e s
Doing responsiblethings.
Doing responsible things,responsibly.
T r a d i t i on
al
a c t i v i t i e
s
Doing routinebusiness.
Doing things responsibly.
Traditional methods Responsible methods
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 9/23
Organisational approaches -examples
C S R
a c t i v i t i e s
Recycling campaigns
Stakeholderengagement
Combination
T r a d i t i on
al
a c t i v i t i e
s
Routine work
Ethical purchasing
Responsible
investments
Traditional methods Responsible methods
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 10/23
Internal audit’s traditional role
the achievement of objectives;
compliance with rules, regulations and legislation;
the reliability of records and information;
economy, efficiency and effectiveness; and,
that assets are safeguarded.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 11/23
Re-defining internal audit’s role
the achievement of objectives in a responsible way with adverse impacts upon stakeholders being minimised and positive impacts maximised ;
compliance with rules, regulations and legislation with
stated values that are consistent with responsible practice(s) ;
the reliability of records and information for internal and external (stakeholder) purposes ;
that the optimum use of resources are employed in a
responsible way ; and, that assets are safeguarded, including assets external
to the organisation such as its investment in society and the environment .
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 12/23
An audit framework - planning
Integrated into risk-based approach: CSR risks considered
as part of all relevant risks;
Planned audit activity of CSR where there is no
underpinning corporate objective will be difficult to deliver; Considered for both strategic and individual assignment
plans;
Re-balancing of resources and priorities; and,
Is planned audit coverage proportionate to the risk(s)?
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 13/23
An audit framework – auditfocus
Adopting the integration principle – reduces the potential
for an assurance gap and increases the potential for audit
adding value;
Comparing „what is‟ with „what should be‟: is the
operational activity being performed in a way that is
consistent with „responsibility‟ values?
Consider the external perception of the CSR risks –
impact on reputation.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 14/23
An audit framework -stakeholders
Internal Audit should look to assess:
the stakeholder engagement processes adopted by
organisations in formulating their plans;
how each stakeholders‟ „stake‟ has been determined; and,
the level of stakeholder influence.
This will enable stakeholder prioritisation so that the
benefits of key relationships can be assessed.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 15/23
An audit framework -collaborating
Start from the position that all internal audits are a proven
and structured process;
Recognise that there is a role for specialists in the
assurance of CSR;
specific issues may require expert resources;
Use collaboration to acquire specialist help, and as a
basis for developing auditors‟ competency and knowledge
of CSR; and,
specialist agencies should be considered as part of any
audit planning.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 16/23
Doing responsible things*
Internal audit should assess:
contribution to the business aims;
alignment with the stated mission and values;
consistency with accepted codes of conduct and policies;
effect upon stakeholders;
costs and benefits of CSR activities have been
considered, and;
management have considered and taken appropriate
measures to manage [CSR] risks.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 17/23
Doing things responsibly*
Internal audit should assess that:
consistency with the organisation‟s values;
effective arrangements for stakeholder management;
CSR risks have been evaluated;
business practices promote responsible working;
the costs and benefits of CSR have been considered;
effective reporting that meets legal and other standards;and,
systems to implement and develop the organisation‟s
values are effective.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 18/23
Doing responsible things,responsibly.
*
This type of audit combines the „doing responsible things ‟
and „doing things responsibly ‟ approaches. Internal audit
should assess and report upon not only how well activitieshave delivered against planned benefits but that they have
been done in a responsible way. Key to this is an assessment
of how effectively negative CSR impacts are minimised andCSR opportunities are maximised.
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 19/23
Audit coverage and extent.
Wi d e
c ov er a g e
Shallow but wide Deep & wide
N ar r ow
c ov er a g e
Shallow & narrow Deep but narrow
Shallow (audit extent) Deep (audit extent)
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 20/23
Shallow but wide coverage*
Appropriate for reviews of operational units of anorganisation. Should be used to confirm any CSR-related
issues are working „on the ground‟ when there is nospecific risk. .
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 21/23
Deep but narrow approach
Employed on single CSR issue of an organisation‟sbusiness such as a CSR-type risk within the risk register.
Or where a specific operational unit has a high exposureto a CSR-type risk and needs to be considered specificallyas part of a wider review.
*
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 22/23
Deep and wide approach
Specific investigations or where a fundamental breakdown
in effective risk management and controls has occurredwhich leaves the organisation open to significant risk.
*
8/3/2019 An Audit Framework for CSR (CATS)
http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 23/23
A role for internal audit – afinal thought
“Knowing that the corporate social responsibility caravan is on the move,
but not waiting for the sandstorm of definitions to clear, the internal
auditing function has much at its fingertips already. Neither would it
need to wait on successors to the Cadbury and Hampel Committees on
corporate governance to redefine the scope of internal controls. The
auditor knows that the long-term health of the business depends on the
management of business risk, the preservation of the de facto and de
jure licences to operate, and on the improved understanding of key
success factors. Thus the risk of exposure arising from unethical
conduct is in triple jeopardy.” Rosthorn, J., (2000 ), Business ethics
auditing - more than a stakeholder's toy , Journal of Business
Ethics, Vol. 27, No.1/2, pp9-19.