An Audit Framework for CSR (CATS)

An audit framework for Corporate Social Responsibility. Richard Hollands, Head of Audit and Risk Review, Nacro


Page 1: An Audit Framework for CSR (CATS)

8/3/2019 An Audit Framework for CSR (CATS)

http://slidepdf.com/reader/full/an-audit-framework-for-csr-cats 1/23

An audit framework for Corporate Social Responsibility

Richard Hollands

Head of Audit and Risk Review

Nacro


A definition

“the commitment of business to contribute to sustainable economic development working with employees, their families, the local community and society at large to improve their quality of life.”

World Business Council for Sustainable Development, (2000), Corporate Social Responsibility: Making Good Business Sense, p10.


CSR defined in more detail

Operating beyond basic legal compliance – from the board downwards;

Considering the impacts on society and the environment;

Managing social, ethical and environmental risks;

Having relationships with stakeholders that are responsible, fair, and respect human rights;

Responding to the needs and expectations of diverse stakeholder groups; and,

Building the above into governance & management systems.

Rayner, J., (2003), Managing Reputational Risk – curbing threats, leveraging opportunities, Chichester, England: John Wiley & Sons.


A role for internal auditors

A growing shift of the audit profession beyond the traditional lines of finance and information technology to wider operational practices that respond to client and professional pressures brought about by a growth in the practice of risk management.

The IIA definition of internal auditing has broadened its scope to:

providing independent assurance to the Board and Audit Committee that the organisation is managing risk effectively;

raising awareness of risk and control matters to improve the risk management in the business of their organisations; and,

co-ordinating risk reporting to the Board/Audit Committee.


A changing environment for internal auditors

Corporate scandals;

Heightened awareness and knowledge of stakeholders;

Greater scrutiny of social, environmental and ethical performance; and,

Organisational exposure in these areas results in a growing need for assurance.


The development of CSR auditing

Traditional audits do not address CSR risks;

‘Turnbull’ risks include health, safety, environmental, reputational and business probity (ie CSR-type risks) – resulting in an assurance gap!;

Not risk-based; and,

Approaches to date based on external audit-style approach.


Organisational approaches to CSR

                          Traditional methods          Responsible methods
CSR activities            Doing responsible things.    Doing responsible things, responsibly.
Traditional activities    Doing routine business.      Doing things responsibly.


Organisational approaches - examples

CSR activities: Recycling campaigns; Stakeholder engagement; Combination

Traditional activities: Routine work; Ethical purchasing; Responsible investments

Horizontal axis: Traditional methods, Responsible methods


Internal audit’s traditional role 

the achievement of objectives;

compliance with rules, regulations and legislation;

the reliability of records and information;

economy, efficiency and effectiveness; and,

that assets are safeguarded.


Re-defining internal audit’s role 

the achievement of objectives in a responsible way with adverse impacts upon stakeholders being minimised and positive impacts maximised;

compliance with rules, regulations and legislation with stated values that are consistent with responsible practice(s);

the reliability of records and information for internal and external (stakeholder) purposes;

that the optimum use of resources is employed in a responsible way; and,

that assets are safeguarded, including assets external to the organisation such as its investment in society and the environment.


An audit framework - planning

Integrated into risk-based approach: CSR risks considered as part of all relevant risks;

Planned audit activity of CSR where there is no underpinning corporate objective will be difficult to deliver;

Considered for both strategic and individual assignment plans;

Re-balancing of resources and priorities; and,

Is planned audit coverage proportionate to the risk(s)?


An audit framework – audit focus

Adopting the integration principle – reduces the potential for an assurance gap and increases the potential for audit adding value;

Comparing ‘what is’ with ‘what should be’: is the operational activity being performed in a way that is consistent with ‘responsibility’ values?

Consider the external perception of the CSR risks – impact on reputation.


An audit framework - stakeholders

Internal Audit should look to assess:

the stakeholder engagement processes adopted by organisations in formulating their plans;

how each stakeholder’s ‘stake’ has been determined; and,

the level of stakeholder influence.

This will enable stakeholder prioritisation so that the benefits of key relationships can be assessed.


An audit framework - collaborating

Start from the position that all internal audits are a proven and structured process;

Recognise that there is a role for specialists in the assurance of CSR;

specific issues may require expert resources;

Use collaboration to acquire specialist help, and as a basis for developing auditors’ competency and knowledge of CSR; and,

specialist agencies should be considered as part of any audit planning.


Doing responsible things*

Internal audit should assess:

contribution to the business aims;

alignment with the stated mission and values;

consistency with accepted codes of conduct and policies;

effect upon stakeholders;

costs and benefits of CSR activities have been considered; and,

management have considered and taken appropriate measures to manage [CSR] risks.


Doing things responsibly*

Internal audit should assess that:

consistency with the organisation’s values;

effective arrangements for stakeholder management;

CSR risks have been evaluated;

business practices promote responsible working;

the costs and benefits of CSR have been considered;

effective reporting that meets legal and other standards; and,

systems to implement and develop the organisation’s values are effective.


Doing responsible things, responsibly.

*

This type of audit combines the ‘doing responsible things’ and ‘doing things responsibly’ approaches. Internal audit should assess and report upon not only how well activities have delivered against planned benefits but that they have been done in a responsible way. Key to this is an assessment of how effectively negative CSR impacts are minimised and CSR opportunities are maximised.


Audit coverage and extent.

                    Shallow (audit extent)    Deep (audit extent)
Wide coverage       Shallow but wide          Deep & wide
Narrow coverage     Shallow & narrow          Deep but narrow


Shallow but wide coverage*

Appropriate for reviews of operational units of an organisation. Should be used to confirm any CSR-related issues are working ‘on the ground’ when there is no specific risk.


Deep but narrow approach

Employed on single CSR issue of an organisation’s business such as a CSR-type risk within the risk register.

Or where a specific operational unit has a high exposure to a CSR-type risk and needs to be considered specifically as part of a wider review.

*


Deep and wide approach

Specific investigations or where a fundamental breakdown in effective risk management and controls has occurred which leaves the organisation open to significant risk.

*


A role for internal audit – a final thought

“Knowing that the corporate social responsibility caravan is on the move, but not waiting for the sandstorm of definitions to clear, the internal auditing function has much at its fingertips already. Neither would it need to wait on successors to the Cadbury and Hampel Committees on corporate governance to redefine the scope of internal controls. The auditor knows that the long-term health of the business depends on the management of business risk, the preservation of the de facto and de jure licences to operate, and on the improved understanding of key success factors. Thus the risk of exposure arising from unethical conduct is in triple jeopardy.”

Rosthorn, J., (2000), Business ethics auditing - more than a stakeholder's toy, Journal of Business Ethics, Vol. 27, No.1/2, pp9-19.