Senior executives of organizations worldwide are increasingly integrating worker health and safety, environmental protection, community development, and other social welfare objectives into their overall strategic and operating plans. Now that corporate social responsibility (CSR) is a new norm for many of today’s organizations, new guidance from The Institute of Internal Auditors (IIA) explains that related risks should be carefully controlled and closely monitored.
“Board-level directives to become socially responsible and environmentally conscious are more commonly driving shareholder value and positively impacting the bottom line. But these efforts aren’t simple,” says IIA President and CEO Richard Chambers, CIA, CGAP, CCSA. “Issues such as the global maze of complex and sometimes conflicting laws and regulations that may apply to organizations striving to implement CSR initiatives introduce a wide variety of significant risks. Although the board and senior management is ultimately responsible for assessing the upside and downside risks, and implementing effective controls to manage them, internal auditors can add significant value to those efforts.”
A newly released IIA Practice Guide, "Evaluating Corporate Social Responsibility/Sustainable Development," can help internal audit executives and their stakeholders alike successfully meet this additional risk identification and management challenges at a time when organizations may be overwhelmed by market, credit, human resources, and other huge governance risk issues coming out of the recent financial crisis.
The 24-page Practice Guide, which is classified as strongly recommended under The Institute’s International Professional Practices Framework, explores upside and downside CSR risks that chief audit executives should consider when crafting their audit plans and procedures. Those risks include:
- Reputation. The organization’s brand or reputation could be damaged due to violations of laws or principles, errors or omissions in disclosing CSR information, under-performance compared with objectives/targets, or the appearance of indifference to social issues.
- Compliance. Organizations may fail to comply due to the complexity and volume of regulations relating to the environment, health and safety, employment, governance, political contributions, conflict of interest, fraud, etc. Compliance risk may also arise from contractual obligations with third parties such as customers, unions, or employees and from voluntary adoption of standards.
- Operational. Risks could arise from CSR “pressure points” for the organization’s manufacturing processes, products, services and impact on the environment. Other examples of potential operational risk scenarios include under-performance of other targets due to inappropriate CSR strategies or over-emphasis on CSR strategies, failure to integrate CSR objectives into processes, or to educate staff appropriately, failure to develop well-controlled systems for CSR initiatives, and inadequate reporting of CSR activities and results.
- Stock Market. Organizations could lose investors or limit their access to other capital if they do not qualify for inclusion in Socially Responsible Investment or similar funds.
- Employment Market. Employees want to work for organizations that respect their rights, have a culture of integrity, and commit to social and community concerns.
- External Business Relationships. Customers, suppliers, or partners could violate CSR terms and conditions, principles, or laws, yet the organization could be included as a wrongdoer by association.
Evaluating Corporate Social Responsibility/Sustainable Development also is intended to help internal auditors better understand alternative approaches to evaluating CSR activities, including auditing, facilitating, and consulting; audit considerations such as use of the audit opinion, independence and objectivity, and types of resources; and considerations in developing an internal audit program, including how management communicates and sets CSR strategic priorities.