Heads of Internal Audit Service Benchmarking Report

Corporate Social Responsibility (CSR)

Introduction

The aim of this survey is to gauge the level of development that organisations have achieved with regard to the reporting and audit of Corporate Social Responsibility (CSR) activities, particularly in the light of the reporting requirements of the Companies Act 2006. The report contains an analysis of results gathered during the 6 day period Thursday 29 to Wednesday 4 June 2008. There were 53 respondents, of which 80% were private sector and 20% public sector. The majority represent quite large organisations - in terms of turnover and employees. 20% have between 5,000 and 10,000 employees; 20% have between 2,500 and 5,000; and 40% have over 1,000. Over 65% have annual turnover in excess of 500m or equivalent.

Recognition and management of CSR

86% of respondents indicated that the reputation of the organisation is key to future corporate success. The same percentage said that CSR is important; and 77% of respondents also said that their organisation has shown a commitment to CSR. This suggests that heads of internal audit are slightly more willing than their organisations to embrace the importance of this area. Senior managers, such as the chief executive (32%) and the company secretary (19%), tend to have lead responsibility for CSR, reflecting the profile this has within most organisations. A small number of organisations have taken the step of appointing a Director of CSR to take lead responsibility, while a similar number have assigned responsibility to the Director of Corporate Affairs (as specified in the "other" field to this question).

The importance of CSR is further underlined by approximately 40% of organisations who have stated that they are affected by the CSR reporting requirements introduced in the Companies Act 2006 and prepare an annual CSR report.
Respondents for all of these organisations have said that their business has shown a commitment to CSR (strongly agree or agree). However, while there is recognition and commitment to CSR, the chart below shows that effective management and reporting is lagging behind.

[Chart: % respondents agreeing with the statements shown (axis 0% to 100%). Statements: Reputation is key to future corporate success; CSR is an important issue to organisations in general; My organisation is committed to CSR; My organisation demonstrates effective CSR management; My organisation demonstrates effective CSR reporting; My organisation has clearly defined its approach to CSR risk; Exec management gives enough time & effort to CSR risk; Audit Committee give enough time & effort to CSR risk]
Less than half of those surveyed say that management (44%) and reporting (31%) of CSR is effective. A minority of respondents also say that executive management (28%) and the audit committee (15%) devote sufficient time and effort to the management of CSR risk. This may be influenced by the view that relatively few organisations (20%) have clearly defined their approach to managing CSR risks. Nearly 40% have indicated that this has not been achieved, while a further 40% are uncertain.

A further chart below shows that CSR does not feature upon the risk registers of 43% of the organisations surveyed. This includes a number of organisations (6 within a total of 20) who form the Companies Act sub group and almost all of the public sector sub group (11 within a total of 13), half of which say that their organisation is committed to CSR.

[Chart: Does CSR feature on your risk register? Legend: No; CSR is general risk; CSR is specific risk; CSR is both opportunity and risk; CSR is opportunity. Segment values: 6%, 2%, 21%, 43%, 28%]

Assurance and internal audit

A minority of organisations (20%) employ the services of an independent third party assurance provider in respect of CSR. Where this is done there is limited interaction with internal audit, with one-third having full or partial contact with the internal audit department.

Just over 50% of internal audit departments (28 from 53) say that there are no audits currently planned for CSR. Where internal audit is providing assurance upon the management and reporting of CSR risks there is no specific pattern to the scope of audit coverage. The table below provides an indication of the range of activities covered within internal audit plans, with health & safety and human resources emerging as the most likely areas to be reviewed.
Response: Internal audit provide assurance upon | Count | %
Health & Safety risks | 31 | 58%
Human Resources risks | 28 | 53%
Environmental risks | 20 | 38%
Reputational risk related to CSR issues | 18 | 34%
High CSR risks specific to the organisation or industry | 16 | 30%
Attendance at appropriate CSR related corporate governance meetings | 15 | 28%
The high level CSR control framework | 14 | 26%
Supply Chain risks | 13 | 24%
The organisation's management of CSR risks | 10 | 19%
Integrity and accuracy of CSR report to outside stakeholders | 8 | 15%
Integrity and accuracy of internal CSR reporting | 9 | 17%
Effectiveness of department or function dedicated to overseeing CSR activities | 5 | 9%
CSR risk is considered as an integral part of every audit | 5 | 9%
Products and services meet CSR standards and do not make false claims | 4 | 7%
Other (please specify) | 2 | 4%

Approximately one quarter of respondents (13 from 53) say that internal auditors in their organisation would not have sufficient skills and experience to apply risk based internal auditing techniques to CSR risk. Some of these (4 of the 13) are carrying out audits on an "as required" basis.

Conclusions

While organisations recognise that failures in relation to CSR can have a damaging effect on their reputation and have made a commitment to CSR, there is scope to further develop management and reporting of CSR issues, including processes to identify, evaluate and manage risks. Internal audit is in a position to provide assurance upon the management and reporting of CSR risks, but this is not a high priority for half of the audit managers participating in the survey, which may reflect the current level of development of CSR within organisations. Should the profile of CSR increase there is an apparent need for training of internal audit staff.
Heads of Internal Audit Service Benchmarking Report

Copy of survey issued to Service members

Corporate Social Responsibility & The Role of Internal Audit

The aim of this survey is to gauge the level of development that organisations have achieved with regard to the reporting and audit of Corporate Social Responsibility (CSR) activities, in the light of the reporting requirements of the Companies Act 2006. The questions have been designed to take a snapshot of the current state of development of CSR activities and reporting and to gauge the extent to which Internal Audit is involved in the oversight of these. In doing so it is hoped that it will be possible to see if there is either general uniformity or wide variations in approach. The responses to these questions will also provide an insight on the roles and responsibilities that internal auditors have adopted with regard to the management of CSR risk.

1) What is your industry sector (choose one from this list):
- Banks and building societies
- Insurance
- Other financial services
- Food and drink
- Manufacturing and engineering
- Media and leisure
- Retail
- Telecommunications
- Utilities
- High technology
- Other private sector
- Voluntary/charity
- Education
- Central government
- Local government
- Health
- Other public sector
- None of the above

2) How many employees are employed in your entire organisation, including all plants, divisions, branches and subsidiaries?
- 1-99
- 100-499
- 500-999
- 1,000-4,999
- 5,000-9,999
- 10,000 or more

3) Is your organisation affected by the CSR reporting requirements introduced in the Companies Act 2006?
- Yes
- No
- Unsure

4) Does your organisation produce a specific CSR Report? (may also be referred to as a Sustainability Report or a Triple Bottom Line Report)
- Yes
- No
- Unsure

5) To what extent do you agree with the following statements?
Scale: strongly agree / agree / neither agree or disagree / disagree / strongly disagree
- CSR is an important issue to business in general
- My organisation has a strong commitment towards CSR
- My organisation demonstrates effective management of CSR issues
- My organisation demonstrates effective reporting of CSR issues
- My organisation has clearly defined its approach to managing CSR risk

6) Who has leadership responsibility for CSR issues and associated reporting?
- Chief Executive
- Company Secretary
- Finance Director/Financial Controller
- Director of Risk/Risk Management
- Director of Internal Audit/Chief Internal Auditor

7) Where does CSR fit within the corporate governance structure in your organisation?
- Reviewed at full Board level
- Reviewed at divisional Board level
- Reviewed by a specific CSR Committee
- Reviewed by a general Risk Committee
- Reviewed by Environmental Risk Committee

8) Does CSR feature on your organisation's Risk Register?
- Yes - as a specific risk
- Yes - as a general risk
- Yes - as an opportunity
- Yes - as both an opportunity and a risk
- No

9) Does your organisation utilise the services of an independent third party assurance provider in respect of CSR activities and reporting?
- Yes - a specialist assurance provider is used
- Yes - included within the overall audit by the External Auditors
- No
- Unsure

10) If yes, what standard(s) is/are used by the assurance provider to benchmark against? Please specify:

11) What level of interaction is there between Internal Audit and the independent assurance provider?
- Full interaction - a co-ordinated approach to assurance provision with reliance placed by both parties on the work of the other
- Some interaction - Internal Audit place reliance on the work of the independent assurance provider
- Some interaction - The independent assurance provider places reliance on the work of Internal Audit
- No interaction

12) How does CSR Risk feature within Internal Audit's planning?
- CSR risk is addressed as an integral part of every audit
- CSR risk is addressed annually through pre-planned audits
- CSR risk is addressed within a rotational audit plan
- Specific audits are undertaken on an as required basis
- No audits relating to CSR are currently planned

13) Which methods of assurance provision does your Internal Audit function utilise in respect of CSR activities and associated reporting? (Tick all that apply)
- Assessment of CSR risks integrated into all audits
- Audit of High level controls framework
- Audit/oversight of CSR function
- Audit/oversight of Health & Safety
- Audit/oversight of HR related policies (e.g. Equal opportunities)
- Audit/oversight of Supply Chain CSR
- Audit/oversight of Environmental performance
- Audit/oversight of specific High Risk CSR issues
- Audit/oversight of Reputational Risk related to CSR issues
- Audit/oversight of products to ensure they meet CSR standards and do not make false claims
- Audit of CSR Report
- Continuous auditing - oversight of CSR reporting
- Continuous auditing - attendance at appropriate CSR related corporate governance meetings (e.g. CSR, Risk, Environment committees)
- Continuous auditing - assess management of CSR risks through interaction with the business.

14) To what extent do you agree with the following statements?
Scale: strongly agree / agree / neither agree or disagree / disagree / strongly disagree
- A failure of environmental controls could break the organisation
- The reputation of the organisation is key to future corporate success
- Internal auditors in my organisation have sufficient skills & experience to apply risk based internal auditing techniques to CSR risk
- Executive Management devote sufficient time/efforts to the management of CSR risk
- The Audit Committee devote sufficient time/efforts to the organisation's management of CSR risk

Thank you for completing the survey, your views and opinions are very important.
Would you be happy to discuss your responses, to enable a better understanding of issues to be gained? If so, please complete the following:
Name
Contact Number

Data Protection Notice

Thank you for completing the survey, your views and opinions are very important. Your response will be treated in total confidence. Completed questionnaires will be processed only by the Institute of Internal Auditors - UK and Ireland (IIA) using Vovici EFM Continuum software and will not be disclosed to any other third parties. By submitting this questionnaire you consent to our processing of your sensitive personal data for these purposes.

The Institute of Internal Auditors UK and Ireland (IIA)

The IIA has been leading the profession of internal auditing for over 60 years. We are the only body focussed exclusively on internal auditing and we are passionate about supporting, promoting and training the professionals who work in it. Every year we help thousands of internal auditors at every stage of their career with training, qualifications and technical resources enabling them to deliver exceptional results for their organisations. Our International Standards and Code of Ethics unite a global community of over 130,000 IIA internal auditors. These Standards mean that employers can be sure that IIA members across the world operate with integrity and to the highest levels of professional competency.

About Heads of Internal Audit Service benchmarking reports

The IIA recognises that heads of internal audit need specialist information and support to help them respond to the demands of a competitive and increasingly regulated business climate. The Heads of Internal Audit Service is a complete and exclusive service designed specifically for the leaders of the profession to keep them up to date and to provide them with introductions to their contemporaries and opportunities to discuss successes and concerns in confidence with their peers. Other services include access to technical updates, a quarterly newsletter, a series of professional forums, and specifically commissioned research.

The benchmarking reports are designed to help HIAS members make the most of the Service's networking opportunities. Service members can pose a question to other Service members to help them identify best practice on a particular issue. Service members can submit a question for consideration as an Enquiry by emailing chris.baker@iia.org.uk or technical@iia.org.uk

Disclaimer

This material is not intended to provide definitive answers to specific individual circumstances and as such is intended to be used only as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

www.iia.org.uk
The Institute of Internal Auditors UK and Ireland Ltd
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
Tel 020 7498 0101
Fax 020 7978 2492
Email technical@iia.org.uk
Registered in England and Wales, no. 1474735
Information can be made available in other formats