corporate social responsibility and internal audit
TRANSCRIPT
Corporate Social Responsibility and Internal Audit:
What is the role of IA, and what opportunities for improvement exist for IA in the CSR process of an
organization?
Thesis - Executive Internal Audit Program 2012 – 2014
Author: Jamila Geene
Student number: 6020412
Date: 08-08-2014
Coach: Lecturer J.J.M. Laan
CSR and the role of IA| 1
Acknowledgements
In 2012 I started the Executive Internal Audit Program at the University of Amsterdam. With enthusiasm and
pride I present my final thesis on a topic I hold close to my heart: Corporate Social Responsibility. This thesis
marks the end of a wonderful yet challenging two year experience, during which various people have motivated
and supported me. I therefore would like to take this moment to express my utmost appreciation and extreme
gratitude to these wonderful people.
First of all, I would like to thank Bob van Kuijck, Annelies Vethman and my thesis coach, Jan Laan, for their
guidance, useful suggestions and devoted feedback. Secondly, I would like to thank all the participants for
partaking in this research. I much appreciate you for your time and your openness during the interviews which
have led to these interesting and valuable results. Furthermore, I would like to thank my classmates for making
this experience a wonderful one. Jack, Ingrid, Gijs and Friso, special thanks for the fun times, without it this
journey would have been a lot more challenging.
Also, I would like to express my heartfelt gratitude to my beloved parents, brother, extended family and all my
other wonderful friends for their support and compassion. And to my love Johan, there are no words to describe
how thankful I am for the patience, love and support that you have provided me throughout this journey. Thanks
for believing in me…in us.
I hope you will enjoy reading this thesis.
Jamila Geene
Amsterdam, August 08, 2014
The role of the IAF in CSR| 2
Executive Summary
Corporate Social Responsibility (CSR) is defined as the way companies integrate social, environmental and economic
aspects in a transparent and responsible manner into their values, culture, decision, strategy and operations, and therewith
contribute to the society. CSR is becoming increasingly important in the business world as investors and regulators are
increasingly demanding greater visibility into what organizations are doing. As a result organizations need IA to take a
broader mandate within the organization. Far from its traditional compliance roots, IA is increasingly being asked to not
only provide operational business insights to the organization, but also to serve as strategic advisors – helping the
organization to address today’s key business risks. Also, as strategic advisors they are requested to help in preparing for
critical emerging risks, risks that the organization knows are approaching more quickly than ever before based on business
strategy and continued global expansion. Amongst the top of ten of the most important emerging risks that IA is tracking is
climate change and sustainability.
In 2011 the IIA and the NBA published a report based on empirical research on the role of IA in the CSR process. That
research however was only based on results provided by IA functions and largely based on surveys as a method of research.
In this research their findings are critically tested by addressing a different point of view, that of external auditors providing
external verification on these CSR reports, and by using a different research method. Through interviewing subject matter
experts (external auditors) and by performing a multiple case study research, this study aims to contribute to the awareness
of internal auditors on their possible role in the CSR process, and on opportunities to add value and to improve the CSR
process within their organizations. As a result, the following research question is answered: What is the role of IA, and
what opportunities for improvement exist for IA in the CSR process of an organization?
Based on the findings of this research it can be concluded that leading IA functions are involved in the CSR process
through assurance, and consultancy roles. Building on extant literature, this research concludes that the actual role attained
by IA is indeed highly dependent upon the level of maturity of the CSR process. The role of IA tends to shift from a
consultancy, and at times even a managing role, to a more assurance providing role as the CSR process matures from initial
to optimizing. Activities that are decreasingly performed, as the CSR process matures, include advising on the set up and
implementation of the CSR process. These activities make way for the following assurance providing activities: auditing
the CSR report on scope and quality, and auditing the process of translating the strategy to the policies, procedures, models,
management cycle (PDCA), and the final report. Through the development of the maturity model in this research,
awareness is created on the possible activities to be performed by IA at various levels of maturity.
In contrast to the findings in the research by NBA and IIA, this research highlights that the involvement by IA in the CSR
process is generally limited to its assurance role by performing data-centric and system-oriented audits. A role that is
imposed by the external auditor and subsequently passively executed by IA. Also, this research concludes that only 10-15%
of the IA functions are involved in the CSR process. The drastic differences between these findings with that of the IIA and
NBA are either the result of less involvement by IA over the years, participation of IA functions that are front-runners in
the area, or by the research method chosen by the IIA and the NBA. Either way these results directly highlight the most
significant improvement points resulting from this research: increase the active involvement of IA in the CSR process, and
increase the performance of consultancy related activities in the CSR process. Additional improvement points for IA
include: improving IA’s CSR knowledge and skills; increasing the advisory role of IA; ensuring earlier involvement in the
CSR process. Lastly, based on the field research conducted it was concluded that the performance of system-oriented audits
by IA needs to increase and improve. The urge for this improvement lies in the fact that in the CSR process data is
generated and extracted from various independent systems, which are often still Microsoft Excel based or in the beginning
development stages. Combining this with the lower level of maturity of the CSR process, and the low frequency of data
retrieval, it creates one of the biggest current risks in the CSR audit process. To reduce this risk it is important for IA to
perform both data-centric as system-oriented audits to determine the reliability of the data and the systems used.
The role of the IAF in CSR| 3
List of abbreviations
CAE: Chief Audit Executive
CSR: Corporate Social Responsibility
EA: External Audit
ERM: Enterprise Risk Management
IA: Internal Audit
IPPF: International Professional Practice Framework
ISA: Internal Standard on Auditing
KPI: Key Performance Indicator
PDCA: Plan, Do, Check, Act
SME: Subject Matter Expert
SMS: Sustainability Management System
Institutions
CAR: Dutch Council for Annual Reporting
COSO: Committee of Sponsoring Organizations of the Treadway Commission
GRI: Global Reporting Initiative
IAASB: International Auditing and Assurance Standards Board
IIA: Institute of Internal Auditors
NBA: Dutch Institute of Chartered Accountants
NIVRA: Royal Dutch Institute of Charted Accountants
List of tables
Table 2-1: Consulting and Assurance activities for IA
Table 2-2: Activities for IA to ensure good collaboration with EA
Table 3-1: Subject matter experts
Table 3-2: Case Profiles
Table 3-3: Technique(s) applied to enhance credibility
Table 3-4: Interviewees per case
Table 4-1: IA’s current activities in the CSR process
Table 4-2: Role of IA per maturity level
Table 4-3: Collaboration procedures IA and EA
Table 4-4: Risks in auditing the CSR process
Table 4-5: Improvement points for IA
List of figures
Figure 1-1: Research Model
Figure 2-1: Sustainability Management System
Figure 2-2: COSO-CSR model
Figure 2-3: Role of IA in CSR
The role of the IAF in CSR| 4
Table of Contents
Acknowledgements ................................................................................................................................................ 1
Executive Summary............................................................................................................................................... 2
1 Introduction .................................................................................................................................................. 6
1.1 Background ............................................................................................................................................ 6
1.2 Problem Definition and Research Questions ......................................................................................... 7
1.3 Research Design ..................................................................................................................................... 7
1.4 Thesis outline ......................................................................................................................................... 8
2 Literature Review ........................................................................................................................................ 9
2.1 Corporate Social Responsibility ............................................................................................................. 9
2.1.1 Definition of CSR.......................................................................................................................... 9
2.1.2 CSR reporting in the Netherlands ............................................................................................... 10
2.2 CSR process ......................................................................................................................................... 11
2.2.1 Sustainability Management System ............................................................................................ 12
2.3 The role of IA in CSR .......................................................................................................................... 13
2.3.1 Internal Audit and CSR ............................................................................................................... 13
2.3.2 Consulting ................................................................................................................................... 15
2.3.3 Assurance .................................................................................................................................... 15
2.4 Coordination of EA and IA .................................................................................................................. 16
2.4.1 EA and IA ................................................................................................................................... 16
2.4.2 Best practices for IA .................................................................................................................... 17
2.5 Chapter summary ................................................................................................................................. 18
3 Research design .......................................................................................................................................... 21
3.1 Research methodology ......................................................................................................................... 21
3.1.1 Literature ..................................................................................................................................... 21
3.1.2 Subject matter interviews ............................................................................................................ 21
3.1.3 Case Studies ................................................................................................................................ 22
3.1.4 Data Collection ............................................................................................................................ 23
3.3 Data analysis ........................................................................................................................................ 23
3.4 Chapter summary ................................................................................................................................. 24
4 Findings....................................................................................................................................................... 25
4.1 CSR Process ......................................................................................................................................... 25
4.2 The role of IA in CSR .......................................................................................................................... 26
4.3 Coordination of EA and IA .................................................................................................................. 30
4.4 Improvement areas for IA .................................................................................................................... 31
4.5 Chapter summary ................................................................................................................................. 34
5 Discussion ................................................................................................................................................... 36
5.1 Conclusion ........................................................................................................................................... 36
5.2 Limitations and recommendation for future research .......................................................................... 37
6 Reference List ............................................................................................................................................. 39
The role of the IAF in CSR| 5
Appendix A - Introduction email .............................................................................................................. 41
Appendix B - Interview script ................................................................................................................... 42
Appendix C - Maturity Model ................................................................................................................... 48
Appendix D - Case Studies ........................................................................................................................ 50
Appendix E - Coding Table ....................................................................................................................... 52
End Notes ............................................................................................................................................................. 56
The role of the IAF in CSR| 6
1 Introduction
1.1 Background
Considerable interest in Corporate Social Responsibility (CSR) has appeared in academic literature over the past
decade as companies struggle to balance short-term financial viability with long-term strategic goals, and to
build and preserve shareholder value while enabling future generations to meet their own needs. The literature
has overall concluded that businesses should integrate CSR principles into corporate strategic policies and
business processes. This integration is justified by the fact that it affects the triple-bottom line and long-term
profitability of a business and should, therefore, be treated as strategic assets of the business (see, e.g.,
Elkington, 1997; Grant, 1997; Russo and Fouts, 1997; Johnson and Scholes, 1993). Stakeholders expect boards
and management to accept responsibility and implement strategies and controls to manage their impact on
society and the environment, to engage stakeholders in their endeavors, and to inform the public about their
results. As companies are increasingly being evaluated on not only their financial performance, but also non-
financial results related to environmental and social performance, reporting on CSR at the corporate level has
broadened widely and is fast becoming a critical element of reporting for listed and large non-listed companies
at the global level (see, e.g., KPMG, 2008; Owen, 2006; Kolk, 2004, 2003, 2001; Kolk et al., 2001; Gray et al.,
2001).
The amount of regulations on environmental and social aspects is increasing correspondingly. Regulators are
near certain to create an environment in which reporting on sustainable matters will not only become the right
thing to do or the smart thing to do, but also the only thing to do [PWC, 2009]. Companies are preparing to take
on these mandatory and voluntary regulations, and associated challenges, in a proactive manner. The
proliferation of regulation and voluntary standards has made CSR management a complex endeavor for firms in
all industries.
As the social relevance of CSR in large organizations is expected to grow and as companies are continuously
aligning their strategies to adapt to the increased relevance of CSR in their day-to-day business practices, the
involvement of internal audit (IA) in CSR has also increased steadily in the last decade [IIA and NBA, 2011].
Furthermore, IA is expected to give increasing priority to the work field of CSR in the future as well. In this, IA
performs activities with regard to both assurance and consultancy roles when it comes to CSR. The Institute of
Internal Audits (IIA) states that these activities include understanding the risks and controls related to CSR
objectives. In addition, the Chief Audit Executive (CAE) should plan to audit, facilitate control self-
assessments, verify results, and/or consult on the various subjects where appropriate [IIA, 2010].
Extant literature exploring the role of IA with regard to CSR is available [e.g. Nieuwlands, (2006)]. However,
only two research studies [Ambaum (2007); IIA and NBA (2011)] have empirically examined the role of IA
with relevance to CSR in order to identify best practices in the Netherlands and to examine the actual role IA
fulfills in CSR reporting. In their research studies they approached and examined IA functions of respectively
29 and 37 (out of a total of 54) large Dutch firms which have distributed a CSR report, or have visibly
integrated CSR in their annual financial reports. The results indicate that 30-40% of the IA functions
participating in their research are involved through either an assurance role, consultancy role of both in the CSR
process. And that this involvement is only to increase in the coming years. Furthermore, the results conclude
that IA adds significant value in the CSR process through a broad scope of activities including taking on a
consultancy role. Both the research studies from Ambaum (2007) and the IIA and NBA (2011) however, have
inferred conclusions based on results provided solely by IA, and through surveys as the main research method.
The role of the IAF in CSR| 7
Given the professional skepticism an internal auditor is required to have in its work, this research critically
examines the findings in the previous research studies by addressing a different point of view, that of external
audit (EA) providing external verification on these CSR reports, and by using a different research method.
Through this, it aims to identify the areas of improvement for IA, from both IA as EA perspective, when it
comes to the CSR as an audit object.
1.2 Problem Definition and Research Questions
The following eight sub-questions have been constructed in this research:
1. What is the CSR process?
2. What roles can the IA function of organizations play in the CSR process?
3. How can the external auditor and the IA function of an organization work together in the CSR process?
4. What are the opportunities for improvement for IA in the CSR process?
These four sub-questions will depict the theoretical possibilities based on a literature review performed in
Chapter 2. The following four sub-questions depict the actual situation in the business, and are answered by
means of subject matter interviews and case study research.
5. How is the CSR process within organizations structured?
6. What roles does IA attain in the CSR process?
7. How do the external auditor and IA function of an organization work together in the CSR process?
8. What are the improvement areas for IA in the CSR process?
Based on these eight sub-questions this study aims to answer the following main research question:
What is the role of IA, and what opportunities for improvement exist for IA in the CSR process of an
organization?
The results of this research further contribute to the awareness of internal auditors about their opportunities to
add value and improve the CSR process within an organization.
1.3 Research Design
This research can be classified as an exploratory research that maintains a theory-testing approach. A
comprehensive visualization of the research design used to answer the research questions defined above is
shown in figure 1-1.
First, various literature, websites and research studies are examined. Reference is made to Chapter 6, which
provides a list of literature used. Then, the role of IA and improvement points for IA are identified and
discussed by means of subject matter interviews with two accountancy firms (the biggest in the field of CSR
audits in the Netherlands). In order to test the actual role of IA in the CSR process and to reflect on the
improvement points provided by EA a multiple case study research was performed. This research design was
chosen as appropriate on the basis of theoretical replication [Yin, 2009]. To ensure convenience and efficiency,
a small number of four cases are observed. The four companies selected all have CSR reports that are externally
verified; are of similar size; have an IA function that plays a role in the CSR process; and have an external
auditor that relies on the work of the IA function when it comes to the CSR process.
The role of the IAF in CSR| 8
Figure 1-1: Research Model
Triangulation is achieved during data collection as data is collected through the use of CSR reports, interviews
with the IA functions and interviews with the CSR audit departments of the EA firms. The selected companies
are electronically approached, supported by an introduction email. In order to contact the external auditors and
internal auditors, the professional and social network of colleagues and J.J.M. Laan (lecturer of the course
Management Accounting at University of Amsterdam) is used.
1.4 Thesis outline
Chapter 2 of this thesis contains a literature review on the topic of CSR in general, and CSR in the Netherlands
in particular. Through the examination of literature, it identifies the structure of the CSR process, the roles IA
can play when it comes to CSR, and on how EA and IA can work together in this process. This is followed by
Chapter 3, which elaborates on the research design. In Chapter 4, the findings of this research are presented and
analyzed. Chapter 5 concludes on the role of IA and the opportunities for IA for improving the CSR process
within an organization and it also discusses limitations of this research and recommendations for future
research. Please refer to Chapter 6 for a list of all literature used as part of this research.
The role of the IAF in CSR| 9
2 Literature Review
The purpose of this thesis is to identify what the role of IA is in the CSR process, and which opportunities for
improving the CSR process exist for the IA function within an organization. In order to answer this question,
some background literature is presented in this chapter to expand knowledge on the topic of CSR in general and
CSR in the Netherlands in particular. In order to answer sub-questions 1-4 formulated in Chapter 1 it also
discusses existing literature on the structure of the CSR process, the roles IA can play when it comes to CSR
and on the relationship between EA and IA with regard to this process.
2.1 Corporate Social Responsibility
2.1.1 Definition of CSR
Climate change, natural resource depletion, pollution, increased waste, and sweatshops are environmental and
social events that are changing people’s behavior, requirements and business practices. As a result of these
events stakeholders are increasingly focusing on environmental, social and governmental issues, while
expecting a better performance and more disclosure. Stakeholders continuously require transparency and
accountability. This is in accordance with the stakeholder approach that believes that companies are responsible
to all groups that can be affected or are affected by their business, and should therefore balance the large
quantity of interest of these stakeholders [Freeman, 1984; Geene, 2011].
In the beginning organizations denied any responsibility to these societal issues, however increasing regulations
relating to the environment and the workplace are leading organizations to adopt a policy-based compliance
approach to these issues as a cost of doing business. An increasing amount of organizations are even accepting
these new responsibilities as part of daily business operations. They replied by adopting a managerial approach
and are consequently embedding the societal issues into the organization’s core business processes, resulting in
new practices and management systems. Global leaders are even moving at a faster pace; acknowledging the
strategic approach in which the societal issues are integrated into the core business processes as they realize it
provides a competitive edge [Zadek, 2004]. In response, organizations are developing performance targets,
measurement systems, and reporting systems related to CSR strategies.
In short, Corporate Social Responsibility (CSR) is becoming an increasingly crucial concept for businesses
today. The concept of CSR (“Maatschappelijk Verantwoord Ondernemen” in Dutch) however, is one that has
been defined in existing literature in manifold. In literature it appears that there is not one unequivocal definition
of CSR in the literature [McWilliams et al, 2006; IIA and NBA, 2011]. The reason for the diversity in the
definition of CSR is the fact that CSR interfaces with various disciplines resulting in it being viewed through
different perspectives [McWilliams, Siegel and Wright, 2006]. CSR is a topic that is often related with concepts
such as Sustainability, Triple Bottom Line, and Corporate Citizenship. In this research the term Corporate
Social Responsibility will be used. Essential in all these definitions is the statement that a company must look
beyond its own economic interests, as it should be profitable for both the company and the society.
IIA noted that CSR can be interpreted as the way companies integrate social, environmental and economic
aspects in a transparent and responsible manner in their values, culture, decision, strategy and operations, and
therewith contribute to the society [IIA, 2010]. For this research the definition by IIA is used. This definition
connects the three dimensions social, environmental and economic and accentuates how these three dimensions
should be adapted to the needs and expectations of the stakeholders of a company.
The role of the IAF in CSR| 10
2.1.2 CSR reporting in the Netherlands
To demonstrate their stance in being socially responsible, both listed and large non-listed companies at global
level started publishing CSR reports in addition to their financial reports [KPMG, 2008; Owen, 2006; Kolk,
2004, 2003, 2001; Kolk et al., 2001; Gray et al., 2001]. These reports are based on the three elements: social,
environmental and economic performance. A research by KPMG in 2008 stated that in 1999 roughly 39% of the
Global Fortune 250 companies reported on their social, ecological and economic activities, while this number
augmented to 80% in 2008.
The Global Reporting Initiative (GRI) explained the purpose of a CSR report as follows: “Sustainability
reporting is the practice measuring, disclosing and being accountable for organization performance towards the
goal of sustainable development” [GRI, 2002]. A CSR report should provide a balanced and reasonable
representation of the sustainability performance of the reporting organization – including both positive and
negative contributions [Nieuwlands, 2006].
As the importance of CSR has increased globally, the European government has explored regulatory approaches
to CSR reporting. In the Netherlands however, CSR reporting remains voluntary and is not enforced by
legislative requirements. Nevertheless, there are some compulsory CSR reporting prescriptions for annual
reports. In the Dutch Civil code article 2:391 section 1 states that companies are required to give some
information (financial and non-financial) about the environment, employees and risks in their annual reports. It
is mandatory for all listed companies independent of their size and for all large non-listed companies. Further
specification on what kind of information can be disclosed in relation to a company’s CSR is given in the
Annual Reporting Guideline 400 (in Dutch referred to as “Het jaarverslag”) published by the Dutch Council for
Annual Reporting (CAR). CAR also published the Guide to Sustainability Reporting (in Dutch called the
“Handreiking voor Maatschappelijke Verslaggeving”).
The most important institution in the field of international guidelines for reporting is currently the GRI. GRI is
an international, multi-stakeholder process and independent institution founded in 1977 whose function is to
develop and disseminate global sustainability reporting guidelines. The GRI framework provides the principles
and indicators that an organization can use to report on its performance in the field of measuring people, planet
and profit. More than 450 multinationals across 40 countries adhere to the GRI guidelines, including the vast
majority of the companies listed at the AEX - a stock market index composed of Dutch companies that trade on
NYSE Euronext Amsterdam. Initially CSR reports were fragmented and covered only certain aspects, based on
the purpose of these reports, however, through the use of the GRI reporting guidelines the quality of the reports
has increase significantly in de first years of the new millennium [Nieuwlands, 2006].
Standard guidelines may not meet all information needs of all users, and therefore companies should always use
a structured dialogue with stakeholders to further determine specific information needs. The guidelines
AA1000, AA1000APS (Accountability principle standards) and AA1000SES (stakeholder engagement
standards) in particular, are developed specifically for the accountability process in which the dialogue with
stakeholders has an important place. The outcomes of the dialogue define the contents of the CSR report and
topics to be determined within the company and highlights actions that must be taken. The guidelines therefore
place no explicit demands on the contents of the CSR report.
In the Netherlands the number of companies that published CSR reports has gradually increased over recent
years, as well as the number of independently verified CSR reports, however externally verified CSR reports are
still not common practice in the Netherlands. However, a recent article by KPMG shows that getting external
assurance on CSR reports is becoming standard practice. The tipping point has been crossed, with over 59% of
The role of the IAF in CSR| 11
the world of the world’s largest companies (Global 250) now investing in CSR assurance (2012: 46%). As the
largest companies tend to set the trend, it can be presumed that soon the other companies will follow [KPMG,
2013]. However, even when these reports are externally verified the level of assurance provided by the auditor
is mostly limited (i.e. a moderate level of assurance) [Prikken, 2010].
2.2 CSR process
The board and senior management of an organization have overall responsibility for the effectiveness of
governance, risk management and internal control processes. As part of these responsibilities it is also
accountable for guarantying that CSR objectives are established, risks are managed, performance is measured,
and activities are appropriately monitored and reported. Furthermore, management is responsible for ensuring
that the organization’s CSR principles are communicated, understood, and integrated into decision-making
processes [IIA, 2010]. Management however, has trouble ensuring that CSR activities are coordinated and
aligned with strategic initiatives and principles throughout the organization, with appropriate risk/reward
decisions being made. Organizations realized that they need a management system, structuring formerly
scattered elements of CSR information gathering and repairing missing links between them. An advantage of a
management system is that it sets an auditable framework for assuming economic, environmental, and social
responsibility in a systematic, transparent, consistent, and credible manner.
In his book “Sustainability and Internal Auditing” Nieuwlands (2006) informs that setting up a sustainability
management system (SMS) is the best approach to implementing CSR in an organization. The SMS described
contains the following steps as illustrated in figure 2-1:
Figure 2-1: Sustainability Management System (modified by author)
In the research by the IIA and NBA in 2011 the COSO-model is used as the control model for CSR. It is argued
that even though initially used by organizations to control for activities and processes required for meeting the
organizations strategic goals and objectives, this model can be applied to control for CSR activities and
processes required to meet and organization’s CSR goals and objectives as well [IIA and NBA, 2011]. The
COSO-CSR model as described in the IIA and NBA research is illustrated in figure 2-2 [COSO, 2012].
The role of the IAF in CSR| 12
Figure 2-2: COSO-CSR model (modified by author)
Both models can be seen as a loping process in which continuous improvement is strived for and the same
elements are covered in both models. However, based on the fact that Nieuwlands’ SMS is based on the widely
accepted model for management systems, namely Dr. W. Edwards Deming’s Plan-Do-Check-Act (PDCA)
cycle, which consists out of the four steps Plan, Do, Check, and Act, the detailed SMS is expected to be used in
practice. The following proposition is formulated to be tested in this research:
P1: The CSR process within an organization is organized according to the PDCA cycle and therefore strongly
resembles Nieuwlands’ Sustainability Management System.
2.2.1 Sustainability Management System
The start of the management cycle as described by Nieuwlands is (re)formulating a CSR policy and strategy that
is appropriate to the nature, scale and CSR impacts of the organization’s activities, products or service and are
consistent with the organizational strategic plan and other organizational policies. To ensure accuracy of the
documents both the strategy and the policy are to be periodically reviewed and revised if necessary.
The next step includes of a planning phase, a risk management phase, and the setup of information systems and
a CSR management program. The planning phase of the management cycle links the CSR policy and strategy to
predefined objectives and targets. Furthermore, the organization defines roles and responsibilities of employees
based on the CSR policy and strategy. Adequate resources are made available to employees to realize these roles
and responsibilities and relevant objectives and targets. In order to identify aspects that have significant impacts
on CSR performance, the organization establishes and maintains procedures to identify aspects for the entire
lifecycle of a product over which the organization has direct influence. CSR presents significant risks and
opportunities for many organizations and CSR objectives are therefore included in the organization’s risk
managementi process which is often based on the COSO-ERM framework
ii. As part of the risk management
phase, the board and management are responsible for performing a risk assessment and determining what is
important to their organization and the controls they will implement to manage those risks. It is also vital for an
organization to set up a CSR management information system, designed to provide adequate, reliable and timely
information to the organization so it can control the SMS and monitor actual performance against objectives and
targets. Finally, a CSR management program needs to be set up for achieving its objectives and targets. The
program should include the designation of responsibility for achieving objectives and targets at each relevant
function and level of the organization [IIA, 2010; Nieuwlands, 2006].
The role of the IAF in CSR| 13
The third step regards structure and responsibilities, training and awareness, communication and documentation
of the SMS. In order to ensure proper implementation and maintenance of the SMS senior management appoints
a program manager responsible for its establishment, implementation and maintenance, and for reporting on its
performance. All responsibilities and resources related to the SMS are defined and communicated to ensure
effective implementation. The importance of sustainable thinking is communicated both internally as externally
to create awareness within and outside of the firm with regards to the CSR strategy, plans, results and challenges
[IIA, 2010]. To facilitate awareness and to ensure capability amongst its employees, trainings are given and
procedures are defined for creating awareness for the importance of conformance with CSR policies and
procedures. To show an organization’s progress in realizing its CSR objectives management designs a
communication process that sets the objectives of external communication, the information that needs to be
shared, and the channels to be used. The effectiveness of the communication efforts are then measured and
evaluated. The CSR report is the most widely used vehicle to communicate the outcomes and results that
occurred within the reporting period in the context of the organization’s commitments, strategy, and
management approach. The organization described core processes, uses flow charts to enhance understanding,
and clarifies interaction between the different processes. This documentation forms the basis for an external
review and can be used for training purposes [Nieuwlands, 2006].
In order to obtain assurance on the effectiveness and efficiency of the CSR-initiatives in an organization it is key
to continuously monitor (through the three lines of defenseiii) the internal controls relating to CSR/ SMS process
[IIA, 2010]. As part of the fourth step ‘checking and corrective action’, monitoring and measurement processes
are documented so that they are clear and implemented properly. On a periodic basis the adequacy and
effectiveness of the system is monitored based on the objectives and targets set. Timely follow-up and processes
for proactive and corrective actions are designed and implemented. Additionally, the organization set up a
process to ensure that the SMS is subject to a periodic (internal) audit, with the objective to determine whether
the system has been set up adequately and is implemented effectively. The results of this system audit are
communicated to senior management [Nieuwlands, 2006].
Finally, management periodically reviews the SMS to ensure its continuing suitability, adequacy and
effectiveness. Based on the outcome of the management review, management should act to improve the system
and thereby improve CSR performance [IIA, 2010; Nieuwlands, 2006].
2.3 The role of IA in CSR
2.3.1 Internal Audit and CSR
As investors and regulators are increasingly demanding greater visibility into what organizations are doing,
organizations need IA to take a broader mandate within the organization. Far from its traditional compliance
roots, IA is increasingly being asked to not only provide operational business insights to the organization, but
also to serve as strategic advisors – helping the organization to address today’s key business risks and prepare
for critical emerging risks that the organization knows are approaching more quickly than ever before based on
business strategy and continued global expansion [EY, 2013]. Amongst the top of ten of the most important
emerging risks that IA is tracking is climate change and sustainability.
The board and senior management of an organization is responsible for guarantying that CSR objectives are
established, risks are managed, performance is measured, and activities are appropriately monitored and
reported, and for ensuring that the organization’s CSR principles are communicated, understood, and integrated
into decision-making processes [IIA, 2010]. However, as previously mentioned, management has trouble
The role of the IAF in CSR| 14
ensuring that CSR activities are coordinated and aligned with strategic initiatives and principles throughout the
organization. IA is well positioned to support management to implement a SMS and perform system audits after
the implementation phase as long as they maintain their independence and objectivity, and hence they never
assume line-management responsibilities [Nieuwlands, 2006]. Supporting this statement is a research performed
by the Dutch Institute of Chartered Accountants (NBA: “Nederlandse Beroepsorganisatie van Accountants” in
Dutch) and the Institute of Internal auditors (IIA) in the Netherlands (2011) who jointly investigated the
relationship between internal audit and Corporate Social Responsibility (CSR) which highlights that the IA has
an important and growing role to play in the governance of organizations when it comes to CSR. Not only
during the reporting of results but also in embedding CSR throughout the organizations. They conclude that the
IA will be able to add value to the process of defining policies, criteria, standards and controls, and in evaluating
and reporting on the organization’s performance in the field of CSR [IIA and NBA, 2011].
The IIA has developed an International Professional Practice Framework (IPPF) on evaluating CSR in 2010. An
IA function that conforms to this IPPF is qualified to audit and provide assurance to the board and management
on CSR programs and reporting. The IPPF practice guide on evaluating CSR as well as Nieuwlands believe that
in order to express and opinion on the adequacy and effectiveness of the SMS of an organization, IA should
perform work in all phases of the system.
According to the definition of internal auditingiv as defined by the Institute of Internal Auditors (IIA) – the
recognized authority, acknowledged leader and chief advocate of the internal auditing profession – internal
auditing consists out of two services: consultingv and assurance
vi.
The research by the IIA and NBA in 2011, state that IA coordinates its efforts to the maturity level of the CSR
process within the organization. Depending on the maturity of the CSR process within the organization IA will
take up a more supporting, consulting and/ or assurance role, while not jeopardizing their independence and
objectivity. In order to determine the correct role for IA, the IA function considers the expectations of the
Board, management and its stakeholders, the level of expertise within the IA function and within line
management, availability of information regarding the CSR maturity in the industry, and also the involvement
of the external audits or other advisors [IIA and NBA, 2011]. Important to note is that internal audit should
always maintain it objective and independent position, and should therefore not assume management
responsibility of CSR. With regards to this, please refer to in figure 2-2 [IIA, 2010] below visualizing which
roles can be undertaken by IA with or without additional safeguards, and more importantly, which roles IA
should not undertake to maintain its objectivity and independence.
Figure 2-3: Role of the IA in CSR (freely translated by author)
The role of the IAF in CSR| 15
The Business Process Maturity Model describes that processes mature in the following five levels: Initial
(chaotic), Repeatable, Defined, Managed and Optimized. Processes in the initial level are typically
undocumented and in the state of dynamic change, tending to be driven in an ad hoc, uncontrolled, and reactive
manner by users or events. This provides a chaotic or unstable environment for the processes. In the Repeatable
level, some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be
rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.
In the Defined level standard processes are defined, documented and established and have been subject to some
degree of improvement over time. These standard processes are in place (i.e., they are the core processes) and
used to establish consistency of process performance across the organization. It is characteristic of processes at
the Managed level that, using process metrics, management can effectively control the core process (e.g., for
software development). In particular, management can identify ways to adjust and adapt the process to
particular projects without measurable losses of quality or deviations from specifications. Process Capability is
established from this level. Finally, the Optimized level, where the focus is on continually improving process
performance through both incremental and innovative technological changes/improvements. Given that
designing, implementing and executing CSR in an organization can also be defined as a process, the following
proposition was constructed based on literature described above:
P2: As the CSR process becomes more mature IA will increasingly take on an assurance role and will less
frequently take on the role of consultant.
2.3.2 Consulting
Standard 2130 on Governance states that “the internal audit activity should assess and make appropriate
recommendations for improving the governance process…”. PA 2130-1 also states that IA should take an active
role in support of the organization’s ethical culture, as they have a high level of trust and integrity within the
organization as well as the skills to be effective advocated of ethical conduct [IIA, 2012]. As CSR is highly
linked to ethics, IA should be involved in the whole process of implementing CSR in an organization
[Nieuwlands, 2006; IIA and NBA, 2011]. The design and implementation of the CSR process within
organization is a difficult task for many organizations as it requires knowledge and experience in multiple areas.
However, as these areas are within the expertise of IA, the IA function fulfills a significant consulting and
supporting role in the implementation of CSR.
The research by the IIA and NBA (2011) highlights that IA is closely involved as consultant in the design of the
CSR process within an organization, as it maintains knowledge of the organization, risks and control of
processes as well as the relating reporting standards and guidelines. As the CSR process matures, IA helps the
organization to take the CSR process up to a higher level by not only fulfilling a consultancy role but also that
of an assessor.
2.3.3 Assurance
IA may choose to evaluate the CSR programs as a whole and determine whether the organization has adequate
controls to achieve its CSR objectives. Generally, the CAE would develop a one-to-three-year plan to obtain
sufficient and reliable information about the various elements of CSR within the organization. Upon completion
of the CSR-related audit programs, an opinion of the overall CSR controls can be developed [IIA, 2010]. In
order to establish a complete and accurate risk-based audit plan, internal audit have to understand the risks
identified by management in the planning and risk assessment phase of CSR and should use that knowledge
The role of the IAF in CSR| 16
when considering and establishing CSR activities in the audit universe, audit plan, and audit approaches [IIA,
2010].
The main activity performed by IA as part of this role is giving assurance on the CSR report, the CSR process,
and other related processes by auditing these processes, and its underlying controls and risks. The results of
these audits provide IA with the opportunity to offer the audit committee with an independent opinion on the
level of control with regard to the CSR objectives of the organization, and will also be able to indicate where
additional oversight is required; and to identify potential process improvements and gaps in control, which are
especially of added value for line management and senior management.
In the research by the IIA and the NBA (2011) several audits are qualified as best practice and should be
included in the audit plan of the IA function. Reference is made to table 2-1 for an overview of activities that
can be performed by IA as part of the two roles: consulting and assurance.
2.4 Coordination of EA and IA
2.4.1 EA and IA
Externally verifying an annual integrated report or individual CSR report increases the credibility of the report.
When making decisions regarding the level of assurance, depth and scope of the CSR report, internal audit can
play an essential role by providing their knowledge on the material and organization. Additionally the external
auditor can also add value to the internal audit team by providing industry-wide knowledge and subject matter
expertise. Through collaboration the quality of the CSR process and report will increase significantly. In the
research by IIA and NBA another best practice was highlighted, as follows: “The internal auditor and the
external auditor work closely together, especially when auditing the CSR report. The internal auditor
coordinates his activities with that of the external auditor, and vice versa” [IIA and NBA, 2011]. Based on this
literature, the following proposition is described:
P3: The internal auditor and the external auditor work closely together, especially when auditing the CSR
report. The internal auditor coordinates his activities with that of the external auditor, and vice versa.
Prior to discussing the ways in which these two parties can effectively work together, the relationship and
collaboration with EA is to be discussed in more detail.
The coordination between EA and IA in general is one that has been widely discussed from both IA’s
perspective as that of EA. In many organizations, the activities carried out by IA constitute an important part of
the system of internal controls. If the work performed is adequate for the purpose of the accountant’s audit, the
external auditor may use the work in getting control information. The framework for cooperation between IA
and EA is stated in ‘ISA 610: Using the work of the IA’, but is specific to the audit of financial statements. This
includes using the work of IA in obtaining audit evidence [IAASB, 2013]. The external auditor is allowed to use
the work of IA when the internal auditor is sufficiently objective, proficient and maintains a robust audit
approach.
If EA decides to use the work of the IA, the audit file of the external auditor is required to maintain at a
minimum an evaluation of the objectivity, proficiency and robustness of the IA function, the nature and scope of
the work performed by IA an used by EA, and all procedures performed by EA to evaluate the work performed
by IA on which the external auditor relies [IAASB, 2013].
The role of the IAF in CSR| 17
For IA the IIA Standard 2050 and the accompanying Practice Advisory exist and provides rules for coordination
and exchange of information on the activities of the internal auditor and the external auditor. Included are
measures ensuring an efficient (limited duplication) and effective cooperation between the internal auditor and
the external auditor [IIA, 2012].
2.4.2 Best practices for IA
An article in the Dutch magazine ‘De Accountant’ based on a research performed by the Royal Dutch Institute
of Chartered Accountants (NIVRA: “Koninklijk Nederlands Instituut van Registeraccountants” in Dutch) and
IIA in the Netherlands summarized the following best practices for an efficient and effective coordination
between the internal auditor and the external auditor [Dekker, 2009]. The first best practice mentioned in the
article is full transparency between the IA function and the external auditor and open communication with the
audit teams and stakeholders. Secondly, optimal use of existing knowledge and skills should be aimed for to
ensure the correct attitude. This can be achieved by borrowing expertise from one another, by giving IA an
important role in the selection and appointment of the external auditor, and by requesting advice from EA prior
to the selection and dismissal of the CAE. Another best practice is ensuring an effective audit coverage and
audit impact by developing a shared vision for cooperation and by defining and documenting these objectives on
an annual basis. Critically discussing risk assessments as a basis for audit planning will also contribute to
ensuring an effective audit coverage and impact. The fourth best practice indicated in the article relates to
promoting an even more efficient work performance. Activities that will enhance efficient work performance
includes the use of the same audit methodology, -techniques, -tools and -terminology; evaluating each hour
spend and budgeted; and the use of each other's work when possible. Fifthly, on forehand agreeing on the issues
and reports to be presented to the audit committee and presenting an integrated audit approach and planning to
the audit committee is mentioned as a best practice. These activities will strengthen the relationship with, and
increase support provided to, the audit committee. The sixth best practice stated is further improving the
coordination of the audit work for the organization, which can be achieved by having IA coordinate the internal
and external audit activities, or by critically evaluating the draft management letters and reports prepared by EA.
And lastly, the coordination between IA and EA should be subject to continuous improvement. This can be
achieved by jointly developing a plan to improve the effectiveness and efficiency of the cooperation, and by
informing each other on received complaints and suggestions for improvement. The best practices mentioned in
the article can be transmitted into improvement areas for both the external auditor and the internal auditor when
it comes to the relationship between the two parties.
Improvement areas also exist when looking at specific procedures that can largely be performed by the IA to
contribute to the efficiency and effectiveness of the coordination. Please refer to the Table 2-2 for an overview
of these procedures.
A research performed by Ambaum (2007) where the role of IA with relevance to CSR in the Netherlands was
empirically tested by means of a survey on 29 IA functions it was concluded that there is much potential to add
value as internal auditors when it comes to consulting on CSR related issues as his research shows that only
17% of the IA functions involved performed active market research in the field of CSR and that only 38%
monitored the integration of CSR in the annual risk analysis. This research concludes that not only the
development phase but all phases of the CSR process, including the creation of the design, implementation in
the organization and strengthening the operational effectiveness are ideally suited for a good contribution from
IA by means of a consultancy role.
The role of the IAF in CSR| 18
CSR Process Step Role of IA
(Re)formulating CSR policy and
strategy
-
Information, Risk Management and
Planning
Assessment of the scope of the report (i.e. which entities). Knowledge of the
organization and expertise in the field of accounting can be used and of added
value here
Implementation and operation Support the organization by providing training regarding the verifiability
requirements and design of the audit files;
Advising the Board with respect to the contents of the engagement with the
external auditor, as IA has a broad understanding of the organization and
underlying processes, and its possession of materials and knowledge of work
performed on which the external auditor may be able to rely. Also, IA can advise
on the appointment of the external auditor, where it regards the experience and
expertise in the field of CSR reporting.
Checking and corrective action Perform an assessment of the internal reporting and data collection process;
Assessment of the content of the report, especially with regard to relevance,
materiality and prioritization of the issues being reported. As part of this, the
internal auditor will evaluate and advice on the continuous involvement of
stakeholders, as well as the care for the completeness and prioritization of topics;
Assessment of the quality of the report, where quality features such as balance,
comparability, accuracy, timeliness, clarity and reliability are important;
To achieve efficiency, the internal auditors take over a great part of the data-
centric and system-oriented work from the external auditor. The internal auditors’
in-depth knowledge of the organization and its processes will be embayed here.
The internal auditor will work closely with the external auditors (perhaps in the
form of integrated audit teams). The internal auditor also performs the check on
control guidelines for the organization;
The joint preparation of the (draft) assurance report and management letter;
Monitoring of the follow-up on audit findings.
Management review and continual
improvement
-
Table 2-2: Activities for IA to ensure efficient and effective collaboration with EA
2.5 Chapter summary
Based on existing literature and extant research performed the following propositions are formulated for
practical research.
P1: The CSR process within an organization is organized according to the PDCA cycle and therefore
strongly resembles Nieuwlands’ Sustainability Management System.
P2: As the CSR process becomes more mature IA will increasingly take on an assurance role and will
less frequently take on the role of consultant.
P3: The internal auditor and the external auditor work closely together, especially when auditing the
CSR report. The internal auditor coordinates his activities with that of the external auditor, and vice
versa.
The main focus of empirical research performed in this area has not yet been the improvement areas for IA in
the CSR process. Additional research is therefore required to determine what these improvement areas are.
CSR and the role of IA| 19
CSR Process Step Role of IA
Summary Consulting Assurance
(Re)formulating CSR
policy and strategy
Consulting on CSR
developments
Facilitating
identification of
objectives and risks
Identifying relevant CSR-topics with regard to social
developments and adjustments in the field of laws and
regulations [IIA and NBA, 2011].
Consulting on operationalizing of these relevant CSR-topics.
This includes supporting management when defining CSR,
implementing CSR in the strategy (or setting up the CSR policy
and developing the CSR strategy), and defining objectives,
standards and norms [Nieuwlands, 2006; IIA, 2010; IIA and
NBA, 2011].
-
Information, Risk
Management and
Planning
Facilitating
identification of
objectives and risks
Assist management in identifying, evaluating and implementing
risk management methodologies and controls to address CSR
risks [IIA, 2009; IIA and NBA, 2011].
Advising management for setting-up, implementing and
managing an effective SMS and CSR program [Nieuwlands,
2006; IIA and NBA, 2011].
Giving advice on the design of an information system [IIA and
NBA, 2011].
-
Implementation and
operation
Guiding external
assurance
Consulting on CSR
controls
Consulting on CSR-
framework
Act as an advisor to management during the set-up and
implementation of a risk and control framework and effective
control procedures, which are based on an assessment of critical
risk in the field of CSR [IIA, 2009; IIA and NBA, 2011].
Assisting management in determining the evaluation criteria to
measure whether CSR objectives are achieved [IIA and NBA,
2011].
Advising management on the allocation and communication on
roles and responsibilities, and clear guidelines to ensure an
effective SMS. This includes advising management on an
organizational structure, responsibilities and composition
staffing required for the effective CSR organization
[Nieuwlands, 2006; IIA and NBA, 2011].
Consulting management during the selection of the external
verifier of the CSR report, and scope of the CSR report. IA can
-
The role of the IAF in CSR| 20
also guide EA during the external audit to ensure effective and
efficient communication between EA and the CSR department/
manager throughout the audit [IIA and NBA, 2011].
Giving advice on internal and external accountability and
communication regarding CSR-performance, especially when it
regards the implementation of an information system [IIA and
NBA, 2011].
Checking and
corrective action
Assurance of CSR
data
Assurance of CSR
related processes
Evaluate CSR-Risk
Management
Evaluate CSR reports
Review of CSR
management
- Audits on the creation process of the CSR policy [IIA and
NBA, 2011].
Performing separate audits of third party for contractual
compliance with CSR terms and conditions [IIA, 2010].
(System) audits to provide assurance on the translation from
the strategy to the policies, procedures, models, management
cycle (PDCA) and the final report [IIA, 2009; IIA, 2010; IIA,
2011; Nieuwlands, 2006].
Evaluating the extent to which CSR ambitions of the
organization are included in the organization core processes
and management processes [IIA and NBA, 2011].
Audits regarding the adequacy of the internal control and
evaluation mechanisms [IIA and NBA, 2011].
Evaluating the reliability of performance measures [IIA and
NBA, 2011].
Audits on the effectiveness of embedding CSR in the
organization and processes [IIA and NBA, 2011].
Ensuring proper follow-up of the recommendations made as
a result of the internal and external audits.
Management review
and continual
improvement
- - -
Table 2-1: Consulting and Assurance activities for IA
CSR and the role of IA| 21
3 Research design
This chapter presents the methodology used in order to answer the research questions that were presented in
Chapter 1. First, the research approach is discussed, and then the data analysis method will be elaborated on.
3.1 Research methodology
The main objective of this research is to contribute to the awareness of internal auditors about their possible
role in the CSR process and about improvement opportunities for IA in the CSR process. Robson (2002)
defined exploratory research as a valuable means of finding out ‘what is happening; to seek new insights; to
ask questions and to assess phenomena in a new light’. This research aims to explore what the role of IA is in
the CSR process and what opportunities for improvement exist in this process for IA. Additionally, it aims to
explore this by obtaining an objective point of view from the external auditors. This research can therefore be
classified as an exploratory research that maintains a theory-testing approach [Geene, 2011].
3.1.1 Literature
Various literature, websites and research studies with regard to the topic of CSR in general are studied in order
to answer the theoretical research sub questions defined in Chapter 1. Reference is made to Chapter 6, which
provides a list of literature used.
3.1.2 Subject matter interviews
Subject matter interviews are selected as a first method of research as it is a valuable manner to easily collect
knowledge in a new and unknown field [Audehoven, 2007]. In this study subject matter interviews are used as
an exploratory approach helping the researcher to gain a better understanding of the CSR process in general
and about the role of IA and its improvement areas in particular. An expert possesses knowledge in three
dimensions: technical knowledge (specific and detailed knowledge in a particular field), process knowledge
(knowledge from direct interaction), and explanatory knowledge (own ideas and subjective opinion)
[Audehoven, 2007]. By means of the interviews with the subject matter experts (SME) the researcher tried to
elicit all three types of knowledge to obtain a thorough insight. For the subject matter interviews, two
interviews are conducted with external verifiers of CSR reports working in two separate accountancy firms.
This selection of accountancy firms is based on the predicted assumption that these two accountancy firms are
the biggest in the field of CSR audits in the Netherlands. These respondents all represent experts as they all
are all highly experienced professionals, with at least ten years of experience in the field CSR. The table
below illustrates the expert interviews conducted. All interviews took place face-to-face.
Table 3-1: Subject matter experts
Company
Interview
ID no
Function CSR
experience
Location Duration Audio-
recording
EA 1 I1 CleanTech & Sustainability
Senior Manager Audit
13 years Groningen 30 minutes Yes
EA 2 I2 Global Head of Sustainability
Assurance
11 years Amsterdam 50 minutes Yes
The role of the IAF in CSR| 22
3.1.3 Case Studies
As this research is classified as an exploratory research that maintains a theory-testing approach, the following
possible research methods are recommended: case studies, histories and experiments [Yin, 2009]. In this
research study case studies are the method of choice as it evaluates contemporary events that cannot be
manipulated and controlled. Furthermore, case studies have been proposed by authors such as Robert et al
(2006) and Ciliberti et al (2008) as the method to advance the mainstreaming of CSR, as they can be very
effective to study complicated subjects as CSR. Finally, Schramm (1971) stated that “the essence of a case
study, the central tendency among all types of case study, is that it tries to illuminate a decision or set of
decisions: why they were taken, how they were implemented, and with what result”. This statement shows the
close resemblance with the main questions of this research and thus clearly illustrates the choice in the
research method of case study [Geene, 2011].
A multiple-case study design is chosen as the appropriate research design on the basis of theoretical
replication. To ensure convenience and efficiency, a small number of cases are observed. Using multiple cases
increases the robustness of the research, as the evidence from these multiple cases is more compelling, that
that of a single case study [Geene, 2011]. This research involves a field study of four IA functions and their
respective external auditors. The four companies selected all have CSR reports that are externally verified,
have an IA function that is plays a role in the CSR process of their organization; and have an external auditor
that relies on the work of IA when it comes to the CSR audit process.
The sample was restricted to the Netherlands because of practical reasons involved with data collection. For
the case selection the decision was made to focus on companies of only the two biggest external verifiers in
the field of CSR. Furthermore, selected only two of the four largest accountancy firms enables a better cross-
case comparison due to stability in the use of methodologies by the external auditor, while still gaining insight
based on the perspective of more than one external auditor. The large accountancy firms were used as a study
by KPMG International amongst the 250 largest organizations showed that two thirds of the companies that
get their reports externally verified choose to engage a major accountancy firm [KPMG, 2013]. From the six
remaining possible case selections, the following four cases were selected in Table 3-2. These cases were
selected based on their characteristics. It was assumed that companies in Financial Services would have a
more mature CSR process given the pressures to communicate on all types of performance, including CSR
performance. Also, as the Dutch government obligates all organizations of which they are a primary
shareholder to report on CSR, it is therefore assumed that these organizations will have a more mature CSR
process. And finally, as previously mentioned in Chapter 2, AEX listed companies are normally frontrunners
when it comes to CSR. Hence, these companies were selected as it was expected that they have a higher level
of maturity of the CSR process. Furthermore, IA has been involved in the antecedent maturity levels as well.
These cases therefore provide a best practice and hence improvement points for other IA functions in less
mature CSR processes. Reference is made to table 3-2 for the case profiles with characteristics of the
organization. Please refer to Appendix D for a short case description.
Table 3-2: Case Profiles
Company
ID name
Industry CSR in
strategy
Type Shareholders External
auditor
# of auditors in IA
(in CSR audits)
Case A Financial Services Y Niche player Dutch State EA 1 5 (1)
Case B Consumer Products Y Market leader AEX listed EA 2 55 (5)
Case C Transportation Y Market leader Dutch State EA 1 3 (3)
Case D Financial Services Y Market leader Cooperation of
farmers
EA 2 200 (10)
The role of the IAF in CSR| 23
3.1.4 Data Collection
“One of the unique strengths of a case study is its ability to deal with a full variety of evidence – documents, artifacts,
interviews, and observations…” [Yin, 2009].
The data collection aims for triangulation, encouraging the collection of information from multiple sources
while collaborating the same fact. Saunders described data triangulation as: “…the use of different data
collection techniques within one study to ensure that the data are telling you what you think they are telling
you” [Saunders et al., 2009]. The different methods of data collection used include the internal and external
documentation, interviews with the IA functions and interviews with the CSR audit departments of the EA
firms in order to offer a complete picture and to increase construct validity. As part of the case study research
triangulation was also used as a method to obtain the needed information. First, all available internal and
external documents relevant to the research objective were analyzed, these included: CSR reports, company
websites, and/or financial statements of the organizations. Also semi-structured interviews were conducted
with the internal auditor responsible for CSR in the selected cases after which they were requested to fill in a
maturity model (see appendix C) used.
The general description of the research and its purpose were presented to the companies with an introduction
email (see appendix A, to convince them of participation in this research by means of an interview. In order to
contact participants, the professional and social network of colleagues and J.J.M. Laan (lecturer of the course
Management Accounting at University of Amsterdam) and myself were used. All interviews lasted
approximately one hour which enabled the interviewees to speak freely. Interviews ensured an in-depth
understanding of the obstacles for improvement, and underlying reasons for decisions and motives when it
comes to the role of IA in the CSR process. The research model described above is illustrated in figure 1.
3.3 Data analysis
The aim of this thesis is to provide an answer to the research question: What is the role of IA, and what
opportunities for improvement exist for IA in the CSR process of an organization?
In order to answer this question based on the interviews held during the multiple case study research pattern
matching is used as a data analysis technique [Sarker, & Lee, 2003; Trochim, 1989]. By means of pattern
matching theoretical patterns are matched with the findings from the case studies (observational patterns).
Pattern Matching is a very strong method to ensure strong internal validity [Yin, 2009; Sarker, & Lee, 2003;
Trochim, 1989; Lee, 1989].
Data organization is an important step in the pattern matching technique. Especially for the interviews it is
important that the information obtained in the interviews is organized and analyzed in a systematic way in
order to make relevant conclusions. Therefore, interview scripts (appendix B) with a consistent topic list were
used. And almost all interviews were audio-recorded and transcribed with the permission of the respondents
(the transcriptions and audio files of the interviews are available upon request). This allowed the interviewer
to listen carefully and to capture all relevant and essential information. Moreover the records and transcripts
keep the entire conversation intact and does not allow for alterations. Consequently it increases the reliability
of the research [Stewart et al., 2007]. One interviewee however did not agree to audio-recording. This
interview was written out immediately after the interview to minimize data loss, and then sent to the
interviewee for verification. All transcriptions were sent back to the interviewee for their consent on
correctness of the data. Thereafter, the transcribed interviews were used to create coding tables, that capture
and group all the important expressions, quotes or sentences by the respondents based on the main issues
addressed in the interviews. These represent the observational patterns. The quotes and expressions presented
The role of the IAF in CSR| 24
in the tables are translations made by the researcher as the interviews were held in Dutch. The coding table
can be found in appendix E.
In summary, this study applies a multiple-case study design that combines interviews with external auditors
and internal auditors to answer the main research question. Various methods and techniques, which are
discussed throughout the chapter, are used to ensure high validity and reliability of the research. A summary
of these methods is provided below in table 3-3. Reference is made to table 3-4 for an overview of the
interviewees:
Table 3-3: Technique(s) applied to enhance credibility
Table 3-4: Interviewees per case
3.4 Chapter summary
The main objective of this research is to contribute to the awareness of internal auditors about their possible
role in the CSR process and about improvement opportunities for IA in the CSR process. As this is an
exploratory research with a theory testing approach, subject matter interviews combined with a multiple case
study research was selected as the appropriate research design. Opportunities identified by external auditors
were obtained through subject matter interviews and were tested and evaluated through interviews with the IA
functions. Through triangulation data was collected by performing a desk research on the cases selected,
interviews with IA functions, and a maturity model survey following up on the interview. The four companies
selected for the case study research all have CSR reports that are externally verified, have an IA function that
plays a role in the CSR process of their organization; and have an external auditor that relies on the work of
IA when it comes to the CSR audit process. By means of a cross case comparison improvement using pattern
matching points are highlighted and conclusions are drawn.
Criterion of enhanced credibility Technique(s) applied
Reliability Audi-recording, consistent topic list, case study database and protocol, use of native
language when possible
Internal validity Pattern matching
External validity Interviews with both IA and EA
Construct validity Triangulation, pilot interviews
Company Interview ID
no.
Function CSR
experience
Location Duration Audio-recording
Case A I3 CAE 4 years The Hague 51 minutes No
Case B I4 Senior Auditor 3 years Amsterdam 53 minutes Yes
Case C I5 Interim CAE 6 years Rotterdam 54 minutes Yes
Case D I6 Account manager
Professional Practice
8 years Utrecht 37 minutes Yes
The role of the IAF in CSR| 25
4 Findings
This chapter aims to answer sub-questions 5-8 formulated in Chapter 1 by presents and analyzes the findings
of this research. By means of the cross-case analysis, in which the results of the four case studies are bundled
and compared, the propositions as defined in Chapter 2 are reflected upon. Additionally, based on the results
of the subject matter interviews the improvement points mentioned by the external auditors are highlighted
and discussed.
4.1 CSR Process
How is the CSR process within organizations structured?
As part of the case study interviews, interviewees were requested to describe how the CSR process was
structured within their organization. Results show that the CSR process within the cases all include the PDCA
cycle allowing the process to improve and mature on a continuous basis. Once presented with the SMS from
Nieuwlands all four case interviewees indicated that the model was a fair representation of the CSR process
within their organization. These statements are evidenced by the following quotes:
“The PDCA cycle is key in this process to ensure that it does not remain a paper execution, but to ensure full integration
into the organization and to ensure continuous improvement of the process.” [I3, Chief Audit Executive. Translated by
the author]
“The CSR process here started with formulating a strategy to include CSR. After that we defined certain specific
objectives, and included CSR in our Risk Management process. Also we have set up a CSR committee with the
responsibility to define and secure KPI’s. This was the start of the implementation of CSR into the organization. We as IA
finally perform audits in which we structurally include CSR and report our findings to management. Looking at the
model from Nieuwlands, I can definitely say that our CSR process indeed looks like this.” [I3, Chief Audit Executive.
Translated by the author]
Unfortunately, when presented with the same question, both SMEs noted that this path is not followed in
practice, as an organization’s initial starting point normally differs. According to the SMEs CSR normally
starts with the organization’s involvement in several loosely correlated CSR initiatives or projects.
“However, what is seen in practice is that it doesn’t always follow this structured path, but that it can be initiated at any
of these process steps. Organizations are often already involved in some lose CSR activities as it is a natural driver for
people to give back to the society. These CSR activities are often initialed on individual level or by low/ middle
management, yet they are bundled and reported on in the organization’s CSR report. However often these initiatives are
not linked to the organizations products and services, and are not implemented into the core business processes. At some
point, usually when top management believes in CSR and is motivated by CSR, are initiatives selected that are more
closely linked to the organization. And only then is CSR implemented in the strategy of that organization”. [I1, Subject
matter expert. Translated by the author]
“What we see in the energy industry is that the CSR process sometimes starts with assigning a CSR officer to write a
CSR report. But these reports are usually inconsistent, lack direction and are not concrete as no CSR strategy is defined.
The CSR officer is asked to report on separate projects the organization is involved in, which are normally in one of the
CSR areas, such as environmental projects. However, at some point they realize that in order to make a difference they
cannot just be involved with uncorrelated project but that a CSR policy needs to be defined. In the CSR policy they
normally expand the CSR range to include other important CSR areas, such as social projects. Finally, we see that
organization then decide that they need to formulate a strategy to determine where they want to be in 5-10 years with
regard to CSR performance, how they want to be perceived, especially in comparison to their competitors. And then of
course implementation and execution of the CSR strategy is next in order to achieve goals. But this can only be
The role of the IAF in CSR| 26
successfully done once CSR is understood and defined within the organization”. [I2, Subject matter expert. Translated by
the author]
Based on these results it can therefore be concluded that CSR within and organization normally starts with the
organization’s involvement in several loosely correlated CSR projects initiated on an individual or low/middle
management level, and that frequently organization start reporting on these projects in the CSR report.
However, as a result these CSR reports often lack context, consistency and coherence with the organization
products, services and strategy. Finally, management realizes that in order to make a meaningful difference a
CSR policy, vision and strategy needs to be defined. Only when awareness and understanding is created in the
organizations does the actual implementation of the CSR process successfully start. The initiation of a CSR in
an organization therefore does not follow the structured path described by Nieuwlands. However, it can be
concluded that once the CSR process is implemented Nieuwlands’ SMS provides a fair representation of a
successful CSR process as it includes the PDCA cycle allowing for continuous improvement. The following
proposition is therefore supported: P1: The CSR process within an organization is organized according to the
PDCA cycle and therefore strongly resembles Nieuwlands’ Sustainability Management System.
4.2 The role of IA in CSR
What roles does IA attain in the CSR process?
Based on literature it was noted that IA can take up assurance, and consultancy roles in the CSR process,
which consist out of various activities (reference is made to figure 2-2), without jeopardizing the IA’s
independence and objectivity.
Results of the case study interviews demonstrate that most of the activities performed by IA relate to its
assurance role, followed by its consultancy role. Also interesting to note is that managing related activities are
also performed by IA functions even though these activities negatively affect (or create the appearance of
negatively affecting) their objectivity and independence. These results are demonstrated in figure 4-1 below.
Upon further inquiry it was noted that the extent to which these activities are performed by IA strongly relate
to the level of maturity of the organization’s CSR process, as expected. In the beginning phases of the CSR
process, IA mainly attains a consultancy role and even a managing role at times. However, as the process
matures these roles are increasingly replaced by an assurance role. This is supported by the following quotes:
"The tasks that we perform as an internal audit function are really dependent on the maturity of the CSR process. In the
beginning we had taken up a more advising role, however at some point we tried to push back some of this consultancy
work in order to focus on our main activity and that is audit. So, I think that we have performed all of these tasks at one
point or another". [I4, Senior Auditor. Translated by the author]
"We have performed each single one of these activities and still do to some extent; especially I still do as the head of the
[internal audit] department. Even those activities that are written as roles that should not be undertaken by the internal
auditor have been attained by us somewhere along the path. Especially in the beginning stages of the CSR
implementation did we perform these managing tasks as well. However, the responsibility for these activities and
decisions remained that of management. Currently I maintained a more consultancy role, whereas the rest of my team
increasingly takes on an assurance role as the CSR process becomes more mature." [I5, Interim Chief Audit Executive.
Translated by the author]
"However as this process was continuously subject to change, the role of the internal accountant was mainly that of
consulting. (…) Our advisory role slowly transformed into more of an assurance role when we started to look at how we
would audit the whole sustainability process including the actual sustainability report". [I6, Account manager
Professional Practice and Sustainability. Translated by the author]
The role of the IAF in CSR| 27
Role Activities I3 I4 I5 I6
AS
SU
RA
NC
E
Assurance on CSR data
Assurance on CSR (related) processes
Evaluate CSR-Risk Management
Evaluate CSR reports
Review of CSR management
CO
NS
UL
TIN
G Guiding external assurance
Facilitating identification of objectives and risks
Consulting in CSR-controls
Consulting on CSR-framework
Consulting on CSR developments
Preparing CSR implementation strategy
MA
NA
GIN
G Managing of CSR processes
Management assurance on CSR
Decision-making regarding CSR
Preparing CSR reports
External accountability regarding CSR
Table 4-1: IA’s current activities in the CSR process
Based on the field research conducted, the maturity model in Table 4-2 was developed in order to determine
how the role of IA changes as the process becomes mature. The model indicates when the activities are mostly
performed by IA at various levels of maturity (as described in Chapter 2) and visualizes the evolution of the
CSR process and the role of IA in it. It should be noted that for the ‘optimized’ maturity level the activities are
selected based on assumptions and expectations, as none of the cases have reached this level of maturity.
In short, IA takes up assurance, consultancy and managing roles in the CSR process. The actual role IA attains
in the CSR process is dependent upon the maturity level of the CSR process. It can be concluded that the role
of IA in the CSR process changes from a consultancy and managing role to a more assurance role as the
process becomes matures. The following proposition is therefore supported in this research: P2: As the CSR
process becomes more mature the IA will increasingly take on an assurance role and will less frequently take
on the role of consultant.
CSR and the role of IA| 28
CSR PROCESS STEP ACTIVITIES MATURITY LEVEL
Initial Repeatable Defined Managed Optimized
(Re)formulating CSR policy and strategy
Identifying relevant CSR-topics with regard to social developments
and adjustments in the field of laws and regulations
Consulting on defining CSR within the organization
Supporting management in implementing CSR in the existing strategy or in developing a CSR strategy, and setting up the CSR policy
Assisting management in defining CSR objectives, standards and
norms
Audits on the creation process of the CSR policy
Reviewing the adequacy of the translation of strategy into operational
objectives
Information, Risk
Management and Planning
Implementation and operation
Assist management in identifying, evaluating and implementing risk management methodologies and controls to address CSR risks
Advising management for setting-up, implementing and managing an
effective SMS and CSR program.
Giving advice on the design of an information system and
communication structure around CSR
Implementation and
operation
Checking and corrective action
Act as an advisor to management during the set-up and
implementation of a risk and control framework and effective control
procedures, which are based on an assessment of critical risk in the field of CSR
Assisting management in determining the evaluation criteria to
measure whether CSR objectives are achieved
Advising management on the allocation and communication on roles
and responsibilities, and clear guidelines to ensure an effective SMS.
This includes advising management on an organizational structure,
responsibilities and composition staffing required for the effective CSR organization
Consulting management during the selection of the external verifier of
the CSR report, and the scope of the CSR report
Guiding the external accountant during the external audit to ensure
effective and efficient communication between the external accountant and the CSR department/manager throughout the audit
Giving advice on internal and external accountability and
communication regarding CSR-performance, especially when it concerns the implementation of an information system
The role of the IAF in CSR| 29
Evaluating the extent to which CSR ambitions of the organization are
included in the organization core processes and management processes
Audits regarding the adequacy of the internal control and evaluation
mechanisms
Evaluating the reliability of performance measures
Audits on the effectiveness of embedding CSR in the organization and
processes
Checking and corrective
action
Performing separate audits of third party for contractual compliance
with CSR terms and conditions
(System) audits to provide assurance on the translation from the
strategy to the policies, procedures, models, management cycle (PDCA) and the final report
Evaluating the extent to which CSR ambitions of the organization are
included in the organization core processes and management processes
Audits regarding the adequacy of the internal control and evaluation
mechanisms
Evaluating the reliability of performance measures
Audits on the effectiveness of embedding CSR in the organization and processes
Ensuring proper follow-up of the recommendations made as a result of
the internal and external audits
Management review and
continuous improvement
-
N/A N/A N/A N/A N/A
Table 4-2: Role of IA per maturity level
CSR and the role of IA| 30
4.3 Coordination of EA and IA
How do the external auditor and IA function of an organization work together in the CSR process?
In the literature review it was learned that 59% of the world’s largest companies (Global 250) now externally
verify CSR reports, however it was also learned that this is still not common practice in the Netherlands.
Additionally, this research found that from the total of companies externally verifying their CSR reports at the
two accountancy firms selected in this research, only a mere 10-15% of the IA functions were involved in the
CSR process. And even then, collaboration between EA and IA in the CSR process is frequently initiated by the
external auditors. In these circumstances EA often divides and defines the roles to be executed by IA, after
which IA merely passively performs those assigned activities. These activities mainly include performing data-
centric and system-oriented audits on CSR data and processes, hence providing EA with substantiation for the
information in the CSR report.
“The collaboration with our clients is one that I can only describe as pleasant. However, as the collaboration is normally
initiated by us, you do see that we usually make the decisions. We tell them what to do and that is exactly what they do, and
these tasks only relate to auditing and not to the other parts of the CSR process. In the financial audit they definitely work
more closely with the internal audit. (...) In my opinion internal audit should be more involved in the CSR process, they
should obtain the internal knowledge in this area that we don't have. Together we can provide a report of higher quality”.
[I1, Subject matter expert. Translated by the author]
This statement is even supported by one of the case study interviewees based on his experience as a consultant:
“At some companies I see that the external accountant decides on the role of the internal auditor, and this irritates me to
the core. It should be the other way around”. [I5, Interim Chief Audit Executive. Translated by the author]
In the research performed by the NBA and IIA (2011) a best practice was highlighted stating that the internal
auditor and the external auditor work closely together, especially when auditing the CSR report. And that the
internal auditor coordinates his activities with that of the external auditor, and vice versa. This best practice is
confirmed as indeed a best practice and ideal situation through the case interviews. In the selected cases – who
are frontrunners in this area – the collaboration is described as a two way relationship, in which IA and EA work
closely together and in which IA coordinates its activities with EA, and vice versa. The following quotes
illustrate this:
"We were one of the first companies to publish an integrated report with reasonable assurance. This was not done before,
and therefore we had a strong collaborative relationship with the external accountant from the start. Together with the
external accountant we discussed throughout the integration process on what the expectations were and what the roles and
responsibilities were going to be”. [I5, Interim Chief Audit Executive. Translated by the author]
"As [Case D] wanted to obtain reasonable assurance on the report from the start, the internal accountant function worked
closely together with the external accountant to discuss and determine the role of the internal accountant function and that
of the external accountant. A plan was made together with the external accountant on how to reach reasonable assurance.
In this, we have closely worked together ever since”. [I6, Account manager Professional Practice and Sustainability.
Translated by the author]
Based on field research it was noted that the following activities are frequently performed together in case of
collaboration between the external auditor and the internal auditor: the preparation and execution of the kick-off
session, the preparation of the resource planning, the division of tasks between the CSR department, EA and IA,
and sometimes interviews with process owners are held together as well. Additionally, the following best
practice procedures as described by the IIA and NBA in Figure 2-2 are performed:
The role of the IAF in CSR| 31
Procedures I1 I2 I3 I4 I5 I6
Support the organization by providing training regarding the verifiability requirements
and design of the audit files
Advising the Board with respect to the contents of the engagement with the external
auditor and advise on the appointment of the external auditor
Perform an assessment of the internal reporting and data collection process;
Assessment of the content of the report (i.e. relevance, materiality and prioritization of
the issues)
Assessment of the scope of the report (i.e. which entities)
Assessment of the quality of the report (i.e. balance, comparability, accuracy,
timeliness, clarity and reliability)
To achieve efficiency, the internal auditor takes over a great part of the data-centric
and system-oriented work from the external auditor, while working closely with the
external auditors
The joint preparation of the (draft) assurance report and management letter
Monitoring of the follow-up on audit findings with regard to CSR
Table 4-3: Collaboration procedures IA and EA
Interesting to note from this table is that according to the SMEs assessing the content and quality of the report is
not an activity which is performed by the IA functions, whereas all four IA functions indicate that this is an
activity performed by them in collaboration with the external auditor. According to the SMEs this finding can be
explained by the fact that the IA functions interviewed as part of this research are all front-runners in the area of
CSR and in having a collaborative relationship with EA in that area. In general however, the assessment of the
CSR report’s content and quality is according to these SMEs, definitely an activity in which IA can contribute
and improve.
To conclude, only a mere 10-15% of the IA functions is involved in the CSR process of its organization,
allowing them to collaborate with the external auditors during the verification of the CSR report. This
collaboration is generally initiated by EA who defined and assigns the roles, after which IA passively perform
the activities assigned to them. This is however not the case for the leaders in the field of CSR. When
extrapolating it to the total population, P3 is rejected as it indicates a two way coordination that is clearly not
common.
4.4 Improvement areas for IA
What are the improvement areas for IA in the CSR process?
The interviewees were asked to highlight improvement areas for IA, to indicate which risks are associated with
auditing the CSR report, and to indicate whether there was a role for IA in reducing those risks. The following
risks and improvements for IA were identified:
Risks SMEs IA functions
Lack of standards I1 I4, I5
High number of systems I1, I2 I4
Low frequency of data retrieval (incidental) I2
Reliability of the information I1, I2 I4, I5
Completeness of the report I2
Balance of the report I2
Insufficient support in the organization I5, I6
Table 4-4: Risks in auditing the CSR process
The role of the IAF in CSR| 32
Improvement points SMEs IA functions
CSR Knowledge and skills I1, I2 I3, I6
System-oriented audits performed by IA I1 I5
Maintaining an consultancy role throughout the
CSR process
I1, I2
Play a more active role in the CSR process I1, I2
Play a role in defining standards I4, I5, I6
Table 4-5: Improvement points for IA
To summarize, the SMEs indicated that there are several risks in auditing the CSR process which should be of
great focus to IA. Mostly these risks are due to the lower level of maturity of the CSR process in comparison to
the financial reporting process.
“The risks in auditing the CSR process are dependent upon the maturity level of the CSR process. In the beginning the
biggest risk is whether there are strategically enough reference points or standards, so to speak, to actually perform the
audit. In the next phase the reliability of the information and systems is a high risk, but also the lack of support in the
organization requires significant attention. Without the support of the organization, and without them seeing the added
value of CSR, it is like flogging a dead horse”. [I5, Interim Chief Audit Executive. Translated by the author]
Furthermore, combining the two tables and other comments made through the interviews the following
important improvement points were identified:
1. Increase proactive involvement in the CSR process: As previously mentioned this research noted that
at a mere 10-15% of IA functions are involved in the CSR process. With CSR being one of the top 10 emerging
risks, and it becoming increasingly important in the business world, IA need to step up and take a more
proactive role in this process. When looking at the empirical research performed in 2007 and 2011, insufficient
strives have been made by the IA in the CSR process. Especially when we bear in mind that in even when IA is
involved, this involvement is frequently initiated by EA and only limits to the tasks assigned by EA.
“I think that the reason that internal audit does not take a more active role in auditing the CSR process is because they are
not aware of what they role in the process could be. We would like to see them take up a more active role, so that they can
actually start to add value". [I2, Subject matter expert. Translated by the author].
In short, a proactive involvement in the CSR process is not only expected but essential for the future success of
the organization. The need for IA’s involvement in the CSR process is highlighted in this research as only IA is
able to provide the internal knowledge that EA cannot otherwise obtain. Through combining the external,
industry, and CSR specific knowledge of the external auditor and the internal, organization specific knowledge
of the internal auditor, a higher quality of the CSR report can be obtained [I1, Subject matter expert].
2. Improve IA’s CSR knowledge and skills: The improvement point most frequently mentioned as a
point of attention is the CSR knowledge and skills of the internal auditors. In order to add value through
consultancy and assurance, the knowledge and skills of the IA function regarding CSR should be of sufficient
level. Additionally obtaining CSR specific knowledge and skills is required to be in accordance with the IIA
professional standard 1210 on proficiencyvii
.
“The main improvement point is CSR knowledge and skills. Their audit skills are fine, but specific knowledge with regards
to CSR is missing. This results in audits focusing and reporting on the wrong issues, and results in incomplete and
unbalanced reports. I am sure that a great part of the internal auditors auditing CSR have not been educated on the topic.
(…) Lack of capacity, knowledge and skills, and lack of intrinsic motivation are all reasons why internal audit is not part of
the CSR process”. [I1, Subject matter expert. Translated by the author]
The role of the IAF in CSR| 33
"My advice to internal audit departments with a less mature CSR process would be to ensure you obtain basic knowledge
regarding CSR through trainings and education. Communication with your internal sustainability department and the
external account is key. You need to first understand the product, developments in this area and what it is that they are
doing in order to provide assurance. You also need to know what the requirements for the sustainability report are in order
to audit it appropriately". [I6, Account manager Professional Practice and Sustainability. Translated by the author]
Lack of CSR knowledge by the internal auditors has resulted in incomplete and unbalanced reports as IA is
frequently not aware of what is written in GRI and hence what should be included in their organization’s CSR
report. This is evidenced by the fact that only two out of the 19 internal auditors in the four cases involved in
CSR have completed a study in the field of CSR. Even though this improvement point was not necessarily
indicates as an improvement point for the selected cases, they indicated that it definitely is a point of constant
attention. It is essential to be continuously be aware that in order to perform audits appropriately, they need to
ensure that their CSR knowledge are up to date through internal trainings and seminars provided as part of their
profession.
Additionally internal auditors need to improve their skill set in order to conduct CSR audits. The CSR audit
process is not one with a fixed set of standards but it is one in which professional judgment and experience is
needed to formulate organization specific standards based on the GRI principles. Currently internal auditors are
stating that auditing in the absence of a reference model is not possible (i.e. in case of soft controls and CSR
audits). It is not the absence of a reference model that is the issue, but the skill of auditing a process without a
checklist that is the issue [I2, Subject matter expert]. A SME described that an auditor with an advisory skill set
is what is needed:
“Another issue it the skill set of the current internal audit functions. Ideally an internal auditor with an advisory skill-set is
needed to audit the CSR process. An internal auditor with a wider perspective, one that can include the relationship with
stakeholders in its decision making, an auditor that can look beyond processes and reference models and can see the real
issue at hand, that is the kind of auditor that is needed. (...) internal auditors need to learn to ask the right questions instead
of relying on a predefined checklist. However this brings us back to the first point of improvement, as in order to ask the
right question auditors need the have up to date CSR knowledge". [I2, Subject matter expert. Translated by the author]
3. Increase the advisory role of IA: Based on field research it is stated that especially the consultancy
role is subject for improvement. As noted in paragraph 4.2, IA takes up assurance, consultancy and managing
roles in the CSR process. However generally stating, IA only contribute to the CSR process through an
assurance role by performing data-centric and system-oriented audits [I1, Subject matter expert; I2, Subject
matter expert].
Also, as the process matures IA increasingly perform assurance related tasks, and decreasingly take on a
consultancy role. A need exists for an IA function that is continuously involved in the (re)design of the CSR
process, and its controls and frameworks through advising on required improvements and needs for change.
4. Earlier involvement in the CSR process: The lack of standards to audit against is highlighted as one
of the most significant risks. Based on field research it was noted that IA finds it difficult to define CSR audit
standards as the GRI guidelines are only principle-based, and as there is no history to benchmark these standards
against. To face this challenge and to reduce this risk, early involvement (in the initial stage of the CSR process,
including in the strategy formulation step) of IA is needed. Especially the role as an advisor is key in the early
stages to ensure an auditable CSR process is implemented.
The cause of most unsuccessful CSR processes and CSR audit processes is described to be due to lack of
implementing CSR in the organization’s strategy, strategy formulation and monitoring. Often a separate CSR
The role of the IAF in CSR| 34
strategy is defined and implemented making it more difficult to define standards to test the CSR process against
[I5, Interim Chief Audit Executive]. The early involvement of IA in the strategy formulation and
implementation can increase the likelihood of an auditable CSR process (which also meets GRI standards) by
playing a significant role in defining CSR and in translating the objectives into auditable KPIs and performance
measures [I4, Senior Auditor]. Essential in this process is however that IA communicates openly with the
internal CSR department (if applicable) and the external auditor to combine the knowledge and to decide upon
strict audit standards.
“In order to get a CSR process resulting in complete and accurate information, a lot needed to be designed before
implementation. A process needed to be defined based on GRI; however it also needed to be auditable. Therefore the
principle-based guidelines needed to be translated into hard company-specific standards to audit against. Early
involvement in the process therefore is key.” [I6, Account manager Professional Practice and Sustainability. Translated by
the author]
Furthermore, a more active involvement of IA in the beginning of the process can help increase the
organizational support needed for the CSR process to be successful. Especially in circumstances where the
support system is under pressure, for example when negative events have occurred, should IA convince the
board of reporting on these negative events [I5, Interim Chief Audit Executive].
5. Increase and improve the performance of system-oriented audits: In the CSR process data is
generated and extracted from various independent systems. Combining this with the lower level of maturity of
the CSR process, and the low frequency of data retrieval, it creates one of the biggest current risks in the CSR
audit process.
“I would say that the fact that CSR is not a continuous process but an incidental one is a risk. The frequency on which data
is retrieved from the systems is often once or maybe twice a year. This increases the changes of errors and affects the
completeness and balance of the CSR report” [I2, Subject matter expert. Translated by the author]
Furthermore, non-financial data is often generated and extracted through end-user-computing files and reports
using Microsoft Excel or through systems that are still in their development stages. As a result non-financial
data tends to be less reliable [I1, Subject matter expert]. To reduce this risk it is important for IA to perform
both data-centric as system-oriented audits to determine the reliability of the data and the systems used.
However, in practice it is seen that these system-oriented audits are not performed by IA to the extend needed.
Often the external auditor needs to encourage IA to perform these audits or to include CSR into the system-
oriented audits that are already being performed as part of the audit plan.
“However, we constantly need to encourage internal audit to perform these system-oriented audits, or to include CSR in
system-oriented audits that are already in their audit plan. This is not usually initiated by the internal audit department
itself”. [I1, Subject matter expert. Translated by the author]
This research suggests IA to integrating CSR into the standard audit plan and into every audit that is being
performed. As a result the frequency of data retrieval increases, making the CSR process a continuous process
instead of an incidental one, which in turn increases the reliability of the non-financial data. For example, when
IA is already performing an audit on the HR process, they can also easily look at non-financial elements of the
HR process such as the number of immigrants working at the company.
4.5 Chapter summary
In Chapter 2 three propositions were identified for further research. Based on the subject matter interviews and
case study research performed the following can be concluded.
The role of the IAF in CSR| 35
P1 was supported: the point of initiation of the CSR process of an organization differs per organization,
however once management has decided that a CSR policy and strategy needs to be formulated the CSR
process is structured in accordance with the PDCA cycle. It was noted that Nieuwlands’ SMS provides
a fair representation of a successful CSR process in practice.
P2 was also supported: IA can take up an assurance, consultancy or managing role in the CSR process.
In general it was concluded that IA attains a more assurance related role than a consultancy role. It was
also noted however, that the role of IA in the CSR process changes to a more assurance role as the
process becomes more mature.
P3 was rejected: mostly the collaboration is initiated by EA who assigns and divides the roles, which are
subsequently performed by IA.
Additionally, various improvement points were mentioned including: increasing proactive involvement in the
CSR process; improving IA’s CSR knowledge and skills; increasing the advisory role of IA; ensuring earlier
involvement in the CSR process; and increase and improving the performance of system-oriented audits.
The role of the IAF in CSR| 36
5 Discussion
“I think that the reason that the internal audit does not take a more active role in auditing the CSR process is because they
are not aware of what they role in the process could be". [I2, Subject matter expert. Translated by the author]
IA departments are increasingly being asked to consult its organization on emerging risks including CSR and to
provide assurance on the extent to which these risks are mitigated in the organization. This research aims to
contribute to the awareness of internal auditors on their possible role in the CSR process, and on opportunities to
add value and to improve the CSR process within their organizations. As a result, the following research
question was formulated: What is the role of IA, and what opportunities for improvement exist for IA in the CSR
process of an organization? In this chapter we will summarize the findings of this research by answering the
main research question.
5.1 Conclusion
As mentioned in Chapter 1, IIA and the NBA published a report in 2011 based on empirical research stating that
of the IA functions participating in their research 30-40% are involved through either an assurance role,
consultancy role or both in the CSR process. And that this involvement is only to increase in the coming years.
Furthermore, the results concluded that IA adds significant value in the CSR process through a broad scope of
activities including taking on a consultancy role. As this research was only based on results provided by IA
functions and largely based on surveys as a method of research, this research aimed to address a different point
of view, that of the external auditor, and a different research method to explore what the current role of IA in the
CSR process is.
Based on the findings of this research it can be concluded that leading IA functions are involved in the CSR
process through assurance, and consultancy roles. Building on extant literature, this research concludes that the
actual role attained by IA is indeed highly dependent upon the level of maturity of the CSR process. The role of
IA tends to shift from a consultancy, and at times even a managing role, to a more assurance providing role as
the CSR process matures from initial to optimizing. Activities that are decreasingly performed, as the CSR
process matures, include advising on the set up and implementation of the CSR process. These activities make
way for the following assurance providing activities: auditing the CSR report on scope and quality, and auditing
the process of translating the strategy to the policies, procedures, models, management cycle (PDCA), and the
final report. Through the development of the maturity model in this research, awareness is created on the
possible activities to be performed by IA at various levels of maturity. Noteworthy is however that in contrast to
the findings in the research by NBA and IIA, this research highlights that the involvement by IA in the CSR
process is generally limited to its assurance role by performing data-centric and system-oriented audits. A role
that is imposed by the external auditor and subsequently passively executed by IA. Also, this research concludes
that only 10-15% of the IA functions are involved in the CSR process.
The significant difference between these findings with that of the IIA and NBA are either the result of less
involvement by IA over the years, participation of IA functions that are front-runners in the area, or by the
research method chosen by the IIA and the NBA. Either way these results directly highlight the most significant
improvement points resulting from this research: increase the active involvement of IA in the CSR process, and
increase the performance of consultancy related activities in the CSR process. These points are of high
importance and subject to immediate improvement, as organizations need IA to take a broader mandate within
the organization and are increasingly being asked to not only provide operational business insights to the
organization, but to also help in addressing key business risks and in preparing for critical emerging risks that
The role of the IAF in CSR| 37
the organization knows are approaching. Amongst the top of ten of the most important emerging risks is climate
change and sustainability (CSR). For IA to add value to its organization, it needs to attain an active role to
consult its organization on these risks and must provide assurance on the extent to which these risks are
mitigated in the organization.
Another significant improvement point resulting from this research is the CSR knowledge and skills of internal
auditors. In line with the IIA standard on proficiency IA needs to collectively have the CSR knowledge and
skills needed to perform CSR related audits. However it is noted that only 11% of the total of internal auditors
in the IA functions of this research have completed CSR related studies, as a result lack of CSR knowledge lead
to an unbalanced and incomplete CSR reports. Also internal auditors are often missing the skillset needed to
perform CSR audits as these audits are often principle-based and do not have a standard checklist to be used.
Auditors with an advisory skill-set, which are able to ask the right questions without having a checklist, are
required.
Also noted is that especially in the beginning stages of the CSR process there is an important consultancy role
for IA to ensure an auditable CSR process is implemented. The early involvement of IA in the strategy
formulation and implementation can increase the likelihood of an auditable CSR process (which also meets GRI
standards) by playing a significant role in defining CSR and in translating the objectives into auditable KPIs and
performance measures. Furthermore, a more active involvement of IA in the beginning of the process can help
increase the organizational support needed for the CSR process to be successful.
Finally, based on the field research conducted it was concluded that the performance of system-oriented audits
by IA needs to increase and improve. The urge for this improvement lies in the fact that in the CSR process data
is generated and extracted from various independent systems, which are often still Microsoft Excel based or in
the beginning development stages. Combining this with the lower level of maturity of the CSR process, and the
low frequency of data retrieval, it creates one of the biggest current risks in the CSR audit process. To reduce
this risk it is important for IA to perform both data-centric as system-oriented audits to determine the reliability
of the data and the systems used. However, in practice it is seen that these system-oriented audits are not
performed by IA to the extend needed. This research suggests IA to integrating CSR into the standard audit plan
and into every audit that is being performed.
5.2 Limitations and recommendation for future research
There are however several limitations in this research. First of all improvement points are highlighted by EA.
EA however might have different incentives and goals than the IA functions. A small possibility also exists that
the decennia-long tension between EA and IA might have affected the results of this research. Furthermore, the
improvement points mentioned by EA are only based on the activities in which they work together with the IA.
Therefore the improvement point listed in this research does not provide a complete list of improvement points
or it might not even provide a list of the most important improvement points. To mitigate this effect, this
research also requested IA for a list of improvement point.
However as the IA functions included in this research are front runners in the field of CSR and the role of IA in
it, the improvement points mentioned by these IA functions are mostly interesting for organizations with a more
mature CSR process. Future research should investigate improvement areas at IA functions of variously levels
of maturity.
It should be noted that when filling in the maturity model, it was filled in based on the interviewee’s best
intuition. These results may therefore be biased by interviewee’s personality treats, their different perceptions
The role of the IAF in CSR| 38
and difference in job tenure. And finally, another limitation of this research design is the fact that these studies
are merely conducted at a specific point in time; it limits the ability to measure the long-term impact and
consequences of implementing CSR [Geene, 2011].
During this research it became apparent that there is a great need for a CSR maturity model and the possible role
of IA in this model. This research made a start to exploring and developing such a model, however this model
was not validated with external parties. A more extensive, in-depth and validated maturity model should be
developed allowing IA to determine their current state, explore their desired future state and to determine a path
to get to the desired level.
The role of the IAF in CSR| 39
6 Reference List
AMBAUM, B. (2007). De rol van de IAD bij maatschappelijk verantwoord ondernemen als auditobject. Referaat PDO
I/OA, ESAA.
AUDENHOVEN, VAN, L. (2007). Lecture on Expert Interviews and Interview Techniques for Policy Analysis. Vrije
Universiteit Brussel. www.ies.be/files//060313%20Interviews VanAudenhove.pdf.
CILIBERTI, F., PONTRANDOLFO, P., SCOZZI B. (2008). Investigating corporate social responsibility in supply
chains: a SME perspective. Journal of Cleaner Production, 16: 1579-1588.
COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION (2004). Enterprise
Risk Management - Integrated Framework.
DEKKER G. (2009). Samenwerking interne en externe auditor kan omhoog. De Accountant, November 2009, p.34 -37.
ELKINGTON, J. (1997). Cannibals with forks. The triple bottom line of 21st century business. Capstone Publishing Ltd.,
Oxford, UK.
EY (2013). Matching Internal Audit talent to organizational needs. Key findings from the Global Internal Audit Survey
2013. EYGM Limited, 2013
FREEMAN, R.E. (1984). Strategic management: A stakeholder approach. Boston MA: Pitman.
GEENE, J.A. (2011). Corporate Social Responsibility in Supply Chains of SMEs: Motives, Practices and Effects. Master
Thesis in Business Administration: MSc BA Accounting & Control – MSc BA Chain Management. RSM Erasmus
University, Rotterdam.
GRANT, R.W. (1997). Contemporary Strategy Analysis: Concepts, Techniques, Applications. Blackwell Business Books,
Oxford.
GRAY, R., JAVARD, M., POWER, D.M., SINCLAIR, D.C. (2001). Social and environmental disclosure and corporate
characteristics: a research note and extension. Journal of Business Finance and Accounting 28: 327–356.
GLOBAL REPORTING INITIATIVE (2002). Sustainability Reporting Guidelines. Global Reporting Initiative, Boston,
MA.
INSTITUTE OF INTERNAL AUDITORS (2009). IIA Position Paper: The role of internal auditing in Enterprise-wide
Risk Management. IIA Inc., Altamonte Springs, Fla., USA.
INSTITUTE OF INTERNAL AUDITORS (2010). IPPF - Practice Guide: Evaluating Corporate Social Responsibility/
Sustainable Development. IIA Inc., Altamonte Springs, Fla., USA. www.theiia.org/guidance.
INSTITUTE OF INTERNAL AUDITORS (2012). International Standards for the Professional Practice of Internal
Auditing (Standards). Standards and Guidance, Altamonte Springs, Fla., USA.
INSTITUTE OF INTERNAL AUDITORS & NEDERLANDSE BEROEPSORGANISATIE VAN ACCOUNTANTS
(2011). Governance in Duurzaamheid: Internal Audit en Corporate Social Responsibility. IIA Nederland,
Naarden. NBA, Amsterdam.
INTERNATIONAL AUDITING AND ASSURANCE STANDARD BOARD (2013). ISA 610 (Revised 2013), Using
the work of internal auditors and Related Conforming Amendments. International Federation of Accountants
(IFAC).
JOHNSON, G., SCHOLES, K. (1993). Exploring Corporate Strategy: Text and Cases. Prentice-Hall International, Hemel
Hempstead.
KOLK, A. (2001). Environmental reporting by the Fortune Global 250: exploring the influence of nationality and sector.
Business Strategy and the Environment 10: 15–28.
KOLK, A. (2003). Het eind van maatschappelijk verantwoord ondernemen, of het begin? Vossiuspers UvA, Amsterdam.
KOLK, A. (2003). Trends in sustainability reporting by the Fortune Global 250. Business Strategy and the Environment
12: 279–291.
KOLK, A. (2004). A decade of sustainability reporting: developments and significance. International Journal of
Environment and Sustainable Development 3: 51–64.
The role of the IAF in CSR| 40
KPMG (2008). International Survey of Corporate Responsibility Reporting 2008.
http://www.kpmg.eu/docs/Corp_responsibility_Survey_2008.pdf [1 June 2010].
KPMG (2013). The KPMG Survey of Corporate Responsibility Reporting 2013. KPMG International Cooperative
[December 2013].
LEE A. S. (1989). A scientific methodology for MIS case studies. MIS quarterly, 33-50.
MCWILLIAMS, A., SIEGEL, D.S., WRIGHT, P.M. (2006). Guest editors’ Introduction Corporate Social
Responsibility: Strategic Implications. Journal of Management Studies, Vol. 43, No. 1, pp. 1-18.
NIEUWLANDS, H. (2006). Sustainability and Internal Auditing. The IIA Research Foundation.
OWEN, D. (2006). Emerging issues in sustainability reporting. Business Strategy and the Environment 15: 217–218.
PRIKKEN, H. (2010). The European Sustainability Reporting Association Report for the Netherlands. ESRA,
http://www.sustainablereporting.eu/netherlands#.
PWC (2009). Internal Audit perspectives: Internal Audit perspectives on sustainability.
ROBERTS, S., LAWSON, R., NICHOLLS, J. (2006). Generating regional-scale improvements in SME corporate social
responsibility performance: lessons from responsibility Northwest. Journal of Business Ethics, 67(3): 275-286.
ROBSON, C. (2002). Real World Research. Second edition. Oxford: Blackwell.
RUSSO, M., FOUTS, P. (1997). A resource-based perspective on corporate environmental performance and profitability.
Academy of Management Journal, Vol. 40, pp. 534-59.
SARKER S., & LEE A. S. (2003). Using a case study to test the role of three key social enablers in ERP implementation.
Information & Management, 40(8), 813-829 .
SAUNDERS, M., LEWIS P., THORNHILL A. (2009). Research methods for business students, Fifth edition. Pearson
Education Limited: Harlow, England.
SCHRAMM, W. (1978). Notes on case studies of instructional media projects. Working paper for the Academy for
Educational Development, Washington, DC.
STEWART, D.W., SHAMDASANI, P.M., & ROOK, D.W. (2007). Focus groups: Theory and practice. London: Sage
publications.
TROCHIM, W. M. (1989). Outcome pattern matching and program theory. Evaluation and Program Planning, 12(4),
355-366.
YIN, R.K. (2009). Case Study Research: Design and Methods. Fourth edition. Thousand Oaks, California: Sage
Publications.
ZADEK, S. (2004). The path to Corporate Responsibility. Harvard Business Review, 82 (12).
The role of the IAF in CSR| 41
Appendix A - Introduction email
The introduction emails are in Dutch, as this is the native language of the interviewees.
---
Beste [geïnterviewde],
Op dit moment doe ik mijn afstudeeronderzoek in het kader van de RO Opleiding aan de Universiteit van
Amsterdam. Via [contactpersoon] ben ik aan uw e-mail adres gekomen. In deze mail zal ik een nadere
toelichting geven op wat ik precies wil onderzoeken.
In mijn onderzoek wil ik aan de hand van interviews met IADs onderzoeken wat de rol van de IAD in het CSR
audit proces is en welke verbetermogelijkheden er nog zijn voor de IAD op dit gebied vanuit het perspectief van
de externe accountant. Het interview is opgedeeld in 6 delen:
1) Introductie;
2) Het CSR proces;
3) Rol van de IAD in het CSR proces;
4) Samenwerking IAD en externe accountant in CSR proces;
5) Verbeterpunten;
6) Afsluiting.
In onderdeel 2 zal er voornamelijk gevraagd worden naar het CSR proces binnen [Bedrijfsnaam], waar
onderdeel 3 en 4 naar de mening en ervaring worden gevraagd over deze concepten: o.a. de huidige rol van de
IAD in het CSR audit proces van [Bedrijfsnaam], de samenwerking van de IAD met [naam accountantskantoor]
in het CSR audit proces, verbetermogelijkheden voor de IAD, en uw mening over de verbetermogelijkheden
aangekaart voor externe accountants.
Ik hoop dat deze uitleg wat meer duidelijkheid heeft gegeven over mijn onderzoek. Het lijkt mij erg leuk om u
hierover te kunnen interviewen. Op verzoek zal alle informatie van dit interview volledig vertrouwelijk worden
behandeld en geanonimiseerd worden in mijn scriptie.
Ik hoor graag wanneer een interview u het beste uitkomt.
Mocht u nog meer vragen hebben, dan kunt u mij ten alle tijden e-mailen.
Alvast bedankt voor uw moeite.
Met vriendelijke groet,
Jamila Geene
[Contactgegevens]
The role of the IAF in CSR| 42
Appendix B - Interview script
The interviews are in Dutch, as this is the native language of the interviewees.
---
Interview Protocol - Experts
Afgenomen op: … / … / 2014 Duur: … minuten
Afgenomen door: Jamila Geene Locatie: …
Interview met: …
Part 0 - Introductie
Introductie van de interviewer: naam, leeftijd, student, werkgever
Introductie van het onderwerp van het onderzoek, het doel en de aanpak.
Op verzoek zal alle informatie van dit interview volledig vertrouwelijk worden behandeld en geanonimiseerd
worden in mijn scriptie. Ik zit hier vanuit de rol als een student en niet vanuit EY. Ik hoop daarom een open
uitwisseling van informatie met u te hebben. Als u vragen heeft gedurende dit interview of ongemakkelijk voelt
bij het beantwoorden van een vraag, laat het dan vooral weten.
1. Gaat u akkoord met dit interview? Ja / Nee
2. Vind u het goed als ik van dit interview een tape opname maak om ervoor te zorgen dat geen informatie
mis en zodat ik in staat ben om de informatie in oorspronkelijke en ware betekenis te gebruiken? Ja /
Nee (Anders zullen er aantekeningen worden gemaakt)
3. Heeft u nog vragen voor we beginnen met het interview?
Deel A – Introductie van de geïnterviewde
1. Hoe lang bent u werkzaam binnen uw organisatie?
2. Wat is uw rol binnen de organisatie?
- Wat zijn u specialiteiten / expertise gebieden?
3. Kunt u aangeven hoeveel jaar ervaring u al heeft op het gebied van CSR?
Deel B – CSR proces
1. Kunt u het CSR proces binnen Nederlandse organisaties beschrijven? Hoe is het geregeld / ingericht?
- Herkent u het CSR proces zoals beschreven voor Hans Nieuwlands?
2. Er wordt gezegd dat er binnen meeste bedrijven niet zo een duidelijk CSR proces te vinden is, maar dat
dit in het begin meer losse delen zijn. Hoe beïnvloedt dit jullie rol binnen het CSR audit proces? En hoe
die van de IAD?
3. Leveren jullie zowel beperkte mate van zekerheid als redelijke mate van zekerheid?
4. Bij hoeveel % van jullie klanten bieden jullie een redelijke mate van zekerheid op het CSR verslag? En
waarom is dit niet bij alle klanten mogelijk?
5. Volgens jullie assurance letters voeren jullie de volgende activiteiten uit, is deze lijst compleet?
The role of the IAF in CSR| 43
A risk-analysis, including media search, to identify relevant CSR issues for the organization in the
reporting period;
Reviewing the suitability of the internal reporting criteria used and its consistent application including
conversion factors used;
Evaluating the design and implementation of the systems and processes for the collection, processing
and control of the information in the CSR report, including the consolidation of the data;
Interviewing management at corporate and business unit level responsible for the CSR compliance and
integrity policies, implementation management, internal controls, monitoring and reporting;
Interviews with relevant staff at corporate and business unit level responsible for providing information
for in the CSR report;
Evaluating internal and external documentation, based on sampling, to determine whether the
information in the CSR report is supported by sufficient evidence;
Joining an audit performed by the IAF;
Reviewing the relevant work of the IAF in respect of the information in the CSR report.
6. Bij het uitvoeren van een CSR audit, welke werkzaamheden voert KPMG additioneel uit om een
redelijke mate van zekerheid te bieden over het CSR rapport?
7. Waar liggen volgens u de voornaamste risico’s bij het auditen van een CSR proces? En wat zijn deze
risico’s?
8. Hoe beperken deze risico’s jullie rol in het CSR audit proces en hoe die van de IAD?
Deel C – Samenwerking met de IAD
1. Hoe zou u de huidige status van de samenwerking tussen de IAD en externe accountant beschrijven?
2. Denk u dat er (nog) ruimte is voor het verder ontwikkelen van deze samenwerking?
- Waarom (niet)?
- Hoe / op welke manier?
- Op welke gebieden?
3. Bij hoeveel CSR klanten (% gemiddeld), werkt [accountantskantoor] samen met de IAD en/of steunt
[accountantskantoor] op de werkzaamheden van de IAD?
4. Waarop baseert [accountantskantoor] de keuze om te steunen op de werkzaamheden van de IAD? En
wat is dus de reden waarom jullie dit bij …% van de klanten niet doen?
5. Door wie en wanneer wordt deze samenwerking geïnitieerd?
6. Wat is de rol van de IAD voornamelijk binnen deze samenwerking? Een adviserende rol of assurance-
gevende rol (door middel van audits)?
7. Indien er gesteund wordt op de werkzaamheden van de IAD, op welke werkzaamheden steunt
[accountantskantoor] dan voornamelijk?
- Binnen welke stappen van het CSR proces?
8. In het onderzoek van de IIA wordt een samenwerking tussen de IAD en de externe accountant op het
gebied van CSR als een ‘best practise’ beschreven. Bent u van mening dat een organisatie profiteert van
zo’n samenwerking? Vraag om toelichting.
9. Welke van deze best practice activiteiten zien jullie in de praktijk terug?
The role of the IAF in CSR| 44
Support the organization by providing training regarding the verifiability requirements and design of the
audit files;
Advising the Board with respect to the contents of the engagement with the external auditor, as the IAF
has a broad understanding of the organization and underlying processes, and its possession of materials
and knowledge of work performed on which the external auditor may be able to rely. Also, the IAF can
advise on the appointment of the external accountant, where it regards the experience and expertise in
the field of CSR reporting.
Perform an assessment of the internal reporting and data collection process;
Assessment of the content of the report, especially with regard to relevance, materiality and
prioritization of the issues being reported. As part of this, the internal auditor will evaluate and advice
on the continuous involvement of stakeholders, as well as the care for the completeness and
prioritization of topics;
Assessment of the scope of the report (i.e. which entities). Knowledge of the organization and expertise
in the field of accounting can be used and of added value here;
Assessment of the quality of the report, where quality features such as balance, comparability, accuracy,
timeliness, clarity and reliability are important;
To achieve efficiency, the internal auditor take over a great part of the data-centric and system-oriented
work from the external auditor. The internal auditors in-depth knowledge of the organization and its
processes will be embayed here. The internal auditor will work closely with the external auditors
(perhaps in the form of integrated audit teams). The internal auditor also performs the check on control
guidelines for the organization;
The joint preparation of the (draft) assurance report and management letter;
Monitoring of the follow-up on audit findings.
Deel D – Verbetermogelijkheden voor de IAD
1. Wat is volgens u op een schaal van 1-10 de volwassenheidsniveau van de IAD op het gebied van CSR?
2. Denkt u dat er verbetermogelijkheden zijn voor de IAD binnen het CSR proces?
- In wat voor opzicht?
- Waar zitten voornamelijk de zwakte punten, waardoor een samenwerking vaak niet gewenst is?
- En wat zijn volgens u dus de verbeterpunten voor de IAD binnen het CSR proces?
- Hoe zou u dit aanpakken als u hoofd IAD was?
Deel E- Afsluiting
1. Is er iets dat niet is behandeld in dit interview dat u wilt delen met mij?
2. Is het mogelijk dat ik contact met u opneem (per telefoon of mail) als ik later in dit onderzoek nog tegen
mogelijke vragen aanloop? Ja / Nee
3. Vind u het goed als ik het transcript van dit interview naar u opstuur ter verificatie? Ja / Nee
4. Zou u het fijn vinden als ik een samenvatting van de resultaten van dit onderzoek met u deel? Ja / Nee
Hartelijke dank voor het deelnemen aan dit interview.
The role of the IAF in CSR| 45
Interview Protocol - IAD
Afgenomen op: … / … / 2014 Duur: … minuten
Afgenomen door: Jamila Geene Locatie: …
Interview met: …
Part 0 - Introductie
Introductie van de interviewer: naam, leeftijd, student, werkgever
Introductie van het onderwerp van het onderzoek, het doel en de aanpak.
Op verzoek zal alle informatie van dit interview volledig vertrouwelijk worden behandeld en geanonimiseerd
worden in mijn scriptie. Ik zit hier vanuit de rol als een student en niet vanuit EY. Ik hoop daarom een open
uitwisseling van informatie met u te hebben. Als u vragen heeft gedurende dit interview of ongemakkelijk voelt
bij het beantwoorden van een vraag, laat het dan vooral weten.
1. Gaat u akkoord met dit interview? Ja / Nee
2. Vind u het goed als ik van dit interview een tape opname maak om ervoor te zorgen dat geen informatie
mis en zodat ik in staat ben om de informatie in oorspronkelijke en ware betekenis te gebruiken? Ja /
Nee (Anders zullen er aantekeningen worden gemaakt)
3. Heeft u nog vragen voor we beginnen met het interview? Ja / Nee
Deel A – Introductie van de geïnterviewde
1. Hoe lang bent u werkzaam binnen uw organisatie?
2. Wat is uw rol binnen de organisatie?
- Wat zijn u specialiteiten / expertise gebieden?
3. Kunt u aangeven hoeveel jaar ervaring u al heeft op het gebied van CSR?
4. Hoe groot is uw IAD? En hoeveel van deze werknemers houden zich bezig met CSR?
5. Hoeveel van deze medewerkers hebben een studie gedaan op gebied van CSR? Of hebben hiervoor een
inhoudelijke training gevolgd?
Deel B – CSR proces
1. Kunt u het CSR proces binnen uw organisaties beschrijven? Hoe is het geregeld / ingericht?
- Herkent u het CSR proces zoals beschreven voor Hans Nieuwlands?
2. Levert deze inrichting beperkingen op voor de IAD en de rol die de IAD daarin zou willen spelen?
3. Waar liggen volgens u de voornaamste risico’s bij het auditen van een CSR proces? En wat zijn deze
risico’s?
4. Hoe beperken deze risico’s jullie rol in het CSR audit proces en hoe die van de IAD?
Deel C – Rol IAD binnen CSR
1. Wat is voornamelijk de rol die uw IAD uitvoert binnen het CSR proces? Adviserend of assurance-
gevend?
2. Welke werkzaamheden voert uw IAD uit op het gebied van CSR? En welke werkzaamheden vooral
niet?
The role of the IAF in CSR| 46
Deel D – Samenwerking met de externe accountant
1. Hoe zou u de huidige status van de samenwerking tussen de IAD en externe accountant beschrijven? En
waarom?
2. Door wie en wanneer is deze samenwerking geïnitieerd?
3. Wat is de rol van de IAD binnen deze samenwerking? Een adviserende rol of assurance-gevende rol
(door middel van audits)?
4. Welke van deze best practice activiteiten worden door uw IAF uitgevoerd?
Support the organization by providing training regarding the verifiability requirements and design of the
audit files;
Advising the Board with respect to the contents of the engagement with the external auditor, as the IAF
has a broad understanding of the organization and underlying processes, and its possession of materials
and knowledge of work performed on which the external auditor may be able to rely. Also, the IAF can
advise on the appointment of the external accountant, where it regards the experience and expertise in
the field of CSR reporting.
Perform an assessment of the internal reporting and data collection process;
Assessment of the content of the report, especially with regard to relevance, materiality and
prioritization of the issues being reported. As part of this, the internal auditor will evaluate and advice
on the continuous involvement of stakeholders, as well as the care for the completeness and
prioritization of topics;
Assessment of the scope of the report (i.e. which entities). Knowledge of the organization and expertise
in the field of accounting can be used and of added value here;
Assessment of the quality of the report, where quality features such as balance, comparability, accuracy,
timeliness, clarity and reliability are important;
To achieve efficiency, the internal auditor take over a great part of the data-centric and system-oriented
work from the external auditor. The internal auditors in-depth knowledge of the organization and its
processes will be embayed here. The internal auditor will work closely with the external auditors
The role of the IAF in CSR| 47
(perhaps in the form of integrated audit teams). The internal auditor also performs the check on control
guidelines for the organization;
The joint preparation of the (draft) assurance report and management letter;
Monitoring of the follow-up on audit findings.
5. Op welke werkzaamheden steunt de externe accountant voornamelijk?
- Binnen welke stappen van het CSR proces?
6. Denk u dat er (nog) ruimte is voor het verder ontwikkelen van deze samenwerking?
- Waarom (niet)?
- Hoe / op welke manier?
- Op welke gebieden?
7. In het onderzoek van de IIA wordt een samenwerking tussen de IAD en de externe accountant op het
gebied van CSR als een ‘best practise’ beschreven. Bent u van mening uw organisatie profiteert van
zo’n samenwerking? Vraag om toelichting.
Deel E - Verbetermogelijkheden voor de IAD
1. Wat is volgens u op een schaal van 1-10 de volwassenheidsniveau van uw IAD op het gebied van CSR?
En waarom dat cijfer?
2. Wat zijn de verbetermogelijkheden voor uw IAD binnen het CSR proces? En zo ja, welke?
- In wat voor opzicht?
- Hoe wenst u dit cijfer te verhogen?
- Wat zijn hierbij de uitdagingen die ertoe hebben geleid dat deze nog niet zijn opgepakt?
3. De externe accountantskantoren hebben de volgende verbeterpunten aangegeven voor de IAD binnen
het CSR proces:
1. Kennis en kunde van de IAF op gebied van CSR
2. De kwantiteit en kwaliteit van het uitvoeren van systeem-gerichte controles door de IAD
3. Het behouden van een adviserende rol ook na de opzet van een CSR proces.
- Herkent u deze verbeterpunten?
- Wat is uw mening hierover?
- Zijn deze verbeterpunten haalbaar?
- Wat zijn de obstakels hierin?
Deel F- Afsluiting
1. Is er iets dat niet is behandeld in dit interview dat u wilt delen met mij? Ja / Nee
2. Is het mogelijk dat ik contact met u opneem (per telefoon of mail) als ik later in dit onderzoek nog tegen
mogelijke vragen aanloop? Ja / Nee
3. Vind u het goed als ik het transcript van dit interview naar u opstuur ter verificatie? Ja / Nee
4. Zou u het fijn vinden als ik een samenvatting van de resultaten van dit onderzoek met u deel? Ja / Nee
Hartelijke dank voor het deelnemen aan dit interview.
The role of the IAF in CSR| 48
Appendix C - Maturity Model
The email is in Dutch as this is the native language of the interviewees.
---
Beste [geïnterviewde],
Nogmaals hartelijk dank voor het meewerken aan mijn afstudeeronderzoek in het kader van mijn RO studie. Uit
de verschillende interviews kwam al snel naar voren dat de rol van de IAD erg verandert naar mate het CSR
proces in een organisatie volwassen wordt. Op basis van deze inzichten heb ik een volwassenheidmodel
gebouwd voor het MVO (CSR) proces.
Als basis voor dit model zijn de volwassenheidsfasen van een regulier proces genomen en zijn deze CSR
specifiek gemaakt, namelijk:
Initial CSR (related) processes are typically undocumented and in the state of dynamic change, tending
to be driven in an ad hoc, uncontrolled, and reactive manner by users or events. This provides a
chaotic or unstable environment for the processes.
Repeatable Some CSR (related) processes are repeatable, possibly with consistent results. Process discipline is
unlikely to be rigorous, but where it exists it may help to ensure that existing processes are
maintained during times of stress.
Defined The most important CSR (related) processes are defined, documented and established and have
been subject to some degree of improvement over time. These processes are in place and used to
establish consistency of process performance across the organization.
Managed Using process metrics, management can effectively control the CSR (related) processes. In
particular, management can identify ways to adjust and adapt the process without measurable
losses of quality or deviations from specifications. Process Capability is established from this
level.
Optimized Focus is on continually improving CSR (related) process performance through both incremental
and innovative changes/improvements.
Om helder te krijgen welke rollen er in de verschillende volwassenheidfasen van het CSR proces worden
uitgevoerd wil ik jou daarom vragen 10-15 minuten de tijd te nemen om komende week dit model in te vullen.
Jouw bijdrage gaat mij helpen om meer inzicht te krijgen in de rol die de IAD speelt in het CSR proces, maar
zal mij vooral de mogelijkheid geven om eventuele verbeterpunten te identificeren voor andere IADs die in dit
proces betrokken willen raken. Het model is in de bijlage van deze email toegevoegd.
Ik stel je response enorm op prijs. Mocht je nog vragen hebben, neem dan gerust contact met me op.
Met vriendelijke groet,
Jamila Geene
[Contactgegevens]
QUESTIONS
Dropdown
Rating Definition1 No2 Little3 Average4 Considerable5 Extensive
Initial Repeatable Defined Managed Optimized
CSR Process Step
Description CSR (related) processes are typically undocumented and in the stateof dynamic change, tending to be driven in an ad hoc, uncontrolled,and reactive manner by users or events. This provides a chaotic orunstable environment for the processes.
Some CSR (related) processes are repeatable, possibly withconsistent results. Process discipline is unlikely to be rigorous, butwhere it exists it may help to ensure that existing processes aremaintained during times of stress.
The most important CSR (related) processes are defined,documented and established and have been subject to some degreeof improvement over time. These processes are in place and used toestablish consistency of process performance across theorganization.
Using process metrics, management can effectively control the CSR(related) processes. In particular, management can identify ways toadjust and adapt the process without measurable losses of quality ordeviations from specifications. Process Capability is established fromthis level.
Focus is on continually improving CSR (related) processperformance through both incremental and innovativechanges/improvements.
CSR PROCESS STEP PROCEDURESIdentifying relevant CSR-topics with regard to social developments and adjustments in the field of laws andregulations
Consulting on defining CSR within the organization
Supporting management in implementing CSR in the existing strategy or in developing a CSR strategy, andsetting up the CSR policy
Assisting management in defining CSR objectives, standards and norms
Audits on the creation process of the CSR policy
Reviewing the adequacy of the translation of strategy into operational objectives
Assist management in identifying, evaluating and implementing risk management methodologies and controls toaddress CSR risks
Advising management for setting-up, implementing and managing an effective SMS and CSR program.
Giving advice on the design of an information system and communication structure around CSR
Act as an advisor to management during the set-up and implementation of a risk and control framework andeffective control procedures, which are based on an assessment of critical risk in the field of CSR
Assisting management in determining the evaluation criteria to measure whether CSR objectives are achieved
Advising management on the allocation and communication on roles and responsibilities, and clear guidelines toensure an effective SMS. This includes advising management on an organizational structure, responsibilities andcomposition staffing required for the effective CSR organization
Consulting management during the selection of the external verifier of the CSR report, and the scope of theCSR report
Guiding the external accountant during the external audit to ensure effective and efficient communicationbetween the external accountant and the CSR department/manager throughout the audit
Giving advice on internal and external accountability and communication regarding CSR-performance, especiallywhen it concerns the implementation of an information system
Evaluating the extent to which CSR ambitions of the organization are included in the organization coreprocesses and management processes
Audits regarding the adequacy of the internal control and evaluation mechanisms
Evaluating the reliability of performance measures
Audits on the effectiveness of embedding CSR in the organization and processes
Performing separate audits of third party for contractual compliance with CSR terms and conditions
(System) to provide assurance on the translation from the strategy to the policies, procedures, models,management cycle (PDCA) and the final report
Evaluating the extent to which CSR ambitions of the organization are included in the organization coreprocesses and management processes
Audits regarding the adequacy of the internal control and evaluation mechanisms
Evaluating the reliability of performance measures
Audits on the effectiveness of embedding CSR in the organization and processes
Ensuring proper follow-up of the recommendations made as a result of the internal and external audits
Management review andcontinuous improvement
- N/A N/A N/A N/A N/A
(Re)formulating CSR policyand strategy
MATURITY LEVEL
Information, RiskManagement and Planning
Implementation andoperation
Checking and correctiveaction
Maturity Level
1. Please familiarize yourself with the various (CSR) process maturity levels. Select the current level of maturity of your organizations CSR process from the dropdown menu below:
2. For the procedures mentioned in the table below, please indicate the extent (on a scale from 1-5) to which your IAF performs (or has performed) this procedure during the various maturity levels of the CSR process.
The role of the IAF in CSR| 50
Appendix D - Case Studies
This appendix reports on the four cases selected based on the data collected through interviews and the desk
research.
Case A
Case A is a company operating in a niche market of the financial service industry. It is bank focused on
governments and institutions for the public interest. The mission of the bank is to contribute sustainably by
keeping the cost of social services for citizens low. Case A’s shareholders are exclusively governments. The
Dutch state holds half of the shares, the other half is owned by municipalities, provinces and the water board.
CSR is of great importance to Case A as it only has clients in the social sectors that have a link with the
government. The clients are predominantly governments and institutions in the areas of housing, healthcare,
education and public utilities. The CSR vision of the company is refined into five themes: a secure bank
(reliable banking with social value); responsible growth (indirectly serving the interests of the citizens);
involved employees (investing in their people and maintaining an open culture); environmental friendly internal
operations (where possible, introducing environmental friendly improvements); and social commitment
(promoting artistic and cultural activities that are important for municipalities). The high level of maturity of the
CSR process is supported by the adaption of CSR into the core business processes and mission of the
organization. The company decided to report on the CSR performance of the organization given it is a critical
element of the organization mission, but also because of compliance to laws and regulations. As a company
operating in the financial service industry Case A receives significant pressure to report on its CSR
performance, furthermore the Dutch State obligates all companies of which they are shareholder to report on
their CSR performance. The set-up of the CSR process, was therefore motivated both top-down as bottom-up.
Case B
Case B is a market leader and global organization operating in the consumer products industry. As a market
leader, Case B sees corporate social responsibility as an essential element of their business. They therefore
developed and formulated a sustainability strategy based on global trends together with their stakeholders. The
aim of their strategy is to add sustainable value for their company, for the society and for the planet. It plays a
fundamental role in how they do business. The sustainability strategy of Case B focuses on four important areas
on which they can make a difference: Water, Sourcing, Responsible consumption and CO2. These areas are
supported by the values identified within Case B. To improve their CSR performance they take action along the
entire value chain. At each stage of the chain, they assess the impact they have on energy, water and CO2
consumption. For each of these areas Case B has identified specific long and short term goals, pushing them to
improve.
The role of the IAF in CSR| 51
Case C
Case C is an independent company with two shareholders, the municipality of city they operate in and the Dutch
state, established to develop its harbor. The vision of Case C is to continuously improve the port to the most
secure, efficient and sustainable in the world. For its customers, it wishes to create value by developing chains,
networks and clusters, both in Europe and in emerging markets worldwide. Case C as an entrepreneurial port
developer, is the best partner for world-class customers in petrochemical, energy, and transport & logistics. This
vision which is closely linked to CSR has been integrated in the company’s strategy and values. Together with
their partners, they focus on a versatile, durable, safe and attractive port that meets the high demands of society.
In 2007 Case C distributed its first CSR report, not long after it distributed an integrated report in 2010. This
integrated report with reasonable assurance on both its financial and CSR aspects highlights the high level of
maturity of the integrated strategy process (which includes the integrated CSR elements). The company decided
to report on the CSR performance of the organization given it is a critical element of the organization vision.
Additionally, as a company with the Dutch State as a shareholder it is obligated to report on its CSR
performance.
Case D
Case D is an international financial services provider operating on the basis of cooperative principles. It offers
retail banking, wholesale banking, asset management, leasing and real estate services. Focus is on all-finance
services in the Netherlands and on retail and wholesale banking, and food & agri internationally. It believes that
sustainable growth in prosperity and well-being requires careful nurturing of natural resources and the living
environment, and it aims to contribute to this development with its activities. Case D respects the culture and
traditions of the countries where it operates without losing sight of its own objectives and values. It really takes
its place in society, all the while adhering to the core values that are embedded in the mission and ambition:
respect, integrity, professionalism and sustainability. Case D presented a new policy framework in 2013 for the
way in which it seeks to implement sustainability. Its sustainability agenda builds on existing activities and is an
essential element in its strategy up to the end of 2016.
The role of the IAF in CSR| 52
Appendix E - Coding Table
This appendix shows the coding table used for pattern matching. As all interviews were conducted in Dutch, all
the quotes have been translated by the author for the purpose of this study.
Open Coding Content description Interview ID Quotes per interviewI1 I have been working for [EA1] for 12 year now as RA, where I started in the financial audit. I increasingly started to be involved in the verification of sustainability reports, which I am not doing for 70% of my time. In 2006 I also successfully
completed the post master CSR managing and auditing at the Erasmus University. Together with the partner, I am not responsible for the sustainability department of [EA1]. For the other 30% of my time I still perform financial audits, I dothis to stay up to date on developments in the financial audit, which I in turn try to translate to the CSR audit practice".
I2 "I have been with [EA2] for 24 years, of which 11 at Sustainability Assurance. I work mostly with listed companies in the NL but also in Denmark, Norway, Germany, Belgium and the US. I studied accountancy and therefore started at [EA2]in financial audit which I did for 5 years. I then continued on to Forensic - our fraud investigation department. I am also globally responsible for Sustainability Assurance within [EA2]".
I3 "I am head of internal audit here at [Case A] for over 5,5 years now. My team consists out of 11 employees, divided into internal control and internal audit".I4 "I started working here at [Case B] three years ago at the Global Internal Audit department. I am senior auditor in the Africa, Middle East team. For 30% of my time I am involved and responsible for the audit on the Sustainability Report of
[Case B]. Before this I use to work for the global internal audit team of [other company], where I was also involved in the audit on the sustainability process".
I5 "In 2006, I joined [Case C] as the interim head of internal audit, where I stayed till May this year after finishing the last CSR report. (…) In 2008 we published out first CSR report, and the year after that we already decided to publish anIntegrated Report. These reports were published with limited assurance, in 2010 we obtained reasonable assurance on our Integrated Report. Our internal audit department was involved in this process right from the start".
I6 "I have been working for the internal accountant function of [Case D] for over 20 years now. (...)About 5 to 6 years ago I became responsible for professional practice within the internal audit function of [Case D] This includes providingtrainings, performing reviews and data analytics. However, 8 to 9 years ago I also became involved in the sustainability process for which I remain responsible. We perform special audits in the area of sustainability and perform audits on thesustainability report".
I3 "Neither of us has done a study in the field of CSR, however we have participated in trainings and seminars in order to remain up to date on developments in this area".I4 "None of the audits here, including myself, have done a study in the field of CSR. Of course I try to stay up to date on developments in the area of CSR and on new GRI guidelines".I5 "I have finished the CSR post master at Erasmus, but no trainings were followed by my internal audit department in the field of CSR".I6 "The option exist for internal accountants to follow the CSR master program at the Erasmus University, I successfully completed this program for example. But what we also do is provide annual trainings to the entire internal audit
department on developments in audit, and in sustainability. In these trainings we also discuss the difference between auditing the sustainability report and auditing the financial statements. For all the RA's within the internal accountantfunction, we also provide trainings in which they can obtain PE-points. Sustainability was once a theme in one of these trainings, which are provided by external accountants firms."
I1 “The process starts with creating awareness, after which (re)formulating the strategy to include CSR is key. In order to ensure that this strategy will be implemented successfully, the strategy needs to be translated into KPI’s. Only after this isdone can an organization report on its CSR performance and obtain assurance on this report. Justly, this process is indeed a circle. However, what is seen in practice is that it doesn’t always follow this structured path, but that it can beinitiated at any of these process steps. Organizations are often already involved in some lose CSR activities as it is a natural driver for people to give back to the society. These CSR activities are often initialed on individual level or by low/middle management, yet they are bundled and reported on in the organization’s CSR report. However often these initiatives are not linked to the organizations products and services, and are not implemented into the core business processes.At some point, usually when top management believes in CSR and is motivated by CSR, are initiatives selected that are more closely linked to the organization. And only then is CSR implemented in the strategy of that organization”.
“However, what is seen in practice is that it doesn’t always follow this structured path, but that it can be initiated at any of these process steps. Organizations are often already involved in some lose CSR activities as it is a natural driver forpeople to give back to the society. These CSR activities are often initialed on individual level or by low/ middle management, yet they are bundled and reported on in the organization’s CSR report. However often these initiatives are notlinked to the organizations products and services, and are not implemented into the core business processes. At some point, usually when top management believes in CSR and is motivated by CSR, are initiatives selected that are more closelylinked to the organization. And only then is CSR implemented in the strategy of that organization”.
I2 “What we see in the energy industry is that the CSR process sometimes start with assigning a CSR officer to write a CSR report. But these reports are usually inconsistent, lack direction and are not concrete as no CSR strategy is defined. TheCSR officer is asked to report on separate projects the organization is involved in, which are normally in one of the CSR areas, such as environmental projects. However, at some point they realize that in order to make a difference theycannot just be involved with uncorrelated project but that a CSR policy needs to be defined. In the CSR policy they normally expand the CSR range to include other important CSR areas, such as social projects. Finally, we see thatorganization then decide that they need to formulate a strategy to determine where they want to be in 5-10 years with regard to CSR performance, how they want to be perceived, especially in comparison to their competitors. And then ofcourse implementation and execution of the CSR strategy is next in order to achieve goals. But this can only be successfully done once CSR is understood and defined within the organization”.
I3 “The CSR process here started with formulating a strategy to include CSR. After that we defined certain specific objectives, and included CSR in our Risk Management process. Also we have set up a CSR committee with the responsibility todefine and secure KPI’s. This was the start of the implementation of CSR into the organization. We as IA finally perform audits in which we structurally include CSR and report our findings to management. Looking at the model fromNieuwlands, I can definitely say that our CSR process indeed looks like this".
“The PDCA cycle is key in this process to ensure that it does not remain a paper execution, but to ensure full integration into the organization and to ensure continuous improvement of the process".
I4 “Our goal is to really imbed CSR into the organization and its functions, and to not set it up as a separate process but to integrate it into the core business processes. We followed all these process steps, which are all linked here at [Case B]to the corporate strategy and defined objectives. These strategy and objectives all include CSR and are communicated down to management bonuses, KPI’s, and are integrated into information systems and the standard management systems.Global Audit plays a role in all of these process steps”.
I5 "The process described by Nieuwlands is the standard process, a standard PDCA process needed for any strategic process".I6 "Sustainability has been an important factor for [Case D] for a long time, this resulted in [Case D] being one of the frontrunners on publishing a verified sustainability report (with reasonable assurance), and in having a sustainability policy
and strategy. And in actually going through all of these steps shown here in this model from Nieuwlands".
CSR process Description of how theCSR process isstructured (reflectionagainst Nieuwlands'SMS)
Job description Description of theircareer and current job
CSR trainingsand education
Trainings andeducation on CSRwithin the IA function
Open Coding Content description Interview ID Quotes per interviewI1 “In the CSR process, data is collected and extracted through various independent systems of which the reliability is often yet to be determined. Most of these systems are in their development stages and are frequently Excel based, resulting in
data that is less reliable”.
“However, we constantly need to encourage internal audit to perform these system-oriented audits, or to include CSR in system-oriented audits that are already in their audit plan. This is not usually initiated by the internal audit departmentitself”.
I2 “I would say that the fact that CSR is not a continuous process but an incidental one is a risk. The frequency on which data is retrieved from the systems is often once or maybe twice a year. This increases the changes of errors and effects thecompleteness and balance of the CSR report. Also, given the limited and voluntary regulations with a limited content, the completeness of the report remains an issue. Organizations have the tendency to not include CSR related failures thatdid happened throughout the year, and which did not reach publicity. There are no hard guidelines telling you what to include in the report. Finding the right balance between the good an organization has conducted and the bad that itencountered therefore also remains a challenge”.
I3 -I4 "It is new data, and since we have no history and no benchmark, you can audit as much as you want, however there is still a possibility that you will overlook the black swans. This is different when compared to financial audit with given
standards and one information system. In CSR with all the different information systems, one should always keep in mind that the CSR report is an organizations best effort to make the data as reliable as possible. (...) I would not call itsubjective, however I do understand that other people would call it that. Here in [Case B] we were involved in defining CSR within the organization. We were therefore all in sync about what it is that we were auditing. Also given that GRI isnot always clear, the process can be called subjective. However, in order to make it less subjective you really need to benchmark yourself with other firms".
I5 “The risks in auditing the CSR process are dependent upon the maturity level of the CSR process. In the beginning the biggest risk is whether there are strategically enough reference points or standards, so to speak, to actually perform theaudit. In the next phase the reliability of the information and systems is a high risk, but also the lack of support in the organization requires significant attention. Without the support of the organization, and without them seeing the addedvalue of CSR, it is like flogging a dead horse”.
I6 "A risk is lack of organizational support for CSR. Not everybody sees the added value of reporting on CSR, and as a result you will be challenged with multiple dilemmas throughout the implementation of CSR. Tone at the top is critical in itssuccess".
I1 “Internal audit mainly attain an assurance role. Of course this differs per client, however what you often see is that they play a part in the data-centric audits. Sometimes they also do system-oriented audits together with us during our interimwork, we do notice then that they are much stronger in this area as the work more resembles their field of expertise. However, we constantly need to encourage internal audit to perform these system-oriented audits, or to include CSR insystem-oriented audits that are already in their audit plan. This is not usually initiated by internal audit itself”.
I2 "Assurance on CSR data, Assurance on CSR processes and Consulting on CSR controls is something I have seen before as well".I3 "We mostly have an assurance role. In our audit universe we have included CSR aspects, and we therefore perform audits which include these aspects as well. We also perform governance audits on strategic level in which we audit the
implementation process of the CSR strategy in the organization. Additionally we perform both data-oriented as system-oriented audits on the information in the CSR report".
I4 "The tasks that we perform as an internal audit function are really dependent on the maturity of the CSR process. In the beginning we had taken up a more advising role, however at some point we tried to push back some of this consultancywork in order to focus on our main activity and that is audit. So, I think that we have performed all of these tasks at one point or another".
I5 "We have performed each single one of these activities and still do to some extent; especially I still do as the head of the [internal audit] department. Even those activities that are written as roles that should not be undertaken by the internalauditor have been attained by us somewhere along the path. Especially in the beginning stages of the CSR implementation did we perform these managing tasks as well. However, the responsibility for these activities and decisions remainedthat of management. Currently I maintained a more consultancy role, whereas the rest of my team increasingly takes on an assurance role as the CSR process becomes more mature."
I6 "In the beginning of the sustainability process, 8 years ago, the internal accountant function was approached by the Supervisory Board of Sustainability to encourage involvement of the internal accountants function in the sustainabilityprocess. However as this process was continuously subject to change, the role of the internal accountant was mainly that of consulting. (...) Also collaborating with the external accountant on how to reach our goal of reasonable assurancewas an important role for us in the beginning. Our advisory role slowly transformed into more of an assurance role when we started to look at how we would audit the whole sustainability process including the actual sustainability report.This was also done in collaboration with the external accountant".
I1 “The collaboration with our clients is one that I can only describe as pleasant. However, as the collaboration is normally initiated by us, you do see that we usually make the decisions. We tell them what to do and that is exactly what they do,and these tasks only relate to auditing and not to the other parts of the CSR process. In the financial audit they definitely work more closely with the internal audit. (...) In my opinion internal audit should be more involved in the CSR process,they should obtain the internal knowledge in this area that we don't have. Together we can provide a report of higher quality”.
I2 “When we do work with internal audit, they usually only do as asked by us. (…) We are normally the initiative taker for a collaboration. (…) I think that the reason that internal audit does not take a more active role in auditing the CSRprocess is because they are not aware of what they role in the process could be. We would like to see them take up a more active role, so that they can actually start to add value".
"The added value of a collaboration is in the combination of external expertise knowledge and internal knowledge. Internal audit knows the organization, it knows the processes and the culture. Additionally, cost efficiency is another element.In the end it is more cost efficient for an organization to use its internal audit resources".
I3 "The collaboration with the external auditor is the result of a natural growing relationship. We as internal audit department were already involved in CSR related processes, so when we decided to get the report externally verified, weimmediately discussed with the external accountant regarding the division of our roles and responsibilities. (...) The external accountant mainly relies on our data-oriented and system-oriented audits. We basically are responsible forproviding the external accountant with substantiation for what is written in the CSR report. (...) This relationship is definitely of added value for the organization as it reduces duplication, reduced the external accountancy fees, but mostimportantly increases the quality of the CSR report as two strengths are combined".
Risks of theCSR process
Description of the mainrisks in auditing theCSR process
Role of IA Description of the roleof IA in the CSRprocess
Collaborationwith EA
The extent to which IAand EA work togetherand rely on each others'work
Open Coding Content description Interview ID Quotes per interviewI4 "In the beginning the external accountant did everything, but then we started to discuss with the external accountant on the division of tasks. (...) In the transition we looked at how we could pull a part of the assurance activities with regard to
the CSR report under the responsibility of internal audit. The external accountant could in turn also take on a different role where they rely more on our work when verifying the CSR report. (...) The great thing is that we have the internalknowledge: we are better aware of the risks on local level, hence which reports are less reliable etc. (...) They [external audit] on the other hand have more experience with other firms and can therefore better benchmark us against thesefirms. They are also better aware of developements and rules".
I5 "We were one of the first companies to publish an integrated report with reasonable assurance. This was not done before, and therefore we had a strong collaborative relationship with the external accountant from the start. Together with theexternal accountant we discussed throughout the integration process on what the expectations were and what the roles and responsibilities were going to be. At some companies I see that the external accountant decides on the role of theinternal auditor, and this irritates me to the core. It should be the other way around. (...) We are now growing into a maturity level were we are responsible for performing audits and the external accountant is responsible for the control onthe integrated report. We do provide the external accountant internal knowledge on possible problem areas to discuss how these areas can be approached, and in the circumstance that we do not know how to deal with a problem, we do usethe external accountant as a big stick".
I6 "As [Case D] wanted to obtain reasonable assurance on the report from the start, the internal accountant function worked closely together with the external accountant to discuss and determine the role of the internal accountant function andthat of the external accountant. A plan was made together with the external accountant on how to reach reasonable assurance. In this, we have closely worked together ever since. First, we perform a kick-off together with the externalaccountant, then we make a resource planning together with the external accountant and divide the tasks accordingly. And in that the external accountant indeed relies on the work performed by us when verifying the report. This closerelationship will most likely change in the near future, given the stricter rules regarding the independence of the external accountant."
I1 “The main improvement point is CSR knowledge and skills. Their audit skills are fine, but specific knowledge with regards to CSR is missing. This results in audits focusing and reporting on the wrong issues, and results in incomplete andunbalanced reports. I am sure that a great part of the internal auditors auditing CSR have not been educated on the topic. I also think that this is one of the reasons why only in 10-15% of organizations reporting on CSR the internal auditdepartment is involved. Lack of capacity, knowledge and skills, and lack of intrinsic motivation are all reasons why internal audit is not part of the CSR process”.
I2 "The lack of CSR knowledge in the internal audit function is the main improvement point. Most internal audit departments do not have CSR specialists in their team. A good internal auditor can audit operational and financial processes,however the minute that these processes are not thorough enough the internal auditor fails to audit appropriate as they cannot fall back on their CSR knowledge. If there is no defined processes for example, external accountants will continueto audit the process through reperformance as we know how the calculations should be made and can therefore verify whether it is correct. This is where the lack of knowledge within the internal audit department fails them to properlyconduct an audit. (...). Another issue it the skill set of the current internal audit functions. Ideally an internal auditor with an advisory skill-set is needed to audit the CSR process. An internal auditor with a wider perspective, one that caninclude the relationship with stakeholders in its decision making, an auditor that can look beyond processes and reference models and can see the real issue at hand, that is the kind of auditor that is needed. (...) internal auditors need to learnto ask the right questions instead of relying on a predefined checklist. However this brings us back to the first point of improvement, as in order to ask the right question auditors need the have up to date CSR knowledge".
"In order to reach a higher maturity level of internal audit in the CSR process, the understanding of CSR needs to be higher. But also, internal audit needs to provide strategic recommendations and add value to operational processimprovement".
I3 "I would not necessarily call it an improvement point, but definitely an attention point, is our CSR knowledge and skills. We need to ensure that this maintains at a sufficiently high level to perform the audits appropriately. We need to remainup to date on what is going on in the field of CSR through trainings and seminars".
I4 "Data validation is one thing, but we need to start making the step towards the strategy".
"CSR knowledge and skills is an improvement point that sounds familiar, however it is not applicable to Group Audit. (...) however we do work with local auditors as well, and there you see the same thing. You need to ensure that no checklistis used in CSR audits as you will otherwise miss crucial things. A difference in the results and reports as output are then noted. From a critical and experienced auditor you get a report with findings and advice aimed at improvement ofprocesses. Less experienced auditors however only say that they checked something and that they noted one finding".
I5 "Ensure that the awareness is created within the organization and that added value and impact of reporting on the CSR process is understood within the organization. Only then can systems and information be made reliable. Especially incircumstances where the support system is under pressure, for example when negative events have occurred. It is then the responsibility of internal audit to convince the board of reporting on these negative events".
"Looking at other firms, I think that the problem of an unsuccessful CSR process, and CSR audit process is the lack of intrinsic motivation. The PDCA cycle should be a part of every strategic process, and in our organization CSR is a naturaland essential element of that strategy. That is where it frequently goes wrong at other organization, as they formulate a separate CSR strategy instead of implementing it into the existing strategy formulation and monitoring processes. As aresult it is more difficult to define standards to test the CSR process against".
"Quality of people is always an issue, and it not specifically related to CSR. In my opinion you need to have audit skills, and a willingness to explore the field of CSR".
"We should continue to standardize our audit process, especially documentation process even further, and possibly integrate it into one CSR system".
I6 "We need to perform special sustainability related audits on a more frequent basis, as we are currently doing those once every couple of years".
"My advice to internal audit departments with a less mature CSR process would be to ensure you obtain basic knowledge regarding CSR through trainings and education. Communication with your internal sustainability department and theexternal account is key. You need to first understand the product, developments in this area and what it is that they are doing in order to provide assurance. You also need to know what the requirements for the sustainability report are inorder to audit it appropriately. The aim should be to include CSR in the entire audit process, and determine the areas to audit through a risk-based approach. You will be surprised by the areas to audit as a result of this approach".
“In order to get a CSR process resulting in complete and accurate information, a lot needed to be designed before implementation. A process needed to be defined based on GRI; however it also needed to be auditable. Therefore the principle-based guidelines needed to be translated into hard company-specific standards to audit against. Early involvement in the process therefore is key.”
Improvementpoints
Description of theimprovement points forIA
The role of the IAF in CSR| 56
End Notes
i Risk management is defined as “a process, effected by an entity’s board of directors, management and
other personnel, applied in strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives” [COSO, 2004].
ii The COSO-ERM framework consists out of the following components: internal environment, objective
setting, event identification, risk assessment, risk response, control activities, information and
communication and monitoring [COSO, 2004].
iii Three lines of defense: 1) Management; 2) Control-, risk management and compliance departments; 3)
Internal audit.
iv Internal auditing is an “independent, objective assurance and consulting activity designed to add value
and improve an organization's operations. It helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes” [IIA, 2012].
v Consultancy is defined as “advisory and related client service activities, the nature and scope of which
are agreed with the client and which are intended to add value and improve and organization’s
governance, risk management, and control processes without the internal auditor assuming
management responsibility” [IIA, 2012]. vi Assurance services are defined as “an objective examination of evidence for the purpose of providing an
independent assessment on governance, risk management, and control processes for the organization”
[IIA, 2012].
vii IIA standard 1210: Internal Auditors must possess the knowledge, skills and other competencies needed
to perform their individual responsibilities. The internal audit activity collectively must possess or
obtain the knowledge, skills and competencies needed to perform its responsibilities [IIA, 2012].