ESG Cross-Functional Teams
June, 2021

ESG (Environmental, Social and Governance) is a hot topic. Investors want more reporting and transparency.  Non-financial reporting frameworks expect transparency on issues from climate change to forced labor.  The Board has questions.  And nobody expects it to fade any time soon.

It’s often “all hands on deck.” But increased activity doesn’t always translate into effectiveness or efficiency. Even companies that created Chief Sustainability Officer positions years ago are overwhelmed by new requirements, risks and demands. One poll of over 300 Internal Audit professionals revealed that ESG “lives” in Environmental, Compliance, Investor Relations, or other departments. There is no consensus on the right home. Who should lead ESG? What does “good” look like? And how will things get done efficiently, effectively, and aligned with business objectives?

Three Things We Wish People Knew About Yellow Book
February, 2017

A summary of the workshop Doug Hileman presented at the Institute of Internal Auditors’ (LA) Government Auditing conference on February 8, 2017.

The Generally Accepted Government Auditing Standards (GAGAS, or “Yellow Book”) is the standard for government audits. GAGAS differs from the IIA’s International Professional Practices Framework (IPPF, or “Red Book”) in several significant ways. Government auditors can get frustrated when people don’t appreciate just what is involved in doing audits using the Yellow Book. This includes the audit sponsors, auditees, and even other auditors not familiar with Yellow Book standards.

At the IIA Los Angeles Chapter’s government auditors’ conference on February 8, 2017, attendees came up with a list of “things we wish people knew about the Yellow Book.” This fun, interactive exercise was in the fashion of “Yellow Book Idol.” The top three vote-getters of things they most wished people knew are listed below.

  1. We need sufficient, relevant evidence. We wish auditees understood that auditors must compile evidence. Furthermore, auditors need sufficient – and relevant – evidence. Just because you gave us one thing, it might not be enough. If you gave us the wrong thing, it doesn’t help at all.
  2. Everything We Do Isn’t an “Audit”. People use the terms “audit”, “review”, “report”, “assessment”, and “evaluation” interchangeably. Unless the exercise (there’s another term) has been done in accordance with professional audit standards – for government auditors, that’s the Yellow Book – it’s not properly an “audit.” We wish people understood the difference between the terms, and would not refer to things as “audits” when they aren’t audits.
  3. Know what it takes to do what you’re asking for. Once Internal Auditors have become trusted advisors, there can be a different set of challenges. Sponsors and stakeholders ask for an audit – in a week. Or, they’ll ask to include a few more items in the annual audit plan. Or they’ll ask for “a quick look-see”, and expect that they can get – and rely on – an answer from Internal Audit for their Board meeting next week. We wish that sponsors understood what’s involved in the audit process from start to finish.

Two honorable mentions are listed below.

  • Planning for a Yellow Book audit takes more time than for other audits. One attendee with experience in government and private sector internal auditing quipped that, “If I spent as much time on planning at [private sector auditing consultant] as I do on an audit at [government entity], I would have been written up or fired.” The audit planning memo is time-consuming, but it is the basis for all that follows, so it’s important.
  • We look at samples – not at everything. So we’re going to miss something. This is a frustration expressed by government and private sector internal auditors alike. Sample sizes may be small, and the auditors may use different sample methodologies. We base our conclusions upon the sample selected. That’s why we spell this out in our reports (“Of the 50 records tested, seven were found to have….”). If a problem arises from a record outside of those 50, then we didn’t see it.

Some of these are distinctive to Yellow Book auditors, and others will sound familiar to everyone. The author provides training in Audit Readiness – a good answer to Item #1. Watch for more in a future newsletter, or another IIA meeting soon.
Doug Hileman led this session at the IIA LA’s Government Auditing conference on February 8, 2017. He is VP Advocacy for the IIA Los Angeles Chapter, and on the (global) Guidance Development Committee. His firm supports compliance and audit efforts in operations, non-financial reporting, and risk management.

Responsible Reporting: Five Tips for your CSR Report in the New Year
January, 2017

Currently, companies are compiling data and information for their 2016 Corporate Social Responsibility (CSR) reports. Here are five tips to get the most value, and to manage risk associated with CSR reporting. These tips will also help embed CSR thinking into all levels in your organization.

Here are the five tips reviewed here:
1. Determine what is material for your organization
2. Don’t stop with materiality
3. Compare your reporting parameters with other companies
4. If you can’t support it, don’t report it
5. Use this year’s gaps to plan for next year

1. Determine what is material for your organization. Materiality is now an essential part of CSR reporting. Within just the last five years, this push came from Global Reporting Institute, Sustainability Accounting Standards Board—and even the Securities and Exchange Commission. Materiality has been used in financial reporting for decades; even so, there is still some disagreement (including between auditors and their clients) as to what is “material.” There are several standard risk management frameworks that provide guidance on identifying highest risk areas. Two such frameworks are ISO 31000 and COSO’s Enterprise Risk Management framework. Service providers may claim to have the unique way to determine materiality. However, there is no single, “correct” way to perform materiality analysis for CSR reporting parameters. Use an approach that incorporates standard risk assessment principles. As with any other emerging issue, this will be revised over time, so just make sure you document what you did, and your rationale for doing so.

2. Don’t stop with materiality. Materiality is a concept that allows organizations to focus on what matters the most. The challenge with materiality as applied to CSR is: material to whom? Many CSR materiality discussions are driven by the needs of the investment community. One prominent framework proposes six to eight CSR parameters as being “material” for inclusion in financial filings. Does this mean that companies should not report on other parameters?

Other issues can still matter to key organizational stakeholders. Some CSR issues may include regulatory requirements, with information already a matter of public record via reports submitted to agencies. Some CSR parameters can enhance an organization’s reputation. Other parameters could be standard practice for some key stakeholders. For example, an organization with locations in some cities may be expected to have programs that encourage ridesharing or cycling to work. A company with any presence in the drought-stricken Southwest would be expected to conserve water. If the organization does not include these parameters in CSR reports, it can send the wrong signal to prospective employees, neighbors, or other key stakeholders.

3. Compare your sustainability reporting parameters to other companies’. Investors and other stakeholders are comparing your CSR reports to other companies’. Shouldn’t you? Organizations can learn much by reviewing CSR reports of financial peers to see what they report on, and how much detail they provide. Many CSR performance issues are now being embedded into requirements of the supply chain. It is also useful to compare your CSR report to those of key customers. You can select other companies to get traction with the executives who provide you with resources. If there is an executive at your company who is relatively new, compare your CSR report to the one of their prior company. The C-suite should want their new organization’s CSR report to be at least as good as the company they just left.

4. If you can’t support it, don’t report it. Stakeholders use the social and environmental information in CSR reports to help them make many decisions, such as: whether to buy or sell your stock; whether to add or retain you as a vendor; or whether to work for your organization. These decisions can have direct financial impact on your organization. Other consequences can include how easily you can obtain permits to expand operations, or effects on your brand’s reputation. Stakeholders can find out if you report data that is incorrect or unsupported. Media can provide coverage, and social media is quick to spread opinions about these errors. The rigor of data collection and management for CSR information doesn’t match that for financial reporting. After all, financial reporting has a head start of several decades! There are valid reasons for data inconsistencies and errors: different units of measure; different reporting periods; or simple lack of data. Reporting invalid data is worse than not reporting data at all.

5. Use this year’s gaps to plan for next year. It is common to want to present only the good stuff in CSR reports. It’s also common to present only the good stuff to senior management. This can backfire on your CSR program. Most CSR reports are signed by an executive. Use this as an opportunity to get the resources you need for next year. Nobody has all the CSR data and information they would like for their CSR reports. Many stakeholders respect companies that are candid about their performance, including areas where they have fallen short. Senior management respects candor, too. Don’t hide the gaps. Consider the risks they pose to your organization. Develop a plan to address them, and estimate the resources you’ll need. When you get the sign-off on this year’s CSR report, ask senior management for what you need for next year’s CR efforts—so you can return with a more robust CSR report next year.

This post originally appeared in CR Magazine, January 2017.

5 Myths about Dodd-Frank Minerals
November, 2012

The U.S. Securities and Exchange Commission (SEC) published final rules for Dodd-Frank Conflict Minerals (DFCM) on August 22, 2012. “Conflict minerals” are

  • tantalum
  • tin
  • tungsten
  • gold

These metals are used in electronics, jewelry, and many other products. The rules will be effective for 2013 for most affected companies. This SEC rule affects many functions: accounting, audit, environmental, investor relations, legal, marketing, operations, risk management, and others. Much of what’s been written so far discusses the potential effect on one or two functions. An enterprise-wide focus offers a different perspective.

Here are 5 myths about the Dodd-Frank Conflict Minerals final rule.

1. Environmental, social, and financial folks are finally on the same page.

DFCM is important to each, but there continue to be differences:

Environmental regulations tend to be prescriptive and exact.
Social standards seek equitable changes in the fabric of society.
Accounting rules emphasize process, materiality, support, and documentation.

2. Our supplier said “OK”, so we’re done.

Suppliers may use different systems, controls, criteria, or standards.
A supplier may have different materiality for your company than it does for others.
Your company may change specifications, or the supplier may change their operations.

3. That other group will take care of it.

Product components (including conflict minerals) touch many functional groups. Whoever is leading the DFCM effort — Legal, Accounting, or Supply Chain — cannot understand the perspectives, needs, and capabilities of other groups if they are not at the table. Cross-functional teams work best.

4. The audit will make sure everything is fine.

Many companies’ evaluations will end with the Country of Origin Inquiry (COI) effort, and the appropriate disclosures – no audit will be performed.
When audits are required, the audit objective is very limited, and does not provide the assurance that many stakeholders asked for in comments.

5. After we do this, we’re done.

DFCM requires annual updates.

Similar information is requested via standard global Sustainability reporting frameworks, investor requests, proxy filings, and other means. Requests are likely to broaden to other geographies (Indonesia) and other minerals.

This posting originally appeared in the EHS Journal on Oct. 29, 2012.
Photo Credit: Steve Ford. Elliott
