corporate social responsibility and internal audit

Corporate Social Responsibility and Internal Audit:

What is the role of IA, and what opportunities for improvement exist for IA in the CSR process of an

organization?

Thesis - Executive Internal Audit Program 2012 – 2014

Author: Jamila Geene

Student number: 6020412

Date: 08-08-2014

Coach: Lecturer J.J.M. Laan

CSR and the role of IA| 1

Acknowledgements

In 2012 I started the Executive Internal Audit Program at the University of Amsterdam. With enthusiasm and

pride I present my final thesis on a topic I hold close to my heart: Corporate Social Responsibility. This thesis

marks the end of a wonderful yet challenging two year experience, during which various people have motivated

and supported me. I therefore would like to take this moment to express my utmost appreciation and extreme

gratitude to these wonderful people.

First of all, I would like to thank Bob van Kuijck, Annelies Vethman and my thesis coach, Jan Laan, for their

guidance, useful suggestions and devoted feedback. Secondly, I would like to thank all the participants for

partaking in this research. I much appreciate you for your time and your openness during the interviews which

have led to these interesting and valuable results. Furthermore, I would like to thank my classmates for making

this experience a wonderful one. Jack, Ingrid, Gijs and Friso, special thanks for the fun times, without it this

journey would have been a lot more challenging.

Also, I would like to express my heartfelt gratitude to my beloved parents, brother, extended family and all my

other wonderful friends for their support and compassion. And to my love Johan, there are no words to describe

how thankful I am for the patience, love and support that you have provided me throughout this journey. Thanks

for believing in me…in us.

I hope you will enjoy reading this thesis.

Jamila Geene

Amsterdam, August 08, 2014

The role of the IAF in CSR| 2

Executive Summary

Corporate Social Responsibility (CSR) is defined as the way companies integrate social, environmental and economic

aspects in a transparent and responsible manner into their values, culture, decision, strategy and operations, and therewith

contribute to the society. CSR is becoming increasingly important in the business world as investors and regulators are

increasingly demanding greater visibility into what organizations are doing. As a result organizations need IA to take a

broader mandate within the organization. Far from its traditional compliance roots, IA is increasingly being asked to not

only provide operational business insights to the organization, but also to serve as strategic advisors – helping the

organization to address today’s key business risks. Also, as strategic advisors they are requested to help in preparing for

critical emerging risks, risks that the organization knows are approaching more quickly than ever before based on business

strategy and continued global expansion. Amongst the top of ten of the most important emerging risks that IA is tracking is

climate change and sustainability.

In 2011 the IIA and the NBA published a report based on empirical research on the role of IA in the CSR process. That

research however was only based on results provided by IA functions and largely based on surveys as a method of research.

In this research their findings are critically tested by addressing a different point of view, that of external auditors providing

external verification on these CSR reports, and by using a different research method. Through interviewing subject matter

experts (external auditors) and by performing a multiple case study research, this study aims to contribute to the awareness

of internal auditors on their possible role in the CSR process, and on opportunities to add value and to improve the CSR

process within their organizations. As a result, the following research question is answered: What is the role of IA, and

what opportunities for improvement exist for IA in the CSR process of an organization?

Based on the findings of this research it can be concluded that leading IA functions are involved in the CSR process

through assurance, and consultancy roles. Building on extant literature, this research concludes that the actual role attained

by IA is indeed highly dependent upon the level of maturity of the CSR process. The role of IA tends to shift from a

consultancy, and at times even a managing role, to a more assurance providing role as the CSR process matures from initial

to optimizing. Activities that are decreasingly performed, as the CSR process matures, include advising on the set up and

implementation of the CSR process. These activities make way for the following assurance providing activities: auditing

the CSR report on scope and quality, and auditing the process of translating the strategy to the policies, procedures, models,

management cycle (PDCA), and the final report. Through the development of the maturity model in this research,

awareness is created on the possible activities to be performed by IA at various levels of maturity.

In contrast to the findings in the research by NBA and IIA, this research highlights that the involvement by IA in the CSR

process is generally limited to its assurance role by performing data-centric and system-oriented audits. A role that is

imposed by the external auditor and subsequently passively executed by IA. Also, this research concludes that only 10-15%

of the IA functions are involved in the CSR process. The drastic differences between these findings with that of the IIA and

NBA are either the result of less involvement by IA over the years, participation of IA functions that are front-runners in

the area, or by the research method chosen by the IIA and the NBA. Either way these results directly highlight the most

significant improvement points resulting from this research: increase the active involvement of IA in the CSR process, and

increase the performance of consultancy related activities in the CSR process. Additional improvement points for IA

include: improving IA’s CSR knowledge and skills; increasing the advisory role of IA; ensuring earlier involvement in the

CSR process. Lastly, based on the field research conducted it was concluded that the performance of system-oriented audits

by IA needs to increase and improve. The urge for this improvement lies in the fact that in the CSR process data is

generated and extracted from various independent systems, which are often still Microsoft Excel based or in the beginning

development stages. Combining this with the lower level of maturity of the CSR process, and the low frequency of data

retrieval, it creates one of the biggest current risks in the CSR audit process. To reduce this risk it is important for IA to

perform both data-centric as system-oriented audits to determine the reliability of the data and the systems used.


List of abbreviations

CAE: Chief Audit Executive

CSR: Corporate Social Responsibility

EA: External Audit

ERM: Enterprise Risk Management

IA: Internal Audit

IPPF: International Professional Practice Framework

ISA: Internal Standard on Auditing

KPI: Key Performance Indicator

PDCA: Plan, Do, Check, Act

SME: Subject Matter Expert

SMS: Sustainability Management System

Institutions

CAR: Dutch Council for Annual Reporting

COSO: Committee of Sponsoring Organizations of the Treadway Commission

GRI: Global Reporting Initiative

IAASB: International Auditing and Assurance Standards Board

IIA: Institute of Internal Auditors

NBA: Dutch Institute of Chartered Accountants

NIVRA: Royal Dutch Institute of Charted Accountants

List of tables

Table 2-1: Consulting and Assurance activities for IA

Table 2-2: Activities for IA to ensure good collaboration with EA

Table 3-1: Subject matter experts

Table 3-2: Case Profiles

Table 3-3: Technique(s) applied to enhance credibility

Table 3-4: Interviewees per case

Table 4-1: IA’s current activities in the CSR process

Table 4-2: Role of IA per maturity level

Table 4-3: Collaboration procedures IA and EA

Table 4-4: Risks in auditing the CSR process

Table 4-5: Improvement points for IA

List of figures

Figure 1-1: Research Model

Figure 2-1: Sustainability Management System

Figure 2-2: COSO-CSR model

Figure 2-3: Role of IA in CSR


Table of Contents

Acknowledgements ................................................................................................................................................ 1

Executive Summary............................................................................................................................................... 2

1 Introduction .................................................................................................................................................. 6

1.1 Background ............................................................................................................................................ 6

1.2 Problem Definition and Research Questions ......................................................................................... 7

1.3 Research Design ..................................................................................................................................... 7

1.4 Thesis outline ......................................................................................................................................... 8

2 Literature Review ........................................................................................................................................ 9

2.1 Corporate Social Responsibility ............................................................................................................. 9

2.1.1 Definition of CSR.......................................................................................................................... 9

2.1.2 CSR reporting in the Netherlands ............................................................................................... 10

2.2 CSR process ......................................................................................................................................... 11

2.2.1 Sustainability Management System ............................................................................................ 12

2.3 The role of IA in CSR .......................................................................................................................... 13

2.3.1 Internal Audit and CSR ............................................................................................................... 13

2.3.2 Consulting ................................................................................................................................... 15

2.3.3 Assurance .................................................................................................................................... 15

2.4 Coordination of EA and IA .................................................................................................................. 16

2.4.1 EA and IA ................................................................................................................................... 16

2.4.2 Best practices for IA .................................................................................................................... 17

2.5 Chapter summary ................................................................................................................................. 18

3 Research design .......................................................................................................................................... 21

3.1 Research methodology ......................................................................................................................... 21

3.1.1 Literature ..................................................................................................................................... 21

3.1.2 Subject matter interviews ............................................................................................................ 21

3.1.3 Case Studies ................................................................................................................................ 22

3.1.4 Data Collection ............................................................................................................................ 23

3.3 Data analysis ........................................................................................................................................ 23

3.4 Chapter summary ................................................................................................................................. 24

4 Findings....................................................................................................................................................... 25

4.1 CSR Process ......................................................................................................................................... 25

4.2 The role of IA in CSR .......................................................................................................................... 26

4.3 Coordination of EA and IA .................................................................................................................. 30

4.4 Improvement areas for IA .................................................................................................................... 31

4.5 Chapter summary ................................................................................................................................. 34

5 Discussion ................................................................................................................................................... 36

5.1 Conclusion ........................................................................................................................................... 36

5.2 Limitations and recommendation for future research .......................................................................... 37

6 Reference List ............................................................................................................................................. 39


Appendix A - Introduction email .............................................................................................................. 41

Appendix B - Interview script ................................................................................................................... 42

Appendix C - Maturity Model ................................................................................................................... 48

Appendix D - Case Studies ........................................................................................................................ 50

Appendix E - Coding Table ....................................................................................................................... 52

End Notes ............................................................................................................................................................. 56


1 Introduction

1.1 Background

Considerable interest in Corporate Social Responsibility (CSR) has appeared in academic literature over the past

decade as companies struggle to balance short-term financial viability with long-term strategic goals, and to

build and preserve shareholder value while enabling future generations to meet their own needs. The literature

has overall concluded that businesses should integrate CSR principles into corporate strategic policies and

business processes. This integration is justified by the fact that it affects the triple-bottom line and long-term

profitability of a business and should, therefore, be treated as strategic assets of the business (see, e.g.,

Elkington, 1997; Grant, 1997; Russo and Fouts, 1997; Johnson and Scholes, 1993). Stakeholders expect boards

and management to accept responsibility and implement strategies and controls to manage their impact on

society and the environment, to engage stakeholders in their endeavors, and to inform the public about their

results. As companies are increasingly being evaluated on not only their financial performance, but also non-

financial results related to environmental and social performance, reporting on CSR at the corporate level has

broadened widely and is fast becoming a critical element of reporting for listed and large non-listed companies

at the global level (see, e.g., KPMG, 2008; Owen, 2006; Kolk, 2004, 2003, 2001; Kolk et al., 2001; Gray et al.,

2001).

The amount of regulations on environmental and social aspects is increasing correspondingly. Regulators are

near certain to create an environment in which reporting on sustainable matters will not only become the right

thing to do or the smart thing to do, but also the only thing to do [PWC, 2009]. Companies are preparing to take

on these mandatory and voluntary regulations, and associated challenges, in a proactive manner. The

proliferation of regulation and voluntary standards has made CSR management a complex endeavor for firms in

all industries.

As the social relevance of CSR in large organizations is expected to grow and as companies are continuously

aligning their strategies to adapt to the increased relevance of CSR in their day-to-day business practices, the

involvement of internal audit (IA) in CSR has also increased steadily in the last decade [IIA and NBA, 2011].

Furthermore, IA is expected to give increasing priority to the work field of CSR in the future as well. In this, IA

performs activities with regard to both assurance and consultancy roles when it comes to CSR. The Institute of

Internal Audits (IIA) states that these activities include understanding the risks and controls related to CSR

objectives. In addition, the Chief Audit Executive (CAE) should plan to audit, facilitate control self-

assessments, verify results, and/or consult on the various subjects where appropriate [IIA, 2010].

Extant literature exploring the role of IA with regard to CSR is available [e.g. Nieuwlands, (2006)]. However,

only two research studies [Ambaum (2007); IIA and NBA (2011)] have empirically examined the role of IA

with relevance to CSR in order to identify best practices in the Netherlands and to examine the actual role IA

fulfills in CSR reporting. In their research studies they approached and examined IA functions of respectively

29 and 37 (out of a total of 54) large Dutch firms which have distributed a CSR report, or have visibly

integrated CSR in their annual financial reports. The results indicate that 30-40% of the IA functions

participating in their research are involved through either an assurance role, consultancy role of both in the CSR

process. And that this involvement is only to increase in the coming years. Furthermore, the results conclude

that IA adds significant value in the CSR process through a broad scope of activities including taking on a

consultancy role. Both the research studies from Ambaum (2007) and the IIA and NBA (2011) however, have

inferred conclusions based on results provided solely by IA, and through surveys as the main research method.


Given the professional skepticism an internal auditor is required to have in its work, this research critically

examines the findings in the previous research studies by addressing a different point of view, that of external

audit (EA) providing external verification on these CSR reports, and by using a different research method.

Through this, it aims to identify the areas of improvement for IA, from both IA as EA perspective, when it

comes to the CSR as an audit object.

1.2 Problem Definition and Research Questions

The following eight sub-questions have been constructed in this research:

1. What is the CSR process?

2. What roles can the IA function of organizations play in the CSR process?

3. How can the external auditor and the IA function of an organization work together in the CSR process?

4. What are the opportunities for improvement for IA in the CSR process?

These four sub-questions will depict the theoretical possibilities based on a literature review performed in

Chapter 2. The following four sub-questions depict the actual situation in the business, and are answered by

means of subject matter interviews and case study research.

5. How is the CSR process within organizations structured?

6. What roles does IA attain in the CSR process?

7. How do the external auditor and IA function of an organization work together in the CSR process?

8. What are the improvement areas for IA in the CSR process?

Based on these eight sub-questions this study aims to answer the following main research question:

What is the role of IA, and what opportunities for improvement exist for IA in the CSR process of an

organization?

The results of this research further contribute to the awareness of internal auditors about their opportunities to

add value and improve the CSR process within an organization.

1.3 Research Design

This research can be classified as an exploratory research that maintains a theory-testing approach. A

comprehensive visualization of the research design used to answer the research questions defined above is

shown in figure 1-1.

First, various literature, websites and research studies are examined. Reference is made to Chapter 6, which

provides a list of literature used. Then, the role of IA and improvement points for IA are identified and

discussed by means of subject matter interviews with two accountancy firms (the biggest in the field of CSR

audits in the Netherlands). In order to test the actual role of IA in the CSR process and to reflect on the

improvement points provided by EA a multiple case study research was performed. This research design was

chosen as appropriate on the basis of theoretical replication [Yin, 2009]. To ensure convenience and efficiency,

a small number of four cases are observed. The four companies selected all have CSR reports that are externally

verified; are of similar size; have an IA function that plays a role in the CSR process; and have an external

auditor that relies on the work of the IA function when it comes to the CSR process.


Figure 1-1: Research Model

Triangulation is achieved during data collection as data is collected through the use of CSR reports, interviews

with the IA functions and interviews with the CSR audit departments of the EA firms. The selected companies

are electronically approached, supported by an introduction email. In order to contact the external auditors and

internal auditors, the professional and social network of colleagues and J.J.M. Laan (lecturer of the course

Management Accounting at University of Amsterdam) is used.

1.4 Thesis outline

Chapter 2 of this thesis contains a literature review on the topic of CSR in general, and CSR in the Netherlands

in particular. Through the examination of literature, it identifies the structure of the CSR process, the roles IA

can play when it comes to CSR, and on how EA and IA can work together in this process. This is followed by

Chapter 3, which elaborates on the research design. In Chapter 4, the findings of this research are presented and

analyzed. Chapter 5 concludes on the role of IA and the opportunities for IA for improving the CSR process

within an organization and it also discusses limitations of this research and recommendations for future

research. Please refer to Chapter 6 for a list of all literature used as part of this research.


2 Literature Review

The purpose of this thesis is to identify what the role of IA is in the CSR process, and which opportunities for

improving the CSR process exist for the IA function within an organization. In order to answer this question,

some background literature is presented in this chapter to expand knowledge on the topic of CSR in general and

CSR in the Netherlands in particular. In order to answer sub-questions 1-4 formulated in Chapter 1 it also

discusses existing literature on the structure of the CSR process, the roles IA can play when it comes to CSR

and on the relationship between EA and IA with regard to this process.

2.1 Corporate Social Responsibility

2.1.1 Definition of CSR

Climate change, natural resource depletion, pollution, increased waste, and sweatshops are environmental and

social events that are changing people’s behavior, requirements and business practices. As a result of these

events stakeholders are increasingly focusing on environmental, social and governmental issues, while

expecting a better performance and more disclosure. Stakeholders continuously require transparency and

accountability. This is in accordance with the stakeholder approach that believes that companies are responsible

to all groups that can be affected or are affected by their business, and should therefore balance the large

quantity of interest of these stakeholders [Freeman, 1984; Geene, 2011].

In the beginning organizations denied any responsibility to these societal issues, however increasing regulations

relating to the environment and the workplace are leading organizations to adopt a policy-based compliance

approach to these issues as a cost of doing business. An increasing amount of organizations are even accepting

these new responsibilities as part of daily business operations. They replied by adopting a managerial approach

and are consequently embedding the societal issues into the organization’s core business processes, resulting in

new practices and management systems. Global leaders are even moving at a faster pace; acknowledging the

strategic approach in which the societal issues are integrated into the core business processes as they realize it

provides a competitive edge [Zadek, 2004]. In response, organizations are developing performance targets,

measurement systems, and reporting systems related to CSR strategies.

In short, Corporate Social Responsibility (CSR) is becoming an increasingly crucial concept for businesses

today. The concept of CSR (“Maatschappelijk Verantwoord Ondernemen” in Dutch) however, is one that has

been defined in existing literature in manifold. In literature it appears that there is not one unequivocal definition

of CSR in the literature [McWilliams et al, 2006; IIA and NBA, 2011]. The reason for the diversity in the

definition of CSR is the fact that CSR interfaces with various disciplines resulting in it being viewed through

different perspectives [McWilliams, Siegel and Wright, 2006]. CSR is a topic that is often related with concepts

such as Sustainability, Triple Bottom Line, and Corporate Citizenship. In this research the term Corporate

Social Responsibility will be used. Essential in all these definitions is the statement that a company must look

beyond its own economic interests, as it should be profitable for both the company and the society.

IIA noted that CSR can be interpreted as the way companies integrate social, environmental and economic

aspects in a transparent and responsible manner in their values, culture, decision, strategy and operations, and

therewith contribute to the society [IIA, 2010]. For this research the definition by IIA is used. This definition

connects the three dimensions social, environmental and economic and accentuates how these three dimensions

should be adapted to the needs and expectations of the stakeholders of a company.


2.1.2 CSR reporting in the Netherlands

To demonstrate their stance in being socially responsible, both listed and large non-listed companies at global

level started publishing CSR reports in addition to their financial reports [KPMG, 2008; Owen, 2006; Kolk,

2004, 2003, 2001; Kolk et al., 2001; Gray et al., 2001]. These reports are based on the three elements: social,

environmental and economic performance. A research by KPMG in 2008 stated that in 1999 roughly 39% of the

Global Fortune 250 companies reported on their social, ecological and economic activities, while this number

augmented to 80% in 2008.

The Global Reporting Initiative (GRI) explained the purpose of a CSR report as follows: “Sustainability

reporting is the practice measuring, disclosing and being accountable for organization performance towards the

goal of sustainable development” [GRI, 2002]. A CSR report should provide a balanced and reasonable

representation of the sustainability performance of the reporting organization – including both positive and

negative contributions [Nieuwlands, 2006].

As the importance of CSR has increased globally, the European government has explored regulatory approaches

to CSR reporting. In the Netherlands however, CSR reporting remains voluntary and is not enforced by

legislative requirements. Nevertheless, there are some compulsory CSR reporting prescriptions for annual

reports. In the Dutch Civil code article 2:391 section 1 states that companies are required to give some

information (financial and non-financial) about the environment, employees and risks in their annual reports. It

is mandatory for all listed companies independent of their size and for all large non-listed companies. Further

specification on what kind of information can be disclosed in relation to a company’s CSR is given in the

Annual Reporting Guideline 400 (in Dutch referred to as “Het jaarverslag”) published by the Dutch Council for

Annual Reporting (CAR). CAR also published the Guide to Sustainability Reporting (in Dutch called the

“Handreiking voor Maatschappelijke Verslaggeving”).

The most important institution in the field of international guidelines for reporting is currently the GRI. GRI is

an international, multi-stakeholder process and independent institution founded in 1977 whose function is to

develop and disseminate global sustainability reporting guidelines. The GRI framework provides the principles

and indicators that an organization can use to report on its performance in the field of measuring people, planet

and profit. More than 450 multinationals across 40 countries adhere to the GRI guidelines, including the vast

majority of the companies listed at the AEX - a stock market index composed of Dutch companies that trade on

NYSE Euronext Amsterdam. Initially CSR reports were fragmented and covered only certain aspects, based on

the purpose of these reports, however, through the use of the GRI reporting guidelines the quality of the reports

has increase significantly in de first years of the new millennium [Nieuwlands, 2006].

Standard guidelines may not meet all information needs of all users, and therefore companies should always use

a structured dialogue with stakeholders to further determine specific information needs. The guidelines

AA1000, AA1000APS (Accountability principle standards) and AA1000SES (stakeholder engagement

standards) in particular, are developed specifically for the accountability process in which the dialogue with

stakeholders has an important place. The outcomes of the dialogue define the contents of the CSR report and

topics to be determined within the company and highlights actions that must be taken. The guidelines therefore

place no explicit demands on the contents of the CSR report.

In the Netherlands the number of companies that published CSR reports has gradually increased over recent

years, as well as the number of independently verified CSR reports, however externally verified CSR reports are

still not common practice in the Netherlands. However, a recent article by KPMG shows that getting external

assurance on CSR reports is becoming standard practice. The tipping point has been crossed, with over 59% of


the world of the world’s largest companies (Global 250) now investing in CSR assurance (2012: 46%). As the

largest companies tend to set the trend, it can be presumed that soon the other companies will follow [KPMG,

2013]. However, even when these reports are externally verified the level of assurance provided by the auditor

is mostly limited (i.e. a moderate level of assurance) [Prikken, 2010].

2.2 CSR process

The board and senior management of an organization have overall responsibility for the effectiveness of

governance, risk management and internal control processes. As part of these responsibilities it is also

accountable for guarantying that CSR objectives are established, risks are managed, performance is measured,

and activities are appropriately monitored and reported. Furthermore, management is responsible for ensuring

that the organization’s CSR principles are communicated, understood, and integrated into decision-making

processes [IIA, 2010]. Management however, has trouble ensuring that CSR activities are coordinated and

aligned with strategic initiatives and principles throughout the organization, with appropriate risk/reward

decisions being made. Organizations realized that they need a management system, structuring formerly

scattered elements of CSR information gathering and repairing missing links between them. An advantage of a

management system is that it sets an auditable framework for assuming economic, environmental, and social

responsibility in a systematic, transparent, consistent, and credible manner.

In his book “Sustainability and Internal Auditing” Nieuwlands (2006) informs that setting up a sustainability

management system (SMS) is the best approach to implementing CSR in an organization. The SMS described

contains the following steps as illustrated in figure 2-1:

Figure 2-1: Sustainability Management System (modified by author)

In the research by the IIA and NBA in 2011 the COSO-model is used as the control model for CSR. It is argued

that even though initially used by organizations to control for activities and processes required for meeting the

organizations strategic goals and objectives, this model can be applied to control for CSR activities and

processes required to meet and organization’s CSR goals and objectives as well [IIA and NBA, 2011]. The

COSO-CSR model as described in the IIA and NBA research is illustrated in figure 2-2 [COSO, 2012].


Figure 2-2: COSO-CSR model (modified by author)

Both models can be seen as a loping process in which continuous improvement is strived for and the same

elements are covered in both models. However, based on the fact that Nieuwlands’ SMS is based on the widely

accepted model for management systems, namely Dr. W. Edwards Deming’s Plan-Do-Check-Act (PDCA)

cycle, which consists out of the four steps Plan, Do, Check, and Act, the detailed SMS is expected to be used in

practice. The following proposition is formulated to be tested in this research:

P1: The CSR process within an organization is organized according to the PDCA cycle and therefore strongly

resembles Nieuwlands’ Sustainability Management System.

2.2.1 Sustainability Management System

The start of the management cycle as described by Nieuwlands is (re)formulating a CSR policy and strategy that

is appropriate to the nature, scale and CSR impacts of the organization’s activities, products or service and are

consistent with the organizational strategic plan and other organizational policies. To ensure accuracy of the

documents both the strategy and the policy are to be periodically reviewed and revised if necessary.

The next step includes of a planning phase, a risk management phase, and the setup of information systems and

a CSR management program. The planning phase of the management cycle links the CSR policy and strategy to

predefined objectives and targets. Furthermore, the organization defines roles and responsibilities of employees

based on the CSR policy and strategy. Adequate resources are made available to employees to realize these roles

and responsibilities and relevant objectives and targets. In order to identify aspects that have significant impacts

on CSR performance, the organization establishes and maintains procedures to identify aspects for the entire

lifecycle of a product over which the organization has direct influence. CSR presents significant risks and

opportunities for many organizations and CSR objectives are therefore included in the organization’s risk

managementi process which is often based on the COSO-ERM framework

ii. As part of the risk management

phase, the board and management are responsible for performing a risk assessment and determining what is

important to their organization and the controls they will implement to manage those risks. It is also vital for an

organization to set up a CSR management information system, designed to provide adequate, reliable and timely

information to the organization so it can control the SMS and monitor actual performance against objectives and

targets. Finally, a CSR management program needs to be set up for achieving its objectives and targets. The

program should include the designation of responsibility for achieving objectives and targets at each relevant

function and level of the organization [IIA, 2010; Nieuwlands, 2006].


The third step regards structure and responsibilities, training and awareness, communication and documentation

of the SMS. In order to ensure proper implementation and maintenance of the SMS senior management appoints

a program manager responsible for its establishment, implementation and maintenance, and for reporting on its

performance. All responsibilities and resources related to the SMS are defined and communicated to ensure

effective implementation. The importance of sustainable thinking is communicated both internally as externally

to create awareness within and outside of the firm with regards to the CSR strategy, plans, results and challenges

[IIA, 2010]. To facilitate awareness and to ensure capability amongst its employees, trainings are given and

procedures are defined for creating awareness for the importance of conformance with CSR policies and

procedures. To show an organization’s progress in realizing its CSR objectives management designs a

communication process that sets the objectives of external communication, the information that needs to be

shared, and the channels to be used. The effectiveness of the communication efforts are then measured and

evaluated. The CSR report is the most widely used vehicle to communicate the outcomes and results that

occurred within the reporting period in the context of the organization’s commitments, strategy, and

management approach. The organization described core processes, uses flow charts to enhance understanding,

and clarifies interaction between the different processes. This documentation forms the basis for an external

review and can be used for training purposes [Nieuwlands, 2006].

In order to obtain assurance on the effectiveness and efficiency of the CSR-initiatives in an organization it is key

to continuously monitor (through the three lines of defenseiii) the internal controls relating to CSR/ SMS process

[IIA, 2010]. As part of the fourth step ‘checking and corrective action’, monitoring and measurement processes

are documented so that they are clear and implemented properly. On a periodic basis the adequacy and

effectiveness of the system is monitored based on the objectives and targets set. Timely follow-up and processes

for proactive and corrective actions are designed and implemented. Additionally, the organization set up a

process to ensure that the SMS is subject to a periodic (internal) audit, with the objective to determine whether

the system has been set up adequately and is implemented effectively. The results of this system audit are

communicated to senior management [Nieuwlands, 2006].

Finally, management periodically reviews the SMS to ensure its continuing suitability, adequacy and

effectiveness. Based on the outcome of the management review, management should act to improve the system

and thereby improve CSR performance [IIA, 2010; Nieuwlands, 2006].

2.3 The role of IA in CSR

2.3.1 Internal Audit and CSR

As investors and regulators are increasingly demanding greater visibility into what organizations are doing,

organizations need IA to take a broader mandate within the organization. Far from its traditional compliance

roots, IA is increasingly being asked to not only provide operational business insights to the organization, but

also to serve as strategic advisors – helping the organization to address today’s key business risks and prepare

for critical emerging risks that the organization knows are approaching more quickly than ever before based on

business strategy and continued global expansion [EY, 2013]. Amongst the top of ten of the most important

emerging risks that IA is tracking is climate change and sustainability.

The board and senior management of an organization is responsible for guarantying that CSR objectives are

established, risks are managed, performance is measured, and activities are appropriately monitored and

reported, and for ensuring that the organization’s CSR principles are communicated, understood, and integrated

into decision-making processes [IIA, 2010]. However, as previously mentioned, management has trouble


ensuring that CSR activities are coordinated and aligned with strategic initiatives and principles throughout the

organization. IA is well positioned to support management to implement a SMS and perform system audits after

the implementation phase as long as they maintain their independence and objectivity, and hence they never

assume line-management responsibilities [Nieuwlands, 2006]. Supporting this statement is a research performed

by the Dutch Institute of Chartered Accountants (NBA: “Nederlandse Beroepsorganisatie van Accountants” in

Dutch) and the Institute of Internal auditors (IIA) in the Netherlands (2011) who jointly investigated the

relationship between internal audit and Corporate Social Responsibility (CSR) which highlights that the IA has

an important and growing role to play in the governance of organizations when it comes to CSR. Not only

during the reporting of results but also in embedding CSR throughout the organizations. They conclude that the

IA will be able to add value to the process of defining policies, criteria, standards and controls, and in evaluating

and reporting on the organization’s performance in the field of CSR [IIA and NBA, 2011].

The IIA has developed an International Professional Practice Framework (IPPF) on evaluating CSR in 2010. An

IA function that conforms to this IPPF is qualified to audit and provide assurance to the board and management

on CSR programs and reporting. The IPPF practice guide on evaluating CSR as well as Nieuwlands believe that

in order to express and opinion on the adequacy and effectiveness of the SMS of an organization, IA should

perform work in all phases of the system.

According to the definition of internal auditingiv as defined by the Institute of Internal Auditors (IIA) – the

recognized authority, acknowledged leader and chief advocate of the internal auditing profession – internal

auditing consists out of two services: consultingv and assurance

vi.

The research by the IIA and NBA in 2011, state that IA coordinates its efforts to the maturity level of the CSR

process within the organization. Depending on the maturity of the CSR process within the organization IA will

take up a more supporting, consulting and/ or assurance role, while not jeopardizing their independence and

objectivity. In order to determine the correct role for IA, the IA function considers the expectations of the

Board, management and its stakeholders, the level of expertise within the IA function and within line

management, availability of information regarding the CSR maturity in the industry, and also the involvement

of the external audits or other advisors [IIA and NBA, 2011]. Important to note is that internal audit should

always maintain it objective and independent position, and should therefore not assume management

responsibility of CSR. With regards to this, please refer to in figure 2-2 [IIA, 2010] below visualizing which

roles can be undertaken by IA with or without additional safeguards, and more importantly, which roles IA

should not undertake to maintain its objectivity and independence.

Figure 2-3: Role of the IA in CSR (freely translated by author)


The Business Process Maturity Model describes that processes mature in the following five levels: Initial

(chaotic), Repeatable, Defined, Managed and Optimized. Processes in the initial level are typically

undocumented and in the state of dynamic change, tending to be driven in an ad hoc, uncontrolled, and reactive

manner by users or events. This provides a chaotic or unstable environment for the processes. In the Repeatable

level, some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be

rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

In the Defined level standard processes are defined, documented and established and have been subject to some

degree of improvement over time. These standard processes are in place (i.e., they are the core processes) and

used to establish consistency of process performance across the organization. It is characteristic of processes at

the Managed level that, using process metrics, management can effectively control the core process (e.g., for

software development). In particular, management can identify ways to adjust and adapt the process to

particular projects without measurable losses of quality or deviations from specifications. Process Capability is

established from this level. Finally, the Optimized level, where the focus is on continually improving process

performance through both incremental and innovative technological changes/improvements. Given that

designing, implementing and executing CSR in an organization can also be defined as a process, the following

proposition was constructed based on literature described above:

P2: As the CSR process becomes more mature IA will increasingly take on an assurance role and will less

frequently take on the role of consultant.

2.3.2 Consulting

Standard 2130 on Governance states that “the internal audit activity should assess and make appropriate

recommendations for improving the governance process…”. PA 2130-1 also states that IA should take an active

role in support of the organization’s ethical culture, as they have a high level of trust and integrity within the

organization as well as the skills to be effective advocated of ethical conduct [IIA, 2012]. As CSR is highly

linked to ethics, IA should be involved in the whole process of implementing CSR in an organization

[Nieuwlands, 2006; IIA and NBA, 2011]. The design and implementation of the CSR process within

organization is a difficult task for many organizations as it requires knowledge and experience in multiple areas.

However, as these areas are within the expertise of IA, the IA function fulfills a significant consulting and

supporting role in the implementation of CSR.

The research by the IIA and NBA (2011) highlights that IA is closely involved as consultant in the design of the

CSR process within an organization, as it maintains knowledge of the organization, risks and control of

processes as well as the relating reporting standards and guidelines. As the CSR process matures, IA helps the

organization to take the CSR process up to a higher level by not only fulfilling a consultancy role but also that

of an assessor.

2.3.3 Assurance

IA may choose to evaluate the CSR programs as a whole and determine whether the organization has adequate

controls to achieve its CSR objectives. Generally, the CAE would develop a one-to-three-year plan to obtain

sufficient and reliable information about the various elements of CSR within the organization. Upon completion

of the CSR-related audit programs, an opinion of the overall CSR controls can be developed [IIA, 2010]. In

order to establish a complete and accurate risk-based audit plan, internal audit have to understand the risks

identified by management in the planning and risk assessment phase of CSR and should use that knowledge


when considering and establishing CSR activities in the audit universe, audit plan, and audit approaches [IIA,

2010].

The main activity performed by IA as part of this role is giving assurance on the CSR report, the CSR process,

and other related processes by auditing these processes, and its underlying controls and risks. The results of

these audits provide IA with the opportunity to offer the audit committee with an independent opinion on the

level of control with regard to the CSR objectives of the organization, and will also be able to indicate where

additional oversight is required; and to identify potential process improvements and gaps in control, which are

especially of added value for line management and senior management.

In the research by the IIA and the NBA (2011) several audits are qualified as best practice and should be

included in the audit plan of the IA function. Reference is made to table 2-1 for an overview of activities that

can be performed by IA as part of the two roles: consulting and assurance.

2.4 Coordination of EA and IA

2.4.1 EA and IA

Externally verifying an annual integrated report or individual CSR report increases the credibility of the report.

When making decisions regarding the level of assurance, depth and scope of the CSR report, internal audit can

play an essential role by providing their knowledge on the material and organization. Additionally the external

auditor can also add value to the internal audit team by providing industry-wide knowledge and subject matter

expertise. Through collaboration the quality of the CSR process and report will increase significantly. In the

research by IIA and NBA another best practice was highlighted, as follows: “The internal auditor and the

external auditor work closely together, especially when auditing the CSR report. The internal auditor

coordinates his activities with that of the external auditor, and vice versa” [IIA and NBA, 2011]. Based on this

literature, the following proposition is described:

P3: The internal auditor and the external auditor work closely together, especially when auditing the CSR

report. The internal auditor coordinates his activities with that of the external auditor, and vice versa.

Prior to discussing the ways in which these two parties can effectively work together, the relationship and

collaboration with EA is to be discussed in more detail.

The coordination between EA and IA in general is one that has been widely discussed from both IA’s

perspective as that of EA. In many organizations, the activities carried out by IA constitute an important part of

the system of internal controls. If the work performed is adequate for the purpose of the accountant’s audit, the

external auditor may use the work in getting control information. The framework for cooperation between IA

and EA is stated in ‘ISA 610: Using the work of the IA’, but is specific to the audit of financial statements. This

includes using the work of IA in obtaining audit evidence [IAASB, 2013]. The external auditor is allowed to use

the work of IA when the internal auditor is sufficiently objective, proficient and maintains a robust audit

approach.

If EA decides to use the work of the IA, the audit file of the external auditor is required to maintain at a

minimum an evaluation of the objectivity, proficiency and robustness of the IA function, the nature and scope of

the work performed by IA an used by EA, and all procedures performed by EA to evaluate the work performed

by IA on which the external auditor relies [IAASB, 2013].


For IA the IIA Standard 2050 and the accompanying Practice Advisory exist and provides rules for coordination

and exchange of information on the activities of the internal auditor and the external auditor. Included are

measures ensuring an efficient (limited duplication) and effective cooperation between the internal auditor and

the external auditor [IIA, 2012].

2.4.2 Best practices for IA

An article in the Dutch magazine ‘De Accountant’ based on a research performed by the Royal Dutch Institute

of Chartered Accountants (NIVRA: “Koninklijk Nederlands Instituut van Registeraccountants” in Dutch) and

IIA in the Netherlands summarized the following best practices for an efficient and effective coordination

between the internal auditor and the external auditor [Dekker, 2009]. The first best practice mentioned in the

article is full transparency between the IA function and the external auditor and open communication with the

audit teams and stakeholders. Secondly, optimal use of existing knowledge and skills should be aimed for to

ensure the correct attitude. This can be achieved by borrowing expertise from one another, by giving IA an

important role in the selection and appointment of the external auditor, and by requesting advice from EA prior

to the selection and dismissal of the CAE. Another best practice is ensuring an effective audit coverage and

audit impact by developing a shared vision for cooperation and by defining and documenting these objectives on

an annual basis. Critically discussing risk assessments as a basis for audit planning will also contribute to

ensuring an effective audit coverage and impact. The fourth best practice indicated in the article relates to

promoting an even more efficient work performance. Activities that will enhance efficient work performance

includes the use of the same audit methodology, -techniques, -tools and -terminology; evaluating each hour

spend and budgeted; and the use of each other's work when possible. Fifthly, on forehand agreeing on the issues

and reports to be presented to the audit committee and presenting an integrated audit approach and planning to

the audit committee is mentioned as a best practice. These activities will strengthen the relationship with, and

increase support provided to, the audit committee. The sixth best practice stated is further improving the

coordination of the audit work for the organization, which can be achieved by having IA coordinate the internal

and external audit activities, or by critically evaluating the draft management letters and reports prepared by EA.

And lastly, the coordination between IA and EA should be subject to continuous improvement. This can be

achieved by jointly developing a plan to improve the effectiveness and efficiency of the cooperation, and by

informing each other on received complaints and suggestions for improvement. The best practices mentioned in

the article can be transmitted into improvement areas for both the external auditor and the internal auditor when

it comes to the relationship between the two parties.

Improvement areas also exist when looking at specific procedures that can largely be performed by the IA to

contribute to the efficiency and effectiveness of the coordination. Please refer to the Table 2-2 for an overview

of these procedures.

A research performed by Ambaum (2007) where the role of IA with relevance to CSR in the Netherlands was

empirically tested by means of a survey on 29 IA functions it was concluded that there is much potential to add

value as internal auditors when it comes to consulting on CSR related issues as his research shows that only

17% of the IA functions involved performed active market research in the field of CSR and that only 38%

monitored the integration of CSR in the annual risk analysis. This research concludes that not only the

development phase but all phases of the CSR process, including the creation of the design, implementation in

the organization and strengthening the operational effectiveness are ideally suited for a good contribution from

IA by means of a consultancy role.


CSR Process Step Role of IA

(Re)formulating CSR policy and

strategy

-

Information, Risk Management and

Planning

Assessment of the scope of the report (i.e. which entities). Knowledge of the

organization and expertise in the field of accounting can be used and of added

value here

Implementation and operation Support the organization by providing training regarding the verifiability

requirements and design of the audit files;

Advising the Board with respect to the contents of the engagement with the

external auditor, as IA has a broad understanding of the organization and

underlying processes, and its possession of materials and knowledge of work

performed on which the external auditor may be able to rely. Also, IA can advise

on the appointment of the external auditor, where it regards the experience and

expertise in the field of CSR reporting.

Checking and corrective action Perform an assessment of the internal reporting and data collection process;

Assessment of the content of the report, especially with regard to relevance,

materiality and prioritization of the issues being reported. As part of this, the

internal auditor will evaluate and advice on the continuous involvement of

stakeholders, as well as the care for the completeness and prioritization of topics;

Assessment of the quality of the report, where quality features such as balance,

comparability, accuracy, timeliness, clarity and reliability are important;

To achieve efficiency, the internal auditors take over a great part of the data-

centric and system-oriented work from the external auditor. The internal auditors’

in-depth knowledge of the organization and its processes will be embayed here.

The internal auditor will work closely with the external auditors (perhaps in the

form of integrated audit teams). The internal auditor also performs the check on

control guidelines for the organization;

The joint preparation of the (draft) assurance report and management letter;

Monitoring of the follow-up on audit findings.

Management review and continual

improvement

-

Table 2-2: Activities for IA to ensure efficient and effective collaboration with EA

2.5 Chapter summary

Based on existing literature and extant research performed the following propositions are formulated for

practical research.

P1: The CSR process within an organization is organized according to the PDCA cycle and therefore

strongly resembles Nieuwlands’ Sustainability Management System.

P2: As the CSR process becomes more mature IA will increasingly take on an assurance role and will

less frequently take on the role of consultant.

P3: The internal auditor and the external auditor work closely together, especially when auditing the

CSR report. The internal auditor coordinates his activities with that of the external auditor, and vice

versa.

The main focus of empirical research performed in this area has not yet been the improvement areas for IA in

the CSR process. Additional research is therefore required to determine what these improvement areas are.


CSR Process Step Role of IA

Summary Consulting Assurance

(Re)formulating CSR

policy and strategy

Consulting on CSR

developments

Facilitating

identification of

objectives and risks

Identifying relevant CSR-topics with regard to social

developments and adjustments in the field of laws and

regulations [IIA and NBA, 2011].

Consulting on operationalizing of these relevant CSR-topics.

This includes supporting management when defining CSR,

implementing CSR in the strategy (or setting up the CSR policy

and developing the CSR strategy), and defining objectives,

standards and norms [Nieuwlands, 2006; IIA, 2010; IIA and

NBA, 2011].

-

Information, Risk

Management and

Planning

Facilitating

identification of

objectives and risks

Assist management in identifying, evaluating and implementing

risk management methodologies and controls to address CSR

risks [IIA, 2009; IIA and NBA, 2011].

Advising management for setting-up, implementing and

managing an effective SMS and CSR program [Nieuwlands,

2006; IIA and NBA, 2011].

Giving advice on the design of an information system [IIA and

NBA, 2011].

-

Implementation and

operation

Guiding external

assurance

Consulting on CSR

controls

Consulting on CSR-

framework

Act as an advisor to management during the set-up and

implementation of a risk and control framework and effective

control procedures, which are based on an assessment of critical

risk in the field of CSR [IIA, 2009; IIA and NBA, 2011].

Assisting management in determining the evaluation criteria to

measure whether CSR objectives are achieved [IIA and NBA,

2011].

Advising management on the allocation and communication on

roles and responsibilities, and clear guidelines to ensure an

effective SMS. This includes advising management on an

organizational structure, responsibilities and composition

staffing required for the effective CSR organization

[Nieuwlands, 2006; IIA and NBA, 2011].

Consulting management during the selection of the external

verifier of the CSR report, and scope of the CSR report. IA can

-


also guide EA during the external audit to ensure effective and

efficient communication between EA and the CSR department/

manager throughout the audit [IIA and NBA, 2011].

Giving advice on internal and external accountability and

communication regarding CSR-performance, especially when it

regards the implementation of an information system [IIA and

NBA, 2011].

Checking and

corrective action

Assurance of CSR

data

Assurance of CSR

related processes

Evaluate CSR-Risk

Management

Evaluate CSR reports

Review of CSR

management

- Audits on the creation process of the CSR policy [IIA and

NBA, 2011].

Performing separate audits of third party for contractual

compliance with CSR terms and conditions [IIA, 2010].

(System) audits to provide assurance on the translation from

the strategy to the policies, procedures, models, management

cycle (PDCA) and the final report [IIA, 2009; IIA, 2010; IIA,

2011; Nieuwlands, 2006].

Evaluating the extent to which CSR ambitions of the

organization are included in the organization core processes

and management processes [IIA and NBA, 2011].

Audits regarding the adequacy of the internal control and

evaluation mechanisms [IIA and NBA, 2011].

Evaluating the reliability of performance measures [IIA and

NBA, 2011].

Audits on the effectiveness of embedding CSR in the

organization and processes [IIA and NBA, 2011].

Ensuring proper follow-up of the recommendations made as

a result of the internal and external audits.

Management review

and continual

improvement

- - -

Table 2-1: Consulting and Assurance activities for IA


3 Research design

This chapter presents the methodology used in order to answer the research questions that were presented in

Chapter 1. First, the research approach is discussed, and then the data analysis method will be elaborated on.

3.1 Research methodology

The main objective of this research is to contribute to the awareness of internal auditors about their possible

role in the CSR process and about improvement opportunities for IA in the CSR process. Robson (2002)

defined exploratory research as a valuable means of finding out ‘what is happening; to seek new insights; to

ask questions and to assess phenomena in a new light’. This research aims to explore what the role of IA is in

the CSR process and what opportunities for improvement exist in this process for IA. Additionally, it aims to

explore this by obtaining an objective point of view from the external auditors. This research can therefore be

classified as an exploratory research that maintains a theory-testing approach [Geene, 2011].

3.1.1 Literature

Various literature, websites and research studies with regard to the topic of CSR in general are studied in order

to answer the theoretical research sub questions defined in Chapter 1. Reference is made to Chapter 6, which

provides a list of literature used.

3.1.2 Subject matter interviews

Subject matter interviews are selected as a first method of research as it is a valuable manner to easily collect

knowledge in a new and unknown field [Audehoven, 2007]. In this study subject matter interviews are used as

an exploratory approach helping the researcher to gain a better understanding of the CSR process in general

and about the role of IA and its improvement areas in particular. An expert possesses knowledge in three

dimensions: technical knowledge (specific and detailed knowledge in a particular field), process knowledge

(knowledge from direct interaction), and explanatory knowledge (own ideas and subjective opinion)

[Audehoven, 2007]. By means of the interviews with the subject matter experts (SME) the researcher tried to

elicit all three types of knowledge to obtain a thorough insight. For the subject matter interviews, two

interviews are conducted with external verifiers of CSR reports working in two separate accountancy firms.

This selection of accountancy firms is based on the predicted assumption that these two accountancy firms are

the biggest in the field of CSR audits in the Netherlands. These respondents all represent experts as they all

are all highly experienced professionals, with at least ten years of experience in the field CSR. The table

below illustrates the expert interviews conducted. All interviews took place face-to-face.

Table 3-1: Subject matter experts

Company

Interview

ID no

Function CSR

experience

Location Duration Audio-

recording

EA 1 I1 CleanTech & Sustainability

Senior Manager Audit

13 years Groningen 30 minutes Yes

EA 2 I2 Global Head of Sustainability

Assurance

11 years Amsterdam 50 minutes Yes

https://www.linkedin.com/search?search=&title=Global+Head+of+Sustainability+Assurance&sortCriteria=R&keepFacets=true&currentTitle=CP&trk=prof-exp-title

https://www.linkedin.com/search?search=&title=Global+Head+of+Sustainability+Assurance&sortCriteria=R&keepFacets=true&currentTitle=CP&trk=prof-exp-title


3.1.3 Case Studies

As this research is classified as an exploratory research that maintains a theory-testing approach, the following

possible research methods are recommended: case studies, histories and experiments [Yin, 2009]. In this

research study case studies are the method of choice as it evaluates contemporary events that cannot be

manipulated and controlled. Furthermore, case studies have been proposed by authors such as Robert et al

(2006) and Ciliberti et al (2008) as the method to advance the mainstreaming of CSR, as they can be very

effective to study complicated subjects as CSR. Finally, Schramm (1971) stated that “the essence of a case

study, the central tendency among all types of case study, is that it tries to illuminate a decision or set of

decisions: why they were taken, how they were implemented, and with what result”. This statement shows the

close resemblance with the main questions of this research and thus clearly illustrates the choice in the

research method of case study [Geene, 2011].

A multiple-case study design is chosen as the appropriate research design on the basis of theoretical

replication. To ensure convenience and efficiency, a small number of cases are observed. Using multiple cases

increases the robustness of the research, as the evidence from these multiple cases is more compelling, that

that of a single case study [Geene, 2011]. This research involves a field study of four IA functions and their

respective external auditors. The four companies selected all have CSR reports that are externally verified,

have an IA function that is plays a role in the CSR process of their organization; and have an external auditor

that relies on the work of IA when it comes to the CSR audit process.

The sample was restricted to the Netherlands because of practical reasons involved with data collection. For

the case selection the decision was made to focus on companies of only the two biggest external verifiers in

the field of CSR. Furthermore, selected only two of the four largest accountancy firms enables a better cross-

case comparison due to stability in the use of methodologies by the external auditor, while still gaining insight

based on the perspective of more than one external auditor. The large accountancy firms were used as a study

by KPMG International amongst the 250 largest organizations showed that two thirds of the companies that

get their reports externally verified choose to engage a major accountancy firm [KPMG, 2013]. From the six

remaining possible case selections, the following four cases were selected in Table 3-2. These cases were

selected based on their characteristics. It was assumed that companies in Financial Services would have a

more mature CSR process given the pressures to communicate on all types of performance, including CSR

performance. Also, as the Dutch government obligates all organizations of which they are a primary

shareholder to report on CSR, it is therefore assumed that these organizations will have a more mature CSR

process. And finally, as previously mentioned in Chapter 2, AEX listed companies are normally frontrunners

when it comes to CSR. Hence, these companies were selected as it was expected that they have a higher level

of maturity of the CSR process. Furthermore, IA has been involved in the antecedent maturity levels as well.

These cases therefore provide a best practice and hence improvement points for other IA functions in less

mature CSR processes. Reference is made to table 3-2 for the case profiles with characteristics of the

organization. Please refer to Appendix D for a short case description.

Table 3-2: Case Profiles

Company

ID name

Industry CSR in

strategy

Type Shareholders External

auditor

# of auditors in IA

(in CSR audits)

Case A Financial Services Y Niche player Dutch State EA 1 5 (1)

Case B Consumer Products Y Market leader AEX listed EA 2 55 (5)

Case C Transportation Y Market leader Dutch State EA 1 3 (3)

Case D Financial Services Y Market leader Cooperation of

farmers

EA 2 200 (10)


3.1.4 Data Collection

“One of the unique strengths of a case study is its ability to deal with a full variety of evidence – documents, artifacts,

interviews, and observations…” [Yin, 2009].

The data collection aims for triangulation, encouraging the collection of information from multiple sources

while collaborating the same fact. Saunders described data triangulation as: “…the use of different data

collection techniques within one study to ensure that the data are telling you what you think they are telling

you” [Saunders et al., 2009]. The different methods of data collection used include the internal and external

documentation, interviews with the IA functions and interviews with the CSR audit departments of the EA

firms in order to offer a complete picture and to increase construct validity. As part of the case study research

triangulation was also used as a method to obtain the needed information. First, all available internal and

external documents relevant to the research objective were analyzed, these included: CSR reports, company

websites, and/or financial statements of the organizations. Also semi-structured interviews were conducted

with the internal auditor responsible for CSR in the selected cases after which they were requested to fill in a

maturity model (see appendix C) used.

The general description of the research and its purpose were presented to the companies with an introduction

email (see appendix A, to convince them of participation in this research by means of an interview. In order to

contact participants, the professional and social network of colleagues and J.J.M. Laan (lecturer of the course

Management Accounting at University of Amsterdam) and myself were used. All interviews lasted

approximately one hour which enabled the interviewees to speak freely. Interviews ensured an in-depth

understanding of the obstacles for improvement, and underlying reasons for decisions and motives when it

comes to the role of IA in the CSR process. The research model described above is illustrated in figure 1.

3.3 Data analysis

The aim of this thesis is to provide an answer to the research question: What is the role of IA, and what

opportunities for improvement exist for IA in the CSR process of an organization?

In order to answer this question based on the interviews held during the multiple case study research pattern

matching is used as a data analysis technique [Sarker, & Lee, 2003; Trochim, 1989]. By means of pattern

matching theoretical patterns are matched with the findings from the case studies (observational patterns).

Pattern Matching is a very strong method to ensure strong internal validity [Yin, 2009; Sarker, & Lee, 2003;

Trochim, 1989; Lee, 1989].

Data organization is an important step in the pattern matching technique. Especially for the interviews it is

important that the information obtained in the interviews is organized and analyzed in a systematic way in

order to make relevant conclusions. Therefore, interview scripts (appendix B) with a consistent topic list were

used. And almost all interviews were audio-recorded and transcribed with the permission of the respondents

(the transcriptions and audio files of the interviews are available upon request). This allowed the interviewer

to listen carefully and to capture all relevant and essential information. Moreover the records and transcripts

keep the entire conversation intact and does not allow for alterations. Consequently it increases the reliability

of the research [Stewart et al., 2007]. One interviewee however did not agree to audio-recording. This

interview was written out immediately after the interview to minimize data loss, and then sent to the

interviewee for verification. All transcriptions were sent back to the interviewee for their consent on

correctness of the data. Thereafter, the transcribed interviews were used to create coding tables, that capture

and group all the important expressions, quotes or sentences by the respondents based on the main issues

addressed in the interviews. These represent the observational patterns. The quotes and expressions presented


in the tables are translations made by the researcher as the interviews were held in Dutch. The coding table

can be found in appendix E.

In summary, this study applies a multiple-case study design that combines interviews with external auditors

and internal auditors to answer the main research question. Various methods and techniques, which are

discussed throughout the chapter, are used to ensure high validity and reliability of the research. A summary

of these methods is provided below in table 3-3. Reference is made to table 3-4 for an overview of the

interviewees:

Table 3-3: Technique(s) applied to enhance credibility

Table 3-4: Interviewees per case

3.4 Chapter summary

The main objective of this research is to contribute to the awareness of internal auditors about their possible

role in the CSR process and about improvement opportunities for IA in the CSR process. As this is an

exploratory research with a theory testing approach, subject matter interviews combined with a multiple case

study research was selected as the appropriate research design. Opportunities identified by external auditors

were obtained through subject matter interviews and were tested and evaluated through interviews with the IA

functions. Through triangulation data was collected by performing a desk research on the cases selected,

interviews with IA functions, and a maturity model survey following up on the interview. The four companies

selected for the case study research all have CSR reports that are externally verified, have an IA function that

plays a role in the CSR process of their organization; and have an external auditor that relies on the work of

IA when it comes to the CSR audit process. By means of a cross case comparison improvement using pattern

matching points are highlighted and conclusions are drawn.

Criterion of enhanced credibility Technique(s) applied

Reliability Audi-recording, consistent topic list, case study database and protocol, use of native

language when possible

Internal validity Pattern matching

External validity Interviews with both IA and EA

Construct validity Triangulation, pilot interviews

Company Interview ID

no.

Function CSR

experience

Location Duration Audio-recording

Case A I3 CAE 4 years The Hague 51 minutes No

Case B I4 Senior Auditor 3 years Amsterdam 53 minutes Yes

Case C I5 Interim CAE 6 years Rotterdam 54 minutes Yes

Case D I6 Account manager

Professional Practice

8 years Utrecht 37 minutes Yes


4 Findings

This chapter aims to answer sub-questions 5-8 formulated in Chapter 1 by presents and analyzes the findings

of this research. By means of the cross-case analysis, in which the results of the four case studies are bundled

and compared, the propositions as defined in Chapter 2 are reflected upon. Additionally, based on the results

of the subject matter interviews the improvement points mentioned by the external auditors are highlighted

and discussed.

4.1 CSR Process

How is the CSR process within organizations structured?

As part of the case study interviews, interviewees were requested to describe how the CSR process was

structured within their organization. Results show that the CSR process within the cases all include the PDCA

cycle allowing the process to improve and mature on a continuous basis. Once presented with the SMS from

Nieuwlands all four case interviewees indicated that the model was a fair representation of the CSR process

within their organization. These statements are evidenced by the following quotes:

“The PDCA cycle is key in this process to ensure that it does not remain a paper execution, but to ensure full integration

into the organization and to ensure continuous improvement of the process.” [I3, Chief Audit Executive. Translated by

the author]

“The CSR process here started with formulating a strategy to include CSR. After that we defined certain specific

objectives, and included CSR in our Risk Management process. Also we have set up a CSR committee with the

responsibility to define and secure KPI’s. This was the start of the implementation of CSR into the organization. We as IA

finally perform audits in which we structurally include CSR and report our findings to management. Looking at the

model from Nieuwlands, I can definitely say that our CSR process indeed looks like this.” [I3, Chief Audit Executive.

Translated by the author]

Unfortunately, when presented with the same question, both SMEs noted that this path is not followed in

practice, as an organization’s initial starting point normally differs. According to the SMEs CSR normally

starts with the organization’s involvement in several loosely correlated CSR initiatives or projects.

“However, what is seen in practice is that it doesn’t always follow this structured path, but that it can be initiated at any

of these process steps. Organizations are often already involved in some lose CSR activities as it is a natural driver for

people to give back to the society. These CSR activities are often initialed on individual level or by low/ middle

management, yet they are bundled and reported on in the organization’s CSR report. However often these initiatives are

not linked to the organizations products and services, and are not implemented into the core business processes. At some

point, usually when top management believes in CSR and is motivated by CSR, are initiatives selected that are more

closely linked to the organization. And only then is CSR implemented in the strategy of that organization”. [I1, Subject

matter expert. Translated by the author]

“What we see in the energy industry is that the CSR process sometimes starts with assigning a CSR officer to write a

CSR report. But these reports are usually inconsistent, lack direction and are not concrete as no CSR strategy is defined.

The CSR officer is asked to report on separate projects the organization is involved in, which are normally in one of the

CSR areas, such as environmental projects. However, at some point they realize that in order to make a difference they

cannot just be involved with uncorrelated project but that a CSR policy needs to be defined. In the CSR policy they

normally expand the CSR range to include other important CSR areas, such as social projects. Finally, we see that

organization then decide that they need to formulate a strategy to determine where they want to be in 5-10 years with

regard to CSR performance, how they want to be perceived, especially in comparison to their competitors. And then of

course implementation and execution of the CSR strategy is next in order to achieve goals. But this can only be


successfully done once CSR is understood and defined within the organization”. [I2, Subject matter expert. Translated by

the author]

Based on these results it can therefore be concluded that CSR within and organization normally starts with the

organization’s involvement in several loosely correlated CSR projects initiated on an individual or low/middle

management level, and that frequently organization start reporting on these projects in the CSR report.

However, as a result these CSR reports often lack context, consistency and coherence with the organization

products, services and strategy. Finally, management realizes that in order to make a meaningful difference a

CSR policy, vision and strategy needs to be defined. Only when awareness and understanding is created in the

organizations does the actual implementation of the CSR process successfully start. The initiation of a CSR in

an organization therefore does not follow the structured path described by Nieuwlands. However, it can be

concluded that once the CSR process is implemented Nieuwlands’ SMS provides a fair representation of a

successful CSR process as it includes the PDCA cycle allowing for continuous improvement. The following

proposition is therefore supported: P1: The CSR process within an organization is organized according to the

PDCA cycle and therefore strongly resembles Nieuwlands’ Sustainability Management System.

4.2 The role of IA in CSR

What roles does IA attain in the CSR process?

Based on literature it was noted that IA can take up assurance, and consultancy roles in the CSR process,

which consist out of various activities (reference is made to figure 2-2), without jeopardizing the IA’s

independence and objectivity.

Results of the case study interviews demonstrate that most of the activities performed by IA relate to its

assurance role, followed by its consultancy role. Also interesting to note is that managing related activities are

also performed by IA functions even though these activities negatively affect (or create the appearance of

negatively affecting) their objectivity and independence. These results are demonstrated in figure 4-1 below.

Upon further inquiry it was noted that the extent to which these activities are performed by IA strongly relate

to the level of maturity of the organization’s CSR process, as expected. In the beginning phases of the CSR

process, IA mainly attains a consultancy role and even a managing role at times. However, as the process

matures these roles are increasingly replaced by an assurance role. This is supported by the following quotes:

"The tasks that we perform as an internal audit function are really dependent on the maturity of the CSR process. In the

beginning we had taken up a more advising role, however at some point we tried to push back some of this consultancy

work in order to focus on our main activity and that is audit. So, I think that we have performed all of these tasks at one

point or another". [I4, Senior Auditor. Translated by the author]

"We have performed each single one of these activities and still do to some extent; especially I still do as the head of the

[internal audit] department. Even those activities that are written as roles that should not be undertaken by the internal

auditor have been attained by us somewhere along the path. Especially in the beginning stages of the CSR

implementation did we perform these managing tasks as well. However, the responsibility for these activities and

decisions remained that of management. Currently I maintained a more consultancy role, whereas the rest of my team

increasingly takes on an assurance role as the CSR process becomes more mature." [I5, Interim Chief Audit Executive.


"However as this process was continuously subject to change, the role of the internal accountant was mainly that of

consulting. (…) Our advisory role slowly transformed into more of an assurance role when we started to look at how we

would audit the whole sustainability process including the actual sustainability report". [I6, Account manager

Professional Practice and Sustainability. Translated by the author]


Role Activities I3 I4 I5 I6

AS

SU

RA

NC

E

Assurance on CSR data

Assurance on CSR (related) processes

Evaluate CSR-Risk Management

Evaluate CSR reports

Review of CSR management

CO

NS

UL

TIN

G Guiding external assurance

Facilitating identification of objectives and risks

Consulting in CSR-controls

Consulting on CSR-framework

Consulting on CSR developments

Preparing CSR implementation strategy

MA

NA

GIN

G Managing of CSR processes

Management assurance on CSR

Decision-making regarding CSR

Preparing CSR reports

External accountability regarding CSR

Table 4-1: IA’s current activities in the CSR process

Based on the field research conducted, the maturity model in Table 4-2 was developed in order to determine

how the role of IA changes as the process becomes mature. The model indicates when the activities are mostly

performed by IA at various levels of maturity (as described in Chapter 2) and visualizes the evolution of the

CSR process and the role of IA in it. It should be noted that for the ‘optimized’ maturity level the activities are

selected based on assumptions and expectations, as none of the cases have reached this level of maturity.

In short, IA takes up assurance, consultancy and managing roles in the CSR process. The actual role IA attains

in the CSR process is dependent upon the maturity level of the CSR process. It can be concluded that the role

of IA in the CSR process changes from a consultancy and managing role to a more assurance role as the

process becomes matures. The following proposition is therefore supported in this research: P2: As the CSR

process becomes more mature the IA will increasingly take on an assurance role and will less frequently take

on the role of consultant.


CSR PROCESS STEP ACTIVITIES MATURITY LEVEL

Initial Repeatable Defined Managed Optimized

(Re)formulating CSR policy and strategy

Identifying relevant CSR-topics with regard to social developments

and adjustments in the field of laws and regulations

Consulting on defining CSR within the organization

Supporting management in implementing CSR in the existing strategy or in developing a CSR strategy, and setting up the CSR policy

Assisting management in defining CSR objectives, standards and

norms

Audits on the creation process of the CSR policy

Reviewing the adequacy of the translation of strategy into operational

objectives

Information, Risk

Management and Planning

Implementation and operation

Assist management in identifying, evaluating and implementing risk management methodologies and controls to address CSR risks

Advising management for setting-up, implementing and managing an

effective SMS and CSR program.

Giving advice on the design of an information system and

communication structure around CSR

Implementation and

operation

Checking and corrective action

Act as an advisor to management during the set-up and

implementation of a risk and control framework and effective control

procedures, which are based on an assessment of critical risk in the field of CSR

Assisting management in determining the evaluation criteria to

measure whether CSR objectives are achieved

Advising management on the allocation and communication on roles

and responsibilities, and clear guidelines to ensure an effective SMS.

This includes advising management on an organizational structure,

responsibilities and composition staffing required for the effective CSR organization

Consulting management during the selection of the external verifier of

the CSR report, and the scope of the CSR report

Guiding the external accountant during the external audit to ensure

effective and efficient communication between the external accountant and the CSR department/manager throughout the audit

Giving advice on internal and external accountability and

communication regarding CSR-performance, especially when it concerns the implementation of an information system


Evaluating the extent to which CSR ambitions of the organization are

included in the organization core processes and management processes

Audits regarding the adequacy of the internal control and evaluation

mechanisms

Evaluating the reliability of performance measures

Audits on the effectiveness of embedding CSR in the organization and

processes

Checking and corrective

action

Performing separate audits of third party for contractual compliance

with CSR terms and conditions

(System) audits to provide assurance on the translation from the

strategy to the policies, procedures, models, management cycle (PDCA) and the final report

Evaluating the extent to which CSR ambitions of the organization are

included in the organization core processes and management processes

Audits regarding the adequacy of the internal control and evaluation

mechanisms


Audits on the effectiveness of embedding CSR in the organization and processes

Ensuring proper follow-up of the recommendations made as a result of

the internal and external audits

Management review and

continuous improvement

-

N/A N/A N/A N/A N/A

Table 4-2: Role of IA per maturity level


4.3 Coordination of EA and IA

How do the external auditor and IA function of an organization work together in the CSR process?

In the literature review it was learned that 59% of the world’s largest companies (Global 250) now externally

verify CSR reports, however it was also learned that this is still not common practice in the Netherlands.

Additionally, this research found that from the total of companies externally verifying their CSR reports at the

two accountancy firms selected in this research, only a mere 10-15% of the IA functions were involved in the

CSR process. And even then, collaboration between EA and IA in the CSR process is frequently initiated by the

external auditors. In these circumstances EA often divides and defines the roles to be executed by IA, after

which IA merely passively performs those assigned activities. These activities mainly include performing data-

centric and system-oriented audits on CSR data and processes, hence providing EA with substantiation for the

information in the CSR report.

“The collaboration with our clients is one that I can only describe as pleasant. However, as the collaboration is normally

initiated by us, you do see that we usually make the decisions. We tell them what to do and that is exactly what they do, and

these tasks only relate to auditing and not to the other parts of the CSR process. In the financial audit they definitely work

more closely with the internal audit. (...) In my opinion internal audit should be more involved in the CSR process, they

should obtain the internal knowledge in this area that we don't have. Together we can provide a report of higher quality”.

[I1, Subject matter expert. Translated by the author]

This statement is even supported by one of the case study interviewees based on his experience as a consultant:

“At some companies I see that the external accountant decides on the role of the internal auditor, and this irritates me to

the core. It should be the other way around”. [I5, Interim Chief Audit Executive. Translated by the author]

In the research performed by the NBA and IIA (2011) a best practice was highlighted stating that the internal

auditor and the external auditor work closely together, especially when auditing the CSR report. And that the

internal auditor coordinates his activities with that of the external auditor, and vice versa. This best practice is

confirmed as indeed a best practice and ideal situation through the case interviews. In the selected cases – who

are frontrunners in this area – the collaboration is described as a two way relationship, in which IA and EA work

closely together and in which IA coordinates its activities with EA, and vice versa. The following quotes

illustrate this:

"We were one of the first companies to publish an integrated report with reasonable assurance. This was not done before,

and therefore we had a strong collaborative relationship with the external accountant from the start. Together with the

external accountant we discussed throughout the integration process on what the expectations were and what the roles and

responsibilities were going to be”. [I5, Interim Chief Audit Executive. Translated by the author]

"As [Case D] wanted to obtain reasonable assurance on the report from the start, the internal accountant function worked

closely together with the external accountant to discuss and determine the role of the internal accountant function and that

of the external accountant. A plan was made together with the external accountant on how to reach reasonable assurance.

In this, we have closely worked together ever since”. [I6, Account manager Professional Practice and Sustainability.


Based on field research it was noted that the following activities are frequently performed together in case of

collaboration between the external auditor and the internal auditor: the preparation and execution of the kick-off

session, the preparation of the resource planning, the division of tasks between the CSR department, EA and IA,

and sometimes interviews with process owners are held together as well. Additionally, the following best

practice procedures as described by the IIA and NBA in Figure 2-2 are performed:


Procedures I1 I2 I3 I4 I5 I6

Support the organization by providing training regarding the verifiability requirements

and design of the audit files

Advising the Board with respect to the contents of the engagement with the external

auditor and advise on the appointment of the external auditor

Perform an assessment of the internal reporting and data collection process;

Assessment of the content of the report (i.e. relevance, materiality and prioritization of

the issues)

Assessment of the scope of the report (i.e. which entities)

Assessment of the quality of the report (i.e. balance, comparability, accuracy,

timeliness, clarity and reliability)

To achieve efficiency, the internal auditor takes over a great part of the data-centric

and system-oriented work from the external auditor, while working closely with the

external auditors

The joint preparation of the (draft) assurance report and management letter

Monitoring of the follow-up on audit findings with regard to CSR

Table 4-3: Collaboration procedures IA and EA

Interesting to note from this table is that according to the SMEs assessing the content and quality of the report is

not an activity which is performed by the IA functions, whereas all four IA functions indicate that this is an

activity performed by them in collaboration with the external auditor. According to the SMEs this finding can be

explained by the fact that the IA functions interviewed as part of this research are all front-runners in the area of

CSR and in having a collaborative relationship with EA in that area. In general however, the assessment of the

CSR report’s content and quality is according to these SMEs, definitely an activity in which IA can contribute

and improve.

To conclude, only a mere 10-15% of the IA functions is involved in the CSR process of its organization,

allowing them to collaborate with the external auditors during the verification of the CSR report. This

collaboration is generally initiated by EA who defined and assigns the roles, after which IA passively perform

the activities assigned to them. This is however not the case for the leaders in the field of CSR. When

extrapolating it to the total population, P3 is rejected as it indicates a two way coordination that is clearly not

common.

4.4 Improvement areas for IA

What are the improvement areas for IA in the CSR process?

The interviewees were asked to highlight improvement areas for IA, to indicate which risks are associated with

auditing the CSR report, and to indicate whether there was a role for IA in reducing those risks. The following

risks and improvements for IA were identified:

Risks SMEs IA functions

Lack of standards I1 I4, I5

High number of systems I1, I2 I4

Low frequency of data retrieval (incidental) I2

Reliability of the information I1, I2 I4, I5

Completeness of the report I2

Balance of the report I2

Insufficient support in the organization I5, I6

Table 4-4: Risks in auditing the CSR process


Improvement points SMEs IA functions

CSR Knowledge and skills I1, I2 I3, I6

System-oriented audits performed by IA I1 I5

Maintaining an consultancy role throughout the

CSR process

I1, I2

Play a more active role in the CSR process I1, I2

Play a role in defining standards I4, I5, I6

Table 4-5: Improvement points for IA

To summarize, the SMEs indicated that there are several risks in auditing the CSR process which should be of

great focus to IA. Mostly these risks are due to the lower level of maturity of the CSR process in comparison to

the financial reporting process.

“The risks in auditing the CSR process are dependent upon the maturity level of the CSR process. In the beginning the

biggest risk is whether there are strategically enough reference points or standards, so to speak, to actually perform the

audit. In the next phase the reliability of the information and systems is a high risk, but also the lack of support in the

organization requires significant attention. Without the support of the organization, and without them seeing the added

value of CSR, it is like flogging a dead horse”. [I5, Interim Chief Audit Executive. Translated by the author]

Furthermore, combining the two tables and other comments made through the interviews the following

important improvement points were identified:

1. Increase proactive involvement in the CSR process: As previously mentioned this research noted that

at a mere 10-15% of IA functions are involved in the CSR process. With CSR being one of the top 10 emerging

risks, and it becoming increasingly important in the business world, IA need to step up and take a more

proactive role in this process. When looking at the empirical research performed in 2007 and 2011, insufficient

strives have been made by the IA in the CSR process. Especially when we bear in mind that in even when IA is

involved, this involvement is frequently initiated by EA and only limits to the tasks assigned by EA.

“I think that the reason that internal audit does not take a more active role in auditing the CSR process is because they are

not aware of what they role in the process could be. We would like to see them take up a more active role, so that they can

actually start to add value". [I2, Subject matter expert. Translated by the author].

In short, a proactive involvement in the CSR process is not only expected but essential for the future success of

the organization. The need for IA’s involvement in the CSR process is highlighted in this research as only IA is

able to provide the internal knowledge that EA cannot otherwise obtain. Through combining the external,

industry, and CSR specific knowledge of the external auditor and the internal, organization specific knowledge

of the internal auditor, a higher quality of the CSR report can be obtained [I1, Subject matter expert].

2. Improve IA’s CSR knowledge and skills: The improvement point most frequently mentioned as a

point of attention is the CSR knowledge and skills of the internal auditors. In order to add value through

consultancy and assurance, the knowledge and skills of the IA function regarding CSR should be of sufficient

level. Additionally obtaining CSR specific knowledge and skills is required to be in accordance with the IIA

professional standard 1210 on proficiencyvii

.

“The main improvement point is CSR knowledge and skills. Their audit skills are fine, but specific knowledge with regards

to CSR is missing. This results in audits focusing and reporting on the wrong issues, and results in incomplete and

unbalanced reports. I am sure that a great part of the internal auditors auditing CSR have not been educated on the topic.

(…) Lack of capacity, knowledge and skills, and lack of intrinsic motivation are all reasons why internal audit is not part of

the CSR process”. [I1, Subject matter expert. Translated by the author]


"My advice to internal audit departments with a less mature CSR process would be to ensure you obtain basic knowledge

regarding CSR through trainings and education. Communication with your internal sustainability department and the

external account is key. You need to first understand the product, developments in this area and what it is that they are

doing in order to provide assurance. You also need to know what the requirements for the sustainability report are in order

to audit it appropriately". [I6, Account manager Professional Practice and Sustainability. Translated by the author]

Lack of CSR knowledge by the internal auditors has resulted in incomplete and unbalanced reports as IA is

frequently not aware of what is written in GRI and hence what should be included in their organization’s CSR

report. This is evidenced by the fact that only two out of the 19 internal auditors in the four cases involved in

CSR have completed a study in the field of CSR. Even though this improvement point was not necessarily

indicates as an improvement point for the selected cases, they indicated that it definitely is a point of constant

attention. It is essential to be continuously be aware that in order to perform audits appropriately, they need to

ensure that their CSR knowledge are up to date through internal trainings and seminars provided as part of their

profession.

Additionally internal auditors need to improve their skill set in order to conduct CSR audits. The CSR audit

process is not one with a fixed set of standards but it is one in which professional judgment and experience is

needed to formulate organization specific standards based on the GRI principles. Currently internal auditors are

stating that auditing in the absence of a reference model is not possible (i.e. in case of soft controls and CSR

audits). It is not the absence of a reference model that is the issue, but the skill of auditing a process without a

checklist that is the issue [I2, Subject matter expert]. A SME described that an auditor with an advisory skill set

is what is needed:

“Another issue it the skill set of the current internal audit functions. Ideally an internal auditor with an advisory skill-set is

needed to audit the CSR process. An internal auditor with a wider perspective, one that can include the relationship with

stakeholders in its decision making, an auditor that can look beyond processes and reference models and can see the real

issue at hand, that is the kind of auditor that is needed. (...) internal auditors need to learn to ask the right questions instead

of relying on a predefined checklist. However this brings us back to the first point of improvement, as in order to ask the

right question auditors need the have up to date CSR knowledge". [I2, Subject matter expert. Translated by the author]

3. Increase the advisory role of IA: Based on field research it is stated that especially the consultancy

role is subject for improvement. As noted in paragraph 4.2, IA takes up assurance, consultancy and managing

roles in the CSR process. However generally stating, IA only contribute to the CSR process through an

assurance role by performing data-centric and system-oriented audits [I1, Subject matter expert; I2, Subject

matter expert].

Also, as the process matures IA increasingly perform assurance related tasks, and decreasingly take on a

consultancy role. A need exists for an IA function that is continuously involved in the (re)design of the CSR

process, and its controls and frameworks through advising on required improvements and needs for change.

4. Earlier involvement in the CSR process: The lack of standards to audit against is highlighted as one

of the most significant risks. Based on field research it was noted that IA finds it difficult to define CSR audit

standards as the GRI guidelines are only principle-based, and as there is no history to benchmark these standards

against. To face this challenge and to reduce this risk, early involvement (in the initial stage of the CSR process,

including in the strategy formulation step) of IA is needed. Especially the role as an advisor is key in the early

stages to ensure an auditable CSR process is implemented.

The cause of most unsuccessful CSR processes and CSR audit processes is described to be due to lack of

implementing CSR in the organization’s strategy, strategy formulation and monitoring. Often a separate CSR


strategy is defined and implemented making it more difficult to define standards to test the CSR process against

[I5, Interim Chief Audit Executive]. The early involvement of IA in the strategy formulation and

implementation can increase the likelihood of an auditable CSR process (which also meets GRI standards) by

playing a significant role in defining CSR and in translating the objectives into auditable KPIs and performance

measures [I4, Senior Auditor]. Essential in this process is however that IA communicates openly with the

internal CSR department (if applicable) and the external auditor to combine the knowledge and to decide upon

strict audit standards.

“In order to get a CSR process resulting in complete and accurate information, a lot needed to be designed before

implementation. A process needed to be defined based on GRI; however it also needed to be auditable. Therefore the

principle-based guidelines needed to be translated into hard company-specific standards to audit against. Early

involvement in the process therefore is key.” [I6, Account manager Professional Practice and Sustainability. Translated by

the author]

Furthermore, a more active involvement of IA in the beginning of the process can help increase the

organizational support needed for the CSR process to be successful. Especially in circumstances where the

support system is under pressure, for example when negative events have occurred, should IA convince the

board of reporting on these negative events [I5, Interim Chief Audit Executive].

5. Increase and improve the performance of system-oriented audits: In the CSR process data is

generated and extracted from various independent systems. Combining this with the lower level of maturity of

the CSR process, and the low frequency of data retrieval, it creates one of the biggest current risks in the CSR

audit process.

“I would say that the fact that CSR is not a continuous process but an incidental one is a risk. The frequency on which data

is retrieved from the systems is often once or maybe twice a year. This increases the changes of errors and affects the

completeness and balance of the CSR report” [I2, Subject matter expert. Translated by the author]

Furthermore, non-financial data is often generated and extracted through end-user-computing files and reports

using Microsoft Excel or through systems that are still in their development stages. As a result non-financial

data tends to be less reliable [I1, Subject matter expert]. To reduce this risk it is important for IA to perform

both data-centric as system-oriented audits to determine the reliability of the data and the systems used.

However, in practice it is seen that these system-oriented audits are not performed by IA to the extend needed.

Often the external auditor needs to encourage IA to perform these audits or to include CSR into the system-

oriented audits that are already being performed as part of the audit plan.

“However, we constantly need to encourage internal audit to perform these system-oriented audits, or to include CSR in

system-oriented audits that are already in their audit plan. This is not usually initiated by the internal audit department

itself”. [I1, Subject matter expert. Translated by the author]

This research suggests IA to integrating CSR into the standard audit plan and into every audit that is being

performed. As a result the frequency of data retrieval increases, making the CSR process a continuous process

instead of an incidental one, which in turn increases the reliability of the non-financial data. For example, when

IA is already performing an audit on the HR process, they can also easily look at non-financial elements of the

HR process such as the number of immigrants working at the company.

4.5 Chapter summary

In Chapter 2 three propositions were identified for further research. Based on the subject matter interviews and

case study research performed the following can be concluded.


P1 was supported: the point of initiation of the CSR process of an organization differs per organization,

however once management has decided that a CSR policy and strategy needs to be formulated the CSR

process is structured in accordance with the PDCA cycle. It was noted that Nieuwlands’ SMS provides

a fair representation of a successful CSR process in practice.

P2 was also supported: IA can take up an assurance, consultancy or managing role in the CSR process.

In general it was concluded that IA attains a more assurance related role than a consultancy role. It was

also noted however, that the role of IA in the CSR process changes to a more assurance role as the

process becomes more mature.

P3 was rejected: mostly the collaboration is initiated by EA who assigns and divides the roles, which are

subsequently performed by IA.

Additionally, various improvement points were mentioned including: increasing proactive involvement in the

CSR process; improving IA’s CSR knowledge and skills; increasing the advisory role of IA; ensuring earlier

involvement in the CSR process; and increase and improving the performance of system-oriented audits.


5 Discussion

“I think that the reason that the internal audit does not take a more active role in auditing the CSR process is because they

are not aware of what they role in the process could be". [I2, Subject matter expert. Translated by the author]

IA departments are increasingly being asked to consult its organization on emerging risks including CSR and to

provide assurance on the extent to which these risks are mitigated in the organization. This research aims to

contribute to the awareness of internal auditors on their possible role in the CSR process, and on opportunities to

add value and to improve the CSR process within their organizations. As a result, the following research

question was formulated: What is the role of IA, and what opportunities for improvement exist for IA in the CSR

process of an organization? In this chapter we will summarize the findings of this research by answering the

main research question.

5.1 Conclusion

As mentioned in Chapter 1, IIA and the NBA published a report in 2011 based on empirical research stating that

of the IA functions participating in their research 30-40% are involved through either an assurance role,

consultancy role or both in the CSR process. And that this involvement is only to increase in the coming years.

Furthermore, the results concluded that IA adds significant value in the CSR process through a broad scope of

activities including taking on a consultancy role. As this research was only based on results provided by IA

functions and largely based on surveys as a method of research, this research aimed to address a different point

of view, that of the external auditor, and a different research method to explore what the current role of IA in the

CSR process is.

Based on the findings of this research it can be concluded that leading IA functions are involved in the CSR

process through assurance, and consultancy roles. Building on extant literature, this research concludes that the

actual role attained by IA is indeed highly dependent upon the level of maturity of the CSR process. The role of

IA tends to shift from a consultancy, and at times even a managing role, to a more assurance providing role as

the CSR process matures from initial to optimizing. Activities that are decreasingly performed, as the CSR

process matures, include advising on the set up and implementation of the CSR process. These activities make

way for the following assurance providing activities: auditing the CSR report on scope and quality, and auditing

the process of translating the strategy to the policies, procedures, models, management cycle (PDCA), and the

final report. Through the development of the maturity model in this research, awareness is created on the

possible activities to be performed by IA at various levels of maturity. Noteworthy is however that in contrast to

the findings in the research by NBA and IIA, this research highlights that the involvement by IA in the CSR

process is generally limited to its assurance role by performing data-centric and system-oriented audits. A role

that is imposed by the external auditor and subsequently passively executed by IA. Also, this research concludes

that only 10-15% of the IA functions are involved in the CSR process.

The significant difference between these findings with that of the IIA and NBA are either the result of less

involvement by IA over the years, participation of IA functions that are front-runners in the area, or by the

research method chosen by the IIA and the NBA. Either way these results directly highlight the most significant

improvement points resulting from this research: increase the active involvement of IA in the CSR process, and

increase the performance of consultancy related activities in the CSR process. These points are of high

importance and subject to immediate improvement, as organizations need IA to take a broader mandate within

the organization and are increasingly being asked to not only provide operational business insights to the

organization, but to also help in addressing key business risks and in preparing for critical emerging risks that


the organization knows are approaching. Amongst the top of ten of the most important emerging risks is climate

change and sustainability (CSR). For IA to add value to its organization, it needs to attain an active role to

consult its organization on these risks and must provide assurance on the extent to which these risks are

mitigated in the organization.

Another significant improvement point resulting from this research is the CSR knowledge and skills of internal

auditors. In line with the IIA standard on proficiency IA needs to collectively have the CSR knowledge and

skills needed to perform CSR related audits. However it is noted that only 11% of the total of internal auditors

in the IA functions of this research have completed CSR related studies, as a result lack of CSR knowledge lead

to an unbalanced and incomplete CSR reports. Also internal auditors are often missing the skillset needed to

perform CSR audits as these audits are often principle-based and do not have a standard checklist to be used.

Auditors with an advisory skill-set, which are able to ask the right questions without having a checklist, are

required.

Also noted is that especially in the beginning stages of the CSR process there is an important consultancy role

for IA to ensure an auditable CSR process is implemented. The early involvement of IA in the strategy

formulation and implementation can increase the likelihood of an auditable CSR process (which also meets GRI

standards) by playing a significant role in defining CSR and in translating the objectives into auditable KPIs and

performance measures. Furthermore, a more active involvement of IA in the beginning of the process can help

increase the organizational support needed for the CSR process to be successful.

Finally, based on the field research conducted it was concluded that the performance of system-oriented audits

by IA needs to increase and improve. The urge for this improvement lies in the fact that in the CSR process data

is generated and extracted from various independent systems, which are often still Microsoft Excel based or in

the beginning development stages. Combining this with the lower level of maturity of the CSR process, and the

low frequency of data retrieval, it creates one of the biggest current risks in the CSR audit process. To reduce

this risk it is important for IA to perform both data-centric as system-oriented audits to determine the reliability

of the data and the systems used. However, in practice it is seen that these system-oriented audits are not

performed by IA to the extend needed. This research suggests IA to integrating CSR into the standard audit plan

and into every audit that is being performed.

5.2 Limitations and recommendation for future research

There are however several limitations in this research. First of all improvement points are highlighted by EA.

EA however might have different incentives and goals than the IA functions. A small possibility also exists that

the decennia-long tension between EA and IA might have affected the results of this research. Furthermore, the

improvement points mentioned by EA are only based on the activities in which they work together with the IA.

Therefore the improvement point listed in this research does not provide a complete list of improvement points

or it might not even provide a list of the most important improvement points. To mitigate this effect, this

research also requested IA for a list of improvement point.

However as the IA functions included in this research are front runners in the field of CSR and the role of IA in

it, the improvement points mentioned by these IA functions are mostly interesting for organizations with a more

mature CSR process. Future research should investigate improvement areas at IA functions of variously levels

of maturity.

It should be noted that when filling in the maturity model, it was filled in based on the interviewee’s best

intuition. These results may therefore be biased by interviewee’s personality treats, their different perceptions


and difference in job tenure. And finally, another limitation of this research design is the fact that these studies

are merely conducted at a specific point in time; it limits the ability to measure the long-term impact and

consequences of implementing CSR [Geene, 2011].

During this research it became apparent that there is a great need for a CSR maturity model and the possible role

of IA in this model. This research made a start to exploring and developing such a model, however this model

was not validated with external parties. A more extensive, in-depth and validated maturity model should be

developed allowing IA to determine their current state, explore their desired future state and to determine a path

to get to the desired level.


6 Reference List

AMBAUM, B. (2007). De rol van de IAD bij maatschappelijk verantwoord ondernemen als auditobject. Referaat PDO

I/OA, ESAA.

AUDENHOVEN, VAN, L. (2007). Lecture on Expert Interviews and Interview Techniques for Policy Analysis. Vrije

Universiteit Brussel. www.ies.be/files//060313%20Interviews VanAudenhove.pdf.

CILIBERTI, F., PONTRANDOLFO, P., SCOZZI B. (2008). Investigating corporate social responsibility in supply

chains: a SME perspective. Journal of Cleaner Production, 16: 1579-1588.

COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION (2004). Enterprise

Risk Management - Integrated Framework.

DEKKER G. (2009). Samenwerking interne en externe auditor kan omhoog. De Accountant, November 2009, p.34 -37.

ELKINGTON, J. (1997). Cannibals with forks. The triple bottom line of 21st century business. Capstone Publishing Ltd.,

Oxford, UK.

EY (2013). Matching Internal Audit talent to organizational needs. Key findings from the Global Internal Audit Survey

2013. EYGM Limited, 2013

FREEMAN, R.E. (1984). Strategic management: A stakeholder approach. Boston MA: Pitman.

GEENE, J.A. (2011). Corporate Social Responsibility in Supply Chains of SMEs: Motives, Practices and Effects. Master

Thesis in Business Administration: MSc BA Accounting & Control – MSc BA Chain Management. RSM Erasmus

University, Rotterdam.

GRANT, R.W. (1997). Contemporary Strategy Analysis: Concepts, Techniques, Applications. Blackwell Business Books,

Oxford.

GRAY, R., JAVARD, M., POWER, D.M., SINCLAIR, D.C. (2001). Social and environmental disclosure and corporate

characteristics: a research note and extension. Journal of Business Finance and Accounting 28: 327–356.

GLOBAL REPORTING INITIATIVE (2002). Sustainability Reporting Guidelines. Global Reporting Initiative, Boston,

MA.

INSTITUTE OF INTERNAL AUDITORS (2009). IIA Position Paper: The role of internal auditing in Enterprise-wide

Risk Management. IIA Inc., Altamonte Springs, Fla., USA.

INSTITUTE OF INTERNAL AUDITORS (2010). IPPF - Practice Guide: Evaluating Corporate Social Responsibility/

Sustainable Development. IIA Inc., Altamonte Springs, Fla., USA. www.theiia.org/guidance.

INSTITUTE OF INTERNAL AUDITORS (2012). International Standards for the Professional Practice of Internal

Auditing (Standards). Standards and Guidance, Altamonte Springs, Fla., USA.

INSTITUTE OF INTERNAL AUDITORS & NEDERLANDSE BEROEPSORGANISATIE VAN ACCOUNTANTS

(2011). Governance in Duurzaamheid: Internal Audit en Corporate Social Responsibility. IIA Nederland,

Naarden. NBA, Amsterdam.

INTERNATIONAL AUDITING AND ASSURANCE STANDARD BOARD (2013). ISA 610 (Revised 2013), Using

the work of internal auditors and Related Conforming Amendments. International Federation of Accountants

(IFAC).

JOHNSON, G., SCHOLES, K. (1993). Exploring Corporate Strategy: Text and Cases. Prentice-Hall International, Hemel

Hempstead.

KOLK, A. (2001). Environmental reporting by the Fortune Global 250: exploring the influence of nationality and sector.

Business Strategy and the Environment 10: 15–28.

KOLK, A. (2003). Het eind van maatschappelijk verantwoord ondernemen, of het begin? Vossiuspers UvA, Amsterdam.

KOLK, A. (2003). Trends in sustainability reporting by the Fortune Global 250. Business Strategy and the Environment

12: 279–291.

KOLK, A. (2004). A decade of sustainability reporting: developments and significance. International Journal of

Environment and Sustainable Development 3: 51–64.

http://www.theiia.org/guidance


KPMG (2008). International Survey of Corporate Responsibility Reporting 2008.

http://www.kpmg.eu/docs/Corp_responsibility_Survey_2008.pdf [1 June 2010].

KPMG (2013). The KPMG Survey of Corporate Responsibility Reporting 2013. KPMG International Cooperative

[December 2013].

LEE A. S. (1989). A scientific methodology for MIS case studies. MIS quarterly, 33-50.

MCWILLIAMS, A., SIEGEL, D.S., WRIGHT, P.M. (2006). Guest editors’ Introduction Corporate Social

Responsibility: Strategic Implications. Journal of Management Studies, Vol. 43, No. 1, pp. 1-18.

NIEUWLANDS, H. (2006). Sustainability and Internal Auditing. The IIA Research Foundation.

OWEN, D. (2006). Emerging issues in sustainability reporting. Business Strategy and the Environment 15: 217–218.

PRIKKEN, H. (2010). The European Sustainability Reporting Association Report for the Netherlands. ESRA,

http://www.sustainablereporting.eu/netherlands#.

PWC (2009). Internal Audit perspectives: Internal Audit perspectives on sustainability.

ROBERTS, S., LAWSON, R., NICHOLLS, J. (2006). Generating regional-scale improvements in SME corporate social

responsibility performance: lessons from responsibility Northwest. Journal of Business Ethics, 67(3): 275-286.

ROBSON, C. (2002). Real World Research. Second edition. Oxford: Blackwell.

RUSSO, M., FOUTS, P. (1997). A resource-based perspective on corporate environmental performance and profitability.

Academy of Management Journal, Vol. 40, pp. 534-59.

SARKER S., & LEE A. S. (2003). Using a case study to test the role of three key social enablers in ERP implementation.

Information & Management, 40(8), 813-829 .

SAUNDERS, M., LEWIS P., THORNHILL A. (2009). Research methods for business students, Fifth edition. Pearson

Education Limited: Harlow, England.

SCHRAMM, W. (1978). Notes on case studies of instructional media projects. Working paper for the Academy for

Educational Development, Washington, DC.

STEWART, D.W., SHAMDASANI, P.M., & ROOK, D.W. (2007). Focus groups: Theory and practice. London: Sage

publications.

TROCHIM, W. M. (1989). Outcome pattern matching and program theory. Evaluation and Program Planning, 12(4),

355-366.

YIN, R.K. (2009). Case Study Research: Design and Methods. Fourth edition. Thousand Oaks, California: Sage

Publications.

ZADEK, S. (2004). The path to Corporate Responsibility. Harvard Business Review, 82 (12).

http://www.kpmg.eu/docs/Corp_responsibility_Survey_2008.pdf

http://www.sustainablereporting.eu/netherlands


Appendix A - Introduction email

The introduction emails are in Dutch, as this is the native language of the interviewees.

---

Beste [geïnterviewde],

Op dit moment doe ik mijn afstudeeronderzoek in het kader van de RO Opleiding aan de Universiteit van

Amsterdam. Via [contactpersoon] ben ik aan uw e-mail adres gekomen. In deze mail zal ik een nadere

toelichting geven op wat ik precies wil onderzoeken.

In mijn onderzoek wil ik aan de hand van interviews met IADs onderzoeken wat de rol van de IAD in het CSR

audit proces is en welke verbetermogelijkheden er nog zijn voor de IAD op dit gebied vanuit het perspectief van

de externe accountant. Het interview is opgedeeld in 6 delen:

1) Introductie;

2) Het CSR proces;

3) Rol van de IAD in het CSR proces;

4) Samenwerking IAD en externe accountant in CSR proces;

5) Verbeterpunten;

6) Afsluiting.

In onderdeel 2 zal er voornamelijk gevraagd worden naar het CSR proces binnen [Bedrijfsnaam], waar

onderdeel 3 en 4 naar de mening en ervaring worden gevraagd over deze concepten: o.a. de huidige rol van de

IAD in het CSR audit proces van [Bedrijfsnaam], de samenwerking van de IAD met [naam accountantskantoor]

in het CSR audit proces, verbetermogelijkheden voor de IAD, en uw mening over de verbetermogelijkheden

aangekaart voor externe accountants.

Ik hoop dat deze uitleg wat meer duidelijkheid heeft gegeven over mijn onderzoek. Het lijkt mij erg leuk om u

hierover te kunnen interviewen. Op verzoek zal alle informatie van dit interview volledig vertrouwelijk worden

behandeld en geanonimiseerd worden in mijn scriptie.

Ik hoor graag wanneer een interview u het beste uitkomt.

Mocht u nog meer vragen hebben, dan kunt u mij ten alle tijden e-mailen.

Alvast bedankt voor uw moeite.

Met vriendelijke groet,

Jamila Geene

[Contactgegevens]


Appendix B - Interview script

The interviews are in Dutch, as this is the native language of the interviewees.

---

Interview Protocol - Experts

Afgenomen op: … / … / 2014 Duur: … minuten

Afgenomen door: Jamila Geene Locatie: …

Interview met: …

Part 0 - Introductie

Introductie van de interviewer: naam, leeftijd, student, werkgever

Introductie van het onderwerp van het onderzoek, het doel en de aanpak.

Op verzoek zal alle informatie van dit interview volledig vertrouwelijk worden behandeld en geanonimiseerd

worden in mijn scriptie. Ik zit hier vanuit de rol als een student en niet vanuit EY. Ik hoop daarom een open

uitwisseling van informatie met u te hebben. Als u vragen heeft gedurende dit interview of ongemakkelijk voelt

bij het beantwoorden van een vraag, laat het dan vooral weten.

1. Gaat u akkoord met dit interview? Ja / Nee

2. Vind u het goed als ik van dit interview een tape opname maak om ervoor te zorgen dat geen informatie

mis en zodat ik in staat ben om de informatie in oorspronkelijke en ware betekenis te gebruiken? Ja /

Nee (Anders zullen er aantekeningen worden gemaakt)

3. Heeft u nog vragen voor we beginnen met het interview?

Deel A – Introductie van de geïnterviewde

1. Hoe lang bent u werkzaam binnen uw organisatie?

2. Wat is uw rol binnen de organisatie?

- Wat zijn u specialiteiten / expertise gebieden?

3. Kunt u aangeven hoeveel jaar ervaring u al heeft op het gebied van CSR?

Deel B – CSR proces

1. Kunt u het CSR proces binnen Nederlandse organisaties beschrijven? Hoe is het geregeld / ingericht?

- Herkent u het CSR proces zoals beschreven voor Hans Nieuwlands?

2. Er wordt gezegd dat er binnen meeste bedrijven niet zo een duidelijk CSR proces te vinden is, maar dat

dit in het begin meer losse delen zijn. Hoe beïnvloedt dit jullie rol binnen het CSR audit proces? En hoe

die van de IAD?

3. Leveren jullie zowel beperkte mate van zekerheid als redelijke mate van zekerheid?

4. Bij hoeveel % van jullie klanten bieden jullie een redelijke mate van zekerheid op het CSR verslag? En

waarom is dit niet bij alle klanten mogelijk?

5. Volgens jullie assurance letters voeren jullie de volgende activiteiten uit, is deze lijst compleet?


A risk-analysis, including media search, to identify relevant CSR issues for the organization in the

reporting period;

Reviewing the suitability of the internal reporting criteria used and its consistent application including

conversion factors used;

Evaluating the design and implementation of the systems and processes for the collection, processing

and control of the information in the CSR report, including the consolidation of the data;

Interviewing management at corporate and business unit level responsible for the CSR compliance and

integrity policies, implementation management, internal controls, monitoring and reporting;

Interviews with relevant staff at corporate and business unit level responsible for providing information

for in the CSR report;

Evaluating internal and external documentation, based on sampling, to determine whether the

information in the CSR report is supported by sufficient evidence;

Joining an audit performed by the IAF;

Reviewing the relevant work of the IAF in respect of the information in the CSR report.

6. Bij het uitvoeren van een CSR audit, welke werkzaamheden voert KPMG additioneel uit om een

redelijke mate van zekerheid te bieden over het CSR rapport?

7. Waar liggen volgens u de voornaamste risico’s bij het auditen van een CSR proces? En wat zijn deze

risico’s?

8. Hoe beperken deze risico’s jullie rol in het CSR audit proces en hoe die van de IAD?

Deel C – Samenwerking met de IAD

1. Hoe zou u de huidige status van de samenwerking tussen de IAD en externe accountant beschrijven?

2. Denk u dat er (nog) ruimte is voor het verder ontwikkelen van deze samenwerking?

- Waarom (niet)?

- Hoe / op welke manier?

- Op welke gebieden?

3. Bij hoeveel CSR klanten (% gemiddeld), werkt [accountantskantoor] samen met de IAD en/of steunt

[accountantskantoor] op de werkzaamheden van de IAD?

4. Waarop baseert [accountantskantoor] de keuze om te steunen op de werkzaamheden van de IAD? En

wat is dus de reden waarom jullie dit bij …% van de klanten niet doen?

5. Door wie en wanneer wordt deze samenwerking geïnitieerd?

6. Wat is de rol van de IAD voornamelijk binnen deze samenwerking? Een adviserende rol of assurance-

gevende rol (door middel van audits)?

7. Indien er gesteund wordt op de werkzaamheden van de IAD, op welke werkzaamheden steunt

[accountantskantoor] dan voornamelijk?

- Binnen welke stappen van het CSR proces?

8. In het onderzoek van de IIA wordt een samenwerking tussen de IAD en de externe accountant op het

gebied van CSR als een ‘best practise’ beschreven. Bent u van mening dat een organisatie profiteert van

zo’n samenwerking? Vraag om toelichting.

9. Welke van deze best practice activiteiten zien jullie in de praktijk terug?


Support the organization by providing training regarding the verifiability requirements and design of the

audit files;

Advising the Board with respect to the contents of the engagement with the external auditor, as the IAF

has a broad understanding of the organization and underlying processes, and its possession of materials

and knowledge of work performed on which the external auditor may be able to rely. Also, the IAF can

advise on the appointment of the external accountant, where it regards the experience and expertise in

the field of CSR reporting.


Assessment of the content of the report, especially with regard to relevance, materiality and

prioritization of the issues being reported. As part of this, the internal auditor will evaluate and advice

on the continuous involvement of stakeholders, as well as the care for the completeness and

prioritization of topics;

Assessment of the scope of the report (i.e. which entities). Knowledge of the organization and expertise

in the field of accounting can be used and of added value here;

Assessment of the quality of the report, where quality features such as balance, comparability, accuracy,

timeliness, clarity and reliability are important;

To achieve efficiency, the internal auditor take over a great part of the data-centric and system-oriented

work from the external auditor. The internal auditors in-depth knowledge of the organization and its

processes will be embayed here. The internal auditor will work closely with the external auditors

(perhaps in the form of integrated audit teams). The internal auditor also performs the check on control

guidelines for the organization;



Deel D – Verbetermogelijkheden voor de IAD

1. Wat is volgens u op een schaal van 1-10 de volwassenheidsniveau van de IAD op het gebied van CSR?

2. Denkt u dat er verbetermogelijkheden zijn voor de IAD binnen het CSR proces?

- In wat voor opzicht?

- Waar zitten voornamelijk de zwakte punten, waardoor een samenwerking vaak niet gewenst is?

- En wat zijn volgens u dus de verbeterpunten voor de IAD binnen het CSR proces?

- Hoe zou u dit aanpakken als u hoofd IAD was?

Deel E- Afsluiting

1. Is er iets dat niet is behandeld in dit interview dat u wilt delen met mij?

2. Is het mogelijk dat ik contact met u opneem (per telefoon of mail) als ik later in dit onderzoek nog tegen

mogelijke vragen aanloop? Ja / Nee

3. Vind u het goed als ik het transcript van dit interview naar u opstuur ter verificatie? Ja / Nee

4. Zou u het fijn vinden als ik een samenvatting van de resultaten van dit onderzoek met u deel? Ja / Nee

Hartelijke dank voor het deelnemen aan dit interview.


Interview Protocol - IAD

Afgenomen op: … / … / 2014 Duur: … minuten

Afgenomen door: Jamila Geene Locatie: …

Interview met: …

Part 0 - Introductie

Introductie van de interviewer: naam, leeftijd, student, werkgever

Introductie van het onderwerp van het onderzoek, het doel en de aanpak.

Op verzoek zal alle informatie van dit interview volledig vertrouwelijk worden behandeld en geanonimiseerd

worden in mijn scriptie. Ik zit hier vanuit de rol als een student en niet vanuit EY. Ik hoop daarom een open

uitwisseling van informatie met u te hebben. Als u vragen heeft gedurende dit interview of ongemakkelijk voelt

bij het beantwoorden van een vraag, laat het dan vooral weten.

1. Gaat u akkoord met dit interview? Ja / Nee

2. Vind u het goed als ik van dit interview een tape opname maak om ervoor te zorgen dat geen informatie

mis en zodat ik in staat ben om de informatie in oorspronkelijke en ware betekenis te gebruiken? Ja /

Nee (Anders zullen er aantekeningen worden gemaakt)

3. Heeft u nog vragen voor we beginnen met het interview? Ja / Nee

Deel A – Introductie van de geïnterviewde

1. Hoe lang bent u werkzaam binnen uw organisatie?

2. Wat is uw rol binnen de organisatie?

- Wat zijn u specialiteiten / expertise gebieden?

3. Kunt u aangeven hoeveel jaar ervaring u al heeft op het gebied van CSR?

4. Hoe groot is uw IAD? En hoeveel van deze werknemers houden zich bezig met CSR?

5. Hoeveel van deze medewerkers hebben een studie gedaan op gebied van CSR? Of hebben hiervoor een

inhoudelijke training gevolgd?

Deel B – CSR proces

1. Kunt u het CSR proces binnen uw organisaties beschrijven? Hoe is het geregeld / ingericht?

- Herkent u het CSR proces zoals beschreven voor Hans Nieuwlands?

2. Levert deze inrichting beperkingen op voor de IAD en de rol die de IAD daarin zou willen spelen?

3. Waar liggen volgens u de voornaamste risico’s bij het auditen van een CSR proces? En wat zijn deze

risico’s?

4. Hoe beperken deze risico’s jullie rol in het CSR audit proces en hoe die van de IAD?

Deel C – Rol IAD binnen CSR

1. Wat is voornamelijk de rol die uw IAD uitvoert binnen het CSR proces? Adviserend of assurance-

gevend?

2. Welke werkzaamheden voert uw IAD uit op het gebied van CSR? En welke werkzaamheden vooral

niet?


Deel D – Samenwerking met de externe accountant

1. Hoe zou u de huidige status van de samenwerking tussen de IAD en externe accountant beschrijven? En

waarom?

2. Door wie en wanneer is deze samenwerking geïnitieerd?

3. Wat is de rol van de IAD binnen deze samenwerking? Een adviserende rol of assurance-gevende rol

(door middel van audits)?

4. Welke van deze best practice activiteiten worden door uw IAF uitgevoerd?

Support the organization by providing training regarding the verifiability requirements and design of the

audit files;

Advising the Board with respect to the contents of the engagement with the external auditor, as the IAF

has a broad understanding of the organization and underlying processes, and its possession of materials

and knowledge of work performed on which the external auditor may be able to rely. Also, the IAF can

advise on the appointment of the external accountant, where it regards the experience and expertise in

the field of CSR reporting.


Assessment of the content of the report, especially with regard to relevance, materiality and

prioritization of the issues being reported. As part of this, the internal auditor will evaluate and advice

on the continuous involvement of stakeholders, as well as the care for the completeness and

prioritization of topics;

Assessment of the scope of the report (i.e. which entities). Knowledge of the organization and expertise

in the field of accounting can be used and of added value here;

Assessment of the quality of the report, where quality features such as balance, comparability, accuracy,

timeliness, clarity and reliability are important;

To achieve efficiency, the internal auditor take over a great part of the data-centric and system-oriented

work from the external auditor. The internal auditors in-depth knowledge of the organization and its

processes will be embayed here. The internal auditor will work closely with the external auditors


(perhaps in the form of integrated audit teams). The internal auditor also performs the check on control

guidelines for the organization;



5. Op welke werkzaamheden steunt de externe accountant voornamelijk?

- Binnen welke stappen van het CSR proces?

6. Denk u dat er (nog) ruimte is voor het verder ontwikkelen van deze samenwerking?

- Waarom (niet)?

- Hoe / op welke manier?

- Op welke gebieden?

7. In het onderzoek van de IIA wordt een samenwerking tussen de IAD en de externe accountant op het

gebied van CSR als een ‘best practise’ beschreven. Bent u van mening uw organisatie profiteert van

zo’n samenwerking? Vraag om toelichting.

Deel E - Verbetermogelijkheden voor de IAD

1. Wat is volgens u op een schaal van 1-10 de volwassenheidsniveau van uw IAD op het gebied van CSR?

En waarom dat cijfer?

2. Wat zijn de verbetermogelijkheden voor uw IAD binnen het CSR proces? En zo ja, welke?

- In wat voor opzicht?

- Hoe wenst u dit cijfer te verhogen?

- Wat zijn hierbij de uitdagingen die ertoe hebben geleid dat deze nog niet zijn opgepakt?

3. De externe accountantskantoren hebben de volgende verbeterpunten aangegeven voor de IAD binnen

het CSR proces:

1. Kennis en kunde van de IAF op gebied van CSR

2. De kwantiteit en kwaliteit van het uitvoeren van systeem-gerichte controles door de IAD

3. Het behouden van een adviserende rol ook na de opzet van een CSR proces.

- Herkent u deze verbeterpunten?

- Wat is uw mening hierover?

- Zijn deze verbeterpunten haalbaar?

- Wat zijn de obstakels hierin?

Deel F- Afsluiting

1. Is er iets dat niet is behandeld in dit interview dat u wilt delen met mij? Ja / Nee

2. Is het mogelijk dat ik contact met u opneem (per telefoon of mail) als ik later in dit onderzoek nog tegen

mogelijke vragen aanloop? Ja / Nee

3. Vind u het goed als ik het transcript van dit interview naar u opstuur ter verificatie? Ja / Nee

4. Zou u het fijn vinden als ik een samenvatting van de resultaten van dit onderzoek met u deel? Ja / Nee

Hartelijke dank voor het deelnemen aan dit interview.


Appendix C - Maturity Model

The email is in Dutch as this is the native language of the interviewees.

---

Beste [geïnterviewde],

Nogmaals hartelijk dank voor het meewerken aan mijn afstudeeronderzoek in het kader van mijn RO studie. Uit

de verschillende interviews kwam al snel naar voren dat de rol van de IAD erg verandert naar mate het CSR

proces in een organisatie volwassen wordt. Op basis van deze inzichten heb ik een volwassenheidmodel

gebouwd voor het MVO (CSR) proces.

Als basis voor dit model zijn de volwassenheidsfasen van een regulier proces genomen en zijn deze CSR

specifiek gemaakt, namelijk:

Initial CSR (related) processes are typically undocumented and in the state of dynamic change, tending

to be driven in an ad hoc, uncontrolled, and reactive manner by users or events. This provides a

chaotic or unstable environment for the processes.

Repeatable Some CSR (related) processes are repeatable, possibly with consistent results. Process discipline is

unlikely to be rigorous, but where it exists it may help to ensure that existing processes are

maintained during times of stress.

Defined The most important CSR (related) processes are defined, documented and established and have

been subject to some degree of improvement over time. These processes are in place and used to

establish consistency of process performance across the organization.

Managed Using process metrics, management can effectively control the CSR (related) processes. In

particular, management can identify ways to adjust and adapt the process without measurable

losses of quality or deviations from specifications. Process Capability is established from this

level.

Optimized Focus is on continually improving CSR (related) process performance through both incremental

and innovative changes/improvements.

Om helder te krijgen welke rollen er in de verschillende volwassenheidfasen van het CSR proces worden

uitgevoerd wil ik jou daarom vragen 10-15 minuten de tijd te nemen om komende week dit model in te vullen.

Jouw bijdrage gaat mij helpen om meer inzicht te krijgen in de rol die de IAD speelt in het CSR proces, maar

zal mij vooral de mogelijkheid geven om eventuele verbeterpunten te identificeren voor andere IADs die in dit

proces betrokken willen raken. Het model is in de bijlage van deze email toegevoegd.

Ik stel je response enorm op prijs. Mocht je nog vragen hebben, neem dan gerust contact met me op.

Met vriendelijke groet,

Jamila Geene

[Contactgegevens]

QUESTIONS

Dropdown

Rating Definition1 No2 Little3 Average4 Considerable5 Extensive

Initial Repeatable Defined Managed Optimized

CSR Process Step

Description CSR (related) processes are typically undocumented and in the stateof dynamic change, tending to be driven in an ad hoc, uncontrolled,and reactive manner by users or events. This provides a chaotic orunstable environment for the processes.

Some CSR (related) processes are repeatable, possibly withconsistent results. Process discipline is unlikely to be rigorous, butwhere it exists it may help to ensure that existing processes aremaintained during times of stress.

The most important CSR (related) processes are defined,documented and established and have been subject to some degreeof improvement over time. These processes are in place and used toestablish consistency of process performance across theorganization.

Using process metrics, management can effectively control the CSR(related) processes. In particular, management can identify ways toadjust and adapt the process without measurable losses of quality ordeviations from specifications. Process Capability is established fromthis level.

Focus is on continually improving CSR (related) processperformance through both incremental and innovativechanges/improvements.

CSR PROCESS STEP PROCEDURESIdentifying relevant CSR-topics with regard to social developments and adjustments in the field of laws andregulations

Consulting on defining CSR within the organization

Supporting management in implementing CSR in the existing strategy or in developing a CSR strategy, andsetting up the CSR policy

Assisting management in defining CSR objectives, standards and norms

Audits on the creation process of the CSR policy

Reviewing the adequacy of the translation of strategy into operational objectives

Assist management in identifying, evaluating and implementing risk management methodologies and controls toaddress CSR risks

Advising management for setting-up, implementing and managing an effective SMS and CSR program.

Giving advice on the design of an information system and communication structure around CSR

Act as an advisor to management during the set-up and implementation of a risk and control framework andeffective control procedures, which are based on an assessment of critical risk in the field of CSR

Assisting management in determining the evaluation criteria to measure whether CSR objectives are achieved

Advising management on the allocation and communication on roles and responsibilities, and clear guidelines toensure an effective SMS. This includes advising management on an organizational structure, responsibilities andcomposition staffing required for the effective CSR organization

Consulting management during the selection of the external verifier of the CSR report, and the scope of theCSR report

Guiding the external accountant during the external audit to ensure effective and efficient communicationbetween the external accountant and the CSR department/manager throughout the audit

Giving advice on internal and external accountability and communication regarding CSR-performance, especiallywhen it concerns the implementation of an information system

Evaluating the extent to which CSR ambitions of the organization are included in the organization coreprocesses and management processes

Audits regarding the adequacy of the internal control and evaluation mechanisms



Performing separate audits of third party for contractual compliance with CSR terms and conditions

(System) to provide assurance on the translation from the strategy to the policies, procedures, models,management cycle (PDCA) and the final report

Evaluating the extent to which CSR ambitions of the organization are included in the organization coreprocesses and management processes

Audits regarding the adequacy of the internal control and evaluation mechanisms



Ensuring proper follow-up of the recommendations made as a result of the internal and external audits

Management review andcontinuous improvement

- N/A N/A N/A N/A N/A

(Re)formulating CSR policyand strategy

MATURITY LEVEL

Information, RiskManagement and Planning

Implementation andoperation

Checking and correctiveaction

Maturity Level

1. Please familiarize yourself with the various (CSR) process maturity levels. Select the current level of maturity of your organizations CSR process from the dropdown menu below:

2. For the procedures mentioned in the table below, please indicate the extent (on a scale from 1-5) to which your IAF performs (or has performed) this procedure during the various maturity levels of the CSR process.


Appendix D - Case Studies

This appendix reports on the four cases selected based on the data collected through interviews and the desk

research.

Case A

Case A is a company operating in a niche market of the financial service industry. It is bank focused on

governments and institutions for the public interest. The mission of the bank is to contribute sustainably by

keeping the cost of social services for citizens low. Case A’s shareholders are exclusively governments. The

Dutch state holds half of the shares, the other half is owned by municipalities, provinces and the water board.

CSR is of great importance to Case A as it only has clients in the social sectors that have a link with the

government. The clients are predominantly governments and institutions in the areas of housing, healthcare,

education and public utilities. The CSR vision of the company is refined into five themes: a secure bank

(reliable banking with social value); responsible growth (indirectly serving the interests of the citizens);

involved employees (investing in their people and maintaining an open culture); environmental friendly internal

operations (where possible, introducing environmental friendly improvements); and social commitment

(promoting artistic and cultural activities that are important for municipalities). The high level of maturity of the

CSR process is supported by the adaption of CSR into the core business processes and mission of the

organization. The company decided to report on the CSR performance of the organization given it is a critical

element of the organization mission, but also because of compliance to laws and regulations. As a company

operating in the financial service industry Case A receives significant pressure to report on its CSR

performance, furthermore the Dutch State obligates all companies of which they are shareholder to report on

their CSR performance. The set-up of the CSR process, was therefore motivated both top-down as bottom-up.

Case B

Case B is a market leader and global organization operating in the consumer products industry. As a market

leader, Case B sees corporate social responsibility as an essential element of their business. They therefore

developed and formulated a sustainability strategy based on global trends together with their stakeholders. The

aim of their strategy is to add sustainable value for their company, for the society and for the planet. It plays a

fundamental role in how they do business. The sustainability strategy of Case B focuses on four important areas

on which they can make a difference: Water, Sourcing, Responsible consumption and CO2. These areas are

supported by the values identified within Case B. To improve their CSR performance they take action along the

entire value chain. At each stage of the chain, they assess the impact they have on energy, water and CO2

consumption. For each of these areas Case B has identified specific long and short term goals, pushing them to

improve.


Case C

Case C is an independent company with two shareholders, the municipality of city they operate in and the Dutch

state, established to develop its harbor. The vision of Case C is to continuously improve the port to the most

secure, efficient and sustainable in the world. For its customers, it wishes to create value by developing chains,

networks and clusters, both in Europe and in emerging markets worldwide. Case C as an entrepreneurial port

developer, is the best partner for world-class customers in petrochemical, energy, and transport & logistics. This

vision which is closely linked to CSR has been integrated in the company’s strategy and values. Together with

their partners, they focus on a versatile, durable, safe and attractive port that meets the high demands of society.

In 2007 Case C distributed its first CSR report, not long after it distributed an integrated report in 2010. This

integrated report with reasonable assurance on both its financial and CSR aspects highlights the high level of

maturity of the integrated strategy process (which includes the integrated CSR elements). The company decided

to report on the CSR performance of the organization given it is a critical element of the organization vision.

Additionally, as a company with the Dutch State as a shareholder it is obligated to report on its CSR

performance.

Case D

Case D is an international financial services provider operating on the basis of cooperative principles. It offers

retail banking, wholesale banking, asset management, leasing and real estate services. Focus is on all-finance

services in the Netherlands and on retail and wholesale banking, and food & agri internationally. It believes that

sustainable growth in prosperity and well-being requires careful nurturing of natural resources and the living

environment, and it aims to contribute to this development with its activities. Case D respects the culture and

traditions of the countries where it operates without losing sight of its own objectives and values. It really takes

its place in society, all the while adhering to the core values that are embedded in the mission and ambition:

respect, integrity, professionalism and sustainability. Case D presented a new policy framework in 2013 for the

way in which it seeks to implement sustainability. Its sustainability agenda builds on existing activities and is an

essential element in its strategy up to the end of 2016.


Appendix E - Coding Table

This appendix shows the coding table used for pattern matching. As all interviews were conducted in Dutch, all

the quotes have been translated by the author for the purpose of this study.

Open Coding Content description Interview ID Quotes per interviewI1 I have been working for [EA1] for 12 year now as RA, where I started in the financial audit. I increasingly started to be involved in the verification of sustainability reports, which I am not doing for 70% of my time. In 2006 I also successfully

completed the post master CSR managing and auditing at the Erasmus University. Together with the partner, I am not responsible for the sustainability department of [EA1]. For the other 30% of my time I still perform financial audits, I dothis to stay up to date on developments in the financial audit, which I in turn try to translate to the CSR audit practice".

I2 "I have been with [EA2] for 24 years, of which 11 at Sustainability Assurance. I work mostly with listed companies in the NL but also in Denmark, Norway, Germany, Belgium and the US. I studied accountancy and therefore started at [EA2]in financial audit which I did for 5 years. I then continued on to Forensic - our fraud investigation department. I am also globally responsible for Sustainability Assurance within [EA2]".

I3 "I am head of internal audit here at [Case A] for over 5,5 years now. My team consists out of 11 employees, divided into internal control and internal audit".I4 "I started working here at [Case B] three years ago at the Global Internal Audit department. I am senior auditor in the Africa, Middle East team. For 30% of my time I am involved and responsible for the audit on the Sustainability Report of

[Case B]. Before this I use to work for the global internal audit team of [other company], where I was also involved in the audit on the sustainability process".

I5 "In 2006, I joined [Case C] as the interim head of internal audit, where I stayed till May this year after finishing the last CSR report. (…) In 2008 we published out first CSR report, and the year after that we already decided to publish anIntegrated Report. These reports were published with limited assurance, in 2010 we obtained reasonable assurance on our Integrated Report. Our internal audit department was involved in this process right from the start".

I6 "I have been working for the internal accountant function of [Case D] for over 20 years now. (...)About 5 to 6 years ago I became responsible for professional practice within the internal audit function of [Case D] This includes providingtrainings, performing reviews and data analytics. However, 8 to 9 years ago I also became involved in the sustainability process for which I remain responsible. We perform special audits in the area of sustainability and perform audits on thesustainability report".

I3 "Neither of us has done a study in the field of CSR, however we have participated in trainings and seminars in order to remain up to date on developments in this area".I4 "None of the audits here, including myself, have done a study in the field of CSR. Of course I try to stay up to date on developments in the area of CSR and on new GRI guidelines".I5 "I have finished the CSR post master at Erasmus, but no trainings were followed by my internal audit department in the field of CSR".I6 "The option exist for internal accountants to follow the CSR master program at the Erasmus University, I successfully completed this program for example. But what we also do is provide annual trainings to the entire internal audit

department on developments in audit, and in sustainability. In these trainings we also discuss the difference between auditing the sustainability report and auditing the financial statements. For all the RA's within the internal accountantfunction, we also provide trainings in which they can obtain PE-points. Sustainability was once a theme in one of these trainings, which are provided by external accountants firms."

I1 “The process starts with creating awareness, after which (re)formulating the strategy to include CSR is key. In order to ensure that this strategy will be implemented successfully, the strategy needs to be translated into KPI’s. Only after this isdone can an organization report on its CSR performance and obtain assurance on this report. Justly, this process is indeed a circle. However, what is seen in practice is that it doesn’t always follow this structured path, but that it can beinitiated at any of these process steps. Organizations are often already involved in some lose CSR activities as it is a natural driver for people to give back to the society. These CSR activities are often initialed on individual level or by low/middle management, yet they are bundled and reported on in the organization’s CSR report. However often these initiatives are not linked to the organizations products and services, and are not implemented into the core business processes.At some point, usually when top management believes in CSR and is motivated by CSR, are initiatives selected that are more closely linked to the organization. And only then is CSR implemented in the strategy of that organization”.

“However, what is seen in practice is that it doesn’t always follow this structured path, but that it can be initiated at any of these process steps. Organizations are often already involved in some lose CSR activities as it is a natural driver forpeople to give back to the society. These CSR activities are often initialed on individual level or by low/ middle management, yet they are bundled and reported on in the organization’s CSR report. However often these initiatives are notlinked to the organizations products and services, and are not implemented into the core business processes. At some point, usually when top management believes in CSR and is motivated by CSR, are initiatives selected that are more closelylinked to the organization. And only then is CSR implemented in the strategy of that organization”.

I2 “What we see in the energy industry is that the CSR process sometimes start with assigning a CSR officer to write a CSR report. But these reports are usually inconsistent, lack direction and are not concrete as no CSR strategy is defined. TheCSR officer is asked to report on separate projects the organization is involved in, which are normally in one of the CSR areas, such as environmental projects. However, at some point they realize that in order to make a difference theycannot just be involved with uncorrelated project but that a CSR policy needs to be defined. In the CSR policy they normally expand the CSR range to include other important CSR areas, such as social projects. Finally, we see thatorganization then decide that they need to formulate a strategy to determine where they want to be in 5-10 years with regard to CSR performance, how they want to be perceived, especially in comparison to their competitors. And then ofcourse implementation and execution of the CSR strategy is next in order to achieve goals. But this can only be successfully done once CSR is understood and defined within the organization”.

I3 “The CSR process here started with formulating a strategy to include CSR. After that we defined certain specific objectives, and included CSR in our Risk Management process. Also we have set up a CSR committee with the responsibility todefine and secure KPI’s. This was the start of the implementation of CSR into the organization. We as IA finally perform audits in which we structurally include CSR and report our findings to management. Looking at the model fromNieuwlands, I can definitely say that our CSR process indeed looks like this".

“The PDCA cycle is key in this process to ensure that it does not remain a paper execution, but to ensure full integration into the organization and to ensure continuous improvement of the process".

I4 “Our goal is to really imbed CSR into the organization and its functions, and to not set it up as a separate process but to integrate it into the core business processes. We followed all these process steps, which are all linked here at [Case B]to the corporate strategy and defined objectives. These strategy and objectives all include CSR and are communicated down to management bonuses, KPI’s, and are integrated into information systems and the standard management systems.Global Audit plays a role in all of these process steps”.

I5 "The process described by Nieuwlands is the standard process, a standard PDCA process needed for any strategic process".I6 "Sustainability has been an important factor for [Case D] for a long time, this resulted in [Case D] being one of the frontrunners on publishing a verified sustainability report (with reasonable assurance), and in having a sustainability policy

and strategy. And in actually going through all of these steps shown here in this model from Nieuwlands".

CSR process Description of how theCSR process isstructured (reflectionagainst Nieuwlands'SMS)

Job description Description of theircareer and current job

CSR trainingsand education

Trainings andeducation on CSRwithin the IA function

Open Coding Content description Interview ID Quotes per interviewI1 “In the CSR process, data is collected and extracted through various independent systems of which the reliability is often yet to be determined. Most of these systems are in their development stages and are frequently Excel based, resulting in

data that is less reliable”.

“However, we constantly need to encourage internal audit to perform these system-oriented audits, or to include CSR in system-oriented audits that are already in their audit plan. This is not usually initiated by the internal audit departmentitself”.

I2 “I would say that the fact that CSR is not a continuous process but an incidental one is a risk. The frequency on which data is retrieved from the systems is often once or maybe twice a year. This increases the changes of errors and effects thecompleteness and balance of the CSR report. Also, given the limited and voluntary regulations with a limited content, the completeness of the report remains an issue. Organizations have the tendency to not include CSR related failures thatdid happened throughout the year, and which did not reach publicity. There are no hard guidelines telling you what to include in the report. Finding the right balance between the good an organization has conducted and the bad that itencountered therefore also remains a challenge”.

I3 -I4 "It is new data, and since we have no history and no benchmark, you can audit as much as you want, however there is still a possibility that you will overlook the black swans. This is different when compared to financial audit with given

standards and one information system. In CSR with all the different information systems, one should always keep in mind that the CSR report is an organizations best effort to make the data as reliable as possible. (...) I would not call itsubjective, however I do understand that other people would call it that. Here in [Case B] we were involved in defining CSR within the organization. We were therefore all in sync about what it is that we were auditing. Also given that GRI isnot always clear, the process can be called subjective. However, in order to make it less subjective you really need to benchmark yourself with other firms".

I5 “The risks in auditing the CSR process are dependent upon the maturity level of the CSR process. In the beginning the biggest risk is whether there are strategically enough reference points or standards, so to speak, to actually perform theaudit. In the next phase the reliability of the information and systems is a high risk, but also the lack of support in the organization requires significant attention. Without the support of the organization, and without them seeing the addedvalue of CSR, it is like flogging a dead horse”.

I6 "A risk is lack of organizational support for CSR. Not everybody sees the added value of reporting on CSR, and as a result you will be challenged with multiple dilemmas throughout the implementation of CSR. Tone at the top is critical in itssuccess".

I1 “Internal audit mainly attain an assurance role. Of course this differs per client, however what you often see is that they play a part in the data-centric audits. Sometimes they also do system-oriented audits together with us during our interimwork, we do notice then that they are much stronger in this area as the work more resembles their field of expertise. However, we constantly need to encourage internal audit to perform these system-oriented audits, or to include CSR insystem-oriented audits that are already in their audit plan. This is not usually initiated by internal audit itself”.

I2 "Assurance on CSR data, Assurance on CSR processes and Consulting on CSR controls is something I have seen before as well".I3 "We mostly have an assurance role. In our audit universe we have included CSR aspects, and we therefore perform audits which include these aspects as well. We also perform governance audits on strategic level in which we audit the

implementation process of the CSR strategy in the organization. Additionally we perform both data-oriented as system-oriented audits on the information in the CSR report".

I4 "The tasks that we perform as an internal audit function are really dependent on the maturity of the CSR process. In the beginning we had taken up a more advising role, however at some point we tried to push back some of this consultancywork in order to focus on our main activity and that is audit. So, I think that we have performed all of these tasks at one point or another".

I5 "We have performed each single one of these activities and still do to some extent; especially I still do as the head of the [internal audit] department. Even those activities that are written as roles that should not be undertaken by the internalauditor have been attained by us somewhere along the path. Especially in the beginning stages of the CSR implementation did we perform these managing tasks as well. However, the responsibility for these activities and decisions remainedthat of management. Currently I maintained a more consultancy role, whereas the rest of my team increasingly takes on an assurance role as the CSR process becomes more mature."

I6 "In the beginning of the sustainability process, 8 years ago, the internal accountant function was approached by the Supervisory Board of Sustainability to encourage involvement of the internal accountants function in the sustainabilityprocess. However as this process was continuously subject to change, the role of the internal accountant was mainly that of consulting. (...) Also collaborating with the external accountant on how to reach our goal of reasonable assurancewas an important role for us in the beginning. Our advisory role slowly transformed into more of an assurance role when we started to look at how we would audit the whole sustainability process including the actual sustainability report.This was also done in collaboration with the external accountant".

I1 “The collaboration with our clients is one that I can only describe as pleasant. However, as the collaboration is normally initiated by us, you do see that we usually make the decisions. We tell them what to do and that is exactly what they do,and these tasks only relate to auditing and not to the other parts of the CSR process. In the financial audit they definitely work more closely with the internal audit. (...) In my opinion internal audit should be more involved in the CSR process,they should obtain the internal knowledge in this area that we don't have. Together we can provide a report of higher quality”.

I2 “When we do work with internal audit, they usually only do as asked by us. (…) We are normally the initiative taker for a collaboration. (…) I think that the reason that internal audit does not take a more active role in auditing the CSRprocess is because they are not aware of what they role in the process could be. We would like to see them take up a more active role, so that they can actually start to add value".

"The added value of a collaboration is in the combination of external expertise knowledge and internal knowledge. Internal audit knows the organization, it knows the processes and the culture. Additionally, cost efficiency is another element.In the end it is more cost efficient for an organization to use its internal audit resources".

I3 "The collaboration with the external auditor is the result of a natural growing relationship. We as internal audit department were already involved in CSR related processes, so when we decided to get the report externally verified, weimmediately discussed with the external accountant regarding the division of our roles and responsibilities. (...) The external accountant mainly relies on our data-oriented and system-oriented audits. We basically are responsible forproviding the external accountant with substantiation for what is written in the CSR report. (...) This relationship is definitely of added value for the organization as it reduces duplication, reduced the external accountancy fees, but mostimportantly increases the quality of the CSR report as two strengths are combined".

Risks of theCSR process

Description of the mainrisks in auditing theCSR process

Role of IA Description of the roleof IA in the CSRprocess

Collaborationwith EA

The extent to which IAand EA work togetherand rely on each others'work

Open Coding Content description Interview ID Quotes per interviewI4 "In the beginning the external accountant did everything, but then we started to discuss with the external accountant on the division of tasks. (...) In the transition we looked at how we could pull a part of the assurance activities with regard to

the CSR report under the responsibility of internal audit. The external accountant could in turn also take on a different role where they rely more on our work when verifying the CSR report. (...) The great thing is that we have the internalknowledge: we are better aware of the risks on local level, hence which reports are less reliable etc. (...) They [external audit] on the other hand have more experience with other firms and can therefore better benchmark us against thesefirms. They are also better aware of developements and rules".

I5 "We were one of the first companies to publish an integrated report with reasonable assurance. This was not done before, and therefore we had a strong collaborative relationship with the external accountant from the start. Together with theexternal accountant we discussed throughout the integration process on what the expectations were and what the roles and responsibilities were going to be. At some companies I see that the external accountant decides on the role of theinternal auditor, and this irritates me to the core. It should be the other way around. (...) We are now growing into a maturity level were we are responsible for performing audits and the external accountant is responsible for the control onthe integrated report. We do provide the external accountant internal knowledge on possible problem areas to discuss how these areas can be approached, and in the circumstance that we do not know how to deal with a problem, we do usethe external accountant as a big stick".

I6 "As [Case D] wanted to obtain reasonable assurance on the report from the start, the internal accountant function worked closely together with the external accountant to discuss and determine the role of the internal accountant function andthat of the external accountant. A plan was made together with the external accountant on how to reach reasonable assurance. In this, we have closely worked together ever since. First, we perform a kick-off together with the externalaccountant, then we make a resource planning together with the external accountant and divide the tasks accordingly. And in that the external accountant indeed relies on the work performed by us when verifying the report. This closerelationship will most likely change in the near future, given the stricter rules regarding the independence of the external accountant."

I1 “The main improvement point is CSR knowledge and skills. Their audit skills are fine, but specific knowledge with regards to CSR is missing. This results in audits focusing and reporting on the wrong issues, and results in incomplete andunbalanced reports. I am sure that a great part of the internal auditors auditing CSR have not been educated on the topic. I also think that this is one of the reasons why only in 10-15% of organizations reporting on CSR the internal auditdepartment is involved. Lack of capacity, knowledge and skills, and lack of intrinsic motivation are all reasons why internal audit is not part of the CSR process”.

I2 "The lack of CSR knowledge in the internal audit function is the main improvement point. Most internal audit departments do not have CSR specialists in their team. A good internal auditor can audit operational and financial processes,however the minute that these processes are not thorough enough the internal auditor fails to audit appropriate as they cannot fall back on their CSR knowledge. If there is no defined processes for example, external accountants will continueto audit the process through reperformance as we know how the calculations should be made and can therefore verify whether it is correct. This is where the lack of knowledge within the internal audit department fails them to properlyconduct an audit. (...). Another issue it the skill set of the current internal audit functions. Ideally an internal auditor with an advisory skill-set is needed to audit the CSR process. An internal auditor with a wider perspective, one that caninclude the relationship with stakeholders in its decision making, an auditor that can look beyond processes and reference models and can see the real issue at hand, that is the kind of auditor that is needed. (...) internal auditors need to learnto ask the right questions instead of relying on a predefined checklist. However this brings us back to the first point of improvement, as in order to ask the right question auditors need the have up to date CSR knowledge".

"In order to reach a higher maturity level of internal audit in the CSR process, the understanding of CSR needs to be higher. But also, internal audit needs to provide strategic recommendations and add value to operational processimprovement".

I3 "I would not necessarily call it an improvement point, but definitely an attention point, is our CSR knowledge and skills. We need to ensure that this maintains at a sufficiently high level to perform the audits appropriately. We need to remainup to date on what is going on in the field of CSR through trainings and seminars".

I4 "Data validation is one thing, but we need to start making the step towards the strategy".

"CSR knowledge and skills is an improvement point that sounds familiar, however it is not applicable to Group Audit. (...) however we do work with local auditors as well, and there you see the same thing. You need to ensure that no checklistis used in CSR audits as you will otherwise miss crucial things. A difference in the results and reports as output are then noted. From a critical and experienced auditor you get a report with findings and advice aimed at improvement ofprocesses. Less experienced auditors however only say that they checked something and that they noted one finding".

I5 "Ensure that the awareness is created within the organization and that added value and impact of reporting on the CSR process is understood within the organization. Only then can systems and information be made reliable. Especially incircumstances where the support system is under pressure, for example when negative events have occurred. It is then the responsibility of internal audit to convince the board of reporting on these negative events".

"Looking at other firms, I think that the problem of an unsuccessful CSR process, and CSR audit process is the lack of intrinsic motivation. The PDCA cycle should be a part of every strategic process, and in our organization CSR is a naturaland essential element of that strategy. That is where it frequently goes wrong at other organization, as they formulate a separate CSR strategy instead of implementing it into the existing strategy formulation and monitoring processes. As aresult it is more difficult to define standards to test the CSR process against".

"Quality of people is always an issue, and it not specifically related to CSR. In my opinion you need to have audit skills, and a willingness to explore the field of CSR".

"We should continue to standardize our audit process, especially documentation process even further, and possibly integrate it into one CSR system".

I6 "We need to perform special sustainability related audits on a more frequent basis, as we are currently doing those once every couple of years".

"My advice to internal audit departments with a less mature CSR process would be to ensure you obtain basic knowledge regarding CSR through trainings and education. Communication with your internal sustainability department and theexternal account is key. You need to first understand the product, developments in this area and what it is that they are doing in order to provide assurance. You also need to know what the requirements for the sustainability report are inorder to audit it appropriately. The aim should be to include CSR in the entire audit process, and determine the areas to audit through a risk-based approach. You will be surprised by the areas to audit as a result of this approach".

“In order to get a CSR process resulting in complete and accurate information, a lot needed to be designed before implementation. A process needed to be defined based on GRI; however it also needed to be auditable. Therefore the principle-based guidelines needed to be translated into hard company-specific standards to audit against. Early involvement in the process therefore is key.”

Improvementpoints

Description of theimprovement points forIA


End Notes

i Risk management is defined as “a process, effected by an entity’s board of directors, management and

other personnel, applied in strategy setting and across the enterprise, designed to identify potential

events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable

assurance regarding the achievement of entity objectives” [COSO, 2004].

ii The COSO-ERM framework consists out of the following components: internal environment, objective

setting, event identification, risk assessment, risk response, control activities, information and

communication and monitoring [COSO, 2004].

iii Three lines of defense: 1) Management; 2) Control-, risk management and compliance departments; 3)

Internal audit.

iv Internal auditing is an “independent, objective assurance and consulting activity designed to add value

and improve an organization's operations. It helps an organization accomplish its objectives by

bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk

management, control, and governance processes” [IIA, 2012].

v Consultancy is defined as “advisory and related client service activities, the nature and scope of which

are agreed with the client and which are intended to add value and improve and organization’s

governance, risk management, and control processes without the internal auditor assuming

management responsibility” [IIA, 2012]. vi Assurance services are defined as “an objective examination of evidence for the purpose of providing an

independent assessment on governance, risk management, and control processes for the organization”

[IIA, 2012].

vii IIA standard 1210: Internal Auditors must possess the knowledge, skills and other competencies needed

to perform their individual responsibilities. The internal audit activity collectively must possess or

obtain the knowledge, skills and competencies needed to perform its responsibilities [IIA, 2012].

corporate social responsibility and internal audit

Documents