Ch. 3 Governance
CSR frameworks
1. Global Reporting Initiative (GRI) 2. ISO 26000
Proaction
The organization takes the initiative in implementing a CSR program that serves as an example for the industry.
Defense
The organization uses legal action or public relations efforts to avoid additional responsibilities.
Responsibility for CSR
1. Board (oversight) 2. Management (establish objectives / assess, manage risks / measure performance / monitor and report) 3. Internal auditor (evaluate) 4. All employees (success of CSR)
To be called socially responsible, the responsibilities include:
1. Economic responsibility to be profitable or do what's required by capitalism 2. Legal responsibility to obey the law or do what's required by stakeholders 3. Ethical responsibility to be ethical in its practices or do what's expected by stakeholders 4. Philanthropic responsibility to be a good corporate citizen or do what's desired by stakeholders
Governance has a range of definitions depending on the circumstance
1. Governance has a range of definitions depending on the circumstance. 2. Governance process/system is not static. 3. Governance requirements vary by entity type and regulatory jurisdiction (i.e., not-for-profits, publicly traded companies, governments, private companies, stock exchanges). 4. Design & practice vary with size, complexity, life cycle maturity, stakeholder structure, and legal/cultural requirements.
CSR strategies
1. Reaction 2. Defense 3. Accommodation 4. Proaction
Governance principles
1. independent & objective board 2. understanding by senior management & board of the operating structure 3. strategy used to measure organizational & individual performance 4. org structure that supports accomplishing strategic objectives 5. governing policy for operation of key activities 6. clear, enforced lines of responsibility and accountability
Duties of the board
1. selecting and removing officers 2. decisions about capital structure 3. adding, amending, or repealing bylaws 4. initiation of fundamental changes (mergers, acquisitions) 5. decisions to declare and distribute dividends 6. setting of management compensation 7. coordinating audit activities 8. evaluating and managing risk
Senior management determines:
1. where specific risks are managed 2. who are the risk owners 3. how specific risk will be managed
The internal audit activity most directly contributes to the governance process by
Assessing organizational performance management. The internal audit activity must assess and make appropriate recommendations to improve the organization's governance processes for: Making strategic and operational decisions; Overseeing risk management and control; Promoting appropriate ethics and values within the organization; Ensuring effective organizational performance management and accountability; Communicating risk and control information to appropriate areas of the organization; and Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management (Perf. Std. 2110).
A basic principle of governance is
Assessment of the governance process by an independent internal audit activity.
CSR business activities
Establishing and communicating policies and procedures; Setting objectives, performance goals, and strategies; Communicating and integrating CSR principles and controls into the business decision-making processes; Monitoring, evaluating results, and benchmarking; Engaging stakeholders (e.g., through satisfaction surveys, focus groups, and complaint management processes); Auditing (e.g., public disclosures, internal controls, and contractual compliance with CSR terms and conditions); External and internal reporting of results
Risk owners are responsible for
Evaluating the adequacy of the design of risk management activities and the organization's ability to carry them out as designed; Determining whether risk management activities are operating as designed; Establishing monitoring activities; and Ensuring that information to be reported to senior management and the board is accurate, timely, and available.
Corporate governance can be influenced by internal or external mechanisms such as
Internal - corporate charter & bylaws, BOD, IA functions; External - laws, regulations, and government regulators who enforce them
Governance does NOT exist independently of risk management and control.
Governance -> risk management -> control are all interrelated.
Risks of failing to implement CSR
Loss of reputation; Noncompliance; Lawsuits; Operational failures; Stock market; Employment market; Sales decline
Reporting CSR
Many organizations use verification and assurance processes for all or parts of the report to increase accountability and reduce the likelihood that the report will appear to be a marketing tool.
Organizational culture is reflected in which of the following?
Measuring performance; Specifying accountability; Complying with corporate social responsibilities
Governance
The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
Although corporate social responsibility (CSR) involves the incurrence of certain costs, in what ways can CSR also produce benefits?
Positive public perception on a local, national, and international level; Retention of workers; Charity as a form of advertising; Deductibility of charitable donations
The internal audit activity's independence and objectivity is not impaired if it
Provides advice on the design and implementation of CSR programs or facilitates a management self-assessment of CSR controls and results.
Benefits of using ISO 14000
Reduced cost of waste management; Savings in consumption of energy and materials; Lower distribution costs; Improved corporate image among regulators, customers, and the public
The internal audit activity periodically assesses the elements of the ethical climate of the organization and its effectiveness in achieving legal and ethical compliance. Internal auditors therefore evaluate the effectiveness of which of the following?
Regular reviews of the processes that undermine the ethical culture; Confidential reporting of alleged misconduct; Personnel practices that encourage contributions by employees
Strategic direction
Strategic direction determines (1) the business model, (2) overall objectives, (3) the risk appetite, and (4) the limits of organizational conduct. The elements of oversight are (1) the risk management activities of senior management and the board and (2) internal and external assurance activities.
Accommodation
The organization assumes additional responsibilities only when pressured.
Reaction
The organization denies responsibility and tries to maintain the status quo.
The internal audit activity's evaluation of the ethical climate of the organization extends to
The internal audit activity periodically assesses the elements of the ethical climate of the organization and its effectiveness in achieving legal and ethical compliance. As part of this assessment, the internal audit activity evaluates the effectiveness of background checks and of declarations by suppliers about the requirements of ethical behavior. However, defining roles and specifying accountability are management functions.
Corporate Social Responsibility (CSR)
a response to stakeholder expectations. Refers to social responsibility, sustainable development, and corporate citizenship.
IA activity is responsible for
assessing and improving governance processes
Common approaches to auditing CSR
by element and by stakeholder group
Board and management are responsible for
design and implementation of governance processes
components of governance
strategic direction and oversight
Element
governance; community investment; environment; ethics; health, safety, security; transparency; working conditions & human rights
According to COSO ERM framework, culture is
The attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization.
ISO 26000
how to implement and manage a CSR initiative
In a ______ mature system, the internal audit activity emphasizes compliance with policies, procedures, laws, etc. It also addresses the basic risks to the organization.
less
In a _____ mature governance system, the internal audit activity's emphasis is on optimizing structure and practices.
more
Organizational culture that is __________________ is more likely to regard the importance of control within the organization as low. Consequently, engagement risks and controls are _________ likely to be assessed as high.
risk aggressive, more
Organizational culture that is __________________ is more likely to regard the importance of control within the organization as high. Consequently, engagement risks and controls are _________ likely to be assessed as low.
risk averse, less
ISO 14000
Set of criteria for certifying an environmental management system. Set of criteria established by the International Organization for Standardization for an environmental management system. This system is not required but provides standards for implementing and maintaining environmental management systems. Additionally, such systems provide lower costs and improve corporate image.
Corporate governance
Set of relationships between a company's management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.
Who are stakeholders?
shareholders, employees, suppliers, customers, neighbors of the entity's facilities, and government regulators.
GRI
sustainability reporting framework that provides specific guidance on measuring CSR performance against predefined criteria
Despite increasing pressure from stakeholders for organizations to be more socially and environmentally responsible, CSR is largely a _______________ practice.
voluntary. Organizations are not required to disclose their CSR performance.