Tag Archives: internal audit

Results from the Auditor QuickQuiz

Our auditor quiz is now closed after a month. The questions were based on existing international non-financial auditing standards, Association of Certified Fraud Examiners (ACFE) fraud identification/examination techniques and US Government Auditing Standards for non-financial audits. There were fewer respondents than we had hoped so we can’t extrapolate beyond our dataset. Even so, some notable trends did emerge.

Of those who responded, 47% were EHS auditors and 27% were CSR auditors. We had hoped more CSR auditors would have participated. Other information about the respondents’ backgrounds:

  • 60% had no certification or “other”
  • 50% have 10 years or less auditing experience
  • 50% have 50 or fewer audits
  • 13% have participated in more than 500 audits during their career
  • 63% spend at least 75% of their time conducting audits

There were only 2 “passing” scores – i.e., greater than 70%. The average score was 49% – far lower than was expected.

Knowledge of standard terminology seems to be lacking, further reflected in poor scores for questions that embedded the terminology within them. For instance, only 30% correctly defined “audit criteria” as meaning the audit protocol. This likely led to 53% of respondents incorrectly answering that QA/QC reviews should include assessing the correctness of the “audit criteria used by the auditor.” QA/QC reviews of auditor working papers should look at how an auditor applied the audit criteria, not the inherent accuracy of the criteria (or audit protocol) used by the auditor. Indeed, only 10% correctly identified that none of the answer options are appropriate for QA/QC reviews.

Only 3% considered interviews better than document reviews when asked directly what type of evidence is strongest. Yet when the question was placed in a practical setting, 73% indicated they would rely on interviews over documentation. Only 26% correctly identified the evidence hierarchy (from strongest to weakest).

On a more positive note, 83% answered that they would decline to develop a document that they audited, meaning 17% did not view this as a conflict of interest. Frankly, we were disappointed that there was not a perfect score in identifying this to be an independence issue.

In answering the question listing possible common evidence problems, just over half (53%) correctly indicated that all of the answer options are common evidence problems.

Finally, 2/3 incorrectly answered that initial determinations of significance/materiality should be made after assessing evidence. It is possible that respondents did not read the question carefully and pick up on the word “initial.”

Certainly more responses would have provided a better representation, but we think there are some valuable takeaways from our limited data. Among them – the gap between EHS/CSR auditor knowledge and existing (and theoretically similar) non-financial audit standards may be larger than previously thought. As the importance – and liabilities – of sustainability/CSR audits grow, increased auditor training and competence seem warranted.

Last Week for Auditor QuickQuiz

Our auditor QuickQuiz will close at the end of the day September 1. We hope more folks will take a few minutes to answer the questions. It is painless.

Some of the trends we are seeing are:

  • 67% of the respondents have more than 10 years experience, with 75% or more of that experience doing EHS/CSR audits.
  • Only 15% of the respondents had a passing score.
  • There is a gap in knowledge and application of fundamental audit terminology.
  • There is inconsistency in understanding the strength of evidence types, with an over-reliance on interviews over documentation.

Things are likely to improve when we get more responses.

Fraud in Sustainability/CSR

Fraud is increasingly a topic in our conversations. We have had direct experience with EHS fraud in the past. The most recent occurrence was helping a client unravel an embezzlement scheme using waste disposal as the fraud mechanism. It played out a bit like a made-for-TV movie – not the kind of thing I ever expected to see personally, nor in the 21st century.

New pressures and risks are developing around sustainability/CSR reporting. Although still largely voluntary (certain aspects are mandated in the US, UK and Australia for instance), its business importance has grown dramatically in the past 5 years.

Customers demand more transparency and reporting in their supply chains, and many make procurement decisions based on this information. Many institutional and activist investors carefully review sustainability/CSR disclosures and make decisions using that information. It is now common for shareholder resolutions to be filed related to the disclosures, or lack thereof. Major media outlets have sustainability/CSR desks that focus specifically on these matters, pore over the filings and report on them.

We are finding that there is very little consideration given to fraud assessment or monitoring in this context – so is it even meaningful? We think so, and well-known fraud and compliance expert Hui Chen agrees. Let’s apply the Fraud Triangle to supplier CSR performance.

  • Motivation. There is much on the line for businesses and their suppliers in terms of CSR results. As pointed out above, sustainability/CSR disclosures and performance may directly impact revenues, reputation and investor activity. No one wants to be on the wrong end of that. Motivation? Check.
  • Rationalization. It isn’t much of a stretch to see how an individual can rationalize using alternative facts due to the business pressures. In some cases, suppliers in developing countries may rationalize their actions further due to their own cultural setting. But let’s not kid ourselves into thinking that the US itself is immune.
  • Opportunity. There is ample opportunity for motivated suppliers to commit fraud. In some instances, CSR auditors are used to review suppliers. But those hiring audit firms many times severely limit the auditors by imposing minimal scope/effort driven primarily by cost. Suppliers know their customers’ auditors are not enabled to conduct a thorough review, and with pre-scheduled site visits, they have plenty of notice to dress the place up for the auditors.

This is only one example of how fraud can enter into the sustainability/CSR picture. If this isn’t included in your company risk assessments, or considered in the context of CSR/sustainability reporting, it should be.

You Are What Your Suppliers Do: Supplier Actions Make Headlines, Break Business

With companies facing increasing pressure for the actions of every part of their supply chain, demand for – and reliance on – supplier/corporate social responsibility (CSR) audits conducted by third parties has grown rapidly.

Shirts, Phones, Rocks and Shrimp

But there is concern about the quality, reliability and credibility of these audits.

CSR Auditing and Toilet Paper

Is Social Auditing Really Auditing?

Harvard Professor Identifies Factors for Meaningful CSR and Supply Chain Audits

You Don’t Know What Your Suppliers Are Hiding

Companies rely on their CSR audit firm to utilize qualified auditors, employ adequate QA/QC processes and expend adequate time to conduct a reasonable audit. Yet there are no generally-accepted professional CSR audit practitioner standards. Moreover, due to cost pressures, the lowest cost audit providers are frequently selected, and they may not have appropriate auditing skills or training – the largest CSR audit firms conduct tens of thousands of these audits each year. Increasing audit time and costs to improve quality or credibility is typically not realistic – the business model is inherently high-volume, low margin.

Are these audits effective at finding supplier actions that create risks for you? Can a company gain confidence in their CSR audits without adding costs? Is a change in auditors necessary?

Improve Credibility for Disclosures, Media and Customers

Changing audit firms is not necessary, nor is another layer of auditing. Instead, a formalized auditor training program can be a low cost yet effective solution.

The Elm Consulting Group International is expanding our well-proven auditor training program to companies who use CSR/supply chain auditors. The intent of this program is for brands to provide detailed communication and training to their current CSR/supply chain auditors about the company’s requirements for auditor competence, audit quality and processes in order to enhance the credibility of audit information.

Our formalized training for existing CSR auditors builds their client’s confidence in the quality of the work provided. The program is not intended to provide training on specific audit topics such as child labor or worker rights. Instead, the focus is on proven audit techniques such as:

  • Understanding and applying professional skepticism
  • Interviewing and active listening
  • Identifying and responding to non-verbal cues within multi-cultural contexts
  • Evidence sampling methodologies
  • Using information from different sources
  • Verification and recomputation techniques
  • Judging audit evidence quality and limitations
  • Fraud detection
  • Using working papers and audit protocols
  • Writing effective and complete audit findings
  • Audit quality expectations, requirements and processes
  • Maintaining auditor independence, including auditor rotation

Our Qualifications as The Leader in Auditor Training

Our HSE auditor training experience began in the 1980s and we have successfully trained hundreds of external and internal auditors. Elm Principals hold auditor certifications from the US Board of Environmental, Health and Safety Auditor Certification (BEAC, now wholly merged into the Institute of Internal Auditors) and UK Institute of Environmental Management & Assessment, are approved trainers for the IIA EHS auditor certification program and are subject to annual continuing education requirements ourselves. Further, Elm Principals have served in various Board positions in The Auditing Roundtable (merged into the IIA in 2016) and BEAC, including the current BEAC Chair.  More information about our internal audit quality and auditor competence standards is available here.

Give us a call at 678-200-3424 or contact us via email to discuss how we can help you increase confidence in your CSR audits.

Dr. Seuss Essay on Auditing Updated

In the early 1970s, buried in one of his books, Dr Seuss penned a little known essay on auditing. For those not familiar with it, the full text follows:

Oh, the jobs people work at!


Out west near Hawtch-Hawtch
 there’s a Hawtch-Hawtcher Bee-Watcher. His job is to watch…
is to keep both his eyes on the lazy town bee. A bee that is watched will work harder, you see.

Well… he watched and he watched. But, in spite of his watch, 
that bee didn’t work any harder. Not mawtch.

So then somebody said,
“Our old bee-watching man
just isn’t bee-watching as hard as he can. 
He ought to be watched by another Hawtch-Hawtcher!
 The thing that we need
is a Bee-Watcher-Watcher!”

 The Bee-Watcher-Watcher watched the Bee-Watcher.
 He didn’t watch well. So another Hawtch-Hawtcher
had to come in as a Watch-Watcher-Watcher!


And today all the Hawtchers who live in Hawtch-Hawtch are watching on Watch-Watcher-Watchering-Watch,
Watch-Watching the Watcher who’s watching that bee.


You’re not a Hawtch-Watcher. You’re lucky, you see!

Words of wisdom from an unlikely source.  And for a little amusement, Elm takes Seuss a little further.

We decided to try our own hand at rhyme
And update the story to these current times.

Auditors watch the things clients do
And also suppliers when they’re in scope too.
They see if the list of everything bought
Was made in conditions just like it was thought
Or from those hoping they’re not getting caught.

The Hawtch-Hawtch bee watcher failed as you know
Since audits alone don’t work, we shall show.
What can we learn from those watching the bee?
I see two things – well, actually three.

The bee – when watched – was supposed to work more
But that’s not what bee itself had in store.
Instead what it did was kept right on doing
Not a thing – the watcher was just cud-chewing.
The town of Hawtch-Hawtch thought things would be fine
As long as an auditor watched all the time.

That, my dear friends, is flaw number 1 –
Audits alone are but one part of the fun,
After the watching, there’s more to be done.

The next wrong expectation in this story I find
Is the scope of the watching is not well defined.
What does it mean to “Watch as hard as you can?”
The watchers weren’t sure – down to the last man.
Had they been told, they could do the job well
And not let past problems fester and swell.

Today, what of CSR, governance and sustainability?
The words are unclear – I think they’re meant to be.
No clarity was given those Hawtch Hawtch bee watchers
So they all failed, got sore feet and bad postures.

And now, my beloved, we’re at flaw number three
Which is simply bad audit and auditor quality.
Bad bee watching – at least supposedly so –
Made the line of watch-watchers grow – grow – grow
That perpetuated the flaws that all went before
Meaning Hawtch-Hawtch kept getting more, more and MORE
Of the same watch watchers already there
Who did nothing more than stare, stare and stare
At the same old thing day after day,
Focused on billable hours, bonus and pay.

Most of them ranked low and were unqualified
To be a watch watcher – they weren’t certified.
Maybe because that would cost a bit more
Than the ineffective work that had been done before.
But Hawtch-Hawtch didn’t care to look into this
Not concerned with things that were possibly missed.

Now Hawtch-Hawtch is not a maker of stuff
That uses slave labor and treats their folks rough
And whose business will shrink when good auditors see
What unscrupulous companies do with glee.

In sum, Seuss told us of things one through three
These things – for auditing – are important and key.
But, I say friend, don’t take it from me
Go back and look at that old Hawtch-Hawtch bee.

Apropos: Dia de los Muertos and the Billable Hour

Today is Halloween in the US and Dia de los Muertos in Mexico.  It is a time based on the idea of reflecting on death.  Now we aren’t being morbid here – instead we grinned at the amusing irony of the timing of this article on LinkedIn which is an obituary to the billable hour.

We absolutely agree with the downsides of billable hours.  All of us at Elm, in prior points in our careers, have had ourselves and clients held hostage by the almighty billable hour.  Over the past several years, we decreased our use of hourly rates and billings – instead working on a daily rate or, increasingly, on a fixed fee basis.

Given all that is right with eliminating hourly billing, a reasonable person might ask why hourly billing remains ubiquitous for consulting/auditing firms. The answer is yet another irony for those of us who help client organizations in changing their internal culture – because it’s the way it’s been done in the past.

Hmmmmm.

Harvard Professor Identifies Factors for Meaningful CSR and Supply Chain Audits

Well-known Harvard Business School Professor Michael W. Toffel recently published the results of three studies into CSR/social auditing, including what makes an audit valuable and how to help plants actually learn from the audit results. Prof. Toffel narrates the key insights in this 4-minute video.

Our main takeaways were:

  1. Toffel states that “We assume that most clients want the auditors to tell them the unvarnished truth.  Obtaining accurate information from these auditors is critical to enable brands to manage this risk.”  We are not sure this is universally so, and that impacts how plants respond to audit findings.
  2. They found a relationship between three aspects of audit team makeup and the number of audit findings reported:
    • Returning auditors tend to have fewer findings than an auditor who has not audited the site previously.
    • More years of auditing experience and training means a higher number of findings than auditors with less experience/training.
    • Female audit team members tend to identify more findings than male auditor team members.
  3. The biggest improvements came when a highly-trained team performed an announced audit.
  4. Audits are a critical method for knowledge transfer “and for knowledge to be transferred effectively, you have to have a knowledgeable auditor, but you also have to have a receptive factory manager.”  The receptiveness of a plant manager is linked to Point #1 above.
  5. Factories in countries with greater press freedom were substantially likelier to improve.
  6. Audit teams seem to have fewer findings where the factory pays rather than the brand. While Toffel suggests this may be a result of conflict of interest, we believe there is another side that is more prevalent.  Factories are subject to enormous cost pressures and tend to select the lowest cost providers, which translates to less experienced/trained auditors not fully prepared to identify complex situations and findings.

The direct linkage between qualified auditors and the quality of audit results is a drum we have been beating for years, but in the current environment of increased supply chain transparency – and liability – companies should rethink the value, make-up and execution of supplier audits. Call us to discuss our views on this further.

Did the Cost of Conflict Minerals Report (CMR) Audits Just Go Up?

In a previous article, we discussed a recent paper published by NGOs the Enough Project and Responsible Sourcing Network/As You Sow (backed by two socially-responsible investment firms) that outlines their expectations for annual Form SD and Conflict Minerals Reports (CMR) content. By doing so, the nature and costs of CMR audits – if triggered by issuers’ individual circumstances – could be impacted directly and even indirectly.

Direct Impacts

Companies may consider employing some of the report’s recommendations.  In doing so, however, companies will directly increase the cost and efforts required for the independent private sector audit of the CMR, if that is triggered.

The audit criteria are established by way of the issuer’s own description of its due diligence activities.  SEC’s regulations are not prescriptive in this way and intentionally allow issuers flexibility in this narrative.  The level of specificity in the narrative, including numerical performance indicators, will drive the level of audit effort required.

The audit effort and cost may not be a key factor to some companies in considering the nature of their CMR report, but they should be aware of this factor as part of their considerations.

Indirect Impacts

In a recent seminar we participated in with Michael Littenberg of Schulte Roth & Zabel, Michael suggested that users/readers of CMRs are less likely to be the financial community that is typically the audience for SEC filings. Rather, NGOs will be the primary audience for CMRs, meaning that general expectations for content may indeed differ from the basics of SEC compliance.

The Enough/Responsible Sourcing Network paper supports that position.  With two socially-responsible investment (SRI) funds backing – and participating in – the paper’s position, that could be taken as an indicator of the financial community position on the subject as well (although the position of two investment firms certainly may not be representative of the broader financial community).

There is a possibility that the CMR audit could be impacted in terms of the basis of “significance” or “materiality” – concepts rooted in the users’/readers’ perspective.  Materiality (used in financial statements and the GAO Attestation standard) and significance (used in the GAO Performance Audit standard) are essentially the same in relation to CMR auditing, but for our purposes, we will focus on “significance”/Performance Audits.

In GAO’s Government Auditing Standards (the standards required to be used for CMR audits), Section 6.04 provides the definition/scope of “significance” in a Performance Audit.  Among the relevant components of the concept are

  • the relative importance of a matter within the context in which it is being considered, and
  • the needs and interests of an objective third party with knowledge of the relevant information.

Further, Section 6.11 states that auditors should assess “significance within the context of the audit objective by gaining an understanding of … the needs of potential users of the audit report…”

Given these statements, one could argue that NGO/SRI users of the audit report have established their expectations, therefore drawing a line in the sand on significance which CMR auditors would need to recognize in their audit activities and report.

Our Recommendation

We bring this discussion forward but in reality, it is probably academic rather than practical.  We don’t believe that SEC’s intended scope as reflected in the narrow audit objective for the CMR is likely to be expanded as a result of the paper.  At the same time, issuers should be mindful of the thought.

We continue to recommend that issuers view the CMR as a regulatory filing and not the appropriate place to tell a broader story about social responsibility achievements.  Companies should look to their CSR report to “tell their story” and possibly include indicators/other content sought by NGOs, keeping that separate from the regulatory filings and outside the potential scope of the CMR audit. We suggest that audit costs would be best managed by establishing a bright line between what is to be audited and what is outside those boundaries.  Blurring the lines or setting wider boundaries for the audit will increase the cost and perhaps set a precedent with much wider implications for issuers generally.

Video Demo Released of CMCheckPoint Conflict Minerals Assessment Tool

The 6-minute video demo and brief tutorial of Elm’s CMCheckPoint(sm) is now available, giving an overview of this groundbreaking conflict minerals program/strategy gap analysis tool.

You may view the video on either

In addition to the video, more information and screenshots are available here.

Recent articles and studies have shown that many companies are lagging in their conflict minerals program development efforts and are aggressively seeking low cost compliance approaches.

CMCheckPoint(sm) is unique in that it allows conflict minerals program assessments to be conducted with internal resources, leveraging third party expertise without the third party cost. CMCheckPoint(sm) may be able to save companies between 75% – 95% of the cost of having similar program compliance/strategy gap assessment work done by outside consultants.

After viewing the demo, click here to order and download immediately or to learn more.

We think spending 6 minutes to save 75% on consultant costs is a far better return than even 15 minutes for 15% on car insurance.

But then again, we can’t boast a talking lizard spokesman.  Er, spokesreptile.

Our Pick for the Super Bowl 2014 Ad Winners

Ok, we admit it – this post will be completely gratuitous and self serving.

You may have heard about the Super Bowl ad give-away contest sponsored by a well-known small business accounting software company.  CNN recently posted a story on it.

We thought it would be fun to give it a try, so we posted our entry.

Your vote and support would be greatly appreciated.  And we promise to post pictures from the Big Game if you help get us there.