Tag Archives: internal audit

You Are What Your Suppliers Do: Supplier Actions Make Headlines, Break Business

With companies facing increasing pressure for the actions of every part of their supply chain, demand for – and reliance on – supplier/corporate social responsibility (CSR) audits conducted by third parties has grown rapidly.

Shirts, Phones, Rocks and Shrimp

But there is concern about the quality, reliability and credibility of these audits.

CSR Auditing and Toilet Paper

Is Social Auditing Really Auditing?

Harvard Professor Identifies Factors for Meaningful CSR and Supply Chain Audits

You Don’t Know What Your Suppliers Are Hiding

Companies rely on their CSR audit firm to utilize qualified auditors, employ adequate QA/QC processes and expend adequate time to conduct a reasonable audit. Yet there are no generally-accepted professional CSR audit practitioner standards. Moreover, due to cost pressures, lowest cost audit providers are frequently selected that may not have appropriate auditing skills or training – the largest CSR audit firms conduct tens of thousands of these audits each year. Increasing audit time and costs to improve quality or credibility is typically not realistic – the business model is inherently high-volume, low margin.

Are these audits effective at findings supplier actions that create risks for you? Can a company gain confidence in their CSR audits without adding costs? Is a change in auditors necessary?

Improve Credibility for Disclosures, Media and Customers

Changing audit firms is not necessary, nor is another layer of auditing. Instead, a formalized auditor training program can be a low cost yet effective solution.

The Elm Consulting Group International is expanding our well-proven auditor training program to companies who use CSR/supply chain auditors. The intent of this program is for brands to provide detailed communication and training to their current CSR/supply chain auditors about the company’s requirements for auditor competence, audit quality and processes in order to enhance the credibility of audit information.

Our formalized training for existing CSR auditors builds their client’s confidence in the quality of the work provided. The program is not intended to provide training on specific audit topics such as child labor or worker rights. Instead, the focus is on proven audit techniques such as:

  • Understanding and applying professional skepticism
  • Interviewing and active listening
  • Identifying and responding to non-verbal cues within multi-cultural contexts
  • Evidence sampling methodologies
  • Using information from different sources
  • Verification and recomputation techniques
  • Judging audit evidence quality and limitations
  • Fraud detection
  • Using working papers and audit protocols
  • Writing effective and complete audit findings
  • Audit quality expectations, requirements and processes
  • Maintaining auditor independence, including auditor rotation

Our Qualifications as The Leader in Auditor Training

Our HSE auditor training experience began in the 1980s and we have successfully trained hundreds of external and internal auditors. Elm Principals hold auditor certifications from the US Board of Environmental, Health and Safety Auditor Certification (BEAC, now wholly merged into the Institute of Internal Auditors) and UK Institute of Environmental Management & Assessment, are approved trainers for the IIA EHS auditor certification program and are subject to annual continuing education requirements ourselves. Further, Elm Principals have served in various Board positions in The Auditing Roundtable (merged into the IIA in 2016) and BEAC, including the current BEAC Chair.  More information about our internal audit quality and auditor competence standards is available here.

Give us a call at 678-200-3424 or contact us via email to discuss how we can help you increase confidence in your CSR audits.

Dr. Seuss Essay on Auditing Updated

In the early 1970s, buried in one of his books, Dr Seuss penned a little known essay on auditing. For those not familiar with it, the full text follows:

Oh, the jobs people work at!

Out west near Hawtch-Hawtch
 there’s a Hawtch-Hawtcher Bee-Watcher. His job is to watch…
is to keep both his eyes on the lazy town bee. A bee that is watched will work harder, you see.

Well… he watched and he watched. But, in spite of his watch, 
that bee didn’t work any harder. Not mawtch.

So then somebody said,
“Our old bee-watching man
just isn’t bee-watching as hard as he can. 
He ought to be watched by another Hawtch-Hawtcher!
 The thing that we need
is a Bee-Watcher-Watcher!”

 The Bee-Watcher-Watcher watched the Bee-Watcher.
 He didn’t watch well. So another Hawtch-Hawtcher
had to come in as a Watch-Watcher-Watcher!

And today all the Hawtchers who live in Hawtch-Hawtch are watching on Watch-Watcher-Watchering-Watch,
Watch-Watching the Watcher who’s watching that bee.

You’re not a Hawtch-Watcher. You’re lucky, you see!”

Words of wisdom from an unlikely source.  And for a little amusement, Elm takes Seuss a little further.

We decided to try our own hand at rhyme
And update the story to these current times.

Auditors watch the things clients do
And also suppliers when they’re in scope too.
They see if the list of everything bought
Was made in conditions just like it was thought
Or from those hoping they’re not getting caught.

The Hawtch-Hawtch bee watcher failed as you know
Since audits alone don’t work, we shall show.
What can we learn from those watching the bee?
I see two things – well, actually three.

The bee – when watched – was supposed to work more
But that’s not what bee itself had in store.
Instead what it did was kept right on doing
Not a thing – the watcher was just cud-chewing.
The town of Hawtch-Hawtch thought things would be fine
As long as an auditor watched all the time.

That, my dear friends, is flaw number 1 –
Audits alone are but one part of the fun,
After the watching, there’s more to be done.

The next wrong expectation in this story I find
Is the scope of the watching is not well defined.
What does it mean to “Watch as hard as you can?”
The watchers weren’t sure – down to the last man.
Had they been told, they could do the job well
And not let past problems fester and swell.

Today, what of CSR, governance and sustainability?
The words are unclear – I think they’re meant to be.
No clarity was given those Hawtch Hawtch bee watchers
So they all failed, got sore feet and bad postures.

And now, my beloved, we’re at flaw number three
Which is simply bad audit and auditor quality.
Bad bee watching – at least supposedly so –
Made the line of watch-watchers grow – grow – grow
That perpetuated the flaws that all went before
Meaning Hawtch-Hawtch kept getting more, more and MORE
Of the same watch watchers already there
Who did nothing more than stare, stare and stare
At the same old thing day after day,
Focused on billable hours, bonus and pay.

Most of them ranked low and were unqualified
To be a watch watcher – they weren’t certified.
Maybe because that would cost a bit more
Than the ineffective work that had been done before.
But Hawtch-Hawtch didn’t care to look into this
Not concerned with things that were possibly missed.

Now Hawtch-Hatwch is not a maker of stuff
That uses slave labor and treats their folks rough
And whose business will shrink when good auditors see
What unscrupulous companies do with glee.

In sum, Seuss told us of things one through three
These things – for auditing – are important and key.
But, I say friend, don’t take it from me
Go back and look that old Hawtch-Hawtch bee.

Apropos: Dia de los Muertos and the Billable Hour

Today is Halloween in the US and Dia de los Muertos in Mexico.  It is a time based on the idea of reflecting on death.  Now we aren’t being morbid here – instead we grinned at the amusing irony of the timing of this article on LinkedIn which is an obituary to the billable hour.

We absolutely agree with the downsides of billable hours.  All of us at Elm, in prior points in our careers, have had ourselves and clients held hostage by the almighty billable hour.  Over the past several years, we decreased our use of hourly rates and billings – instead working on a daily rate or, increasingly, on a fixed fee basis.

Given all that is right with eliminating hourly billing, a reasonable person might ask why doing so remains ubiquitous for consulting/auditing firms?  Yet another irony for those of us who help client organizations in changing their internal culture – because it’s the way it’s been done in the past. 


Harvard Professor Identifies Factors for Meaningful CSR and Supply Chain Audits

Well known Harvard Business School Professor Michael W. Toffel recently published the results of three studies into CSR/social auditing, including what makes an audit valuable and how to help plants actually learn from the audit results.  Prof. Toffel narrates the key insights in this 4-minute video.

Our main takeaways were:

  1. Toffel states that “We assume that most clients want the auditors to tell them the unvarnished truth.  Obtaining accurate information from these auditors is critical to enable brands to manage this risk.”  We are not sure this is universally so and impacts how plants respond to audit findings.
  2. They found a relationship between three aspects of audit team makeup and the number of audit findings reported:
    • Returning auditors tend to have fewer findings than an auditor who has not audited the site previously.
    • More years of auditing experience and training means a higher number of findings than auditors with less experience/training.
    • Female audit team members tend to identify more findings than male auditor team members.
  3. The biggest improvements came when a highly-trained team performed an announced audit.
  4. Audits are a critical method for knowledge transfer “and for knowledge to be transferred effectively, you have to have a knowledgeable auditor, but you also have to have a receptive factory manager.”  The receptiveness of a plant manager is linked to Point #1 above.
  5. Factories in countries with greater press freedom were substantially likelier to improve.
  6. Audit teams seem to have fewer findings where the factory pays rather than the brand. While Toffel suggests this may be a result of conflict of interest, we believe there is another side that is more prevalent.  Factories are subject to enormous cost pressures and tend to select the lowest cost providers, which translates to less experienced/trained auditors not fully prepared to identify complex situations and findings.

The direct linkage between qualified auditors and the quality of audit results is a drum have been beating for years, but in the current environmental of increased supply chain transparency – and  liability – companies should rethink the value, make-up and execution of supplier audits.  Call us to discuss our views on this further

Did the Cost of Conflict Minerals Report (CMR) Audits Just Go Up?

In a previous article, we discussed a recent paper published by NGOs the Enough Project and Responsible Sourcing Network/As You Sow (backed by two socially-responsible investment firms) that outline their expectations for annual Form SD and Conflict Minerals Reports (CMR) content.  By doing so, the nature and costs of CMR audits – if triggered by issuers’ individual circumstances – could be impacted directly and even indirectly.

Direct Impacts

Companies may consider employing some of the report’s recommendations.  In doing so, however, companies will directly increase the cost and efforts required for the independent private sector audit of the CMR, if that is triggered.

The audit criteria are established by way of the issuer’s own description of its due diligence activities.  SEC’s regulations are not prescriptive in this way and intentionally allow issuers flexibility in this narrative.  The level of specificity in the narrative, including numerical performance indicators, will drive the level of audit effort required.

The audit effort and cost may not be a key factor to some companies in considering the nature of their CMR report, but they should be aware of this factor as part of their considerations.

Indirect Impacts

In a recent seminar we participated in with Michael Littenberg of Schulte Roth & Zabel, Michael suggested that users/readers of CMRs are less likely to be the financial community typically the audience for SEC filings.  Rather, NGOs will be the primary audience for CMRs, meaning that general expectations for content may indeed differ from the basics of SEC compliance.

The Enough/Responsible Sourcing Network paper supports that position.  With two socially-responsible investment (SRI) funds backing – and participating in – the paper’s position, that could be taken as an indicator of the financial community position on the subject as well (although the position of two investment firms certainly may not be representative of the broader financial community).

There is a possibility that the CMR audit could be impacted in terms of the basis of “significance” or “materiality” – concepts rooted in the users’/readers’ perspective.  Materiality (used in financial statements and the GAO Attestation standard) and significance (used in the GAO Performance Audit standard) are essentially the same in relation to CMR auditing, but for our purposes, we will focus on “significance”/Performance Audits.

In GAO’s Government Auditing Standards (the standards required to be used for CMR audits), Section 6.04 provides the definition/scope of “significance” in a Performance Audit.  Among the relevant components of the concept are

  • the relative importance of a matter within the context in which it is being considered, and
  • the needs and interests of an objective third party with knowledge of the relevant information.

Further, Section 6.11 states that auditors should assess “significance within the context of the audit objective by gaining an understanding of … the needs of potential users of the audit report…”

Given these statements, one could argue that NGO/SRI users of the audit report have established their expectations, therefore drawing a line in the sand on significance which CMR auditors would need to recognize in their audit activities and report.

Our Recommendation

We bring this discussion forward but in reality, it is probably academic rather than practical.  We don’t believe that SEC’s intended scope as reflected in the narrow audit objective for the CMR is likely to be expanded as a result of the paper.  At the same time, issuers should be mindful of the thought.

We continue to recommend that issuers view the CMR as a regulatory filing and not the appropriate place to tell a broader story about social responsibility achievements.  Companies should look to their CSR report to “tell their story” and possibly include indicators/other content sought by NGOs, keeping that separate from the regulatory filings and outside the potential scope of the CMR audit. We suggest that audit costs would be best managed by establishing a bright line between what is to be audited and what is outside those boundaries.  Blurring the lines or setting wider boundaries for the audit will increase the cost and perhaps set a precedent with much wider implications for issuers generally.

Video Demo Released of CMCheckPoint Conflict Minerals Assessment Tool

The 6-minute video demo and brief tutorial of Elm’s CMCheckPoint(sm) is now available, giving an overview of this groundbreaking conflict minerals program/strategy gap analysis tool.

You may view the video on either

In addition to the video, more information and screenshots are available here.

Recent articles and studies have shown that many companies are lagging in the conflict minerals program development efforts and are aggressively seeking low cost compliance approaches.

CMCheckPoint(sm) is unique in that it supports internally-resourced conflict minerals program assessments to be conducted by leveraging third party expertise without the third party cost.  CMCheckPoint(sm) may be able to save companies between 75% – 95% of the cost of having similar program compliance/strategy gap assessment work done by outside consultants.

After viewing the demo, click here to order and download immediately or to learn more.

We think spending 6 minutes to save 75% on consultant costs is a far better return than even 15 minutes for 15% on car insurance.

But then again, we can’t boast a talking lizard spokesman.  Er, spokesreptile.

Our Pick for the Super Bowl 2014 Ad Winners

Ok, we admit it – this post will be completely gratuitous and self serving.

You may have heard about the Super Bowl ad give-away contest sponsored by a well-known small business accounting software company.  CNN recently posted a story on it.

We thought it would be fun to give it a try, so we posted our entry.

Your vote and support would be greatly appreciated.  And we promise to post pictures from the Big Game if you help get us there.


We Haven’t Forgotten What We Do

Although Elm has invested much time and effort into our conflict minerals services over the past three years, we continue to provide our core services of HSE auditing and program development.

We gain new clients and engagements each year with much of that growth outside the US.

Those who have come to know us in the conflict minerals arena, we would be pleased to talk with you about how Elm can assist you with HSE audit program support.

Please do not hesitate to contact us with questions. We look forward to talking with you.

Elm Selected to Lead Development of New Auditor Guidance for Conflict Minerals Performance Audits

Elm has been selected by The Auditing Roundtable to lead their newly formed Working Group to develop a professional auitdor guidance intended for use by non-CPAs in applying the “generally accepted government auditing standards” (also known as “GAGAS” or the Yellow Book) to audits of Conflict Minerals Reports under SEC’s conflict minerals regulations.

Lawrence Heim, CPEA, Director of Elm’s Conflict Minerals services:  “The Board of Directors agreed to take on the challenge of developing this guidance, and doing so as rapidly as possible to serve the regulated community.  I am honored that the Board asked me to play a role in that process.”

Heim continued: “Given the importance, visibility and global impact of of this guidance, the Board recognizes how critical broad-based input and consensus will be.  The Working Group’s first order of business is to present to the Board for their approval two lists: one of recommended professional peer reviewers and one of organizations/entities from whom input will be sought as stakeholders.”

The Working Group will hold its first meeting in conjunction with the Roundtable’s national meeting in San Diego January 28-30, 2013.

Elm has been a vocal proponent of strong auditing and auditor qualification/independence standards in the conflict minerals context since our initial project work in 2010.  The Securities and Exchange Commission solicited our opinion and experiences on the matter during their Conflict Minerals Roundtable in 2011.  The Auditing Roundtable and the Board of Environmental, Health & Safety Auditor Certifications submitted written comments on the use of Performance Audit standards to the SEC during the proposed rule stage, and provided a briefing paper on auditor qualifications/audit standards to the US State Department Office of Central African Affairs in 2011.

The Auditing Roundtable

The Roundtable was founded in January 1982, when managers of ten corporate environmental audit programs met to discuss their auditing programs and practices.  The Roundtable has held regular meetings since that time and has undergone many important changes.  A Code of Ethics and the first formal bylaws, adopted in 1987, opened the Roundtable membership to individuals and provided for the election of a Board of Directors by the membership at large.  Following peer review and vote by the membership, the Roundtable adopted Standards for the Performance of Environmental Audits in 1993.  In 1998, the Roundtable reorganized into its current organizational structure.  Today it is the leading organization for environmental, health and safety auditing professionals in the United States and has formalized relationships/reciprocity with other scientific and auditing professional organizations around the world.

For more information on The Auditing Roundtable, click here.

Board of Environmental, Health & Safety Auditor Certifications

In 1997, The Auditing Roundtable joined with The Institute of Internal Auditors (IIA) to establish the Board of Environmental, Health & Safety Auditor Certifications (BEAC) for the purpose of issuing professional certifications relating to environmental, health, and safety auditing and other scientific fields.  BEAC is a member of the Council of Engineering and Scientific Specialty Boards (CESB), a third-party accreditation board. The CESB has granted full accreditation to BEAC’s Certified Professional Environmental Auditor (CPEA) certification.  BEAC certification is also recognized by

  • American Industrial Hygiene Association
  • American Society of Safety Engineers
  • American Chemistry Council
  • Texas Commission on Environmental Quality
  • Canadian Environmental Auditor Association

For more information about BEAC, click here.

An Epidemic of Conflict Minerals “Experts”

Since the US Securities and Exchange Commission adopted their final conflict minerals rule on August 22, Elm and our Conflict Minerals Consortium partners have seen an explosion in proposals, RFPs and related meetings, which we expected.

Also expected was the concurrent growth of firms marketing themselves as conflict minerals experts or having off-the-shelf technological solutions.

We offer the following points to consider when evaluating possible business partners for a long, unprecedented, complex – and likely costly – journey.  A little due diligence on your consultants may provide you a smoother due diligence process for conflict minerals.

You may find it worth asking your potential conflict minerals advisors, consultants and solutions providers questions like those below.  Even a 60 second review of Google search results on the expert can be revealing.

  • When did the expert start working on conflict minerals matters?  The issue began to come forward in the electronics industry back in 2008, but gained real momentum in 2010 with the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act in July 2010.  A very small number of external advisors/consultants have direct experience going back to 2010, or even 2011 for that matter.
  • Did the expert participate in public comment activities during the SEC rule development? Public comments on the proposed rule were submitted by a few consulting firms and accountants.  SEC met in person with hundreds of interested parties between 2011 and 2012.  In October 2011, SEC invited a panel of 16 experts to participate in a detailed question and answer session with the Commissioners and Staff.  Only two of those 16 were from companies that provide external advisory services.
  • What does a project team look like?  How extensive is the network of team members?  Has the team worked together before?  Given the potential breadth of a comprehensive program, a full-service team is likely to require external expertise from areas such as legal, IT, corporate social responsibility (CSR), mining, RoHS, supply chain management and auditing.  External integrated cross-functional teams are already rare, and with the demand for conflict minerals support growing, availability of those limited resources is becoming a concern to many companies.
  • What types of project work has been done?  Narrow project scopes limited to filling out spreadsheets or reviewing product content data can be relevant to an overall conflict minerals management program, but a much wider view is critical to understanding the challenges in developing/implementing this framework.  Other elements include training, strategic advisory and decision-making criteria/contingencies, management systems development and integration and external communications.
  • What industries/business types has the expert worked with?  Although the electronics industry took the lead early, Section 1502 impacts a huge cross section of products, companies and sectors globally.   Force-fitting something potentially considered “the” solution in one sector may be inappropriate or unworkable for another.
  • Has the expert worked with clients that are: large/small, public/private, complex supply chains/simple supply chains?  Each situation presents different challenges – can the expert offer unique insights or discuss potential differences/similarities to your situation?
  • Is the expert directly involved with or supporting existing industry initiatives/solutions, which may create concerns about the expert’s impartiality, independence or approach?  As mentioned above, each company faces different pressures in developing a conflict minerals program.  Experts involved in the development of existing solutions may not offer you alternatives to what they feel is a “standard” approach, or may attempt to enforce efforts beyond what is applicable/cost effective for your situation.
  • Is the expert offering to work on two sides of the fence – such as developing your systems, then auditing the systems they helped you develop?  We don’t believe it is appropriate for auditors to audit work they have done, as this can impair their independence/objectivity.  Generally speaking, auditor codes of ethics and various standards prohibit this as well.
  • If discussing audits, can the expert clarify what role the anticipated audit will play in your project, what standard will be applied and what the objective is?  What auditor qualifications/credentials does the expert offer?  A study conducted last July by the US Government Accountability Office (GAO) stated there are 9 different “conflict minerals audits”, not including the audit of the conflict minerals report that is part of the SEC regulation.  There is a great deal of confusion about what a “conflict minerals audit” really is, and a generic reference to ISO19011 auditor guidelines may not be sufficient.  It is not unreasonable to consider that the credibility of your program and related audits may rest upon the quality and independence of auditors you select.
  • Is the expert suggesting that they provide consulting services to – or audits of – your suppliers on your behalf?  This can create significant concerns about who owns the process, the report/information generated, whether the supplier can then share that information with other customers, and how confidential information is managed.
  • Does the expert seem to have visibility in the marketplace that is commensurate with the level of expertise they portray?  Has the expert published articles on conflict minerals?  Do those articles reflect simply “book knowledge” of the requirements, or are valuable and pragmatic insights offered?  In what venues has the expert published or given public presentations on conflict minerals?  Do speaking engagements extend beyond those sponsored by their own company?
  • Is the subject matter reasonably related to the core competency/expertise of the expert or the company?  We are seeing some interesting service/brand extensions in an attempt to cash in on the topic.
  • Are the expert’s conflict minerals expertise/knowledge being applied to your project in an appropriate manner?  There are certainly experts in the marketplace, but it is worth ensuring that they are not overextending their expertise into areas where they offer no value or are unqualified.  For instance, technical support on scoping/implementing a supply chain IT solution is not typically within the subject matter expertise of an auditor or lawyer.