The Business & Human Rights Resource Centre issued a report earlier this week about the need for a mechanism to hold social auditors and sustainability label schemes accountable for failures. Many folks (including me) have long been critical of social audits and certifications so while I think this paper conceptually is on track, it misses on a few important points.
Every audit is performed within constraints and limitations. Like it or not, no audit covers every conceivable topic, data point or contingency – and unfortunately auditors can be fooled by well-executed fraud, misrepresentation or misdirection on the part of the audited entity. Auditors manage constraints and expectations by applying audit procedures, evidence sampling techniques, interviewing skills and defining scope limitations.
I say this not to defend social auditors, but to clarify that limitations are simply inherent in social audits. A meaningful limitation the report downplays is that of audit scope. This point is made abundantly clear by the Rana Plaza example: while the disaster was a horrific event, attempting to hold a social auditor accountable for the building collapse is misguided because social audit scopes do not include structural engineering.
The report acknowledges this (albeit less than it should) in a brief overview of Das v George Weston Limited, the case about the tragedy brought against the audit firm Bureau Veritas in Canadian court. The court held that the auditor was not obligated to assess the structural integrity of the building. Audit scopes are agreed upon in advance with clients and they must be consistent with competencies of auditors performing the audit, and inversely – auditors must have the expertise and knowledge required by the established audit scope.
Oddly, the relevance of individual auditor expertise/competence is not explored in the report. Audit firms are expected to establish and enforce auditor quality/competence standards but sometimes that doesn’t happen. Poorly qualified auditors perform inadequate audits without supervision or proper peer reviews. As the report points out, this risk grows if audit team personnel are subcontractors, which is common in the social audit world. Ultimately, audit quality comes down to expertise and dedication of auditors doing the work.
Conflict of Interest
The authors state there is an inherent conflict of interest when auditors are hired by the company being audited. I disagree that this is automatically a significant risk. Financial audits are performed by auditors hired directly by the audited company and there is not an overwhelming call to change that structure. Audit firms – including the major social audit firms – have conflict of interest policies intended to identify impairment threats and related safeguards. In my experience, conflicts of interest in social auditing tend to arise more frequently from other threats such as involvement in corrective actions.
Suggested Legal Remedies
One conclusion of the report is that creating frameworks for third party liabilities will improve social audit quality:
Mechanisms for auditor liability are vital to ensure those harmed by failed social audits have effective access to legal remedy, including compensation, and to prevent the recurrence of audit failings.
The theory is that auditors legally accountable to those who are audit subjects will be incentivized to provide high quality audits. This may be correct to some extent, but balance is necessary. Liability must be directly related to the audit scope. The report does not address that and implies no limits, meaning any person could potentially take action against a social auditor for any incident. Reasonable professional audit firms will not take on unlimited liability like that or for every contingency – instead, they will eliminate social audits as service offerings. The few firms left standing in the market would either be extremely costly or questionable, which does not serve the market well.
Another part of the liability picture is the purpose the audit serves.
For example, a study by ECCHR points to a lawsuit in Germany against the German auditing firm TÜV Rheinland to illustrate a court may hold that the purpose of an audit contract is a compliance exercise, and not to protect third parties. In this case, the court acknowledged that the purpose of the law under which the audit was conducted is to protect end-users of the audited product (here, breast implants). However, it held that the purpose of the audit contract was only to assure the product’s compliance with EU standards.
This is generally the case for the majority of social audits, so the German court’s finding is widely applicable and a barrier for third party liability claims against auditors.
Sustainability certifications and labels are different. The authors point out “the statements those marks are intended to convey are relied upon by consumers in commercial decisions,” in contrast to social audits intended for internal corporate management use and a limited audience. Companies using sustainability certifications and labels are open to a wide range of potential litigants should there be problems (such as we wrote about here). It is appropriate for issuers of consumer-facing sustainability certifications and labels to have liability to consumers who rely on those marks.
What You Can Do
Until legal liability mandates are established, companies hiring social auditors and engaging sustainability label schemes should consider taking on additional effort to improve the quality and reliability of both. Suggestions include:
- Thoroughly vet the expertise and competence of potential social auditors, including their subcontractors. Conduct periodic reviews/updates to ensure slippage doesn’t occur.
- Establish contractual terms with social audit firms preventing their use of subcontractors unless specifically approved by the company who has engaged the firm, and/or contractually mandate specific competency and expertise standards for any subcontractor used on the company’s engagements.
- Evaluate the audit firm’s procedures for audit process QA/QC, fraud identification, independence/impairment assessment, and continuing education. Consider using your Internal Audit department to help. Conduct periodic reviews/updates to ensure the firm consistently follows it’s established procedures.
- Critically assess industry audit programs and sustainability certifications, including reviewing operating procedures, auditor competence standards and on-going performance monitoring activities. If possible, observe an audit first hand.
- Thoroughly evaluate what would happen if problems with a certification/label arise. Consider establishing contractual liability flow through terms and conditions with the issuing body, as well as terms for recovering direct economic damages attributable to such problems.
- When hiring social auditors, price may be an indicator of quality so the lowest bidder may present the highest risk – consider prioritizing quality factors when selecting a social audit firm.