This guidance is for auditors at all levels. It provides information on the topic of gender pay, advice on performing a compliance audit and suggestions for extending the topic to add greater assurance value.
Why gender pay should be on the audit plan
Introduction to gender pay
Legislative requirement
Reporting and the GDPR
Skills and experience required
Accountability
Data
Calculations
Reporting
Top tips
Possible risks
Adding value
Conclusion
The majority of organisations have a legal responsibility to report statistics on gender pay. The reported data is important from a reputational perspective as it provides a snapshot of the more intangible issues of diversity and culture.
The audit committee should require assurance firstly that the data being reported is accurate and secondly that the data is being used insightfully to mitigate against inequality going forward.
The gender pay gap differs from equal pay as it is concerned with the differences in the average pay between men and women over a period of time no matter what their roles are. Equal pay deals with the pay differences between men and women who carry out the same or similar jobs.
The government defines gender pay as the difference between the average earnings of men and women, expressed relative to men’s earnings. For example, ‘women earn x% less than men per hour’.
In 2017 an amendment to the Equality Act was introduced to address the specific issue of reporting inequality in gender pay, which previous legislation in place since 1970 had not mitigated (1970 Equal Pay Act/2010 Equality Act).
According to the Office of National Statistics, the gender pay gap among full-time employees in 2019 was 8.9%, only 0.6% less than in 2012. The gap among all employees was 17.3%, continuing a downward trend.
The Equality Act 2010 (Gender Pay Gap Information) Regulations 2017 and The Equality Act 2010 (Specific Duties and Public Authorities) Regulations 2017 apply to private, charity and the public sector respectively.
The Equality and Human Rights Commission can enforce any failure to comply with the regulations. The avoidance of negative publicity and ability to attract talent are powerful motivators to comply with the requirement.
The legislation applies to the following:
Note: gender pay reporting will apply to Northern Ireland, but going into 2020 legislation was still delayed due to assembly issues. Once authorised, it will extend further to include ethnicity and disability reporting in addition to gender. Members in NI are advised to check the latest regulatory updates.
Obligated organisations must report gender pay gap data annually.
There are strict rules around what must be reported and how it is calculated. This is explained in detail in the section on performing the compliance audit.
In respect to the GDPR (General Data Protection Regulation), gender pay gap reporting does not involve the processing of special category data, but salary information is nevertheless sensitive data. It should be possible for data to be anonymised to avoid any privacy concerns during the audit.
The Data Protection Act 2018 allows organisations to process personal data where it is for the purpose of equality of opportunity or treatment. If an employer is processing personal data to comply with a legal obligation, such as the gender pay gap reporting regulations, then this is also a lawful ground for processing.
Although no special data is required for gender pay reporting, it is good practice for organisations to undertake a DPIA (data processing impact assessment) to consider things such as how any data will be kept secure, how long it will be kept for and who it will be shared with.
A DPIA should be done when engaging in any new data processing activity and is a mandatory requirement when the processing involves special data on a large scale, such as would be required for ethnicity or disability pay reporting for example.
Best practice is to collect data such as ethnicity, religion, sexual orientation on a genuinely anonymous basis to ensure that it is not identifiable thereby negating any data processing issues.
Some organisations use third parties to collect and process data for equal opportunities monitoring; in such circumstances the organisation remains the data controller with full responsibility for ensuring it is processed in accordance with the GDPR.
The skills, experience and knowledge required by the internal auditor who will be completing the review depends on the type of audit review selected.
For an audit review focused on data and assessing compliance with reporting requirements a basic skill level may be sufficient with appropriate supervision.
There will be sensitivities given the nature of the data that internal audit will have access to; it may be useful to remind those involved of the Institute’s Professional Code of Ethics.
An extended, value-add audit review that explores insights for behavioural indicators, however, may be more suited to experienced internal auditors. This type of review will include dealing with senior organisational stakeholders to discuss, assess and challenge policy, values, and behaviours to reach an opinion.
Extending the scope of a compliance audit provides a development opportunity for internal auditors to benefit from coaching or joint-working with a more experienced colleague.
Providing independent assurance to the board that legislation is being complied with is an important role, particularly where non-compliance can lead to financial penalties and/or reputational damage.
The ideal time to carry out the audit review is after the organisation has calculated its statistics but before they have been formally reported. This provides for a window of opportunity to resolve any issues that may arise.
If this is not possible, the review can be carried out at any time of the year with any learnings carried forward to the next reporting cycle.
The following are four essential elements of the review.
An appropriate person, most likely a board member, should have formal accountability for signing the reporting statement and ensuring the submission is made.
There is also operational responsibility for ensuring the statement is prepared. Find out who is responsible for making sure that gender pay gap data is sourced, calculated, and reported. Is it part of their job profile? What happens if they are on long-term sick or unplanned absence at the critical time of year? How many people are able to perform the task?
Organisations are also accountable to their employees in how data is used. There should be a policy specifically for equal opportunities monitoring which explains to employees what is being done with their data, including collection, use, storage, sharing and retention.
Internal auditors will want to provide assurance across a number of aspects of the data being used for reporting.
Risks | Potential controls
Data is inaccurate | Validation checks at point of entry
Data is incomplete | On-line recruitment forms with mandatory sections
Data is not the right time period | Automated, scheduled reports
Data is unreliable | Exception reports to identify when core data is amended/deleted
The data sets required cannot be concisely summarised as there is specific data that must be included in calculations.
In respect to GDPR, gender pay gap reporting does not involve the processing of special category data, but salary information is nevertheless sensitive data. It should be possible for data to be anonymised to avoid any privacy concerns during the audit.
The gender pay gap only allows for male or female genders. Employees that do not identify in this way may be excluded from data sets for reporting purposes. The Acas guidance provides further advice on this.
Public bodies are required to report against all protected characteristics not just gender.
When reviewing data, it is important to consider the direction that legislation may take in future. Extending pay gap reporting to include ethnicity is under government consultation, and the inclusion of disability and a broader gender set is commented on widely in the media. Does your organisation collect sufficient data to do this analysis internally even if external reporting is not yet required?
To enable full compliance assurance, internal audit would need to review the data capture processes themselves to identify any points of data leakage. If time does not allow for this, the audit opinion should be clear on the scope of the review.
There are six calculations that must be performed:
These must be repeated independently by the internal auditor if assurance over their accuracy is to be provided.
This cannot be concisely summarised as there are specific rules for making the calculations.
Organisations are required to submit their calculations to the government using an online reporting tool. The information is public.
You will be able to see the data previously submitted by your organisation.
Many organisations also include a narrative explanation for their gap; this may be a written document or a link to their corporate website where the information is held. You can see these on the public information if you click on the link for ‘what this employer says about their gender pay gap’.
The compliance review should also provide assurance that the written statement is accurate. Organisations may cite industry norms, employee profiles or geography as the reasons for a gender pay gap. Internal auditors should check the facts, compare it to statements made by other organisations in the industry and evaluate the statement for reasonableness using organisational knowledge.
The written statement must also confirm the accuracy of the data used and be signed by an appropriate person.
Risk based internal auditing (RBIA) links internal auditing to an organisation's overall risk management framework. It allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite. Where the compliance audit focuses on the accuracy, timeliness and completeness of the data that is utilised for reporting gender pay gap, the risk-based audit is focused on the controls in place to mitigate the risks of outcomes of the reporting, the reputational risks of not reporting, not reporting a wide gender pay gap and/or not reporting a worsening pay gap.
Risks identified by the organisation should include but are not limited to those outlined in the table below.
Risks | Possible controls
1. Late publication of pay gap data | Nominated accountable person
2. Rise in claims against the employer – perceived gender discrimination | Modelling of data to assess claims potential
3. Impact on attraction/retention of talent due to time to close gap | Data capture and analysis of applicants
4. Financial cost of parity being unsustainable for the organisation | Transparent, sustainable parity programme with stakeholder communications
5. Culture impeding progress/not a board priority | Board education/awareness of topic
6. Lack of diversity at board and leadership positions | Board skills/diversity matrix
7. No momentum to extend reporting to other ‘gaps’ to highlight issue and drive progress | Governance leaders raise awareness, including CAE
8. Reputational risk of publishing figures showing a worsening position | Inclusive job profiles/advertisements
9. Decrease in brand value/share prices | Transparent narrative of issues/actions
1. Not publishing data within the required timeframe
Should an organisation not publish, the Equality & Human Rights Commission (EHRC) can start enforcement action which could result in an unlimited fine for breaching regulations. In addition, any breach would be publicly available on the EHRC website. Internal audit can assist here by reviewing controls in place to ensure that data is available and in a usable format to produce the calculations required. They can review whether there were any lessons learnt from previous years and how these have been addressed. In addition, the audit can review the governance trail from draft to approving the publication of data. Is it too long-winded? Are the right people reviewing and challenging the data?
2. Perceived gender discrimination leads to a rise in claims against the employer
Publishing data that confirms that there is a disparity between the pay of males and that of females could lead to females reviewing their pay and comparing their salary to that of males in the same role, which could lead to claims for equal pay rights. Where the organisation does not already provide analysis, internal audit will have access to (anonymised) salary data which could be assessed to review salaries of those positions where both males and females hold roles. This could identify previously unidentified disparity and provide an opportunity for the organisation to rectify the situation.
3. Talent attraction/retention as a result of gap
A widening gender pay gap may put off future employees who are researching organisations advertising roles. In addition, staff working for an organisation where a gap exists and there is no clear ambition or progression towards reducing the gap may find this doesn’t fit with their values and therefore seek alternative employment which shares their values.
Furthermore, where the board do not prioritise reducing the gap accordingly, this will additionally impact the reputation. The internal auditor should be reviewing what data was available across all levels of the organisation.
4. Parity being unsustainable due to cost
Organisations may know the cause of a lack of parity; however, the cost of putting this right may prove prohibitive for them. It may be that traditionally male-dominated sectors (construction, technology etc.) require large investment of time and money to attract and train staff. An internal audit review would have the potential to review the calculation undertaken to assess the cost and perceived benefit by way of “a X percentage decrease in gap will cost Y” and then truly review whether the cost outweighs the benefit.
5. Culture impeding progress
Specific sectors may find that, culturally, there is no momentum to reduce the gap. An internal auditor in one of these organisations would be already aware of this obstacle and therefore could be seeking to understand what others in the sector are doing to combat this – if anything.
Culture is linked to the ‘Tone at the Top’ and internal audit can focus their attention on how the board and senior management receive the pay gap data. Reviewing agendas for time set aside for discussing the results, if any, and the subsequent minutes to ascertain what was discussed and agreed as well as assessing any actions arising will provide a level of assurance over the engagement of senior management. In addition, workforce surveys may include questions on culture, equality and diversity and may provide some starting points for the auditor to delve into. It might even be possible for the audit to include a survey of staff to establish their thoughts on these – providing targeted, anonymous views on the culture of the organisation which could be analysed across the sexes, age, seniority etc.
6. Lack of diversity at board and senior leadership
Driving improvement and plans to reduce the gap may not necessarily be supported where there is little female representation at the most senior levels of the organisation. Gender pay gap reporting will already be accessing data across all seniority tiers of the organisation and therefore the auditor can access this too and, anonymously, identify gaps across defined tiers. A more progressive organisation would already be calculating this and potentially even publishing it alongside the required calculations. Furthermore, they would be looking into root causes of these gaps. However, if the organisation isn’t one of those going beyond the requirements, internal audit’s results could provide some illuminating statistics and seek to identify reasons for the gaps.
7. Lack of appetite for reporting other ‘gaps’
It has taken time for some organisations to fully get to grips with gender reporting and to be able to collate information in such a way as to be able to publish reliable gap reporting. Many other protected characteristics rely on self-identification in order to obtain, collate and report. Ethnicity requires the applicant/employee to self-identify but they also have the option to ‘not say’. Sexual preference is one identifier which is traditionally less often answered and one where employees fear repercussions of truthfully identifying. The low numbers of those identifying make it difficult to garner any meaningful data and therefore publishing information could be misleading. These concerns can make publishing this data unattractive; however, the internal audit activity can review what is being done to increase self-identification, both in recruitment and for existing employees, and provide, through the testing, indicators and suggestions for improvements.
8. Publishing figures showing a widening gap
A widening gap without narrative to explain causes and corrective measures risks turning stakeholders away from the brand/organisation. It highlights that, if measures are being taken to reduce the gap, they are ineffective and therefore a different strategy should be considered. It also may suggest that no measures are being taken. Auditing in this area could therefore include reviewing the analysis phase: identifying who is responsible for interrogating the figures and ensuring their accuracy, what strategies have been implemented and the review process for those. Establishing what alternative strategies were discussed and worked through, and assessing whether the strategies are being monitored and reviewed to assess impact, are also areas to test. In addition, determining how other organisations appear compared to their data last year, and whether this is a generic issue or one unique to the organisation, are also useful assessments.
9. Decrease in brand value/share price
Loss of stakeholder confidence will most likely lead to a loss of brand value or a fall in share price. This can have a further negative effect on corporate growth, investment in R&D etc. Consider whether data is available to the internal auditor to enable a review of gender pay gap versus share price or brand value over a period of time. The internal auditor can assess the comparisons and should have access to other influential events that may or may not have impacted the gender pay gap.
Firstly, the internal auditor can review the identified risks to establish whether the risk map is comprehensive. Given the risk appetite of the senior management and board, does the risk map sufficiently identify the risks of gender pay gap reporting? The internal auditor is ideally placed to discuss the appetite with senior staff and establish whether any action plans would be likely to mitigate the risk to such appetite. It can provide benchmarking data and evaluate best practice to determine how other, similar organisations are faring and establish any best practice that would support the organisation to move to further pay parity.
An internal audit can also provide a baseline from which future actions and reporting can reliably compare. Having reviewed calculations, accuracy of data published etc. the organisation will know that any issues have been identified and which data is to be relied upon.
In terms of benefit driven by diversity, McKinsey research – Diversity matters, February 2015 – looked at the relationship between the level of diversity and company financial performance. The analysis found a significant relationship between more diverse leadership teams and better financial performance. The companies in the top quartile of gender or racial/ethnic diversity were 15 or 35 percent, respectively, more likely to have financial returns that were above their national industry median. Data suggest diversity results in a competitive advantage for these organisations.
The Centre for Talent Innovation found that where leadership lacked diversity, fewer promising ideas make it to market.
The scope of a review of gender pay gap reporting is variable depending on, amongst other things (eg resources, skills, priorities), the days available in the internal audit annual programme of work. A full risk-based review is an opportunity to use root-cause analysis, discuss organisational culture and create insightful actions supported by management.
Chartered IIA Blog – Gender pay gap reporting
Equality Human Rights Commission – Equal pay audit larger organisations
Acas: Gender pay gap reporting and Managing gender pay
Government Equalities Office: Understand your gender pay gap and Evidence based actions for employers
Gov.uk – Actions to close the gap
PwC – Ethnicity pay gap report