AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

United Nations human rights reporting

The UN Guiding Principles capture the essence of what it means for a business to respect human rights in the twenty-first century.

This guidance will give you an overview of how internal auditors can provide assurance that their organisation is meeting their obligations under the UN requirements. 

Professional competencies
Factors of heightened importance for internal audit when assessing human rights performance
Internal audit conclusions
Further reading


The UN Guiding Principles on Business and Human Rights were endorsed by the United Nations Human Rights Council in June 2011. They set the global standard for business conduct in relation to human rights, with which other international, regional, national and industry and multi-stakeholder standards have aligned. They set out:

  • the state duty to protect human rights against abuse by third parties, including business, through appropriate policies, legislation, regulations and adjudication
  • the corporate responsibility to respect human rights, meaning to act with due diligence to avoid infringing on the rights of others and address adverse impacts with which they are involved
  • the need for greater access to effective remedy, both judicial and non-judicial, for victims of business- related human rights abuse

There is a growing need for companies to be sure of whether and how they are managing risks to human rights effectively across their operations and value chains, and to be sure that they disclose these efforts and their results adequately and accurately. Effective assurance, and internal audit, has a central role to play here. 

The UN Guiding Principles empower stakeholders by providing a blueprint for how companies should deal with human rights challenges. The UN Guiding Principles Reporting Framework not only supports accountability and transparency, but also helps companies adopt and ingrain the UN Guiding Principles into their cultures. Internal audit must embrace its role in helping to make this happen, and this guidance equips them to do so.

Professional competencies

The International Professional Practices Framework (IPPF), issued by IIA Global, sets the competencies required of internal auditors with respect to the undertaking of internal audit assignments. The below list emphasizes those competencies that are likely to be particularly relevant for the undertaking of an engagement that includes an assessment of human rights performance.

1. Independence and impartiality 

The IPPF addresses the requirement for internal auditors to act with independence and impartiality, which is essential to the credibility of any assurance engagement. These principles gain particular importance in the context of human rights assurance processes when being performed by the internal audit function, not least since internal audit may not be assumed to be impartial by people whose human rights are at risk from, or impacted by, the company’s operations and value chain.

2. Specific human rights expertise

Given that the subject matter of human rights is wide-ranging, internal auditors should understand the limits of their knowledge and expertise and ensure that relevant expertise is included in the assurance team from other sources where necessary. Areas of competence that will typically be relevant, in addition to expertise in assurance processes, are:

  • expertise in internationally recognized human rights standards
  • expertise in the UN Guiding Principles on Business and Human Rights
  • expertise in human rights risk assessment
  • expertise in human rights issues typically relevant to the company’s industry and operating contexts
  • expertise in processes for engaging stakeholders, including vulnerable groups and other stakeholders affected by the company’s business

3. Stakeholder engagement

Internal auditors will need expertise to critically review the company’s understanding of who its stakeholders are with regard to human rights risks and impacts. Where necessary, they may need to conduct their own mapping of stakeholders to ensure no key groups have been omitted that might change the company’s understanding of human rights risks. Particular attention should be paid to the inclusion of groups potentially impacted through the company’s operations or value chain.

Internal auditors also need particular skill sets to engage with stakeholders, most notably with those who may be, or have been, impacted through the company’s operations or value chain, as well as expertise in the geographical and cultural contexts where the engagement will be conducted. Alternatively, they may rely on third-party experts for this aspect of the assurance process.

Cost and other resource constraints may limit the ability of internal auditors to engage extensively with the company’s stakeholders as part of the audit process – in particular, affected stakeholder groups who may be remote from the company’s headquarters. Where this occurs, an assessment will need to be made of the impact of the limitation on the assurance that can be provided. At a minimum, engagement with some informed, policy-level stakeholders from NGO, trade union, academic or other expert backgrounds will be important wherever possible.

Factors of heightened importance for internal audit when assessing human rights performance

1. Suitability of the scope of the assurance process

The scope of the internal audit engagement may be limited, for example, because the requesting party wants only to address one particular risk, monitor one particular site or engage with only specifically identified
stakeholders. If so, it is important for the internal auditor to assess whether that limitation would be so far reaching as to render their conclusions potentially meaningless or misleading. In such cases, the internal auditor should explain to the requesting party the impact of such a limitation and how their conclusion may be compromised as a result. Any limitations on scope should be made clear to, and where material, agreed with the audit committee.

2. Time to gather evidence

The qualitative nature of much of the evidence needed to assure a company’s human rights performance depends, in particular, on evidence obtained through observation, inspection, surveys and interviews, and is likely to result in the following:

  • more time needed not only to gather and collate the evidence, but also to plan the engagement given increased levels of communication and engagement
  • more wide-ranging engagement with stakeholders outside the company than is generally the case for other types of assurance
  • enhanced discussions with the requesting party to ensure that there is sufficient time and resources to obtain the evidence necessary to draw robust conclusions

3. Conflicts between local laws and international standards

Under the UN Guiding Principles, where national laws fall below international human rights standards, companies are expected to abide by both; and where applicable laws are in conflict with international human rights standards, companies are expected to honour the principles of the international standards to the greatest extent possible in the circumstances, and to be able to demonstrate their efforts in this regard. Internal auditors should, therefore, be alert to discrepancies between applicable national laws and international human rights standards, and ensure that it is the higher standards – typically, the international standards – that set the reference point for the engagement. Where this is not the case, the internal auditor should bring this to the attention of the management.

4. Professional scepticism and judgment

Professional scepticism and judgment are key attributes of any internal auditor and are defined in the IPPF standards. Given the qualitative nature of much human rights information, assurance processes in this field inevitably involve high levels of individual judgment, making these skills particularly important to arrive at robust expert conclusions by:

  • testing qualitative and subjective information, and
  • seeking corroboration of key assertions

5. Review of salient human rights issues

The UN Guiding Principles make clear that when companies need to prioritize their efforts to address human rights risks:

  • they should prioritize those impacts on people’s human rights that would be most severe: the company’s salient human rights issues, as set out in the UN Guiding Principles Reporting Framework.
  • their formal reporting should focus on operations and operating contexts that pose risks of severe human rights impacts.

Internal auditors should, therefore, assess whether the human rights issues on which the company is focusing its management efforts could reasonably be considered its salient human rights issues. Doing so will enable the auditor to:

  • identify any potential weaknesses in the company’s existing risk assessment processes that require further scrutiny
  • identify any human rights risks and impacts that may be under-recognized and require further scrutiny

6. Engagement with external stakeholders

Broadly speaking, there are three types of stakeholder most relevant to human rights issues:

  • directly affected stakeholders (and their legitimate representatives)
  • proxies for affected stakeholders
  • human rights experts

Due attention should be paid to the different types of insight that different stakeholders can offer. When interviewing stakeholders, the internal auditor should:

  • provide sufficient protection to interviewees such that information they share cannot be attributed back to them unless they freely and expressly agree otherwise
  • be clear about their role when interviewing stakeholders; that it is about obtaining evidence, not expressing a conclusion on the company other than in its final report or statement

The AA1000 Stakeholder Engagement Standard contains valuable additional guidance on engagement with external stakeholders.

7. Retention of evidence

Since human rights assurance processes are likely to involve greater levels of interviews, observation and inspection than is the case for many other subjects, particular attention needs to be paid to how this will be documented. The internal auditor should ensure that they have appropriate means by which to retain this evidence in a manner that:

  • respects individuals’ confidentiality
  • meets their human right to privacy and related legal requirements

8. Subsequent events

Human rights assurance may require a longer period between the end of the evidence-gathering phase and the completion of the internal audit conclusion than other such assurance processes. Prior to approval of the conclusion, the internal auditor should take steps to ensure that:

  • no further evidence has arisen that would alter the conclusion, and that
  • no severe negative impacts have taken place which, if omitted from the conclusion, could render them misleading

If the internal auditor identifies a severe impact during their review which potentially falls outside of their scope, they should discuss their findings with management.

Internal audit conclusions

Sections 2400 to 2600 of the IPPF set out a number of requirements regarding the content of an internal audit conclusion. Conclusions for internal management alone can be tailored to the specific needs of the company, and it is recommended that the conclusion include the following among its principal headings:

  • The human rights competencies of the assurance providers conducting the audit/assessment process
  • The stakeholders/stakeholder groups engaged in the course of the process
  • The appropriateness and effectiveness of the company’s policies and processes that address the human rights issues included in the scope of the engagement
  • Areas of particular progress in the company’s performance
  • Areas of weakness in the company’s performance
  • Recommendations for improvement

Further reading 

Assurance Guidance on Human Rights Performance and Reporting for internal auditors

Guidance: Assurance of Human Rights Performance and Reporting

Content reviewed: 1 February 2023