The UN Guiding Principles capture the essence of what it means for a business to respect human rights in the twenty-first century.
This guidance will give you an overview of how internal auditors can provide assurance that their organisation is meeting their obligations under the UN requirements.
The UN Guiding Principles on Business and Human Rights were endorsed by the United Nations Human Rights Council in June 2011. They set the global standard for business conduct in relation to human rights, with which other international, regional, national and industry and multi-stakeholder standards have aligned. They set out:
There is a growing need for companies to be sure of whether and how they are managing risks to human rights effectively across their operations and value chains, and to be sure that they disclose these efforts and their results adequately and accurately. Effective assurance, and internal audit, has a central role to play here.
The UN Guiding Principles empower stakeholders by providing a blueprint for how companies should deal with human rights challenges. The UN Guiding Principles Reporting Framework not only supports accountability and transparency, but also helps companies adopt and ingrain the UN Guiding Principles into their cultures. Internal audit must embrace its role in helping to make this happen, and this guidance equips them to do so.
The International Professional Practices Framework (IPPF), issued by IIA Global, sets the competencies required of internal auditors with respect to the undertaking of internal audit assignments. The below list emphasizes those competencies that are likely to be particularly relevant for the undertaking of an engagement that includes an assessment of human rights performance.
The IPPF addresses the requirement for internal auditors to act with independence and impartiality, which is essential to the credibility of any assurance engagement. These principles gain particular importance in the context of human rights assurance processes when being performed by the internal audit function, not least since internal audit may not be assumed to be impartial by people whose human rights are at risk from, or impacted by, the company’s operations and value chain.
Given that the subject matter of human rights is wide-ranging, internal auditors should understand the limits of their knowledge and expertise and ensure that relevant expertise is included in the assurance team from other sources where necessary. Areas of competence that will typically be relevant, in addition to expertise in assurance processes, are:
Internal auditors will need expertise to critically review the company’s understanding of who its stakeholders are with regard to human rights risks and impacts. Where necessary, they may need to conduct their own mapping of stakeholders to ensure no key groups have been omitted that might change the company’s understanding of human rights risks. Particular attention should be paid to the inclusion of groups potentially impacted through the company’s operations or value chain.
Internal auditors also need particular skill sets to engage with stakeholders, most notably with those who may be, or have been, impacted through the company’s operations or value chain, as well as expertise in the geographical and cultural contexts where the engagement will be conducted. Alternatively, they may rely on third-party experts for this aspect of the assurance process.
Cost and other resource constraints may limit the ability of internal auditors to engage extensively with the company’s stakeholders as part of the audit process – in particular, affected stakeholder groups who may be remote from the company’s headquarters. Where this occurs, an assessment will need to be made of the impact of the limitation on the assurance that can be provided. At a minimum, engagement with some informed, policy-level stakeholders from NGO, trade union, academic or other expert backgrounds will be important wherever possible.
The scope of the internal audit engagement may be limited, for example, because the requesting party wants only to address one particular risk, monitor one particular site or engage with only specifically identified
stakeholders. If so, it is important for the internal auditor to assess whether that limitation would be so far reaching as to render their conclusions potentially meaningless or misleading. In such cases, the internal auditor should explain to the requesting party the impact of such a limitation and how their conclusion may be compromised as a result. Any limitations on scope should be made clear to, and where material, agreed with the audit committee.
The qualitative nature of much of the evidence needed to assure a company’s human rights performance depends, in particular, on evidence obtained through observation, inspection, surveys and interviews, and is likely to result in the following:
Under the UN Guiding Principles, where national laws fall below international human rights standards, companies are expected to abide by both; and where applicable laws are in conflict with international human rights standards, companies are expected to honour the principles of the international standards to the greatest extent possible in the circumstances, and to be able to demonstrate their efforts in this regard. Internal auditors should, therefore, be alert to discrepancies between applicable national laws and international human rights standards, and ensure that it is the higher standards – typically, the international standards – that set the reference point for the engagement. Where this is not the case, the internal auditor should bring this to the attention of the management.
Professional scepticism and judgment are key attributes of any internal auditor and are defined in the IPPF standards. Given the qualitative nature of much human rights information, assurance processes in this field inevitably involve high levels of individual judgment, making these skills particularly important to arrive at robust expert conclusions by:
The UN Guiding Principles make clear that when companies need to prioritize their efforts to address human rights risks:
Internal auditors should, therefore, assess whether the human rights issues on which the company is focusing its management efforts could reasonably be considered its salient human rights issues. Doing so will enable the auditor to:
Broadly speaking, there are three types of stakeholder most relevant to human rights issues:
Due attention should be paid to the different types of insight that different stakeholders can offer. When interviewing stakeholders, the internal auditor should:
The AA1000 Stakeholder Engagement Standard contains valuable additional guidance on engagement with external stakeholders.
Since human rights assurance processes are likely to involve greater levels of interviews, observation and inspection than is the case for many other subjects, particular attention needs to be paid to how this will be documented. The internal auditor should ensure that they have appropriate means by which to retain this evidence in a manner that:
Human rights assurance may require a longer period between the end of the evidence-gathering phase and the completion of the internal audit conclusion than other such assurance processes. Prior to approval of the conclusion, the internal auditor should take steps to ensure that:
If the internal auditor identifies a severe impact during their review which potentially falls outside of their scope, they should discuss their findings with management.
Sections 2400 to 2600 of the IPPF set out a number of requirements regarding the content of an internal audit conclusion. Conclusions for internal management alone can be tailored to the specific needs of the company, and it is recommended that the conclusion include the following among its principal headings: