CRF Home > 14 Red Flags > ​​Audits > Red Flag 6

6. Allows the Company or Supplier Being Audited to Pay Directly for and/or Choose the Auditor

  • What this means 
  • Why investors should care
  • What to look for
  • Checklist
<
>
The EU Corporate Sustainability Due Diligence Directive (CSDDD) states that third party verification should be “free from any conflicts of interests and from external influence.”[1] Similarly, one of the key elements of ISO 17065 “Conformity Assessment – Requirements for Bodies Certifying Products, Processes, and Services" is that the “certification body operates impartially and independently from any commercial, financial, or other pressures that could compromise its impartiality.”[2]
 
Conflicts of interests are a real risk within the auditing industry. In fact, many experts would argue that the incentive structure of audits, including the lack of legal liability for incorrect findings, is a fundamental problem with social auditing. For companies to gain insights into how people are being treated in their operations, audits are essential – they are the basis upon which companies make claims about their supply chain sustainability. It makes sense for companies or suppliers to pay for the audits, and most commonly it’s the supplier who wants to demonstrate compliance with a certification scheme that pays. Because of this incentive structure, auditors too frequently permit infractions to slide in the interest of pleasing their clients.[3] A parallel critique of certification schemes is that their dependency on fees from entities seeking certification creates a disincentive for certification schemes to punish member companies for breaching the standard.[4] These practices can undermine the credibility of certification schemes as well as audits more generally.
 
Studies have shown that when enterprises pay for their own audits their quality decreases.[5] Human Rights Watch conducted interviews with auditors who described the tensions they feel when hired directly by suppliers or companies. Specifically, Human Rights Watch found that companies prefer to hire “friendly” auditors, pressure auditors for lenient audits, and demand to hide damaging findings so that they can continue placing orders with a certain supplier.[6] Another study found outright instances of collusion between auditors and suppliers.[7] Moreover, highly competitive market conditions within the auditing industry can lead to auditors cutting corners to reduce costs, keep clients happy, and compete effectively within the industry.[8]
 
While conflicts of interests are difficult to root out, auditors can be insulated from profit interests when there is a firewall between the organization being audited and the one that pays for it. Without a firewall, the risk that auditors will overlook labor abuses in order to keep the business of a company or supplier increases.
 
As noted above, a way to reduce the risk of conflict of interests and produce more reliable audits is by creating dedicated auditing bodies, such as those advocated by the Worker-Driven Social Responsibility Network (WSR). The following WSR model involves farmworkers:​
[An] independent, third-party monitor, created specifically for the WSR program, investigates complaints from farmworkers and conducts field audits on farms. This creates a virtuous constant feedback loop, in which complaint resolutions provide for ongoing monitoring and enforcement complemented by the broader investigations and more expansive changes enabled through audits and corrective action plans.[9]
This approach better positions WSR programs to enforce audit findings and leads to concrete improvements in workers’ lives.
 
Conversely, conflicts of interests can also occur when there is an auditor monopoly in a region. The absence of competition can reduce audit performance and result in insufficient oversight. For instance, managers at sugar processors in Maharashtra told researchers commissioned by Bonsucro to study the implementation of the Bonsucro Smallholder Production Standard in India that they questioned the quality checks carried out by the sole auditor servicing the region, Control Union. This led researchers to conclude that "the dependency on Control Union and lack of competition creates little incentive for the auditor to improve, or for more competitive pricing."[10]
[1] European Parliament, Legislative Resolution of 24 April 2024 on the Proposal for a Directive of the
European Parliament and of the Council on Corporate Sustainability Due Diligence and Amending
Directive (EU) 2019/1937, accessed June 5, 2024, https://www.europarl.europa.eu/doceo/document/TA-9-2024-0329_EN.html.
[2] International Organization for Standardization, ISO/IEC 17065:2012 Conformity assessment — Requirements for bodies certifying products, processes and services (last reviewed in 2018), https://www.iso.org/standard/46568.html.
[3] Aruna Kashyap, ‘Obsessed with Audit Tools, Missing the Goal:’ Why Social Audits Can’t Fix Labor Rights Abuses in Global Supply Chains (Human Rights Watch, November 15, 2022), 14, https://www.hrw.org/report/2022/11/15/obsessed-audit-tools-missing-goal/why-social-audits-cant-fix-labor-rights-abuses.
[4] MSI Integrity, Not Fit-for-Purpose: The Grand Experiment of Multi-Stakeholder Initiatives in Corporate Accountability, Human Rights and Global Governance (July 2020), 146, https://www.msi-integrity.org/wp-content/uploads/2020/07/MSI_Not_Fit_For_Purpose_FORWEBSITE.FINAL_.pdf.
[5] John Jiang, Mary Harris Stanford, and Yuan Xie, “Does It Matter Who Pays for Bond Ratings? Historical Evidence,” Journal of Financial Economics 105, no. 3 (September 2012): 607–21, https://doi.org/10.1016/j.jfineco.2012.04.001.; Esther Duflo, et al., “Truth-Telling by Third-Party Auditors and the Response of Polluting Firms: Experimental Evidence from India*,” The Quarterly Journal of Economics 128, no. 4 (November 2013): 1499–1545, https://doi.org/10.1093/qje/qjt024.; Jodi L. Short, Michael W. Toffel, and Andrea R. Hugill, “Monitoring Global Supply Chains,” Strategic Management Journal 37, no. 9 (September 2016): 1878–97, https://doi.org/10.1002/smj.2417.
[6] Aruna Kashyap, ‘Obsessed with Audit Tools, Missing the Goal,' 14-16.
[7] Genevieve LeBaron et al., Forced Labour Evidence Brief: Social Auditing and Ethical Certification (Re:Structure Lab, July 2022), 10, https://static1.squarespace.com/static/6055c0601c885456ba8c962a/t/62d746146f5dc5205a17621c/1658275349325/ReStructureLab_SocialAuditingandEthicalCertification_July2022.pdf.
[8] Ilona M. Kelly et al., Fig Leaf for Fashion. How social auditing protects brands and fails workers (Clean Clothes Campaign, 2019), 38, https://cleanclothes.org/file-repository/figleaf-for-fashion.pdf/view.; Transparentem, Hidden Harm: Audit Deception in Apparel Supply Chains and the Urgent Case for Reform (October 2021), 24, https://transparentem.org/project/hidden-harm/.
[9]  Antonella Angelini and Shauna Curphey, “The Overlooked Advantages of the Independent Monitoring and Complaint Investigation System in the Worker-driven Social Responsibility Model in US Agriculture,” Business and Human Rights Journal 7, no. 3 (October 12, 2022): 497, https://doi.org/10.1017/bhj.2022.25.
[10] Ana Perez Adroher et al., The Impact of Bonsucro on Human Rights in the Sugarcane Sector: A Focus on India (Columbia University School of International and Public Affairs, 2019), 69-70,  https://www.sipa.columbia.edu/sites/default/files/migrated/downloads/Bonsucro%2520Report_FINAL%2520DEC%252017%25202019.pdf.
In 2012, a fire broke out at the Ali Enterprises Factory in Pakistan killing over 250 workers and injuring hundreds more.[1] Three weeks prior to this horrific tragedy, RINA, an Italian social auditing firm, had certified the factory to be compliant with the SA8000 standard set by Social Accountability International (SAI). For factories to be SA8000 certified, they directly contract with an SA8000 certified auditor that performs the necessary audits to achieve accreditation.[2] RINA had ignored multiple safety requirements set both by international standards and the Pakistani government, such as the need for a working fire alarm system and an adequate number of functional emergency exits.[3] The catastrophe resulted in lawsuits against the German retailer KiK Textilien and the auditing body RINA.[4] Specifically, the plaintiffs in Ali Enterprises Factory Fire Affectees Assoc. v. RINA Services S.p.A. claimed that RINA had breached the OECD Guidelines by not refusing “to perform factory audits that are paid for by the factory owner,” and instead establish “a payment system for social audits that avoids conflicts of interest.”[5] In the report “Human Rights Fitness of the Auditing and Certification Industry,” ECCHR and its partners further explain how these conflicts of interests are exacerbated by poor quality control processes: “Although the SA8000 scheme provides elaborate methodological guidance, its accreditation body SAAS [Social Accountability Accreditation Services] does not appear to have ensured that its substantive and methodological standards were actually applied in this case.”[6]

Separately, The New York Times chronicled the case of auditing firm UL Solutions, which disciplined one of its auditors after he failed three Walgreens suppliers for abusive working conditions in 2017 and 2018. (The report cites the auditor’s “communication style” as the reason given for the discipline.) In 2023, when the same auditor flagged labor issues at a warehouse supplying Costco, UL Solutions barred him from returning, citing the warehouse’s complaints that he was demanding and argumentative. The New York Times reports that the auditor “believed that the supplier objected to his finding 21 violations when the previous audit had found none.”[7] This example again demonstrates that certification schemes that allow buyers or suppliers to pay for auditing can create conflicts of interest and deter auditors from carrying out thorough inspections and accurate reporting, thereby compromising audit quality.
 
The catastrophic collapse of the Brumadinho tailings dam at the Córrego do Feijão mine in 2019, which unleashed a torrent of hazardous mud into surrounding communities, also suggests a possible company-auditor conflict of interest at play, according to a report by ECCHR and its partners. Dam owner Vale directly hired TÜV SÜD to certify the safety of the dam in accordance with Brazilian law.[8] ECCHR alleges “employees inferred TÜV SÜD would lose their business with Vale if they denied the safety of one of the many sedimentation ponds belonging to Vale.”[9] In a separate report, the NGO also asserts that TÜV SÜD , “had a conflict of interest due to a parallel engagement. At the time, it was also negotiating a consulting contract involving the same dam—a contract significantly more valuable than the auditing assignment, and one that required a positive stability declaration.”[10] TÜV SÜD denies the claims that it was under any pressure from Vale and asserts that their audits were conducted “cautiously and were guided solely by technical considerations.”[11] Nonetheless, the Brumadinho Dam catastrophe came with a huge financial cost to the operators: a court-ordered $290 million fine.[12]
 
→ Demonstrates: Reputational risk, operational risk, legal risk, direct financial risk
[1] Zia ur-Rehman, Declan Walsh, and Salman Masood, “More Than 300 Killed in Pakistani Factory Fires,” The New York Times, September 12, 2012, https://www.nytimes.com/2012/09/13/world/asia/hundreds-die-in-factory-fires-in-pakistan.html.
[2] “SA8000 Certification: Getting Started,” Social Accountability International, accessed March 7, 2024, https://sa-intl.org/resources/sa8000-getting-started/.; “SA8000: The ‘Gold Standard’ for Failing Workers?,” Worker-Driven Social Responsibility Network, July 17, 2018, https://wsr-network.org/resource/sa8000-the-gold-standard-for-failing-workers/.
[3] “Justice for the Ali Enterprises victims,” Clean Clothes Campaign, accessed March 7, 2024,  https://cleanclothes.org/campaigns/past/ali-enterprises.; “Case Study: Ali Enterprises (Pakistan),” Worker-Driven Social Responsibility Network, accessed March 7, 2024, https://wsr-network.org/what-is-wsr/csr-and-msis/msi-case-study-ali-enterprises-pakistan/.
[4] “KiK: Paying the price for clothing produced in South Asia: Pakistan factory fire victims sued German retailer KiK,” European Center for Constitutional and Human Rights, accessed March 7, 2024, https://www.ecchr.eu/en/case/kik-paying-the-price-for-clothing-production-in-south-asia/.; OECD Watch, Ali Enterprises Factory Fire Affectees Assoc. v. RINA S.p.A (September 11, 2018), https://www.oecdwatch.org/complaint/ali-enterprises-factory-fire-affectees-assoc-v-rina-s-p-a/#printing-Ali%20Enterprises%20Factory%20Fire%20Affectees%20Assoc.%20v.%20RINA%20S.p.A.
[5] OECD Watch, Ali Enterprises Factory Fire Affectees Assoc. v. RINA S.p.A, 23.
[6] Claudia Müller-Hoff, Human rights fitness of the auditing and certification industry? A cross-sectoral analysis of current challenges and possible responses (ECCHR, Brot für die Welt, and MISEREOR, 2021), 46,  https://www.ecchr.eu/en/publication/human-rights-fitness-audits/.
[7] Hannah Dreier, “They’re Paid Billions to Root Out Child Labor in the U.S. Why Do They Fail?” The New York Times, December 28, 2023, https://www.nytimes.com/2023/12/28/us/migrant-child-labor-audits.html.
[8] Dr. Thomas Oberst (of TÜV SÜD), email to author, April 23, 2024.
[9] Müller-Hoff, Human rights fitness of the auditing and certification industry?, 14.; “Three Years on from Brumadinho Dam Disaster TÜV SÜD Face €400 Million Lawsuit,” Pogust Goodhead, February 1, 2022, https://pogustgoodhead.com/three-years-on-from-brumadinho-dam-disaster-tuv-sud-face-e400-million-lawsuit/.
[10] Müller-Hoff, Human rights fitness of the auditing and certification industry?,14.
[11] TÜV SÜD asserts that it "did not have a conflict of interest when auditing Dam B I," noting that the audits by TSB were mandated by Brazilian law. The organization emphasizes that "ensuring independent audits is one of TÜV SÜD's core values," as stated in its Code of Ethics, which underscores the principles of independence, integrity, and legality. TÜV SÜD also disputes the allegations regarding pressure from Vale, affirming that "the engineers of the Brazilian TÜV SÜD company TSB did not yield to any pressure" and that their audits were conducted with caution, based solely on technical considerations. Dr. Thomas Oberst (of TÜV SÜD), email to author, April 23, 2024.
[12] Witold J. Henisz and James McGlinch, “ESG, Material Credit Events, and Credit Risk,” Journal of Applied Corporate Finance 31, no. 2 (2019): 105–17, https://doi.org/10.1111/jacf.12352.
In their engagements, investors can ask what the scheme does to fight against rampant conflicts of interest and corruption in auditing. Good examples of certifications with quality controls:
➔    GoodWeave’s Certification System Overview requires an oversight mechanism for auditors. The policy reads:
The GoodWeave Quality Assurance Unit conducts annual audits of its certification systems to ensure compliance with policies and procedures throughout all country offices. Additionally, GoodWeave is the recipient of external audits by two parties:
  • ISEAL – to maintain our ISEAL Code Compliant Status according to their independent evaluation procedure.
  • Oversight Body – a qualified third-party to ensure GoodWeave follows its own policies and procedures that have been based on core elements of international standards for assurance providers, namely ISO 17065, highlighted above and ISO 19011, Guidance for Auditing Management Systems.[1] 

➔    Electronics Watch, an industry-independent monitoring organization, trains local organizations and independent researchers as their compliance “monitoring partners” to “protect the rights of workers in global supply chains.”[2]

➔    The Marine Stewardship Council’s General Certification Requirements includes an Impartiality Committee, which “conduct[s] a thorough and detailed review of the impartiality of the assessment, audit, certification, and decision-making processes.”[3]
[1] GoodWeave, GoodWeave Certification System Overview (April 2023), https://goodweave.org/wp-content/uploads/2023/05/Appendix-B-Certification-System-Overview-APRIL-2023.pdf.
[2] “Who We Are,” Electronics Watch, accessed March 14, 2024, https://electronicswatch.org/en/who-we-are_783.
[3] Marine Stewardship Council, MSC General Certification Requirements (May 2019), https://www.msc.org/docs/default-source/default-document-library/for-business/program-documents/general-certification-requirements/msc-general-certification-requirements-v2-4.pdf?sfvrsn=d1b5f2f_20.
Does the scheme have a credible firewall to insulate auditing from conflicts of interests?
❐  Yes 
❐  No
❐  Partially

A firewall can be created through, for example:
•  A dedicated independent body that conducts audits and investigates complaints for the scheme
​•  An oversight mechanism that ensures the scheme follows its own policies and procedures

​Notes:
This project is a collaboration among the following organizations:
 This site is maintained by Rights CoLab
Copyright © 2024