The word “audit” has been much in the news the past few months, starting with the Enron/Andersen revelations. We have all learned, or relearned, the potential slipperiness of corporate financial audits. So this seems like a good time to take a look at corporate environmental audits.
Let me start with the most obvious point: The two kinds of auditing have a lot more in common than the word. The “stuff” the auditors are auditing – earnings, emissions – is concrete and measurable in principle. But the measurement standards and processes are highly discretionary, owing as much to art as to science, and affording a wide choice of conclusions without necessarily diverging from “accepted” practice. Of course there is also the possibility that auditors will diverge from accepted practice and hope not to get caught. Fraudulent audits can happen, environmental as well as financial. So can not-quite-fraudulent but wildly unconventional audits – which at least in principle can depart from the norm in either direction: excessively permissive or excessively conservative. But the more common problem by far, and ultimately the more important problem as well, is the wide range of results and intepretations achievable without cheating, and without forgoing professional acceptability.
Whenever a fact-finding exercise is as malleable as financial and environmental auditing are, systematic bias will inevitably play some role. This is pretty much a universal truth, I think: If they can, people with a stake in the outcome will tend to find what they want to find. Some will do it intentionally, some unconsciously (the ouija board effect). Only a fool would put unquestioning trust in self-assessments that are highly subjective and highly impactful.
Which is why corporate financial audits are never self-assessments. Here we come to an important difference between the two kinds of auditing. Financial auditing has a much longer history than environmental auditing, and so it is a few centuries ahead in figuring out what credibility requires. In the environmental arena, doing your own audit is still widely considered acceptable. Hiring a consulting firm to do it for you is a fairly recent, fairly impressive improvement.
So what do we make of the recent revelations that financial consulting firms can’t necessarily be trusted to do financial audits? There are actually two issues here:
- Auditors whose conclusions are pleasing to the client are probably likelier to be rehired than auditors whose conclusions cause trouble. This in itself suggests that auditors will consciously or unconsciously tend to bend the rules – at least the bendable ones – in the client’s favor. Auditors’ audits are probably less biased than self-audits, but biased nonetheless.
- Auditors whose auditing business is part of a much larger consulting business are the most vulnerable to bias. The client cares deeply about the audit results, but doesn’t care nearly as much which company it hires for the big consulting contract; the consultant cares far more about the consulting contract, viewing the audit almost as a loss leader. This is virtually a recipe for an overly friendly audit.
Like financial audits, environmental audits have both problems – but the second is the biggie. There are accounting firms that do financial audits and don’t do other sorts of consulting that might constitute a conflict of interest. (Obviously there are more of them than there were a few months ago, and their comparative independence is suddenly a competitive advantage instead of a competitive disadvantage.) External environmental audits, on the other hand, are overwhelmingly in the hands of environmental consulting firms. There are exceptions. When top management wants an external auditor to certify its Corporate Environmental Report, for example, it may well choose an auditor with a modicum of independence. But most of my clients who have brought in outsiders to assess their environmental performance – company-wide, facility-wide, or narrower still – have chosen companies they were already using for major environmental consulting, management, and mitigation projects. The conflict of interest should be obvious.
I am not claiming that environmental consulting firms routinely and intentionally do sweetheart audits for companies that are also their clients or prospective clients on big-money projects. There are several countervailing factors, not least of which is the integrity of most environmental consultants, their firms, and their clients. Where the rules are unambiguous, usually the rules are followed, no matter what the client would prefer. Some clients (the wise ones, I think) make it clear to the auditor that they want a conservative audit – that they want to know about a possible problem even if there is a viable interpretation that could make the problem go away. Some consultants have found that in the long run it is good business to do conservative audits; apart from the credibility benefits, and the value to the client of ample forewarning, the consultant who finds the problem might well be the one hired to fix it.
Nonetheless, the conflict of interest remains ... whether it’s acted out or not. Let’s assume that your outside environmental auditor bends over backwards to protect public health and the environment, making all the judgment calls in a conservative direction. Let’s assume that you like it that way, and your auditor knows you like it that way, so the auditor has no incentive to cut you any slack. How are you going to prove that this is the case when an activist (or just a concerned neighbor or employee) points out – correctly – that your auditor has the same conflict of interest as all those financial auditors we’ve been finding out about in the news? In the wake of the public’s discovery that financial audits aren’t to be trusted, now is a good time to rethink your environmental audits.
What solutions are available? Let’s look at six.
1. Clear rules.
One possibility is to make the rules clearer, harder to bend. In the next few years we’re going to see a lot of effort in this direction with respect to financial audit standards. I’m not optimistic. The rules are flexible because the reality the audit is trying to reflect is complex and incompletely understood. Some rulebook refinements will genuinely prevent abuses. Some (often the same ones) will open up new loopholes for new abuses. Most efforts to make it harder for auditors to cheat will also make it harder for auditors who aren’t cheating to respond flexibly to the complexities of the situation.
Over time, real advances in auditing technology (financial or environmental) can take some of the guesswork out of the process, and can thus reduce the “wiggle room” in which conscious distortion, unconscious bias, and random error play out.
But in the short term, it is never a good idea to demand more precise answers than a technology is capable of producing. The insistence that auditors reach definitive conclusions – conclusions that don’t depend on which auditor you ask – is likely to yield more rigid answers but not necessarily more accurate ones. The general trend in risk assessment has been in the other direction: toward specifying assumptions, acknowledging uncertainties, putting error bars around risk estimates, calculating multiple estimates of the same parameters using different methodologies. Clarity about the extent of subjectivity, I think, is a better course than uniformity masquerading as objectivity.
2. Strict punishment.
Inevitably given the stock market meltdown, Congress and the public are enormously attracted to the option of stricter punishment. That’s how outrage works. The fact that Congress is guilty of the same sorts of financial shenanigans only increases its outrage. Ditto for the public’s complicity in the bubble. (Come on, now. We all knew it was largely hype and couldn’t last forever. We just hoped we’d manage to sell before people’s good sense reasserted itself.) Call it hypocrisy or call it projection: We are most outraged by others’ misbehavior when it reminds us of our own.
Our mixed motives notwithstanding, there’s nothing wrong with throwing the book at people who have unambiguously disobeyed what the book says they must do. It looks like some WorldCom managers, for example, broke some pretty clear rules. They’re accused of treating ordinary expenses as capital investments, thus grossly overstating profits. By contrast, the financial machinations conducted by Enron and approved by Andersen were certainly questionable but not so clearly illegal.
Of course outraged people – especially hypocritically outraged people – are likely to want to punish behavior that is questionable (and that did them harm) whether it’s illegal or not. If we punish it by deciding not to buy that stock any more, or not to admire that CEO any more, that’s fine. Sending people to jail for such behavior is more problematic.
There are two important points here for environmental audits. First, you will be punished (maybe not with jail, but at least with reputational damage) if your environmental audits turn out to be questionable but not clearly illegal. And second, stricter punishment does nothing to cure the subjectivity of environmental auditing, and its resulting vulnerability to conflict of interest and to charges of conflict of interest. Stricter punishment may motivate you to find a solution ... but it isn’t a solution itself.
3. Personal accountability.
A much more promising response to the financial auditing crisis of 2002 is the new requirement that corporate CEOs and CFOs personally attest to the integrity of the audit. This sort of affidavit raises all sorts of legal problems. What do we do say to a CEO who claims, reasonably enough, that s/he’s not a skilled accountant and not sure what the finance department and the auditor are talking about, much less able to certify that they’re telling the truth, the whole truth, and nothing but the truth?
But legal quagmires aside, we know beyond a shadow of a doubt that personal honesty tends to be more punctilious than organizational honesty. Making people personally responsible for organizational claims helps clean up the claims.
One of my clients recently began asking middle managers – not just CEOs and VPs, but middle managers – to personally certify their reports on environmental, health, and safety data. Employees are filling out the same forms they were filling out before, but now they are asked to sign an attestation that says, essentially, that they don’t know of any conditions at the plant that might cast doubt on the data reported on the form.
According to the company’s EH&S vice president, the legal meaning of the employee’s signature isn’t clear. “It probably means a lot less than they think it means,” he says. Asked to sign off personally on the forms, employees are scrutinizing them much more skeptically. As one plant manager put it to me, “I’m getting a lot of long ‘footnotes’ about reasons why a some of the information might not be right after all.” In other words, managers who must personally sign off on the data are reporting “yellow flags” they previously had not mentioned – had not thought to mention, perhaps, or had thought it better not to mention.
It remains to be seen whether my client will make these yellow flags public in a systematic way (as I have recommended). But clearly the accountability of the signature requirement goes in both directions. Employees have signed off on the data – and senior managers have been told what their employees’ reservations are. They can’t “unknow” this knowledge, so they are likely to investigate the yellow flags pretty carefully.
What is key here is that employees aren’t just being required to sign a certification that the forms are perfect. They’re being encouraged to qualify the certification by explaining where they think there might be imperfections. This yokes personal accountability to personal expertise in a way that acknowledges uncertainty and subjectivity instead of forcing them underground. Instead of asking CEOs and CFOs to sign an unqualified endorsement of the company finanancial statement, in other words, we should ask them to sign a list of the statement’s possible soft spots. And we should ask the various members of the finance department and the outside auditors to sign similar statements.
Personal accountability can improve the integrity, reliability, and credibility of environmental audits. When your company collects its own environmental data, ask employees to sign off on the report, and to specify what reservations they might have. When an outside auditor is hired – which is better, obviously – ask both the auditors and your own employees to sign such a statement. Conscious cheaters may hesitate to cheat when their signatures are required. But that’s probably the least important benefit. A far greater gain is the signature’s strength as a bulwark against less obvious rule-bending and unconscious bias. And the greatest gain is the list of yellow flags – doubts, reservations, concerns – that tend to surface when a personal endorsement is called for.
4. Don’t choose your own auditor.
A large portion of the auditor’s conflict of interest results from the auditor’s natural desire for more work. Even if the firm just wants to keep the auditing contract, the conflict is real. As we have discussed, the conflict is greater if the audit firm is looking for big environmental consulting, management, and mitigation contracts.
The first conflict – wanting more auditing work – disappears if the company doesn’t choose its own auditor. The choice could be random, from a list of approved firms. Or if you want to get fancy, let the company strike from the list a few firms it has a bad history with, let activists or regulators strike from the list a few firms it has a sweetheart history with, and choose randomly among those that are left.
The second conflict – wanting non-auditing contracts – requires an additional rule that, for a few years, the firm that does the audit is ineligible for other sorts of contracts with the company. That would eliminate from contention firms that already work for the company in other capacities and firms that want to do so. Presumably there would be plenty of firms left on the list. If not, their absence would open up a new market opportunity for specialized environmental auditing firms that don’t do other sorts of consulting.
Of course there’s no need to make the choice random; it just has to be taken out of the company’s hands. Leave it to regulators. Or for still greater credibility, create a role for the company’s activist critics. Here’s a proposal, one among many that might work: State government, advised by a professional association, provides a long list of approved “environmental audit vendors”; from that list, activists choose five they would find acceptable; the company can eliminate up to two it doesn’t like; the choice among the three remaining is random; the firm that is chosen can’t do other work for the company for three years.
A company doesn’t have to wait for a procedure like this to become law. At the moment, companies have the right to choose who will assess their environmental performance. They can do it themselves, or they can bring in the external auditor of their choice. That means they have the right to devise whatever process they like for making the choice. Think about a process that minimizes the auditor’s conflict of interest, and thus maximizes the credibility of the audit.
5. Don’t over-supervise the auditor.
However an auditor is chosen, the depth and frequency with which that auditor interacts with company officials (especially top company officials) is probably a good measure of the audit’s vulnerability to bias. The more closely you supervise your auditor, in other words, the less reason the rest of us have to trust the audit’s independence.
Of course it’s possible to carry a hands-off policy too far. Auditors (financial or environmental) need access; they need to ask questions; they need to understand what you did and why you did it. Distinguishing undue influence from useful background information is extraordinarily difficult. We can’t do it on the outside because we don’t know enough about the situation. You can’t do it on the inside because you know too much, and care too much. Our judgment is ignorant; yours is distorted.
For now, at least, the pendulum is way over to one side. Insufficiently briefed auditors are a logical possibility, but excessively compromised auditors are a frequent reality. A recurring theme in the recent financial scandals is a record of too much back-and-forthing between companies and their auditors. Too often auditors have been talked out of their objections. That might be acceptable if the dialogue were on the record, if the audit report included lists of concerns the auditors had surfaced that management had persuaded them to abandon ... so the rest of us could know where the yellow flags were and could make an independent judgment of the auditors’ independent judgment. But of course this company-auditor negotiation is normally confidential, at least until there’s a scandal. So if you’re not going to publish your dialogue with the auditors, then limit it.
Another possibility here is to encourage your environmental auditors to balance their potentially bias-prone discussions with you by consulting with your critics as well. A spectacular example of this occurred during the Brent Spar controversy of 1995–96. Shell had proposed to sink its no-longer-useful Brent Spar oil platform (owned jointly with Exxon) into the North Sea. Greenpeace objected, claiming that hydrocarbons still polluting the platform would be disastrous for marine wildlife. After the battle had escalated badly, Shell asked DNV, a prestigious Norwegian research organization, to do a definitive assessment of the toxicity of the Brent Spar’s contents. What was unusual was Shell’s insistence that DNV consult with all relevant stakeholders, including Greenpeace, on everything from study methodology to data interpretation. Except for paying the bills, it told DNV to treat Shell no differently from the other stakeholders involved.
In a normal disagreement between a company’s technical consultant and an activist group, the public is quite likely to believe the activist group. Shell’s unusual contract with DNV earned rare public credibility for DNV’s environmental assessment. In the face of an audit of the Brent Spar’s toxicity that it couldn’t easily discount as biased, Greenpeace nearly abandoned its claim that sinking the Brent Spar would be an eco-catastrophe. Shell and Exxon still didn’t get to sink the platform. But the dynamic of the controversy was significantly changed by Shell’s willingness to commission an audit that was as open to activist influence as to corporate influence.
6. Choose a “hostile auditor.”
If you’re going to keep choosing your own auditor, think about choosing one that strikes the rest of us as unlikely to want to do you any favors. That is, commission a “hostile audit.”
Here’s a list of environmental auditors, from least credible to most credible:
- An environmental consulting firm that gets a lot of business from you.
- An environmental consulting firm that doesn’t get business from you yet.
- An environmental auditing firm that doesn’t do consulting.
- An academic or other professional who doesn’t need the environmental auditing business either.
- An academic or other professional who is allied more with activists than with industry.
Until the last entry, progress down this list is mostly a matter of reducing the auditor’s economic conflict of interest. The last entry has more to do with the auditor’s underlying values and allegiances. There is a conflict-of-interest issue here, too, but it is more ideological, emotional, and even social than economic.
Imagine dividing experts into four quadrants:
- the ones who are so much on your side, and so unethical, that they will violate professional standards to help you;
- the ones who put professional standards first, but will tend to make the close judgment calls in your favor;
- the ones who put professional standards first, but will tend to make the close judgment calls against you; and
- the ones who are so against you, and so unethical, that they will violate professional standards to condemn you.
(Built into this schema is the assumption that truly neutral experts are rare.)
Notice that which of these four categories someone puts a particular expert into depends in part on which category that someone inhabits. Dedicated activists tend to have trouble telling the difference between the first two categories; they are likely to see industry-leaning experts as dishonorable sellouts. Industry has the same problem with the last two categories, tending to see activist-leaning experts as dishonorable ideologues. For similar reasons, each side is inclined to see as strictly neutral the experts who lean in that side’s favor
My clients usually choose their environmental auditors (and their environmental consultants too) from the second category. Much is to be gained – not just in credibility, but also in knowledge about yellow flags – by choosing from the third category instead. Or if that makes chills run down your spine, how about choosing one of each, and requiring them to work together on their audit?
A few years ago, it was briefly popular for American activists to demand that companies agree to “third-party” environmental audits – that is, that they open up their manufacturing facilities to activist-leaning experts. Most companies were aghast – outraged at what they apparently saw as a flagrant infringement on their right to self-regulation. Even companies that ran model operations and had little to fear from an activist-leaning expert tended to reflexively reject the demand. In some cases, no doubt, rejection was the response activists were seeking. (As an organizing tool, nothing beats making a demand that sounds reasonable to everybody except the company that turns it down.) In other cases, the activists genuinely suspected a corporate whitewash and wanted to get their own expert inside the gates to uncover it.
Some companies swallowed hard and actually agreed to third-party audits. In the cases I know about, the activist-leaning expert wasn’t able to find any smoking guns ... just yellow flags. The companies involved found the process terrifying but ultimately helpful. Typically, the company’s willingness to let the activists’ expert in was reassuring to the public and credibilty-building for the company; the sorts of problems the activists’ expert found were themselves more reassuring than otherwise; the company was willing and able to address many of the activists’ expert’s concerns. Perhaps this has something to do with the decline in activist demands for third-party environmental audits.
And perhaps it is time for companies to initiate such audits on their own. If so, here are a few tips coming out of the third-party audit experience.
- Don’t try to choose your own “hostile auditors” – that’s a self-contradiction. But do insist on appropriate professional credentials.
- The entire process should be supervised jointly by your company and an appropriate critic – typically an activist group. Don’t choose too moderate a group, or more extreme groups will find it easy to discredit the audit. You’ll know you’ve chosen wisely if you have trouble persuading the activist group to work with you. After all, they are taking some real risks – especially the risk of finding little or nothing and the risk of looking overly cooperative with you.
- Work hard on jointly developing an audit protocol. That is, you, the activist group, and the auditors should agree in advance on what the auditors will be looking for, and how they’ll know if they found it.
- Consider negotiating the interpretion of audit results before the audit is conducted. “If we find X, the company concedes in advance that this particular problem is serious and promises to take specified remedial steps. If we find Y, the activist group concedes in advance that this particular problem is minor and promises to drop demands to fix it.” Of course there may well be a middle ground between X and Y, where you agree in advance to keep disagreeing.
- Audit results should be public – whether they confirm activists’ concerns or management’s reassurances. Both management and the activist group should have a chance to comment on a draft of the audit report, and should be entitled to write a response to the final report that is included as an appendix.
- Issues such as logistics, the risk of disruption, auditor safety, insurance, and the like shouldn’t be allowed to prevent a hostile audit. They are thorny and will take work, but others have resolved them and so can you.
Copyright © 2002 by Peter M. Sandman