“X% of our products were sourced from certified suppliers.”
“We conduct regular audits at our production sites and at our subcontractors to ensure compliance with our supplier codes and standards.”
These statements are commonly found in annual sustainability reports. While such activities are commendable for better understanding human rights issues within a company’s supply chain, they do not absolve a company from its human rights due diligence obligations.
That was the conclusion of the first part of this article. There, we discussed that while social audits and certifications can serve as useful tools that support due diligence efforts, they are insufficient on their own to meet corporate sustainability due diligence requirements.
In this second part, we examine what current corporate sustainability due diligence laws say about the use of audits and certifications and suggest ways to maximize their effectiveness as part of your own human rights due diligence process.
What does the EU Corporate Sustainability Due Diligence Directive (CSDDD) say about audit and certification schemes?
Recital 52 of the CSDDD states that companies using independent third-party verification or contractual clauses to support the implementation of due diligence obligations may still be held liable for violations of the CSDDD and damages suffered by victims. Thus, the CSDDD explicitly states that evidence of third-party certifications cannot replace a company’s own duty to conduct due diligence.
The text of the CSDDD further clarifies in its recitals that companies can use independent third-party verification to support due diligence to the extent that such verification is appropriate and the relevant third parties have experience and competence in environmental or human rights matters.
To address the shortcomings of ineffective audits, the EU Commission is mandated to issue official guidance on the criteria and methodology for companies to assess the fitness of third-party verifiers, and monitoring the accuracy, effectiveness and integrity of third-party verification. How the EU Commission can ensure this in practice remains to be seen.
What does the German Supply Chain Act (LkSG) say about audit and certification schemes?
The German Supply Chain Act mentions audits and certifications in connection with appropriate preventive measures to be established for direct suppliers. It states that control mechanisms in supplier contracts may include internal and external audits as well as the use of recognized certification and audit systems. The prerequisite is that these audits and certifications must contribute to appropriate and effective due diligence.
How can companies use audits and certification schemes for effective human rights due diligence?
Under the EU CSDDD, as well as the German LkSG, merely participating in certification schemes or third-party verification is insufficient to meet due diligence obligations. However, they can support the implementation of specific due diligence steps.
In December 2024, the German regulator (BAFA) published official guidance to help companies select and use standards, audits, and certifications as tools for fulfilling due diligence obligations under the LkSG.
This latest guidance[1] expressly states that:
- There is no obligation to use standards, audits, or certifications to fulfill the due diligence requirements under the LkSG.
- Companies are not required to use any IT tools or software solutions, but if they do engage external service providers, companies will not become exempt from their due diligence responsibilities for doing so.
- While the use of such mechanisms can be cited in sustainability reports as part of a company’s risk management efforts, they will not replace the company’s own obligation to implement human rights due diligence.
- Companies using audits and certifications must document the rationale for choosing external service providers and regularly review their effectiveness, accuracy and appropriateness for due diligence purposes, for example through their own audits and research.
The German regulator further advises companies to take a structured and targeted approach when selecting standards, audits, and certifications including assessing criteria such as objectives and expectations, past experiences, industry-specific requirements, and resource availability.
The contribution an audit or certification can make to fulfilling a specific due diligence obligation should inform a company's decision to engage an auditor or certifier. The guidance lists examples of how audits and certifications can support different due diligence obligations, such as the duty to conduct risk analyses or to establish preventive and remedial measures.
It also provides a comprehensive list of questions companies can ask themselves for a targeted selection of audits or certification schemes.[2] These questions include:
- What goals are to be achieved with the use of this audit or certification, or which goals might not be achievable?
- What experiences already exist within the company? Does the company already use other standards, audits, or certifications for suppliers, or must similar requirements be met for customers (e.g., as part of quality management)?
- Has the company used standards, audits, or certifications in the past, or deliberately not used them? If so, why was their use stopped or why was a decision made against their use?
- Are there any industry-specific insights, e.g., from other companies or associations, about specific providers?
- Are the experiences and perspectives of stakeholders, particularly those affected on-site, taken into account?
- Are there appropriate standards, audits, certifications, or other industry-specific guidelines that cover all (or especially relevant) protected legal positions included in the law, the respective industry, specific risks, and/or the required scope?
The BAFA guidance further recommends that companies clearly define the requirements they set for auditing and certification schemes and generate internal operational experience and knowledge. It lists several resources that offer an overview of sustainability standards and certifications.
The German law will soon be amended to align with the EU CSDDD. The EU Commission will also issue official guidance on assessing the fitness of third-party auditors and certifiers and the effectiveness of audits and certification schemes used by companies in implementing the CSDDD.
Once that EU guidance is published, we will follow up with part 3 of this article series. Until then, I leave you with the following takeaways from this piece:
Current corporate sustainability laws do not require the use of social audits or certifications.
These laws highlight that, while audits and certifications can serve as complementary tools to help implement due diligence, they cannot replace a company’s obligation to conduct meaningful human rights and environmental due diligence.
Businesses that choose to utilize audits and certification schemes must assess where and when audits and certifications would be effective mechanisms and know that they remain liable for violations and damages, regardless of their use.
Serra for the CORE team
[1] BAFA Guidance Note: Standards, Audits und Zertifizierungen als Instrumente im Sorgfaltsprozess.
[2] BAFA Guidance Note: Standards, Audits und Zertifizierungen als Instrumente im Sorgfaltsprozess, p.8.