The American Institute of Certified Public Accountants has released some new advice on the independent private-sector audits that will be required for some companies as part of their “conflict minerals” disclosures to the Securities and Exchange Commission.
The audits, which accompany Conflict Minerals Reports (CMRs) are required of companies that describe their products as “DRC Conflict Free.” Two new “Q&As” released by AICPA discuss representation letters a practitioner obtains from management as they perform an independent audit of a CMR. These letters are intended to affirm that representations and assertions are accurate.
The first question: “In an engagement to perform an IPSA, what matters might appear in a representation letter from management?"
Among the representations that may be obtained from management is a confirmation that the company is responsible for the preparation, fair presentation, and overall accuracy of the Form SD disclosure to the SEC, including the Conflict Minerals Report.
Other assurances: that the company complies with the laws and regulations applicable to its activities, including the conflict minerals rule, and will inform the auditor of any known violations; the relevancy and accuracy of the information included in the Form SD and CMR, including the company’s determination of the source or chain of custody of its conflict minerals; designing, implementing, and maintaining effective internal control relevant to the preparation and fair presentation of the Form SD and CMR and that they are free from material misstatement, whether due to fraud or error; the selection of a recognized framework as the criteria for evaluating proper due diligence framework (the assumption is that management will be using the Organisation for Economic Co-operation and Development’s framework, currently the only nationally or internationally recognized one available).
Management should also document that it has provided access to all records, data, and other information related to the due diligence efforts, including related documentation of internal control. The representation letter should confirm and describe all known deficiencies and material weaknesses in the design or operation of the company’s internal controls regarding the reliability and the preparation of the CMR and the related disclosures in the Form SD.
The other question asks: “What is the practitioner's responsibility with respect to gaining an understanding of and testing internal controls in performing an IPSA?”
The practitioner is not required to determine whether the issuer designed or implemented a system of internal control or to test whether control activities operated effectively in order to reduce attestation risk to an acceptably low level, AICPA wrote. The practitioner is required, however, to consider attestation risk when planning an engagement. Attestation risk consists of the risk (consisting of inherent and control risk) that the subject matter or assertion contains deviations or misstatements that could be material and the risk that the practitioner will not detect these misstatements (detection risk).
Gaining an understanding of the process management used to design its due diligence program, and the extent to which management used tools and techniques intended to ensure that all aspects of the criteria set forth in the OECD framework were incorporated in the design, can reduce attestation risk.
Similarly, gaining an understanding of processes developed by the issuer to ensure that the description of due diligence in the Conflict Minerals Report accurately reflects the process can be helpful in assessing the risk that management misstated information. Audit procedures to test the issuer’s processes in each of these areas can be helpful in reducing detection risk.