Chances are that your company hasn’t yet put too much thought into the Independent Private Sector Audit requirement included in the Securities and Exchange Commission’s conflict minerals rule.

While a wide range of companies had to develop programs to detect the presence of tin, tungsten, tantalum, and gold in their products—ultimately to determine whether those minerals were sourced in the war-torn Democratic Republic of the Congo—as the June 1 deadline approaches for the second year of required filings, few have conducted those audits.

The reason is simple: The audits are only necessary if you declare your products “conflict-free,” and an ongoing constitutional challenge to the SEC’s rule has allowed companies to hedge their bets on disclosures when filing the required Form SD or accompanying Conflict Minerals Report.

Among more than 1,300 companies that submitted conflict mineral filings last year, only four conducted an audit: Intel, Phillips, Signet Jewelers, and Kemet. As more companies see the competitive advantage to declaring themselves free of conflict minerals, however, more will need to audit those conflict minerals reports (CMRs). Those audits will focus on two high-level items: the design of their conflict minerals program, and the execution of it.

“Auditors are going to look at the conflict minerals programs a company designed, with a review of whether it comports with an internationally recognized framework for due diligence,” says Michael Rohwer, program director of Conflict-Free Sourcing Initiative, a consortium of more than 200 companies and associations. The framework part is pretty straightforward: Only the Organization for Economic Co-operation and Development has published a framework that qualifies as internationally recognized.

The second element of the audit will look at what the company actually did, versus the claims it made. “Be very clear when developing your CMR in terms of what you actually did and make sure you have documentation to support it,” Rohwer says. “One of the hardest things about this audit is having the supporting materials to prove what you say. If you say you surveyed 100,000 of your suppliers, you had better have evidence that you did.”

Rohwer stresses that the audit, as described in the SEC rulemaking, “doesn’t have a qualitative element for assessing whether you did a good job or not … It is really only auditing whether your program comports to the framework,” he says.

“It is really only auditing whether your program comports to the framework.”
Michael Rohwer, Program Director, Conflict-Free Sourcing Initiative

Knowing that an audit may be in your future should prod companies to start early on each year’s conflict minerals reports and filings. “To conduct the due diligence necessary to withstand an audit requires proper design and documentation to support claims that your approach meets the OECD framework,” says Lina Ramos, chief business officer for Source Intelligence, a consultancy with a large conflict minerals practice. “You need to anticipate the time needed to conduct the audit and start with the end in mind.”

Different companies will have different goals, Ramos says. Some want to be able to claim they are conflict-free; others just want to comply with the law in the most minimalist way possible. “We are seeing, however, an evolution from those just trying to comply with the law, to companies that see ethical and legal sourcing as a competitive advantage; not just global brands, but their suppliers as well,” she says. Fueling pressure on suppliers is that top tech companies, including Apple and Intel, are threatening to sever relationships for non-compliance.

Details, Details

Companies must also decide whether to obtain a performance audit or an attestation, both of which satisfy SEC requirements and should yield similar results. Attestations, performed by certified public accountants, use standardized formats and language. A performance audit allows an independent auditor to structure objectives, scope, and methodology as he or she sees fit and is often presented in narrative form.

“Companies should prepare by conducting mock audits, using either internal resources or outside firms depending on the scope of your program, and benchmarking their programs against other companies in their industry,” advises Jonathan Hughes, director of Assent Compliance, a consultant with a conflict minerals practice. For companies beginning to contemplate an audit, he suggests a checklist for launching the process:

CONFLICT MINERALS REPORT AUDIT

The following, from a Conflict-Free Sourcing Initiative white paper, “Five Practical Steps to Support SEC Conflict Minerals Disclosure,” looks at Independent Private Sector Audits.
The SEC Final Rule requires that SEC reporting companies obtain IPSAs, in the circumstances discussed above, and that audits conducted in conformance with the Final Rule satisfy the Organisation for Economic Co-operation and Development’s recommendation.
As of the date of this paper’s publication the SEC Final Rule remains under litigation. That litigation has drawn open the question as to whether it is constitutional to require companies to classify their products as “Not Found to be DRC Conflict Free.” Different interpretations exist as to what labels, if any, a company is required to apply to its products. If a company holds the legal opinion that it is not required to label its products in the explicit terms in the Final Rule, the audit requirement is also subject to interpretation. Therefore, not all of the practices identified below may apply to your company.
Companies may consider the practices set out below in selecting auditors and managing audits of their due diligence practices and reporting:

Determine whether or not an audit is required by legislation or otherwise desired by the company.

Identify the scope and form of the audit. Companies should affirmatively assert the scope and form of audit in line with their objectives.

Select and engage audit firms while taking into account independence requirements.

Assign a “responsible person” to oversee the audit engagement, agree on criteria to be used and provide any written representations that may be necessary.

Rely on industry-wide processes for auditing SORs and upstream due diligence activities, where possible, and limit the company’s audit scope to the scope contemplated by the SEC rule and any additional guidance on scope from the SEC regarding downstream due diligence processes.
Source: The Conflict-Free Sourcing Initiative.

Describe your company’s management systems for conflict minerals. What evidence would you be able to show to someone outside the company that these systems exist and were used last year?

Describe how you identify and assess conflict minerals risk in your supply chain. Can you show examples of identifications and assessments?

Describe your strategy for responding to identified risks. Show examples of these responses using communications to suppliers.

Describe how you work with either third parties, industry groups, or directly with smelters to procure and review smelter audits. Document any applicable memberships, partnerships, or results from direct smelter outreach if applicable.

“The way that a company prepares its conflict minerals report can make the audit go that much more smoothly,” says Ahava Goldman, senior technical manager for the American Institute of CPAs. “By crafting the CMR appropriately the company can avoid making things that might not be otherwise be subjected to the audit, subjected to it.” She suggests segregating information under appropriate headings in the CMR, compartmentalizing auditable data and claims.

“You want to make sure that the language you use to describe what you did is easily and readily verifiable,” Goldman says. “Be objective and not subjective in your wording. Subjective statements, like, ‘We surveyed our most important suppliers,’ raises questions of what ‘most important’ means. It is better to say, for example, that you surveyed five suppliers that cover 50 percent of your products. That is a much more objective measure.”

The AICPA’s Conflict Minerals Task Force recently issued guidance for both companies and the auditors they retain. In particular, it stresses management’s responsibilities when engaging an audit. Among the representations that may be obtained by the auditor from management is a confirmation that the company is responsible for the preparation, fair presentation, and overall accuracy of the Form SD disclosure to the SEC, including the conflict minerals report.

Other assurances: that the company complies with the laws and regulations applicable to its activities, including the conflict minerals rule, and will inform the auditor of any known violations; the relevancy and accuracy of the information included in the Form SD and CMR, including the company’s determination of the source or chain of custody of its conflict minerals; and designing, implementing, and maintaining effective internal controls for the preparation of Form SD and the CMR so they are free from material mis-statements, whether due to fraud or error.

Management should also document that it has provided access to all records, data, and other information related to the due diligence efforts, including related documentation of internal control. The company, in its representation letter, should confirm and describe all known deficiencies and material weaknesses in the design or operation of the company’s internal controls regarding the reliability and the preparation of the CMR and the related disclosures in the Form SD.