Alert AICPA Issues Additional Conflict Minerals Audit Guidance: An Overview and Suggested Action Items for Registrants January 29, 2015 The American Institute of Certified Public Accountants has published additional guidance relating to the independent private sector audit (IPSA) contemplated by the Conflict Minerals Rule. This most recent round of guidance, which is summarized in this Alert, addresses matters that auditors may wish to cover in management representation letters and auditor responsibility with respect to internal controls. Since 2013, the AICPA has published several guidance documents. Prior guidance put out by the AICPA has dealt with, among other things: (1) auditor independence; (2) similarities and differences between attestation engagements and performance audits; (3) the IPSA objectives, criteria for the IPSA as an attestation examination engagement, evaluations outside the scope of the IPSA, sample procedures for the IPSA and subjects relevant to the IPSA; and (4) the form of the audit report. All of the AICPA guidance to date can be accessed through the SRZ Conflict Minerals Resource Center. An Overview of the January 2015 Guidance Management Representations Paragraph .60 of AT 101, Attest Engagements, indicates that an audit practitioner should consider obtaining a representation letter from the responsible party in an attest engagement. As background, the IPSA can take the form of either an attest engagement or a performance audit. Only CPA firms can perform attest engagements. Non-CPAs also can perform performance audits. Although the AICPA guidance is not directed toward performance audits, similar management representations are likely to also be required in connection with these audits. The guidance provides the following examples of representations that an auditor might want to include in a representation letter from management delivered in connection with an IPSA: • Confirmation by management that it is responsible for: o The preparation, fair presentation and overall accuracy of the Form SD, including the Conflict Minerals Report (CMR), in accordance with the Conflict Minerals Rule; o Identifying and ensuring that the registrant complies with the laws and regulations applicable to its activities, including the Conflict Minerals Rule, and informs the auditor of any known violations of such laws and regulations;© 2015 Schulte Roth & Zabel LLP | 2 o The relevancy and accuracy of the information included in the Form SD and the CMR, including the registrant’s determination of the source or chain of custody of its conflict minerals, and determination of those products subject to due diligence; o Designing, implementing and maintaining effective internal control relevant to the preparation and fair presentation of the Form SD and CMR that are free from material misstatement, whether due to fraud or error; o The selection of the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas as the criteria against which the registrant has evaluated the design of its due diligence framework; o The assertion in the CMR that the design of the registrant’s due diligence framework is in conformity with the OECD Guidance framework; o Determining that the OECD Guidance framework represents appropriate criteria for the registrant’s purposes; and o The description of the due diligence measures that the registrant performed, as set forth in the CMR. • The design of the registrant’s due diligence framework is in conformity with the criteria set forth in the OECD Guidance framework, and the registrant’s description of the due diligence measures it performed is consistent with the due diligence process that it undertook for the applicable calendar reporting period. • The CMR and the related disclosures in the Form SD comply with the requirements of the Conflict Minerals Rule for the reporting period. • The registrant is not aware of any matters contradicting its assertion about the design of its due diligence framework or the description of its due diligence measures performed for the reporting period, as set forth in the CMR, nor has it received any communications from regulatory agencies, reporting agencies or others affecting its assertion(s) and disclosures. • There have been no events occurring subsequent to the end of the reporting period and through the date of the representation letter that would have a material effect on the design of the registrant’s due diligence framework or its due diligence measures performed for the reporting period, as set forth in the CMR. • The registrant has communicated to the auditor any changes in the design of its due diligence framework subsequent to the end of the reporting period. • The registrant has provided the auditor with: o Access to all records, data and other information or documentation related to its due diligence framework and the registrant’s due diligence measures performed, including related documentation of internal control; o Support and documentation related to its respective assertions; o Additional information the auditor has requested for purposes of its examination; and o Unrestricted access to persons from whom the auditor determined it was necessary to obtain evidence.© 2015 Schulte Roth & Zabel LLP | 3 • The registrant has disclosed to the auditor all known control deficiencies, including significant deficiencies and material weaknesses, in the design or operation of its internal controls regarding the reliability and the preparation of the CMR and the related disclosures in the Form SD. • The registrant has no knowledge of abuse, fraud or suspected or alleged fraud affecting the registrant involving: o Management; o Employees who have significant roles in internal control over the preparation of the CMR or the related disclosures in the Form SD; or o Others where the fraud could have a material effect on the CMR or the related disclosures in the Form SD. • The registrant has established and maintained a process to address and track the status of the auditor’s findings, conclusions and recommendations. The registrant has provided to the auditor its views on such matters, as well as planned corrective actions to be included in the report. The registrant has also identified and informed the auditor of findings and recommendations from previous audits, attestation engagements or other studies that could have a material effect on the CMR and whether any related recommendations were implemented or corrective actions taken. • The registrant has identified and disclosed to the auditor all laws, regulations, contracts and grant agreements and other matters that have a direct and material effect on the subject matter and instances of noncompliance. The foregoing list of items is not intended to be exhaustive. The representation letter also may contain statements on any additional matters that the engagement team deems appropriate to tailor the representation letter to the circumstances of the engagement. The guidance notes that this may also include representations specific to related non-audit services performed in connection with the conflict minerals examination and representations, if any, needed for an engagement conducted in accordance with Generally Accepted Government Auditing Standards, also known as the Yellow Book, established by the Government Accountability Office. Applicability of Internal Control Procedures Relating to the IPSA The second topic addressed in the guidance is the audit practitioner’s responsibility with respect to gaining an understanding of and testing internal controls in performing an IPSA. According to the guidance, the auditor is not required to determine whether the registrant designed or implemented a system of internal control or to test whether control activities operated effectively in order to reduce attestation risk to an acceptably low level. The auditor is required by AT 101.45 to consider attestation risk when planning an attest engagement. As noted in the guidance, attestation risk is the risk that the practitioner may unknowingly fail to appropriately modify his/her attest report on the subject matter or assertion that is materially misstated. Attestation risk consists of: (1) the risk (consisting of inherent and control risk) that the subject matter or assertion contains deviations or misstatements that could be material; and (2) the risk that the practitioner will not detect such deviations or misstatements (detection risk).© 2015 Schulte Roth & Zabel LLP | 4 The guidance indicates that such procedures as gaining an understanding of the process management used to design the registrant’s due diligence program, and the extent to which management used tools and techniques intended to ensure that all aspects of the criteria set forth in the OECD Guidance framework were incorporated in the design, can reduce attestation risk related to the first assertion addressed in the IPSA. This first assertion requires the auditor to express an opinion or conclusion as to whether the design of the registrant’s due diligence measures as set forth in and for the applicable compliance period covered by the CMR conforms with, in all material respects, the criteria set forth in the nationally or internationally recognized due diligence framework used by the registrant, namely the OECD Guidance framework. As further indicated in the guidance, gaining an understanding of processes developed by the registrant to ensure that the description in the CMR of the due diligence measures it performed accurately reflect the relevant aspects of the due diligence process the registrant undertook can be helpful in assessing the risk that management misstates the information that is the subject of the second assertion addressed in the IPSA, i.e., whether the registrant’s description of the due diligence measures it performed, as set forth in the CMR, is consistent with the due diligence process that it undertook. The guidance notes that audit procedures to test the registrant’s processes in each of these areas can be helpful in reducing detection risk. Audit Trends and Suggested Action Items Four companies — out of the roughly 1,000 CMR filers for calendar year 2013 — obtained audits (the calendar year 2013 filings were those made in early June 2014). It was widely expected that there would only be a small number of audits. In its April 29, 2014 Statement on the effect of the April 14, 2014 D.C. Circuit Court of Appeals’ decision on the Conflict Minerals Rule, the Securities and Exchange Commission indicated that, pending further action, an IPSA will not be required unless a registrant voluntarily elects to describe a product as “DRC conflict free” in its CMR. And, even before the April 29 Statement, under the Conflict Minerals Rule and as clarified in a subsequent SEC FAQ, an IPSA was not required during a temporary transition period if, after exercising due diligence over the source and chain of custody of its conflict minerals, the registrant determined that at least one of its products may be described as “DRC conflict undeterminable.” This transition period runs through calendar year 2016 for smaller reporting companies and ran through calendar year 2014 for all other registrants. We expect there to be a small number of IPSAs for calendar year 2014 as well and would not be surprised to see the number remain in the single digits. Although NGOs and socially responsible investors have indicated that they would like to see more independent audits, thus far, most registrants do not appear to be inclined to undergo an audit until they are required to do so. However, registrants should consider undertaking a sufficiently rigorous program assessment to ensure that they will be able to pass an audit when and if required, and we are seeing this as a 2015 action item at an increasing number of registrants. Either internally or with the help of outside advisers, registrants should assess whether the design of their due diligence measures conforms in all material respects with the criteria set forth in the OECD Guidance framework (the first audit assertion) and whether their documentation is sufficient to support both the first audit assertion and the description of the due diligence process that the registrant undertook (the second audit assertion). As part of the assessment process, registrants also should take into account the representations and procedures discussed in the most recent AICPA guidance, as well as relevant aspects of prior AICPA guidance.© 2015 Schulte Roth & Zabel LLP | 5 Authored by Michael R. Littenberg and Farzad F. Damania. If you have any questions concerning this Alert, please contact your attorney at Schulte Roth & Zabel or one of the authors. About SRZ’s Conflict Minerals Compliance Practice SRZ has a leading conflict minerals compliance and responsible sourcing practice, among other things, advising public and private companies and trade associations on the application of the U.S. Conflict Minerals Rule, the OECD framework and other conflict minerals legislation and initiatives. For more information concerning our practice, please contact Michael R. Littenberg at firstname.lastname@example.org or +1 212.756.2524. Subscribe to SRZ’s Conflict Minerals Resource Center SRZ is the only law firm to have an online Conflict Minerals Resource Center. This frequently updated resource contains an extensive collection of SRZ-authored materials, U.S. government and EU resources, NGO materials, industry group resources and form documents to assist in compliance with the Rule. Subscribe to receive conflict minerals information through the SRZ online Conflict Minerals Resource Center at www.srz.com/Conflict_Minerals_Resource_Center. This information has been prepared by Schulte Roth & Zabel LLP (“SRZ”) for general informational purposes only. It does not constitute legal advice, and is presented without any representation or warranty as to its accuracy, completeness or timeliness. Transmission or receipt of this information does not create an attorney-client relationship with SRZ. Electronic mail or other communications with SRZ cannot be guaranteed to be confidential and will not (without SRZ agreement) create an attorney-client relationship with SRZ. Parties seeking advice should consult with legal counsel familiar with their particular circumstances. The contents of these materials may constitute attorney advertising under the regulations of various jurisdictions.