Public companies subject to the SEC’s conflict minerals reporting requirements must file their first Conflict Minerals Report (CMR) by June 2, 2014. During the next several months, companies will need to make decisions concerning the content and wording of these new reports. An important factor in those decisions will be the position that auditors and others will take with respect to the criteria governing management’s disclosures and due diligence efforts. While many companies will not need to obtain an independent audit this year, companies should be aware of the conflict minerals audit requirement so that they will be in a position to obtain an audit for subsequent reports.
On January 14, 2014, the American Institute of Certified Public Accountants issued guidance that contains key information about the independent private sector audit (IPSA) requirement in the conflict minerals reporting rules. Public companies that retain CPAs, such as their financial statement auditor, to perform the IPSA will need to make sure that their report satisfies the AICPA's requirements for “auditability”. Companies will also need to be prepared to furnish their IPSA auditor with the documentation and management representations described in the AICPA’s guidance.
The SEC’s rules create an unusual situation in which companies are not required to use the services of a CPA to perform this new audit. Companies may chose between an IPSA “attestation engagement” by a CPA or a “performance audit” which can be conducted by a qualified person who is not a CPA. While the AICPA’s guidance does not apply to performance audits, as a practical matter, such audits are likely to be generally similar.
Background – Conflict Minerals Reporting
The SEC’s conflict minerals reporting rule, adopted in 2012 in response to Section 1502 of the Dodd-Frank Act, requires public companies to disclose whether certain “conflict minerals” originating in the Democratic Republic of the Congo and adjoining countries are necessary to the functionality or production of the company’s products. These minerals are cassiterite, columbite-tantalite, wolframite, and metals derived from them (tin, tantalum and tungsten), and gold.
To comply with this new reporting requirement, a company must first determine whether it manufactures, or contracts for manufacture of, products that contain conflict minerals. If not, no reporting is necessary.
If the company does manufacture, or contract for the manufacture of, products that contain conflict minerals, it must perform a reasonable country of origin inquiry (RCOI) to determine whether its conflict minerals originated in the relevant countries. If the company is able to determine, based on its RCOI, that its conflict minerals did not originate in the DRC or its neighbors (or came from recycled or scrap sources) -- or if it has no reason to believe that its conflict minerals may have originated in those countries (or reasonably believes that its conflict minerals are from recycled or scrap sources) – its due diligence responsibilities end. The company need only file a Form SD briefly describing its RCOI and the results.
However, if, based on the RCOI, the company knows that its conflict minerals originated in the DRC or its neighbors (and did not come from recycled or scrap sources) -- or if the company has reason to believe that the minerals may have originated in those countries -- then the company must perform due diligence (in accordance with a due diligence framework, as described below) on the source and chain of custody of its conflict minerals. If this due diligence reveals that the conflict minerals originated in the covered countries, or if the company cannot determine the source of its conflict minerals, the company must submit a CMR as an exhibit to Form SD. If due diligence reveals that the conflict minerals did not originate in the DRC countries, no CMR is required, although the company must still file Form SD describing its review.
Where a CMR is required, it must include, among other things, a description of the due diligence taken on the source and chain of custody of conflict minerals, an IPSA, and a description of the products that have not been found to be DRC conflict free. The report must also describe the facilities used to process the conflict minerals, the country of origin of those conflict minerals, and its efforts to determine the mine or location of origin with the greatest possible specificity.
Independent Private Sector Audit Requirement
The conflict minerals report IPSA, which must be performed by an independent third party, has two objectives –
- To determine whether the design of the company’s due diligence framework as set forth in its CMR conforms, in all material respects, to the criteria set forth in the nationally or internationally recognized due diligence framework used by the company. At present, the only available due diligence framework meeting this requirement is the framework issued by the Organisation for Economic Cooperation and Development.
- To determine whether the description in the CMR of the due diligence measures the company performed is consistent with the due diligence process that the company undertook—that is, whether the company actually did what it said it did with respect to due diligence.
During the first two years of conflict minerals reporting, a company is not required to obtain an IPSA if, after the RCOI and due diligence, the company is unable to determine whether its conflict minerals originated in the DRC or neighboring countries. The minerals are then considered “DRC conflict undeterminable.” For smaller public companies, the “undeterminable” is available for the first four years of reporting.
The purpose of the AICPA’s guidance is to give direction to CPAs that are retained to perform IPSAs. Three aspects of this guidance are especially relevant to companies.
1. Objectives of the IPSA
The AICPA emphasizes that the objectives of the IPSA are narrow. As noted above, the first objective is to address whether the company’s due diligence framework is designed in conformity with a nationally or internationally recognized due diligence framework. This aspect of the audit considers design only – it does not address implementation of the due diligence measures or whether those measures are effective.
The second audit objective addresses whether the company actually performed the due diligence measures described in its CMR. This objective does not address whether the process undertaken and described in the CMR is consistent with the design of the company’s due diligence framework or with the national or international due diligence framework used by the company.
The AICPA notes that the two audit objectives “are independent of each other.” The auditor might, for example, conclude that the design of the company’s diligence procedures conformed to the OECD framework, but also conclude that the company did not actually perform all of the procedures described in its CMR. Conversely, the auditor might conclude that the procedures performed were as described, even though the company’s framework was inconsistent with the OECD framework.
2. CMR Criteria for an IPSA Attestation Engagement
The AICPA’s guidance lays out criteria that the company’s description of its due diligence measures must meet in order for a CPA to perform an IPSA. A CPA’s engagement to perform an IPSA will be govern by the AICPA’s attestation standards. Those standards require objective, measurable, complete and relevant criteria against which the auditor can perform his or her evaluation. Accordingly, companies will have to draft their CMRs to provide those four criteria. Under the AICPA’s guidance --
- Objective means free from bias. The AICPA states that “subjective language” in the CMR such as “best practice” or “industry standard” would not provide suitable criteria for an attestation engagement.
- Measurable means the criteria should permit reasonably consistent measurements of the subject matter. Words used in the CMR description of the due diligence measures performed need to be “precise and specific, not vague or subjective.” The guidance states that descriptions that include such adjectives as “some”, “reasonable”, “substantive”, or “exhaustive”, or phrases such as “to the best of our efforts” would be inappropriate.
- Completeness means that all factors relevant to a conclusion about the consistency of the due diligence measures described with the due diligence process undertaken must be included in the CMR description “because only the procedures that are actually described will need to be evaluated.”
- Relevance means that the description of the due diligence measures should not include any steps that were not performed. “Measures that have been included in the design but that have not yet been implemented are not relevant to the description of due diligence measures performed.”
3. Sample Audit Procedures
The AICPA’s guidance also contains suggested audit procedures. Many of these suggested procedures involve obtaining particular information or documentation from management and therefore implicitly create management requirements.
As to the first audit objective, the AICPA’s suggested audit procedures include –
- Reviewing management’s determination that the due diligence framework it selected (if it is other than the OECD framework) satisfies the SEC’s criteria for due diligence on the source and chain of custody of conflict minerals and is nationally or internationally recognized.
- Obtaining management’s documentation of the design of its due diligence framework.
- Inquiring of management how the design of its due diligence framework conforms to the OECD (or other) framework.
- Obtaining management representations that the design of its due diligence framework conforms, in all material respects, to the national or internationally recognized framework it selected.
As to the second audit objective, the AICPA’s suggested procedures include –
- Inquiring of management as to, and inspecting documentation identifying, the specific due diligence process undertaken.
- Obtaining documentation supporting the description of the due diligence measures disclosed in the CMR.
- Performing procedures (such as inquiry, recalculation, observation, and inspection) and obtaining evidence that the description of the due diligence measures performed was consistent, in all material respects, with the due diligence process the company undertook.
- Obtaining management representations that the description in the CMR of the due diligence measures performed is consistent, in all material respects, with the due diligence process that the company undertook.
Lessons for Public Companies
- Draft the CMR with the AICPA’s Criteria in Mind. As noted above, the AICPA guidance is quite specific about terminology that could render an CMR unauditable – for example, because particular words and phrases are not objective or measureable. Even companies that are relying on the “DRC conflict undetermined” exception to avoid obtaining an IPSA this year should follow this guidance so that they will not have to substantially re-write their CMRs in subsequent years.
- Be Prepared to Provide Complete Documentation. Management should document the design of its due diligence framework and its implementation of its due diligence processes with an eye to the documentation that the AICPA has directed auditors to review. Lack of appropriate documentation could delay or complicate the IPSA. As in the case of CMR drafting, putting appropriate documentation protocols in place is important to creating a repeatable due diligence process, even if the company will not need to obtain an IPSA in the first year.
- Be Prepared to Provide the Necessary Representations. Similarly, in designing its due diligence framework and implementing its due diligence procedures, management should be aware of the representations the auditor will request concerning management’s work.
- Determine the Specific Expectations of the Company’s Auditor. The AICPA’s guidance underscores the inter-connection between management’s CMR processes and the audit. Since this is a new area in which audit procedures are not yet established, and may vary from firm to firm, it is important to select an IPSA auditor as early as possible and to communicate with the auditor regarding the auditor’s expectations as to documentation, representations, and other matters. While there are independence-related limitations on the ability of the auditor to give management guidance, conflict mineral-related services such as assessing, recommending, and commenting on management’s plans are generally permissible.