While I expect that the audits of Conflict Minerals Reports (CMRs) will be pretty rare this year, the AICPA has issued some FAQs regarding the audit process for CMRs that may be useful in preparing the CMR itself.
You may recall that Dodd-Frank requires an independent private sector audit of CMRs unless the company is entitled to and does conclude that its products are "conflict undeterminable," a characterization that may be used only for two years (four years for smaller reporting companies). The two audit objectives are independent of each other. The first audit objective is to determine whether the design of the due diligence framework as described in the CMR materially conforms to the criteria in the OECD Framework (currently the only internationally recognized framework); the objective does not address implementation or effectiveness. The second objective is to determine whether the description in the CMR of the due diligence measures performed by the company is consistent with the due diligence process that the company actually performed, i.e., did the issuer actually do what it said it did. This objective does not address whether the process undertaken and described is consistent with the design of the issuer's due diligence framework or the criteria set forth in the OECD framework. Below are summaries of the most relevant FAQs:
- First, a reminder that, while an auditor can audit both an issuer's financial statements and conduct an Independent Private Sector Audit (IPSA) of that client's CMR (under Rule 2-01 of Reg S-X, according to the AICPA and the SEC), the engagement to perform the IPSA would be considered a "nonaudit service" subject to the pre-approval requirements of Rule 2-01(c)(7) of Reg S-X. In addition, the fees related to the IPSA would be disclosed under "All Other Fees" in the principal accountant fee disclosures.
- Of course, to the extent that any conflict mineral-related services "involve assuming a management responsibility or performing a management function," they would impair independence not only with regard to the IPSA, but also with regard to the audit of the company's financial statements. The AICPA confirms that conflict minerals-related services such as assessing the company's design of draft policies and procedures, identifying relevant gaps and making recommendations, and providing comments on design, configuration or implementation approaches performed by management or a third party would generally not impair independence so long as the auditor conducts an evaluation under the GAGAS (generally accepted government auditing standards) conceptual framework of any threats to independence. Where threats are significant, appropriate safeguards must be applied; management's skills, knowledge and experience relevant to conflict minerals must be evaluated; the auditor must establish the necessary understanding with management; and applicable documentation requirements must be satisfied. Performing conflict mineral-related services that involve designing or implementing systems or preparing and leading systems training would generally be viewed to impair independence because those services relate to the specific subject matter of the audit engagement (with regard to performing the IPSA) as well as being considered management responsibilities. (For more on the performance by auditors of management functions and the impairment of auditor independence, see my email of 1/27/14.)
- The audit objectives do not include any determination with respect to the accuracy of the conclusions in the CMR. Accordingly, the auditor's examination does not address the company's conclusions about any of the following:
  - The conflict minerals necessary to the functionality or production of the product manufactured or contracted to be manufactured;
  - Which conflict minerals were "outside the supply chain" at January 31, 2013;
  - The issuer's products subject to due diligence;
  - The source or chain of custody of conflict minerals and the suppliers thereof; or
  - Whether the company's products were DRC conflict free undeterminable, DRC conflict free or not found to be DRC conflict free.
- The standard for attest engagements under AT 101 requires that criteria must be suitable and available. For the first objective, the OECD framework is considered to provide suitable and available criteria. With regard to the second objective, for the description in the CMR of the due diligence measures performed to be suitable, the "description must be objective, measurable, complete and relevant." As a result, in preparing the CMR in anticipation of an eventual audit, companies should keep these factors in mind. What do they mean?
  - "Objective means the criteria should be free from bias. The description of the due diligence measures performed in the CMR should be objective; subjective language such as best practice or industry standard would not provide suitable criteria for an attestation engagement.
  - Measurable means the criteria should permit reasonably consistent measurements of the subject matter; in this context, the words used in the description of the due diligence measures performed in the CMR need to be precise and specific, not vague or subjective in order for the description to provide suitable criteria for an attestation engagement. Inappropriate description of procedures performed would include adjectives such as some, reasonable, substantive, or exhaustive, or phrases such as to the best of our efforts.
  - Completeness means that relevant factors that would alter a conclusion about the subject matter are not omitted; in this context, it is not possible for relevant factors to be omitted from the description of the due diligence measures performed that would alter the auditor's conclusion about consistency of the due diligence measures described with the due diligence process undertaken because only the procedures that are actually described will need to be evaluated.
  - Relevance means the criteria should be relevant to the subject matter; in this context, the description of the due diligence measures performed should be of the due diligence measures actually performed. Measures that have been included in the design but that have not yet been implemented are not relevant to the description of due diligence measure performed."