Earlier this month, the American Institute of Certified Public Accountants (“AICPA”) published additional guidance relating to attestation audits under the Conflict Minerals Rule. In this Alert, we summarize and discuss the guidance from the public company perspective. Although written for the audit community, the AICPA guidance also is important for registrants since, among other things, it provides guidance on the content of the Conflict Minerals Report and offers insight into the audit procedures that are likely to be followed by auditors.
The AICPA guidance also confirms the limited scope of the audit, assuaging concerns of some registrants that the audit community might seek to expand the scope of the audit beyond the stated requirements of the Rule, increasing registrant compliance costs.
Scope and Relationship of Audit Objectives
Under the Rule, there are two audit objectives with respect to the calendar year covered by the Conflict Minerals Report. First, whether the design of the registrant’s due diligence framework as set forth in its Conflict Minerals Report is in conformity with, in all material respects, the criteria set forth in the nationally or internationally recognized due diligence framework used by the registrant. At the present time, the only recognized due diligence framework is the OECD’s Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, so this will be the framework that the auditors will audit against. The second audit objective is whether the description in the Conflict Minerals Report of the due diligence measures that the registrant performed is consistent with the due diligence process that it undertook.
The guidance notes that the first audit objective does not address the implementation of the registrant’s due diligence measures — i.e., whether the due diligence measures were placed into operation — or whether they are operating effectively. With respect to the second audit objective, the guidance notes that the audit does not address whether the process undertaken and described by the registrant is consistent with the design of the OECD framework.
The guidance also confirmed that the two audit objectives are independent of each other. Therefore, a registrant could fail one audit objective and satisfy the other. Given the limited scope of the second audit objective, it seems unlikely that a registrant would fail this objective. Therefore, to the extent that there is audit risk, the risk is expected to be around the first objective.
Description in the Conflict Minerals Report of the Due Diligence Measures Performed
In order for the description of the due diligence measures performed to be suitable from an audit perspective, the description must be objective, measurable, complete and relevant. Internal finance and audit personnel will be familiar with these terms and standards, which are discussed in AT 101, Attest Engagements (AICPA, Professional Standards). Each of these terms is discussed below.
To be objective, the criteria should be free from bias. Subjective language such as “best practice” or “industry standard” would not provide suitable criteria for an attestation engagement.
“Measurable” means that the criteria should permit reasonably consistent measurements of the subject matter. In this context, the words used in the Conflict Minerals Report in the description of the due diligence measures performed need to be precise and specific, not vague or subjective. Inappropriate descriptions of procedures performed would include adjectives such as “some,” “reasonable,” “substantive” or “exhaustive,” or phrases such as “to the best of our efforts.”
“Completeness” means that relevant factors that would alter a conclusion about the subject matter are not omitted. The AICPA guidance indicates that, in this context, it is not possible for relevant factors to be omitted from the description of the due diligence measures performed that would alter the auditor’s conclusion about consistency of the due diligence measures described with the due diligence process undertaken because only the procedures that are actually described will need to be evaluated.
Lastly, “relevance” means the criteria should be relevant to the subject matter. The description of the due diligence measures performed should be of the due diligence measures actually performed. Measures that have been included in the design but that have not yet been implemented are not relevant to the description of the due diligence measures performed.
Evaluations Outside of the Scope of the Audit
Consistent with the Rule, the guidance indicates that the audit only relates to those portions of the Conflict Minerals Report that describe the design of the registrant’s due diligence framework and the due diligence measures that the registrant performed.
The guidance clarifies that, among other things, the auditor’s examination would not include an evaluation of: (1) matters relating to the registrant’s reasonable country of origin inquiry, including the design, operating effectiveness and results thereof; (2) the consistency of the due diligence process that the registrant undertook with either the design of its due diligence framework or the OECD framework; (3) the completeness of the registrant’s description or operating effectiveness of the due diligence measures performed; or (4) whether the reader can determine if the due diligence process the registrant undertook is consistent with the OECD framework.
In addition, since the audit objectives relate to the design of the registrant’s due diligence framework and the due diligence measures that it undertook, rather than the registrant’s conclusions, the auditor’s examination does not address the registrant’s conclusions regarding: (1) the conflict minerals necessary to the functionality or production of products that are manufactured or contracted to be manufactured; (2) which conflict minerals were “outside the supply chain;” (3) the registrant’s products that are subject to due diligence; (4) the source or chain of custody of conflict minerals and the suppliers thereof; or (5) the conflict status of the registrant’s products.
The auditor is required to perform procedures that will accumulate sufficient evidence to restrict engagement risk to an appropriately low level.
The AICPA guidance provides examples of appropriate procedures for both audit objectives. Since these are examples, audit firms will not necessarily perform all of these procedures in connection with each audit. They may perform additional procedures as well. However, these examples provide helpful guidance as registrants think about the documentation and due diligence procedures that may be necessary to ensure a successful audit.
First Objective: Design of Due Diligence Framework
- Asking management to identify how the design of the registrant’s due diligence framework is set forth in the Conflict Minerals Report.
- Identifying the nationally or internationally recognized due diligence framework used as the basis for the registrant’s due diligence framework. If management has not chosen the OECD framework, appropriate procedures would include reviewing management’s determination that such a framework satisfies the SEC’s criteria contained in the Rule for conducting due diligence.
- Obtaining management’s assertion that the design of the registrant’s due diligence framework, for the period covered by the Conflict Minerals Report, conforms in all material respects to the OECD framework.
- Obtaining from management documentation of the design of the registrant’s due diligence framework with respect to the period covered by the report.
- Inquiring of management how the design of the due diligence framework conforms to the OECD framework.
- Evaluating whether the design is in conformity, in all material respects, with the OECD framework.
- Obtaining management representations that the design of the due diligence framework conforms in all material respects to the OECD framework.
Second Objective: Description of the Due Diligence Measures Performed
- Obtaining management’s assertion that the description of the due diligence measures that the registrant performed is consistent with the due diligence process that the registrant undertook for the period covered by the Conflict Minerals Report.
- Inquiring of management as to, and inspecting documentation identifying, the specific due diligence process undertaken.
- Obtaining documentation supporting the description of the reported due diligence measures disclosed or planned to be disclosed in the Conflict Minerals Report.
- Performing procedures (such as inquiry, recalculation, observation and inspection) and obtaining evidence that the description of the due diligence measures performed was consistent, in all material respects, with the due diligence process that the registrant undertook. The nature and extent of the specific procedures to be performed will be determined, and will vary, based on the description of the due diligence measures.
- Obtaining management representations that the description of the due diligence measures that the registrant performed as set forth in the Conflict Minerals Report, with respect to the period covered by the report, is consistent, in all material respects, with the due diligence process that the registrant undertook.
Takeaways from the AICPA Guidance
The good news for most registrants is that they are unlikely to need an audit for 2013 or 2014. Most registrants are expected to be able to rely on the “DRC conflict undeterminable” audit exception at least through the 2014 compliance period. However, as registrants continue to implement, refine and document their compliance programs and prepare their first Conflict Minerals Reports, we recommend that they take the AICPA guidance into account.
Prepare Your Conflict Minerals Report with an Audit in Mind
This year’s Conflict Minerals Report should be prepared with the same level of rigor and thoughtfulness as the first report that will be subject to an audit. Applicable disclosure should be objective, measurable and relevant within the meaning of AT 101. In addition, since only selected portions of the Conflict Minerals Report will eventually be subject to an audit, the report should be structured to facilitate the efficient completion of the audit. Although templates and forms can be a helpful starting point, companies need to craft their disclosure to fit their particular facts and circumstances, especially as it relates to the second audit objective.
Although the Conflict Minerals Report will continue to evolve as traceability programs and supply chain transparency improve, we recommend that registrants start out on the right foot, with disclosure and a report structure consistent with what they generally intend to provide and follow once an audit is required. This will facilitate comparability of the Conflict Minerals Report from year to year by external constituencies (see our recent Alert for a discussion of some of the external constituencies that will be focused on conflict minerals disclosure). It also is likely to reduce litigation risk. Although we believe that it will be difficult for suits alleging material misstatements or omissions in conflict minerals disclosure to succeed on the merits, we do expect that the plaintiffs’ bar will opportunistically seek to bring claims against some companies. Significantly different disclosure from year to year that is unrelated to compliance developments or changes in facts and circumstances may increase this risk.
Document Your Program
The audit procedure examples in the AICPA guidance underscore the need for adequately documenting both the design of the due diligence framework and the due diligence undertaken by the registrant.
And remember, due diligence must be conducted in conformance with the OECD framework irrespective of whether an audit is required. Separate from audit trail documentation, certain procedures and documentation also must be put in place in furtherance of the OECD framework.
Keep Your Auditors in the Loop
Although independence requirements limit auditor involvement in the design of the due diligence program and the preparation of disclosure, auditors still can serve as a valuable sounding board and resource (in this regard, for further information, see the AICPA’s earlier guidance concerning auditor independence). At a minimum, periodically check in with your auditors on your compliance program and consider seeking their input on significant compliance decisions that could have an impact on the audit. Do not wait until 2015 or later to first engage in conversations with your auditors concerning conflict minerals.
Expect Further Guidance
We expect there to be further clarity and commentary around the audit process before most registrants undergo their first audits. We expect the AICPA to put out additional guidance. More imminently, The Auditing Roundtable, the professional organization for environmental, health and safety auditors, which are able to provide performance audits under the Rule, is expected to put out its first set of Q&As in the coming weeks. The SEC also is likely to issue at some point additional FAQs relevant to the audit. As further guidance is released, we will continue to publish Alerts and post the guidance on the SRZ Online Conflict Minerals Resource Center. Market practice around aspects of compliance relating to the audit also will continue to coalesce between now and when most registrants require their first audits.