Certain companies subject to the conflict minerals rules requirement must commission an independent private sector audit, or IPSA, of certain sections of the conflict minerals report. The IPSA must be conducted using either the Attestation Engagement or Performance Audit standards of the US Government Accountability Office Government Auditing Standards (referred to as “GAGAS” or the “Yellow Book”). The GAGAS includes standards for Attestation Engagements and Performance Audits.
Attestation Engagements can only be performed by CPAs (or those working directly under the supervision/direction of a CPA). The American Institute of Certified Public Accountants (AICPA) and GAGAS both govern Attestation engagements, including those covering CMRs.
Performance Audits must be conducted by appropriately-qualified auditors and are not governed by AICPA.
The Auditing Roundtable, through the Conflict Minerals Interest Group, undertook an initiative to develop auditor guidance for those conducting IPSA Performance Audits, especially auditors in the environmental, health, safety, sustainability and social responsibility auditing (EHSSS) practice area. The guidance is intended to provide a basis for consistency and substantive interpretations and was developed to be consistent with the CPA auditor guidance published by AICPA.
In this regard, it is critical that the IPSA auditor understand key limitations in the audit scope under this objective. In the preamble to the final rule, SEC recognized that this objective “is not as comprehensive as an audit objective requiring an auditor to express an opinion or conclusion as to whether the due diligence measures were effective, or to express an opinion or conclusion as to whether or not the issuer’s necessary conflict minerals are “DRC conflict free.”
Some of the specific limitations are as follows:
- The audit scope/objective does not require that the audit confirm the conflict status or source determinations, such as whether the issuer’s products are “DRC conflict free” as that term is defined.
- The audit scope/objective does not require that the audit confirm or assess the effectiveness of the issuer’s due diligence measures.
- The final release does not require an audit of the entire CMR. The audit is limited only to the sections of the CMR that discuss the design of the issuer’s due diligence framework and the due diligence measures the issuer performed.
- The financial accounting of money to armed groups is not within the scope of the IPSA audit objective.
We’re not saying whether the guidance is good or bad or fulfills everyone’s dreams, just that it exists.
Hat tip to The Elm Consulting Group International LLC for pointing out this development.