We recently supported a client as they were undergoing a conflict minerals audit conducted by a third party hired by a customer – one of the world’s most recognizable brands. We previously wrote about customer audits of supplier conflict minerals programs, indicating that we believe audits of this type will become more common in the coming months.
The biggest surprise to everyone involved in the audit concerns the use of the specific commercial IT system used by our client. Our client’s customer (the brand) required our client have copies of the most current CMRT from suppliers. Fair enough – or so we thought. Our client printed out the appropriate number of the most current supplier CMRTs from their IT system and the auditor proceeded to find numerous issues with those CMRTs, resulting in at least two audit findings.
Why are there problems if the most current CMRTs were pulled directly from the system? How did these nonconforming suppliers/CMRTs make it through the RCOI process? We figured out what happened and think this is a potential problem for users of any conflict minerals IT system. Read this and do your own check up on your system to find out if this situation applies to you.
You know the story – you send out a data request to your suppliers. They respond with either their CMRT, or they enter the data directly into the IT system. The data is screened for omissions and errors, and the supplier is prompted to make corrections – typically directly into the data system. Once the data is fully approved, it is accepted into the system and the supplier information is current and correct.
So far, so good. But maybe not.
The requirement for this particular major brand is that all suppliers must have updated CMRTs available from their suppliers – updated data in the IT system doesn’t count. What we found is that the original CMRTs from suppliers are not updated along with the data; they retain their original content as a permanent record. When our client printed out CMRTs for the auditor, those documents did not reflect the revised data that had the benefit of the reviews and corrections. The auditor found outdated CMRTs that did not conform to the audit criteria, resulting in the findings.
Two things should be learned from this experience: make sure you know what criteria a customer will use in auditing you, and make certain that you can produce the specific data requested – which means understanding your conflict minerals IT system in detail to know its relevant limitations.