Category Archives: Compliance

Conflict Minerals 2017 Reality Check

As 2017 winds down, interest and activity related to the annual SEC conflict minerals filings is heating up. Here is a short reality check for what you should be thinking and doing.

To begin with, Dodd-Frank Section 1502 and the SEC rules requiring the Form SD/Conflict Minerals Report are still in place and remain in effect as of today. Although SEC Commissioner Michael Piwowar issued a statement of non-enforcement earlier this year, that does not change the fact that the legal obligation to file remains intact. Legislation to eliminate Section 1502 was passed by Congress but has not yet been approved by the Senate or sent to the President for signature. Issuers should continue their conflict minerals RCOI, due diligence and Form SD filing preparation activities.

Issuers may still choose to use specific determination wording, or use none at all. However, should an issuer elect to use the words “DRC Conflict Free” to describe one or more product, an Independent Private Sector Audit (IPSA) must be performed by a qualified non-CPA or CPA audit firm. In researching the CY2016 SEC filings, Development International found nine issuers that classified at least one product as “DRC Conflict Free” in their Conflict Minerals Reports (CMR) but did not file an IPSA. We do not recommend that as a filing approach.

In general, issuers should be following the same path and procedures as last year – nothing has changed from a practical filing perspective, including the content requirements for the Form SD and CMR. By now, the following should be underway or completed at a minimum:

  • Previously identified program improvements
  • Overall program reviews, if desired. We continue to see interest in, and are conducting, program reviews
  • Product screening
  • Supplier screening/identification

There continue to be differing views on the timing for supplier outreach activities. Some issuers elect to request supplier CMRTs before the end of the calendar year; some wait until the calendar year is over. Suppliers may not necessarily have their own assessments, due diligence and CMRTs completed early, and delays are common.

There is also a lingering difference of opinion about including smelter/refiner lists in the CMR. We strongly believe it is a requirement to include the list in the filing.

Confusion remains about the Country of Origin as well. The countries listed in the CFSI audited smelter/refiner lists are the countries where the smelters are located. That is NOT the country where “the rocks come out of the ground”, which is what is meant by the country of origin. An often overlooked element of due diligence is ensuring that countries of origin provided by suppliers are plausible countries of origin, meaning they have known ore reserves or active mining. Several countries that are not plausible were listed in CY2016 CMRs.

Filers should also consider countries and entities that are sanctioned by the US Department of Treasury Office of Foreign Asset Control (OFAC) when reviewing countries of origin. Although this is not an issue related to conflict minerals, it is not a matter to be unresolved and reported in a legal filing.

When reviewing the smelter/refiner list from your suppliers, some form of due diligence is required for facilities that are not listed as a facility audited by CFSI or one of the programs with which CFSI has a mutual recognition agreement. Those facilities cannot be ignored simply because they are not on the list of audited smelters/refiners.

As in past years, we continue to support many companies with all aspects of their conflict minerals processes, filings and IPSAs. Please don’t hesitate to contact us with any questions.

Last Week for Auditor QuickQuiz

Our auditor QuickQuiz will close at the end of the day September 1.  We hope to see more folks will take a few minutes to answer the questions.  It is painless.

Some of the trends we are seeing are:

  • 67% of the respondents have more than 10 years experience, with 75% or more of that experience doing EHS/CSR audits.
  • Only 15% of the respondents had a passing score.
  • There is a gap in knowledge and application of fundamental audit terminology.
  • There is inconsistency in understanding the strength of evidence types, with an over-reliance on interviews over documentation.

Things are likely to improve when we get more responses.

Fraud in Sustainability/CSR

Fraud is increasingly a topic in our conversations. We have had direct experience with EHS fraud in the past. The most recent occurrence was helping a client unravel an embezzlement scheme using waste disposal as the fraud mechanism. It played out a bit like a made-for-TV movie – not the kind of thing I ever expected to see personally, nor in the 21st century.

New pressures and risks are developing around sustainability/CSR reporting. Although still largely voluntary (certain aspects are mandated in the US, UK and Australia for instance), its business importance has grown dramatically in the past 5 years.

Customers demand more transparency and reporting in their supply chains, and many make procurement decisions based on this information. Many institutional and activist investors carefully review sustainability/CSR disclosures and make decisions using that information. It is now common for shareholder resolutions to be filed related to the disclosures, or lack thereof. Major media outlets have sustainability/CSR desks specifically focused on these matters and who pore over the filings and report on them.

We are finding that there is very little consideration given to fraud assessment or monitoring in this context – so is it even meaningful? We think so, and well known fraud and compliance expert Hui Chen agrees. Let’s apply the Fraud Triangle to supplier CSR performance.

  • Motivation. There is much on the line for businesses and their suppliers in terms of CSR results. As pointed out above, sustainability/CSR disclosures and performance may directly impact revenues, reputation and investor activity. No one wants to be on the wrong end of that. Motivation? Check.
  • Rationalization. It isn’t much of a stretch to see how an individual can rationalize using alternative facts due to the business pressures. In some cases, suppliers in developing countries may rationalize their actions further due to their own cultural setting. But let’s not kid ourselves into thinking that the US is immune itself.
  • Opportunity. There is ample opportunity for motivated suppliers to commit fraud. In some instances, CSR auditors are used to review suppliers. But those hiring audit firms many times severely limit the auditors by imposing minimal scope/effort driven primarily by cost. Suppliers know their customers’ auditors are not enabled to conduct a thorough review, and with pre-scheduled site visits, they have plenty of notice to dress the place up for the auditors.

This is only one example of how fraud can enter into the sustainability/CSR picture. If this isn’t included in your company risk assessments, or considered in the context of CSR/sustainability reporting, it should be.

Hui Chen: Applying DOJ’s Compliance Questions to Supplier/Social Responsibility Auditing

By: Hui Chen, former Compliance Counsel Expert, Fraud Section, Department of Justice

Ed. Note:  Hui Chen gained national attention when she made a “noisy withdrawal” from the Department of Justice this past June.  Afterwards, she graciously agreed to write the following for us.  We applaud her deep commitment to integrity and greatly appreciate her making time to pen this article.

In February 2017, the Fraud Section of the Criminal Division of the Department of Justice (“DOJ”) released a document entitled “Evaluation of Corporate Compliance Programs” (“Evaluation Questions”) which makes public the types of questions the Fraud Sections asks in its evaluation of corporate compliance programs in the context of its criminal investigations. The Evaluation Questions immediately gained the attention and interest of anti-fraud compliance professionals as well as global regulators and law enforcement interested in corporate accountability. The Fraud Section, which prosecutes cases involving foreign corruption, financial,  securities  and healthcare fraud, has brought corporate prosecutions with historic fines and penalties and exerts enormous influence in the those areas of compliance. What is often missed in the narrative, however, is the Fraud Section’s leading role in two of the largest environmental criminal prosecutions in history: the Deepwater Horizon and the VW emission scandal. As the Fraud Section’s Compliance Counsel Expert, I had the privilege of being involved in these cases, and they were very much on my mind as I drafted the Evaluation Questions.

Although the Evaluation Questions are set in the context of criminal investigations, one of the intents of the document is to also provide a framework for companies and compliance professionals to design, implement, and test their compliance programs for effectiveness. That framework is every bit as applicable to EHS and sustainability programs as it is for anti-fraud compliance programs.

At its core, the Evaluation Questions center around the following tenets of effectiveness: credibility, measurements, accountability, and continuous improvement. Let’s briefly explore these principles and see how they apply in the context of supplier/social responsibility auditing.

Credibility

The Evaluation Questions probe the credibility of companies’ boards, senior leadership, and compliance and control functions. It specifically names “audit” as one of the “relevant control functions”. It asks whether “compliance and control personnel ha[ve] the appropriate experience and qualifications for their roles and responsibilities.” How companies define that appropriateness tells a lot about the company. For example, companies that define appropriate experience largely in terms of certifications tend to be less sophisticated: they rely on commercial certification bodies to exercise the judgment and evaluation on their behalf. These types of personnel often do not perform impressively when specific questions involving real experience and expertise are posed to them: i.e. “Explain your sample selection methodology”, “How would you handle specific situations”, “What specific red flags do you look for when you are auditing for X”, etc. In this regard, I find Elm’s Auditor QuickQuiz an intriguing and useful concept and tool. My instinct tells me that this quiz may reveal more about auditors’ competency and judgment than most certifications do.

It is important to note that the notion of credibility, as explored by the Evaluation Questions, goes far beyond experience and qualifications. Corporate and professional credibility comes also in the form of visible commitment, demonstrated conduct, soundness of processes, levels of autonomy, strength of empowerment, and responses to risks, all of which are explored throughout the Evaluation Questions.

Applying these questions to supplier/social responsibility auditing, it means companies need to seriously consider factors more than subject matter expertise and cost of the auditors. Companies need to define auditor competency in terms of independence, judgment, field experience, statistical and analytical sophistication, and interpersonal and intercultural skills. Companies should also examine their auditors’ approach closely, asking specific questions about approach, methodology, and plans to identify and prepare for the types of issues that are likely to arise during the audit process.

Measurements

The Evaluation Questions are rooted in various prior guidance issued by the DOJ and other regulatory agencies and international organizations. The document, however, does bring a very significant new element: the demand for evidence of effectiveness in the form of measurements and data.   Evidence of results is, after all, a foundation to credibility. Not only do the Evaluation Questions ask about “information or metrics” the company collects and uses to help detect misconduct, but also “how has the company measured the effectiveness” of activities such as training and policy implementation. There are many “how” questions such as “How has the company assessed whether…policies and procedures have been effectively implemented?” or “How has the company evaluated the usefulness of …policies and procedures.” Companies that are able to answer these how questions in measurable metrics and data are regarded with far more credibility than those who answer with unsubstantiated adjectives.

Measurement and data are concepts that are expected to be second nature for auditors. What is important for companies is to make sure they work with their supplier/social responsibility auditors to define what to  measure and how. Whether you are auditing for manufacturing quality, environmental compliance, or safety, it is important that you sit down with your auditors to define what satisfaction looks like, and identify ways to measure it.

Accountability

Compliance programs cannot succeed with accountability. This is why the Evaluation Questions are focused on the accountability of both individual players and the company’s systems and processes. Accountability is about clearly defined roles and responsibilities, and visible consequences for words and actions. In line with this emphasis, the Evaluation Questions elevate the inquiry from the traditional “tone from the top” to “conduct at the top”  and ask about “concrete” and “specific” actions. There are questions about whether supervisors are held accountable for failures in oversight and how the companies train relationship managers on their responsibilities in managing third party risks. More importantly, there are questions about the accountability of the company: what happens when “compliance raise[s] concerns or objections”? “Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures…” In other words, when issues and risks are identified, how has the company been accountable in addressing and remediating them?

As both an in-house compliance officer and as the DOJ Compliance Counsel Expert, I have seen numerous instances where companies have failed to address audit-identified issues adequately. In the eyes of prosecutors, regulators, and other stakeholders such as investors, this failure speaks volumes about the company’s commitment to accountability and raises serious questions about the company’s operational competency. It reminds me of the TV commercial where the bank security guard tells customers, in the midst of a robbery, that his job is only to notify people when there is a robbery, not to do anything about it. That is why the Evaluation Questions include questions on how audit findings and remediation progress are reported to the management and the board, and how the management and board follow up on such reports. Finding the problem is not the goal: fixing it is.

Continuous Improvement   

Even the best compliance program would become an obsolete compliance program should it not continuously update itself. Everything from business and operational realities to company culture to regulatory and legal requirements changes constantly, and only a persistently self-critical program regularly seeking improvements can remain top of its game. The Evaluation Questions recognize the necessity for continuous improvement, not only in its questions in Section 9 on audit, testing, and updates, but also in how its focus on root cause analysis and risk assessments. Every instances of breach, whether it resulted in actual harm or not, is an opportunity for learning and improvement.

This same principle applies in the supplier/social responsibility auditing process. It is important for companies to ask how their auditors are keeping up with ongoing trends, regulations, audit practices/standards and realities, as well as themselves how they are learning from the audit findings in not just short-term remediation, but long-term improvements in how they manage suppliers.

———————-

Hui Chen may be contacted at www.HuiChenEthics.com

Auditor QuickQuiz Update

Our short auditor skills QuickQuiz has only been live for a few days and we have logged responses.  The number of respondents is smaller than anticipated but trends are appearing.

The Good:  Respondents understand follow through with sampling plans, are aware of the Fraud Triangle and know the role body language plays in interviews.

The Bad:  Most importantly, respondents have been unable to identify specific threats to auditor independence and they have demonstrated a lower-than-expected understanding evidence corroboration and hierarchy.  Other areas where knowledge improvements seem necessary are materiality determinations, awareness of basic audit terminology and the scope of a QA/QC review.

Keep those responses coming in, and thank you for taking a few minutes to complete it.

RY2016 Conflict Minerals Disclosure Analysis Now Available From Development International

Dr. Chris Bayer, PhD of Development International has released the latest comprehensive analysis of the SEC conflict minerals disclosures for the 2016 reporting year.  Elm Sustainability Partners is pleased to be one of the report’s sponsors this year.

The report is available to download for free.

 

Is 2017 the Time to Think About 2021?

This may sound like a US presidential election campaign, but thankfully it’s not. The EU conflict minerals directive is now final and reporting is required beginning January 1, 2021 – three and a half years from now. If you aren’t familiar with the upcoming EU conflict minerals due diligence and reporting obligations, take a moment to read what we think is a good, plain-language overview.

We have had many conversations about what the EU Directive means for companies right now. Below is a table of the more common discussion points that may be helpful to those grappling with whether to begin program development and implementation now or wait until the deadline is closer.

Pros

Cons

Third party service provider costs are low at this time due to maturity of conflict minerals reporting in US Program implementation costs and effort not yet necessary
Limited incremental costs for EU companies already reporting conflict minerals information to US customers or the SEC Program implementation costs and effort not yet necessary; regulatory uncertainty exists until member states adopt their own supporting mandates.
Flexibility in reporting Reporting format unknown at this time; regulatory uncertainty exists until member states adopt their own supporting mandates.
Potential competitive advantage may be gained with customers and corporate reputation Market awareness may be low currently, so investment now may not show a return
Acquire experience and correct program errors and gaps in advance of legal deadline, reduce risk of fines, penalties, customer pressure and reputational damage Further options and third party information sources likely to develop and improve over time, leading to better reporting at legal deadline

 

Feel free to contact us with any questions.

New Advanced Auditor Training Program for HSE/CSR Auditors

Elm Sustainability Partners and Elm Consulting Group International have launched a new training module for senior-level and experienced health, safety, environmental and social auditors seeking to improve their auditing skills and get updates on timely topics related to non-financial auditing and technology.

It is also relevant to those buying HSE/CSR audit services who are looking to improve the quality of audits they receive.  After this course, buyers can identify specific areas of audit practice improvements to request of their providers.  Alternatively, these buyers may wish to require their external HSE/CSR auditor to complete this training themselves.

A partial list of what is covered includes detailed review and practicum concerning:

  • auditor independence standards and managing impairment threats
  • audit criteria requirements
  • audit and evidence limitations
  • evidence hierarchy, weighting and corroboration
  • fraud, forgery and tampering – including new concerns brought about by technology
  • interviewing skills including fraud examination and FBI techniques
  • discussions of US Department of Justice Criminal Division Evaluation of Compliance Program criteria (2017), the June 1, 2017 US Public Company Accounting Oversight Board (“PCAOB”) auditor reporting standard on Critical Audit Matters and EU Non-financial reporting rule
  • audit QA/QC considerations

Each participant will take a pre-test to establish a knowledge baseline and identify specific areas for improvements.  Exercises are administered throughout and a post-test will conclude the session demonstrating the advanced competencies gained.  HSE/CSR regulatory and other technical topics will not be covered as this is not a regulatory update session.

Elm Principals are BEAC Certified Professional Environmental/Health/Safety Auditors (CPEA), have served on the Board of Directors of The Auditing Roundtable (recently merged into the Institute of Internal Auditors (IIA)) and BEAC, and have trained thousands of internal and external HSE auditors over the past three decades.

Contact us to learn how you and your team can take advantage of this unique program.

New Social Auditor Certification in the Works

We have been vocal in our concerns and criticisms concerning social/CSR auditing.  And we have ourselves been criticized for that. Fair enough.

The Association for Professional Social Compliance Auditors (APSCA) has released for public comment its draft Code of Conduct and Auditor Competency Standards – available here.

We support APSCA and its work towards improving the entire “ecosystem” of CSR auditing.  Anyone with a dog in this hunt should click on the link above and submit comments.  APSCA is keen to obtain input from as wide a range of stakeholders as possible to help become as credible as possible.  Given the breath of subject matter that is being demanded of CSR auditors by buyers of their services, there is a great deal of overlap in APSCA’s draft into environmental health, safety, transportation and other technical areas.

No Indication of Conflict Minerals Cutbacks in SEC FY2018 Budget

SEC Chairman Jay Clayton presented the FY2018 budget for the Securities and Exchange Commission to Congress today.  The conflict minerals disclosure was not specifically mentioned but the budget did contain some interesting details:

  • More than half of the Commission’s total headcount is assigned to enforcement activities of various types.
  • The SEC has not launched any new research initiatives to gather feedback from investors on the usefulness of disclosures since FY2012.  Apparently, the actions of Michael Piwowar concerning the conflict minerals disclosure were not based on formal research from the SEC itself about investor views.
  • The number of filings reviewed by the Division of Corporation Finance for CY2017 was 4900, and is expected to remain the same for CY2018.  Sarbanes-Oxley requires the SEC to review company filings at least every three years, so perhaps there is some level of review by the SEC of conflict minerals disclosures, even if no enforcement actions have (or apparently will) resulted.