Tag Archives: auditing

How to Say “DRC Conflict Free” Without an IPSA

As the SEC conflict minerals filing deadline closes in, companies are carefully assessing what to say in their Form SDs and conflict minerals reports, especially in light of the recent statement from the Commission about enforcement of the filings.  Certainly, part of the internal deliberations concern how – or whether – to describe product determinations.  If a company voluntarily chooses to use the words “DRC Conflict Free” in its Conflict Minerals Report, then an Independent Private Sector Audit (IPSA) is required.

But did you know that the words “DRC Conflict Free” can be used without triggering an IPSA?

Without going into the painful explanatory details, issuers who file only a Form SD can use the specific determination wording in the Form SD without needing an IPSA.  As SEC stated in FAQ #19,

An issuer is only required to obtain an IPSA of its Conflict Minerals Report and not of the disclosures contained in the body of its Form SD.

The basic rationale is that when the RCOI results indicate there is no reason to believe that necessary conflict minerals did or may have originated from a covered country,  only a Form SD is required and additional due diligence is not necessary.  Therefore, a Form SD-only filing means that products are “DRC Conflict Free” by virtue of the absence of materials from a Covered Country.

But be careful – this only applies to Form SD language.  We also caution against claiming DRC Conflict Free in a Form SD that includes the CMR exhibit – but the CMR doesn’t mirror the Form SD.

We are happy to answer any questions you may have.  Feel free to give us a call.

New Comments to SEC Show Ongoing Misunderstanding, Excess Spending for Conflict Minerals Rule

The new public comment period initiated by SEC Acting Chairman Michael Piwowar is now closed and we have reviewed almost all the submittals.  What is surprising is that there still seems to be significant misunderstanding or interpretations of the rule, and some issuers are spending far more than is likely necessary.  The following comments and estimates that caught our attention:

  • Two industry groups cite a company spending $10 million in initial implementation costs and $3 million in ongoing costs (most likely the same company).  We were shocked to see those numbers.  No client of ours, nor any of the many Fortune 500 we have direct or indirect contact with, has expended that much in relation to the Rule.  
  • One company is cited as needing 7 months to survey 300 suppliers.  If that is indeed current information, there are most likely program implementation approaches available that the company is unaware of, or has chosen not to pursue.
  • Another commenter privately disclosed their cost and associated scope of their efforts to us in an email dialogue.  Based on our understanding, that company is expending approximately 90% more effort than needed.  They have received poor guidance on the rule or made a voluntary decision to go down that path.
  • There are multiple references to an estimate of an IPSA costing $250,000 – $350,000 and taking six months.  This estimate appears to reflect the original proposed rule rather than the IPSA objectives and scope of the final rule and the subsequent guidance.  During the proposed rule phase, little guidance was available on the IPSA and the auditing community anticipated full supply chain audits, or audits that confirmed product determinations. The final rule made it abundantly clear that the actual IPSA objectives/scope are far narrower.  

If you think you are spending more than is necessary for your conflict minerals program, give us a call.  We can probably find ways to reduce your effort and costs.

BREAKING: Acting SEC Chair Opens Conflict Minerals Guidance, Rule for Public Comment

UPDATE February 2, 2017:  We have confirmed with SEC Staff that the request for comment does indeed extend to the entire rule, not just the 2014 Guidance.

Acting SEC Chairman Michael Piwowar issued a statement this evening concerning the conflict minerals rule and the April 29, 2014 Guidance from the Commission making the use of specific determination wording voluntary, and thus the Independent Private Sector Audit.  Piwowar is “directing the [SEC] staff to consider whether the 2014 guidance is still appropriate and whether any additional relief is appropriate in the interim.”  The statement includes a 45-day public comment period on the matter.

Although there is ambiguity in this statement that we hope to get clarity on soon, it appears that the statement may only relate to the 2014 guidance and not the rule as a whole.  In addition, it also appears that the outcome of the SEC’s action in relation to Piwowar’s statement applies to filings covering calendar year 2017 and therefore may not impact activities currently underway by issuers preparing for their CY2016 filings.

Updates and additional information will be provided during our webinar to be held Thursday, February 2.  Sponsored by TheCorporateCounsel.net, other panelists include Michael Littenberg, Christine Robinson and Dave Lynn.

You Are What Your Suppliers Do: Supplier Actions Make Headlines, Break Business

With companies facing increasing pressure for the actions of every part of their supply chain, demand for – and reliance on – supplier/corporate social responsibility (CSR) audits conducted by third parties has grown rapidly.

Shirts, Phones, Rocks and Shrimp

But there is concern about the quality, reliability and credibility of these audits.

CSR Auditing and Toilet Paper

Is Social Auditing Really Auditing?

Harvard Professor Identifies Factors for Meaningful CSR and Supply Chain Audits

You Don’t Know What Your Suppliers Are Hiding

Companies rely on their CSR audit firm to utilize qualified auditors, employ adequate QA/QC processes and expend adequate time to conduct a reasonable audit. Yet there are no generally-accepted professional CSR audit practitioner standards. Moreover, due to cost pressures, lowest cost audit providers are frequently selected that may not have appropriate auditing skills or training – the largest CSR audit firms conduct tens of thousands of these audits each year. Increasing audit time and costs to improve quality or credibility is typically not realistic – the business model is inherently high-volume, low margin.

Are these audits effective at findings supplier actions that create risks for you? Can a company gain confidence in their CSR audits without adding costs? Is a change in auditors necessary?

Improve Credibility for Disclosures, Media and Customers

Changing audit firms is not necessary, nor is another layer of auditing. Instead, a formalized auditor training program can be a low cost yet effective solution.

The Elm Consulting Group International is expanding our well-proven auditor training program to companies who use CSR/supply chain auditors. The intent of this program is for brands to provide detailed communication and training to their current CSR/supply chain auditors about the company’s requirements for auditor competence, audit quality and processes in order to enhance the credibility of audit information.

Our formalized training for existing CSR auditors builds their client’s confidence in the quality of the work provided. The program is not intended to provide training on specific audit topics such as child labor or worker rights. Instead, the focus is on proven audit techniques such as:

  • Understanding and applying professional skepticism
  • Interviewing and active listening
  • Identifying and responding to non-verbal cues within multi-cultural contexts
  • Evidence sampling methodologies
  • Using information from different sources
  • Verification and recomputation techniques
  • Judging audit evidence quality and limitations
  • Fraud detection
  • Using working papers and audit protocols
  • Writing effective and complete audit findings
  • Audit quality expectations, requirements and processes
  • Maintaining auditor independence, including auditor rotation

Our Qualifications as The Leader in Auditor Training

Our HSE auditor training experience began in the 1980s and we have successfully trained hundreds of external and internal auditors. Elm Principals hold auditor certifications from the US Board of Environmental, Health and Safety Auditor Certification (BEAC, now wholly merged into the Institute of Internal Auditors) and UK Institute of Environmental Management & Assessment, are approved trainers for the IIA EHS auditor certification program and are subject to annual continuing education requirements ourselves. Further, Elm Principals have served in various Board positions in The Auditing Roundtable (merged into the IIA in 2016) and BEAC, including the current BEAC Chair.  More information about our internal audit quality and auditor competence standards is available here.

Give us a call at 678-200-3424 or contact us via email to discuss how we can help you increase confidence in your CSR audits.

Dr. Seuss Essay on Auditing Updated

In the early 1970s, buried in one of his books, Dr Seuss penned a little known essay on auditing. For those not familiar with it, the full text follows:

Oh, the jobs people work at!


Out west near Hawtch-Hawtch
 there’s a Hawtch-Hawtcher Bee-Watcher. His job is to watch…
is to keep both his eyes on the lazy town bee. A bee that is watched will work harder, you see.

Well… he watched and he watched. But, in spite of his watch, 
that bee didn’t work any harder. Not mawtch.

So then somebody said,
“Our old bee-watching man
just isn’t bee-watching as hard as he can. 
He ought to be watched by another Hawtch-Hawtcher!
 The thing that we need
is a Bee-Watcher-Watcher!”

 The Bee-Watcher-Watcher watched the Bee-Watcher.
 He didn’t watch well. So another Hawtch-Hawtcher
had to come in as a Watch-Watcher-Watcher!


And today all the Hawtchers who live in Hawtch-Hawtch are watching on Watch-Watcher-Watchering-Watch,
Watch-Watching the Watcher who’s watching that bee.


You’re not a Hawtch-Watcher. You’re lucky, you see!”

Words of wisdom from an unlikely source.  And for a little amusement, Elm takes Seuss a little further.

We decided to try our own hand at rhyme
And update the story to these current times.

Auditors watch the things clients do
And also suppliers when they’re in scope too.
They see if the list of everything bought
Was made in conditions just like it was thought
Or from those hoping they’re not getting caught.

The Hawtch-Hawtch bee watcher failed as you know
Since audits alone don’t work, we shall show.
What can we learn from those watching the bee?
I see two things – well, actually three.

The bee – when watched – was supposed to work more
But that’s not what bee itself had in store.
Instead what it did was kept right on doing
Not a thing – the watcher was just cud-chewing.
The town of Hawtch-Hawtch thought things would be fine
As long as an auditor watched all the time.

That, my dear friends, is flaw number 1 –
Audits alone are but one part of the fun,
After the watching, there’s more to be done.

The next wrong expectation in this story I find
Is the scope of the watching is not well defined.
What does it mean to “Watch as hard as you can?”
The watchers weren’t sure – down to the last man.
Had they been told, they could do the job well
And not let past problems fester and swell.

Today, what of CSR, governance and sustainability?
The words are unclear – I think they’re meant to be.
No clarity was given those Hawtch Hawtch bee watchers
So they all failed, got sore feet and bad postures.

And now, my beloved, we’re at flaw number three
Which is simply bad audit and auditor quality.
Bad bee watching – at least supposedly so –
Made the line of watch-watchers grow – grow – grow
That perpetuated the flaws that all went before
Meaning Hawtch-Hawtch kept getting more, more and MORE
Of the same watch watchers already there
Who did nothing more than stare, stare and stare
At the same old thing day after day,
Focused on billable hours, bonus and pay.

Most of them ranked low and were unqualified
To be a watch watcher – they weren’t certified.
Maybe because that would cost a bit more
Than the ineffective work that had been done before.
But Hawtch-Hawtch didn’t care to look into this
Not concerned with things that were possibly missed.

Now Hawtch-Hatwch is not a maker of stuff
That uses slave labor and treats their folks rough
And whose business will shrink when good auditors see
What unscrupulous companies do with glee.

In sum, Seuss told us of things one through three
These things – for auditing – are important and key.
But, I say friend, don’t take it from me
Go back and look that old Hawtch-Hawtch bee.

CSR Auditing and Toilet Paper

In the 1990s I worked for a large paper company and one of the products we made was a name brand toilet paper. As TP goes, this was nice stuff – 2 ply, thick and soft. We marveled that the product didn’t sell well in markets dominated by products that were thin, had holes and fell apart too easily. It baffled us that so many people didn’t care about what ends up on their hands.

Today there is a surprising demand for third party environmental/safety/social/supply chain audits that are equivalent to cheap TP – thin, single “ply” (i.e., one dimensional) and full of holes.   Yet even in the midst of so much reliance on audits, very few buyers of these audit services seem to be concerned. Its not only us that sees this – a fascinating article published earlier this week called out Amazon, The Children’s Place, Gap, Hanes, J-Crew, JC Penny, Kohl’s, Macy’s, Nike, Pink, Polo, Target, Walmart and Zara for “ineffective … CSR monitoring, corporate codes of conduct and industry ‘social audits’ … in protecting the rights, health and safety of millions of workers in global supply chains.”  This, after a decade of CSR audits, is the author’s conclusion.

The article goes on to discuss related failures and inconsistencies in certifications and audit scopes. Our own experiences support this – all too frequently we have seen companies pursuing various certifications solely in order to have a certificate to frame and hang in their lobby. One unfortunately memorable experience came a week after a client had completed their ISO14001 recertification audit. The ISO auditor passed the site with flying colors and was highly complimentary of their program. However, our compliance audit found – with little effort – criminal environmental violations that resulted in the site environmental manager losing his job and one of the few instances where self-disclosure to EPA was warranted without question. This isn’t necessarily a problem with the standards themselves – the problem rests completely with the auditors responsible for assessing the sites.

This criticism shouldn’t be a surprise to anyone who is familiar with current CSR audits and auditors. Certainly there are excellent and conscientious practitioners in the field, but the pricing model of these audits tends to support minimalism all the way around. In a recent article on this topic, we stated our belief that the pricing of CSR audits is directly in response to severe operating cost pressures placed on the manufacturers by the brands. But that circles back to consumer buying preferences as we pointed out six years ago. If attributes other than price and product performance were truly key buying criteria, then the entire economic ecosystem (eco-ecosystem??) would be different.

We do not offer typical CSR/supplier audits because we flatly refuse to compromise our professionalism in order to be cost competitive in this market. Our respect for clients and concern for the risks they face exceeds our desire to compete for revenue from these services in the current market. But, as evidenced by what the article states is an $80B year CSR industry, many people are okay with using cheap toilet paper and don’t seem to care what will end up on their hands.

A few key things you should do to help prevent continuing CSR audit failures:

  • Ensure the audit scope matches the auditor(s)’ backgrounds.  For example, after Raina Plaza, CSR auditors have been increasingly asked to provide information on structural engineering and local electrical code compliance.  These matters require specific technical knowledge beyond that of a typical CSR auditor.
  • Explore the auditor(s) professional qualifications. Do they hold a relevant third-party certification?  How much continuing education do they require on an annual basis?  What fraud detection training have they had?  What are the audit firm process for ensuring independence of the individual auditors, not just the firm as a whole?  Auditors should consider themselves professionals and hold themselves accountable to appropriate standards for qualifications.  If they don’t, that speaks volumes about their attitude toward their work.
  • Test the auditor(s) technical knowledge beyond their checklist.  Does the auditor understand the applicable requirements beyond what is written in the audit checklist or protocol?  There are few times when reality matches the criteria on paper.  You want a professional who is prepared to apply knowledge and expertise objectively and pragmatically, not just check boxes on paper or a screen.
  • Find out how much time the auditor(s) spend onsite, and on each audit activity.  Generally speaking, one day (or less) total on-site is too little for any credible audit scope.  The auditor should reasonably balance their time between document reviews, interviews and visual observations.  If you don’t feel there is adequate time spent or balance in the activities, make your auditor change their practices.
  • Observe – or get feedback on – the auditors’ bedside manner.  An auditor’s attitude and non-verbal cues have a significant impact on the amount and quality of information they are able to gather from the audited entity, and how that entity responds to the audit and corrective actions.  Interviews conducted by the auditor should be non-threatening.  Using active listening techniques without sounding condescending or like a robot is an art form not easily mastered.
  • Look at audit report findings and the cited evidence.  Are findings based solely on interviews?  While this can be acceptable in some settings/situations, information from interviews should be corroborated with another type of audit evidence such as documentation, recomputation or direct visual observations.  If findings are not based on objective and repeatable evidence, make your auditor change their practices.  Issues based on interviews alone should be brought forward in a mechanism outside the audit report as those don’t meet the requirement for a formal finding.
  • Determine how audit reports are peer reviewed – or are they peer reviewed at all?  Does the review require the auditors’ original notes so the reviewer can confirm that the audit evidence supports the findings?  All audit reports should go through a formal internal quality check.
  • Don’t get swayed by broad company or program certifications such as ISO.  While these certifications can be an indicator of internal process formalization, understanding the reality of auditor performance in your specific need is far more important.
  • When considering an auditor, call client references and discuss their experiences, both positive and negative.  Obviously, references are specifically selected to present a positive image.  Expressly ask the reference to offer comments about matters or situations that are not so positive.

CY2016 Conflict Minerals Reports: Ready… Set… IPSA!!

How many conflict minerals IPSAs will be conducted for the CY2016 SEC filings given that nothing has changed from last year (or the year before) concerning the IPSA trigger?  Certainly you recall the April 29, 2014 Statement from the SEC’s Keith Higgins (who today announced that he will depart the SEC next month) clarifying that, until further specific action by the SEC, an IPSA is required only when an issuer voluntarily chooses to use the wording “DRC Conflict Free” when describing their products.

There has been no further action on the matter from the SEC.  Yet more companies are already asking us for proposals to conduct an IPSA even where the company doesn’t plan on making a “DRC Conflict Free” determination.  Such an IPSA could do more than meet the SEC audit objectives.  As a voluntary and perhaps “unofficial” audit, the scope can be more flexible and address substantive issues concerning program effectiveness and conformance to the OECD Due Diligence Guide or SEC requirements, helping the company to answer important questions about the quality and robustness of their due diligence program.  This kind of IPSA would provide much more value especially as due diligence programs are rapidly expanding beyond 3TG and the DRC.

It is worth serious consideration.

Another approach was very popular last year – our auditability reviews.  This gives clients a detailed understanding of how an IPSA auditor will likely interpret CMR language and approach an official IPSA.  We have identified much unintended – or unexpected – broadening of the IPSA scope and cost for clients and provided detailed insight as to how an auditor is likely to apply sampling and audit evidence elements of the Performance Audit standards to draft CMR language.  Our IPSA auditability reviews are a low cost, low risk alternative to a mock audit.

And what of those 12 companies called out by name in the Development International report as not filing an IPSA even though they classified at least one product as “DRC Conflict Free”?  We will see.

Apropos: Dia de los Muertos and the Billable Hour

Today is Halloween in the US and Dia de los Muertos in Mexico.  It is a time based on the idea of reflecting on death.  Now we aren’t being morbid here – instead we grinned at the amusing irony of the timing of this article on LinkedIn which is an obituary to the billable hour.

We absolutely agree with the downsides of billable hours.  All of us at Elm, in prior points in our careers, have had ourselves and clients held hostage by the almighty billable hour.  Over the past several years, we decreased our use of hourly rates and billings – instead working on a daily rate or, increasingly, on a fixed fee basis.

Given all that is right with eliminating hourly billing, a reasonable person might ask why doing so remains ubiquitous for consulting/auditing firms?  Yet another irony for those of us who help client organizations in changing their internal culture – because it’s the way it’s been done in the past. 

Hmmmmm.

ALERT – Judge Assigned to Conflict Minerals Remand Case

If you haven’t already seen this alert from Michael Littenberg, the judge in the DC District Court has been assigned for the next (hopefully final) phase of the NAM v SEC case.  In the alert, Michael stated that “the case was randomly assigned to Judge Ketanji Brown Jackson.”  Judge Jackson is not the same judge in the original case (Judge Robert Wilkins).

Michael also indicates that “it is highly unlikely that the mandatory audit requirement will be reinstated for the 2016 compliance year, and the reassignment of the case to a new judge does not necessarily mean that we will see a quick resolution of the case.”

We agree and do not suggest that this be interpreted as a sign that RCOI, due diligence and a Form SD/Conflict Minerals Report will not be required for CY16.

Conflict Minerals IPSA Objectives, Country of Origin Identification Criticized

The highly respected duo of Mike Loch and Dr. Chris Bayer published a pointed article exposing several flaws in company conflict minerals reporting and the Independent Private Sector Audits (IPSAs) for CY15.  Based on their analysis of the findings, companies:

… failed basic plausibility tests concerning the Tin, Tantalum, Tungsten and Gold (3TG) Country of Origin (COO) and the 3TG Smelter or Refiner (SOR) countries.

Examples include references to DRC as the location of smelters/refiners  (“As far as we know, no smelter or refiners processing tin, tungsten, tantalum and gold ore are located in the DRC”).  Further, they found “a considerable number of companies, over 250, cite countries as the source of their 3TG that are highly unlikely to be the actual source.”

In our view, these are legitimate concerns, indicating a widespread over reliance on a single source of smelter/refiner data with no substantive review or consideration given to the data by the issuers themselves.

With regard to the IPSA,

… among the companies submitting implausible COO, four (4) companies made a “DRC conflict free” product determination and underwent an IPSA.  These four IPSA’s were performed by three different audit firms.

These findings illustrate the fact that the two IPSA objectives in the SEC Rule do not take into account the accuracy of the content and conclusions …

At first glance, this may be taken as a critique of the three audit firms – but in reality it is not.  Rather, Mike and Chris point out – as we ourselves have stated many times – the specific IPSA objectives offer very little assurance with respect how thoroughly or how well companies conduct their due diligence.  Other critiques of IPSAs and auditors have incorrectly placed blame on audit firms for following the legally-mandated objectives.  Even though Elm was not one of the three audit firms indicated, we – as do Mike and Chris – do not believe the auditors are at fault in any way.