There is more interest in the Independent Private Sector Audit (IPSA) than ever before, and companies should be aware of important considerations in planning their Conflict Minerals Report (CMR) and preparing for IPSAs. Unfortunately, misinformation continues to be spread in the market which can cause issuers to spend more than is necessary for their IPSA.
A consulting firm just announced it “received an independent auditor’s opinion that [the consultant’s] RCOI and due diligence process design and measures performed are in compliance with Step 2 of the OECD Due Diligence Guidance.” The firm explained that “[b]y undergoing an audit of the design and performance of our RCOI and due diligence processes, we simplify the auditing requirements of our clients” because, they continued, “it did not make sense for each of our clients to be audited individually against the same process over and over again.”
This marketing ploy might sound good, but the practical impact is minimal – if anything at all – for companies needing an IPSA.
To begin with, the audit described is specifically limited to OECD Step 2 – the equivalent of the SEC Reasonable Country of Origin (RCOI) process. The SEC staff’s answer to Question 18 of their April 7, 2014 FAQs plainly states that RCOI processes, along with associated procedures under a nationally or internationally recognized due diligence framework (i.e., Step 2 of the 5 Step OECD Due Diligence Guidance) are not within the IPSA scope. So the subject of the consulting firm’s audit is not part of the IPSA audit process. For OECD Step 2 to be relevant in the IPSA, an issuer would have to unnecessarily expand the discussion of due diligence measures undertaken to include RCOI activities.
Second, while GAGAS allows auditors to rely on work done by others, there are conditions associated with this reliance. For Performance Audits, these conditions are covered in Sections 6.40 – 6.44. To sum those up, an IPSA auditor
… should obtain evidence concerning the other auditors’ qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors is adequate for reliance …
Given these conditions, an IPSA auditor may have concerns including:
- As explained above, the scope of the OECD Step 2 audit is not directly relevant to IPSAs of issuers who thoughtfully craft their CMR to exclude RCOI activities and results from their due diligence description.
- The OECD Step 2 audit was conducted by a non-US CPA firm whose experience in conflict minerals, the OECD Framework and/or the United States GAGAS audit standards is unclear.
- There is no indication of the audit criteria or process used, evidence considered in the audit, audit risks and limitations or the independence of the CPA firm.
- With IPSAs being a new concept, scope and use, practitioners are not likely ready to rely on the work of others. We ourselves are not comfortable with doing so without conducting a significant amount of verification work that could offset the anticipated value of the other audit.
Elm has recommended that companies consider a formal evaluation of their RCOI processes, especially for Form SD-only filers. But we did not intend or anticipate that such a review be a formal audit, nor have any specific use in an IPSA context. Because it doesn’t.
Issuers should be aware of the influence they have on the IPSA effort/cost by virtue of the CMR language they develop. When this is recognized, an issuer can craft a CMR that sets the foundation for an efficient IPSA. If you are not sure about the auditability of your CMR, you can engage an experienced consultant/auditor to conduct a readiness assessment, or train your internal audit staff to do the review and provide on-going support. Feel free to contact us about either service if you are interested.