There has been an increasing international focus on “conflict minerals,” which are sourced from mines in Central Africa and believed to benefit armed groups that engage in serious human rights abuses. In August 2012, the U.S. Securities and Exchange Commission (SEC 2012) issued a final rule (Release No. 34-67716) related to implementing new disclosures required by the Dodd-Frank Act that are aimed at dissuading publicly-traded companies from engaging in trade that supports conflict minerals. Beginning in 2014, many publicly traded companies will be required to issue Conflict Minerals Reports, and have the reports independently assured. For the first time, there is an SEC audit requirement for corporate social responsibility information. Significant uncertainty surrounds the nature of the requisite audit procedures and the form and content of the audit reports themselves. For example, issuers have the option of engaging auditors for either an attestation engagement or a performance audit. We summarize the SEC's final rule, with particular focus on the audit requirement, and discuss some challenges that audit firms face.
There has been an increasing worldwide focus on “conflict minerals,” which come from mines in the Democratic Republic of the Congo (DRC) and contiguous countries. These conflict minerals are believed to benefit armed groups that engage in serious human rights abuses; consequently, the U.S. Congress enacted Section 1502 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) (U.S. House of Representatives 2010). Subsequently, the U.S. Securities and Exchange Commission (SEC) issued a final rule to implement the new disclosure requirements required by the Dodd-Frank Act. The new reporting requirements are intended to discourage publicly traded companies (issuers) from engaging in trade that may support conflicts in and around the DRC. Section 1502 defines conflict minerals as cassiterite (tin), columbite-tantalite (tantalum), gold, and wolframite (tungsten). The SEC estimates that about 6,000 issuers will be directly impacted by the rule, mostly in the electronics, communications, aerospace, automotive, jewelry, and industrial products industries, with initial compliance costs ranging between $3 billion and $4 billion, and subsequent annual costs between $207 million and $609 million (SEC 2012).
Issuers with conflict minerals in their supply chain will need to include, in a new SEC filing (Form SD), a Conflict Minerals Report (CMR), which discusses the minerals' country of origin; any efforts made to determine the mine of origin and facilities used to process the minerals; and a description of any products (e.g., coffee cans, cell phones, automobiles) that are not “DRC conflict free.” An independent private sector audit of this report also is required, even for issuers who determine that their minerals are DRC conflict free.1 For the first time, there is an SEC audit requirement for corporate social responsibility information. The SEC estimates that 75 percent of registrants will need to issue a CMR and have it audited by an independent third party (SEC 2012, 318).2 This audit requirement has created a new service opportunity for audit firms and non-CPAs. However, there is significant uncertainty and little consensus regarding what will be required for these audits (Matthews 2013). Central to this ambiguity, issuers have been given the option of engaging auditors for either an attestation engagement or a performance audit (SEC 2012, 214).3 Unlike attestation engagements, performance audits do not need to be performed by CPAs, do not use a standard report form and language and, thereby, allow for more variation, leaving auditors to “fill in the blanks” (Matthews 2013). Regardless of the engagement type, the audit's objectives only are to confirm that the issuer's due diligence program, as described in the CMR materially, conforms to the nationally or internationally recognized framework used by the issuer, and whether the description of the program during the covered annual period, as disclosed in the CMR, is what the issuer did perform (SEC 2012, 285). The objectives are not to audit whether an issuer's products are “conflict free,” or whether the issuer's due diligence program is operating effectively.
Given the potential for continuing revenue streams from audits of CMRs, U.S. audit firms certainly are interested in pursuing this new assurance frontier. Table 1 contains links to reports published by several audit firms, as well as the American Institute of Certified Public Accountants (AICPA). The U.S. websites of several international firms discuss how they can assist in this new assurance service offering. However, this type of assurance is a far cry from the traditional financial statement audit and, consequently, audit firms are facing some challenges. In this paper, we (1) summarize the SEC's final rule, with particular focus on the private sector audit requirement, and (2) discuss some challenges that audit firms face with respect to the audits of CMRs. The remainder of this paper is structured as follows. The second section provides background information on the SEC's final rule on conflict minerals disclosures, with particular focus on the independent audit requirement. The third section discusses challenges audit firms face with respect to audits of CMRs. The final section provides concluding comments.
SUMMARY OF THE SEC'S FINAL RULE
Three-Step Disclosure Process
In August 2012, the SEC adopted a rule mandated by the Dodd-Frank Act that requires issuers to publicly disclose their use of conflict minerals emanating from the DRC or an adjoining country (i.e., Central African Republic, The Republic of the Congo, Tanzania, Burundi, Rwanda, Uganda, Angola, Zambia, and South Sudan). The motivation for such disclosures is to dissuade companies from trading practices that contribute to violence and civil rights abuses in Central Africa by funding rebel forces that prey on innocent peoples. The final rule applies to issuers that use minerals from which tantalum, tin, gold, and tungsten are derived, if the minerals are necessary to the functionality or production of a product manufactured or contracted to be manufactured by the issuer (SEC 2012). The rule (SEC 2012) provides for a three-step disclosure process, as follows:4
(1) An issuer must determine whether its manufactured products contain conflict minerals. If so,
(2) An issuer must determine whether the minerals originated in the DRC or an adjoining country. If so,
(3) An issuer with minerals from the DRC or an adjoining country needs to conduct due diligence and potentially issue a CMR.
If conflict minerals are not found in, or necessary to, an issuer's products or production process, the issuer is not required to move to step two. If, however, an issuer uses conflict minerals necessary to the functionality or production of a product manufactured or contracted to be manufactured by the issuer, the issuer must conduct a “reasonable country of origin inquiry” in step two. The actual steps to complete such an inquiry are not described, and they depend on each issuer's facts and circumstances (Ernst & Young 2012). The rule requires that the inquiry be reasonably designed to determine whether any conflict minerals, not from recycled or scrap sources, originated in the DRC or an adjoining country, and it must be performed in good faith (SEC 2012, 25). If an issuer discovers that its conflict minerals did not come from the DRC or a contiguous country, or came from recycled/scrap sources, the company is to provide annual disclosure to this effect, and include a discussion of its inquiry process on a new Form SD. Such issuers do not need to move to step three.
If the inquiry reveals that the issuer has reason to believe that it has used conflict minerals (necessary to the functionality or production of a product manufactured or contracted to be manufactured by the issuer) originating from the DRC or an adjoining country, which did not come from recycled/scrap sources, it must move to step three. Step three requires an issuer to conduct due diligence on its supply chain to determine whether its minerals are DRC conflict free (SEC 2012, 40). The DRC conflict-free designation indicates that the conflict minerals in the product did not benefit an armed group in Central Africa, even if it came from the DRC or an adjoining country. This due diligence must be carried out using a nationally or internationally recognized framework, such as the Organization for Economic Co-operation and Development's (OECD) Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas (OECD 2011). If the issuer determines, through its due diligence, that its conflict minerals are not from the DRC or an adjoining country, or are from recycled/scrap sources, it is required to report on its due diligence when it files Form SD, but it is not required to file a CMR.
Conflict Minerals Reports
If the issuer discovers that its minerals are from the DRC or an adjoining country and not from scrap/recycled sources, then it must file a CMR as an exhibit to Form SD, and obtain an independent private sector audit of its CMR. All issuers, both foreign and domestic, must comply with the final rule for the calendar year beginning January 1, 2013, (regardless of their fiscal year) with the first reports due May 31, 2014 (SEC 2012, 2). Through its due diligence, an issuer must attempt to determine which of its products are DRC conflict free or have not been found to be DRC conflict free.5 If an issuer determines that its products are DRC conflict free, it must obtain an independent private sector audit of its CMR, certify that it obtained such an audit, include the audit report as part of the CMR, and identify the auditor (SEC 2012). If any of an issuer's products have not been found to be DRC conflict free, in addition to the audit requirements, the issuer must describe the following in its CMR (SEC 2012):
The products manufactured or contracted to be manufactured that have not been found to be DRC conflict free.
The facilities used to process the conflict minerals in those products.
The country of origin of the conflict minerals in those products.
The efforts to determine the mine or location of origin with the greatest possible specificity.
Independent Private Sector Audit
Objective of the Audit
The SEC estimates that 75 percent of registrants will need to issue a CMR, and have it audited by a third party (SEC 2012, 318). The objective of the audit is not to verify the “conflict- free” status of an issuer's products, but rather to confirm that (1) the design of its due diligence program as described in its CMR conforms to the nationally or internationally recognized due diligence framework used by the issuer, and (2) its activities during the covered year are described appropriately in its CMR. The SEC refers to the OECD framework as the only presently available nationally or internationally recognized framework (SEC 2012, 28). This framework includes supplements that provide specific guidance for supply chain due diligence for conflict minerals. Consequently, we expect this framework to be the most widely used by issuers. The OECD framework includes the following five-step framework that issuers can use to create a responsible supply chain (OECD 2011):
(1) Establish strong company management systems.
(2) Identify and assess risks in the supply chain.
(3) Design and implement a strategy to respond to identified risks.
(4) Carry out independent third-party audits of smelters'/refiners' due diligence practices.
(5) Report on supply chain due diligence.
Examples of steps that companies should take to comply with this framework include establishing a traceability system in order to identify upstream actors in the supply chain, incorporating a supply-chain policy into contracts with suppliers, and establishing a company-level grievance mechanism as an early warning risk awareness system.
Attestation or Performance Audit
There is significant uncertainty and little consensus regarding what will be required for audits of CMRs (Matthews 2013). The GAO informed the SEC that GAGAS (yellow book) will be applicable for independent private sector audits of CMRs (SEC 2012, 214). GAGAS includes standards for both attestation engagements and performance audits—issuers have the option of engaging auditors to complete either an attestation engagement or a performance audit or non-CPAs to conduct performance audits (SEC 2012, 214). Unlike attestation engagements, performance audits need not be performed by CPAs, do not use a standard report form and language, and allow for more report content variation, leaving auditors to “fill in the blanks” (Matthews 2013). One Big 4 firm comments, “some companies may not find such variation desirable and may choose the stricter attestation engagement standards because they want the public to be able to easily compare them with other companies in their industry” (Ernst & Young 2012, 12). GAGAS attestation engagements must be conducted by a licensed public accounting firm, but this is not the case for performance audits. Engineering firms and environmental consultants are likely to be among those competing with accounting firms for this work.
Both CPAs and non-CPAs must comply with the GAO's continuing professional education (CPE) requirements (i.e., yellow book training), independence requirements, and peer review processes. Regardless of whether an attestation engagement or performance audit is conducted, the service scope, actual procedures, and documentation essentially could be the same because the same quality control standards apply.
The SEC does not believe that, if the issuer's independent public accountant also performs the independent private sector audit of the CMR, it would be inconsistent with the independence requirements in Rule 2-01 of Regulation S-X (SEC 2012, 216). This would nevertheless be considered a non-audit service, subject to the audit committee pre-approval requirements of Rule 2-01(c)(7) of Regulation S-X. If the accountant were to provide services that extend beyond the scope of the independent private sector audit, such as readiness and implementation assistance, the accountant would need to consider whether those services are inconsistent with Rule 2-01 of Regulation S-X (SEC 2012, 216) as well as AICPA and GAO independence standards.6
CHALLENGES FOR AUDIT FIRMS7
This section discusses some challenges that audit firms face regarding CMR audits.8 As with any new and non-traditional assurance service line, such as sustainability report audits, CMR audits present audit firms with several significant challenges. One challenge with which audit firms must contend is the natural tendency to “overreact” when reading the final rule. It is instinctive to conclude that the goal of a third-party CMR audit is to determine whether the client's products are DRC conflict free. This might entail organizing security details for auditors who choose to visit mines in Africa. This is not the objective of the CMR audit, however, and site visits are not required. The audit objectives are to determine whether (1) the design of the issuer's due diligence measures is in conformity with the OECD framework, and (2) the description of the issuer's due diligence measures is consistent with the process undertaken by the issuer (in other words, does the issuer's description reflect what they actually did). The rule makes no mention of auditors confirming whether the issuer's due diligence program is operating effectively or even placed into operation—only whether its design conforms to the OECD framework. This scope is much narrower than the scope of internal control over financial reporting audits required under Section 404 of the Sarbanes-Oxley Act (SOX).
The narrow scope of the CMR audit objectives presents other challenges for audit firms, however. Consider the first objective. The issuer may describe a due diligence program design in its CMR that is materially consistent with the OECD framework. The auditor checks the box and moves to the second objective. In its CMR report, the issuer also describes what diligence measures were actually performed, and the auditor must confirm whether the issuer actually did what they say they did. If the issuer did a minimal amount of due diligence (e.g., simply made a couple of phone calls to suppliers), but accurately described these minimal measures in the CMR, the auditor would have to check that box as well, and the issuer would receive a clean audit opinion, regardless of whether the actual procedures it performed are consistent with their design as described in the CMR. This possibility should encourage audit firms to carefully consider how they draft the CMR audit reports. Some firms may wish to go to great lengths in the audit report to describe what they did not do so that expectations gaps are avoided.
Some audit firms that audit an issuer's financial statements also may be interested in conducting the CMR audit for that issuer. A significant challenge that these audit firms may face is convincing audit committees that this is allowed (i.e., that this service does not violate independence requirements or create an appearance that the audit committee wishes to avoid). Contributing to this challenge is the SEC's decision on how issuers are to categorize fees related to the CMR audit in the principal accountant fee disclosures. The final rule states that these fees must appear in the “All Other Fees” category rather than in the audit fees or audit-related fees categories (SEC 2012, 216). Because of independence concerns post-SOX, some audit committees may be hesitant to hire their financial statement auditors for any service for which the fees would appear in the “All Other Fees” category.
Another challenge that audit firms could face relates to CMR audit engagement staffing. Auditors performing the CMR audit must be in compliance with GAO CPE requirements. Many financial statement auditors who do not usually work on audits of governmental entities, private universities, nonprofits, etc. may not have the required yellow book CPE. Auditors who only are involved in performing field work and who charge less than 20 percent of their time annually to audits conducted under GAGAS are required to take 24 hours of yellow book training in each two-year period, but do not have to comply with the remainder of the usual 80-hour GAO CPE requirement (GAO 2005). This CPE requirement may impact audit firms' CMR audit staffing decisions. Some firms may wish to bring the normal issuer engagement teams into compliance with yellow book training, while others may choose to train auditors who are already yellow book compliant on CMR matters, creating special teams that handle all CMR audits. Even within the same firm, different practice offices may take different approaches. An advantage of bringing regular issuer engagement teams up to speed with yellow book training is client familiarity. Clients generally prefer consistency in engagement teams, and may not wish to work with an entirely new set of auditors on the CMR audit. A disadvantage is the significant training costs involved.
Another challenge is the necessity for more senior, rather than junior, auditor time to perform the first audit objective. Evaluating the design of a client's due diligence program is not something that can be performed by staff or perhaps even audit seniors. The significant amount of partner and manager time necessary to carry out the first audit objective may lead to lower leverage audits (i.e., a greater proportion of manager/partner time may be necessary for this type of engagement relative to a traditional audit engagement), which is something with which audit firms will need to contend.
In addition, pricing CMR audits may prove difficult as 100 percent of the CMR audit will involve the nature of information that appears in the client's CMR, and currently there are not many examples of CMRs. Consequently, developing detailed audit procedures for CMR audits is currently very challenging for audit firms, if not impossible. The specific audit procedures will depend on what information issuers put in their CMRs, and there likely will be substantial variation in such reports from issuer to issuer. For example, some issuers may take a risk-based approach in evaluating their supply chain for conflict minerals and target only higher-volume suppliers that are more likely to be using conflict minerals. Audit firms must determine if their approach is reasonable. Also, audit firms must determine if the design of the issuer's program for identifying products that may contain conflict minerals is effective. Conflict minerals may be present in products less obvious than coffee cans, such as medical supplies containing polyvinyl chloride (PVC). Some audit firms may develop general audit programs, with the opportunity for individual engagement teams to insert the specific steps they developed and conducted when performing the CMR audit for a particular issuer. This “custom” audit approach may prove challenging and lead to some variation in audit conduct and perhaps quality across CMR audits, depending on the approaches taken by individual engagement teams. Although audit quality could also vary across traditional financial audits, the tailored nature of CMR audits may exacerbate this concern.
Step four in the OECD framework for creating a responsible supply chain instructs issuers to carry out independent third-party audits of smelters/refiners' due diligence practices (OECD 2011). This step may be very challenging for issuers and, consequently, for audit firms. An issuer may work with several smelters in various countries and, unless the issuer reviews credible audit reports for 100 percent of these smelters, questions will persist as to whether this step can be considered accomplished. Although there is some pressure on smelters to comply with conflict-free programs, which include audits, not all smelters do this.9 The audit firm must determine if the issuer's design of efforts in applying step four are reasonable. For example, if the issuer reviews credible audit reports for 30 percent of the smelters they work with, is this design reasonable? These and similar questions may pose significant challenges for auditors.
The SEC's final rule on the required disclosures for CMRs and related independent audits beginning in 2014 has opened the door for a new opportunity for assurance services provided by U.S. audit firms. For the first time, there is an SEC audit requirement for corporate social responsibility information. These engagements provide audit firms with the potential for an ongoing new revenue stream. Notwithstanding this upside, audit firms are faced with substantial challenges in developing and executing this new type of assurance service. Significant uncertainty surrounds the nature of the requisite audit procedures and the form and content of the audit reports themselves. In this paper, we summarized the SEC's final rule, with particular focus on the private sector audit requirement, and outlined some challenges that audit firms may face when conducting CMR audits.
The SEC uses the term “private sector audit” in the final rule to indicate that the audit may not be performed by a governmental or quasi-governmental agency (SEC 2012).
The SEC has deferred to the Government Accountability Office's (GAO) generally accepted government accounting standards (GAGAS) for audits of CMRs. GAGAS often is referred to as the “yellow book.” The third-party auditor must be independent under GAGAS.
We discuss this choice further in a subsequent section. For the sake of simplicity, both types of engagements are referred to in this paper as audits, except where a distinction is necessary. Consequently, we caution that our use of the term “audit” in this paper may not necessarily correspond to the traditional use of the term.
We present the SEC's flowchart summary of the final rule in Appendix A.
Some issuers that, despite their due diligence efforts, are unable to determine whether their products are DRC conflict free are allowed to describe their products as “DRC conflict undeterminable” for a transitional period (2013 and 2014 for larger issuers, and 2013 through 2016 for smaller issuers). An independent audit is not required for issuers for which all products are “DRC conflict undeterminable” during this transition period (SEC 2012, 29–30).
An AICPA task force developed a flowchart to aid in CMR auditor independence considerations. The flowchart is available at: http://www.aicpa.org/InterestAreas/FRC/DownloadableDocuments/Conflict_Minerals/FRC_Conflict_Minerals_IPSA_Independence_Flowchart.pdf
We thank Dorsey Baskin for his helpful assistance with this section.
Although non-CPAs may conduct performance audits, our discussion is primarily directed toward audit firms.
Organizations such as the Electronic Industry Citizenship Coalition and Global e-Sustainability Initiative maintain online databases of smelters that are in compliance with their conflict-free smelter program. See, http://www.conflictfreesmelter.org/cfshome.htm
We thank Rich Houston and Dorsey Baskin (editors) for their helpful comments and suggestions.