Responsible Sourcing Programme Third Party Assurance Guidance

Assurance Process and Key Considerations

The Assurance Provider must undertake several responsibilities throughout the engagement. This includes planning the engagement and conducting an engagement risk assessment, performing testing procedures to gather sufficient appropriate assurance evidence, and completing an overall evaluation of the engagement to form and reporting their conclusion.

In an ISAE 3000 assurance engagement, the detailed testing plan is designed by the Assurance Provider based on the output of their planning and risk assessment procedures. Risks are considered as a reasonable possibility of a material misstatement in the Refiner’s Compliance Report and Country of Origin Annex. The risk assessment is expected to be unique for each engagement and prescribing assurance procedures is therefore not possible.

This section, however, provides guidance on key considerations at each stage of the assurance engagement. Assurance Providers must note that this is not an exhaustive list of ISAE 3000 requirements and assurance considerations, nor should it be considered an assurance programme to be followed for every engagement. Practitioners are expected to incorporate this guidance into their own assurance programmes as relevant.

Assurance Phases

3.1 Planning and Assurance Engagement Risk Assessment

Objective: Assessing the engagement risk and setting the assurance plan

The objective of this phase is to assess the suitability of the assurance criteria and obtain an understanding of the Refiner's business, sector, industry and environment, its reporting policies, practices and performance, and the intended users of its report, to identify the risk of material non-conformances on which to focus the audit procedures. In this phase, the Assurance Provider undertakes desktop research supplemented by other procedures to:

  • Assess the Refiner’s interpretation and application of the Guidance, and evaluate the suitability of the assurance criteria
  • Review the Refiner’s general control environment with respect to responsible sourcing.

Assurance Providers follow the criteria set out in Step 1 of the Guidance: Establish strong company management systems to assess engagement risk. However, while the planning phase is a key step to managing assurance risk and engagement efficiency, the effectiveness of the assurance plan, including the nature, timing and extent of the planned procedures with respect to emerging material non-conformances, should be reconsidered throughout the engagement as an iterative process.

When assessing the suitability of the criteria, the Assurance Provider should be aware of the following:

  • Professional scepticism – the need to maintain an independent and sceptical mindset, and entertain a realistic possibility that management’s assertions may be misstated
  • Management bias – there may be reputational and commercial consequences to non-conformance
  • Cultural considerations – the requirements of the Guidance may not be easy for companies to apply across all their operations, and there may not always be a
    cultural fit with certain territories. The Assurance Provider needs to preserve a mindset that does not consider inconsistent application of the Guidance
    and/or unethical behaviour to be acceptable for certain areas.

Guidance (ISAE 3000 / RGG)

Obtain an understanding of the Refiner’s operating environment
Identify the intended users and their information needs

Key considerations

Business and organisational structure:

  • Parent, subsidiaries, affiliates and their activities and locations
  • Names and locations of refineries, and types of precious metals-bearing material received and processed
  • Base metal refining operations to determine whether precious metals-bearing material could be mining byproducts
  • Units or operations that are actively contributing to precious metals activities, processes and systems, including off-site offices, processing facilities and/or storage areas
  • Material processing method
  • Participation in other precious metals supply chain initiatives and commitment to ESG
  • Publicly available information on business partners and precious metals supply chain practices
  • General industry or market developments that may require specific attention
  • Prior year’s Compliance Report and Assurance Report
  • Prior year’s Management Report and Corrective Action Plan
  • Precious metals supply chain policy and procedures
  • Other internal or external audit / assurance engagement relevant for aspects of the LBMA assurance (e.g., antimoney laundering audits, bribery and corruption audits, ESG audits)
  • Prior and current year (if possible) Country of Origin Annex.

Guidance (ISAE 3000 / RGG)

Adopt and commit to a policy for gold supply chain due diligence

Key considerations

Policy evaluation:

  • Gap assessment of the Refiner’s policy against Step 1.1 of the Guidance including:
    - OECD Annex II risks
    - Environmental, Social and Governance risks
    - Minimum criteria to be addressed in the policy document
  • Policy implementation:
    - Policy implementation and monitoring processes, including:
    o Effective date and formalisation process
    o Frequency of review and update process
    o Internal and external communication
    o Monitoring of policy awareness and understanding
    o Publication of policy
    o Incorporation of previously identified corrective actions where relevant.
  • Note 1: In practice, Refiners may have a suite of policies which cover the Guidance requirements, including codes of conduct, procurement policy, human rights policy, anti-money laundering and cash transactions policy, and anti-bribery and corruption policy. In some cases, the Refiner may have a principles-based policy for external publication with detail referenced in additional internal policies and/or process documents. The auditor should review these collectively to ensure all requisite elements of the Guidance are covered.
  • Note 2: Policies may not always reflect updates to the Guidance or the OECD Due Diligence Guidance. For example, recent additions in the RGG regarding environment and sustainability, and payments of taxes, fees and royalties due to governments in the OECD guidance are frequently missing from Refiners’ policies.
  • Note 3: Refiners may make a policy commitment to de-risk certain sources of gold, e.g., artisanal and small-scale gold or gold from certain jurisdictions. Note that this is not in line with the principles of the Guidance and the OECD Due Diligence Guidance.
  • Note 4: Frequently, supply chain policies are not published. Not only is this a requirement of the Guidance, ISAE 3000 also requires the Assurance Provider to ensure that the policy (or the assurance criteria) is publicly available. In practice, Refiners may publish the high-level principles-based policy document. In this case, the Assurance Provider must ensure that sufficient detail on the policy and processes is included in the Compliance Report for the intended user’s understanding.

Guidance (ISAE 3000 / RGG)

Board-level oversight

Key considerations

  • Board composition
  • Experience and qualifications of members to provide sufficient oversight
  • Refiner’s overall performance, improvements and focus areas for supply chain due diligence
  • Relevant statistics on high-risk supply chains. Regular follow-up and monitoring of documented risk mitigation strategies
  • Monitoring of third-party assurance findings and Corrective Action Plans.
  • Note 1: For larger organisations, the Board may delegate oversight of the responsible sourcing programme to a Board sub-committee. It is important for the Assurance Provider to assess whether there is sufficient senior level understanding and decision-making capacity within this committee.
  • Note 2: Assurance Provider should assess whether the Board is carrying out its responsibility as defined in the RGG appropriately. Good governance practice is for the Refiner to have formal Board agendas and meeting minutes, and meet on a regular basis (in line with corporate governance requirements or other Board committee schedules). The Assurance Provider may consider obtaining relevant evidence by inspecting Board minutes or interviewing the Board chair.

Guidance (ISAE 3000 / RGG)

Compliance Officer responsibility

Key considerations

  • Job description, capacity and team composition
    - Compliance Officer’s skills and experience to oversee the supply chain due diligence process
    - Ongoing professional development
    - Day-to-day role
    - Reporting lines
    - Individual and team capacity to fulfil the role.

Guidance (ISAE 3000 / RGG)

Training

Key considerations

  • Skills, experience and ongoing development:
    - Breadth of skills, relevance of experience and capacity of personnel to cover all aspects of the Guidance, including threat finance and ESG factors
    - Quality and frequency of internal training material to ensure all aspects, including money laundering, OECD Annex II, and ESG, are appropriately addressed
    - Training attendance and understanding monitoring.

Guidance (ISAE 3000 / RGG)

Payment through official banking channels

Key considerations

  • Payment’s policy and procedures:
    - Possibility of cash transactions to be undertaken
    - Controls assessment to ensure that all cash transactions made are in line with Refiner policy and LBMA RGG version 9.
  • Accounting entries and reconciliations.
  • Note 1: Some Refiners with retail businesses in certain jurisdictions (e.g., Japan) have long-standing practices of conducting cash transactions with domestic public consumers. These are conducted in line with local regulatory and legislative requirements, and Refiners should be able to demonstrate compliance with these requirements.

Guidance (ISAE 3000 / RGG)

Cooperation with government authorities

Key considerations

  • Regulatory engagement procedures
  • Compliance audits and/or fines
  • Media reports.

Guidance (ISAE 3000 / RGG)

Maintaining records

Key considerations

  • Record retention policy and practice.

Guidance (ISAE 3000 / RGG)

Establish a gold traceability system

Key considerations

  • Determination of origin of different types of precious metals material (LSM, ASM, recycled gold, grandfathered gold, byproducts)
    - Alignment with RGG
    - Type of evidence to support mineral’s origin
    - Minimum categories (mined gold (LSM, ASM, Mining by product), recycled gold (unprocessed, melted or industrial by-product, grandfathered stock).
  • Information management system(s) used to manage precious metals traceability, e.g.:
    - Goods delivery and acceptance
    - Weighing.
  • Process walkthroughs for each of above:
    - Roles, responsibilities, skills and experience
    - Information management systems (IMS) access and other system controls
    - Integration of supplier due diligence and transactions monitoring processes with physical goods delivery
    - Data entry process and review process.
  • Refinery site visit:
    - Any non-conformant precious metals on site
    - Segregation of unverified inventory.
  • Note 1: In practice, supplier risk assessment and due diligence processes are conducted by different personnel to those operating physical metal in the refinery. These processes may therefore lack integration. For example, doré from a suspended high-risk supplier could incorrectly be accepted by the goods-in team at the Refinery. The Assurance Provider should check that all parts of the Refiner’s management system are appropriately integrated with the physical precious metals traceability process.

Guidance (ISAE 3000 / RGG)

Strengthen company engagement with gold - supplying counterparties

Key considerations

  • Engagement with gold-supplying counterparty:
    - Inclusion of policy commitment in contractual agreement
    - Process to promote responsible sourcing within the supply chain.
  • Awareness and understanding of the policy and processes – see also Training, Supplier Engagement and Grievance mechanism considerations.

Guidance (ISAE 3000 / RGG)

Establish a confidential grievance mechanism

Key considerations

  • Grievance process design:
    - Employee awareness of grievance process
    - Accessible by internal and external stakeholders (with respect to technology, language, etc.)
    - Review, escalation and monitoring of concerns raised
    - Number and types of grievances raised
    - Reporting of significant concerns to the Board.
  • Note 1: An anonymous whistleblowing or grievance process is important to encourage employees and stakeholders to report any concerns without any reprisal for doing so. However, in certain jurisdictions, this may not be the legal or acceptable practice. Cultural and legal norms therefore need to be considered when dealing with these matters. The Assurance Provider should then assess whether the grievance process is effective in encouraging internal and external stakeholders to come forth, and what actions management may take to promote reporting, e.g., providing details of the LBMA hotline or using an independent operator to manage the internal process.

References

  • OCED Annex II
  • ISA 610 Considering the Work of Internal Audit
  • ISA 620 Using the Work of an Auditor’s Expert
  • LBMA Mutual Recognition Matrix

3.2 Testing

Objective: Executing procedures to collect sufficient appropriate evidence

In this phase, the Assurance Provider executes procedures to collect sufficient appropriate evidence to determine that:

  • The Refiner’s Step 2 risk assessment and classification procedures, systems and controls are appropriately designed and implemented to prevent and detect illicit precious metals-bearing material in the supply chain
  • The Refiner’s Step 3 risk mitigation procedures, systems and controls are appropriately designed and implemented such that identified risks are appropriately addressed
  • The Refiner’s Step 5 Compliance Report and Country of Origin Annex describes the design, implementation and performance of the processes and controls during the reporting period in line with the Assurance Provider’s understanding.

Key Considerations for Step 2: Risk Assessment and Classification

The RGG version 9 outlines the minimum requirements for Refiner’s due diligence procedures and provides relevant templates in the Refiners Toolkit. Assurance Providers are required to use their experience and subject matter knowledge in assessing whether the Refiner’s processes, systems and controls are appropriately designed, as well as to assess whether these processes, systems and controls have been appropriately implemented.

Guidance (ISAE 3000 / RGG)

Conduct supply chain due diligence to identify potential risks

Key considerations

Location risk assessment:

  • Inclusion of RGG minimum requirements
  • Quality of sources used to inform the risk criteria (external vs internal; recognised vs unknown; third-party independence and reputation)
  • Breadth of sources used to inform the risk criteria (coverage should include conflict risks, sanctions, gold transit routes).
  • Note 1: Country risk assessment sources are continuously updated, the organisation’s process should reflect this
    - Review of suitability of sources (method and frequency).
  • Note 2: Assurance Providers should have knowledge of responsible sourcing challenges in various jurisdictions and provide appropriate challenge to the Refiner’s process and risk assessment results. This can be done through:
    - Conducting own media searches
    - Keeping abreast of the items in the Responsible Sourcing newsletter and other sources
  • Note 3: In circumstances where judgement is applied by the Refiner, the Assurance Provider needs to understand the process the company has followed to be comfortable with the company’s conflict assessment conclusions. For example, consider whether:
    - Other reference sources applied by the company are reliable and appropriately used
    - There is other publicly available information not considered by the company that indicates an operation may be located in a ‘conflict-affected or high-risk’ region (e.g., from recent political instability, performing a media search).

Supplier and type of material risk assessment:

  • Walk-throughs of supplier risk assessment process design:
    - Inclusion of RGG minimum requirements:
    o Use of relevant LBMA KYC Questionnaires and Due Diligence Checklists, or
    o Inclusion of the minimum requirements in the Refiner’s own KYC checklist
    - Process followed for unobtainable supplier information
    - Compliance Officer review and sign-off procedures
    - Access controls over information management systems.
  • Sample testing of supplier files:
    - Verifying supplier list is complete by comparing against formal supplier database or management system
    - KYC and Due Diligence forms completed with all supporting evidence gathered
    - KYC and Due Diligence forms reviewed by Compliance Officer
    - Risk Classification completed correctly as zero-tolerance, high-risk or low-risk per LBMA the Guidance.
  • Note 1: Artisanal and small-scale mines may not always be legalised but should be legitimate. These operations may not have documented policies and procedure documents; however, the Refiner’s due diligence should support that relevant responsible production practices are implemented.
  • Note 2: Owned mines (i.e., mines within the same corporate group as the Refiner) are expected to undergo risk-based due diligence on threat financing as well as ESG factors. An independent internal assessment may be conducted by Refiners on the anti-money laundering, anti-bribery and corruption, and ESG policies and practices of their mines, which may include:
    - Review of cash transactions for suspicious activities
    - Review of the human resources records to assess below minimum age and wage resources
    - ESG performance metrics
    - Known issues with stakeholders (regulators, communities, workers).
  • Note 3: Owned mines may include third-party stock, which may be from high-risk locations or suppliers, and controls to manage third-party stock should be reviewed during the due diligence process.
  • Note 4: For by-products, the RGG makes specific reference to the World Customs Organization’s Revised Kyoto Convention Annex K to determine the point of separation of gold from the mineral base, and hence the origin of the gold by-product. This is interpreted as follows:
    - Goods produced wholly in a given country shall be taken as originating in that country
    - Where two or more countries have taken part in the production of the goods, the origin of the goods should be determined according to the substantial transformation criterion. Regarding the substantial transformation criterion, the ad valorem percentage rule could be used. Such rules are based on the dutiable value/price.
    For example, copper is mined in Chile, the gold is extracted from the copper by a smelter in Japan, purchased by a trader in South Korea and then sent to an LBMA refinery. The country of origin for the LBMA refinery would be Japan as: 1) there are two countries in the production of the gold that is received by the LBMA refinery (Chile and Japan); and 2) the value of the product after smelting in Japan is higher than before processing in Japan. Therefore, the country of origin for the LBMA Refiner is the country of the smelter and not the country of extraction (as the Refiner receives a transformed product and not minerals) and not the country of the trader (who does not add value to the metal).
  • Note 5: While the origin of recycled gold is defined as the point in the gold supply chain where the gold is returned to the Refiner or other downstream intermediate processor or recycler, the Refiner should make all reasonable attempts to evaluate the supply chain as far upstream as possible to determine potential risk. Where there may be potential risk in a supply chain, the Assurance Provider should assess whether the Refiner has made all reasonable efforts to identify and manage this risk.

Guidance (ISAE 3000 / RGG)

Monitoring of Transactions

Key considerations

  • Completeness of supplier list / transactions lists
  • Shipping / transportation document (waybill / airway bill, pro-forma invoice)
  • Note 1: The procurement process may not be integrated with the supply chain due diligence process, e.g., transport of material could be diverted to a high-risk country, but the due diligence process is not updated. Good practice would include the Refiner assessing the security processes around transportation (secure packaging, reputable transportation company, armed guards), reconciliations between goods delivery notes and goods received notes, and requiring prior alerts for any changes to routing.

Guidance (ISAE 3000 / RGG)

Classify supply chains based on risk profiles

Key considerations

  • Note 1: Sample testing should focus on medium- and low-risk classifications to assess under-reporting.
  • Note 2: Large Scale Mines are not automatically considered low risk as they may be situated in high-risk jurisdictions or have high-risk organisational structures.
  • Note 3: Local supply chains may also not always be low risk as the supplying counterparty may have complex organisational structures or supply high-risk material.

Guidance (ISAE 3000 / RGG)

Enhanced Due Diligence

Key considerations

  • On-site visit
    Walk-throughs of on-site visit process:
    - Frequency of site visits (new suppliers and existing)
    - Determination of site visit scope aligned to due diligence findings
    - Subject matter experience of personnel conducting site visits
    - Inclusion of RGG minimum requirements:
    o Use of relevant LBMA Site Visit Reports or
    o Inclusion of minimum requirements in Refiner’s own site visit checklist
    - Process followed for unobtainable information
    - Compliance Officer review procedures
    - Access controls over information management systems.
  • Sample review of Site Visit Reports:
    - Scope and coverage (i.e., all relevant aspects of threat financing and ESG factor risks are covered as identified in
    the initial due diligence)
    - Competency of employee or independence of independent third-party assessor to undertake required scope
    - Follow-up process and internal communication of issues identified
    - Review of On-Site Visit Report.
  • Note 1: Site may not include as assessment of the ESG factors. The scope of the site visit should include all potential risks identified during the initial due diligence.
  • Note 2: Good practice is for Refiners to conduct ongoing site visits on a rotational basis to high-risk suppliers, although not stipulated in the RGG.
  • Additional EDD measures: LBMA minimum requirements have been considered by the Refiner.
  • Note 3: Refiners are expected to obtain an Independent Assurance Report from intermediate refiners with high-risk supply chains, and existing suppliers have been given until July 2023 to commission this assurance to provide sufficient time to establish appropriate systems and processes. In the interim, the Refiner is expected to continue to assess the potential risk in the supply chain and deploy effective measures to manage this. Assurance Providers should discuss interim measures being undertaken by Refiners for these supply chains.

Key Considerations for Step 3: Mitigation Strategies

The risk management strategy is a critical component of the five-step process. Suspension and continuation of the relationship with improvement plans is likely to be more subjective based on the Refiner’s risk appetite. However, the Assurance Provider is required to exercise appropriate judgement based on experience and subject matter knowledge in assessing whether the risk management strategy and any improvement plans are appropriate and meet the objectives of the LBMA Programme.

Guidance (ISAE 3000 / RGG)

Devise a risk management strategy for the identified risk

Key considerations

  • Note 1: The Refiner determines its ESG risk classification to define catastrophic and highly adverse ESG impacts in the same manner as it determines the threat finance risk classification. The Assurance Provider should review whether the definitions are appropriate, and that any judgement applied by the Refiner to reach its decision on risk classification is clearly documented and logical.
  • Note 2: Where the Assurance Provider identifies evidence of zero-tolerance risks which have not been appropriately dealt with by the Refiner, the Assurance Provider should report such instances to the appropriate authorities and to LBMA, where applicable, and in accordance with local and international legal requirements.

Guidance (ISAE 3000 / RGG)

Monitor the improvement plan

Key considerations

  • Documented improvement plan
  • Clear targets and measurement metrics, if applicable
  • Agreed by supplier
  • Assessment process (independent, competency of assessor, timeframe, on-site / remote)
  • Prior year improvement plans which cut over into current assessment period.

Guidance (ISAE 3000 / RGG)

Report findings to the Board

Key considerations

  • The Board is provided with updates on risk mitigation plans.

Guidance (ISAE 3000 / RGG)

Monitor adequacy of risk management strategies

Key considerations

  • Feedback loop in process from Step 3 to Step 2 for continuous monitoring.

References

  • OECD Annex II
  • KYC Questionnaire LBMA Mined Gold
  • KYC Questionnaire LBMA Recycled Gold
  • Due Diligence Checklist Mined Material
  • Due Diligence Checklist Recycled Material
  • Site Visit Report Mined Material
  • Site Visit Report Recycled

Key Considerations for Step 5: Annual Reporting

Ultimately, assurance is provided on the disclosures contained in the Refiner’s Compliance Report and the Country of Origin Annex (Refiner’s Reports). The Assurance Provider is required to assess whether the Refiner’s Reports contain sufficient information regarding the Refiner’s application of the LBMA Responsible Sourcing Guidance, as well as actual performance, in particular the results of the risk assessment and risk mitigations steps during the assurance period.

Guidance (ISAE 3000 / RGG)

Disclosure Guidance: Compliance Report

Key considerations

  • Note 1: LBMA has produced a detailed Disclosure Guidance10 document outlining the minimum information requirements for the Refiner’s Compliance Report. The Assurance Provider’s responsibility therefore is to ensure that:
    - This minimum information is appropriately included in the Refiner’s Compliance Report; and
    - The disclosures provided are:
    o Complete: Omission of key information is a misstatement. The report must provide a true reflection of the practices and performance during the year
    o Accurate: The report should provide reliable information for the intended users to make judgements
    o Consistent: The Compliance Report, Assurance Statement, Management Report and Corrective Action Plans must all be consistent with each other and not display obvious contradictions
    o Timely: The report should contain information for the period in question
    o Balanced: The report should provide a balanced reflection, including challenges and how these are being addressed as well as positive achievements.
  • Note 2: The Disclosure Guidance is aligned to the requirements of the Responsible Gold Guidance (RGG) version 9 and supplements Step 5 of the RGG. As Refiners have until 31 December 2022 to fully implement the new requirements of RGG version 9, the Disclosure Guidance should be implemented for reporting for the year ending 31 December 2022. It is noted, however that Refiners may not have certain systems and processes in place to produce quantitative data, and/or qualitative data that may not be covered in RGG version 9, outlined in the Disclosure Guidance. As such Refiners have until 31 December 2023 to address this aspect of the Guidance.

    For the avoidance of doubt, Step 5 of RGG version 9 (page 38), says: The Country-of-Origin Annex should, as a minimum, meet the requirements outlined in the Disclosure Guidance documents in the Refiners Toolkit. Minimum information includes:

    (a) List of gold sources by country and by type of material sourced and related information
    (b) Total gold sourced by type of material (LSM, ASM, Recycled Gold, Grandfathered Stocks) in the reporting period
    (c)The identity of the Refiner and the local exporter located in high-risk locations should always be disclosed except in cases of disengagement

    This Minimum information is required as part of the RGG version 9 implementation. Refiners will have until 31 December 2023 to meet the additional Country-of-Origin requirements highlighted in the Disclosure Guidance.
  • Note 3: Information can be referred to in the Refiner’s Compliance Report but be disclosed elsewhere (for example, on the company website).

Guidance (ISAE 3000 / RGG)

Disclosure Guidance: Country of Origin Annex

Key considerations

  • List of gold sources by country
  • List of gold sources by type of material sourced (Large Scale Mining, Artisanal and Small-Scale Mining, recycled gold, grandfathered stocks)
  • Consistency with measurement units
  • The identity of the Refiner and the local exporter located in high-risk locations should always be disclosed to LBMA except in cases of disengagement.

10https://www.lbma.org.uk/respon...

References
LBMA Disclosure Guidance document

3.3 Assurance Providers’ Conclusion and Reporting

Objective: Forming the assurance conclusion and preparing the assurance deliverables

The objective of the reporting phase is to evaluate the overall engagement in light of the non-conformances and misstatements identified, to assess whether sufficient, appropriate evidence has been obtained to support the conclusion expressed. The Assurance Provider prepares the assurance deliverables accordingly.

Practitioner’s Conclusion

Evaluating Non-Conformances
The materiality of misstatements or non-conformance risk ratings should be considered individually and in aggregate. For example, a group of related, repetitive or persistent medium-risk non-conformances may indicate a company-wide systemic failure or total lack of required controls that may justify a high-risk non-conformance rating.

Non-conformance ratings may be elevated if they are related to other non-conformances due to a common root cause indicating systematic weaknesses in management systems. For example, the nonconformances are:

  • Related in terms of the responsible sourcing topic or activity being controlled
  • Repetitive, bringing up the same issue throughout the business (which is often symptomatic of a systemic failure or absence of controls)
  • Persistent, i.e., occurring again and again because of ineffective corrective action.

Some items may also be material by their omission. The Assurance Provider should maintain a summary of uncorrected misstatements throughout the engagement. Individually or in combination, these considerations should determine whether misstatements may affect the decisions of the intended user of the Refiner’s Compliance Report and the impact on the Assurance Report. Where material misstatements have been identified, the Assurance Provider should question the effectiveness of internal controls and, if deemed necessary, revisit the assurance programme to expand testing and assess whether there are any material concerns and implications for the Assurance Report.

Presentation of Non-Conformances

All non-conformances must include clear and considered details about the non-conforming practice. For all non-conformances, the Assurance Provider should:

  1. Describe the nature of the non-conformance clearly and exactly
  2. Dross-reference the requirement of the Guidance and/or the Refiner’s supply chain policy
  3. Identify the likely underlying cause of the management system deficiency
  4. Support their finding with relevant and verified objective evidence
  5. Provide a risk rating in accordance with the criteria provided in the Appendix.

In all cases, when documenting non-conformance findings, the Assurance Provider should address the underlying causes to identify how to prevent the problem from recurring.

Unmodified Conclusions

To form the overall conclusion on the engagement, the Assurance Provider should evaluate all nonconformances collectively. Conclusions may be unmodified as follows:

Reasonable assurance: The subject matter is prepared, in all material respects, in accordance with the applicable criteria.

“Refiner’s Compliance Report / Country of Origin Annex has been prepared in all material respects in accordance with the Refiner’s supply chain policy and LBMA’s Responsible Gold / Silver Guidance.”

Emphasis of matter: The Assurance Provider feels that a non-conformance disclosed in the Refiner’s Compliance Report is of such importance that it is fundamental to the intended user’s understanding of the subject matter information. A paragraph to draw the user’s attention to the disclosure is included in the Assurance Report.


“Without modifying our conclusion, we draw attention to the description of the nonconformance contained in the Refiner’s Compliance Report. This relates to the…”

Modified Assurance Conclusions

A modified assurance conclusion may result in the following cases:

Limitation of scope: Circumstances preventing an auditor from obtaining sufficient appropriate assurance evidence to provide an unmodified conclusion. This may include restrictions placed upon the assurance testing activities by the Refiner, data gaps or a lack of controls. In this case, the Assurance Provider includes a disclaimer in the Assurance Report.

“Because of the significance of the matter described in the Basis for Disclaimer of Conclusion section of our report, we have not been able to obtain sufficient appropriate evidence to form a conclusion on the Refiner’s disclosures in the Compliance Report. Accordingly, we do not express a conclusion on the Refiner’s Compliance Report.

A disagreement on a material Issue: The Refiner has a material non-conformance, and the Assurance Provider is not satisfied with the disclosure included in the Refiner’s Compliance Report. In this case, the Assurance Provider issues an ‘Except for limited assurance’ conclusion.

“Based on the procedures performed and the evidence obtained, except for the effect of the matter described in the Basis for Qualified Conclusion section of our report, nothing has come to our attention that causes us to believe that the Refiner’s Compliance Report does not present fairly, in all material respects, the entity’s conformance with its supply chain policy and LBMA’s Responsible Gold / Silver Guidance.”

Material and pervasive misstatement: The Refiner has material non-conformances which indicate systematic failure of management systems. Depending on the extent to which a non-conformance exists, it may not be appropriate to issue an unmodified Assurance Report to provide a meaningful conclusion, regardless of the description in the Refiner’s Compliance Report. In this case, the Assurance Provider issues an adverse reasonable assurance conclusion.

“Because of the significance of the matter described in the Basis for Adverse Conclusion section of our report, the Refiner’s Compliance Report does not present fairly the entity’s compliance with its policy and the LBMA Responsible Gold / Silver Guidance.”

Engagement Completion Procedures

Prior to issuing the assurance deliverables, the Practitioner should conduct the following completion procedures:

Corrective Action Plans Review

Where medium-risk, high-risk or zero-tolerance non-conformances with one or more of the requirements of the Guidance have been identified, the Assurance Provider shall review the Refiner’s Corrective Action Plan. For each non-compliance, the Corrective Action Plan must include:

  • Details of the non-conformance presented in the Management Report
  • Details of the corrective actions to be taken by the Refiner
  • The implementation timeline for each corrective action
  • The person responsible for the implementation for each corrective action.

Corrective actions identified shall be specific, measurable, achievable, timely, appropriate and effective in addressing the root cause of the non-conformance. The timeframe to begin implementation of corrective actions must be realistic and cannot exceed:

  • Three months or any medium-risk non-conformance
  • One month for any high-risk non-conformance
  • Immediate for any zero-tolerance non-conformance.

Subsequent Events Review

Conduct and document the results of a desktop review to identify any significant matters arising post the reporting year-end, but prior to the signing of the Assurance Report, which may have an impact on the meaningfulness of the assurance conclusion for the reporting period. Any such significant matter should be discussed with the Refiner and brought to LBMA’s attention.

Management Representation Letters

Prior to issuing the Assurance Report, Practitioners should request written representation from the Refiner which sets out the Refiner’s responsibilities and includes explicit statements that the Refiner has:

  • Established appropriate processes and controls to satisfy that it conforms to the Guidance and meets the objectives of the Programme
  • Provided the Assurance Provider with all necessary and known information relevant to the engagement
  • Provided a complete, accurate and balanced view of the relevant activities in the reporting period in the Compliance Report.

In addition, the Assurance Provider may request representations on specific matters that arose during the engagement, where necessary. This must be to support other evidence obtained, and the Assurance Provider should evaluate the reasonableness and consistency of such representations with other evidence obtained.

Engagement Quality Control Review

The assurance engagement documentation shall be reviewed by an Engagement Quality Control Reviewer (EQCR). The EQCR’s roles is to objectively validate:

  • The independence and core competencies of the team members involved in the assurance engagement
  • Any areas of significant judgement exercised by the Engagement Partner and evaluate whether suitable appropriate evidence has been obtained to support the conclusion over the subject matter and the overall engagement
  • That assurance engagement completion procedures have been appropriately completed
  • The completeness of and consistency between the Compliance, Assurance, and Management Reports.

Assurance Deliverables

The assurance deliverables should include three key reports, as described below.

1. Independent Assurance Report on the Refiner’s Compliance Report (Public)

This report is addressed to the Refiner’s Board of Directors and states the Assurance Providers conclusion on the Refiner’s Compliance Report. This Assurance Report must be publicly disclosed alongside the Refiner’s Compliance Report or it should be made clear how it can be accessed by intended users.

2. Independent Assurance Report on the Refiner’s Country of Origin Annex (Confidential)

This report is also addressed to the Refiner’s Board of Directors and states the Assurance Provider’s conclusion on the information included in the Country of Origin Annex. As the Country of Origin Annex is a private document, the corresponding Assurance Report will also be a private report for the Refiner and LBMA. It may be shared with other stakeholders at the Refiner’s discretion.

3. Assurance Provider’s Report to Management (Confidential)

A Management Report issued by the Assurance Provider to the Refiner is the formal mechanism for communicating the detailed findings of the assurance engagement to the Refiner. This is a private document for the Refiner and LBMA. It may be shared with other stakeholders at the Refiner’s discretion.

Reporting and Assurance Deliverables:

Refiner Assurance Provider
Refiner’s Compliance Report Independent Assurance Report (Public)
Country of Origin Annex (Confidential) Independent Assurance Report (Confidential)
Corrective Action Plan prepared by the Refiner, if required (Confidential) Report to Management (Confidential)

In accordance with the mandatory ISAE 3000 disclosures, the assurance statement should include, but not be limited to, the following:

  • Reference to the scope and subject matter of the assurance engagement: Reasonable / limited assurance of the Refiner’s Compliance Report / Country of Origin Annex
  • Reference to the assurance criteria: Refiner’s supply chain policy, aligned to the Guidance, and how it can be accessed
  • A statement that the engagement was performed in accordance with ISAE 3000 (revised)
  • A declaration that the auditor satisfies competency and quality requirements, specifically with respect to the ISQC 1 standard and IESBA Code requirements
  • A statement on inherent limitations associated with the measurement or evaluation of the underlying subject matter against the applicable criteria
  • A statement to identify the responsible party and the measurer or evaluator if different, and to describe their responsibilities and the Practitioner’s responsibilities
  • A summary of the assurance procedures performed
  • Assurance conclusion in accordance with the examples presented in the previous section
  • All zero tolerance and high-risk non-conformances, per the guidance outlined in the Practitioner’s Conclusion section above.
    The Practitioner’s signature and location and date of the Assurance Report.

Assurance Providers Report to Management (Confidential)

A Management Report issued by the Assurance Provider to the Refiner is the formal mechanism for communicating the detailed findings of the assurance engagement to the Refiner. This is a private document to be shared with the Refiner and LBMA. It may be shared with other stakeholders at the Refiner’s discretion to meet emerging supply chain due diligence regulations and industry requirements for additional transparency.

It is recommended that the Management Report include the following information:

  • Name of the Refiner and reporting period subject to assurance
  • Professional qualifications and experience of the Assurance Practitioners involved in the engagement
  • Confirmation of the Assurance Providers’ adherence to LBMA’s independence and core competency requirements
  • Assurance scope, including level of assurance and subject matter
  • Assurance criteria applied and confirmation that this is publicly available
  • Any significant or inherent limitations or areas not covered
  • An overview of the engagement process (timing, remote or on-site work, number of days on and off site)
  • Summary of assurance procedures, including list of interviewees, documentation reviewed, sample sizes for controls and transactions review and a description of how samples were selected (random, risk focused)
  • Positive observations on good practice or improvements from prior years
  • Presentation of current year’s non-conformances, risk rating and actions for improvement
  • Status of non-conformance improvement actions from prior years
  • Assurance conclusion (or reference to the conclusion within the independent Assurance Report).

A copy of all assurance deliverables should be provided to the LBMA Executive by the Refiner or the Assurance Provider, as delegated to by the Refiner.

Key Insights

Assurance Reports

  • Assurance Reports should clearly reference the corresponding subject matter reports. As the Compliance Report is publicly available, it is usually satisfactory for the Assurance Report to refer to the Compliance Report for the relevant reporting period. Where the Country of Origin Annex is a private report, it is usually included as an appendix to the Assurance Report to ensure that the intended user associates the conclusion to the correct subject matter.

Management Report and Corrective Action Plans

  • Non-conformances should not be presented as observations for improvement and should be correctly presented as low-risk, medium-risk or high-risk non-conformances in accordance with the criteria provided in the Third-Party Assurance Guidance.
  • Low-risk non-conformances included in the Management Report do not need to be presented in the Corrective Action Plan (nor in the Refiner’s Compliance Report). The Refiner should address any lowrisk non-conformances as part of normal business practice and continuous improvement commitments
  • Preparing, implementing and submitting the Corrective Action Plan to LBMA is the responsibility of the Refiner. The Assurance Provider’s responsibility extends to identifying and reporting the nonconformances in the current reporting period and reviewing progress of the Corrective Action Plan in the following assurance engagement. In practice, the Corrective Action Plan may be incorporated (either as an appendix to or within) in the Management Report.

Consistency in reporting

  • The Assurance Provider should ensure appropriate alignment in the non-conformances presented in the assurance deliverables. Typically:
    - All non-conformances, including low-risk non-conformances should be included in the Management Report
    - The Refiner should include medium-risk and high-risk non-conformances in the Compliance Report and conclude with a ‘non-compliance’ statement for the relevant step of the Guidance in the Compliance Report
    - The Assurance Report may include details on the medium-risk and high-risk nonconformances in line with the modified / unmodified conclusions presented above.

Deliverables to Refiner

  • Assurance Report on Compliance Report
  • Assurance Report on Country of Origin Annex
  • Management Report

Deliverables to LBMA (if authority delegated to the Assurance Provider by the Refiner)

  • Deliverables to the Refiner
  • Compliance Report
  • Country of Origin Annex
  • Corrective Action Plan

Follow-up Audits

The LBMA Executive may at its discretion request of the Refiner that a reasonable assurance engagement is performed more regularly than the usual frequency.

Follow-up Audits
Where the Refiner has any high-risk non-compliances, LBMA recommends that a ‘follow-up’ engagement is completed within ninety (90) days after the release of the Refiner’s Compliance Report with the following scope:

  • Assurance subject matter: Refiner’s status update on implementation progress for corrective actions
  • Assurance criteria: Refiner’s corrective actions to address the high-risk non-conformance
  • Assurance level: reasonable assurance
  • Assurance deliverables: The Refiner’s Corrective Action Plan and a separate independent Assurance Report must be made available to the LBMA Executive.

Special Assessments

LBMA may request the Refiner to undertake a Special Assessment on specific aspects of the Refiner’s management system or precious metals supply chain. Special Assessments will be conducted as an “agreed upon procedure”11 engagement, which involves reporting factual findings based upon procedures agreed with the Refining party and LBMA, rather than issuing an independent conclusion. Specific scope and timing for Special Assessments will be discussed with Assurance Providers when necessary.

Failure to adequately address high-risk non-compliances and/or failure to complete corrective actions for high-risk non-compliances by the second follow-up assessment must be communicated by the Assurance Provider to the LBMA Chief Executive within 24 hours. Any instances of zero-tolerance non-compliance should be reported by the Assurance Provider to those charged with governance at the Refiner within 24 hours and communicated to the LBMA Chief Executive. The LBMA Executive will review each case in a timely and objective manner, and may suspend or delist the Refiner concerned from the List of accredited Good Delivery Precious Metals Refiners.

11 ISRS 4400, Engagements to Perform Agreed-Upon Procedures Regarding Financial Information, and ISRS 4410, Compilation Engagement

Engagement Acceptance

Find out more

Appendix: Non-Conformance Risk Levels

Find out more