Responsible Sourcing Programme Third Party Assurance Guidance
Objective: Effective engagement set-up and efficient administration
The International Standard on Assurance Engagements (ISAE) 3000 deals with assurance engagements other than audits or reviews of historical financial information. ISAE 3000 assurance engagements require the Practitioner to evaluate the underlying subject matter against specific criteria. During the engagement acceptance phase, in addition to the requisite independence and quality control requirements for the assurance team stipulated by the LBMA and ISAE 3000, the engagement partner should satisfy themselves as to:
- the key requirements of the assurance engagement
- the scope, timing, and nature of the assurance engagement and procedures.
This section outlines the key concepts of the ISAE 3000 standard and their application to LBMA responsible sourcing engagements.
2.1 Key requirements of an ISAE 3000 Assurance Engagement
Roles and Responsibilities
An LBMA assurance engagement is a four-party relationship: LBMA, the Refiner and the Assurance Provider work together to maintain the integrity of the LBMA Programme, such that the Intended User may place reliance on it.
Party: LBMA
Role and Responsibility - Establishes and maintains the integrity of the LBMA Programme by:
- Setting GDL standards including Programme requirements and Responsible Sourcing and Assurance Guidance documents
- Approving and monitoring GDL Refiners
- Approving and monitoring Assurance Providers
- Reviewing Refiner’s reporting and assurance deliverables and granting GDL status
- Providing an independent grievance mechanism for stakeholders
- Requesting Refiners to undertake Special Assessments as and when necessary
Party: Refiner
Role and Responsibility - Manages Programme integrity by:
- Implementing and conforming with Steps 1 to 5 of the Guidance and overall Programme objectives
- Preparing and implementing a Precious Metals Supply Chain policy to identify, manage and report responsible sourcing risks in the supply chain
- Preparing an annual Refiner’s Compliance Report to publicly disclose conformance with the Guidance and Programme objectives
- Appointing an LBMA approved independent Assurance Provider and providing access to all evidence required by the Assurance Provider
- Implementing a Corrective Action Plan for all non-conformances identified
- Submitting the reporting and assurance deliverables to LBMA within three months of the financial year-end
- Undertaking follow-up audits on resolution of high-risk non-compliance within 90 days of the assurance engagement
- Responding to LBMA’s requests for additional information on the assurance engagement or directing Assurance Provider to do so
- Complying with LBMA’s requests for Special Assessments.
Party: Assurance Provider
Role and Responsibility - Supports Programme integrity by:
- Evaluating and reporting on the fair presentation of conformance in the Refiner’s Compliance Report, in accordance with ISAE 3000
- Satisfying LBMA’s and ISAE 3000’s independence, competency and quality control requirements, and declaring this in the Assurance Report
- Issuing a Management Report to the Refiner to detail non-conformances
- Responding to LBMA’s requests for additional information on specific aspects of the assurance engagement as authorised by the Refiner
- Undertaking Special Assessments requested by LBMA.
Party: Intended users
Role and Responsibility - Places reliance on Programme integrity by:
- Using the Refiner Compliance and Assurance Reports (and in some instances the Management Report) to assess company performance and make decisions.
Assurance Subject Matter
The LBMA assurance subject matter includes the Refiner’s disclosures on its conformance with the Guidance and the underlying management systems used to derive these disclosures, as presented in the Compliance Report and the Country of Origin Annex. For example, Step 5 of the Guidance requires the Refiner to conclude on its overall conformance with the five-step framework. This conclusion, and the internal policies, processes, management systems and controls that support the conclusion, form the subject matter.
ISAE 3000 requires an assurance engagement to be conducted on an appropriate subject matter, qualified as one that is identifiable and capable of consistent evaluation or measurement against identified criteria and that can be subjected to procedures for gathering sufficient appropriate evidence to support an assurance conclusion. In other words, the Refiner should have appropriate procedures and processes in place for a systematic evaluation of risk and supplier due diligence to conclude on their conformance with the Guidance.
The LBMA assurance criteria consist of the requirements set out within the Guidance, supplemented by the Refiner’s interpretation and application at a more detailed level through its own policies, procedures and internal controls. It is the Assurance Provider’s responsibility to assess the suitability of the assurance criteria, and hence the Refiner’s precious metals supply chain policy and management systems. It is not necessary for the Assurance Provider to assess whether the Guidance requirements are adequate, only how the Refiner has interpreted and applied them.
The Assurance Provider evaluates the criteria by checking that they are:
- Relevant: The Refiner’s policies and procedures have a logical connection to the LBMA Guidance and Programme objectives.
- Complete: The Refiner’s policies and procedures, including those outlined in their public disclosures, consider all supply chain risks outlined in the Guidance.
- Reliable: The Refiner’s policy and procedures can be consistently applied across all operations and suppliers in scope.
- Neutral: The information sources used to inform the Refiner’s policies and procedures are free from bias.
- Understandable: The Refiner’s policies and procedures are clear and comprehensive, and can be understood by the intended user.
In practice, detailed evaluation of the criteria is likely to take place during the planning and risk assessment phase, and this Guidance provides key considerations for the Assurance Provider to evaluate the Refiner’s policy and procedures in the following section.
In the event that the Assurance Provider’s assessment indicates that the Refiner’s interpretation and application of the Guidance is not suitable, the Assurance Provider should discuss with the Refiner the impact of the changes required to that interpretation and application. If the interpretation and application of the Guidance cannot be altered in time (to give coverage over the 12-month period under review), the Practitioner should consider the impact on the Assurance Report, and whether to issue a qualified conclusion or withdraw from the engagement.
ISAE 3000 requires the criteria to be publicly available for intended users to understand how the subject matter has been derived. The Assurance Provider therefore must ensure that sufficient information is published by the Refiner in its policies and Compliance Report for users to gain an appreciation of the criteria.
2.2 Scope, nature, extent and timing of procedures
The Assurance Provider plans the assurance procedures to be performed to gather sufficient, appropriate evidence to support a reasonable or limited assurance conclusion for the selected scope. To plan the nature, extent and timing of the assurance approach, the Practitioner should consider:
- Assurance Scope: The scope includes factors such as locations, functions, activities and reports, as well as the time period to be covered during the audit.
- Assurance Engagement Risk: The risk that the Practitioner expresses an inappropriate conclusion on the Refiner’s conformance with the Guidance.
- Materiality: Information is material if its misstatement, including omission, could influence the decisions of intended users to make sound judgements.
- Evidence Quantity and Quality: When designing and performing procedures, the Practitioner shall consider the relevance and reliability of the information to be used as evidence.
- Assurance Level: ISAE 3000 distinguishes between two levels of assurance. There is a greater extent of testing and evidence gathering in a reasonable level of assurance, to provide a higher degree of comfort to users of the Compliance Report, than in a limited level of assurance.
- Timing of procedures: Assurance procedures may straddle the year-end or be completed post year-end. Time spent on site will depend on the complexity of the supply chain.
Implementation of Step 4 of the Guidance is mandatory for all Refiners. Each individual refinery accredited with LBMA must be subject to independent assurance, with the following scope considerations:
Locations and operations in scope:
- All units involved in the Refiner’s precious metals supply chain, including sales, procurement, marketing, smelting, refining and supply chain risk assessment operations
- Off-site marketing offices which undertake Know Your Counterparty (KYC) procedures
Out of scope:
- Refiner’s operations that are not related to precious metals refining
- Locations of the Refiner’s business partners, including suppliers
Material in scope:
- All precious metals-bearing material, including mined, recycled or grandfathered sources, received for refining or melting for the production of precious metals products (bars, grains, coins, etc.) within the assurance period
Out of scope:
- Precious metals-bearing material that, due to its properties, presents minimal responsible sourcing risks. For example:
o Low precious metals content – low-value industrial by-products such as furnace flue dust, spent crucibles and floor sweepings, or residue cell slimes from the refining of other metals
Where Refiners source multiple metals that are covered under the LBMA and LPPM Responsible Sourcing Programmes and are required to conform to the Responsible Gold Guidance (RGG), Responsible Silver Guidance (RSG) and the Responsible Platinum and Palladium Guidance (RPPG), it may be possible to undertake one multi-metal assurance engagement, if the following criteria are met:
- There is one multi-metal refinery processing all metals in scope
- The Refiner’s supply chain policies and management systems are consistent for all metals in scope
- The RGG is used as the basis for the multi-metal assurance engagement, i.e., all metals in scope should be assessed for conflict and ESG risks in the primary supply chain
- Detailed sample testing adequately covers all metals in scope
- Refiners provide sufficient disclosures on each metal in scope in the Compliance Report
- Assurance Providers include sufficient information on each metal in scope in the Assurance Report or provide separate Assurance Reports for each metal in scope.
Refiners may continue to commission separate assurance engagements against the relevant metal Guidance should they choose to.
Where refineries are in different jurisdictions or sites, Refiners must undertake separate audits for each refinery.
In 2020, LBMA released a virtual assurance policy to enable, in limited circumstances, an LBMA GDL Refiner to commission a remote assessment to ensure the safety of Refinery staff as well as the third-party Assurance Provider.
The policy applies to the following types of virtual assurance engagements:
- Gold and combined metals audits being undertaken by the same Assurance Provider in the previous year(s)
- Gold and combined metals limited assurance engagement
- Gold and combined metals follow-up engagement
- Silver-only reasonable, limited and follow-up engagements.
In all other circumstances, on-site assessments remain the only available option.
Virtual assurance can only be commenced with the explicit prior written permission of LBMA. LBMA reserves the right to reject any request to perform virtual assurance and reserves the right to shadow any virtual assurance engagements. Any request to perform a virtual assurance engagement must be jointly submitted by the Refiner and the Approved Assurance Provider.
Assurance Engagement Risk
Assurance engagement risk is the risk faced by the Practitioner of delivering an incorrect opinion on the Refiner’s conformance with the Guidance. In other words, it is the risk that material non-conformances are not identified. It is driven by three key components:
- Inherent risk: Qualitative characteristics of the subject matter (e.g., the geographical spread and complexity of the Refiner’s precious metals supply chains) and the methods used for deriving this information (e.g., systems and processes used by the Refiner to implement the Guidance).
- Control risk: The suitability of the Refiner’s management systems, processes and internal controls to detect or prevent the risk of illicit material entering the Refiner’s supply chain.
- Detection risk: The extent and sufficiency of the Assurance Provider’s procedures to identify material non-conformances in the Refiner’s management systems.
These types of engagements are subject to relatively high inherent risks given the qualitative nature of the subject matter and different means to manage risk in the supply chain. To manage assurance risk, the Practitioner should therefore focus the assurance plan on the quality of the Refiner’s internal controls to identify and manage supply chain risks, and should plan to conduct detailed testing on those areas that may lead to material non-conformances with the Guidance.
Assurance risk may be heightened by:
- A lack of availability of pre-audit information
- The possibility of bias or misreporting of facts
- The number of counterparties assessed to be in a ‘conflict-affected or high-risk’ area
- The trends reported over time, such as a decline in the control environment
- The information needs of users
- Inadequate reporting timelines.
Moreover, the Assurance Provider needs to consider assurance risk at various levels of the engagement and plan procedures accordingly.
Information is material if its misstatement, including omission, could influence the decisions of intended users to make sound judgements. As part of the planning and risk assessment stage, as well as throughout the engagement, the Assurance Provider should consider the risk of material misstatements or level of nonconformances that could arise in the Refiner’s disclosures and underlying management systems. The Assurance Provider uses professional judgement supported by the criteria set out in the Appendix to determine material non-conformances.
A management system deficiency may turn out to have multiple causes, and the Assurance Provider is expected to exercise substance over form when assessing the risk level of the non-conformance, based on the above criteria. Deficiencies may arise from, but are not limited to:
- Missed or unknown legal requirements
- Non-compliance with applicable law
- Departure from procedure or defined process
- Incomplete or missing documentation
- Ineffective implementation of a control, process or procedure
- Ineffective risk identification and risk assessment
- Inadequate training
- Incorrectly specified equipment and controls
- Ineffective organisational structure
- Lack of resources, time or capacity.
Where the auditor identifies a non-compliance (medium-risk, high-risk or zero-tolerance) as part of their assurance procedures, it is recommended that they communicate this with the Refiner immediately so that the Refiner can start to implement a Corrective Action Plan.
Quality and Quantity of Evidence
When designing and performing procedures, the Practitioner shall consider the sufficiency and appropriateness of the information to be used as evidence to support the assurance conclusion. Sufficiency relates to the quantity of evidence, and appropriateness is a measure of the quality of the evidence. Both are interrelated: the quantity of evidence required is affected by the risk of material misstatement (the higher the risk, the more evidence is likely to be required) and by the quality of the evidence (the higher the quality, the less evidence may be required).
Quality of evidence is influenced by its source and by its nature, and is dependent on the circumstances under which it is obtained. For example, evidence is more reliable when:
- It is obtained from third-party sources, e.g., legal permits, licences or other authorisations
- Controls over internally generated evidence are more effective, e.g., exports of transaction records from independently audited financial management systems
- It is obtained directly by the Practitioner, e.g., observing versus inquiry about a control application
- It is in documentary form whether paper, electronic or other media, e.g., compliance committee meeting minutes.
It is important to note that there may be exceptions to the above criteria. For example, ISAE 3000 states that “evidence obtained from an external source may not be reliable if the source is not knowledgeable or objective”. It is therefore important to obtain and corroborate information from different sources or of a different nature. Where evidence obtained from one source is inconsistent with that obtained from another or the Practitioner has doubts about the reliability of information to be used as evidence, the Assurance Provider should determine whether changes or additions to assurance procedures are necessary to resolve the matter, and shall consider the effect of the matter, if any, on other aspects of the engagement.
In a risk-based assurance engagement, the quantity of evidence collected requires some level of sampling, for example, reviewing a representative sample of documents and records. The selected sample must be robust, meaning that it should be of sufficient size in relation to the total population and able to objectively support the assurance conclusion. There are several techniques used to determine sample selection. For example, samples may be based on the Assurance Provider’s professional judgement (e.g., to support a suspicion of a problem) or on probabilistic sampling approaches (e.g., random sampling).
Using the Work of Other Parties
Evidence may also include information prepared by an expert employed or engaged by the Refiner. An internal audit function or other service providers and subject matter specialists (“other parties”) may regularly evaluate the Refiner’s responsible sourcing policy, procedures, processes and controls, or parts thereof. Where possible, the Assurance Provider should consider these existing reviews, confirm the extent to which these may be relied upon and complement them as needed. The Assurance Provider should as a minimum consider:
- The scope of the review to understand how it relates to the scope of the LBMA assurance
- The competencies of the other parties with respect to the subject matter of the review
- Whether the other party has used a systematic and disciplined approach, including quality control, in performing their work.
International Standard on Assurance (ISA) 610 Considering the Work of Internal Audit, ISA 620 Using the Work of an Auditor’s Expert, or their equivalents, provide further guidance.
LBMA is committed to the harmonisation of its requirements with other responsible sourcing initiatives or anti-money laundering requirements which meet, or exceed, those laid out in the RGG (“other initiatives”).
Existing Standards or Certifications
LBMA’s intention is not to require duplication or re-performance of existing auditing arrangements. Independent audit or verification carried out under other initiatives may be used as evidence to assess conformance with relevant aspects of the LBMA Guidance. It must be noted, however, that the scope of these initiatives may differ, as do their programme governance requirements, and they may not completely address the requirements of the LBMA Guidance. LBMA undertakes an independent assessment of all initiatives wishing to be recognised by LBMA. LBMA will announce recognised schemes separately, and Assurance Providers should check the LBMA website for an up-to-date list of recognised schemes.
Levels of Assurance
Assurance procedures performed will vary in nature, timing and extent between reasonable and limited levels of assurance. A reasonable assurance engagement is designed to reach a conclusion on whether the subject matter is materially free from misstatement. It provides a higher level of assurance, and its conclusion is expressed in a positive form.
The procedures performed in a limited assurance engagement are less extensive than those conducted for a reasonable assurance engagement. The assurance obtained is therefore substantially lower than for a reasonable assurance engagement.
A key difference between reasonable and limited assurance is that during a reasonable assurance engagement, the Practitioner is expected to evaluate the design of the Refiner’s internal controls to detect and prevent material risks of non-conformance prior to testing the implementation of these controls. For example, the Assurance Provider is required to consider whether the Refiner’s:
- CAHRA classification is suitable to identify high-risk suppliers, based on the full suite of responsible sourcing risks outlined in the Guidance
- Compliance team has sufficient and appropriately skilled resources to identify and manage potential risks resulting from due diligence
- Key processes are sufficiently integrated to prevent risks from materialising
- Information management systems have sufficient and appropriate access controls such that records can be trusted.
A limited assurance engagement is still required to deliver a meaningful level of assurance. ISAE 3000 suggests emphasis on management inquiry, analytical reviews and limited detail testing in select areas (for example, transactions monitoring or supplier due diligence). Considerations for materiality, assurance risk and the quality of evidence remain relevant in the limited assurance approach.
Whether sufficient appropriate evidence has been obtained on which to deliver a meaningful conclusion is a matter of professional judgement. In practice, where the evidence gathered is not deemed sufficient or appropriate for a meaningful conclusion for a limited assurance engagement, the Assurance Provider will be required to extend the work performed.
Where possible, evidence gathering should be aligned to the Refiner’s existing processes, controls and systems to reduce the burden on the Refiner of providing significant additional information that may not be part of the normal course of operating a site in accordance with good practice. Examples of the types of evidence-gathering activities that an Assurance Provider may perform include:
- Inspection e.g., reviewing a sample of Know Your Counterparty files to ensure relevant information has been obtained
- Observation e.g., reviewing internal control procedures during refinery site visits
- Confirmation e.g., performing walkthroughs of key processes and documents to confirm understanding
- Inquiry e.g., conducting management and key stakeholder interviews to gather information
- Re-performance e.g., checking the correct risk classification of counterparties
- Re-calculation e.g., checking the accuracy of the quantitative Country of Origin Annex information
- Analytical procedures e.g., conducting trend analysis on volumes supplied by counterparties.
Timing of Assurance Procedures
When determining the time necessary to complete the assurance engagement for each Refiner, the Assurance Provider is recommended to use the following Guidance criteria:
- The geographical location of each site (more time is required for the on-site audit of locations in conflict-affected or high-risk areas)
- Size and complexity of operations for each site, e.g.,
o the number and risk level of counterparties and the overall size of operations
o the number of transactions in the audit period
- Multi-Site Assessments.
In practice, the engagement may start pre-year-end, with procedures focused on testing up to nine months of the year in review. ‘Top-up’ testing for the remaining three months should then be carried out post year-end to ensure the entire period under review has been covered. New engagements may benefit from this approach: it allows the Assurance Provider more time to evaluate both the design and operation of key processes and controls, and gives the Refiner sufficient time to resolve assurance findings, where possible, prior to reporting.
Alternatively, depending on geographies and accessibility, it may be more efficient to conduct the full engagement post year-end.
In addition, ISAE 3000 requires the Assurance Provider to exercise professional scepticism in the conduct of the engagement. Professional scepticism is necessary to question inconsistent evidence, the reliability of management systems and controls, and responses to enquiries. It also includes consideration of the sufficiency and appropriateness of evidence obtained. The Assurance Provider should also take into account cultural considerations and local regulatory or good practice requirements during the conduct of the engagement.