External audits

«Companies cannot just delegate their responsibilities»

A new supply chain act is currently being discussed at EU level, giving rise to an important question: Is it enough for companies to be certified through private auditors to show that they are adequately preventing violations of human rights in their supply chains? A conversation with Matthias Baier, the head of the German Competent Authority - EU Due Diligence Obligations in Mineral Supply Chains (DEKSOR), who has already gained initial experience with such audits.

Claudia Müller-Hoff: First of all: The EU Conflict Minerals Regulation has already required audits since 2021. What is this regulation about and how is it different from the EU supply chain act currently under discussion?

Illustration: Matthias Baier

Matthias Baier: The Conflict Minerals Regulation is primarily concerned with human rights in conflict contexts. Environmental issues or social aspects such as fair wages do not feature in the regulation, which is based on the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, which contains detailed recommendations for certain metals such as tin, tantalum, tungsten and gold. Transparency and due diligence in the supply chain are meant to prevent armed groups and security forces in conflict and high-risk areas from being able to finance themselves from trade in minerals. And, as is stated in the regulation itself: «Human rights abuses are common in resource-rich conflict-affected and high-risk areas and may include child labour, sexual violence, the disappearance of people, forced resettlement and the destruction of ritually or culturally significant sites.» While the Conflict Minerals Regulation targets one specific sector, the EU supply chain act is intended to apply to all sectors, but will not be as detailed in its requirements.

Let’s take the Rana Plaza factory collapse or the Brumadinho dam failure as examples: faulty audits are said to have been a contributing factor. The underlying causes for incorrect or insufficient audits are often competitive pressure, poor pay and a «race to the bottom». This does not exactly speak well for the effectiveness of these audits. In addition, audit firms are not liable for their audits and thus have no incentive to work with greater care. So why opt for mandatory audits, particularly in a high-risk sector such as conflict minerals?

I could give you plenty more examples of why audits could be viewed critically. For instance, I could ask whether there is enough qualified personnel with knowledge of mineral raw material supply chains to audit all EU importers. But the real question is, what is the alternative? Could a government authority inspect all importers? No. So it helps that companies have to undergo external audits. How good these audits end up being, how reliable, how independent – those are certainly questions that should be asked. And we do scrutinize these audits very critically. The reason that auditing became mandatory for the conflict minerals sector of all sectors lies in the specific characteristics of this supply chain: there are many mining operations and opaque structures, relatively few smelters and refineries, and then again many customers. So it makes sense to audit at the smelter stage. This is an approach that cannot easily be transferred to other sectors, such as the textile industry.

Wouldn’t the quality of audits improve and the risk of fatal errors as with Rana Plaza and Brumadinho significantly decrease if audit companies could be held liable for their work?

If these companies were liable for the consequential damage of a dam failure, for example, they would certainly become insolvent. And experts tell us that no insurance company would want to cover this kind of risk either. It is true, however, that we need as much transparency and verification as possible. So we have to verify the audits.

What exactly do you do to verify the audits?

At present, we perform a quick check on all companies subject to due diligence requirements to determine whether the information on their websites complies with the disclosure obligations. This includes a summary of the audit reports. We use the results of these checks as well as other risk criteria, such as the origin and the transportation routes of an import, to select individual cases which we then subject to more in-depth checks. These include, among other things, a close examination of the detailed audit report.

Why has the European Commission still not fulfilled its mandate to provide a list of recognized audit systems and a list of smelters and refineries that operate responsibly?

You would have to ask the European Commission. There have certainly been delays, not least due to COVID, when nobody could fly to China to perform a smelter audit. But it is also a high hurdle to have a certification system recognized. We were talking about the problems with audits just a moment ago.

Can civil society actors view these audit reports and also the list of importers subject to due diligence at your authority?

If an audit is performed as diligently as we would want it to be, it will contain a lot of trade secrets. As a result, we won’t be making these reports available to the public. However, companies importing these raw materials into the European market are under an obligation to publish a summary report of their audit. The most we could do is make sure that these summaries are accessible. As for the list of importers – it’s rather complex. We calculate the thresholds from over 18,000 customs import data points and the number of importers fluctuates constantly. We have a preliminary table for our own checks but no final list.

Would I be able to query whether a specific company is currently on the list?

I would have that checked by a lawyer.

According to your 2022 annual report, your authority found violations of their obligations at many of the 145 companies required to perform due diligence. There was a lack of disclosure about how companies meet their due diligence obligations, audits were not conducted at all or resulted in audit reports that were not meaningful. Above all, the impression arises that companies rely on third parties such as audit firms, software or consulting service providers rather than systematically assessing the risks in their supply chain themselves using their own risk management. How do you explain this high level of lack of care?

Well, I don’t have a crystal ball. But I think it hasn’t really sunk in yet what due diligence means – regardless of which law. We see a lot of outsourcing of due diligence. To some extent, I can understand if a medium-sized company would prefer to invest its energy in an innovative product rather than in scrutinizing supply chains. And there are all sorts of providers who say: «We’ll take care of this for you.»

What needs to change for the situation to improve?

The Conflict Minerals Regulation does state that importers remain responsible for their due diligence obligations, even if they use a system for simplification, for example a supply chain audit. We need a clear change in the way entrepreneurs view this issue. They have to understand that supply chain due diligence means that you really have to look at things in detail and ask critical questions, and that it calls for proper, systematic risk management. We know that this is possible; there are companies that do that. But others haven’t really grasped it yet. They list pretty sustainability goals on their website, but when you take a closer look, you realize that the goals haven’t really arrived in their corporate culture.


The debate

Although it has repeatedly been made clear in the discussions about the EU supply chain act that certification must not be used to relieve companies of their responsibilities, this question remains highly controversial in the Council. The EU Commission’s draft of the Critical Raw Materials Act also stipulates that, with regard to sustainability requirements, the voluntary commitment to obtain certification and preliminary evidence should be sufficient for the EU to provide companies with financial support, among other things – both outside and within Europe. Many civil society actors view this very critically and have repeatedly emphasized that audits overlook numerous issues. For example, the people affected by mining operations would not be heard. Moreover, companies often give preference to low-cost audits over more comprehensive and higher quality audits and certification systems – with corresponding risks for the environment and human rights. Certification thus becomes a mere rubber stamp – and a license to not look any closer.


Matthias Baier is the head of the German Competent Authority - EU Due Diligence Obligations in Mineral Supply Chains (DEKSOR).

Claudia Müller-Hoff (Bogotá, Colombia) is a lawyer specializing in business and human rights.

This article is licensed under Creative Commons License