Internal Audit in a Time of Pandemic


As part of its fifteenth anniversary, the Collège des administrateurs de sociétés (CAS) will publish fifteen original articles on themes that cut across governance issues in organizations.

Here is an introduction to the fourth article, which deals with the place of internal audit in the context of the pandemic and its role in corporate governance.

In her article, Mélanie Roussy* discusses three key parameters for defining the room for manoeuvre of an audit committee during a period of major upheaval. The author proposes the following activities: (1) consider slowing down or halting activities and review the planning of internal audit work; (2) put the knowledge and skills of the internal audit team to work on essential needs; and (3) oversee the return to normal once the period of upheaval has passed.

“A turbulent context such as the pandemic gives the audit committee the opportunity to consolidate the quality of internal audit's future work and its usefulness as a governance mechanism. To do so, the committee must ensure that internal audit's interventions remain relevant during the period of turbulence.”

I invite you to read Mélanie's article.

Enjoy the read!

Internal Audit and Governance

Internal audit is regarded as a governance mechanism serving the audit committee and senior management. Its work gives directors comfort as to the effectiveness of risk management (financial or otherwise) and control, and contributes to better accountability, while stimulating organizational learning. However, for internal audit to deliver the expected benefits, its interventions must be aligned with the main concerns of the audit committee and senior management. Moreover, it is imperative that internal audit be perceived as a helper within the organization; otherwise its effectiveness will be limited.

The 2020 health crisis caused by the COVID-19 pandemic severely shook Canadian society, as it did many others around the world. It pushed organizations in every sector into a period of intense turbulence. In times of turbulence, however, the concerns of directors and management change in the face of the urgency of the situation. Thus, whatever caused the turbulence, and whether it affects a single organization, a particular business sector or the economy as a whole, it is the audit committee's responsibility to ensure that internal audit's interventions remain relevant in these exceptional circumstances. Two questions then arise: (1) what do we do with internal audit during a period of turbulence? And (2) how much room for manoeuvre does the audit committee have to adjust internal audit's responsibilities without contravening the International Professional Practices Framework for internal auditing (hereafter: the Framework) of the Institute of Internal Auditors (The IIA, IPPF 2017)? The rest of this text discusses three parameters to consider in answering these two questions.

CONSIDER SLOWING DOWN OR HALTING ACTIVITIES AND REVIEW THE PLANNING OF INTERNAL AUDIT WORK

Carrying out internal audit work necessarily requires the cooperation of the managers responsible for the audited process and their teams. In times of turbulence, those managers are busy running essential services and dealing with the various emergencies that arise, often in cascade. So unless the audit committee considers that an ongoing engagement is absolutely essential despite the prevailing situation, internal audit's work in progress should be considerably slowed down or simply put on hold until the situation settles and the organization's “normal” course of business has resumed. This will avoid overloading managers and their teams even further, while limiting irritants.

Once the turbulence has passed, it would moreover be appropriate to review the entire internal audit work plan. The organization's priorities and the risks to which it is exposed may well have changed, making the plan drawn up before the events more or less relevant.

PUT THE KNOWLEDGE AND SKILLS OF THE INTERNAL AUDIT TEAM TO WORK ON ESSENTIAL NEEDS

While the originally planned work is slowed down or halted, the audit committee may authorize the redeployment of internal audit staff to other purposes without contravening the Framework (The IIA, IPPF 2017), even though this may appear to compromise the independence of the internal audit function and the objectivity of internal auditors. The Framework (The IIA, IPPF 2017, par. 1112) in fact allows the audit committee to authorize the chief audit executive, and therefore the members of the team, to assume responsibilities outside the usual scope of internal audit. The committee is then responsible for authorizing these particular interventions and supervising their execution. The committee must also establish safeguards for the independence of the function and the objectivity of internal auditors. It is therefore possible to put internal audit at the service of essential needs in times of crisis and to redeploy staff accordingly, provided that the audit committee authorizes it and sets the conditions. For example, one might draw on the following strengths of the internal audit team:

In-depth knowledge of the organization

In planning and carrying out their work (e.g., performance audits, compliance audits, advisory services of all kinds, participation in working committees, etc.), internal auditors develop an in-depth knowledge of the organization. The chair of the audit committee should not hesitate to use internal audit as this vehicle of knowledge to quickly obtain answers to the questions that concern the committee during a period of turbulence. This in-depth knowledge can also be put to use by the management team, for example by adding the chief audit executive to senior management's crisis unit. This supports the management team while facilitating the rapid flow of information up to the audit committee.

Versatility and agility of internal auditors

Moreover, internal auditors are used to moving from one engagement to another, and from one division to another, to carry out their work. This makes them versatile and agile professionals who can be quickly deployed as resource persons in several critical areas of the organization. The point is not to claim that they can do everything, but simply to keep in mind that they are able to support managers wherever the needs are greatest, and to lend a hand to their colleagues.

Know-how associated with the practice of auditing

Internal auditors develop specific know-how associated with the practice of auditing, know-how that can prove useful in times of turbulence. In particular, internal auditors frequently carry out sector benchmarking to identify best practices for controlling a particular risk. For example, in the context of the turbulence induced by the COVID-19 pandemic, this know-how could have helped inform the working committee responsible for designing new occupational health and safety protocols, rather than waiting until afterwards to send in internal auditors to audit the new protocol.

OVERSEE THE “RETURN TO NORMAL” AFTER THE PERIOD OF TURBULENCE

In the midst of turbulence, the relevance of interventions and solidarity with the organization as a whole take precedence over the strict application of the principles of independence of the internal audit function and objectivity of internal auditors. It is therefore important, in keeping with the Framework (The IIA, 2017), that the audit committee set out guidelines defining the conditions for internal audit's work to return to normal. These guidelines should moreover be determined in collaboration with senior management and the chief audit executive, to ensure that the main parties concerned are on the same wavelength.

In conclusion, internal audit should be part of the solution, alongside management and the organization's people, when a period of turbulence arises. Thus, even though we would prefer to avoid it, a turbulent context can be an opportunity to consolidate (or, if necessary, transform) the perception of internal audit as a full member of the team, standing together in adversity. Not only will internal audit's activities contribute during the period of turbulence, but this could also facilitate its future interventions by positioning it as a helper to managers, without compromising its independence and its relevance to the audit committee. The overall quality of internal audit's future work and, consequently, its usefulness as a governance mechanism will thereby be strengthened.

_________________________________________

*Mélanie Roussy, PhD, CPA, CA, ASC, Full Professor, École de comptabilité, FSA ULaval

Reforming the Audit Profession | Persistent Problems and Suggested Changes


Here is an excellent article by Lynn E. Turner, former Chief Accountant of the U.S. Securities and Exchange Commission (SEC) and currently Senior Advisor at Hemming Morse LLP.

In this article, the author notes the persistent problems of poor audit quality. He identifies numerous problematic cases affecting the credibility of, and trust in, the audit profession.

The article also presents avenues for reform to re-establish the profession's responsibilities towards investors and to improve transparency and accountability.

There are still problems with the quality of audits performed by CPAs. In October 2008, a U.S. Treasury committee on the auditing profession (ACAP) published a report containing numerous recommendations for the SEC, the PCAOB and the audit profession.

This committee of business leaders, investors, former SEC regulators and CPAs studied the profession for a year before publishing its report. Yet today, ten years later, few of its recommendations have been followed by the audit firms or their regulators. As a result, the four large audit firms appear to have become “too big to fail”.

Several accountants who regulate the audit firms at the SEC or the PCAOB have joined the regulators of these “Big 4”, and then returned to the firms, as highlighted by the recent Department of Justice action against KPMG's auditors.

I invite you to read the full text.

Enjoy the read!

Reforms of the Auditing Profession: Improving Quality Transparency, Governance and Accountability

Continuing issues affecting the credibility and trust in the auditing profession include:

  • Lack of Independence—Auditors view management of companies they audit as their “client” not the public. It is important to audit partners that they maintain the “annuity” received from the annual audit fees. Losing an annuity from a large company can impact a partner’s career. As a result, the need to maintain a lack of bias and professional scepticism runs head on into, and conflicts with, the need to maintain the annuity for the firm.
  • Management provides them business opportunities to grow their revenues/profits.
  • Management writes their check.
  • Too often, in reality, audit committees delegate hiring and oversight of the auditor to management. Management and Audit Committees have often retained the same auditor for decades, even centuries, continuing to pay the annuity, and receiving “clean” audit reports.
  • Auditors have testified under oath in court, that they do not have an obligation to detect material financial statement fraud and serve the public interest.
  • Management provides the independent auditor with the accounting records and financial statements (numbers) to be audited. Then upon request from the independent auditor, management also provides the auditor with the evidence to support the numbers. When auditors talk of using “Big Data” in an audit, it too often is testing data in a database created and maintained by management. As such, the numbers, evidence and support the auditor examines come from the party that is the subject of the audit. It is doubtful that management is going to provide evidence that does not support the numbers they have created. Unfortunately, Generally Accepted Auditing Standards (GAAS) do not specifically address the need for the auditor to consider publicly available information that contradicts the information management has provided. And time and time again, it is this type of information that has resulted in analysts and other outside researchers bringing to light errors in financial statements and disclosures. And it is this information that auditors have failed to address in their audits.
  • The government mandates management and the company MUST buy audits, rather than those who actually own the company. In this respect, auditing of publicly listed companies is like a publicly mandated utility.
  • Lack of Transparency with respect to Audit Firm Performance and Audit Quality. Investors are not provided information necessary to inform them as to the quality of the audit of the financial statements and disclosures of the company they invest in and own. In that regard, investors are being asked to vote and ratify the auditor without information necessary to making an informed decision. Investors are consistently told in the audit report that audits have been done in compliance with GAAS set by the Public Company Accounting Oversight Board (PCAOB), a misleading statement in light of the very high deficiencies in compliance with GAAS reporting by the PCAOB and other audit regulators around the globe.
  • Lack of Independent Governance of Audit Firms. The large audit firms, which audit the vast majority of publicly listed companies in the US as well as around the globe, all lack meaningful independent governance. This lack of governance, which is required for publicly listed companies, has resulted in a lack of quality, accountability, transparency, and governance when it comes to audit quality and performance.
  • Very poor audit quality based on inspection reports from around the globe—so bad that the International Forum of Independent Audit Regulators (IFIAR) called senior leadership from each of the six largest firms in to discuss the poor audit quality. IFIAR’s Global Audit Quality (GAQ) Working Group and the GPPC networks undertook an initiative aimed to reduce the frequency of inspection findings. In accordance with a target established by the GAQ Working Group, the GPPC networks seek to improve audit performance, reflected in a decrease of at least 25%, on an aggregate basis across the GPPC networks over four years, in the percentage of their inspected listed PIE audits that have at least one finding. (See https://www.ifiar.org/)
  • The 2016 Inspection report of IFIAR stated: “Inspected audits of listed public interest entities (PIEs) with at least one finding remained unacceptably high at 42%.” (See here.)
  • Audit firms often state the deficiency rates are high because the regulators are picking “High Risk” audits which in some, but not all instances, is true. However, one would expect the audit firms to assign these audits to their very best auditors, and as a result, there would be fewer deficiencies.
  • And finally, audit reports have failed to convey to investors—as well as audit committees—concerns of the auditor, even when they know management and companies are violating laws and regulations. Such reports are required for auditors of governments that receive federal funds, but are not required in instances such as seen in recent years, for audits of companies such as Wells Fargo.

Reforms to establish accountability to investors as owners of the company, enhance transparency and accountability

Below are ideas to address the issues with poor audit quality on audits of publicly listed companies. Some of these ideas or recommendations were put forward ten years ago by the U.S. Treasury ACAP.

  • Remove the current requirement in the Securities Laws that a Company must have an audit by an independent auditor, thereby eliminating the federal government mandate.
  • Replace it with a market based requirement, that every 5 years, a shareholder proposal be included in the annual proxy, asking if the investors want an independent audit of the financial statements by the independent auditors. Accordingly, it would be made clear that independent auditors work for, and serve the public interest of the owners of the company—the investors. I would expect that investors most often would vote for an independent audit, unless they saw little value in having one.
  • If the stockholders do approve the independent audit requirement (and again, I think they almost always would):
    • The audit committee, not management, would select and nominate the auditor. This responsibility could not be delegated to management;
    • The stockholders would then be asked to vote on and approve the auditor;
    • The audit committee, not management, would then be tasked with and responsible for negotiating the fee to be paid to the auditor;
    • The audit committee would submit a bill for the audit fee to the PCAOB as necessary during the course of the audit.
  • The PCAOB would collect a fee from each public company to cover the bill of the auditor for the audit. The PCAOB already has a mechanism in place for collecting fees it is required to get from public companies.
  • The PCAOB could require a company to tender their audit for proposal, if the PCAOB found the auditors had engaged in improper professional conduct as defined in SEC Rule 102(e), or had a material weakness in their own internal audit quality controls; or had significant deficiencies on an audit in which the auditor had failed to comply with GAAS as set by the PCAOB.
  • In no event could the audit firm serve as auditor for a publicly listed company for a period longer than what is permitted today by the EC, which is 20 years.
  • The new auditor report adopted by the PCAOB should be required on all audits of public companies. This new audit report will require the auditor to state and discuss in this new form of audit report, “critical audit matters” (commonly referred to as CAMS). The new audit report also requires the auditor to state: “A statement that PCAOB standards require that the auditor plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud.”
  • However, the PCAOB exempted a wide swath of public entities and did not require communication of critical audit matters for audits of emerging growth companies (“EGCs”), brokers and dealers reporting under the Securities Exchange Act of 1934 (the “Exchange Act”) Rule 17a-5; investment companies (e.g., mutual funds), other than business development companies; and employee stock purchase, savings, and similar plans (“benefit plans”).
  • If auditors through their audit work, become aware of a company or management breaking a law or regulation, that could have a material impact on the financial statements or operations of a company, they should be required to disclose it in their report, just as an auditor of a governmental agency subject to the GAO Yellow Book auditing standards is required to do so.
  • In August, 2000, The Panel on Audit Effectiveness (O’Malley Panel) chaired by the former Chairman of PW recommended that each audit include a forensic segment of the audit. Consideration should once again be given to this recommendation including establishing within GAAS, the need for auditors to consider publicly available information that contradicts the evidence management has provided them.
  • Require disclosure of audit quality indicators for each audit on which an opinion of the auditor is provided to investors in the company. These indicators should be disclosed in the Company’s proxy as part of the Company’s audit committee report to investors. Audit committees should also be required to disclose either in the proxy, or in the Charter of the Committee, the committee’s procedure for periodically tendering the audit. Audit firms should already be measuring audit quality on individual audits if in fact they are managing audit quality. But the audit inspection results from around the globe provide some evidence that this has not been occurring.
  • Improving the transparency of the PCAOB. The PCAOB inspects a very small percentage of the audits of publicly listed companies each year, and provides a public inspection report for each firm with their findings. For those audits inspected, the PCAOB inspection reports are perhaps the best indicator of audit quality today. Yet the PCAOB has refused to provide the name of companies being audited, stating the Sarbanes-Oxley Act of 2002 (SOX) prohibits this. But that is false as there is no language in SOX that prohibits the disclosure of the name of the companies whose audits are inspected. What SOX does prohibit is disclosure of investigations and enforcement actions taken by the PCAOB with respect to a poor audit. Senator Sarbanes agreed to an amendment of the then draft of SOX (May 2002), to include a prohibition on public disclosure, until the PCAOB enforcement action is final, at the request of the audit firms and Senator Enzi who was negotiating on their behalf. Harvey Goldschmid, who would shortly thereafter become an SEC Commissioner, and I, pleaded with the Senator not to make this change, as enforcement actions taken by the SEC are not private, but are in fact public. Senators Jack Reed (D-Rhode Island) and Grassley (R-Iowa) have subsequently introduced legislation, supported by the PCAOB in the past, to reverse this change and make the actions public. Unfortunately, in the meantime, the audit firms have used this provision of SOX to hide and appeal and delay the actions until many years have gone by. Then the audit firm always makes a public statement that in essence says a final PCAOB action is years old and should be ignored.
  • Currently the law requires that an audit partner be rotated off as the lead audit partner for a company, after no longer than five years. This is to provide a “fresh set” of eyes to the audit according to the congressional record. Yet there can be a number of audit partners on an audit, and it is not uncommon, to find the lead partner rotated off, and one who has been on the audit in the past, rotated into the lead audit partner position. As a result, there are incentives for partners not to bring up new problems from the past. Given the reforms cited above, this requirement, which has significant costs associated with it, could be eliminated.
  • Require each auditor of public companies to issue an annual report, just as the companies they are required to audit must, containing its:
    • Financial statements prepared in accordance with generally accepted accounting principles (GAAP). This is important to assessing the financial health of these firms as they have become “too big to fail” as demonstrated by actions of law enforcement agencies and regulators.
    • A discussion of the firm’s quality controls regarding all aspects of the audit including independence, human resources such as hiring, training and supervision, performance of audits, selection and retention of companies they audit, and testing and enforcement of the quality controls.
    • A discussion of the firm wide, as opposed to individual audit engagement, audit quality indicators.
    • A discussion of the firm’s governance structure, process and procedures.
  • The European Commission already requires each of the large audit firms to provide a report with some of this information. The US audit firms do publish an annual report on their own, but it discloses very limited financial information, and limited information on governing structures, accountability of executives, and performance measurement and improvement.
  • Audit firms that audit more than 100 public companies should be required to have independent directors or members on the firm’s governing board.
  • Audit firms need to abandon the “pyramid” scheme they use for staffing today, and adopt a paraprofessional model used in law firms. The pyramid structure has resulted in talented, but young and inexperienced staff assigned to perform audit procedures, with respect to business transactions the staff are ill prepared to examine and challenge.
  • All CPAs should be required to have a master’s degree in accountancy. I believe the master of professional accountancy program is sorely needed. The actions of the large audit firms in which they encourage students to leave school and begin their careers before the student receives their master’s is disappointing in that it highlights the lack of commitment to education by those firms. Actions speak louder than words.
  • The SEC should revise its definition of what is a financial expert on the audit committee and adopt its initial proposal. The SEC should clarify the audit committee MAY NOT delegate this responsibility to the management of the Company, which is often done today.

Governance Principles Guiding BlackRock's Investments


BlackRock has just published its position on the governance principles that are to guide its investments in world-class companies.

BlackRock is a pioneer in disclosing the criteria it considers before investing in organizations. For this reason, anyone interested in governance issues should be well informed about the broad principles underpinning its decisions.

In this article, published by Sandra Boss, Global Head of Investment Stewardship, Michelle Edkins, Managing Director of Investment Stewardship, and Shinbo Won, Director of Investment Stewardship at BlackRock, Inc., the authors set out in detail the rules governing BlackRock's investments.

These are regarded as the “gold standard” in the governance world.

The attached article presents the organization's investment philosophy, along with the principles covering the following seven themes:

    • Boards and directors
    • Auditors and audit-related issues
    • Capital structure, mergers, asset sales, and other special transactions
    • Compensation and benefits
    • Environmental and social issues
    • General corporate governance matters and shareholder protections
    • Shareholder proposals

In this post, I refer to the first theme, the one concerning the principles that should guide corporate governance, in particular matters relating to the governance and composition of boards of directors.

To learn more about the other principles, I invite you to read the full article.

Enjoy the read!

BlackRock Investment Stewardship Global Principles

The purpose of this post is to provide an overarching explanation of BlackRock’s approach globally to our responsibilities as a shareholder on behalf of our clients, our expectations of companies, and our commitments to clients in terms of our own governance and transparency.

Introduction to BlackRock

BlackRock’s purpose is to help more and more people experience financial well-being. We manage assets on behalf of institutional and individual clients, across a full spectrum of investment strategies, asset classes, and regions. Our client base includes pension plans, endowments, foundations, charities, official institutions, insurers, and other financial institutions, as well as individuals around the world. As part of our fiduciary duty to our clients, we have determined that it is generally in the best long-term interest of our clients to promote sound corporate governance through voting as an informed, engaged shareholder. This is the responsibility of the Investment Stewardship Team.

Philosophy on investment stewardship

Companies are responsible for ensuring they have appropriate governance structures to serve the interests of shareholders and other key stakeholders. We believe that there are certain fundamental rights attached to shareholding. Companies and their boards should be accountable to shareholders and structured with appropriate checks and balances to ensure that they operate in shareholders’ best interests to create sustainable value. Shareholders should have the right to vote to elect, remove, and nominate directors, approve the appointment of the auditor, and amend the corporate charter or by-laws. Shareholders should be able to vote on matters that are material to the protection of their investment, including but not limited to, changes to the purpose of the business, dilution levels and pre-emptive rights, and the distribution of income and capital structure. In order to make informed decisions, we believe that shareholders have the right to sufficient and timely information. In addition, shareholder voting rights should be proportionate to their economic ownership—the principle of “one share, one vote” helps achieve this balance.

Consistent with these shareholder rights, we believe BlackRock has a responsibility to monitor and provide feedback to companies, in our role as stewards of our clients’ investments. BlackRock Investment Stewardship (“BIS”) does this through engagement with management teams and/or board members on material business issues including environmental, social, and governance (“ESG”) matters and, for those clients who have given us authority, through voting proxies in the best long-term economic interests of our clients. We also participate in the public debate to shape global norms and industry standards with the goal of a policy framework consistent with our clients’ interests as long-term shareholders.

BlackRock looks to companies to provide timely, accurate, and comprehensive reporting on all material governance and business matters, including ESG issues. This allows shareholders to appropriately understand and assess how relevant risks and opportunities are being effectively identified and managed. Where company reporting and disclosure is inadequate or the approach taken is inconsistent with our view of what supports sustainable long-term value creation, we will engage with a company and/or use our vote to encourage a change in practice.

BlackRock views engagement as an important activity; engagement provides us with the opportunity to improve our understanding of the business and ESG risks and opportunities that are material to the companies in which our clients invest. As long-term investors on behalf of clients, we seek to have regular and continuing dialogue with executives and board directors to advance sound governance and sustainable business practices, as well as to understand the effectiveness of the company’s management and oversight of material issues. Engagement is an important mechanism for providing feedback on company practices and disclosures, particularly where we believe they could be enhanced. We primarily engage through direct dialogue but may use other tools such as written correspondence to share our perspectives. Engagement also informs our voting decisions.

We vote in support of management and boards where and to the extent they demonstrate an approach consistent with creating sustainable long-term value. If we have concerns about a company’s approach, we may choose to engage to explain our expectations. Where we consider that a company has failed to address one or more material issues within an appropriate timeframe, we may hold directors accountable or take other voting actions to signal our concerns. We apply our voting guidelines to achieve the outcome we believe is most aligned with our clients’ long-term economic interests.

Key themes

We recognize that accepted standards and norms of corporate governance differ between markets; however, there are sufficient common threads globally to identify this overarching set of principles (the “Principles”) which are anchored in transparency and accountability. At a minimum, we expect companies to observe the accepted corporate governance standards in their domestic market or to explain why not doing so supports sustainable long-term value creation.

Our regional and market-specific voting guidelines explain how these Principles inform our voting decisions in relation to specific ballot items for shareholder meetings.

These Principles cover seven key themes:

  • Boards and directors
  • Auditors and audit-related issues
  • Capital structure, mergers, asset sales, and other special transactions
  • Compensation and benefits
  • Environmental and social issues
  • General corporate governance matters and shareholder protections
  • Shareholder proposals

Boards and directors

The performance of the board is critical to the economic success of the company and the protection of shareholders’ interests. As part of their responsibilities, board members owe fiduciary duties to shareholders in overseeing the strategic direction and operation of the company. For this reason, BlackRock focuses on directors in many of our engagements and sees the election of directors as one of our most important responsibilities in the proxy voting context.

We support boards whose approach is consistent with creating sustainable long-term value. This includes the effective management of strategic, operational, and material ESG factors and the consideration of key stakeholder interests. Our primary focus is on the performance of the board of directors. The board should establish and maintain a framework of robust and effective governance mechanisms to support its oversight of the company’s strategic aims. We look to the board to articulate the effectiveness of these mechanisms in overseeing the management of business risks and opportunities and the fulfillment of the company’s purpose. Disclosure of material issues that affect the company’s long-term strategy and value creation, including material ESG factors, is essential for shareholders to be able to appropriately understand and assess how the board is effectively identifying, managing, and mitigating risks.

Where a company has not adequately disclosed and demonstrated these responsibilities, we will consider withholding our support for the re-election of directors whom we hold accountable. We assess director performance on a case-by-case basis and in light of each company’s particular circumstances, taking into consideration our assessment of their governance, sustainable business practices, and performance. In serving the interests of shareholders, the responsibility of the board of directors includes, but is not limited to, the following:

– Establishing an appropriate corporate governance structure

– Supporting and overseeing management in setting long-term strategic goals, applicable measures of value-creation and milestones that will demonstrate progress, and steps taken if any obstacles are anticipated or incurred

– Providing oversight on the identification and management of material, business operational and sustainability-related risks

– Overseeing the financial resilience of the company, the integrity of financial statements, and the robustness of a company’s Enterprise Risk Management [1] frameworks

– Making decisions on matters that require independent evaluation which may include mergers, acquisitions and disposals, activist situations or other similar cases

– Establishing appropriate executive compensation structures

– Addressing business issues, including environmental and social issues, when they have the potential to materially impact the company’s long-term value

There should be clear definitions of the role of the board, the committees of the board and senior management. We set out below ways in which boards and directors can demonstrate a commitment to acting in the best interests of long-term shareholders. We will seek to engage with the appropriate directors where we have concerns about the performance of the company, board, or individual directors. As noted above, we believe that when a company is not effectively addressing a material issue, its directors should be held accountable.

Regular accountability

BlackRock believes that directors should stand for re-election on a regular basis, ideally annually. In our experience, annual re-elections allow shareholders to reaffirm their support for board members or hold them accountable for their decisions in a timely manner. When board members are not re-elected annually, we believe it is good practice for boards to have a rotation policy to ensure that, through a board cycle, all directors have had their appointment re-confirmed, with a proportion of directors being put forward for re-election at each annual general meeting.

Effective board composition

Regular director elections also give boards the opportunity to adjust their composition in an orderly way to reflect the evolution of the company’s strategy and the market environment. BlackRock believes it is beneficial for new directors to be brought onto the board periodically to refresh the group’s thinking and in a manner that supports both continuity and appropriate succession planning. We expect companies to keep under regular review the effectiveness of their board (including its size), and assess directors nominated for election or re-election in the context of the composition of the board as a whole. This assessment should consider a number of factors, including the potential need to address gaps in skills or experience, the diversity of the board, and the balance of independent and non-independent directors. We also consider the average tenure of the overall board, where we are seeking a balance between the knowledge and experience of longer-serving members and the fresh perspectives of newer members.

When nominating new directors to the board, there should be detailed information on the individual candidates in order for shareholders to assess the suitability of an individual nominee and the overall board composition. These disclosures should give a clear sense of how the collective experience and expertise of the board aligns with the company’s long-term strategy and business model. We also expect disclosures to demonstrate how diversity is accounted for within the proposed board composition, including demographic factors such as gender, ethnicity, and age; as well as professional characteristics, such as a director’s industry experience, specialist areas of expertise, and geographic location.

We expect there to be a sufficient number of independent directors, free from conflicts of interest or undue influence from connected parties, to ensure objectivity in the decision-making of the board and its ability to oversee management.

Common impediments to independence may include but are not limited to:

  • Current or recent employment at the company or a subsidiary
  • Being, or representing, a shareholder with a substantial shareholding in the company
  • Interlocking directorships
  • Having any other interest, business, or other relationship which could, or could reasonably be perceived to, materially interfere with a director’s ability to act in the best interests of the company

BlackRock believes that the board is able to fulfill its fiduciary duty when there is a clearly independent, senior non-executive director to chair it or, where the chairman is also the CEO (or is otherwise not independent), a lead independent director. The role of this director is to enhance the effectiveness of the independent members of the board through shaping the agenda, ensuring adequate information is provided to the board and encouraging independent participation in board deliberations. The lead independent director or another appropriate director should be available to shareholders in those situations where an independent director is best placed to explain and justify a company’s approach.

There are matters for which the board has responsibility that may involve a conflict of interest for executives or for affiliated directors. BlackRock believes that objective oversight of such matters is best achieved when the board forms committees comprised entirely of independent directors. In many markets, these committees of the board specialize in audit, director nominations and compensation matters. An ad hoc committee might also be formed to decide on a special transaction, particularly one involving a related party, or to investigate a significant adverse event.

Sufficient capacity

As the role of a director is demanding, directors must be able to commit an appropriate amount of time to board and committee matters. It is important that every director has the capacity to meet all of his/her responsibilities—including when there are unforeseen events—and therefore, he/she should not take on an excessive number of roles that would impair his/her ability to fulfill his/her duties.

Top 10 posts published on the Harvard Law School Forum as of November 19, 2020


Here is the weekly roundup of the Harvard Law School Forum on corporate governance as of November 19, 2020.

This week, I have picked out the ten main posts.

Happy reading!


  1. Decision Making in 50:50 Joint Ventures
  2. Delaware Reaffirms Director Independence Principle in Founder-Led Company
  3. Shareholders’ Rights & Shareholder Activism 2020
  4. ESG Management and Board Accountability
  5. Financial Institution Regulation Under President Biden
  6. Corporations in 100 Pages
  7. Racial Equity on the Board Agenda
  8. The Rise of the General Counsel
  9. Revealing ESG in Critical Audit Matters
  10. SEC Division of Enforcement 2020 Annual Report

Challenges and priorities for the audit committee over the coming quarters


Here is an article that should prompt audit committees to ask the right questions in a pandemic situation.

The article was published on the Harvard Law School Forum by Krista Parsons, Managing Director of the Center for Board Effectiveness, and Eric Knachel, partner in the Audit & Assurance practice at Deloitte LLP.

I present the French version of the publication’s introduction, produced with Google’s translation tool, which is certainly not perfect.


Auditors face expertise and risk management challenges.


Audit committees have an essential role to play in helping companies to evolve and thrive in this environment. To provide effective oversight and help company leaders navigate these difficult times, audit committees must ask direct and targeted questions of management to understand which alternatives were considered and chosen to resolve the key issues.

Audit committees must be aware of the priority issues, the trends and ongoing problems, as well as the points of tension, challenges and alternative solutions associated with these issues.

Happy reading!

Audit Committee Challenges and Priorities in the Upcoming Quarter and Beyond


2020 Directors’ Guide | Deloitte


The following document, published by Deloitte, is highly recommended reading for all directors, particularly those who have responsibilities relating to the evaluation of the company’s financial performance.

For each of the topics covered in the document, the authors present a set of questions that directors could ask:

“For directors to fulfill their financial reporting obligations, they must rely on management’s support and ask the right questions.

In this publication, we propose questions that directors could ask management about their annual financial documents, so that these are subject to appropriate challenge.”

I invite you to read this publication by downloading the guide below.

2020 Directors’ Guide


The dilemma of an independent director in a data theft case


Here is a case published on Julie McLellan’s website that addresses a situation in which Trevor, an independent director, believed that the company’s great success reflected solid governance.

Trevor chairs the audit committee and is concerned with putting sound governance practices in place. However, this publicly listed company had weaknesses in digital risk management and cybersecurity.

Moreover, the sole independent director had not been informed that highly sensitive data had been stolen and that ransom demands had been made.

The organization first denied that the stolen information came from its systems, before admitting that the data had been taken a year earlier! The results were dramatic…

Trevor wonders how he can help the organization weather the storm!

The case was first translated into French using Google Chrome, and I then edited and adapted it. The situation is presented briefly, and then three experts weigh in on the case.

Happy reading! Your comments are always welcome.

The dilemma of an independent director in a data theft case


Trevor is a director of a listed company that has been a “market darling”. The company provides credit assessments and data verification. Both founders have solid experience in the sector, a strong network of contacts, and a client list that included governments and financial institutions.

Since the IPO two years ago, the company has met or exceeded forecasts, and Trevor is proud to be the sole independent director sitting on the board alongside the two founders and the CEO. He chairs the audit committee and, unofficially, he has been the initiator of the governance processes and their documentation.

The founders have remained very active in the business, and Trevor has sometimes worried that certain strategic decisions were not brought to his attention before the board meeting. Since Trevor’s background is audit and assurance, he assumes he would not have added value beyond ensuring a sound process and proper record keeping.

Three weeks ago, everything changed. A large portion of the company’s data was stolen and posted on the “dark web”. The theft included the financial data of the people who had been assessed, as well as identification data such as tax file numbers and residential addresses. Worse, the company first asserted that the information did not come from its systems, then admitted having received ransom demands indicating that the data had been taken up to a year before this catastrophe.

Several clients have closed their accounts, shareholders are dismayed, the share price is in free fall, and the press is demanding more information.

How should Trevor help the company weather this storm?

To read this case, go to www.mclellan.com.au/newsletter.html and click on “read the latest issue”.

Adam’s Answer


This is a critical time for Trevor legally and reputationally, it is also a time when being an independent director carries additional responsibility to the company, the shareholders, the staff and the customers.

All Directors and Executives can only have one response to a blackmail attempt.  That is to immediately report it to the police and not respond to the ransomware demands.  Secondly the company should have had a crisis management plan in place ready for such an eventuality.  In this day and age, no company should operate without a cybercrime contingency plan.

In this case it is unclear, but it appears that the authorities were not informed and that Trevor’s company was unprepared for a data breach or ransomware demands.

There are 2 scenarios open to Trevor:

1) If Trevor was not informed straight away of the ransom demands and the CEO and founding Executive Directors knew but did not brief him on the ransom issue and the company’s response, then his independent status has been compromised and he should resign.

2) If Trevor was informed and the whole Board was involved in the response, then Trevor must remain and help the company ride out the storm.   This will involve working with the police, the ASX and crisis management guidance from external suppliers – technical and PR. 

The rule to follow is full transparency and speedy action. 

Trevor should refer to the recent ransomware attack on Toll Logistics and their response which was exemplary.

Adam Salzer OAM is the Chair and Global Designer for Whitewater Transformations. His other board experience includes Australian Transformation and Turnaround Association (AusTTA), Asian Transformation and Turnaround Association (ATTA), Australian Deafness Council, Bell Shakespeare Company, and NSW Deaf Society. He is based in Sydney, Australia.

Julie’s Answer


This is a listed company; Trevor must ensure appropriate disclosure. A trading halt may give the company time to investigate, and respond to, the events and then give the market time to disseminate the information. His customer liaison at the stock exchange should assist with implementing a halt and issuing a brief statement saying what has happened and that the company will issue more information when it becomes available.

This will be a costly and distracting exercise that could derail the company from its current successful track.

Three of the four board members are executives. That doesn’t mean the fourth can rely on their efforts. Trevor must add value by asking intelligent questions that people involved in the operations will possibly not think to ask. This board must work as a team rather than a group of individuals who each contribute their own expertise and then come together to document decisions that were not made rigorously or jointly.

Trevor has now learnt that there is more to good governance than just having meetings and documenting processes. He needs to get involved and truly understand the business. If his fellow directors do not welcome this, he needs to consider whether they are taking him seriously or just using him as window-dressing. He should ensure that the whole board is never again left out of the information flow when something important happens (or even when it perhaps might happen).

He should also take the lead on procuring legal advice (they are going to need it), liaising with the regulators, and establishing crisis communications. Engaging a specialist communications firm may help.

Julie Garland McLellan is a non-executive director and board consultant based in Sydney, Australia.

Jinan’s Answer


I recommend three separate parallel streams of work for Trevor. 

1. Immediate public facing actions
Immediately apologize and state your commitment to your customers. Hire a PR firm and have the most public facing person issue an apology. The person selected to issue the apology has to be selected carefully (cannot be the person responsible for the leak, and has the potential to become the new trusted CEO).

2. Tactical internal actions
Assess the damage and contain the incident.  Engage an incident response firm to assess how the breach happened, when it happened, what was stolen. Confirm that leak doors are closed. Select your IR firm carefully – the better reputed they are, the better you will look in litigation.
Conduct an immediate audit and investigation. You need to understand who knew, when and why this was buried for a year.
Take disciplinary action against anyone who was part of the breach. Post audit, either allow them to keep their equity or buy them out.

3. Strategic actions
Review and update your cybersecurity incident response process.  This includes your ransomware processes (e.g. will you pay, how you pay, etc.), and how you communicate incidents. 
Build cybersecurity awareness, behavior and culture up, down and across your company. Ensure that everyone from the board down is educated, enabled and enthusiastic about their own and your company’s cyber-safety. This is a journey, not a one-off miracle.
Extend cybersecurity engagement to your customers. Be proactive not only on the status of this incident, but also on how you are keeping their data safe.  Go a step further and offer them help in their own cyber-safety.
Create a forward thinking, business and risk-aligned cybersecurity strategy. Understand your current people, process and technology gaps which led to this decision and how you’ll fix them.
Elevate the role of cybersecurity leadership.  You will need a chief information security officer who is empowered to execute the strategy, and has a regular and independent seat at the board table. 

Jinan Budge is Principal Analyst Serving Security and Risk Professionals at Forrester and a former Director Cyber Security, Strategy and Governance at Transport for NSW. She is based in Sydney, New South Wales, Australia.

Composition and roles of the board committees supporting governance


Boards of directors must establish committees that support an organization’s governance. Most companies appoint at least the following three standing committees: (1) the human resources committee, (2) the governance and ethics committee, and (3) the audit committee.

The board may form any other committee it deems essential to the good governance of the company, for example committees on information technology, risk management, environmental management, etc.

Many organizations have questions about the composition and roles of the three key committees that support governance.

So, in this post, I present descriptions of the tasks generally assigned to these three main committees.

Example of a governance structure


General rules


Committees are composed of at least three members of the board of directors. The chair is an ex officio member.

By invitation, any other person may attend all or part of a committee meeting when the committee deems it necessary or desirable.

Committees have the authority to make recommendations to the board on any matter within their mandate.

The committee reports on its work to the board by presenting a summary of the points discussed at its meetings.

(1) Governance and ethics committee


The governance and ethics committee generally assumes the following mandate:

– Monitor sound governance practices;

– Establish competency and experience profiles for board members and committee members, and revise them when necessary;

– Build a matrix of the competencies sought in any new board member, with regard to the functions required to ensure sound fiduciary governance, with a view to optimization and complementarity;

– Recommend to the board of directors the appointment of directors to the various board committees;

– Recommend the designation of an ethics and professional conduct advisor;

– Propose rules of governance, ethics and professional conduct within the board of directors and its committees, and revise them when necessary;

– Define an onboarding and integration policy for new directors, which includes appropriate training in ethics and governance;

– Put in place an annual process for evaluating the functioning of the board of directors and its committees in order to measure the contribution of its directors, and propose, where appropriate, the evaluation criteria and suitable action plans;

– Propose a compensation policy for directors and committee members, subject to the regulations in force;

– Perform any other task assigned to it by the board of directors.

(2) Human resources committee


Here are some of the activities of the human resources committee:

– Update the competency profile for the position of general manager, recommend the hiring and employment conditions or, where applicable, the termination of the general manager;

– Put in place a performance appraisal mechanism, conduct the annual performance evaluation and propose, where appropriate, suitable action plans;

– Review the guidelines on overall employee compensation, including salary scales, and recommend their approval to the board of directors;

– Ensure that human resources policies are in place, particularly regarding hiring, training and skills development, so that the organization can attract, motivate and retain quality staff;

– Examine proposed organizational changes that could have significant effects on the organization’s internal structure;

– Be kept informed of negotiations surrounding the renewal of the collective agreement, where applicable, as well as the working conditions of non-unionized staff;

– In this regard, the committee must inform the board of directors of any unfavorable situation and propose solutions to address the shortcomings;

– Ensure that a succession plan is established for the various management positions;

– Perform any other task assigned to it by the board of directors.

(3) Audit committee


Finally, here are the main tasks of the audit committee, a mandatory committee:

– Exercise rigorous oversight of financial information;

– Ensure that internal audit processes are in place;

– Oversee the engagement of the external auditor and evaluate the auditor;

– Approve the audit plan designed by the external auditor;

– Examine the proposed annual budget before it is submitted to the board;

– Monitor the various budget items as well as the financial statements on a quarterly basis;

– Be informed of the results of the audit and, where applicable, of the annual management report;

– Review the results of any audit by the accounting firm, the significant issues that came to its attention, as well as management’s response or action plan with respect to any auditor’s management letter and any significant recommendation set out in it;

– Ensure that a risk management plan is in place, including the risks related to information technology and cybersecurity;

– Review the organization’s investment policy in relation to the risk management plan;

– Perform any other task assigned to it by the board of directors.

Your comments are welcome.

The big audit firms are more selective in choosing their engagements | Repost


Here is an article published by GAVIN HINKS for Board Agenda showing that the big audit firms are increasingly likely to resign when the risks appear too high to them.

Research indicates that this is particularly the case in the United Kingdom, where lawsuits against the Big Four are becoming more frequent. These audit firms are now more selective in choosing their clients.

Given the oligopolistic position of the big audit firms, should we be surprised by these withdrawal decisions in the new climate of financial risk facing British companies?

The answer is not really. Over recent years auditors, especially the Big Four (PwC, Deloitte, KPMG and EY) have faced consistent criticism for their work—complaints that they control too much of the market for big company audit and that audit quality is not what it should be.

A company’s audit committee is publicly called into question when the auditor tenders its resignation. The company often has to manage a media crisis in order to safeguard its reputation.

For some governance experts, these situations call for stricter disclosure requirements. Stakeholders want to know the nature of the problems and the risks associated with them.

Directors also want to know management’s action plan with respect to the work and recommendations of the audit committee.

The author gives many examples of the new behaviors of the Big Four.

Happy reading!

Auditor resignations indicate new attitude to client selection


The audit profession in Britain is at a turning point as Westminster—Brexit permitting—considers new regulation.

It seems firms may be responding by clearing the decks: the press has spotted a spate of high-profile auditor resignations with audit firms bidding farewell to a clutch of major clients. This includes firms outside the Big Four, such as Grant Thornton, which recently said sayonara to Sports Direct, the retail chain, embroiled in running arguments over its governance.

But Grant Thornton is not alone. KPMG has parted ways with Eddie Stobart, a haulage firm, and Lycamobile, a telecommunications company. PwC meanwhile has said goodbye to Staffline, a recruitment business.

Should we be surprised?

The answer is not really. Over recent years auditors, especially the Big Four (PwC, Deloitte, KPMG and EY) have faced consistent criticism for their work—complaints that they control too much of the market for big company audit and that audit quality is not what it should be.

This came to a head in December 2017 with the collapse of construction and contracting giant Carillion, audited by KPMG. The event prompted a parliamentary inquiry followed by government-ordered reviews of the audit market and regulation.

An examination of the watchdog for audit and financial reporting, the Financial Reporting Council, has resulted in the creation of a brand new regulatory body; a look at the audit market resulted in recommendations that firms separate their audit businesses from other services they provide. A current look at the quality and scope of audit, the Brydon review, will doubtless come up with its own recommendations when it reports later this year.


Client selection


While it is hard to obtain statistics, the press reports, as well as industry talk, indicate that auditors are becoming more picky about who they choose to work for.

According to Jonathan Hayward, a governance and audit expert with the consultancy Independent Audit, the first step in any risk management for an audit firm is client selection. He says the current environment in which auditors have become “tired of being beaten up” has caused a new “sensitivity” in which auditors may be choosing to be more assiduous in applying client filtering policies.

Application of these policies may have been soft in the past, as firms raced for market share, but perhaps also as they applied what Hayward calls the auditor’s “God complex”: the idea that their judgement must be definitive.

Psychological dispositions are arguable. What may be observed for certain is that the potential downsides are becoming clearer to audit chiefs. Fines meted out in recent times by a newly energised regulator facing replacement include the £5m (discounted to £3.5m) for KPMG for the firm’s work with the London branch of BNY Mellon. Deloitte faced a £6.5m fine (discounted to £4.2m) for its audit of Serco Geografix, an outsourcing business. Last year PwC faced a record breaking £10m penalty for its work on the audit of collapsed retailer BHS.

What those fines have brought home is the thin line auditors tread between profit and and huge costs if it goes wrong. That undermines the attractiveness of being in the audit market.

One expert to draw attention to the economics is Jim Peterson, a US lawyer who blogs on corporate law and has represented accountancy firms.

Highlighting Sports Direct’s need to find a replacement audit firm, Peterson notes Grant Thornton’s fee was £1.4m with an estimated profit of £200,000-£250,000.

“A projection from that figure would be hostage, however, to the doubtful assumption of no further developments,” Peterson writes.

“That is, the cost to address even a modest extension of necessary extra audit work, or a lawsuit or investigative inquiry—legal fees and diverted management time alone—would swamp any engagement profit within weeks.”

He adds: “And that’s without thinking of the potential fines or judgements. Could the revenue justify that risk? No fee can be set and charged that would protect an auditor in the fraught context of Sports Direct—simply impossible.”

Media attention

 

Auditor resignations are not without their own risks. Maggie McGhee, executive director, governance at ACCA, a professional body for accountants, points out that parting with a client can bring unpleasant public attention.

“If auditors use resignation more regularly in a bid to extract themselves from high-risk audits,” says McGhee, “then it is probable that there will be some media interest if issues are subsequently identified at the company. Questions arise, such as did the auditor do enough?”

But as, McGhee adds, resignation has to remain part of the auditor’s armoury, not least as part of maintaining their independence.

For non-executives on an audit committee, auditor resignation is a significant moment. With an important role in hiring an audit firm as well as oversight of company directors, their role will be to challenge management.

“The audit committee is critical in these circumstances,” says McGhee, “and it should take action to understand the circumstance and whether action is required.”

ACCA has told the Sir Donald Brydon review [examining audit quality] that greater disclosure is needed of “the communication and judgements” that pass between auditors and audit committees. McGhee says it would be particularly relevant in the case of auditor resignations.

There have been suggestions that Sir Donald is interested in resignations. ShareSoc and UKSA, bodies representing small shareholders, have called on Sir Donald to recommend that an a regulatory news service announcement be triggered by an auditor cutting ties.

A blog on ShareSoc’s website says: “It seems clear that there is a need to tighten the disclosure rules surrounding auditor resignations and dismissals.”

It seems likely Sir Donald will comment on resignations, though what his recommendations will be remains uncertain. What is clear is that recent behaviour has shone a light on auditor departures and questions are being asked. The need for answers is sure to remain.

The big audit firms are becoming more selective in choosing their engagements


Here is an article published by GAVIN HINKS on behalf of Board Agenda which shows that the big audit firms are increasingly likely to resign when the risks appear too high to them.

Research indicates that this is particularly the case in the United Kingdom, where the Big Four are being sued more frequently. These audit firms are now more selective in choosing their clients.

Given the oligopolistic position of the big audit firms, should we be surprised by these withdrawal decisions in the new climate of financial risk facing British companies?

The answer is not really. Over recent years auditors, especially the Big Four (PwC, Deloitte, KPMG and EY) have faced consistent criticism for their work—complaints that they control too much of the market for big company audit and that audit quality is not what it should be.

A company's audit committee is called to account publicly when the auditor submits its resignation. The company often has to manage a media crisis in order to safeguard its reputation.

For some governance experts, these situations call for stricter disclosure requirements. Stakeholders want to know the nature of the problems and the risks associated with them.

Directors also want to know management's action plan with regard to the work and recommendations of the audit committee.

The author gives many examples of the new behaviours of the Big Four.

Enjoy the read!

Auditor resignations indicate new attitude to client selection

The audit profession in Britain is at a turning point as Westminster—Brexit permitting—considers new regulation.

It seems firms may be responding by clearing the decks: the press has spotted a spate of high-profile auditor resignations with audit firms bidding farewell to a clutch of major clients. This includes firms outside the Big Four, such as Grant Thornton, which recently said sayonara to Sports Direct, the retail chain, embroiled in running arguments over its governance.

But Grant Thornton is not alone. KPMG has parted ways with Eddie Stobart, a haulage firm, and Lycamobile, a telecommunications company. PwC meanwhile has said goodbye to Staffline, a recruitment business.

Should we be surprised?

The answer is not really. Over recent years auditors, especially the Big Four (PwC, Deloitte, KPMG and EY) have faced consistent criticism for their work—complaints that they control too much of the market for big company audit and that audit quality is not what it should be.

This came to a head in December 2017 with the collapse of construction and contracting giant Carillion, audited by KPMG. The event prompted a parliamentary inquiry followed by government-ordered reviews of the audit market and regulation.

An examination of the watchdog for audit and financial reporting, the Financial Reporting Council, has resulted in the creation of a brand new regulatory body; a look at the audit market resulted in recommendations that firms separate their audit businesses from other services they provide. A current look at the quality and scope of audit, the Brydon review, will doubtless come up with its own recommendations when it reports later this year.

Client selection

While it is hard to obtain statistics, the press reports, as well as industry talk, indicate that auditors are becoming more picky about who they choose to work for.

According to Jonathan Hayward, a governance and audit expert with the consultancy Independent Audit, the first step in any risk management for an audit firm is client selection. He says the current environment in which auditors have become “tired of being beaten up” has caused a new “sensitivity” in which auditors may be choosing to be more assiduous in applying client filtering policies.

Application of these policies may have been soft in the past, as firms raced for market share, but perhaps also as they applied what Hayward calls the auditor’s “God complex”: the idea that their judgement must be definitive.

Psychological dispositions are arguable. What may be observed for certain is that the potential downsides are becoming clearer to audit chiefs. Fines meted out in recent times by a newly energised regulator facing replacement include the £5m (discounted to £3.5m) for KPMG for the firm’s work with the London branch of BNY Mellon. Deloitte faced a £6.5m fine (discounted to £4.2m) for its audit of Serco Geografix, an outsourcing business. Last year PwC faced a record breaking £10m penalty for its work on the audit of collapsed retailer BHS.

What those fines have brought home is the thin line auditors tread between profit and huge costs if it goes wrong. That undermines the attractiveness of being in the audit market.

One expert to draw attention to the economics is Jim Peterson, a US lawyer who blogs on corporate law and has represented accountancy firms.

Highlighting Sports Direct’s need to find a replacement audit firm, Peterson notes Grant Thornton’s fee was £1.4m with an estimated profit of £200,000-£250,000.

“A projection from that figure would be hostage, however, to the doubtful assumption of no further developments,” Peterson writes.

“That is, the cost to address even a modest extension of necessary extra audit work, or a lawsuit or investigative inquiry—legal fees and diverted management time alone—would swamp any engagement profit within weeks.”

He adds: “And that’s without thinking of the potential fines or judgements. Could the revenue justify that risk? No fee can be set and charged that would protect an auditor in the fraught context of Sports Direct—simply impossible.”

Media attention

Auditor resignations are not without their own risks. Maggie McGhee, executive director, governance at ACCA, a professional body for accountants, points out that parting with a client can bring unpleasant public attention.

“If auditors use resignation more regularly in a bid to extract themselves from high-risk audits,” says McGhee, “then it is probable that there will be some media interest if issues are subsequently identified at the company. Questions arise, such as did the auditor do enough?”

But, as McGhee adds, resignation has to remain part of the auditor’s armoury, not least as part of maintaining their independence.

For non-executives on an audit committee, auditor resignation is a significant moment. With an important role in hiring an audit firm as well as oversight of company directors, their role will be to challenge management.

“The audit committee is critical in these circumstances,” says McGhee, “and it should take action to understand the circumstance and whether action is required.”

ACCA has told the Sir Donald Brydon review [examining audit quality] that greater disclosure is needed of “the communication and judgements” that pass between auditors and audit committees. McGhee says it would be particularly relevant in the case of auditor resignations.

There have been suggestions that Sir Donald is interested in resignations. ShareSoc and UKSA, bodies representing small shareholders, have called on Sir Donald to recommend that a regulatory news service announcement be triggered by an auditor cutting ties.

A blog on ShareSoc’s website says: “It seems clear that there is a need to tighten the disclosure rules surrounding auditor resignations and dismissals.”

It seems likely Sir Donald will comment on resignations, though what his recommendations will be remains uncertain. What is clear is that recent behaviour has shone a light on auditor departures and questions are being asked. The need for answers is sure to remain.

Ten mistakes boards can avoid on human rights


Here is an article published by MAZARS* on the most common mistakes boards make with regard to human rights risks.

According to the authors, the biggest mistake is failing to recognise the seriousness of the risks, but it is not the only danger!

The article was published in English. I used Chrome's translator to produce the French text below. The quality of the translation is very good, which will make life easier for French speakers!

Here are ten mistakes that boards can avoid.

Enjoy the read!

Ten mistakes boards can avoid on human rights

  1. Identify and understand the risks

Boards often fail to identify and understand serious human rights risks, such as abusive working conditions relating to wages, contracts, safety and health, and the use of child labour, forced labour and human trafficking. These abusive practices can lead to legal, financial and reputational damage.

  2. Be prepared

Waiting for something to go wrong before addressing human rights responsibilities in the workplace and in supply chains is a sure route to big problems. It is essential to establish a clear plan for how to meet the challenges and to provide sufficient resources to do so.

  3. Seek support from the top

Trying to embed good human rights standards in the company's culture and decision-making across all operations and all geographies without securing the backing of the most senior executives will fail.

  4. Carry out regular audits

Do not assume that human rights are respected in your supply chains, at home or abroad. Boards must ensure that audits and supply chain reviews are carried out regularly to guarantee that good human rights practices are respected. The tragic exposure of the appalling conditions of garment industry workers in Bangladesh and other countries has made the headlines all too often in recent years.

  5. Get an expert on board

Avoid any arrogant attitude to human rights and appoint to the board a person with solid expertise, particularly in meeting national and international regulatory requirements, or train a board member to lead.

  6. Establish appropriate channels

Failing to put in place adequate channels for people inside or outside the company to raise concerns about human rights and their consequences so that they reach the board of directors and senior management is a common mistake.

  7. Tackle misconduct

Do not be tempted to deny or hide any misconduct that comes to light; instead, resolve it and bring about change effectively using best practice.

  8. Ensure stakeholder engagement

Weak engagement with stakeholders must be avoided, because it is important to communicate clearly about how the board of directors is dealing with its human rights issues, especially if problems have arisen. Shareholders in particular are asking more questions about human rights risk management processes and about how the company is meeting the challenges and measuring progress.

  9. Do not take shortcuts

It is best not to take shortcuts to meet regulatory reporting requirements, such as giving a quick answer or repeating the content of last year's report. The UN Guiding Principles set out clearly how to report on human rights issues in an annual report or a sustainability report.

  10. Avoid complacency

Becoming complacent about your company's human rights record is not an option. New schemes such as the investor-led Workforce Disclosure Initiative, which calls for greater transparency on how companies manage their employees and supply chain workers, are growing and putting companies under the microscope.


*This article was produced by Board Agenda in collaboration with Mazars, a Board Agenda partner.

Cégep policies and value-creating governance


We publish here a post by Danielle Malboeuf* that informs us about value-creating governance with regard to the management of CÉGEPs.

As usual, Danielle offers her article as a guest author.

I wish you a good read. Your comments are appreciated.

Cégeps: policies and governance

by

Danielle Malboeuf*

An issue not to be overlooked

Every year, motivated and interested people invest their time and energy in the boards of directors of the colleges. They pay particular attention to the college's financial management and ensure that the funds allocated to it are used effectively and efficiently. However, as I have seen in my discussions with directors, these people want to play a role that goes beyond that of "trustee". They want to make a meaningful contribution to the Cégep's primary mission: providing relevant, high-quality education in which the student and his or her educational success are at the heart of concerns. They therefore want to support the cégeps in their desire to improve their effectiveness and efficiency, to develop, and to ensure the quality and relevance of their services. The new mode of governance currently being encouraged in both public and private institutions meets these expectations. It is "value-creating governance" (1). This mode of governance allows everyone to contribute to the development of our colleges on the basis of their experience and skills.

For the board to play its full role as a "creator of value", the colleges must be able to rely on competent directors who see to it that the college meets its obligations and achieves a high level of performance. Moreover, following the publication in 2016 of a report by the Auditor General on the administrative management of the cégeps (2), I wrote an article in which I recalled the importance of having, on the boards of directors of the colleges, competent directors who have, among other things, a good knowledge of the policies, directives and regulatory requirements in force, in order to respond adequately to the expectations set out in that report. Among other things, the Auditor General recommended, with regard to procurement methods, compliance with the regulations and internal policies (3). It therefore seems essential to me that directors be able to assess regularly the relevance of these policies and their application.

Thus, among the responsibilities entrusted to the board are the following (4):

  1. ensuring that the institution is administered according to recognised standards and in compliance with the law;
  2. defining the institution's policies and regulations, reviewing them periodically and ensuring that they are applied.

The colleges are fifty years old. Over those years, many policies and regulations have been drawn up, implemented and adopted by the boards. These documents appeared over the years in response to legal and ministerial requirements, but also to institutional concerns. To ensure that these policies and regulations are applied, managers have produced management tools: programs, directives and procedures. Colleges therefore have management manuals (Cahiers de gestion) that bring together all these documents, and these bring challenges of implementation, follow-up and revision.

Some colleges recognise these challenges. Indeed, the Commission d'évaluation de l'enseignement collégial (CEEC) makes the following observation in its review of the work on evaluating the effectiveness of quality assurance systems: "Some colleges have undertaken… the implementation of tools for concerted and integrated quality management." "Some colleges nevertheless consider that work remains to be done to improve the synergy between the mechanisms" (5).

Given current concerns and the expectations expressed by the Auditor General, I invite all colleges to adopt mechanisms regarding policies and regulations that are in line with good governance practices:

  1. Validate the relevance of all this documentation;

First, directors must know the content of the policies and regulations, since they have, let us recall, the responsibility of ensuring that they are applied. They must also verify that all these documents are still relevant. Are there redundancies? If so, corrections must be made.

  2. Ensure the consistency of all this documentation;

Reading institutional documents, one notes that the terms policy, regulation, program, directive and procedure do not have the same meaning from one college to another, or even within the same college. There are policies and programs attached to the same subject. Whereas a policy is a set of orientations and principles, a program is a "set of intended actions and projects that the institution must implement in order to comply with governmental or institutional orientations."

For example, to comply with a ministerial requirement, the colleges drew up, several years ago, a human resources management policy for staff who are members of an association certified under the Labour Code (senior managers and managers are excluded here). This policy had to include provisions on the hiring, professional integration, evaluation and professional development of these employees. In some colleges, these provisions took the form of programs, in others of policies. Within the same college, for staff evaluation, one may find a program for certain categories of staff and a policy for other employees. Let us recall again that the board reviews policies, not programs. This poses a problem of consistency, but also of fairness.

In addition, a policy may contain operating procedures. Recall that a policy is a "set of orientations and principles that frame the actions the institution must implement in order to achieve the general principles previously set by the Ministry or the board." Therefore, a policy should not contain actions or operating procedures that resemble directives or procedures. The board does not have to adopt operating procedures, as that is the responsibility of the director general.

  3. Validate the applicability of the policies and regulations in force;

As suggested by the IGOPP (Institut sur la gouvernance d'organisations privées et publiques), the audit committee should have, among other things, the mandate to:

Review at least once a year the measures taken to comply with laws, regulations and policies (6).

An example of the importance for the board of ensuring that laws and policies are applied is that relating to contract management. The Act respecting contracting by public bodies requires each college to appoint a person responsible for compliance with contracting rules (RORC). This person must submit to the board and to the Secrétariat du Conseil du trésor a report on their activities, observations and recommendations. The aim is to verify that the college's contract management complies with the law, directives and regulations (of the government and of the college). It must be ensured that this is done.

  4. Review these policies and regulations systematically;

Most policies and regulations provide for review dates. Is there a follow-up calendar for this purpose?

I therefore encourage the boards of directors of the colleges and their managers to include the validation and evolution of policies and regulations among their institutional priorities. This allows directors to play their full role and to participate in the development of our institutions.


(1) The "value-creating" governance model®, advocated by the Institut sur la gouvernance d'organisations privées et publiques, is the one developed by Professor Yvan Allaire, executive chair of the board of the IGOPP.

(2) Rapport du Vérificateur général du Québec à l'Assemblée nationale pour l'année 2016-2017, Gestion administrative des cégeps, Fall 2016

(3) ibid., p. 4

(4) Extracts from the governance seminar; towards "value-creating" governance, IGOPP (Institut sur la gouvernance d'organisations privées et publiques)

(5) Bilan de l'an 3-2016-2017, principaux constats découlant des audits de l'an 3, Évaluation de l'efficacité des systèmes d'assurance qualité des collèges québécois, p. 20

(6) Extract from the governance seminar; towards "value-creating" governance, IGOPP (Institut sur la gouvernance d'organisations privées et publiques), charter of the audit and finance committee.

_____________________________________

*Danielle Malboeuf is a consultant and trainer in governance; she has extensive experience in the management of CÉGEPs and in the governance of college and university institutions. She is CGA-CPA, MBA, ASC, a retired manager and administrator of the college network, and a consultant.

Articles on CÉGEP governance published on my blog by the author:

(1) THE ROLE OF THE CHAIR OF THE BOARD OF DIRECTORS (PCA) | THE CASE OF THE CÉGEPS

(2) The major governance issues of college institutions

(3) The exercise of democracy in the governance of college institutions

(4) Characteristics of good directors for the college network | Danielle Malboeuf

(5) CÉGEP governance | A shared responsibility

(6) Cégep governance | The report of the Auditor General of Québec

Ten "hot" topics for directors in 2019


Here are ten "hot" topics that should concern directors in 2019.

They were identified by Kerry Berchem, Christine LaFollette and Frank Reddick, partners at the firm Akin Gump Strauss Hauer & Feld.

The post appeared today on the Harvard Law School forum.

Enjoy the read! What are your views on the subject?

Top 10 Topics for Directors in 2019

1. Corporate Culture

The corporate culture of a company starts at the top, with the board of directors, and directors should be attuned not only to the company’s business, but also to its people and values across the company. Ongoing and thoughtful efforts to understand the company’s culture and address any issues will help the board prepare for possible crises, reduce potential liability and facilitate appropriate responses internally and externally.

2. Board Diversity

As advocates and studies continue to highlight the business case for diversity, public companies are facing increasing pressure from corporate governance groups, investors, regulators and other stakeholders to improve gender and other diversity on the board. As a recent McKinsey report highlights, many successful companies regard inclusion and diversity as a source of competitive advantage and, specifically, as a key enabler of growth.

3. #MeToo Movement

A responsible board should anticipate the possibility that allegations of sexual harassment may arise against a C-suite or other senior executive. The board should set the right tone from the top to create a respectful culture at the company and have a plan in place before these incidents occur. In that way, the board is able to quickly and appropriately respond to any such allegations. Any such response plan should include conducting an investigation, proper communications with the affected parties and the implementation of any necessary remedial steps.

4. Corporate Social Responsibility

Corporate social responsibility (CSR) concerns remained a hot-button issue in 2018. Social issues were at the forefront this year, ranging from gun violence, to immigration reform, to human trafficking, to calls for greater accountability and action from the private sector on issues such as climate change. This reflects a trend that likely foretells continued and increased focus on environmental, social and governance issues, including from regulatory authorities.

5. Corporate Strategy

Strategic planning should continue to be a high priority for boards in 2019, with a focus on the individual and combined impacts of the U.S. and global economies, geopolitical and regulatory uncertainties, and mergers and acquisitions activity on their industries and companies. Boards should consider maximizing synergies from recent acquisitions or reviewing their companies’ existing portfolios for potential divestitures.

6. Sanctions

During the second year of the Trump administration, U.S. sanctions expanded significantly to include new restrictions that target transactions with Iran, Russia and Venezuela. Additionally, the U.S. government has expanded its use of secondary sanctions to penalize non-U.S. companies that engage in proscribed activities involving sanctioned persons and countries. To avoid sanctions-related risks, boards should understand how these evolving rules apply to the business activities of their companies and management teams.

7. Shareholder Activism

There has been an overall increase in activism campaigns in 2018 regarding both the number of companies targeted and the number of board seats won by these campaigns. This year has also seen an uptick in traditionally passive and institutional investors playing an active role in encouraging company engagement with activists, advocating for change themselves and formulating express policies for handling activist campaigns.

8. Cybersecurity

With threats of nation-states infiltrating supply chains, and landmark laws being passed, cybersecurity and privacy are critical aspects of director oversight. Directors must focus on internal controls to guard against cyber-threats (including accounting, cybersecurity and insider trading) and expand diligence of third-party suppliers. Integrating both privacy and security by design will be critical to minimizing ongoing risk of cybersecurity breaches and state and federal enforcement.

9. Tax Cuts and Jobs Act

A year has passed since President Trump signed the Tax Cuts and Jobs Act (TCJA) into law, and there will be plenty of potential actions and new faces on the tax landscape in 2019. Both the Senate Finance Committee and the Ways and Means Committee will have new chairs, and Treasury regulations implementing the TCJA will be finalized. President Trump will continue to make middle-class tax cuts a priority heading into next year. Perennial issues, such as transportation, retirement savings and health care, will likely make an appearance, and legislation improving the tax reform bill could be on the table depending on the outcome of the Treasury regulations.

10. SEC Regulation and Enforcement

To encourage public security ownership, the Securities and Exchange Commission (SEC) has adopted and proposed significant revisions to update and simplify disclosure requirements for public companies. It has taken steps to enhance the board’s role in evaluating whether to include shareholder proposals in a company’s proxy statement. It has also solicited comments on the possible reform of proxy advisor regulation, following increasing and competing calls from corporations, investor advocates and congressional leaders to revise these regulations. Boards and companies should monitor developments in this area, as well as possible changes in congressional and administration emphasis following the 2018 midterm elections.

Bonus: Midterm Elections

The 2018 midterm elections are officially over. Americans across the country cast their ballots for candidates for the House of Representatives and the Senate in what was widely perceived to be a referendum on President Trump’s first two years in office. With Democrats taking control of the House, and Republicans maintaining control of the Senate, a return to divided government will bring new challenges for effective governance. Compromise and bipartisanship will be tested by what is expected to be an aggressive oversight push from House Democrats. However, areas where there may be possible compromise include federal data privacy standards, infrastructure development, criminal justice reform and pharmaceutical drug pricing initiatives.

The complete publication is available here.

Key issues for audit committee members | A reminder


KPMG's recent report on major audit trends presents seven challenges that board members, and audit committee members in particular, must consider in order to discharge their corporate governance responsibilities properly.

The report was written by KPMG audit professionals together with the Conference Board of Canada.

The seven challenges addressed in the report are:

– talent and human capital;

– technology and cybersecurity;

– disruption of business models;

– an evolving regulatory landscape;

– political and economic uncertainty;

– changing expectations for reporting;

– the environment and climate change.

I invite you to consult the full report below for more information on each issue.

Happy reading!

 

Audit Trends


As technological innovation and cybersecurity continue to have a growing impact on the world of finance and business globally, audit committees and CFOs alike recognize the need for high-calibre talent to help them meet these challenges and take advantage of them.

The audit committee's role is to ensure that the organization has the right people, with the required experience and knowledge, both at the management and operations level and within the committee's own membership. This is only one of the many challenges that surfaced in this third issue of the Audit Trends report.

Today's audit committees are responsible for helping their organizations navigate the many issues and challenges they face, more complex than ever, while fulfilling their traditional compliance and reporting mandate. While audit committees are fully aware of this need, our report indicates that audit committees and CFOs question how well positioned their organization is to address the full range of current and emerging trends.

To shed light on this concern and other key issues, the Audit Trends report examines the following seven challenges:

  1. talent and human capital;
  2. technology and cybersecurity;
  3. disruption of business models;
  4. an evolving regulatory landscape;
  5. political and economic uncertainty;
  6. changing expectations for reporting;
  7. the environment and climate change.

As mandates and responsibilities evolve, this report will prove a valuable resource for all audit stakeholders.

Performance measurement indicators for internal audit functions


Denis Lefort, CPA, consultant in governance, audit and control, brought to my attention an IIA research report on "performance measurement indicators for internal audit functions".

Even today, the indicators in use are often centred on the function's internal performance rather than on its real impact on the organization.

For example, few internal audit departments assess their performance by the reduction in fraud cases in the company, by improved risk management, and so on.

Instead, the usual indicators are used, such as the rate of recommendations implemented, completion of the audit plan, and the like.

Below is the introduction to the IIA document. To consult the detailed report, click on the document title.

Happy reading. Your comments are welcome.

 

Measuring Internal Audit Value and Performance


In 2010, The IIA recognized a need to capture a simple, memorable, and straightforward way to help internal auditors convey the value of their efforts to important stakeholders, such as boards of directors, audit committees, management, and clients. To that end, the association introduced the Value Proposition for Internal Auditing, which characterizes internal audit’s value as an amalgam of three elements: assurance, insight, and objectivity.

 

But identifying the conceptual elements of value is only part of what needs to be done. How does that construct look in the workplace? What activities does internal audit undertake that deliver the most value? What should be measured to determine that the organization’s expectations of value are being met? How does internal audit organize and structure the information that populates the metrics? And, most critically, do the answers to all these questions align; that is, does internal audit’s perception of its value, as measured and tracked, correlate with what the organization wants and needs from the internal audit function? (Exhibit 1)

Exhibit 1

The Internal Audit Value Proposition

 

1. ASSURANCE = Governance, Risk, Control

Internal audit provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives.

2. INSIGHT = Catalyst, Analyses, Assessments

Internal audit is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business process.

3. OBJECTIVITY = Integrity, Accountability, Independence

With commitment to integrity and accountability, internal audit provides value to governing bodies and senior management as an objective source of independent advice.

These are the kinds of questions the CBOK 2015 global practitioner survey posed to chief audit executives (CAEs) from around the world. The activities these CAEs believe bring value to the organization are consistent with the three elements of The IIA's value proposition. In fact, the nine activities identified by CAEs as adding the most value can be mapped directly to the three elements, as shown in Exhibit 2.

However, in looking at the performance measures and tools used by the organization and the internal audit function, a gap appears to form between value-adding activities and the ways performance is measured. This report explores that gap in greater detail and clarifies the respondents’ view of value-adding activities, preferred performance measures, and the methodologies and tools most commonly used to support internal audit’s quality and performance processes. Where appropriate, responses tabulated by geographic regions and organization types are examined.

Finally, based on the findings, the final chapter of the report provides a series of practical steps that practitioners at all levels can implement to help their internal audit department deliver on its value proposition of assurance, insight, and objectivity.

Exhibit 2

The Internal Audit Value Proposition (mapped to response options from the CBOK Survey)

 

ASSURANCE ACTIVITIES

  1. Assuring the adequacy and effectiveness of the internal control system
  2. Assuring the organization’s risk management processes
  3. Assuring regulatory compliance
  4. Assuring the organization’s governance processes

INSIGHT ACTIVITIES

  1. Recommending business improvement
  2. Identifying emerging risks

OBJECTIVE ADVICE ACTIVITIES

  1. Informing and advising management
  2. Investigating or deterring fraud
  3. Informing and advising the audit committee

The board's role in establishing a strong organizational culture | An essential reference


Below is a document shared by Joanne Desjardins*, on the board's role in establishing a strong organizational culture.

It is certainly one of the most useful guides on the subject, and an essential reference in governance.

I invite you to read the executive summary. Your comments are appreciated.

 

Managing Culture | A good practical guide – December 2017


Executive summary

 

In Australia, the regulators Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) have both signalled that there are significant risks around poor corporate culture. ASIC recognises that culture is at the heart of how an organisation and its staff think and behave, while APRA directs boards to define the institution's risk appetite and establish a risk management strategy, and to ensure management takes the necessary steps to monitor and manage material risks. APRA takes a broad approach to 'risk culture', including risk emerging from a poor culture.

Regulators across the globe are grappling with the issue of risk culture and how best to monitor it. While regulators generally do not dictate a cultural framework, they have identified common areas that may influence an organisation’s risk culture: leadership, good governance, translating values and principles into practices, measurement and accountability, effective communication and challenge, recruitment and incentives. Ultimately, the greatest risk lies in organisations that are believed to be hypocritical when it comes to the espoused versus actual culture.

The board is ultimately responsible for the definition and oversight of culture. In the US, Mary Jo White, Chair of the Securities and Exchange Commission (SEC), recognised that a weak risk culture is the root cause of many large governance failures, and that the board must set the 'tone at the top'.

Culture also has an important role to play in risk management and risk appetite, and can pose significant risks that may affect an organisation’s long-term viability.

However, culture is much more about people than it is about rules. This guide argues that an ethical framework – which is different from a code of ethics or a code of conduct – should sit at the heart of the governance framework of an organisation. An ethical framework includes a clearly espoused purpose, supported by values and principles.

There is no doubt that increasing attention is being given to the ethical foundations of an organisation as a driving force of culture, and one method of achieving consistency of organisational conduct is to build an ethical framework in which employees can function effectively by achieving clarity about what the organisation deems to be a ‘good’ or a ‘right’ decision.

Culture can be measured by looking at the extent to which the ethical framework of the organisation is perceived to be or is actually embedded within day-to-day practices. Yet measurement and evaluation of culture is in its early stages, and boards and senior management need to understand whether the culture they have is the culture they want.

In organisations with strong ethical cultures, the systems and processes of the organisation will align with the ethical framework. And people will use the ethical framework in the making of day-to-day decisions – both large and small.

Setting and embedding a clear ethical framework is not just the role of the board and senior management – all areas can play a role. This publication provides high-level guidance to these different roles:

The board is responsible for setting the tone at the top. The board should set the ethical foundations of the organisation through the ethical framework. Consistently, the board needs to be assured that the ethical framework is embedded within the organisation’s systems, processes and culture.

Management is responsible for implementing and monitoring the desired culture as defined and set by the board. They are also responsible for demonstrating leadership of the culture.

Human resources (HR) is fundamental in shaping, reinforcing and changing corporate culture within an organisation. HR drives organisational change programs that ensure cultural alignment with the ethical framework of the organisation. HR provides alignment to the ethical framework through recruitment, orientation, training, performance management, remuneration and other incentives.

Internal audit assesses how culture is being managed and monitored, and can provide an independent view of the current corporate culture.

External audit provides an independent review of an entity’s financial affairs according to legislative requirements, and provides the audit committee with valuable, objective insight into aspects of the entity’s governance and internal controls including its risk management.

 

 


*Joanne Desjardins is a corporate director and governance consultant. She has more than 18 years of experience as a lawyer and as a consultant in governance, strategy and human resources management. She constantly keeps abreast of the latest developments in governance and publishes articles on the subject.

Internal control measures to prevent cyber-related fraud


Here is an article that focuses on the internal control measures to take in order to prevent cyber-related fraud.

The authors, Keith Higgins* and Marvin Tagaban, present the results of their research in a post published on the Harvard Law School Forum.

The frauds in question involve nine companies that were targeted by email scams.

The authors note that the email scams were mainly of two types:

(1) emails from fake executives;

(2) emails from fake vendors.

The authors set out the internal control implications for minimizing these frauds.

Happy reading!

 

Implementing Internal Controls in Cyberspace—Old Wine, New Skins


On October 16, 2018, the SEC issued a Section 21(a) investigative report (the "Report"), [1] cautioning public companies to consider cyber threats when designing and implementing internal accounting controls. The Report arose out of an investigation focused on the internal accounting controls of nine public companies that were victims of "business email compromises" in which perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large sums to bank accounts controlled by the perpetrators. In the investigation, the SEC considered whether the companies had complied with the internal accounting controls provisions of the federal securities laws. Although the Report is in lieu of an enforcement action against any of the issuers, the SEC issued the Report to draw attention to the prevalence of these cyber-related scams and as a reminder that all public companies should consider cyber-related threats when devising and maintaining a system of internal accounting controls.

The nine defrauded companies lost a total of nearly $100 million as a result of the email scams. The companies operated in different business sectors including technology, machinery, real estate, energy, financial, and consumer goods, which the Report suggests “reflect[s] the reality that every type of business is a potential target of cyber-related fraud.” The Report also highlighted the significant economic harm posed by “business email compromises” more broadly, which, based on FBI estimates, has caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017—the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.

Two types of email scams were employed against the nine companies: (i) emails from fake executives, and (ii) emails from fake vendors.

Emails from Fake Executives. In the first type of scam, perpetrators emailed company finance personnel using spoofed email domains and addresses of an executive (typically the CEO) so that it appeared as if the email were legitimate. The spoofed email directed the employees to work with a purported outside attorney identified in the email, who then directed them to wire large payments to foreign bank accounts controlled by the perpetrators. Common elements among each of these schemes included: (1) the transactions or “deals” were time-sensitive and confidential; (2) the requested funds needed to be sent to foreign banks and beneficiaries in connection with foreign deals or acquisitions; and (3) the spoofed emails typically were sent to midlevel personnel, who were not generally responsible or involved in the deals and rarely communicated with the executives being spoofed.

Emails from Fake Vendors. The second type of scam was more technologically sophisticated than the spoofed executive emails because the schemes typically involved the perpetrators hacking into the email accounts of the companies’ foreign vendors. The perpetrators then requested that the vendors’ banking information be changed so that a company’s payments on outstanding invoices for legitimate transactions were sent to foreign accounts controlled by the perpetrators rather than the real vendors. The Report noted that some spoofed vendor email scams went undetected for an extended period of time because vendors often afforded companies months before considering a payment delinquent.

Considerations for Public Companies

In the Report, the SEC advises public companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” Finance and accounting personnel at public companies should be aware that the above-described cyber-related scams exist, and these types of scams should be considered when implementing internal accounting controls.

Although the "cyber" aspect of these scams helps to make them a topic du jour, fake invoices are certainly no recent invention, nor are vendor requests to direct payments to a new address something unique to the email era. If the result of the Report is to cause companies to liberally insert "cyber" references into their internal controls, and little more, it will not have accomplished its objective. SEC Enforcement staff observed that the cyber-related frauds succeeded, at least in part, because the responsible personnel at the companies did not sufficiently understand the company's existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability. For example, in one matter, the accounting employee who received the spoofed email did not follow the company's dual-authorization requirement for wire payments, directing unqualified subordinates to sign off on the wires. In another case, the accounting employee misinterpreted the company's authorization matrix as giving him approval authority at a level reserved for the CFO.

Scams will always be with us, and the Report recognizes that the effectiveness of internal accounting control systems largely depends on having trained personnel to implement, maintain, and follow such controls. Public companies should also consider the following points raised by the actions taken by the defrauded companies following the cyber-related scams:

Review and enhance payment authorization procedures, verification requirements for vendor information changes, account reconciliation procedures and outgoing payment notification processes, particularly to foreign jurisdictions.

Evaluate whether finance and accounting personnel are adequately trained on relevant cyber-related threats and provide additional training on any new policies and procedures implemented as a result of the above step.
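The two control failures the Report singles out (a dual-authorization requirement satisfied by unqualified subordinates, and an authorization matrix misread as granting CFO-level authority) and the two scam patterns (a lookalike executive domain, and a vendor's bank details changed after the vendor's mailbox was compromised) can all be enforced mechanically at the point where a wire is released. The following is an added example written for this page; it is not code from the original post, from Ropes & Gray or from the SEC Report. The authorization matrix, the dual-authorization threshold, the 14-day hold on changed bank details, the corporate domain, the vendor records and the edit-distance heuristic for lookalike domains are all constructed assumptions, chosen to illustrate the controls described above rather than any company's actual policy.

```python
"""Wire-release control check modelled on the control gaps described in the SEC Report.

Added example for this page, not part of the original post, the Ropes & Gray memo
or the SEC Report. Every threshold, role, domain and vendor below is a constructed
assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed authorization matrix: the largest single wire each role may approve.
AUTH_MATRIX = {"clerk": 0, "controller": 50_000, "cfo": 5_000_000}
DUAL_AUTH_THRESHOLD = 10_000   # assumed policy: two distinct qualified approvers above this amount
BANK_CHANGE_HOLD_DAYS = 14     # assumed policy: new bank details need callback verification for 14 days
CORPORATE_DOMAIN = "example-corp.com"   # hypothetical corporate mail domain


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_sender(sender: str, corporate_domain: str = CORPORATE_DOMAIN) -> bool:
    """True when the sender's domain is not the corporate domain but is within two
    edits of it (e.g. 'example-c0rp.com'), the spoofed-executive pattern in the Report.
    The distance bound is a heuristic assumption, not a standard."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain != corporate_domain and edit_distance(domain, corporate_domain) <= 2


@dataclass
class Vendor:
    name: str
    iban: str
    bank_changed_on: Optional[str] = None   # ISO date the payment details were last changed
    verified_by_callback: bool = False      # confirmed on a phone number held on file, never one taken from the email


@dataclass
class WireRequest:
    vendor: Vendor
    amount: float
    requested_by: str                       # employee who raised the wire
    request_sender: str                     # email address the payment instruction arrived from
    approvals: List[Tuple[str, str]]        # (user, role) pairs that signed off
    today: str                              # ISO date of the release decision


def review_wire(req: WireRequest) -> List[str]:
    """Return the control violations for a wire; an empty list means it may be released."""
    problems: List[str] = []
    users = [u for u, _ in req.approvals]

    # Fake-executive scams arrive from a spoofed or lookalike domain.
    if is_lookalike_sender(req.request_sender):
        problems.append("instruction came from lookalike domain " + req.request_sender.rsplit("@", 1)[-1])

    # Segregation of duties: the person raising the wire never approves it.
    if req.requested_by in users:
        problems.append("requester approved their own wire")

    # Every approver must hold authority for the full amount. An employee who misreads
    # the matrix as giving CFO-level authority, or a subordinate with no authority, fails here.
    qualified = set()
    for user, role in req.approvals:
        if AUTH_MATRIX.get(role, 0) >= req.amount:
            qualified.add(user)
        else:
            problems.append("%s (%s) lacks authority for %s" % (user, role, format(req.amount, ",.0f")))

    # Dual authorization counts only distinct, qualified approvers, so sign-offs from
    # unqualified subordinates cannot satisfy it.
    if req.amount > DUAL_AUTH_THRESHOLD and len(qualified) < 2:
        problems.append("dual authorization required")

    # Fake-vendor scams change banking details; hold payments to new details until
    # they have been confirmed out of band.
    v = req.vendor
    if v.bank_changed_on is not None and not v.verified_by_callback:
        age = (date.fromisoformat(req.today) - date.fromisoformat(v.bank_changed_on)).days
        if age < BANK_CHANGE_HOLD_DAYS:
            problems.append("bank details for %s changed recently and not verified by callback" % v.name)
    return problems
```

The check deliberately reports every violation rather than stopping at the first, so the reviewer sees the whole picture (a lookalike sender and a self-approved wire together are a much stronger signal than either alone). The callback hold is the control that defeats the second scam type: once a vendor's mailbox is compromised, nothing in the email channel can be trusted, so the verification has to use contact details already on file.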

The Report confirms that the SEC remains focused on cybersecurity matters and companies should continue to be vigilant against cyber threats. While the SEC stated that it was “not suggesting that every issuer that is the victim of a cyber-related scam is . . . in violation of the internal accounting controls requirements of the federal securities laws,” the Report also noted that “[h]aving internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets.”

_________________________________________________

Endnotes

[1] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Exchange Act Release No. 84429 (Oct. 16, 2018) (available here).

*Keith Higgins is chair of the securities and governance practice and Marvin Tagaban is an associate at Ropes & Gray LLP. This post is based on their Ropes & Gray memorandum.

The United Kingdom's forthcoming governance code


I invite you to take a look at the United Kingdom's (UK) forthcoming governance code.

To that end, here is a post by Martin Lipton*, published on the Harvard Law School Forum on Corporate Governance, which presents an overview of the highlights.

Happy reading!

 

The Financial Reporting Council today [July 16, 2018] issued a revised corporate governance code and announced that a revised investor stewardship code will be issued before year-end. The code and related materials are available at www.frc.org.uk.

The revised code contains two provisions that will be of great interest. They will undoubtedly be relied upon in efforts to update the various U.S. corporate governance codes. They will also be used to further the efforts to expand the sustainability and stakeholder concerns of U.S. boards.

First, the introduction to the code makes note that shareholder primacy needs to be moderated and that the concept of the "purpose" of the corporation, as long put forth in the U.K. by Colin Mayer and recently popularized in the U.S. by Larry Fink in his 2018 letter to CEOs, is the guiding principle for the revised code:

Companies do not exist in isolation. Successful and sustainable businesses underpin our economy and society by providing employment and creating prosperity. To succeed in the long-term, directors and the companies they lead need to build and maintain successful relationships with a wide range of stakeholders. These relationships will be successful and enduring if they are based on respect, trust and mutual benefit. Accordingly, a company’s culture should promote integrity and openness, value diversity and be responsive to the views of shareholders and wider stakeholders.

Second, the code provides that the board is responsible for policies and practices which reinforce a healthy culture and that the board should engage:

with the workforce through one, or a combination, of a director appointed from the workforce, a formal workforce advisory panel and a designated non-executive director, or other arrangements which meet the circumstances of the company and the workforce.

It will be interesting to see how this provision will be implemented and whether it gains any traction in the U.S.

 

 

The UK Corporate Governance Code



Martin Lipton* is a founding partner of Wachtell, Lipton, Rosen & Katz, specializing in mergers and acquisitions and matters affecting corporate policy and strategy. This post is based on a Wachtell Lipton memorandum by Mr. Lipton.

The seven expectations audit committees have of CFOs


A good relationship between the audit committee chair and the chief financial officer (CFO) is absolutely essential for informed, faithful and honest financial management.

The authors are affiliated with Deloitte's Center for Board Effectiveness. In this piece, published in the Wall Street Journal, they set out the seven expectations audit committees have of CFOs.

This article will certainly be very useful to board members, in particular audit committee members, as well as to the company's finance leadership.

Happy reading! Your comments are welcome.

 

The CFO and the Audit Committee: Building an Effective Relationship


The evolution of the CFO’s role is effecting a shift in the audit committee’s expectations for the working relationship between the two. By considering their response to seven commonly held expectations audit committees have of CFOs, CFOs can begin to lay the groundwork for a more effective working relationship with their organization’s audit committee.

Typically, CFOs play four key roles within their organizations, but the amount of time CFOs allocate to each role is changing rapidly. “For CFOs high integrity of work, accuracy, and timely financial reporting are table stakes, but increasingly they are being expected to be Strategists and Catalysts in their organization,” says Ajit Kambil, global research director for Deloitte’s CFO Program. “In fact, our research indicates that CFOs are spending about 60% to 70% of their time in those roles, and that shift is both reflecting and driving higher expectations from the CEO as well as the board.”

As in any relationship, a degree of trust between CFOs and audit committee chairs serves as a foundation to an effective communication on critical issues. “In high-functioning relationships between CFOs and audit committee chairs, trust and dialogue are critical. Challenges can occur if a CFO comes to an audit committee meeting unprepared or presents a surprising conclusion to the audit committee without having sought the audit committee chair’s opinion, leaving the audit committee chair without the ability to influence that conclusion,” says Henry Phillips, vice chairman and national managing partner, Center for Board Effectiveness, Deloitte & Touche LLP.

 

Common Expectations Audit Committees Have of CFOs

 

Following are seven key expectations audit committees have of CFOs for both new and established CFOs to bear in mind.

 

(1) No Surprises: 

Audit committees do not welcome any surprises. Or, if surprises occur, the audit committee will want to be apprised of the issue very quickly. Surprises may be inevitable, but the audit committee expects CFOs to take precautions against known issues and to manage the avoidable ones and to inform them very early on when something unexpected occurs. In order to do this well, it is important for the CFO and the audit committee chair — perhaps some of the other board members — to set a regular cadence of meetings, so that they have a relationship and a context within which to work together when challenging issues arise. Don’t leave these meetings to chance. “If the audit committee chair or committee members are hearing about something of significance for the first time in a meeting, that’s problematic. Rather, the CFO should be apprising the audit committee chair as much in advance of a committee meeting as possible and talk through the issues so the audit committee chair is not surprised in the meeting,” says Phillips.

 

(2) Strong partnering with the CEO and other leaders: 

Audit committees want to see the CFO as an effective partner with the CEO, as well as with their peer executives. “The audit committee is carefully observing the CFO and how he or she interacts across the C-suite. At the same time, the audit committee also wants the CFO to be objective and to provide to the board independent perspectives on financial and business issues and not be a ‘yes’ person,” says Deb DeHaas, vice chair and national managing partner, Center for Board Effectiveness at Deloitte. A key for the CFO is to proactively manage CEO and peer relations — especially if there are challenging issues that may be brought up to the board. In that case, the CFO should be prepared to take a clear position on what the board needs to hear from management.

(3) Confidence in finance organization talent: 

 

Audit committees want visibility into the finance organization to ensure that it has the appropriate skills and experience. They also are looking to ensure that the finance organization will be stable over time, that there will be solid succession plans in place and that talent is being developed to create the strongest possible finance organization. CFOs might consider approaching these goals in several ways. One way is to provide key finance team members an opportunity to brief the audit committee on a special topic, for example, a significant accounting policy, a special analysis or another topic that’s on the board agenda. “While I encourage CFOs to give their team members an opportunity to present to the committee, it’s critical to make sure they’re well prepared and ready to address questions,” Phillips notes.

An outside-in view from audit committee members can bring significant value to the CFO — and to the organization.

 

(4) Command of key accounting, finance and business issues: 

 

Audit committees want CFOs to have a strong command of the key accounting issues that might be facing the organization, and given that many CFOs are not CPAs, such command is even more critical for the CFO to demonstrate. Toward that end, steps the CFO can take might include scheduling deep dives with management, the independent auditor, the chief accounting officer and others to receive briefings in order to better understand the organization’s critical issues from an accounting perspective, as well as to get trained up on those issues. In addition, CFOs should demonstrate a deep understanding of the business issues that the organization is confronting. There again, CFOs can leverage both internal and external resources to help them master these issues. Industry briefings are also important, particularly for CFOs who are new to an industry.

 

(5) Insightful forecasting and earnings guidance: 

 

Forecasts and earnings guidance will likely not always be precise. However, audit committees expect CFOs not only to deliver reliable forecasts, but also to articulate the underlying drivers of the company's future performance, as well as how those drivers might impact outcomes. When CFOs lack a thorough understanding of critical assumptions and drivers, they can begin to lose the support of key audit committee members. For that reason, it is important that CFOs have an experienced FP&A group to support them. In addition, audit committees and boards want to deeply understand the guidance that is being put forward, the ranges, and the confidence levels. As audit committee members read earnings releases and other information in the public domain, they tend to focus on whether the information merely meets the letter of the law in terms of disclosures, or whether it tells investors what they need to know to make informed decisions. This is where an outside-in view from audit committee members can bring significant value to the CFO, and to the organization. Moreover, audit committees are increasingly interested in the broader macroeconomic issues that can impact the organization, such as interest rates, oil prices, and geographic instability.


(6) Effective risk management: 


CFOs are increasingly held accountable for risk management, even when there is a chief risk officer. Further, audit committees want CFOs to provide leadership not only on traditional financial accounting and compliance risk matters, but also on some of the enterprise operational macro-risk issues — and to show how that might impact the financial statement. It is important for CFOs to set the tone at the top for compliance and ethics, oversee the control environment and ensure that from a compensation perspective, the appropriate incentives and structures are in place to mitigate risk. A key to the CFO’s effectiveness at this level is to find time to have strategic risk conversations at the highest level of management, as well as with the board.


(7) Clear and concise stakeholder communications: 


Audit committees want CFOs to be very effective in how they communicate with key stakeholders, a group that extends beyond the board and the audit committee. They want CFOs to be able to articulate the story behind the numbers, provide insights into the business and its future trends, and communicate effectively with the Street. CFOs can expect board members to listen to earnings calls and to observe how they interact with the CEO, demonstrate mastery of the company’s financial and business issues, and communicate those to the Street. Moreover, a CFO who is very capable from an accounting and finance perspective should also exercise the communication skills necessary to be effective with different stakeholders.


“Communication is the cornerstone for a strong CFO-audit committee chair relationship,” notes DeHaas. “Although the CFO might be doing other things very well, if there is not effective communication and a trusting relationship with the audit committee, the CFO will likely not be as effective.”

Consequences of failing to disclose a major cyberattack


What are the consequences of not disclosing a significant breach of an information security system?

The authors, Matthew C. Solomon* and Pamela L. Marcogliese, in a post published on the HLS forum, examined closely the information security failures at Yahoo, and they present the consequences of failing to disclose cyberattacks and breaches of the security of customer information.

They set out the case very clearly, then turn to the terms of the financial arrangements with the Securities and Exchange Commission (SEC).

Since such events are likely to occur more and more often, it is important that companies understand what awaits them if they violate their disclosure obligations.

The authors draw five findings from the situation Yahoo experienced; they are set out in full in the Takeaways section of the article reproduced below.

Happy reading!


Failure to Disclose a Cybersecurity Breach



On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database. The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents. Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.

Background

As alleged, Yahoo learned in late 2014 that it had recently suffered a data breach affecting over 500 million user accounts (the “2014 Breach”). Yahoo did not disclose the 2014 Breach until September 2016. During the time period Yahoo was aware of the undisclosed breach, it entered into negotiations to be acquired by Verizon and finalized a stock purchase agreement in July 2016, two months prior to the disclosure of the 2014 Breach. Following the disclosure in September 2016, Yahoo’s stock price dropped 3% and it later renegotiated the stock purchase agreement to reduce the price paid for Yahoo’s operating business by $350 million.

In or about late 2016, following its disclosure of the 2014 Breach, Yahoo learned about a separate breach that had taken place in August 2013 and promptly announced that such breach had affected 1 billion users (the “2013 Breach”). In October 2017, Yahoo updated its disclosure concerning the 2013 Breach, announcing that it now believed that all 3 billion of its accounts had been affected.

The Settlement

Altaba’s SEC settlement centered on the 2014 Breach only. The SEC found that despite learning of the 2014 Breach in late 2014—which resulted in the theft of as many as 500 million of its users’ Yahoo usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers, referred to internally as Yahoo’s “crown jewels”— Yahoo failed to timely disclose the material cybersecurity incident in any of its public securities filings until September 2016. Although Yahoo senior management and relevant legal staff were made aware of the 2014 Breach, according to the SEC, they “did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading.” [1] The SEC also faulted Yahoo’s senior management and legal staff because they “did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.” [2]

Among other things, the SEC found that Yahoo’s risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches, without disclosing that “a massive data breach” had in fact already occurred. [3]

The SEC also alleged that Yahoo management’s discussion and analysis of financial condition and results of operations (“MD&A”) in those reports was also misleading to the extent it omitted known trends or uncertainties with regard to liquidity or net revenue presented by the 2014 Breach. [4] Finally, the SEC further found that Yahoo did not maintain adequate disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team raising actual incidents of the theft of user data, or the significant risk of theft of user data, were properly and timely assessed to determine how and where data breaches should be disclosed in Yahoo’s public filings. [5]

Based on these allegations, the SEC found that Yahoo violated Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Securities Exchange Act. [6] To settle the charges, Altaba, without admitting or denying liability, agreed to cease and desist from any further violations of the federal securities laws and pay a civil penalty of $35 million.

Takeaways

There are several important takeaways from the settlement:

— First, public companies should take seriously the SEC’s repeated warnings that one of its top priorities is ensuring that public companies meet their obligations to adequately disclose material cybersecurity incidents and risks. This requires regular assessment of cyber incidents and risks in light of the company’s disclosures, with the assistance of outside counsel and auditors as appropriate, and ensuring that there are adequate disclosure controls in place for such incidents and risks.

— Second, the SEC’s recently released interpretive guidance on cybersecurity disclosure is an important guidepost for all companies with such disclosure obligations. The guidance specifically cited the fact that the SEC views disclosure that a company is subject to future cybersecurity attacks as inadequate if the company had already suffered such incidents. Notably, the Yahoo settlement specifically faulted the company for this precise inadequacy in its disclosures. Similarly, the recent guidance encouraged companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. The Yahoo settlement also found that the company’s controls in this area were inadequate.

— Third, at the same time the SEC announced the settlement, it took care to emphasize that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure.” [7] The SEC went on to note that Yahoo failed to meet this standard with respect to the 2014 Breach, but by articulating a “good faith” standard the SEC likely meant to send a message to the broader market that it is not seeking to penalize companies that make reasonable efforts to meet their cyber disclosure obligations.

— Fourth, it is also notable that the SEC charges did not include allegations that Yahoo violated securities laws with respect to the 2013 Breach. Yahoo had promptly disclosed the 2013 Breach after learning about it in late 2016, but updated its disclosure almost a year later with significant new information about the scope of the breach. The SEC’s recent guidance indicated that it was mindful that some material facts may not be available at the time of the initial disclosure, as was apparently the case with respect to the 2013 Breach. [8] At the same time, the SEC cautioned that “an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” [9]

— Finally, it is worth noting that the Commission did not insist on settlements with any individuals. Companies, of course, can only commit securities violations through the actions of their employees. While it is not unusual for the Commission to settle entity-only cases on a “collective negligence” theory, the SEC Chair and the Enforcement Division’s leadership have emphasized the need to hold individuals accountable in order to maximize the deterrent impact of SEC actions. [10]

_________________________________________________________________________

Endnotes

1. Altaba Inc., f/d/b/a Yahoo! Inc., Securities Act Release No. 10485, Exchange Act Release No. 83096, Accounting and Auditing Enforcement Release No. 3937, Administrative Proceeding File No. 3937 (Apr. 24, 2018) at ¶ 14.

2. Id. at ¶ 15.

3. Id. at ¶¶ 2, 16.

4. Id.

5. Id. at ¶ 15.

6. Id. at ¶¶ 22-23.

7. Press Release, SEC, Altaba, Formerly Known As Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million (Apr. 24, 2018), https://www.sec.gov/news/press-release/2018-71.

8. As we have previously discussed, the federal securities laws do not impose a general affirmative duty on public companies to continuously disclose material information and, as acknowledged in Footnote 37 of the interpretive guidance, circuits are split on whether a duty to update exists. However, in circuits where a duty to update has been found to exist, a distinction has often been drawn between statements of a policy nature that are within the company’s control and statements describing then current facts that would be expected to change over time. The former have been held subject to a duty to update while the latter have not. See In re Advanta Corp. Securities Litigation, 180 F.3d 525, 536 (3d Cir. 1997) (“[T]he voluntary disclosure of an ordinary earnings forecast does not trigger any duty to update.”); In re Burlington Coat Factory Securities Litigation, 114 F.3d 1410, 1433 (3d Cir. 1997); In re Duane Reade Inc. Securities Litigation, No. 02 Civ. 6478 (NRB), 2003 WL 22801416, at *7 (S.D.N.Y. Nov. 25, 2003), aff’d sub nom. Nardoff v. Duane Reade, Inc., 107 F. App’x 250 (2d Cir. 2004) (“‘company has no duty to update forward-looking statements merely because changing circumstances have proven them wrong.’”).

9. See SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 Fed. Reg. 8166, 8169 (Feb. 26, 2018), https://www.federalregister.gov/documents/2018/02/26/2018-03858/commission-statement-and-guidance-on-public-company-cybersecurity-disclosures.

10. See, e.g., Steven R. Peikin, Co-Director, Div. Enf’t., SEC, Reflections on the Past, Present, and Future of the SEC’s Enforcement of the Foreign Corrupt Practices Act, Keynote Address at N.Y.U. Program on Corporate Law and Enforcement Conference: No Turning Back: 40 Years of the FCPA and 20 Years of the OECD Anti-Bribery Convention Impacts, Achievements, and Future Challenges (Nov. 9, 2017), https://www.sec.gov/news/speech/speech-peikin2017-11-09; SEC Div. Enf’t., Annual Report: A Look Back at Fiscal Year 2017, at 2 (Nov. 15, 2017), https://www.sec.gov/files/enforcement-annual-report2017.pdf.

_______________________________________________________________________

*Matthew C. Solomon and Pamela L. Marcogliese are partners and Rahul Mukhi is counsel at Cleary Gottlieb Steen & Hamilton LLP. This post is based on a Cleary Gottlieb publication by Mr. Solomon, Ms. Marcogliese, Ms. Mukhi, and Kal Blassberger.