Large audit firms are becoming more selective in choosing their engagements


Here is an article published by GAVIN HINKS for Board Agenda which shows that the large audit firms are increasingly willing to resign when the risks appear too high to them.

Research indicates that this is particularly the case in the United Kingdom, where legal action against the Big Four has become more frequent. These audit firms are now more selective in their choice of clients.

Given the oligopolistic position of the large audit firms, should we be surprised by these withdrawal decisions in the new climate of financial risk facing British companies?


A company's audit committee is publicly called into question when the auditor submits its resignation. The company must often manage a media crisis in order to protect its reputation.

For some governance experts, these situations call for stricter disclosure requirements. Stakeholders want to know the nature of the problems and the risks associated with them.

Directors also want to know management's action plan with regard to the work and recommendations of the audit committee.

The author gives many examples of the new behaviour of the Big Four.

Happy reading!


Auditor resignations indicate new attitude to client selection


The audit profession in Britain is at a turning point as Westminster—Brexit permitting—considers new regulation.

It seems firms may be responding by clearing the decks: the press has spotted a spate of high-profile auditor resignations with audit firms bidding farewell to a clutch of major clients. This includes firms outside the Big Four, such as Grant Thornton, which recently said sayonara to Sports Direct, the retail chain, embroiled in running arguments over its governance.

But Grant Thornton is not alone. KPMG has parted ways with Eddie Stobart, a haulage firm, and Lycamobile, a telecommunications company. PwC meanwhile has said goodbye to Staffline, a recruitment business.

Should we be surprised?

The answer is not really. Over recent years auditors, especially the Big Four (PwC, Deloitte, KPMG and EY) have faced consistent criticism for their work—complaints that they control too much of the market for big company audit and that audit quality is not what it should be.

This came to a head in December 2017 with the collapse of construction and contracting giant Carillion, audited by KPMG. The event prompted a parliamentary inquiry followed by government-ordered reviews of the audit market and regulation.

An examination of the watchdog for audit and financial reporting, the Financial Reporting Council, has resulted in the creation of a brand new regulatory body; a look at the audit market resulted in recommendations that firms separate their audit businesses from other services they provide. A current look at the quality and scope of audit, the Brydon review, will doubtless come up with its own recommendations when it reports later this year.


Client selection

While it is hard to obtain statistics, the press reports, as well as industry talk, indicate that auditors are becoming more picky about who they choose to work for.

According to Jonathan Hayward, a governance and audit expert with the consultancy Independent Audit, the first step in any risk management for an audit firm is client selection. He says the current environment in which auditors have become “tired of being beaten up” has caused a new “sensitivity” in which auditors may be choosing to be more assiduous in applying client filtering policies.

Application of these policies may have been soft in the past, as firms raced for market share, but perhaps also as they applied what Hayward calls the auditor’s “God complex”: the idea that their judgement must be definitive.

Psychological dispositions are arguable. What may be observed for certain is that the potential downsides are becoming clearer to audit chiefs. Fines meted out in recent times by a newly energised regulator facing replacement include the £5m (discounted to £3.5m) for KPMG for the firm’s work with the London branch of BNY Mellon. Deloitte faced a £6.5m fine (discounted to £4.2m) for its audit of Serco Geografix, an outsourcing business. Last year PwC faced a record breaking £10m penalty for its work on the audit of collapsed retailer BHS.

What those fines have brought home is the thin line auditors tread between profit and huge costs if it goes wrong. That undermines the attractiveness of being in the audit market.

One expert to draw attention to the economics is Jim Peterson, a US lawyer who blogs on corporate law and has represented accountancy firms.

Highlighting Sports Direct’s need to find a replacement audit firm, Peterson notes Grant Thornton’s fee was £1.4m with an estimated profit of £200,000-£250,000.

“A projection from that figure would be hostage, however, to the doubtful assumption of no further developments,” Peterson writes.

“That is, the cost to address even a modest extension of necessary extra audit work, or a lawsuit or investigative inquiry—legal fees and diverted management time alone—would swamp any engagement profit within weeks.”

He adds: “And that’s without thinking of the potential fines or judgements. Could the revenue justify that risk? No fee can be set and charged that would protect an auditor in the fraught context of Sports Direct—simply impossible.”

Media attention

Auditor resignations are not without their own risks. Maggie McGhee, executive director, governance at ACCA, a professional body for accountants, points out that parting with a client can bring unpleasant public attention.

“If auditors use resignation more regularly in a bid to extract themselves from high-risk audits,” says McGhee, “then it is probable that there will be some media interest if issues are subsequently identified at the company. Questions arise, such as did the auditor do enough?”

But, as McGhee adds, resignation has to remain part of the auditor’s armoury, not least as part of maintaining their independence.

For non-executives on an audit committee, an auditor resignation is a significant moment. Given their important role in appointing the audit firm, as well as their oversight of company directors, it falls to them to challenge management.

“The audit committee is critical in these circumstances,” says McGhee, “and it should take action to understand the circumstance and whether action is required.”

ACCA has told the Sir Donald Brydon review [examining audit quality] that greater disclosure is needed of “the communication and judgements” that pass between auditors and audit committees. McGhee says it would be particularly relevant in the case of auditor resignations.

There have been suggestions that Sir Donald is interested in resignations. ShareSoc and UKSA, bodies representing small shareholders, have called on Sir Donald to recommend that a regulatory news service announcement be triggered by an auditor cutting ties.

A blog on ShareSoc’s website says: “It seems clear that there is a need to tighten the disclosure rules surrounding auditor resignations and dismissals.”

It seems likely Sir Donald will comment on resignations, though what his recommendations will be remains uncertain. What is clear is that recent behaviour has shone a light on auditor departures and questions are being asked. The need for answers is sure to remain.

Ten mistakes boards can avoid on human rights


Here is an article published by Mazars* on the most frequent mistakes boards make with regard to human rights risks.

According to the authors, the biggest mistake is failing to recognise the seriousness of the risks, but it is not the only danger!

The article was published in English. I used Chrome's translator to produce the French text below. The quality of the translation is very good, which will make life easier for French speakers!

Here are ten mistakes boards can avoid.

Happy reading!

Ten mistakes boards can avoid on human rights


  1. Identify and understand the risks

Boards often fail to identify and understand serious human rights risks, such as abusive working conditions relating to wages, contracts, safety and health, and the use of child labour, forced labour and human trafficking. These abusive practices can lead to legal, financial and reputational damage.

  2. Be prepared

Waiting for something to go wrong before addressing human rights responsibilities in the workplace and in supply chains is a sure path to major problems. It is essential to establish a clear plan for how the challenges will be met and to provide sufficient resources to do so.

  3. Secure support from the top

Trying to embed good human rights standards in the company's culture and decision-making across all operations and all geographies without securing the support of the most senior directors will fail.

  4. Carry out regular audits

Do not assume that human rights are respected in your supply chains, at home or abroad. Boards must ensure that audits and supply chain reviews are carried out regularly to guarantee that good human rights practices are followed. The tragic exposure of the appalling conditions of garment industry workers in Bangladesh and other countries has made the headlines far too often in recent years.

  5. Get an expert on board

Avoid any arrogant attitude towards human rights: appoint to the board a person with solid expertise, particularly in compliance with national and international regulatory requirements, or train a board member to take the lead.

  6. Establish appropriate channels

Failing to set up adequate channels through which people inside or outside the company can raise their concerns about human rights and their consequences, so that those concerns reach the board and senior management, is a common mistake.

  7. Address wrongdoing

Do not be tempted to deny or hide any wrongdoing that comes to light; resolve it and bring about change effectively using best practice.

  8. Ensure stakeholder engagement

Weak engagement with stakeholders must be avoided, because it is important to communicate clearly on how the board handles its human rights issues, especially if problems have arisen. Shareholders in particular are asking more questions about human rights risk management processes and about how the company meets its challenges and measures progress.

  9. Don't take shortcuts

It is better not to take shortcuts to meet regulatory reporting requirements, such as giving a quick answer or repeating the content of last year's report. The United Nations Guiding Principles set out clearly how to report on human rights issues in an annual report or a sustainability report.

  10. Avoid complacency

Becoming complacent about your company's human rights record is not an option. New schemes such as the investor-led Workforce Disclosure Initiative, which calls for more transparency on how companies manage their employees and supply chain workers, are growing and putting companies under the microscope.


*This article was produced by Board Agenda in collaboration with Mazars, a Board Agenda partner.

Cégep policies and value-creating governance


We publish here a post by Danielle Malboeuf* which informs us about value-creating governance with regard to the management of CEGEPs.

As usual, Danielle offers her article as a guest author.

I wish you happy reading. Your comments are appreciated.

 

Cégeps: policies and governance

by

Danielle Malboeuf*

An issue not to be neglected

Every year, motivated and interested people invest their time and energy in the boards of directors (boards) of the colleges. They pay particular attention to the college's financial management and ensure that the funds dedicated to it are used effectively and efficiently. However, as I have observed in my discussions with directors, these people want to play a role that goes beyond that of "fiduciary". They want to make a meaningful contribution to the Cégep's primary mission: to provide relevant, high-quality education in which the student and his or her educational success are at the heart of its concerns. They thus wish to support the cégeps in their desire to improve their effectiveness and efficiency, to develop, and to ensure the quality and relevance of their services. The new mode of governance currently being encouraged in both public and private institutions meets these expectations. It is "value-creating governance" (1). This mode of governance allows everyone to contribute, on the basis of their experience and skills, to the development of our colleges.

To allow the board to play its role as "value creator" fully, colleges must be able to count on competent directors who ensure that the institution's obligations are met and that a high level of performance is achieved. Moreover, following the publication in 2016 of a report by the Auditor General on the administrative management of cégeps (2), I wrote an article in which I recalled the importance of having, on college boards of directors, competent directors who have, among other things, a good knowledge of the policies, directives and regulatory requirements in force, in order to respond adequately to the expectations set out in that report. Among other things, the Auditor General recommended, with regard to procurement methods, compliance with regulations and internal policies (3). It therefore seems essential to me that directors be able to assess regularly the relevance of these policies and how they are applied.

Thus, among the responsibilities entrusted to the board are the following (4):

  1. ensure that the institution is administered according to recognised standards and in compliance with the law.
  2. define the institution's policies and by-laws, review them periodically and ensure that they are applied.

 

The colleges are fifty years old. Over those years, many policies and by-laws have been developed, implemented and adopted by the boards. These documents appeared over time to meet legal and ministerial requirements, but also institutional concerns. To ensure the application of these policies and by-laws, managers produced management tools: programs, directives and procedures. Colleges therefore have management manuals (Cahiers de gestion) that bring all these documents together and that raise challenges of implementation, monitoring and review.

Some colleges recognise these challenges. Indeed, the Commission d'évaluation de l'enseignement collégial (CEEC) makes the following observation in its report on the evaluation of the effectiveness of quality assurance systems: "Some colleges have undertaken... the implementation of tools for concerted and integrated quality management." "Some colleges nevertheless consider that work remains to be done to improve the synergy between the mechanisms" (5).

Considering current concerns and the expectations set out by the Auditor General, I invite all colleges to adopt mechanisms for their policies and by-laws that are in keeping with good governance practices:

  1. Validate the relevance of all this documentation;

First, directors must know the content of the policies and by-laws because, let us recall, they are responsible for ensuring that they are applied. They must also validate that all these documents are still relevant. Are there redundancies? If so, corrections must be made.

2. Ensure the consistency of all this documentation;

Reading institutional documents, one notes that the terms policy, by-law, program, directive and procedure do not have the same meaning from one college to another, or even within the same college. One finds policies and programs attached to the same subject. Whereas a policy is a set of orientations and principles, a program is "the set of intended actions and projects that the institution must implement in order to respect governmental or institutional orientations."

For example, to comply with a ministerial requirement, colleges developed, many years ago, a human resources management policy for staff who are members of an association certified under the Labour Code (senior executives and managers are excluded here). This policy had to include provisions on the hiring, professional integration, evaluation and professional development of these employees. In some colleges these provisions took the form of programs, in others of policies. Within the same college one may find, for staff evaluation, a program for certain categories of staff and a policy for other employees. Let us recall again that the board reviews policies, not programs. This poses a problem of consistency, but also of fairness.

Furthermore, a policy may contain operating procedures. Recall that a policy is "a set of orientations and principles that frame the actions the institution must implement in order to achieve the general principles previously set by the Ministry or the board." So a policy should not contain actions or operating procedures that resemble directives or procedures. The board does not have to adopt operating procedures, since that is the responsibility of the director general.

3. Validate the applicability of the policies and by-laws in force

As suggested by the IGOPP (Institut sur la gouvernance d'organisations privées et publiques), the audit committee should have, among other things, the mandate to:

Review at least once a year the measures taken to comply with laws, regulations and policies (6).

One example of why it matters for the board to ensure that laws and policies are applied is contract management. The Act respecting contracting by public bodies requires each college to appoint a person responsible for compliance with contracting rules (responsable de l'observation des règles contractuelles, RORC). This person must send the board and the Secrétariat du Conseil du trésor a report on their activities, observations and recommendations. The aim is to validate that the college's contract management complies with the law, the directives and the regulations (both the government's and the college's). It must be ensured that this is done.

4. Review these policies and by-laws systematically;

Most policies and by-laws provide for review dates. Is there a monitoring schedule for this?

I therefore encourage college boards of directors and managers to include the validation and evolution of policies and by-laws among their institutional priorities. Directors are thus enabled to play their role fully and to take part in the development of our institutions.


(1) The "Value-Creating" governance model®, advocated by the Institut sur la gouvernance d'organisations privées et publiques, is the one developed by Professor Yvan Allaire, executive chair of the board of the IGOPP.

(2) Report of the Auditor General of Québec to the National Assembly for 2016-2017, Administrative management of cégeps, Fall 2016

(3) ibid., p. 4

(4) Extracts from the governance seminar: towards "Value-Creating" governance, IGOPP (Institut sur la gouvernance d'organisations privées et publiques)

(5) Year 3 report, 2016-2017, main findings from the year 3 audits, Evaluation of the effectiveness of the quality assurance systems of Québec colleges, p. 20

(6) Extract from the governance seminar: towards "Value-Creating" governance, IGOPP (Institut sur la gouvernance d'organisations privées et publiques), audit and finance committee charter.

_____________________________________

*Danielle Malboeuf is a governance consultant and trainer; she has extensive experience in the management of CEGEPs and in the governance of college and university institutions. She is a CGA-CPA, MBA and ASC, a retired manager and director from the college network, and a consultant.


 

Articles on the governance of CEGEPs published on my blog by the author:

(1) THE ROLE OF THE CHAIR OF THE BOARD OF DIRECTORS (PCA) | THE CASE OF THE CÉGEPS

(2) The major governance issues of college institutions

(3) The exercise of democracy in the governance of college institutions

(4) Characteristics of good directors for the college network | Danielle Malboeuf

(5) The governance of CEGEPs | A shared responsibility

(6) The governance of Cégeps | The report of the Auditor General of Québec

Ten "hot" topics for directors in 2019


Here are ten "hot" themes that should concern directors in 2019.

They were identified by Kerry Berchem, Christine LaFollette and Frank Reddick, partners at the firm Akin Gump Strauss Hauer & Feld.

The post appeared today on the Harvard Law School forum.

Happy reading! What are your views on this?

 

Top 10 Topics for Directors in 2019


1. Corporate Culture

The corporate culture of a company starts at the top, with the board of directors, and directors should be attuned not only to the company’s business, but also to its people and values across the company. Ongoing and thoughtful efforts to understand the company’s culture and address any issues will help the board prepare for possible crises, reduce potential liability and facilitate appropriate responses internally and externally.

2. Board Diversity

As advocates and studies continue to highlight the business case for diversity, public companies are facing increasing pressure from corporate governance groups, investors, regulators and other stakeholders to improve gender and other diversity on the board. As a recent McKinsey report highlights, many successful companies regard inclusion and diversity as a source of competitive advantage and, specifically, as a key enabler of growth.

3. #MeToo Movement

A responsible board should anticipate the possibility that allegations of sexual harassment may arise against a C-suite or other senior executive. The board should set the right tone from the top to create a respectful culture at the company and have a plan in place before these incidents occur. In that way, the board is able to quickly and appropriately respond to any such allegations. Any such response plan should include conducting an investigation, proper communications with the affected parties and the implementation of any necessary remedial steps.

4. Corporate Social Responsibility

Corporate social responsibility (CSR) concerns remained a hot-button issue in 2018. Social issues were at the forefront this year, ranging from gun violence, to immigration reform, to human trafficking, to calls for greater accountability and action from the private sector on issues such as climate change. This reflects a trend that likely foretells continued and increased focus on environmental, social and governance issues, including from regulatory authorities.

5. Corporate Strategy

Strategic planning should continue to be a high priority for boards in 2019, with a focus on the individual and combined impacts of the U.S. and global economies, geopolitical and regulatory uncertainties, and mergers and acquisitions activity on their industries and companies. Boards should consider maximizing synergies from recent acquisitions or reviewing their companies’ existing portfolios for potential divestitures.

6. Sanctions

During the second year of the Trump administration, U.S. sanctions expanded significantly to include new restrictions that target transactions with Iran, Russia and Venezuela. Additionally, the U.S. government has expanded its use of secondary sanctions to penalize non-U.S. companies that engage in proscribed activities involving sanctioned persons and countries. To avoid sanctions-related risks, boards should understand how these evolving rules apply to the business activities of their companies and management teams.

7. Shareholder Activism

There has been an overall increase in activism campaigns in 2018 regarding both the number of companies targeted and the number of board seats won by these campaigns. This year has also seen an uptick in traditionally passive and institutional investors playing an active role in encouraging company engagement with activists, advocating for change themselves and formulating express policies for handling activist campaigns.

8. Cybersecurity

With threats of nation-states infiltrating supply chains, and landmark laws being passed, cybersecurity and privacy are critical aspects of director oversight. Directors must focus on internal controls to guard against cyber-threats (including accounting, cybersecurity and insider trading) and expand diligence of third-party suppliers. Integrating both privacy and security by design will be critical to minimizing ongoing risk of cybersecurity breaches and state and federal enforcement.

9. Tax Cuts and Jobs Act

A year has passed since President Trump signed the Tax Cuts and Jobs Act (TCJA) into law, and there will be plenty of potential actions and new faces on the tax landscape in 2019. Both the Senate Finance Committee and the Ways and Means Committee will have new chairs, and Treasury regulations implementing the TCJA will be finalized. President Trump will continue to make middle-class tax cuts a priority heading into next year. Perennial issues, such as transportation, retirement savings and health care, will likely make an appearance, and legislation improving the tax reform bill could be on the table depending on the outcome of the Treasury regulations.

10. SEC Regulation and Enforcement

To encourage public security ownership, the Securities and Exchange Commission (SEC) has adopted and proposed significant revisions to update and simplify disclosure requirements for public companies. It has taken steps to enhance the board’s role in evaluating whether to include shareholder proposals in a company’s proxy statement. It has also solicited comments on the possible reform of proxy advisor regulation, following increasing and competing calls from corporations, investor advocates and congressional leaders to revise these regulations. Boards and companies should monitor developments in this area, as well as possible changes in congressional and administration emphasis following the 2018 midterm elections.

Bonus: Midterm Elections

The 2018 midterm elections are officially over. Americans across the country cast their ballots for candidates for the House of Representatives and the Senate in what was widely perceived to be a referendum on President Trump’s first two years in office. With Democrats taking control of the House, and Republicans maintaining control of the Senate, a return to divided government will bring new challenges for effective governance. Compromise and bipartisanship will be tested by what is expected to be an aggressive oversight push from House Democrats. However, areas where there may be possible compromise include federal data privacy standards, infrastructure development, criminal justice reform and pharmaceutical drug pricing initiatives.

The complete publication is available here.

Key issues for audit committee members | Reminder


KPMG's recent report on major audit trends presents seven challenges that board members, especially audit committee members, must consider in order to discharge their corporate governance responsibilities properly.

The report was written by audit professionals at KPMG together with the Conference Board of Canada.

The seven challenges addressed in the report are:

– talent and human capital;

– technology and cybersecurity;

– disruption of business models;

– evolving regulatory landscape;

– political and economic uncertainty;

– evolving expectations on reporting;

– environment and climate change.

I invite you to consult the full report below for more information on each issue.

Happy reading!

 

Audit Trends


As technological innovation and cybersecurity continue to have a growing impact on the world of finance and business worldwide, audit committees and CFOs alike recognise the need to rely on high-calibre talent to help meet these challenges and take advantage of them.

The audit committee's role is to ensure that the organisation has the right people with the required experience and knowledge, both at the management and operations level and within the committee's own membership. This is only one of the many challenges to surface in this third issue of the Audit Trends report.

Today's audit committees are responsible for helping organisations navigate the many issues and challenges they face, which are more complex than ever, while fulfilling their traditional mandate of compliance and reporting. While audit committees are fully aware of this need, our report indicates that audit committees and CFOs are asking how well positioned their organisation is to deal with the full range of current and emerging trends.

To shed light on this concern and other key issues, the Audit Trends report examines the following seven challenges:

  1. talent and human capital;
  2. technology and cybersecurity;
  3. disruption of business models;
  4. evolving regulatory landscape;
  5. political and economic uncertainty;
  6. evolving expectations on reporting;
  7. environment and climate change.

As mandates and responsibilities evolve, this report will prove to be a valuable resource for all audit stakeholders.

Performance measurement indicators for internal audit functions


Denis Lefort, CPA, a consultant in governance, audit and control, brought to my attention an IIA research report on "performance measurement indicators for internal audit functions".

Even today, the indicators used are often centred on the function's internal performance rather than on its real impact on the organization.

For example, few internal audit departments evaluate their performance by the reduction of fraud cases in the company, by better risk management, and so on.

Instead, the usual indicators are used, such as the rate of recommendations implemented, completion of the audit plan, and so on.

Below is the introduction to the IIA document. To consult the detailed report, click on the title of the document.

Enjoy the read. Your comments are welcome.

Measuring Internal Audit Value and Performance


In 2010, The IIA recognized a need to capture a simple, memorable, and straightforward way to help internal auditors convey the value of their efforts to important stakeholders, such as boards of directors, audit committees, management, and clients. To that end, the association introduced the Value Proposition for Internal Auditing, which characterizes internal audit’s value as an amalgam of three elements: assurance, insight, and objectivity.

 

But identifying the conceptual elements of value is only part of what needs to be done. How does that construct look in the workplace? What activities does internal audit undertake that deliver the most value? What should be measured to determine that the organization’s expectations of value are being met? How does internal audit organize and structure the information that populates the metrics? And, most critically, do the answers to all these questions align; that is, does internal audit’s perception of its value, as measured and tracked, correlate with what the organization wants and needs from the internal audit function? (Exhibit 1)

Exhibit 1

The Internal Audit Value Proposition

 

1. ASSURANCE = Governance, Risk, Control

Internal audit provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives.

2. INSIGHT = Catalyst, Analyses, Assessments

Internal audit is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business process.

3. OBJECTIVITY = Integrity, Accountability, Independence

With commitment to integrity and accountability, internal audit provides value to governing bodies and senior management as an objective source of independent advice.

These are the kinds of questions the CBOK 2015 global practitioner survey posed to chief audit executives (CAEs) from around the world. The activities these CAEs believe bring value to the organization are consistent with the three elements of The IIA’s value proposition. In fact, the nine activities identified by CAEs as adding the most value can be mapped directly to the three elements, as shown in Exhibit 2.

However, in looking at the performance measures and tools used by the organization and the internal audit function, a gap appears to form between value-adding activities and the ways performance is measured. This report explores that gap in greater detail and clarifies the respondents’ view of value-adding activities, preferred performance measures, and the methodologies and tools most commonly used to support internal audit’s quality and performance processes. Where appropriate, responses tabulated by geographic regions and organization types are examined.

Finally, based on the findings, the final chapter of the report provides a series of practical steps that practitioners at all levels can implement to help their internal audit department deliver on its value proposition of assurance, insight, and objectivity.

Exhibit 2

The Internal Audit Value Proposition (mapped to response options from the CBOK Survey)

 

ASSURANCE ACTIVITIES

  1. Assuring the adequacy and effectiveness of the internal control system
  2. Assuring the organization’s risk management processes
  3. Assuring regulatory compliance
  4. Assuring the organization’s governance processes

INSIGHT ACTIVITIES

  1. Recommending business improvement
  2. Identifying emerging risks

OBJECTIVE ADVICE ACTIVITIES

  1. Informing and advising management
  2. Investigating or deterring fraud
  3. Informing and advising the audit committee

The board's role in establishing a strong organizational culture | An essential reference


Below you will find a document shared by Joanne Desjardins*, which deals with the board's role in establishing a solid organizational culture.

It is certainly one of the most useful guides on the subject. It is an essential reference in governance matters.

I invite you to read the executive summary. Your comments are appreciated.

Managing Culture | A good practical guide – December 2017

Executive summary


In Australia, the regulators Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) have both signalled that there are significant risks around poor corporate culture. ASIC recognises that culture is at the heart of how an organisation and its staff think and behave, while APRA directs boards to define the institution’s risk appetite and establish a risk management strategy, and to ensure management takes the necessary steps to monitor and manage material risks. APRA takes a broad approach to ‘risk culture’ – including risk emerging from a poor culture.

Regulators across the globe are grappling with the issue of risk culture and how best to monitor it. While regulators generally do not dictate a cultural framework, they have identified common areas that may influence an organisation’s risk culture: leadership, good governance, translating values and principles into practices, measurement and accountability, effective communication and challenge, recruitment and incentives. Ultimately, the greatest risk lies in organisations that are believed to be hypocritical when it comes to the espoused versus actual culture.

The board is ultimately responsible for the definition and oversight of culture. In the US, Mary Jo White, Chair of the Securities and Exchange Commission (SEC), recognised that a weak risk culture is the root cause of many large governance failures, and that the board must set the ‘tone at the top’.

Culture also has an important role to play in risk management and risk appetite, and can pose significant risks that may affect an organisation’s long-term viability.

However, culture is much more about people than it is about rules. This guide argues that an ethical framework – which is different from a code of ethics or a code of conduct – should sit at the heart of the governance framework of an organisation. An ethical framework includes a clearly espoused purpose, supported by values and principles.

There is no doubt that increasing attention is being given to the ethical foundations of an organisation as a driving force of culture, and one method of achieving consistency of organisational conduct is to build an ethical framework in which employees can function effectively by achieving clarity about what the organisation deems to be a ‘good’ or a ‘right’ decision.

Culture can be measured by looking at the extent to which the ethical framework of the organisation is perceived to be or is actually embedded within day-to-day practices. Yet measurement and evaluation of culture is in its early stages, and boards and senior management need to understand whether the culture they have is the culture they want.

In organisations with strong ethical cultures, the systems and processes of the organisation will align with the ethical framework. And people will use the ethical framework in the making of day-to-day decisions – both large and small.

Setting and embedding a clear ethical framework is not just the role of the board and senior management – all areas can play a role. This publication provides high-level guidance to these different roles:

The board is responsible for setting the tone at the top. The board should set the ethical foundations of the organisation through the ethical framework. Consistently, the board needs to be assured that the ethical framework is embedded within the organisation’s systems, processes and culture.

Management is responsible for implementing and monitoring the desired culture as defined and set by the board. They are also responsible for demonstrating leadership of the culture.

Human resources (HR) is fundamental in shaping, reinforcing and changing corporate culture within an organisation. HR drives organisational change programs that ensure cultural alignment with the ethical framework of the organisation. HR provides alignment to the ethical framework through recruitment, orientation, training, performance management, remuneration and other incentives.

Internal audit assesses how culture is being managed and monitored, and can provide an independent view of the current corporate culture.

External audit provides an independent review of an entity’s financial affairs according to legislative requirements, and provides the audit committee with valuable, objective insight into aspects of the entity’s governance and internal controls including its risk management.

 

 


*Joanne Desjardins is a corporate director and governance consultant. She has more than 18 years of experience as a lawyer and as a consultant in governance, strategy and human resources management. She is constantly on the lookout for the latest developments in governance and publishes articles on the subject.

Internal control measures to prevent cybersecurity fraud


Here is an article that focuses on the internal control measures to take in order to prevent cybersecurity fraud.

The authors, Keith Higgins* and Marvin Tagaban, present the results of their research in a post published on the Harvard Law School Forum website.

The frauds in question concern nine companies that were targeted by email scams.

The nine defrauded companies lost a total of nearly $100 million as a result of the email scams. The companies operated in different business sectors including technology, machinery, real estate, energy, financial, and consumer goods, which the Report suggests “reflect[s] the reality that every type of business is a potential target of cyber-related fraud.” The Report also highlighted the significant economic harm posed by “business email compromises” more broadly, which, based on FBI estimates, has caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017—the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.

The authors note that the email scams were mainly of two types:

(1) emails sent by fake executives;

(2) emails sent by fake vendors.

The authors present the implications for internal control in minimizing these frauds.

Enjoy the read!

Implementing Internal Controls in Cyberspace—Old Wine, New Skins


On October 16, 2018, the SEC issued a Section 21(a) investigative report (the “Report”), [1] cautioning public companies to consider cyber threats when designing and implementing internal accounting controls. The Report arose out of an investigation focused on the internal accounting controls of nine public companies that were victims of “business email compromises” in which perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large sums to bank accounts controlled by the perpetrators. In the investigation, the SEC considered whether the companies had complied with the internal accounting controls provisions of the federal securities laws. Although the Report is in lieu of an enforcement action against any of the issuers, the SEC issued the Report to draw attention to the prevalence of these cyber-related scams and as a reminder that all public companies should consider cyber-related threats when devising and maintaining a system of internal accounting controls.

The nine defrauded companies lost a total of nearly $100 million as a result of the email scams. The companies operated in different business sectors including technology, machinery, real estate, energy, financial, and consumer goods, which the Report suggests “reflect[s] the reality that every type of business is a potential target of cyber-related fraud.” The Report also highlighted the significant economic harm posed by “business email compromises” more broadly, which, based on FBI estimates, has caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017—the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.

Two types of email scams were employed against the nine companies: (i) emails from fake executives, and (ii) emails from fake vendors.

Emails from Fake Executives. In the first type of scam, perpetrators emailed company finance personnel using spoofed email domains and addresses of an executive (typically the CEO) so that it appeared as if the email were legitimate. The spoofed email directed the employees to work with a purported outside attorney identified in the email, who then directed them to wire large payments to foreign bank accounts controlled by the perpetrators. Common elements among each of these schemes included: (1) the transactions or “deals” were time-sensitive and confidential; (2) the requested funds needed to be sent to foreign banks and beneficiaries in connection with foreign deals or acquisitions; and (3) the spoofed emails typically were sent to midlevel personnel, who were not generally responsible or involved in the deals and rarely communicated with the executives being spoofed.

Emails from Fake Vendors. The second type of scam was more technologically sophisticated than the spoofed executive emails because the schemes typically involved the perpetrators hacking into the email accounts of the companies’ foreign vendors. The perpetrators then requested that the vendors’ banking information be changed so that a company’s payments on outstanding invoices for legitimate transactions were sent to foreign accounts controlled by the perpetrators rather than the real vendors. The Report noted that some spoofed vendor email scams went undetected for an extended period of time because vendors often afforded companies months before considering a payment delinquent.

Considerations for Public Companies

In the Report, the SEC advises public companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” Finance and accounting personnel at public companies should be aware that the above-described cyber-related scams exist, and these types of scams should be considered when implementing internal accounting controls.

Although the “cyber” aspect of these scams helps to make them a topic du jour, fake invoices are certainly no recent invention, nor are vendor requests to direct payments to a new address something that is unique to the email era. If the result of the Report is to cause companies to liberally insert “cyber” references into their internal controls, and little more, it will not have accomplished its objective. SEC Enforcement staff observed that the cyber-related frauds succeeded, at least in part, because the responsible personnel at the companies did not sufficiently understand the company’s existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability. For example, in one matter, the accounting employee who received the spoofed email did not follow the company’s dual-authorization requirement for wire payments, directing unqualified subordinates to sign-off on the wires. In another case, the accounting employee misinterpreted the company’s authorization matrix as giving him approval authority at a level reserved for the CFO.

Scams will always be with us, and the Report recognizes that the effectiveness of internal accounting control systems largely depends on having trained personnel to implement, maintain, and follow such controls. Public companies should also consider the following points raised by the actions taken by the defrauded companies following the cyber-related scams:

Review and enhance payment authorization procedures, verification requirements for vendor information changes, account reconciliation procedures and outgoing payment notification processes, particularly to foreign jurisdictions.

Evaluate whether finance and accounting personnel are adequately trained on relevant cyber-related threats and provide additional training on any new policies and procedures implemented as a result of the above step.
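As an added illustration of the controls the Report points to (dual authorization, an authorization matrix that is actually enforced, out-of-band verification of vendor banking changes, and notification of outgoing foreign payments), here is a payment-release check written for this post; it is not code from the SEC, the Report or the authors, and the authorization matrix, role names and three payment scenarios are constructed examples.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical authorization matrix (constructed for this example):
# role -> largest single payment, in USD, that the role may approve.
AUTHORIZATION_MATRIX = {
    "ap_clerk": 0,          # may prepare payments but never approve them
    "ap_manager": 50_000,
    "controller": 250_000,
    "cfo": 2_000_000,
}


@dataclass(frozen=True)
class Approver:
    user_id: str
    role: str


@dataclass(frozen=True)
class Payee:
    payee_id: str
    on_approved_vendor_list: bool      # established vendor with verified master data
    bank_details_changed: bool         # banking info changed since the last payment
    change_verified_out_of_band: bool  # change confirmed by callback to a known number


@dataclass(frozen=True)
class PaymentRequest:
    amount: float
    beneficiary_country: str
    payee: Payee
    approvers: tuple[Approver, ...]
    instruction_by_email_only: bool    # no confirmation through a second channel
    marked_urgent_confidential: bool   # the pressure cues the Report describes


def check_payment(req: PaymentRequest, home_country: str = "US") -> dict[str, list[str]]:
    """Evaluate one payment against the controls. 'blocking' findings stop the
    release; 'advisory' findings are red flags that require a second look."""
    blocking: list[str] = []
    advisory: list[str] = []

    # Dual authorization: two different people must sign off.
    if len({a.user_id for a in req.approvers}) < 2:
        blocking.append("dual-authorization: fewer than two distinct approvers")

    # Every approver must hold authority for this amount under the matrix, which
    # catches both an unqualified subordinate signing off and a misread matrix.
    for a in req.approvers:
        limit = AUTHORIZATION_MATRIX.get(a.role, 0)
        if req.amount > limit:
            blocking.append(
                f"authority: {a.user_id} ({a.role}) may approve up to {limit:,}, "
                f"payment is {req.amount:,.0f}"
            )

    # Payee master data: unknown payees and unverified banking changes block release.
    p = req.payee
    if not p.on_approved_vendor_list:
        blocking.append(f"payee: {p.payee_id} is not on the approved vendor list")
    if p.bank_details_changed and not p.change_verified_out_of_band:
        blocking.append(f"vendor-change: {p.payee_id} bank details changed without out-of-band verification")

    # Outgoing payments to foreign jurisdictions trigger a notification.
    if req.beneficiary_country != home_country:
        advisory.append(f"foreign-payment: beneficiary bank in {req.beneficiary_country}, notify treasury")
    if req.instruction_by_email_only:
        advisory.append("channel: instructions received by email only, confirm by phone callback")
    if req.marked_urgent_confidential:
        advisory.append("pressure: request marked urgent and confidential")

    return {"blocking": blocking, "advisory": advisory}


def release_allowed(req: PaymentRequest) -> bool:
    return not check_payment(req)["blocking"]


# Constructed scenarios mirroring the two scam types in the Report, plus a clean one.
PURPORTED_ATTORNEY = Payee("P-9001", on_approved_vendor_list=False,
                           bank_details_changed=False, change_verified_out_of_band=False)
VENDOR_UNVERIFIED_CHANGE = Payee("V-2042", True, bank_details_changed=True, change_verified_out_of_band=False)
VENDOR_VERIFIED_CHANGE = Payee("V-2042", True, bank_details_changed=True, change_verified_out_of_band=True)

SPOOFED_EXECUTIVE_WIRE = PaymentRequest(
    amount=1_500_000, beneficiary_country="HK", payee=PURPORTED_ATTORNEY,
    approvers=(Approver("u17", "ap_manager"), Approver("u42", "ap_clerk")),
    instruction_by_email_only=True, marked_urgent_confidential=True,
)
FAKE_VENDOR_INVOICE = PaymentRequest(
    amount=40_000, beneficiary_country="DE", payee=VENDOR_UNVERIFIED_CHANGE,
    approvers=(Approver("u17", "ap_manager"), Approver("u08", "controller")),
    instruction_by_email_only=True, marked_urgent_confidential=False,
)
CLEAN_PAYMENT = PaymentRequest(
    amount=40_000, beneficiary_country="US", payee=VENDOR_VERIFIED_CHANGE,
    approvers=(Approver("u17", "ap_manager"), Approver("u08", "controller")),
    instruction_by_email_only=False, marked_urgent_confidential=False,
)

if __name__ == "__main__":
    for name, req in [("spoofed executive", SPOOFED_EXECUTIVE_WIRE),
                      ("fake vendor", FAKE_VENDOR_INVOICE), ("clean", CLEAN_PAYMENT)]:
        print(name, "-> release allowed:", release_allowed(req), check_payment(req))
```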

The Report confirms that the SEC remains focused on cybersecurity matters and companies should continue to be vigilant against cyber threats. While the SEC stated that it was “not suggesting that every issuer that is the victim of a cyber-related scam is . . . in violation of the internal accounting controls requirements of the federal securities laws,” the Report also noted that “[h]aving internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets.”

_________________________________________________

Endnotes

[1] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Exchange Act Release No. 84429 (Oct. 16, 2018) (available here).

*Keith Higgins is chair of the securities and governance practice and Marvin Tagaban is an associate at Ropes & Gray LLP. This post is based on their Ropes & Gray memorandum.

The UK's forthcoming corporate governance code


I invite you to take a look at the United Kingdom's (UK) forthcoming corporate governance code.

To that end, here is a post by Martin Lipton*, published on the Harvard Law School Forum on Corporate Governance website, which presents an overview of the highlights.

Enjoy the read!


The Financial Reporting Council today [July 16, 2018] issued a revised corporate governance code and announced that a revised investor stewardship code will be issued before year-end. The code and related materials are available at www.frc.org.uk.

The revised code contains two provisions that will be of great interest. They will undoubtedly be relied upon in efforts to update the various U.S. corporate governance codes. They will also be used to further the efforts to expand the sustainability and stakeholder concerns of U.S. boards.

First, the introduction to the code makes note that shareholder primacy needs to be moderated and that the concept of the “purpose” of the corporation, as long put forth in the U.K. by Colin Mayer and recently popularized in the U.S. by Larry Fink in his 2018 letter to CEOs, is the guiding principle for the revised code:

Companies do not exist in isolation. Successful and sustainable businesses underpin our economy and society by providing employment and creating prosperity. To succeed in the long-term, directors and the companies they lead need to build and maintain successful relationships with a wide range of stakeholders. These relationships will be successful and enduring if they are based on respect, trust and mutual benefit. Accordingly, a company’s culture should promote integrity and openness, value diversity and be responsive to the views of shareholders and wider stakeholders.

Second, the code provides that the board is responsible for policies and practices which reinforce a healthy culture and that the board should engage:

with the workforce through one, or a combination, of a director appointed from the workforce, a formal workforce advisory panel and a designated non-executive director, or other arrangements which meet the circumstances of the company and the workforce.

It will be interesting to see how this provision will be implemented and whether it gains any traction in the U.S.

The UK Corporate Governance Code



Martin Lipton* is a founding partner of Wachtell, Lipton, Rosen & Katz, specializing in mergers and acquisitions and matters affecting corporate policy and strategy. This post is based on a Wachtell Lipton memorandum by Mr. Lipton.

The seven expectations audit committees have of CFOs


A good relationship between the chair of the audit committee and the chief financial officer (CFO) is absolutely essential for informed, faithful and honest financial management.

The authors are affiliated with Deloitte's Center for Board Effectiveness. In this publication, which appeared in the Wall Street Journal, they set out the seven expectations that audit committees have of CFOs.

This article will certainly be very useful to board members, particularly audit committee members, as well as to the company's financial management.

Enjoy the read! Your comments are welcome.

The CFO and the Audit Committee: Building an Effective Relationship


The evolution of the CFO’s role is effecting a shift in the audit committee’s expectations for the working relationship between the two. By considering their response to seven commonly held expectations audit committees have of CFOs, CFOs can begin to lay the groundwork for a more effective working relationship with their organization’s audit committee.

Typically, CFOs play four key roles within their organizations, but the amount of time CFOs allocate to each role is changing rapidly. “For CFOs high integrity of work, accuracy, and timely financial reporting are table stakes, but increasingly they are being expected to be Strategists and Catalysts in their organization,” says Ajit Kambil, global research director for Deloitte’s CFO Program. “In fact, our research indicates that CFOs are spending about 60% to 70% of their time in those roles, and that shift is both reflecting and driving higher expectations from the CEO as well as the board.”

As in any relationship, a degree of trust between CFOs and audit committee chairs serves as a foundation to an effective communication on critical issues. “In high-functioning relationships between CFOs and audit committee chairs, trust and dialogue are critical. Challenges can occur if a CFO comes to an audit committee meeting unprepared or presents a surprising conclusion to the audit committee without having sought the audit committee chair’s opinion, leaving the audit committee chair without the ability to influence that conclusion,” says Henry Phillips, vice chairman and national managing partner, Center for Board Effectiveness, Deloitte & Touche LLP.

 

Common Expectations Audit Committees Have of CFOs

Following are seven key expectations audit committees have of CFOs for both new and established CFOs to bear in mind.


(1) No Surprises: 

Audit committees do not welcome any surprises. Or, if surprises occur, the audit committee will want to be apprised of the issue very quickly. Surprises may be inevitable, but the audit committee expects CFOs to take precautions against known issues and to manage the avoidable ones and to inform them very early on when something unexpected occurs. In order to do this well, it is important for the CFO and the audit committee chair — perhaps some of the other board members — to set a regular cadence of meetings, so that they have a relationship and a context within which to work together when challenging issues arise. Don’t leave these meetings to chance. “If the audit committee chair or committee members are hearing about something of significance for the first time in a meeting, that’s problematic. Rather, the CFO should be apprising the audit committee chair as much in advance of a committee meeting as possible and talk through the issues so the audit committee chair is not surprised in the meeting,” says Phillips.

 

(2) Strong partnering with the CEO and other leaders: 

Audit committees want to see the CFO as an effective partner with the CEO, as well as with their peer executives. “The audit committee is carefully observing the CFO and how he or she interacts across the C-suite. At the same time, the audit committee also wants the CFO to be objective and to provide to the board independent perspectives on financial and business issues and not be a ‘yes’ person,” says Deb DeHaas, vice chair and national managing partner, Center for Board Effectiveness at Deloitte. A key for the CFO is to proactively manage CEO and peer relations — especially if there are challenging issues that may be brought up to the board. In that case, the CFO should be prepared to take a clear position on what the board needs to hear from management.

(3) Confidence in finance organization talent: 


Audit committees want visibility into the finance organization to ensure that it has the appropriate skills and experience. They also are looking to ensure that the finance organization will be stable over time, that there will be solid succession plans in place and that talent is being developed to create the strongest possible finance organization. CFOs might consider approaching these goals in several ways. One way is to provide key finance team members an opportunity to brief the audit committee on a special topic, for example, a significant accounting policy, a special analysis or another topic that’s on the board agenda. “While I encourage CFOs to give their team members an opportunity to present to the committee, it’s critical to make sure they’re well prepared and ready to address questions,” Phillips notes.

An outside-in view from audit committee members can bring significant value to the CFO — and to the organization.

 

(4) Command of key accounting, finance and business issues: 


Audit committees want CFOs to have a strong command of the key accounting issues that might be facing the organization, and given that many CFOs are not CPAs, such command is even more critical for the CFO to demonstrate. Toward that end, steps the CFO can take might include scheduling deep dives with management, the independent auditor, the chief accounting officer and others to receive briefings in order to better understand the organization’s critical issues from an accounting perspective, as well as to get trained up on those issues. In addition, CFOs should demonstrate a deep understanding of the business issues that the organization is confronting. There again, CFOs can leverage both internal and external resources to help them master these issues. Industry briefings are also important, particularly for CFOs who are new to an industry.

 

(5) Insightful forecasting and earnings guidance: 

Forecasts and earnings guidance will likely not always be precise. However, audit committees expect CFOs to not only deliver reliable forecasts, but also to articulate the underlying drivers of the company’s future performance, as well as how those drivers might impact outcomes. When CFOs lack a thorough understanding of critical assumptions and drivers, they can begin to lose support of key audit committee members. For that reason, it is important that CFOs have an experienced FP&A group to support them. In addition, audit committees and boards want to deeply understand the guidance that is being put forward, the ranges, and confidence levels. As audit committee members read earnings releases and other information in the public domain, they tend to focus on whether the information merely meets the letter of the law in terms of disclosures, or whether it tells investors what they need to know to make informed decisions. This is where an outside-in view from audit committee members can bring significant value to the CFO — and to the organization. Moreover, audit committees are increasingly interested in the broader macroeconomic issues that can impact the organization, such as interest rates, oil prices, and geographic instability.


(6) Effective risk management: 


CFOs are increasingly held accountable for risk management, even when there is a chief risk officer. Further, audit committees want CFOs to provide leadership not only on traditional financial accounting and compliance risk matters, but also on some of the enterprise operational macro-risk issues — and to show how that might impact the financial statement. It is important for CFOs to set the tone at the top for compliance and ethics, oversee the control environment and ensure that from a compensation perspective, the appropriate incentives and structures are in place to mitigate risk. A key to the CFO’s effectiveness at this level is to find time to have strategic risk conversations at the highest level of management, as well as with the board.

 

(7) Clear and concise stakeholder communications: 


Audit committees want CFOs to be very effective on how they communicate with key stakeholders, which extend beyond the board and the audit committees. They want CFOs to be able to articulate the story behind the numbers and provide insights and future trends around the business, and to effectively communicate to the Street. CFOs can expect board members to listen to earnings calls and to observe how they interact with the CEOs, demonstrate mastery of the company’s financial and business issues, and communicate those to the Street. Moreover, a CFO who is very capable from an accounting and finance perspective should exercise the communication skills that are necessary to be effective with different stakeholders.

 

“Communication is the cornerstone for a strong CFO-audit committee chair relationship,” notes DeHaas. “Although the CFO might be doing other things very well, if there is not effective communication and a trusting relationship with the audit committee, the CFO will likely not be as effective.”

Consequences of failing to disclose a major cyberattack


What are the consequences of not disclosing a significant breach of a company's information security?

In a post published on the HLS Forum, the authors, Matthew C. Solomon* and Pamela L. Marcogliese, take a close look at Yahoo's information-security failures and set out the consequences of failing to disclose cyberattacks and breaches of customer information.

They lay out the case very clearly, then turn to the terms of the financial settlement with the Securities and Exchange Commission (SEC).

Since such events are likely to occur more and more often, companies need to be well aware of what awaits them if they breach their disclosure obligations.

The authors draw five conclusions from Yahoo's situation; they are set out in the Takeaways section of the article below.


Happy reading!

 

Failure to Disclose a Cybersecurity Breach


On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database. The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents. Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.

Background

As alleged, Yahoo learned in late 2014 that it had recently suffered a data breach affecting over 500 million user accounts (the “2014 Breach”). Yahoo did not disclose the 2014 Breach until September 2016. During the time period Yahoo was aware of the undisclosed breach, it entered into negotiations to be acquired by Verizon and finalized a stock purchase agreement in July 2016, two months prior to the disclosure of the 2014 Breach. Following the disclosure in September 2016, Yahoo’s stock price dropped 3% and it later renegotiated the stock purchase agreement to reduce the price paid for Yahoo’s operating business by $350 million.

In or about late 2016, following its disclosure of the 2014 Breach, Yahoo learned about a separate breach that had taken place in August 2013 and promptly announced that such breach had affected 1 billion users (the “2013 Breach”). In October 2017, Yahoo updated its disclosure concerning the 2013 Breach, announcing that it now believed that all 3 billion of its accounts had been affected.

The Settlement

Altaba’s SEC settlement centered on the 2014 Breach only. The SEC found that despite learning of the 2014 Breach in late 2014—which resulted in the theft of as many as 500 million of its users’ Yahoo usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers, referred to internally as Yahoo’s “crown jewels”—Yahoo failed to timely disclose the material cybersecurity incident in any of its public securities filings until September 2016. Although Yahoo senior management and relevant legal staff were made aware of the 2014 Breach, according to the SEC, they “did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading.” [1] The SEC also faulted Yahoo’s senior management and legal staff because they “did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.” [2]

Among other things, the SEC found that Yahoo’s risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches, without disclosing that “a massive data breach” had in fact already occurred. [3]

The SEC also alleged that Yahoo management’s discussion and analysis of financial condition and results of operations (“MD&A”) in those reports was also misleading to the extent it omitted known trends or uncertainties with regard to liquidity or net revenue presented by the 2014 Breach. [4] Finally, the SEC further found that Yahoo did not maintain adequate disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team raising actual incidents of the theft of user data, or the significant risk of theft of user data, were properly and timely assessed to determine how and where data breaches should be disclosed in Yahoo’s public filings. [5]

Based on these allegations, the SEC found that Yahoo violated Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Securities Exchange Act. [6] To settle the charges, Altaba, without admitting or denying liability, agreed to cease and desist from any further violations of the federal securities laws and pay a civil penalty of $35 million.

Takeaways

There are several important takeaways from the settlement:

— First, public companies should take seriously the SEC’s repeated warnings that one of its top priorities is ensuring that public companies meet their obligations to adequately disclose material cybersecurity incidents and risks. This requires regular assessment of cyber incidents and risks in light of the company’s disclosures, with the assistance of outside counsel and auditors as appropriate, and ensuring that there are adequate disclosure controls in place for such incidents and risks.

— Second, the SEC’s recently released interpretive guidance on cybersecurity disclosure is an important guidepost for all companies with such disclosure obligations. The guidance specifically cited the fact that the SEC views disclosure that a company is subject to future cybersecurity attacks as inadequate if the company had already suffered such incidents. Notably, the Yahoo settlement specifically faulted the company for this precise inadequacy in its disclosures. Similarly, the recent guidance encouraged companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. The Yahoo settlement also found that the company had inadequate such controls.

— Third, at the same time the SEC announced the settlement, it took care to emphasize that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure.” [7] The SEC went on to note that Yahoo failed to meet this standard with respect to the 2014 Breach, but by articulating a “good faith” standard the SEC likely meant to send a message to the broader market that it is not seeking to penalize companies that make reasonable efforts to meet their cyber disclosure obligations.

— Fourth, it is also notable that the SEC charges did not include allegations that Yahoo violated securities laws with respect to the 2013 Breach. Yahoo had promptly disclosed the 2013 Breach after learning about it in late 2016, but updated its disclosure almost a year later with significant new information about the scope of the breach. The SEC’s recent guidance indicated that it was mindful that some material facts may not be available at the time of the initial disclosure, as was apparently the case with respect to the 2013 Breach. [8] At the same time, the SEC cautioned that “an ongoing internal or external investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” [9]

— Finally, it is worth noting that the Commission did not insist on settlements with any individuals. Companies, of course, can only commit securities violations through the actions of their employees. While it is not unusual for the Commission to settle entity-only cases on a “collective negligence” theory, the SEC Chair and the Enforcement Division’s leadership have emphasized the need to hold individuals accountable in order to maximize the deterrent impact of SEC actions. [10]

_________________________________________________________________________

Endnotes

[1] Altaba Inc., f/d/b/a Yahoo! Inc., Securities Act Release No. 10485, Exchange Act Release No. 83096, Accounting and Auditing Enforcement Release No. 3937, Administrative Proceeding File No. 3937 (Apr. 24, 2018) at ¶ 14.

[2] Id. at ¶ 15.

[3] Id. at ¶¶ 2, 16.

[4] Id.

[5] Id. at ¶ 15.

[6] Id. at ¶¶ 22-23.

[7] Press Release, SEC, Altaba, Formerly Known As Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million (Apr. 24, 2018), https://www.sec.gov/news/press-release/2018-71.

[8] As we have previously discussed, the federal securities laws do not impose a general affirmative duty on public companies to continuously disclose material information and, as acknowledged in Footnote 37 of the interpretive guidance, circuits are split on whether a duty to update exists. However, in circuits where a duty to update has been found to exist, a distinction has often been drawn between statements of a policy nature that are within the company’s control and statements describing then current facts that would be expected to change over time. The former have been held subject to a duty to update while the latter have not. See In re Advanta Corp. Securities Litigation, 180 F.3d 525, 536 (3d Cir. 1997) (“[T]he voluntary disclosure of an ordinary earnings forecast does not trigger any duty to update.”); In re Burlington Coat Factory Securities Litigation, 114 F.3d 1410, 1433 (3d Cir. 1997); In re Duane Reade Inc. Securities Litigation, No. 02 Civ. 6478 (NRB), 2003 WL 22801416, at *7 (S.D.N.Y. Nov. 25, 2003), aff’d sub nom. Nardoff v. Duane Reade, Inc., 107 F. App’x 250 (2d Cir. 2004) (“‘company has no duty to update forward–looking statements merely because changing circumstances have proven them wrong.’”).

[9] See SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 83 Fed. Reg. 8166, 8169 (Feb. 26, 2018), https://www.federalregister.gov/documents/2018/02/26/2018-03858/commission-statement-and-guidance-on-public-company-cybersecurity-disclosures.

[10] See, e.g., Steven R. Peikin, Co-Director, Div. Enf’t., SEC, Reflections on the Past, Present, and Future of the SEC’s Enforcement of the Foreign Corrupt Practices Act, Keynote Address at N.Y.U. Program on Corporate Law and Enforcement Conference: No Turning Back: 40 Years of the FCPA and 20 Years of the OECD Anti-Bribery Convention Impacts, Achievements, and Future Challenges (Nov. 9, 2017), https://www.sec.gov/news/speech/speech-peikin2017-11-09; SEC Div. Enf’t., Annual Report: A Look Back at Fiscal Year 2017, at 2 (Nov. 15, 2017), https://www.sec.gov/files/enforcement-annual-report2017.pdf.

_______________________________________________________________________

*Matthew C. Solomon and Pamela L. Marcogliese are partners and Rahul Mukhi is counsel at Cleary Gottlieb Steen & Hamilton LLP. This post is based on a Cleary Gottlieb publication by Mr. Solomon, Ms. Marcogliese, Mr. Mukhi, and Kal Blassberger.

Twelve questions a director should ask to gauge the effectiveness of his or her board


I found very interesting the questions a new director might ask in order to better identify the main factors behind good governance of a board of directors.

Of course, this short questionnaire can also be used by a sitting board member who wants to assess the quality of governance on his or her own board.

Directors can put these questions to the board chair, the other board members and the corporate secretary.

The twelve questions listed below were discussed at a roundtable organized by the INSEAD Directors Forum on the Asia campus in Singapore.

This article was published by Noelle Ahlberg Kleiterp* on the Harvard Law School Forum on Corporate Governance website.

Each question is accompanied by a few useful reflections to help turn it into action.

Happy reading! Your comments are welcome.

 

Twelve questions to determine board effectiveness

 

 

In many countries, boards of directors (particularly those of large organisations) have functioned too long as black boxes. Directors’ focus has often—and understandably so—been monopolised by a laundry list of issues to be discussed and typically approved at quarterly meetings.

The board’s own performance, effectiveness, processes and habits receive scant reflection. Many directors are happy to leave the corporate secretary with the task of keeping sight of governance best practices; certainly they do not regard it as their own responsibility.


However, increased regulatory pressures are now pushing boards toward greater responsibility, transparency and self-awareness. In some countries, annual board reviews have become compulsory. In addition, mounting concerns about board diversity provide greater scope for questioning the status quo.

Achieving a more heterogeneous mix of specialisations, cultures and professional experiences entails a willingness to revise some unwritten rules that, in many instances, have governed board functions. And that is not without risk.

At the same time, the “diversity recruits” wooed for board positions may not know the explicit, let alone the implicit, rules. Some doubtless never anticipated they would be asked to join a board. Such invitations often come out of the blue, with little motivation or clarity about what is expected from the new recruit. No universal guidelines are available to aid candidates as they decide whether to accept their invitation.

Long-standing directors and outliers alike could benefit from a crash course in the fundamentals of well-run boards. This was the subject of a roundtable discussion held in February 2017 as part of the INSEAD Directors Forum on the Asia campus.

As discussion leader, I gave the participants, most of whom were recent recipients of INSEAD’s Certificate in Corporate Governance, a basic quiz designed to prompt reflection about how their board applies basic governance principles. It occurred to me later that these questions could be of broader use to directors as a framework for beginning a reassessment of their board role.

 

Questions and reflections

 

Q1) True/False: My board maintains a proper ratio of governing vs. executing.

Reflection: Recall basic principles of governance. If you are executing, who is maintaining oversight over you? Why aren’t the executive team executing and the board governing?

 

Q2) True/False: My board possesses the required competencies to fulfil its duties.

Reflection: Competencies can be industry-specific or universal (such as being an effective director). Many boards are reluctant to replace members, yet the needs of the organisation shift and demand new competencies, particularly in the digital age. Does your board have a director trained in corporate governance who could take the lead? Or does it adopt the outdated view of governance as a matter for the corporate secretary, perhaps in consultation with owners?

 

Q3) True/False: The frequency and duration of my board meetings are sufficient.

Reflection: Do you cover what you must cover and have ample time for strategy discussions? Are discussions taking place at the table that should be conducted prior to meetings?

 

Q4) How frequently does your chairperson meet with management: weekly, fortnightly, monthly, or otherwise?

Reflection: Meetings can be face-to-face or virtual. An alternative question is: Consider email traffic between the chair/board and management—is correspondence at set times (e.g. prior to scheduled meetings/calls) or random in terms of topic and frequency?

 

Q5) Is this frequency excessive, adequate or insufficient?

Reflection: Consider what is driving the frequency of the meetings (or email traffic). Is there a pressing topic that justifies more frequent interactions? Is there a lack of trust or lack of interest driving the frequency?

 

Q6) True/False: My board possesses the ideal mix of competencies to handle the most pressing issue on the agenda.

Reflection: If one issue continually appears on the agenda (e.g. marketing-related), there could be reason to review the board’s effectiveness with regards to this issue, and probably the mix of skills within the current board. If the necessary expertise were present at the table, could the board have resolved the issue?

 

Q7) True/False: The executive team is competent/capable. If “false”, is your board acting on this?

Reflection: At this point in the quiz, you should be considering whether incompetency is the issue. If so, is it being addressed? How comfortable are you, for example, that your executive team is capable of addressing digitisation?

 

Q8) True/False: My chairperson is effective.

Reflection: Perhaps incompetency rests with the chairperson or with a few board members. Are elements within control of the chairperson well managed? Does your board function professionally? If not, does the chair intervene and improve matters? Are you alone in your views regarding board effectiveness? A “false” answer here should lead you to take an activist role at the table to guide the chair and the board to effectiveness.

 

Q9) Yes/No: Does your board effectively make use of committees? If “yes”, how many and for which topics? If “no”, why not?

Reflection: Well-defined committees (e.g. audit, nomination, risk) improve the efficiency of board meetings and are a vital component of governance. In the non-profit arena, use of board committees is less common. However, non-profit boards can equally benefit from this basic guiding principle of good governance.

 

Q10) True/False: Recruitment/nomination of new board members adheres to a robust process.

Reflection: When are openings posted? Who reviews/targets potential candidates? How are candidate criteria determined? And is there a clear “on-boarding” process that is regularly revisited?

 

Q11) True/False: My board performs a board review annually.

Reflection: A board review will touch on many elements mentioned in previous questions. Obtaining buy-in for the first review might prove painful. Thereafter knowledge of an annual review will undoubtedly lead to more conscious governance and opportunities to introduce improvements (including replacement of board members). Procedurally, the review of the board as a whole should precede the review of individuals.

 

Q12) Think of a tough decision your board has made. Recall how the decision was reached and results were monitored. Was “fair process leadership” (FPL) at play?

Reflection: Put yourself in the shoes of a fellow board member, perhaps the one most dissatisfied with the outcome of a particular decision. Would that person agree that fair process was adhered to, despite his or her own feelings? Boards that apply fair process move on—as a team—from what is perceived to be a negative outcome for an individual board member. If decisions are made rashly and lack follow-up, FPL is not applied. Energies will quickly leave the room.

 

From reflection to action

 

Roundtable participants agreed that these questions should be applied in light of the longevity of the organisation concerned. Compared with most mature organisations, a start-up will need many more board meetings and more interactions between the board and the management team. The “exit” phase of an organisation (or a sub-part of the organisation) is another time in the lifecycle that requires intensified board involvement.

Particularly in the non-profit sector, where directors commonly work pro bono, passion for the organisational mission should be a prerequisite for all prospective board members. However, passion—in the form of a determination to see the organisation’s strategy succeed—should be a consideration for all board members and nominees, regardless of the sector.

Directors who apply the above framework and are dissatisfied with what they discover could seek solutions in their professional networks, corporate governance textbooks or a course such as INSEAD’s International Directors Programme.

If you are considering a board role, you could use the 12 questions, tweak them for your needs and evaluate your answers. Speak not only with the chair, but also with as many board members and relevant executive team members as you can. Understand your comfort level with how the board operates and applies governance principles before accepting a mandate.


Noelle Ahlberg Kleiterp, MBA, IDP-C, has worked for 25 years across three continents with companies including GE, KPMG, Andersen Consulting and Atradius. Noelle owns a sole proprietorship in Singapore and serves as a board member on a non-profit organisation in Singapore.

Key issues for audit committee members | KPMG


KPMG's recent report on major audit trends presents seven challenges that board members, and audit committee members in particular, must consider in order to discharge their corporate governance responsibilities properly.

The report was written by audit professionals at KPMG together with the Conference Board of Canada.

The seven challenges addressed in the report are:

– talent and human capital;

– technology and cybersecurity;

– disruption of business models;

– an evolving regulatory landscape;

– political and economic uncertainty;

– evolving expectations for financial reporting;

– the environment and climate change.

I invite you to consult the full report below for more information on each issue.

Happy reading!

 

Audit Trends (Tendances en audit)


As technological innovation and cybersecurity continue to have a growing impact on the world of finance and business globally, audit committees and CFOs alike recognize the need for high-calibre talent to help meet these challenges and take advantage of them.

The audit committee's role is to ensure that the organization has the right people, with the required experience and knowledge, both in management and operations and within the committee's own membership. This is just one of the many challenges that surfaced in this third edition of the Audit Trends report.

Today's audit committees are responsible for helping organizations navigate the many issues and challenges they face, more complex than ever, while fulfilling their traditional mandate of compliance and financial reporting. While audit committees are fully aware of this need, our report indicates that audit committees and CFOs are questioning how well positioned their organization is to address the full range of current and emerging trends.

To shed light on this concern and other key issues, the Audit Trends report examines the following seven challenges:

  1. talent and human capital;
  2. technology and cybersecurity;
  3. disruption of business models;
  4. an evolving regulatory landscape;
  5. political and economic uncertainty;
  6. evolving expectations for financial reporting;
  7. the environment and climate change.

As mandates and responsibilities evolve, this report will prove a valuable resource for all audit stakeholders.

The board's role in building a strong organizational culture | A practical guide


Below is a document shared by Joanne Desjardins*, on the board's role in establishing a strong organizational culture.

It is certainly one of the most useful guides on the subject, and an essential governance reference.

I invite you to read the executive summary. Your comments are appreciated.

 

Managing Culture | A good practical guide – December 2017


Executive summary

 

In Australia, the regulators Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) have both signalled that there are significant risks around poor corporate culture. ASIC recognises that culture is at the heart of how an organisation and its staff think and behave, while APRA directs boards to define the institution’s risk appetite and establish a risk management strategy, and to ensure management takes the necessary steps to monitor and manage material risks. APRA takes a broad approach to ‘risk culture’ – including risk emerging from a poor culture.

Regulators across the globe are grappling with the issue of risk culture and how best to monitor it. While regulators generally do not dictate a cultural framework, they have identified common areas that may influence an organisation’s risk culture: leadership, good governance, translating values and principles into practices, measurement and accountability, effective communication and challenge, recruitment and incentives. Ultimately, the greatest risk lies in organisations that are believed to be hypocritical when it comes to the espoused versus actual culture.

The board is ultimately responsible for the definition and oversight of culture. In the US, Mary Jo White, Chair of the Securities and Exchange Commission (SEC), recognised that a weak risk culture is the root cause of many large governance failures, and that the board must set the ‘tone at the top’.

Culture also has an important role to play in risk management and risk appetite, and can pose significant risks that may affect an organisation’s long-term viability.

However, culture is much more about people than it is about rules. This guide argues that an ethical framework – which is different from a code of ethics or a code of conduct – should sit at the heart of the governance framework of an organisation. An ethical framework includes a clearly espoused purpose, supported by values and principles.

There is no doubt that increasing attention is being given to the ethical foundations of an organisation as a driving force of culture, and one method of achieving consistency of organisational conduct is to build an ethical framework in which employees can function effectively by achieving clarity about what the organisation deems to be a ‘good’ or a ‘right’ decision.

Culture can be measured by looking at the extent to which the ethical framework of the organisation is perceived to be or is actually embedded within day-to-day practices. Yet measurement and evaluation of culture is in its early stages, and boards and senior management need to understand whether the culture they have is the culture they want.

In organisations with strong ethical cultures, the systems and processes of the organisation will align with the ethical framework. And people will use the ethical framework in the making of day-to-day decisions – both large and small.

Setting and embedding a clear ethical framework is not just the role of the board and senior management – all areas can play a role. This publication provides high-level guidance to these different roles:

The board is responsible for setting the tone at the top. The board should set the ethical foundations of the organisation through the ethical framework. Consistently, the board needs to be assured that the ethical framework is embedded within the organisation’s systems, processes and culture.

Management is responsible for implementing and monitoring the desired culture as defined and set by the board. They are also responsible for demonstrating leadership of the culture.

Human resources (HR) is fundamental in shaping, reinforcing and changing corporate culture within an organisation. HR drives organisational change programs that ensure cultural alignment with the ethical framework of the organisation. HR provides alignment to the ethical framework through recruitment, orientation, training, performance management, remuneration and other incentives.

Internal audit assesses how culture is being managed and monitored, and can provide an independent view of the current corporate culture.

External audit provides an independent review of an entity’s financial affairs according to legislative requirements, and provides the audit committee with valuable, objective insight into aspects of the entity’s governance and internal controls including its risk management.

*Joanne Desjardins is a corporate director and governance consultant. She has more than 18 years of experience as a lawyer and as a consultant in governance, strategy and human resources management. She keeps a constant watch on the latest developments in governance and publishes articles on the subject.

Indicators for measuring the performance of internal audit functions


Denis Lefort, CPA, consultant in governance, audit and control, brought to my attention an IIA research report on “indicators for measuring the performance of internal audit functions”.

Even today, the indicators used are often centred on the function’s own internal performance rather than on its real impact on the organization.

For example, few internal audit departments assess their performance by the reduction of fraud cases in the company, by improved risk management, and so on.

Instead, the usual indicators are used, such as the rate of recommendations implemented, completion of the audit plan, etc.

Below is the introduction to the IIA document. To consult the detailed report, click on the document’s title.

Enjoy the read. Your comments are welcome.

Measuring Internal Audit Value and Performance

In 2010, The IIA recognized a need to capture a simple, memorable, and straightforward way to help internal auditors convey the value of their efforts to important stakeholders, such as boards of directors, audit committees, management, and clients. To that end, the association introduced the Value Proposition for Internal Auditing, which characterizes internal audit’s value as an amalgam of three elements: assurance, insight, and objectivity.


But identifying the conceptual elements of value is only part of what needs to be done. How does that construct look in the workplace? What activities does internal audit undertake that deliver the most value? What should be measured to determine that the organization’s expectations of value are being met? How does internal audit organize and structure the information that populates the metrics? And, most critically, do the answers to all these questions align; that is, does internal audit’s perception of its value, as measured and tracked, correlate with what the organization wants and needs from the internal audit function? (Exhibit 1)

Exhibit 1

The Internal Audit Value Proposition

1. ASSURANCE = Governance, Risk, Control

Internal audit provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives.

2. INSIGHT = Catalyst, Analyses, Assessments

Internal audit is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business process.

3. OBJECTIVITY = Integrity, Accountability, Independence

With commitment to integrity and accountability, internal audit provides value to governing bodies and senior management as an objective source of independent advice.

These are the kinds of questions the CBOK 2015 global practitioner survey posed to chief audit executives (CAEs) from around the world. The activities these CAEs believe bring value to the organization are consistent with the three elements of The IIA’s value proposition. In fact, the nine activities identified by CAEs as adding the most value can be mapped directly to the three elements, as shown in Exhibit 2.

However, in looking at the performance measures and tools used by the organization and the internal audit function, a gap appears to form between value-adding activities and the ways performance is measured. This report explores that gap in greater detail and clarifies the respondents’ view of value-adding activities, preferred performance measures, and the methodologies and tools most commonly used to support internal audit’s quality and performance processes. Where appropriate, responses tabulated by geographic regions and organization types are examined.

Finally, based on the findings, the final chapter of the report provides a series of practical steps that practitioners at all levels can implement to help their internal audit department deliver on its value proposition of assurance, insight, and objectivity.

Exhibit 2

The Internal Audit Value Proposition (mapped to response options from the CBOK Survey)

ASSURANCE ACTIVITIES

  1. Assuring the adequacy and effectiveness of the internal control system
  2. Assuring the organization’s risk management processes
  3. Assuring regulatory compliance
  4. Assuring the organization’s governance processes

INSIGHT ACTIVITIES

  1. Recommending business improvement
  2. Identifying emerging risks

OBJECTIVE ADVICE ACTIVITIES

  1. Informing and advising management
  2. Investigating or deterring fraud
  3. Informing and advising the audit committee

Reflections on the benefits of a strong organizational culture


What are the benefits of a strong organizational culture?

That is precisely the question addressed by William C. Dudley, President and CEO of the Federal Reserve Bank of New York, in a speech given to the Banking Standards Board in London.

In his presentation, he identifies three fundamental elements for improving the organizational culture of firms in the financial sector:

  1. Define the firm’s purpose and state clear objectives, since these are necessary for assessing performance;
  2. Measure the firm’s performance and compare it with that of others in the same sector;
  3. Ensure that incentives lead to behaviours consistent with the goals the organization wants to achieve.

According to Mr. Dudley, there are several advantages to integrating good-culture practices into the management of a firm. He clearly sets out the many benefits to be gained when an organization has a healthy culture.

Below you will find the main reasons why it is important to pay attention to this dimension over the long term. I had never seen these reasons stated so explicitly in a text.

The article appeared today on the Harvard Law School Forum on Corporate Governance website.

Enjoy the read!

Reforming Culture for the Long Term

I am convinced that a good or ethical culture that is reflected in your firm’s strategy, decision-making processes, and products is also in your economic best interest, for a number of reasons:

Good culture means fewer incidents of misconduct, which leads to lower internal monitoring costs.

Good culture means that employees speak up so that problems get early attention and tend to stay small. Smaller problems lead to less reputational harm and damage to franchise value. And, habits of speaking up lead to better exchanges of ideas—a hallmark of successful organizations.

Good culture means greater credibility with prosecutors and regulators—and fewer and lower fines.

Good culture helps to attract and retain good talent. This creates a virtuous circle of higher performance and greater innovation, and less pressure to cut ethical corners to generate the returns necessary to stay in business.

Good culture builds a strong organizational story that is a source of pride and that can be passed along through generations of employees. It is also attractive to clients.

Good culture helps to rebuild public trust in finance, which could, in turn, lead to a lower burden imposed by regulation over time. Regulation and compliance are expensive substitutes for good stewardship.

Good culture is, in short, a necessary condition for the long-term success of individual firms. Therefore, members of the industry must be good stewards and should seek to make progress on reforming culture in the near term.

A complete document on good practices for board governance and management | KPMG’s The Directors’ Toolkit 2017


Here is version 4.0 of KPMG’s document “The Directors’ Toolkit 2017”, which is very well designed and clearly answers the questions that all corporate directors ask themselves during their mandate.

Even though the publication is intended for KPMG’s Australian audience, I believe the North American regulatory reality is too similar to forgo a good toolkit that can help build an effective board.

It is a superb interactive electronic document. See the table of contents below.

I asked KPMG to provide me with a French version of the same document, but none seems to exist.

Enjoy the read!

The Directors’ Toolkit 2017 | KPMG

Now in its fourth edition, this comprehensive guide is in a user-friendly electronic format. It is designed to assist directors to more effectively discharge their duties and improve board performance and decision-making.

Key topics

  1. Duties and responsibilities of a director
  2. Oversight of strategy and governance
  3. Managing shareholder and stakeholder expectations
  4. Structuring an effective board and sub-committees
  5. Enabling key executive appointments
  6. Managing productive meetings
  7. Better practice terms of reference, charters and agendas
  8. Establishing new boards.

What’s new in 2017

In this latest version, we have included newly updated sections on:

  1. managing cybersecurity risks
  2. human rights in the supply chain.

Register

Register here for your free copy of the Directors’ Toolkit.

What factors influence the compensation of non-profit executives?


What influences the compensation of executives of non-profit organizations? That is the question Elizabeth K. Keating and Peter Frumkin set out to answer in a noteworthy academic study, a summary of which is published in the journal Nonprofit Quarterly.

Setting fair compensation in any organization is a fairly complex area. But in non-profit enterprises, it is often a major challenge and a dilemma!

When managing money that comes largely from the public, one is often uncomfortable offering compensation comparable to the private sector. Comparisons are not easy to establish…

However, the organization must pay adequate compensation; otherwise, it will not be able to retain the best talent and grow the enterprise.

Of course, the situation has evolved considerably over the past 30 years. It is now more readily accepted that the services rendered in managing such organizations must be compensated at their fair value. But the non-profit sector is still dominated by relatively low salaries and by the contribution of generous volunteers…

Unlike most private companies, non-profits pay their staff a fixed salary. However, comparisons with the private sector have led several non-profits to offer performance-based compensation (e.g. fundraising results, expense reductions, surpluses generated).

In most non-profits, executive salary increases remain hot topics… very hot, given the limited means of these organizations, the propensity to rely on volunteers and the constraints tied to their social missions.

The study’s authors developed three hypotheses to explain compensation behaviour in the non-profit sector:

  1. CEOs who manage large organizations will be better paid;
  2. Non-profit CEO compensation will not be based on the financial performance of their organizations;
  3. Non-profit CEO compensation will not be determined by financial liquidity.

In summary, the research shows that the hypotheses are validated in almost all the sectors studied. It really is the size and growth of the organization that are the determining factors in setting senior executive compensation. In this sector, good performance should not be linked directly to compensation.

Most directors of these organizations are not paid, often for reasons of moral values. However, I believe that, if the organization can afford it, it should provide some form of compensation for directors, who have the same fiduciary responsibilities as the directors of private companies.

I personally believe that some compensation is appropriate, even if it is not high. Directors will always feel more accountable if they receive compensation for their work. Even if the remuneration is minimal, it will certainly help to engage them more.

This quotation sums up the study’s conclusions fairly well:

One final implication of our analysis bears on the enduring performance-measurement quandary that confronts so many nonprofit organizations. We believe that nonprofits may rely on organizational size to make compensation decisions, drawing on free cash flows when available, rather than addressing the challenge of defining, quantifying, and measuring the social benefits that they produce. Nonprofits typically produce services that are complex and that generate not only direct outputs but also indirect, long-term, and societal benefits. These types of services often make it difficult to both develop good outcome measures and establish causality between program activity and impact. In the absence of effective metrics of social performance and mission accomplishment, many organizations rely on other factors in setting compensation. Perhaps, once better measures of mission fulfillment are developed and actively implemented, nonprofits will be able to structure CEO compensation in ways that provide appropriate incentives to managers who successfully advance the missions of nonprofit organizations, while respecting the full legal and ethical implications of the nondistribution constraint.

For more information on the details of the study, I recommend reading the following excerpts.

Enjoy the read!

What Drives Nonprofit Executive Compensation?

To test our first hypothesis, we relied on two variables: lagged total fixed assets and lagged total program expenses. We chose total fixed assets as a proxy for scale of operations and total program expenses as a measure of the annual budget.[15] To test our second hypothesis, we developed two variables associated with pay-for-performance compensation: administrative efficiency and dollar growth in contributed revenue.[16] To test our third hypothesis, we selected three variables that determine whether an organization is cash constrained or has free cash flows: lagged commercial revenue, liquid assets to expenses measure, and investment portfolio to total assets measure.[17]

Since the nonprofit industry is quite heterogeneous, we explored the compensation question in the major subsectors: arts, education, health, human services, “other,” and religion.[18]

Arts

The compensation of arts CEOs increases more rapidly relative to program expenses than in the other subsectors, and the remuneration of arts CEOs is negatively associated with commercial revenue share. This stands in contrast to the positive relation of this factor in the remaining subsectors.

Greater administrative efficiency, higher liquidity, and a more extensive endowment are associated with higher compensation, but generating additional contributions is not. Overall, the organizational-size variables explain a substantially greater proportion of the variation in compensation for arts CEOs than the other two factors combined.

Education

While arts executive pay is closely related to program expenses, CEOs at educational institutions receive compensation that is significantly associated with fixed assets. These organizations include primary and secondary schools, as well as colleges and universities. Unlike the arts CEOs, educational leaders are better compensated when their organizations have growth in contributions but not when they are more administratively efficient.

Health

Due to the competition in the health subsector between for-profit and nonprofit firms, one might expect that compensation would be more heavily weighted toward the pay-for-performance variables. Instead, we found that CEO compensation in this subsector is strongly related to organizational size. It is weakly tied to administrative efficiency, and is not significantly related to growth in contributions. From these results, we concluded that compensation in the health subsector is not closely tied to classic pay-for-performance measures.

With regard to free cash flows, we found that the sensitivity of CEO remuneration to increases in the commercial revenue share is highest in the health subsector. Health CEO remuneration is also quite sensitive to the relative size of the endowment. We found no significant relation between health CEO compensation and liquidity. Overall, the organization-size variables explain a greater portion of the variation in pay in the health subsector than the pay-for-performance and free cash flow variables combined.

Human Services and “Other”

CEO compensation in the human-services and “other” subsectors exhibits considerable similarities in the magnitude of the coefficients. Total program expenses are significantly related to compensation, with a $10–$11 gain in compensation for each $1,000 increase in program expenses. In neither case are total fixed assets significantly associated with remuneration. CEOs in both subsectors can expect to be financially rewarded for greater administrative efficiency and when the share of commercial revenue is higher and the relative size of the investment portfolio is larger. One striking difference is that CEOs in the other subsectors receive substantially higher compensation when contributions are increased, while CEOs of human-service providers oddly receive significantly lower compensation when liquidity is higher. In both subsectors, the organizational-size variables had more power to explain compensation than the other two variable groups combined.

Religion

Compensation for religious leaders differs substantially from the other sectors. First, “base” pay and both organizational-size variables are insignificant. In the area of pay-for-performance, the regression results indicate that compensation is not directly associated with growth in contributions. More unusually, it is negatively related to administrative efficiency. In one regard, the CEOs of religious organizations are similar to their counterparts: their compensation is significantly associated with the commercial-revenue share and the relative size of the investment portfolio. For CEOs of this subsector, the size hypothesis was most strongly supported, but it did not dominate the other two hypotheses combined.

Conclusions

We found that nonprofit CEOs are paid a base salary, and many CEOs also receive additional pay associated with larger organizational size. Our results indicate that while pay-for-performance is a factor in determining compensation, it is not prominent. In fact, in all the subsectors we studied, CEO compensation is more sensitive to organizational size and free cash flows than to performance. While our analysis suggests that nonprofits may not literally be violating the nondistribution constraint, we did find evidence that CEO compensation is significantly higher in the presence of free cash flows. In only one subsector (education), however, did we find evidence that free cash flow is a central factor.

___________________________________________

*This article is adapted from “The Price of Doing Good: Executive Compensation in Nonprofit Organizations,” an article by the authors published in the August 2010 issue (volume 29, issue 3) of Policy and Society, an Elsevier/ScienceDirect publication. The original report can be accessed here.

