Internal control measures to take to prevent cybersecurity fraud


Here is an article that focuses on the internal control measures to take in order to prevent cybersecurity fraud.

The authors, Keith Higgins* and Marvin Tagaban, present the results of their research in a post published on the Harvard Law School Forum site.

The frauds in question concern nine companies that were targeted by email scams.

The nine defrauded companies lost a total of nearly $100 million as a result of the email scams. The companies operated in different business sectors including technology, machinery, real estate, energy, financial, and consumer goods, which the Report suggests “reflect[s] the reality that every type of business is a potential target of cyber-related fraud.” The Report also highlighted the significant economic harm posed by “business email compromises” more broadly, which, based on FBI estimates, has caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017—the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.

The authors note that the email scams were mainly of two types:

(1) emails sent by fake executives;

(2) emails sent by fake vendors.

The authors set out the internal control implications for minimizing these frauds.

Happy reading!

Implementing Internal Controls in Cyberspace—Old Wine, New Skins

On October 16, 2018, the SEC issued a Section 21(a) investigative report (the “Report”), [1] cautioning public companies to consider cyber threats when designing and implementing internal accounting controls. The Report arose out of an investigation focused on the internal accounting controls of nine public companies that were victims of “business email compromises” in which perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large sums to bank accounts controlled by the perpetrators. In the investigation, the SEC considered whether the companies had complied with the internal accounting controls provisions of the federal securities laws. Although the Report is in lieu of an enforcement action against any of the issuers, the SEC issued the Report to draw attention to the prevalence of these cyber-related scams and as a reminder that all public companies should consider cyber-related threats when devising and maintaining a system of internal accounting controls.

The nine defrauded companies lost a total of nearly $100 million as a result of the email scams. The companies operated in different business sectors including technology, machinery, real estate, energy, financial, and consumer goods, which the Report suggests “reflect[s] the reality that every type of business is a potential target of cyber-related fraud.” The Report also highlighted the significant economic harm posed by “business email compromises” more broadly, which, based on FBI estimates, has caused over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017—the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.

Two types of email scams were employed against the nine companies: (i) emails from fake executives, and (ii) emails from fake vendors.

Emails from Fake Executives. In the first type of scam, perpetrators emailed company finance personnel using spoofed email domains and addresses of an executive (typically the CEO) so that it appeared as if the email were legitimate. The spoofed email directed the employees to work with a purported outside attorney identified in the email, who then directed them to wire large payments to foreign bank accounts controlled by the perpetrators. Common elements among each of these schemes included: (1) the transactions or “deals” were time-sensitive and confidential; (2) the requested funds needed to be sent to foreign banks and beneficiaries in connection with foreign deals or acquisitions; and (3) the spoofed emails typically were sent to midlevel personnel, who were not generally responsible or involved in the deals and rarely communicated with the executives being spoofed.

Emails from Fake Vendors. The second type of scam was more technologically sophisticated than the spoofed executive emails because the schemes typically involved the perpetrators hacking into the email accounts of the companies’ foreign vendors. The perpetrators then requested that the vendors’ banking information be changed so that a company’s payments on outstanding invoices for legitimate transactions were sent to foreign accounts controlled by the perpetrators rather than the real vendors. The Report noted that some spoofed vendor email scams went undetected for an extended period of time because vendors often afforded companies months before considering a payment delinquent.

Considerations for Public Companies

In the Report, the SEC advises public companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” Finance and accounting personnel at public companies should be aware that the above-described cyber-related scams exist, and these types of scams should be considered when implementing internal accounting controls.

Although the “cyber” aspect of these scams helps to make them a topic du jour, fake invoices are certainly no recent invention, nor are vendor requests to direct payments to a new address something that is unique to the email era. If the result of the Report is to cause companies to liberally insert “cyber” references into their internal controls, and little more, it will not have accomplished its objective. SEC Enforcement staff observed that the cyber-related frauds succeeded, at least in part, because the responsible personnel at the companies did not sufficiently understand the company’s existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability. For example, in one matter, the accounting employee who received the spoofed email did not follow the company’s dual-authorization requirement for wire payments, directing unqualified subordinates to sign-off on the wires. In another case, the accounting employee misinterpreted the company’s authorization matrix as giving him approval authority at a level reserved for the CFO.

Scams will always be with us, and the Report recognizes that the effectiveness of internal accounting control systems largely depends on having trained personnel to implement, maintain, and follow such controls. Public companies should also consider the following points raised by the actions taken by the defrauded companies following the cyber-related scams:

Review and enhance payment authorization procedures, verification requirements for vendor information changes, account reconciliation procedures and outgoing payment notification processes, particularly to foreign jurisdictions.

Evaluate whether finance and accounting personnel are adequately trained on relevant cyber-related threats and provide additional training on any new policies and procedures implemented as a result of the above step.
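The two scam patterns and the control failures described above (a spoofed executive domain, unqualified subordinates signing off on wires, a misread authorization matrix, vendor bank details changed without verification) can be expressed as checks a payment workflow runs before a wire is released. The following Python example is added here and is not code from the Report or from the Ropes & Gray memorandum; the company domain, the authorization matrix, the dual-approval threshold and the sample vendor and wire requests are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed assumptions for this example (not values taken from the Report).
COMPANY_DOMAIN = "example-corp.com"          # the only domain executives send from
# Authorization matrix: role -> largest single wire (USD) that role may approve.
AUTH_MATRIX: Dict[str, float] = {
    "ap_clerk": 0, "ap_manager": 25_000, "controller": 250_000, "cfo": 5_000_000,
}
DUAL_APPROVAL_THRESHOLD = 10_000             # two distinct qualified approvers above this


@dataclass
class Vendor:
    name: str
    bank_account: str            # account the pending payment would go to
    verified_accounts: Set[str]  # accounts confirmed by call-back to a number already on file


@dataclass
class WireRequest:
    amount: float
    beneficiary_country: str
    requester_email: str         # address the payment instruction arrived from
    approvers: Dict[str, str]    # approver user id -> role in AUTH_MATRIX
    vendor: Optional[Vendor] = None
    urgent_and_confidential: bool = False


def sender_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].strip().lower()


def qualified_approvers(req: WireRequest) -> List[str]:
    """Approvers whose role in the authorization matrix actually covers this amount."""
    return [uid for uid, role in req.approvers.items()
            if AUTH_MATRIX.get(role, 0) >= req.amount]


def evaluate(req: WireRequest, home_country: str = "US") -> List[str]:
    """Return control findings; an empty list means the wire may be released."""
    findings: List[str] = []

    # Fake-executive pattern: instruction from a look-alike or external domain.
    if sender_domain(req.requester_email) != COMPANY_DOMAIN:
        findings.append(f"instruction sender domain '{sender_domain(req.requester_email)}' is not {COMPANY_DOMAIN}")

    # Dual authorization, counted only over people whose authority covers the amount.
    qualified = qualified_approvers(req)
    unqualified = sorted(set(req.approvers) - set(qualified))
    if unqualified:
        findings.append("approver(s) outside authority for this amount: " + ", ".join(unqualified))
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(qualified) < 2:
        findings.append(f"dual authorization not met: {len(qualified)} qualified approver(s)")

    # Fake-vendor pattern: pay only to bank details verified out of band.
    if req.vendor and req.vendor.bank_account not in req.vendor.verified_accounts:
        findings.append(f"bank account for vendor '{req.vendor.name}' not verified by call-back")

    # The Report's common elements: time-sensitive, confidential, foreign beneficiary.
    if req.urgent_and_confidential and req.beneficiary_country != home_country:
        findings.append("urgent/confidential foreign transfer: escalate to CFO before release")

    return findings


# Constructed sample requests mirroring the two scam types in the Report.
FAKE_EXECUTIVE = WireRequest(
    amount=2_400_000, beneficiary_country="HK",
    requester_email="ceo@example-c0rp.com",                   # look-alike domain
    approvers={"clerk1": "ap_clerk", "clerk2": "ap_clerk"},   # subordinates signing off
    urgent_and_confidential=True,
)
FAKE_VENDOR = WireRequest(
    amount=180_000, beneficiary_country="DE",
    requester_email="ap@example-corp.com",
    approvers={"u.controller": "controller", "u.cfo": "cfo"},
    vendor=Vendor("Acme Parts GmbH", bank_account="DE00NEW", verified_accounts={"DE00OLD"}),
)
LEGITIMATE = WireRequest(
    amount=180_000, beneficiary_country="DE",
    requester_email="ap@example-corp.com",
    approvers={"u.controller": "controller", "u.cfo": "cfo"},
    vendor=Vendor("Acme Parts GmbH", bank_account="DE00OLD", verified_accounts={"DE00OLD"}),
)

if __name__ == "__main__":
    for label, req in [("fake executive", FAKE_EXECUTIVE), ("fake vendor", FAKE_VENDOR), ("legitimate", LEGITIMATE)]:
        print(label, "->", evaluate(req) or ["cleared"])
```

The point of `qualified_approvers` is that a signature only counts when the signer's role covers the amount, which is exactly the gap the Report describes when an employee treated subordinates' sign-offs, or his own misread authority, as satisfying dual authorization. The vendor check likewise never trusts the bank details carried in the request itself, only those confirmed through a channel the company already had on file.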

The Report confirms that the SEC remains focused on cybersecurity matters and companies should continue to be vigilant against cyber threats. While the SEC stated that it was “not suggesting that every issuer that is the victim of a cyber-related scam is . . . in violation of the internal accounting controls requirements of the federal securities laws,” the Report also noted that “[h]aving internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets.”

_________________________________________________

Endnotes

1. Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Exchange Act Release No. 84429 (Oct. 16, 2018) (available here).

*Keith Higgins is chair of the securities and governance practice and Marvin Tagaban is an associate at Ropes & Gray LLP. This post is based on their Ropes & Gray memorandum.

The internal audit function | increasingly essential to ensuring sound governance and management integrity


Here is a summary of a Wall Street Journal article (Internal Audit Chiefs Gain in Clout, Compensation), written by Joann S. Lublin and reprinted in The Australian.

This article deals with the growing importance given to the internal auditor's role in checking internal control mechanisms, risk management (in particular the risk of cyberattacks), and governance and compliance processes.

The internal audit department has become almost indispensable in the vast majority of large companies, as the statistics on the subject show.

Thus, 83% of internal audit departments report to the board or to the board's audit committee, up from 76% three years ago!

One can certainly see that internal audit activities are the “eyes and ears of the audit committee”.

Heads of internal audit departments have also seen their pay rise by about 30% over the past ten years.

Boards of directors now attach great importance to the selection and compensation of the Chief Audit Executive (CAE).

Happy reading!

Chief audit executives gaining clout and higher pay

Top watchdogs inside many companies bark louder these days.

They are known as chief audit executives, or CAEs, and they assess the effectiveness of corporate controls, risk management and governance processes. As boards worry more about cyber attacks, regulatory compliance and personal liability, these executives are gaining clout and commanding higher pay.

CAEs are becoming more visible in part because directors are playing bigger roles in selecting, evaluating and rewarding internal audit chiefs. In North America, 83 per cent of those executives now report to their employer’s full board or audit committee, according to a report by the Institute of Internal Auditors. That’s up from 76 per cent in 2013.

Another sign of their rising influence: this year, for the first time, the proportion of audit leaders who report to their chief executive matched those overseen by the chief financial officer, the report found.

Solid support from audit committees and top company leaders often gives CAEs more freedom to raise red flags, experts said. It can also bring them sizeable pay cheques.

“Boards will pay a lot more for CAEs with superior risk-management and business acumen in their company’s industry,” said Richard Chambers, IIA president.

Recruiters agree. “Chief audit executives hired by large companies now command total pay packages approaching $US1 million — about 30 per cent more than a decade ago,” said Scott Simmons, a managing director at Crist Kolder Associates, which recruited nearly 15 current CAEs.

Sarbanes-Oxley, the sweeping corporate-reform law enacted in 2002, raised boards’ expectations for heads of internal audit, according to Charles Noski, chairman of the audit committee at Microsoft, Priceline Group and Avon Products.

“Internal audit really is the eyes and ears of the audit committee,” he said, adding that CAEs today “are stronger executives”.

Mr Noski makes sure that’s true of candidates who interview for the job. He said he seeks “a strong backbone”, plus effective boardroom presence and communications skills.

Effective oversight of the internal audit function | A reminder


Below you will find a reference document published by PwC in its Audit Committee Excellence series. This document, shared by Denis Lefort, CPA, CIA, CRMA, consultant in governance, audit and control, gives very complete answers to several questions that board members ask themselves about the role of the internal audit function in the organization.

1. Why is oversight of internal audit critical for audit committees?

2. What is the directors' role in optimizing internal audit activities?

3. How can internal audit be helped to define its mission better?

4. What are the reporting lines and resource needs of this activity?

5. What is the process for reviewing internal audit's results?

6. What should you do if your company has no internal audit function?

This document will therefore be very useful to any director wishing to deepen his or her understanding of the very important role an internal audit department can play.

Here is an introduction to the PwC report. Happy reading! Your comments are welcome.

Effective oversight of the internal audit function | PwC

The audit committee’s role is not getting any easier, but an audit committee has a lot of resources in its arsenal to help meet today’s high expectations. One of these tools is the internal audit function. Directors can, and should, focus on maximizing the value proposition of this group to ensure their own success.

A lot goes on in companies — and a lot can go wrong, even when you have good people and thoughtfully designed processes. That’s why so many audit committees look to internal audit as their eyes and ears — a way to check whether things are working as they should. Some companies staff the function internally, while others choose to outsource some or all of the role. Some do not have an internal audit function at all.


For many audit committees, overseeing internal audit isn’t just the right thing to do, it’s a requirement. At NYSE companies, audit committees have to oversee internal audit’s performance and periodically meet in private sessions. NASDAQ is currently considering whether to require its listed companies to have an internal audit function and what role audit committees should play.

Whether a required function or not, we believe it’s critical that audit committees focus on internal audit. Why? PwC’s 2014 State of the internal audit profession study found that about one-third of board members believe internal audit adds less than significant value to the company, and only 64% of directors believe internal audit is performing well at delivering expectations. Even Chief Audit Executives (CAEs) are critical of their functions’ performance, with just two-thirds saying it’s performing well.

The board is the guarantor of the company's integrity


Today I have selected an article published by Richard Leblanc* in the Magazine for Canadian Listed Companies (Listed) that deals with a highly topical subject in every sphere of organizational life: the value of integrity.

As the author puts it so well, companies tend to label certain employees as bad apples when they discover ethical lapses. It is true that some individuals are responsible for a number of problems relating to a lack of integrity and honesty, but employee behaviour depends largely on the company's culture, its current practices, its internal controls, and so on.

Richard Leblanc believes that failures of personal integrity are often the responsibility of a board of directors that does not exercise strong ethical leadership and does not display clear values in this regard.

This assertion implies that every member of a board of directors must show exemplary ethics: “tone at the top”. Members are in a position to assess this value within their board and within the organization.

It is the board's responsibility to ensure that strong values of integrity are conveyed throughout the organization, that management and employees know the codes of conduct well, and that adequate follow-up takes place in this regard.

Directors must ask the right questions to make sure the company's code of conduct is effectively communicated.

This lax control environment, where self-interest is pursued and where pressure is applied, is the heart of ethical failure.

I invite you to read this short article. Happy reading. Your comments are appreciated.

Integrity? The buck stops at the board

The value of integrity conveyed by the board

There is not an excuse I have not heard for ethical failure. But when I investigate a company after allegations of fraud, corruption or workplace wrongdoing, I almost always find a complacent, captured or entrenched board that did not take corrective action. In a few cases, boards actually encouraged the wrongdoing.

The first myth is that the board is a “good” board. There is no relationship between the profile of directors and whether the board is “good.” Often times, there is an inverse relationship, as trophy or legacy directors typically lack industry and risk expertise, are not really independent, are coasting and not prepared to put in the work, or they themselves may not possess integrity.

How important is integrity? Extremely. Three factors make for a good director or manager: competence, commitment and integrity, with integrity ranking first. Otherwise, you have the first two working against you.

Integrity needs to be defined, recruited for, and enforced. “Does your colleague possess integrity?” “Yes” is an answer to this perfunctory question. Full marks. But when I define integrity to include avoiding conflicts of interest, consistency between what is said and done, ethical conduct and trustworthiness—and guarantee anonymity—I get a spread of performance scores. Those who do not possess integrity in the eyes of their colleagues are poison and should be extracted from any board or a senior management team. It is a recruitment failure to elect or hire them in the first place.

When fraud, toxic workplaces, bullying, harassment and pressure do occur, the bad news needs to rise. Boards need to ensure that protected, anonymous reporting channels exist and are used—including for a director or executive to speak up in confidence, and for an independent consequential investigation to occur. If a whistleblowing program has any manager as the point of contact, it is not effective.

Frequently, I find ethical design and implementation failure are the culprits, with codes of conduct, conflict of interest policies, whistleblowing procedures, culture and workplace audits, and education and communication being perfunctory at best, overridden by management at worst, and not taken seriously by employees or key suppliers, with minimal assurance and oversight by the board.

After ethical failure happens, executives argue that it is a lone rogue employee or an isolated incident. Nothing could be further from the truth. It is an employee who reflects the true and actual culture, internal control environment and practices of the organization, and who is attracted to and flourishes within them. There is no such thing as a rogue employee. It is a board that approved the conditions that management proposed within which employees operate.

This lax control environment, where self-interest is pursued and where pressure is applied, is the heart of ethical failure.

Nowhere is there a more shocking lack of internal controls over employee and agent behaviour than in some corrupt jurisdictions where Western firms do business. Not only is the potential for fraud rampant, but the costs of compliance wind up being borne by companies that do not bribe and have proper controls. They are penalized for doing things right, and forced to compete on an unequal playing field.

This is why Western governments are seeking to put their countries and companies in the most competitive position possible. They are enforcing anti-corruption laws using long arms of justice to prosecute bribery. They are also debarring companies from government contracts who commit ethical breaches. This debarment is a powerful motivator to spur investment to internalize the costs of internal controls over integrity.

Western industry will mistakenly argue that integrity laws will disadvantage them or cost their industry jobs, but the reality is the opposite. Tough integrity laws will prevent substandard competitors from offering bribes, will reduce recipients’ incentive to receive bribes, and will strengthen Western companies that compete on the basis of price, quality and service.

__________________________________

*Richard Leblanc is an associate professor, governance, law & ethics, at York University’s Faculty of Liberal Arts and Professional Studies and a member of the Ontario Bar. E-mail: rleblanc@yorku.ca.

The role of internal audit in understanding organisational culture


Below you will find a document from the Institute of Internal Auditors (IIA) of the United Kingdom (UK), shared by Denis Lefort, consultant in governance, internal audit and control, on the role of internal audit with regard to organisational culture.

Auditing organisational culture can prove complex, yet it can nevertheless add a great deal of value. This IIA UK guide will give you interesting and useful insight in this regard.

The IIA document is very interesting because it clearly sets out the problem of internal audit intervening in this area, while illustrating the actions to take with several concrete examples of intervention.

Happy reading!

Culture and the role of internal audit

Looking below the surface

The approach taken by the IIA report on culture is reflected in the new (September 2014) FRC Corporate Governance Code, which says “One of the key roles for the board includes establishing the culture, values and ethics of the company. It is important that the board sets the correct ‘tone from the top’.”

The accompanying FRC guidance on risk management – exercising responsibilities says “The board should establish the tone for risk management and internal control and put in place appropriate systems to enable it to meet its responsibilities effectively.”

“In deciding what arrangements are appropriate the board should consider, amongst other things:

  1. The culture it wishes to embed in the company, and whether this has been achieved.
  2. What assurance the board requires, and how this is to be obtained.”

How should internal audit support boards in giving assurance on culture?

Foreword

Public trust in business has ebbed and flowed over recent years but a significant minority (circa 40%) of those questioned by Ipsos MORI believe companies are ‘not very’ or ‘not at all’ ethical in the way they behave. Responsibility and ownership for addressing this lies with those who sit in the boardroom. This is supported by regulators in the way that they now monitor and review the culture of organisations.

Internal audit is a unique function within an organisation with its independence and access to give assurance to those in the boardroom. This can provide confidence that there is a strong commitment to good conduct and that it is actually being translated into everyday behaviours, but also, more importantly, where it is not. To have this information allows the board an opportunity to mitigate the risk of integrity failure.

Leaders need to send a message and show by example that culture and values matter, demonstrating this by putting in place all the necessary measures. I believe this report will support boards and audit committees to help rebuild public trust by making the best use of internal audit as they develop their thinking around how to improve ethical conduct for the benefit of customers, employees, all other stakeholders and for business itself.

Philippa Foster Back CBE
Director
Institute of Business Ethics


Audit committees – Internal investigations: Ten ways to prepare


Here is another excellent document produced by Deloitte that focuses on the role of audit committees with regard to internal investigations. It briefly presents ten ways to prepare for internal investigations.

Audit Committee Brief - Deloitte

“Diligent preparation can help a company investigate allegations of wrongdoing quickly and effectively. Audit committee members are often responsible for overseeing internal investigations into serious allegations of wrongdoing involving financial matters or senior management. The following ten points can be useful in establishing an effective action plan before the unexpected happens.”
