4. Governance impacts

This section covers the effects, risks, opportunities, governance, strategies, actions, and results of Deloitte's identified material governance impacts (refer to page 132 for a summary of our material impacts). The ultimate responsibility for the topics in this section of the report rests with our Chief Quality Officer.

4.1 Quality of services

­

Impacts, risks and opportunities

High quality audit and advisory services are imperative to our license to operate. Without high levels of quality, we would be unable to make an impact on our clients and society. To this end, Quality of services is an important focus area in our ‘Strong Roots Reach Far’ strategy.

Providing social trust by delivering high quality services is crucial for the functioning of reliable economic and social ecosystems, such as financial markets. Hence, our quality ambitions are closely linked to SDG16 (Peace, justice and strong institutions) and are part and parcel of our ‘Strong Roots Reach Far’ strategy. Failure to deliver high quality services to our clients can lead to major economic damage and fines and ultimately, to a loss of social trust in our firm.

We believe the path to undisputed leadership in quality is through high consistent quality of our service delivery, our people and of our unique and integrated transformation solutions. The only way to create this is through differentiation. Differentiating on quality goes beyond technical quality and asks for unique propositions delivered in Deloitte’s own unmatched multidisciplinary model. Through our client work we want to have a tangible impact on the key societal challenges in the Netherlands and beyond. The societal challenges are translated in the ‘Future of’ themes. We build multidisciplinary products and services around the ‘Future of’ themes through which we are able to bring our combined knowledge to the market and make impact. Through our ‘trade corridors’ we aspire to have an impact beyond the Netherlands, as a leading firm within the Deloitte network and as transformation partner in the global business eco-system.

To be leading in quality also presents an opportunity. By being known for high quality services, we are able to generate more business and become a preferred supplier of professional services to our clients. This is also instrumental for maintaining and protecting our Deloitte Brand.

Governance

Our ambition to be the undisputed leader in professional services goes beyond mere volume of our business and includes to be leading in audit and advisory quality, the impact we make, and the position we have in the minds of our clients, stakeholders and people.

We have an overarching system of quality control which incorporates the international quality management standard ISQM1. In addition, we have established a differentiated model around our central commitment to quality that has enabled our success. To achieve our business aspiration to become the undisputed leader and really differentiate on quality, we have initiatives across the different elements of our quality model. Progress on these initiatives is being measured based on a set of (strategic) KPIs.

The importance we place in quality is reflected in our governance, for example in having a Chief Quality & Risk Officer at Executive Board level and a Supervisory Board Quality, Integrity and Risk Committee which seats all supervisory board members. At business level, each business has quality departments which oversee and manage quality, and which operate within global policy frameworks and on the backdrop of quality monitoring and measurement practices and plan-do-check-act cycles. These include Engagement Quality Control and Practice Review procedures.

Policies

Deloitte’s broad and deep advisory expertise in increasing the relevance of our audits, for example in ESG, cyber, fraud, continuity, non-financial information, analytics and artificial intelligence. The developments around ESG bring many challenges to our clients, both in audit and our advisory business. New legislation has brought more external reporting requirements for many companies, and audit requirements on non-financial information are increasing. We are constantly expanding our capabilities to help our clients comply with new regulatory requirements.

For our Advisory Businesses, our Multi Disciplinary Model (MDM) is and remains the preferred strategy for serving clients, bringing together breadth of capabilities aimed at increasing collaboration across all businesses to provide unique propositions across our designated growth platforms. It is a top priority to deliver the quality that both clients and society expect from us in these large and complex end-to-end transformation engagements. In order to guarantee the quality on these complex transformation engagements we have an active monitoring programme in place where periodic in-flight reviews are performed during engagement performance and additional risk mitigation is taken if needed. Additional monitoring of high-risk engagements ensures that the proper measures are taken to ensure these engagements deliver the quality that is expected. Besides that, we closely measure and monitor the client satisfaction scores.

It all comes down to Strong Roots that Reach Far, our call to action and an essential part of the success of our Deloitte strategy. This is more than connecting with clients, partners or suppliers. It also means the connection between our people. And to do so beyond boarders, across geographies and member firms.

At many of our large clients, we provided services from more than one business line. To further improve our collaboration, we continue to move towards an allocation system that stimulates collaboration between service lines, further strengthen training of our Lead Client Service Partners and their account teams, and increase collaboration between service lines through our MDM platforms.

To strengthen partner career management and development, we continued our Partner Life Cycle programme. This programme targets career stages and role/succession development and is catered to fit personal needs. We provide necessary and optional learnings, conversations and guidance to grow into, and successfully transition to different partner roles.

To consistently deliver high-quality services to our clients, we maintain a common engagement approach, as visualised below. For a more detailed description of policies related to Audit Quality, please refer to our Transparency Report .

Our engagement approach

Activities in 2023/2024

In addition to the broad range of quality initiatives we further enhanced our system of quality controls with additional quality enhancing activities, for example with the modernisation of our common storefront, monitoring of high-risk engagements and causal factor analyses.

Adoption of our common storefront

In March 2024, the adoption and simplification our global common storefront was announced, with the objective to serve our clients better through a better alignment of our business model and capabilities. This will help us to enable integration across NSE and leverage our global scale to invest together.

High-risk engagement monitoring

With the increasing size and complexity of our engagements we enhanced our monitoring activities for those engagements that expose us to the highest risks. In addition to solid engagement acceptance procedures, we periodically perform independent reviews on these engagements. Through periodic reporting our Executive Board is informed on a quarterly basis on the development of these engagements.

Causal Factor Analyses

A range of lessons learned activities were centralised and formalised in our Causal Factor Analyses for our Advisory businesses. This proven concept was adopted from our Audit business where successful and less successful engagements will be thoroughly analysed in order to capture lessons learned, further enhancing the quality of our processes.

Results

Progress on our initiatives is being measured based on a set of (strategic) KPIs (see also page 2). These are Regulatory reviews, Client satisfaction and Net promotor score. 

Table 20: Satisfactory regulatory reviews as a percentage of all regulatory reviews issued and communicated in the reporting year

Table 21: Client satisfaction score

Client satisfaction score is based on post-engagement questionnaires that are sent out on discretion of the engagement manager or partner in 30% of engagements (also see Basis of reporting).

Table 22: Net promotor score as measured by Client Service Assessments

Detailed analyses of the reported decline in our NPS score shows that our actual promotors - especially among our strategic clients - is significantly higher (74). The overall decline is partially caused by the way we calculate our NPS; we will re-assess our NPS process to improve the robustness of this indicator going forward.

Following changes in our measurements as compared to previous years, we will set new targets once we have sufficient data. We expect to do so in 2024/2025.

Public policy

Deloitte NL has a centrally coordinated public policy programme in place that supports our organisation in the execution of our strategy and protecting, preserving, and enhancing the Deloitte brand and reputation. With our Public Policy programme, we aim to influence policy developments that could affect our business. Additionally the Public Policy team participates in policy discussions focused on some of today’s most important socio-economic challenges, helping to inform the policy debate and bring clarity to the interconnected challenges facing the world.

We have comprehensive relationship management plans in place for key stakeholders such as NBA,  and Members of Parliament and Cabinet. Last year, the Public Policy team focused on engaging with political stakeholders on key themes such as work, financial health, digital and sustainability. Our key policy focus areas include reporting of Environmental, Social and Governance (ESG) information , underscoring diversity equity and inclusion, measuring social progress, and informing the future of regulation in an era of exponential technological advancement, including artificial intelligence. In response to the shifting political landscape in the Netherlands, the Public Policy team has been adapting the engagement strategy, aiming to organise round tables and meetings that foster dialogue with members of the Dutch parliament (Tweede Kamer) and other key stakeholders. Through these initiatives, we are committed to building (new) relationships. By sharing our knowledge, insights and vision on current and societal issues, we want to take our responsibility and contribute to a strong and sustainable economic future.

We also continued our active stakeholder engagement in relation to Tax and Audit, strengthening relationships with members of parliament. In addition, we maintained an open dialogue on the future of the audit with Kwartiermakers, NBA and regulators. Besides maintaining strong relationships with our key stakeholders, we play an active role in the working groups from the NBA.

4.2 Ethics and integrity

Impacts, risks and opportunities

Ethics and integrity are deeply embedded in Deloitte’s culture. Our ethics programme works to build trust in our professions and among our professionals, strengthen our reputation and relationships with stakeholders, minimise ethical risk, and help all of our people make the best professional choices. Outcomes and the ethics case trends invite us to a) refocus our target audiences and offer specific support where needed; b) dive deeper into an observed contradiction between increasing general awareness but decreasing ‘I know where to report’; c) To re-state equal ethical standards and the importance of interpersonal communication. We are currently updating our ethics action plan.​

Key findings of our most recent ethics survey are:

• Whilst the survey shows a better understanding of our ethics processes and policies, it also shows a decrease in awareness about where to report, in combination with scepticism about whether everyone is held to the same ethical standards;

• The belief a report is acted upon and addressed is high and improving for NL, and reporters indicate less experience of retaliation; ​

• Our partners' responsibility to lead by example in ethical conduct demonstrates a top-down commitment to our core values. We must continue to encourage and enable our partners to ongoingly and visibly embody and communicate ethical leadership to reinforce the culture and importance of ethical behaviour.

The upward trend in the number of ethics reports continues. We attribute this to the growth and diversification of our organisation, as well as increased societal and media focus on ethical behaviour within the Netherlands. Additionally, the evolving composition of our workforce, especially with the inclusion of Generation Z—known for their candour and assertiveness—adds a layer of complexity to case management.

Deloitte Shared Values

Governance

As of February 1, 2024, we have appointed a new Ethics Leader who succeeded the former leader, who had held the role for nearly five years. The Ethics Leader, together with the ethics team, engages leadership, addresses and resolves ethics reports, consults on complex issues, and communicates the importance of integrity and the reliability of reporting channels to strengthen the “speak-up” culture

Besides the Ethics Leader, the Ethics team consists of a Deputy Ethics Officer, three ethics team members and four confidential counsellors (two internal and two external). Furthermore, in the area of incident management, an independent investigator is available upon request to support the Ethics Leader and Deputy Ethics Officer. The Ethics Leader is directly supported by the Deputy Ethics Officer, who also assists the NSE Ethics Leader in delivering a consistent ethics strategy within NSE. The confidential counsellors are tasked with 1) being the first point of contact for reporters, 2) providing guidance during the investigation process and aftercare, and 3) having a duty of confidentiality in accordance with to the law.

Employees, suppliers, business relations, and other parties can also file a report - if they wish anonymously - using Deloitte Speak Up, our 24/7 system that is run by an independent party.

Thirteen ethics ambassadors (partners and directors) in our businesses help to broaden the scope of the ethics programme, acting as linking pin between the business and the ethics team, and promoting our core values at a business level. On a quarterly basis, the NL Ethics Leader reports on ethics issues, trends and the progress of the ethics programme to the Executive Board and Supervisory Board.

Policies

Our NSE Code of Conduct embodies our DTTL Shared Values and Global Principles of Business Conduct, which are paramount to our reputation and continued success. These principles are ingrained in our operations, influencing how we serve clients, manage our businesses, collaborate as teams, and impact society at large. The Code of Conduct references all pertinent ethics policies, including the Anti-Discrimination and Anti-Harassment Policy, which provides policy and guidance on addressing discrimination and harassment.

Additionally, the Familial and Personal Relationships Policy is highlighted to ensure transparency. It mandates the disclosure of personal relationships with other individuals associated with Deloitte to prevent conflicts of interest that could affect confidentiality, morale, or our culture of inclusiveness.

References are also made to the Anti-Bribery & Corruption Policy, underscoring our firm stance against all forms of corruption. It explicitly states that it is unacceptable for any Deloitte personnel to engage in acts of bribery, including soliciting, accepting, offering, promising, or paying bribes.

Lastly, our commitment to a non-retaliatory environment is reinforced through the Non-Retaliation Policy, which emphasises the organisation's dedication to protecting individuals who report unethical behaviour from retaliation.

Activities in 2023/2024

In December 2023, the Ethics Risk Assessment for the Netherlands was conducted as an integral part of the North South Europe (NSE) Risk Assessment. This process involved collaborative discussions with Business Risk Leaders, the Ethics Leader, and the Risk and Reputation Leader. The resulting risk profile for the Netherlands was identified as 'medium risk' overall. Specifically, four risk scenarios were categorised as 'low to medium' risk, and six as 'medium' risk. Of particular note, the potential for our 'ethical compass' to be influenced by regulatory scrutiny and media coverage – following incidents either within the professional community or our own organisation – was classified as 'high risk' within our ethics framework. Continuous attention is being devoted to implementing and maintaining sufficient mitigating measures to pre-empt ethical risks

In March 2024, we launched two mandatory ethics e-learning courses, designed to be accessible for all partners and professionals. The 'Course-taking Integrity' e-learning provides a concise ten-minute guide that encourages everyone at Deloitte to reflect on the ethical behaviours expected in our learning environment. This serves as an excellent starting point for discussions about integrity, extending beyond course-taking to broader team behaviours.

The 'Ethics Biennial Refresher' e-learning is divided in two 30-minute modules focusing on 'Being an Active Bystander' and 'Advocating Respect and Fair Treatment.' This e-learning serves as a key reminder of the behaviours expected at Deloitte, and offers guidance on how to handle ethical dilemmas and where to seek support. All Deloitte partners and employees are expected to follow these mandatory courses.

Additionally, in September 2023, we launched the highly interactive monthly ethics onboarding programme with in-person education for all newly joining partners and professionals across all businesses. Our ethics ambassadors are instrumental in facilitating these sessions, which are designed to build ethical awareness, deepen understanding of Deloitte’s Shared Values and Global Principles of Business Conduct, and emphasise the importance of recognising ethical dilemmas and taking appropriate action.

Finally, in 2023/2024, our Ethics team supported the investigation into our internal learning culture and the remedial actions taken in this context (see pages 7 and 168 of this Integrated Annual Report). 

Results

Table 23: Incidents: number of reported occurrence

In 2023/2024, no incidents of corruption were reported through our internal reporting systems. In parallel, no legal cases were brought forward implicating Deloitte in any (alleged) incident of corruption.

Going forward

As part of our ethics operational plan we have defined several focus areas to describe our vision for Deloitte NL as collaborative ethical organisation. They include:

• Promoting a speak up culture by creating awareness for our ethics team and ethics process by periodically planned awareness training and communication;

• Enabling leaders to setting strong tone at the top, and;

• Providing effective, timely, and independent case management.

Anti-Corruption has always been part of Deloitte’s ethical principles. We are against corruption in all its forms and we are committed to staying compliant with all relevant laws and regulations, both in spirit and intent. This aligns with Deloitte’s values, purpose and public interest commitment. 

At Deloitte, we recognise the profound impact of corruption on global commerce, economic stability and trust in financial systems. Upholding the principles of honesty, transparency and accountability, we stand unwavering in our commitment to anti-corruption in all its forms.

Our fully implemented and comprehensive Anti-Corruption Framework consists of seven different elements that mitigate the risk of corruption within Deloitte and supports our employees and partners with guidelines to report corruption if needed. These elements include:

• Governance;

• Policies, procedures and guidelines;

• Training & communication;

• Risk assessment, testing & monitoring;

• Third party due diligence,

• Consultation and incident response and

• Investigations, for which we have the ethics reporting channels in place.

It is evident that we ensure rigorous compliance with both local and international regulations, including the Foreign Practices Act (FCPA) and the UK Bribery Act. We have also woven anti-corruption measures into the very fabric of our operations, from client onboarding to ongoing project execution.

The Anti-Corruption programme strategy and objectives are determined by our Anti-Corruption Committee and the progress of our operational plan is regularly discussed within this committee. Together with our Reputation & Risk Leader, the Committee is responsible for actively overseeing the Anti-Corruption programme.

In 2023/2024, we have further enhanced the collaboration within the three financial crime pillars being anti-corruption, anti money laundering and trade controls.

Every two years, a mandatory Financial Crime e-learning is launched to remind our partners and employees of expectations related to anti-corruption and financial crime (including anti-competition) compliance, how to identify potential corruption and financial crime risks, and how to address these risks. Per the end of 2023/2024, the completion rate of our anti-corruption training was more than 95%. Compliance by Supervisory Board, Executive Board and Executive Committee members with the training requirement amounted to 100%.

Going forward, we will continue to maintain and align within the three Financial Crime pillars to enhance full compliance with all regulatory and other requirements.

4.3 Data security

Companies gather a considerable amount of data. Making sure that data is safe, is an onerous task. We use the data from our clients to deliver our services and support them in more inclusive and responsive decision-making. Our clients will only trust us with their data if they are convinced that their data is secure with us. The prevention of data breaches is therefore a top priority as data breach can harm our clients and our reputation as a trusted business partner and can lead to significant monetary fines and loss of revenues.

Apart from being a risk, data security is also an opportunity for us. We help our clients with their digital transformations and have developed services to identify and manage their data, infrastructure and cyber risks, and keep their systems free from unwanted interference.

Our Risk & Reputation Leadership Office (RRL) is committed to maintain the quality of governing policies and procedures, with the credo “Protecting the Brand” in any possible way. The RRL Office has several areas of expertise and focusses mainly on risk management and compliance. Every are of expertise is responsible for maintaining, coordinating and communicating their policies, such as. Engagement Opportunity Screening, Ethics, General Data Protection Regulation (GDPR), ISO standards, the cybersecurity compliance framework SOC2, and the EU Artificial Intelligence Act compliance.

These policies, frameworks & principles are applicable to all Deloitte colleagues and the services that we offer to our clients.

The RRL Confidentiality, Privacy & Security Office is charged with compliance with the principles and regulations regarding  Data and Privacy. This office operates under the reponsibility of our Reputation & Risk Leader.

In order to safeguard and address Deloitte’s privacy compliance, strategy and governance, several policies are in place and maintained, such as our privacy policy, which is maintained by Deloitte’s Internal Privacy Office that  operates on behalf of our RRL Office.

The Privacy Office is – among other responsibilities – tasked with examining privacy aspects of processes and systems through our internal Data Privacy Impact Assessment (DPIA). In addition, Deloitte has appointed Privacy and Cyber Champions both within our business and in our Support Organisation. These champions are trained to be the first line of defence in the organisation concerning privacy and confidentiality aspects that arise within the business. By making use of Privacy and Cyber Champions, Deloitte creates privacy and security awareness within the organisation. Having the Privacy and Cyber Champions as the first line, the Privacy Office as the second line, the Data Protection Officer as the third line of defence, and a robust internal audit Member Firm Standard programme in place, enables Deloitte to operate in a privacy and GDPR compliant manner. Lastly, Deloitte organises a quarterly “Privacy committee” in which multiple key topics regarding privacy and confidentiality are discussed at a high level. Examples are the privacy strategy, trends and other possible attention points.

New Global tools and vendors go through an extensive Data Risk Assessment Service (DRAS) to provide NSE privacy and confidentiality subject matter experts (SMEs) all the information needed for their approval or rejection. Local software tools and vendors are assessed through the Global Technology Operating Model (GTOM) process, meaning all relevant SMEs will review the application in one meeting from a privacy, security and IT perspective. This way Deloitte only cooperates with vendors that ensure the same level of data protection and confidentiality as Deloitte.

New assets that Deloitte develops for clients are subject to the Certify to Sell process which also includes privacy, confidentiality and security assessments. Moreover, to ensure employees operate in a privacy and confidentiality minded manner, privacy and security awareness is at the top of Deloitte’s training agenda. This is reflected in the “Secure the Future” privacy & security training that all employees must complete.

Deloitte Group Support Center is ISO: IEC 27001:2013 (Information security) certified. Conformity with this standard means that we have put an information security management system (ISMS) in place to manage risks related to the security of data owned or handled by Deloitte, and that this system respects all the best practices and principles enshrined in this International Standard.

Deloitte follows a well-defined data breach procedure in order to adequately address any data breach.

In 2022, we became ISO: IEC 22301 certified (Security & resilience). This is the international standard for Business Continuity Management (BCM). This framework helps us to prevent, prepare for, react and recover from disruptive incidents.

Activities in 2023/2024

As an emerging technology trend, the world has noticed the potential of Generative Artificial Intelligence (GenAI) such as OpenAI's ChatGPT, This global development will have impact on our way of working and service delivery. Throughout the reporting year, the RRL Confidentiality Privacy & Security office contributed to Deloitte’s trustworthy AI framework as our AI initiatives require adherence to the EU AI Act. The principles described in the EU AI Act are woven into our Trustworthy AI framework.

With a continuous development & improvement mindset, the RRL Confidentiality, Privacy & Security Office maintains the privacy policy, Record of Processing Activities (RoPA), and increases the robustness on the Privacy Champions Framework and Data Protection.

We are maintaining the ISO: IEC 27001:2013 & ISO: IEC 22301 controls and are currently preparing for the upcoming NIS2 (Incident reporting), DORA (Digital operational resilience) directives.

We continue to investigate other emerging technologies like Quantum Encryption to determine how these technologies will impact our data security and are looking into the maturity of post-quantum encryption algorithms.

Results

Despite our efforts, in 2023/2024, 76 incidents were internally reported of which 28 concerned personal data incidents. We received no complaints regarding breaches of client privacy or loss of customer data. In one instance, we notified personal data breaches to the supervisory authority in conformity with the legal requirements of the ‘Wet meldplicht datalekken’ (Law on mandatory reporting of data leaks).