- The following discussion is closed. Please do not modify it. Subsequent comments should be made in a new section. A summary of the conclusions reached follows.
- This conversation precedes the final agreement of the document. Please begin new sections for future conversations. Thank you. --Maggie Dennis (WMF) (talk) 18:56, 27 June 2012 (UTC)
After a quick read (and before having received any comment from a lawyer), I see a problem with the way the audits are described:
- WMF may, in its discretion, audit (or have its auditors audit) the financial and fundraising operations of the Chapter upon reasonable notice to the Chapter, but no more than once a year, unless there is a reasonable suspicion of misappropriation of donations or improper disclosure of donor information (in which case there is no limitation on the number of audits).
Performing such an audit would mean giving access to accounting data to the WMF or its auditors, something that is likely not compatible with data protection laws. Such an audit should probably be done by an independent Swiss auditor (in the case of Wikimedia CH), under terms that would have to be discussed -- but basically, the auditor would get the fundraiser agreement and other documents, it would work with WM CH to perform the audit, and then provide a short summary indicating any potential problem (if any). This would provide the control that is requested by the WMF, while safeguarding privacy. (again, to be discussed when we have comments from our lawyer). Schutz (talk) 11:23, 22 May 2012 (UTC)
- This would still mean giving access to private data to entities that are not subject to (in our case Swiss) data protection law, or laws that offer an equivalent protection (e.g. EU). Making sure that the auditors are actually subject to the relevant law would make the problem disappear. Or is there any reason why it should be the WMF itself or a non-local company which should actually perform the audit? Schutz (talk) 18:42, 23 May 2012 (UTC)
- If WMF were to do this type of audit, no access to identifiable personal or employment data is required to perform this type of audit. It is my understanding that as long as personal or employment data is not involved or identifiable, then access to accounting data is permitted and not covered by the "Swiss Data Protection Act". If we request KPMG, our audit firm, to conduct the audit they are listed as an independent Swiss auditor and conduct independent audits of non profit organizations in Switzerland. --Gbyrd (talk) 21:51, 23 May 2012 (UTC)
- Then I must admit I am not exactly sure about what "this type of audit" means. If the goal is to look at control and procedures, then I can understand that there would be little need to access private data. But as soon as you need to look at any financial information, we may have a problem: all donor information actually comes printed on our bank statements [or in the relevant electronic files], for example. So maybe I need a bit more detail (although, it goes without saying, but it should probably be specified, that the audit applies only to operations related to the fundraiser and use of money as distributed by the FDC, and not to the whole operation of the chapter).
- It's indeed convenient if your auditor has a branch in Switzerland, as this would solve many issues. Is there anything that prevents this from being specified in the agreement? Schutz (talk) 06:18, 25 May 2012 (UTC)
- We use UHY, a major accountancy firm registered under all the UK and European laws imaginable. Surely this evidence should satisfy? Jon Davies WMUK (talk) 15:11, 30 May 2012 (UTC)
- Note that the 'UHY' that Jon refers to is UHY Hacker Young. Mike Peel (talk) 16:38, 31 May 2012 (UTC)
- I have edited the agreement to make it clear that the audit will either be conducted in a manner that does not disclose personal information of donors or will be done in compliance with applicable EU privacy regulations. Kkay (talk) 11:46, 4 June 2012 (UTC)
- Since your auditor is one of the big firms which has a local branch about everywhere, would it be possible to specify that the entity performing the audit must be subject to Swiss privacy laws (or EU)? That would mean that no data would ever leave its current legal framework, and it would make everything much easier (that the audit is done in compliance with applicable EU privacy regulations is a good step, but if some data is stored outside of CH/EU following the audit, the legal protections would disappear). Since Geoff indicated above that you would indeed use an auditor that has a Swiss branch, that should not be a problem. Schutz (talk) 13:27, 13 June 2012 (UTC)
Also, I realize that the audit is for "financial and fundraising operations of the chapter". I guess this was not intended to be this wide, as it should only cover the money raised through WMF sites (and not money raised from other sources). Could it be modified accordingly? Schutz (talk) 13:27, 13 June 2012 (UTC)
- The above discussion is preserved as an archive. Please do not modify it. Subsequent comments should be made in a new section.