Brock Phillips, CPA, CFE, CCEP, Forensic Accounting Sr. Manager, Financial Integrity Unit, Microsoft Audit Group

Lou DeCola, CPA, CIA, CFE, Forensic Accounting Sr. Manager, Financial Integrity Unit, Microsoft Audit Group


Post on 07-Feb-2018


[Organization chart; box labels in extraction order: CEO; CFO; Chief Legal Officer; Office of Legal Compliance; Chief Audit Executive; Internal Audit (IA); Enterprise Risk Mgmt (ERM); Financial Integrity Unit (FIU); Audit Committee; Chief Operating Officer; Controls & Compliance; VP of Finance; CIO; Controls & Compliance; VP of Finance & Admin; Financial Compliance Group; Business Group Presidents (three boxes); Controls & Compliance and VP of Finance (three pairs)]

Technology Enabled Continuous Assurance

Microsoft Confidential

Investigative function within Internal Audit – Formed 9/02

14 Employees

12 Different Languages

Professionally trained and experienced fraud investigators and Certified Fraud Examiners

10 CFEs

2 CPAs

1 JD

Detect, Investigate, and Prevent fraud

250 Years Professional Experience

More than 70 Years of Microsoft Experience

Provide thorough and timely results for management, business, and employment decisions

Drive continuous improvement in policies, internal controls, revenue protection, and accountability

Reports to Internal Audit, strong dotted line to Office of Legal Compliance

Worldwide Charter

Offices in: Redmond, Singapore, Beijing, Delhi, Moscow, Prague

Concerns Raised

• External Parties

• Fellow Employees/Managers

• Proactive Analysis

Office of Legal Compliance determines if investigation is warranted. Assigns matter to FIU or other investigative group.

FIU/OLC Prepares Investigative Plan

• FIU/OLC identifies issues to be investigated

• FIU/OLC identifies relevant policies, procedures, and documents

• FIU/OLC identifies potential interviewees

• OLC approves investigative plan

• OLC sends notification to management, HR, and LCA

Investigation

• FIU preserves, analyzes, and collects documents

• FIU interviews employees

• FIU prepares summary of investigation

• OLC provides report of investigation

• OLC closes investigation process

Disciplinary Decisions

• OLC communicates report of investigation to management, HR, finance, and legal advisors

• Managers review findings, meet with employee, HR, and LCA

• Manager makes disciplinary proposal to OLC

• OLC reviews disciplinary proposal

• Manager communicates decision to relevant parties

Letter from Steven A. Ballmer, Chief Executive Officer

Dear Fellow Employee:

Microsoft aspires to be a great company, and our success depends on you. It depends on people who innovate and are committed to growing our business responsibly. People who dedicate themselves to really satisfying customers, helping partners, and improving the communities in which we do business. People who are accountable for achieving big, bold goals with unwavering integrity. People who are leaders, who appreciate that to be truly great, we must continually strive to do better ourselves and help others improve.

We must expect the best from ourselves because who we are as a company and as individuals is as important as our ability to deliver the best products and services. How we manage our business internally—and how we think about and work with customers, partners, governments, vendors, and communities—impacts our productivity and success. It's not enough to just do the right things; we have to do them in the right way.

The Standards of Business Conduct are an extension of Microsoft’s values and the foundation for our business tenets. They reflect our collective commitment to ethical business practices and regulatory compliance, and they provide information about Microsoft's Business Conduct and Compliance Program. At a high level, they summarize, and are supported by, the principles and policies that govern our global businesses in several important areas: legal and regulatory compliance; trust and respect of consumers, partners, and shareholders; asset protection and stewardship; creation of a cooperative and productive work environment; and commitment to the global community.

These Standards of Business Conduct provide information, education, and resources to help you make good, informed business decisions and to act on them with integrity. In addition, managers should use this resource to foster, manage, and reward a culture of accountability and integrity within their groups. Working together, we can continuously enhance our culture in ways that benefit customers and partners, and that strengthen our interactions with one another. Then we can truly achieve our mission of enabling people and businesses throughout the world to realize their full potential.

All Microsoft employees are responsible for understanding and complying with the Standards of Business Conduct, applicable government regulations, and Microsoft's policies. As Microsoft employees, you also have a responsibility to raise compliance and ethics concerns through our established channels. This is the way to ensure that Microsoft is and continues to be a great company of great people.

Steven A. Ballmer
Chief Executive Officer

Technology Enabled Continuous Assurance (TECA)


Dedicated team of professionals with SQL and database expertise

Methodology which leverages technology, data analysis, and statistical evaluation techniques

Proactively tests control activities for an entire population of transaction data or across different data sets

Proactive detection of exceptions

Transition to the business

The TECA program is creating tools in two ways:

• Querying in-house tools

• Creating new querying tools by linking different data sets in innovative and proactive ways

TECA Team Role

• Maintain TECA environment (data, access, working with IT for backups, etc.) and develop queries

• Train auditors in use of in-house and developed tools

• Proactively provide TECA reports for complex or new query requests to auditors

For Microsoft

• Effective and efficient controls

• Targeted Reviews—T&E auditing, conflicts of interest, corruption, etc.

For Internal Audit

• Improved audit skill set

• Greater risk coverage—doing more with the same

• More accurate and efficient testing

For Financial Integrity Unit

• Identifying fraud

• Substantiating fraud

Policy --> Collect Data --> Queries --> Analysis --> Action

Policy

• Expensing of AMEX late fee/delinquency charges is prohibited

Collect Data

• Obtained details of AMEX late fee/delinquency charges

Queries

• Compared data from internal expense reporting tools, AMEX data feeds, and HR data tables

Analyze

• Identified certain potentially fraudulent transactions from “higher than expected” levels within the Company

Action

• Discussions with Legal, HR, and the Business

• Potential policy changes


Some interesting descriptions for late fees . . .


All cases of fraud should be taken seriously, even though the overall amount is immaterial

Tone from the top --> can have a pervasive effect

Case-based development of internal tools

Enhancements of future TECA queries

Violation of Company policy

Training for managers—first line of defense

The Potato Chip Theory of Fraud


Financial Reporting

Revenue and Accounts Receivable

Anti-Corruption Program—DEMO

Travel and Entertainment

Procurement

Accounts Payable

Tax

Payroll

Human Resources

Logical Access

System Change Management

Fraud Detection


Risks

• Unusual or inappropriate journal entries are being posted to the general ledger

Tests

• Unusual entries, influenced posters and reviewers, inappropriate reviewers, Benford analysis, billion dollar entries, round dollar entries, poster/reviewer relationship, posted by executives

Data

• Obtained from the SAP General Ledger

Process

• Developed queries that create extract tables using SQL backend. For Benford's analysis, used Excel direct link to review and graph the data
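Three of the journal-entry tests listed above (Benford analysis, round dollar entries, billion dollar entries) and a self-review check on the poster/reviewer pair, as an added Python sketch; it is not code from the presentation. The sample rows, the 1,000 round-dollar unit, reading the poster/reviewer test as "poster equals reviewer", and the 5% chi-square cutoff are assumptions.

```python
import math
from collections import Counter
from decimal import Decimal

# Constructed sample rows: (document, poster, reviewer, amount). Not real data.
ENTRIES = [
    ("JE-1001", "asmith", "bjones", Decimal("1243.17")),
    ("JE-1002", "asmith", "asmith", Decimal("50000.00")),
    ("JE-1003", "cwu", "bjones", Decimal("-9800.00")),
    ("JE-1004", "cwu", "dlee", Decimal("1000000000.00")),
    ("JE-1005", "dlee", "bjones", Decimal("317.42")),
]

ROUND_UNIT = Decimal(1000)   # assumption: "round dollar" = multiple of 1,000
BILLION = Decimal(10) ** 9
CHI2_CRIT_8DF = 15.507       # chi-square critical value, 8 d.f., 5% level

def first_digit(amount):
    """Leading significant digit of a nonzero amount; sign and scale ignored."""
    return next(d for d in amount.as_tuple().digits if d != 0)

def benford_chi2(amounts):
    """Chi-square distance between observed first digits and Benford's law."""
    amounts = [a for a in amounts if a != 0]
    if not amounts:
        return 0.0
    seen = Counter(first_digit(a) for a in amounts)
    chi2 = 0.0
    for d in range(1, 10):
        expected = len(amounts) * math.log10(1 + 1 / d)
        chi2 += (seen[d] - expected) ** 2 / expected
    return chi2

def flag_entries(entries):
    """Return {document: [reasons]} for entries that fail a per-entry test."""
    flagged = {}
    for doc, poster, reviewer, amount in entries:
        reasons = []
        if amount != 0 and amount % ROUND_UNIT == 0:
            reasons.append("round dollar")
        if abs(amount) >= BILLION:
            reasons.append("billion dollar")
        if poster == reviewer:
            reasons.append("poster is own reviewer")
        if reasons:
            flagged[doc] = reasons
    return flagged

if __name__ == "__main__":
    print(flag_entries(ENTRIES), benford_chi2([e[3] for e in ENTRIES]))
```

A chi-square value above `CHI2_CRIT_8DF` says the first-digit mix of a population departs from Benford's law; it is only meaningful on a large population such as a full quarter of entries, not on a handful of rows.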

Risks

• Staff (employees, vendors, contractors) are engaging in activities that may violate company policies related to conflicts of interest, moonlighting, integrity

Tests

• Matches on bank account number and/or address

• Validation of new hires and vendors vs. ineligible-to-hire list

• Charitable contributions (unusual matching patterns, key words)

Data

• Obtained from vendor master file, purchase order and invoice history, general ledger, HR

Process

• Developed queries that create extract tables using SQL backend and process MS Access queries on the data

Risks

• Staff (employees, vendors, contractors) are engaging in activities that may violate company policies related to approval limits and financial efficacy

Tests

• Inappropriate PO and invoice approvals, duplicate invoices, non-PO invoices, duplicate vendor tax IDs, 3rd party payments, large or non-standard payments

Data

• Obtained from vendor master file, purchase order and invoice history, general ledger, HR, disbursements

Process

• Developed queries that create extract tables using SQL backend and process MS Access queries on the data

Risks

• Staff (employees, vendors, contractors) are engaging in activities that may violate company Anti-Corruption policy requirements

Tests

• Prohibited T&E expenses, prohibited purchases, inappropriate gifts and donations, inappropriate use of investment funds

Data

• Obtained from Expense report, purchase order, general ledger, HR, licensing, and investment fund tracking systems

Process

• Developed queries that create extract tables using SQL backend and process MS Access queries on the data

TECA and Anti-Corruption

Built a table with 2,483 unique keywords, including anti-corruption-specific words

• 94,911 keywords in 25 different languages, 180 related to anti-corruption

• Includes support for non-Roman character languages

• Subsidiary subject matter experts developed keywords

• Created a list of “prohibited” keywords

Queries are run against the appropriate keywords to identify the following situations:

• Meals and entertainment with government officials

• Bribes paid to government officials

• Unusual journal entries, donations, gifts, invoices, T&E expenses, payments, and POs indicating potential FCPA violations
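Keyword screening across Roman and non-Roman scripts, as described above, shown as an added Python sketch rather than the presentation's own queries. The keywords, categories and expense descriptions are constructed samples; the matching rules (NFKC plus casefold, whole-word for spaced scripts, substring for CJK ideographs) are assumptions about one workable approach.

```python
import re
import unicodedata

# Constructed keyword rows (keyword, category); not the table from the slides.
KEYWORDS = [
    ("minister", "government official"),
    ("Geschenk", "gift"),
    ("взятка", "bribe"),
    ("礼品", "gift"),
]

# Constructed expense-line descriptions (id, text).
LINES = [
    ("T1", "Lunch with deputy Minister, 4 guests"),
    ("T2", "Fee to administer payroll"),
    ("T3", "ＧＥＳＣＨＥＮＫ für Kunden"),
    ("T4", "购买礼品卡"),
    ("T5", "ВЗЯТКА"),
]

def normalize(text):
    """NFKC plus casefold: full-width, mixed-case and plain forms compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()

def is_cjk(ch):
    return unicodedata.name(ch, "").startswith("CJK")

def compile_keyword(keyword):
    """Whole-word match for spaced scripts; substring match for CJK ideographs,
    which are written without spaces so word boundaries never occur."""
    norm = normalize(keyword)
    pattern = re.escape(norm)
    if not any(is_cjk(ch) for ch in norm):
        pattern = r"(?<!\w)" + pattern + r"(?!\w)"
    return re.compile(pattern)

def screen(lines, keywords):
    """Return (line id, keyword, category) for every keyword hit."""
    compiled = [(compile_keyword(k), k, cat) for k, cat in keywords]
    hits = []
    for line_id, text in lines:
        norm = normalize(text)
        hits += [(line_id, k, cat) for rx, k, cat in compiled if rx.search(norm)]
    return hits

if __name__ == "__main__":
    for hit in screen(LINES, KEYWORDS):
        print(hit)
```

Line T2 is the false positive a plain substring search would raise ("administer" contains "minister"); T3 is a full-width spelling that only matches after normalization.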

Increase risk coverage, scope, and testing efficiency

• Greater level of assurance through population testing

• Allows investigators and auditors to focus on higher risk, strategic areas

• Shortened investigations and audit cycle times through regular testing of common global activities

Increase investigator and auditor capabilities and data analysis skills

• Proactive identification of issues

• Increased productivity through population testing

• More accurate and quantifiable issue identification

• Increased usage of Internal Reporting Tools, Excel, and Access


Before

• Limited data analysis and coverage

• Steep learning curve every quarter

• Underutilizing investigator and auditor skills

• Potential data corruption

• Inefficiencies caused delays

After

• Increased breadth and depth of coverage through review of all 6 million entries per quarter

• Push Button approach allows analysis of all entries

• More reliable results

• Efficient fieldwork and timely reporting with substantiated results

• Maintain database of over 80 million lines to allow trend analysis


Enhance management's monitoring controls

• Transition TECA tools and methodology to continuous monitoring

• Improved Corporate Governance

• Partner to build controls into existing tools

• Simple implementation of audit recommendations

• Help build trusted advisor role

Frequent testing results in timely identification of control deficiencies

• Timely resolution of issues

• Greater awareness of global issues

• Increased accountability for issue resolution, especially with global issues


Before

• No standard process for auditing T&E Expenses

• Random testing did not target testing to specific types of exceptions

• AP auditors covered quantity of reports rather than targeted review for exceptions

After

• Increased breadth and depth of coverage

• All countries (100+)

• Audit the T&E database across 20 million plus line items

• Push Button approach

• More targeted and economic auditing

• Duplicates

• Prohibited expenses

• Exchange rate issues

• Greater audit recoveries


© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.