Brock Phillips, CPA, CFE, CCEP, Forensic Accounting Sr. Manager, Financial Integrity Unit, Microsoft Audit Group
Lou DeCola, CPA, CIA, CFE, Forensic Accounting Sr. Manager, Financial Integrity Unit, Microsoft Audit Group
Organization chart (slide graphic; the reporting lines did not survive extraction). Boxes shown: Audit Committee; CEO; CFO; Chief Legal Officer; Office of Legal Compliance; Chief Audit Executive; Internal Audit (IA); Enterprise Risk Mgmt (ERM); Financial Integrity Unit (FIU); Chief Operating Officer; CIO; VP of Finance & Admin; Financial Compliance Group; Business Group Presidents (several); Controls & Compliance, VP of Finance (one per business group).
Technology Enabled Continuous Assurance
Microsoft Confidential
Investigative function within Internal Audit
• Formed 9/02
• 14 employees, 12 different languages
• Professionally trained and experienced fraud investigators and Certified Fraud Examiners: 10 CFEs, 2 CPAs, 1 JD
• 250 years professional experience; more than 70 years of Microsoft experience
• Detect, investigate, and prevent fraud
• Provide thorough and timely results for management, business, and employment decisions
• Drive continuous improvement in policies, internal controls, revenue protection, and accountability
• Reports to Internal Audit, strong dotted line to Office of Legal Compliance
• Worldwide charter; offices in Redmond, Singapore, Beijing, Delhi, Moscow, Prague
Concerns Raised (sources: external parties; fellow employees/managers; proactive analysis)
Office of Legal Compliance determines if investigation is warranted and assigns the matter to FIU or another investigative group.
FIU/OLC Prepares Investigative Plan
• FIU/OLC identifies issues to be investigated
• FIU/OLC identifies relevant policies, procedures, and documents
• FIU/OLC identifies potential interviewees
• OLC approves investigative plan
• OLC sends notification to management, HR, and LCA
Investigation
• FIU preserves, analyzes, and collects documents
• FIU interviews employees
• FIU prepares summary of investigation
• OLC provides report of investigation
• OLC closes investigation process
Disciplinary Decisions
• OLC communicates report of investigation to management, HR, finance, and legal advisors
• Managers review findings, meet with employee, HR, and LCA
• Manager makes disciplinary proposal to OLC
• OLC reviews disciplinary proposal
• Manager communicates decision to relevant parties
Letter from Steven A. Ballmer, Chief Executive Officer

Dear Fellow Employee:

Microsoft aspires to be a great company, and our success depends on you. It depends on people who innovate and are committed to growing our business responsibly. People who dedicate themselves to really satisfying customers, helping partners, and improving the communities in which we do business. People who are accountable for achieving big, bold goals with unwavering integrity. People who are leaders, who appreciate that to be truly great, we must continually strive to do better ourselves and help others improve.

We must expect the best from ourselves because who we are as a company and as individuals is as important as our ability to deliver the best products and services. How we manage our business internally—and how we think about and work with customers, partners, governments, vendors, and communities—impacts our productivity and success. It's not enough to just do the right things; we have to do them in the right way.

The Standards of Business Conduct are an extension of Microsoft’s values and the foundation for our business tenets. They reflect our collective commitment to ethical business practices and regulatory compliance, and they provide information about Microsoft's Business Conduct and Compliance Program. At a high level, they summarize, and are supported by, the principles and policies that govern our global businesses in several important areas: legal and regulatory compliance; trust and respect of consumers, partners, and shareholders; asset protection and stewardship; creation of a cooperative and productive work environment; and commitment to the global community.

These Standards of Business Conduct provide information, education, and resources to help you make good, informed business decisions and to act on them with integrity. In addition, managers should use this resource to foster, manage, and reward a culture of accountability and integrity within their groups. Working together, we can continuously enhance our culture in ways that benefit customers and partners, and that strengthen our interactions with one another. Then we can truly achieve our mission of enabling people and businesses throughout the world to realize their full potential.

All Microsoft employees are responsible for understanding and complying with the Standards of Business Conduct, applicable government regulations, and Microsoft's policies. As Microsoft employees, you also have a responsibility to raise compliance and ethics concerns through our established channels. This is the way to ensure that Microsoft is and continues to be a great company of great people.

Steven A. Ballmer
Chief Executive Officer
Dedicated team of professionals with SQL and database expertise
Methodology which leverages technology, data analysis, and statistical evaluation techniques
Proactively tests control activities for an entire population of transaction data or across different data sets
Proactive detection of exceptions
Transition to the business
The TECA program is creating tools in two ways:
• Querying in-house tools
• Creating new querying tools by linking different data sets in innovative and proactive ways
TECA Team Role
• Maintain TECA environment (data, access, working with IT for backups, etc.) and develop queries
• Train auditors in use of in-house and developed tools
• Proactively provide TECA reports for complex or new query requests to auditors
For Microsoft
• Effective and efficient controls
• Targeted Reviews—T&E auditing, conflicts of interest, corruption, etc.
For Internal Audit
• Improved audit skill set
• Greater risk coverage—doing more with the same
• More accurate and efficient testing
For Financial Integrity Unit
• Identifying fraud
• Substantiating fraud
• Policy: Expensing of AMEX late fee/delinquency charges is prohibited
• Collect Data: Obtained details of AMEX late fee/delinquency charges
• Queries: Compared data from internal expense reporting tools, AMEX data feeds, and HR data tables
• Analyze: Identified certain potentially fraudulent transactions from “higher than expected” levels within the Company
• Action: Discussions with Legal, HR, and the Business; potential policy changes
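The late-fee case above is a three-way join: card-issuer feed, expense-report lines, and HR data, followed by an aggregation that makes unusually high levels visible. The Python below is an added example, not code from the presentation or from Microsoft's tools; the record layouts, field names and sample rows are constructed for illustration, and the issuer wording used to recognise a late fee is an assumption.

```python
"""Added example (not from the presentation): reconcile expensed corporate-card
late fees against the card issuer's feed and HR data. The feed layout, field
names and sample rows below are constructed for illustration."""
import re
from collections import Counter

# Constructed card-issuer feed: (card_id, txn_date, description, amount)
CARD_FEED = [
    ("C001", "2008-03-02", "LATE PAYMENT FEE", 29.00),
    ("C002", "2008-03-05", "AIRLINE TICKET", 540.00),
    ("C002", "2008-04-07", "DELINQUENCY CHARGE", 35.00),
    ("C003", "2008-03-11", "HOTEL", 210.50),
    ("C003", "2008-04-14", "LATE FEE", 29.00),        # never expensed: not a policy violation
    ("C004", "2008-05-01", "LATE PAYMENT FEE", 29.00),
]

# Constructed expense-report lines: (employee_id, card_id, txn_date, amount, category)
EXPENSE_LINES = [
    ("E100", "C001", "2008-03-02", 29.00, "Misc"),
    ("E200", "C002", "2008-03-05", 540.00, "Airfare"),
    ("E200", "C002", "2008-04-07", 35.00, "Bank charges"),
    ("E300", "C003", "2008-03-11", 210.50, "Lodging"),
    ("E400", "C004", "2008-05-01", 29.00, "Misc"),
]

# Constructed HR table: employee_id -> (manager_id, org)
HR = {
    "E100": ("M1", "Sales-East"),
    "E200": ("M1", "Sales-East"),
    "E300": ("M2", "Engineering"),
    "E400": ("M3", "Finance"),
}

# Issuer descriptions that denote a late fee or delinquency charge (assumed wording).
# Word boundary on LATE avoids false hits on merchant names that merely contain it.
LATE_FEE_PATTERN = re.compile(r"\bLATE\b|DELINQUEN", re.IGNORECASE)


def is_late_fee(description):
    return bool(LATE_FEE_PATTERN.search(description))


def expensed_late_fees(card_feed, expense_lines, hr):
    """Expense lines that reimburse a prohibited late fee, joined to HR org data.
    The join key is (card, date, amount); cents are rounded to survive float noise."""
    fee_keys = {(card, date, round(amt, 2))
                for card, date, desc, amt in card_feed if is_late_fee(desc)}
    hits = []
    for emp, card, date, amt, category in expense_lines:
        if (card, date, round(amt, 2)) in fee_keys:
            manager, org = hr.get(emp, (None, "UNKNOWN"))
            hits.append({"employee": emp, "manager": manager, "org": org,
                         "date": date, "amount": amt, "category": category})
    return hits


def org_summary(hits, hr):
    """Per-org count of late-fee expense lines and the rate per employee, so an
    org with 'higher than expected' levels stands out from the population."""
    headcount = Counter(org for _, org in hr.values())
    per_org = Counter(h["org"] for h in hits)
    return {org: (n, n / headcount[org]) for org, n in per_org.items()}


if __name__ == "__main__":
    found = expensed_late_fees(CARD_FEED, EXPENSE_LINES, HR)
    for hit in found:
        print(hit)
    print(org_summary(found, HR))
```

Joining on card, date and amount rather than on free-text description is what keeps the result defensible in a discussion with Legal and HR: each hit is a fee the issuer charged and the employee then expensed, not a string match. The per-org rate is the population-level view the slide refers to; an org whose rate is far above the company baseline is where a reviewer looks first.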
The Potato Chip Theory of Fraud
• All cases of fraud should be taken seriously, even though the overall amount is immaterial
• Tone from the top: can have a pervasive effect
• Case-based development of internal tools
• Enhancements of future TECA queries
• Violation of Company policy
• Training for managers—first line of defense
Financial Reporting
Revenue and Accounts Receivable
Anti-Corruption Program—DEMO
Travel and Entertainment
Procurement
Accounts Payable
Tax
Payroll
Human Resources
Logical Access
System Change Management
Fraud Detection
• Risks: Unusual or inappropriate journal entries are being posted to the general ledger
• Tests: Unusual entries, influenced posters and reviewers, inappropriate reviewers, Benford analysis, billion dollar entries, round dollar entries, poster/reviewer relationship, posted by executives
• Data: Obtained from the SAP General Ledger
• Process: Developed queries that create extract tables using SQL backend. For Benford's analysis, used Excel direct link to review and graph the data
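Several of the journal-entry tests listed above (Benford first-digit analysis, round-dollar and billion-dollar entries, poster/reviewer relationship) can be run over a GL extract in a few lines. The following Python is an added example and is not the presentation's SQL or Excel work; the column layout and the ten sample entries are constructed, and the thresholds for "round" and "billion dollar" are assumptions.

```python
"""Added example (not from the presentation): journal-entry tests over a
general-ledger extract. Columns and sample entries are constructed."""
import math
from collections import Counter

# Constructed GL extract: (entry_id, amount, poster, reviewer)
GL = [
    (1, 1234.56, "alice", "bob"),
    (2, 1876.00, "alice", "bob"),
    (3, 2450.10, "carol", "dave"),
    (4, 10000.00, "erin", "erin"),        # poster approved own entry
    (5, 3120.00, "carol", "dave"),
    (6, 1500000000.00, "frank", "gina"),  # billion-dollar entry
    (7, 1999.99, "alice", "bob"),
    (8, 4321.00, "carol", "dave"),
    (9, 1210.00, "alice", "bob"),
    (10, 5000.00, "erin", "hank"),
]


def benford_expected(d):
    """Benford's law: expected share of amounts whose leading digit is d."""
    return math.log10(1 + 1 / d)


def first_digit(amount):
    """Leading significant digit of a nonzero amount; works for sub-dollar values too."""
    return int(f"{abs(amount):e}"[0])


def benford_deviation(amounts):
    """Observed vs expected first-digit shares plus a chi-square statistic.
    Returns ({digit: (observed, expected)}, chi2)."""
    digits = [first_digit(a) for a in amounts if a]
    n = len(digits)
    counts = Counter(digits)
    table, chi2 = {}, 0.0
    for d in range(1, 10):
        expected = benford_expected(d)
        table[d] = (counts[d] / n, expected)
        chi2 += (counts[d] - n * expected) ** 2 / (n * expected)
    return table, chi2


def flag_entries(gl, round_to=1000, huge=1_000_000_000):
    """Rule-based flags: self-review, very large entries, suspiciously round amounts.
    round_to and huge are assumed thresholds, not values from the presentation."""
    flagged = []
    for entry_id, amount, poster, reviewer in gl:
        reasons = []
        if poster == reviewer:
            reasons.append("poster_is_reviewer")
        if abs(amount) >= huge:
            reasons.append("billion_dollar")
        if amount and abs(amount) % round_to == 0:
            reasons.append("round_dollar")
        if reasons:
            flagged.append((entry_id, reasons))
    return flagged


if __name__ == "__main__":
    table, chi2 = benford_deviation([amt for _, amt, _, _ in GL])
    for d, (obs, exp) in table.items():
        print(f"digit {d}: observed {obs:.2f} expected {exp:.2f}")
    print(f"chi-square: {chi2:.1f}")
    print(flag_entries(GL))
```

Ten entries are far too few for Benford's law to mean anything; the test is only informative on a full population (the deck cites six million entries per quarter), which is exactly why it belongs in a population-testing tool rather than a sample-based audit. The rule flags, by contrast, are exact and can be run on any extract size.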
• Risks: Staff (employees, vendors, contractors) are engaging in activities that may violate company policies related to conflicts of interest, moonlighting, integrity
• Tests: Matches on bank account number and/or address; validation of new hires and vendors vs. ineligible-to-hire list; charitable contributions (unusual matching patterns, key words)
• Data: Obtained from vendor master file, purchase order and invoice history, general ledger, HR
• Process: Developed queries that create extract tables using SQL backend and process MS Access queries on the data
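Matching employees to vendors on bank account or address only works if both sides are normalised first, since the HR system and the vendor master rarely format these fields the same way. The Python below is an added example, not the presentation's queries; the employee, vendor and ineligible-list rows are constructed, and the abbreviation table is a small assumed subset.

```python
"""Added example (not from the presentation): conflict-of-interest matching between
HR and vendor master data, plus an ineligible-to-hire check. All rows constructed."""
import re
from collections import defaultdict

# Constructed HR extract: (employee_id, name, bank_account, address)
EMPLOYEES = [
    ("E1", "Ana Ruiz", "0012-3456-78", "12 Main Street, Apt 4, Redmond WA"),
    ("E2", "Ben Ito", "9988-7766", "5 Lake Rd, Bellevue WA"),
    ("E3", "Chen Li", "4455-6677", "77 Pine Ave, Seattle WA"),
]

# Constructed vendor master: (vendor_id, name, bank_account, address)
VENDORS = [
    ("V1", "Ruiz Consulting LLC", "001234 5678", "12 MAIN ST APT 4 REDMOND WA"),
    ("V2", "Northwind Traders", "1111-2222", "900 Harbor Blvd, Tacoma WA"),
    ("V3", "Pine Avenue Design", "3333-4444", "77 pine avenue, seattle, wa"),
]

# Assumed subset of postal abbreviations used to fold address variants together
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
          "apartment": "apt", "suite": "ste"}


def norm_account(acct):
    """Compare account numbers on digits only; separators differ by system."""
    return re.sub(r"\D", "", acct)


def norm_address(addr):
    tokens = re.sub(r"[^\w\s]", " ", addr.casefold()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)


def norm_name(name):
    return " ".join(re.sub(r"[^\w\s]", " ", name.casefold()).split())


def employee_vendor_matches(employees, vendors):
    """(employee_id, vendor_id, [match reasons]) for every shared account or address."""
    by_acct, by_addr = defaultdict(list), defaultdict(list)
    for vid, _, acct, addr in vendors:
        by_acct[norm_account(acct)].append(vid)
        by_addr[norm_address(addr)].append(vid)
    matches = []
    for eid, _, acct, addr in employees:
        reasons = defaultdict(list)
        for vid in by_acct.get(norm_account(acct), []):
            reasons[vid].append("bank_account")
        for vid in by_addr.get(norm_address(addr), []):
            reasons[vid].append("address")
        for vid in sorted(reasons):
            matches.append((eid, vid, reasons[vid]))
    return matches


def ineligible_hits(candidates, ineligible):
    """Names among new hires/new vendors that appear on the ineligible list."""
    blocked = {norm_name(n) for n in ineligible}
    return [c for c in candidates if norm_name(c) in blocked]


if __name__ == "__main__":
    print(employee_vendor_matches(EMPLOYEES, VENDORS))
    print(ineligible_hits(["D Smith", "Northwind Traders", "Ana Ruiz"],
                          ["d. smith", "Northwind  Traders"]))
```

A shared bank account is a much stronger signal than a shared address (household members can legitimately run a business from home), so the match reasons are kept separate rather than collapsed into a single score; an investigator can then prioritise account matches and treat address-only matches as leads.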
• Risks: Staff (employees, vendors, contractors) are engaging in activities that may violate company policies related to approval limits and financial efficacy
• Tests: Inappropriate PO and invoice approvals, duplicate invoices, non-PO invoices, duplicate vendor tax IDs, 3rd party payments, large or non-standard payments
• Data: Obtained from vendor master file, purchase order and invoice history, general ledger, HR, disbursements
• Process: Developed queries that create extract tables using SQL backend and process MS Access queries on the data
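Four of the accounts-payable tests above (duplicate invoices, non-PO invoices, approvals over limit, duplicate vendor tax IDs) are shown here in Python as an added example; it is not the presentation's SQL or Access work. The invoice and vendor rows and the approval-limit table are constructed, and the invoice-number normalisation rule is an assumption about how resubmitted invoices typically differ.

```python
"""Added example (not from the presentation): accounts-payable exception tests
over constructed vendor master and invoice-history extracts."""
import re
from collections import defaultdict

# Constructed vendor master: (vendor_id, name, tax_id)
VENDOR_MASTER = [
    ("V1", "Acme Supply", "91-1234567"),
    ("V2", "ACME Supply Inc", "91-1234567"),   # second record, same tax ID
    ("V3", "Northwind", "45-7654321"),
]

# Constructed invoice history: (invoice_id, vendor_id, invoice_no, amount, po_number, approver)
INVOICES = [
    ("I1", "V1", "INV-001", 1200.00, "PO77", "kim"),
    ("I2", "V1", "inv 0001", 1200.00, "PO77", "kim"),   # same invoice, re-keyed
    ("I3", "V3", "A-500", 48000.00, None, "kim"),       # no PO, above kim's limit
    ("I4", "V2", "7788", 1200.00, "PO78", "lee"),
    ("I5", "V3", "A-501", 9500.00, "PO79", "lee"),
]

# Constructed approval-limit table: approver -> maximum amount they may approve
APPROVAL_LIMITS = {"kim": 25000.00, "lee": 100000.00}


def norm_invoice_no(number):
    """Fold case, punctuation and leading zeros so INV-001 and 'inv 0001' compare equal."""
    compact = re.sub(r"[^0-9a-z]", "", number.casefold())
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)


def duplicate_invoices(invoices):
    """Groups of invoice IDs sharing vendor, normalised number and amount."""
    groups = defaultdict(list)
    for inv_id, vendor, number, amount, _, _ in invoices:
        groups[(vendor, norm_invoice_no(number), round(amount, 2))].append(inv_id)
    return [ids for ids in groups.values() if len(ids) > 1]


def non_po_invoices(invoices):
    return [inv_id for inv_id, _, _, _, po, _ in invoices if not po]


def over_limit_approvals(invoices, limits):
    """Invoices whose approver lacked authority for the amount (unknown approver = limit 0)."""
    return [(inv_id, approver, amount)
            for inv_id, _, _, amount, _, approver in invoices
            if amount > limits.get(approver, 0.0)]


def duplicate_tax_ids(vendor_master):
    """Tax IDs (digits only) that appear under more than one vendor record."""
    by_tax = defaultdict(list)
    for vid, _, tax_id in vendor_master:
        by_tax[re.sub(r"\D", "", tax_id)].append(vid)
    return {tax: vids for tax, vids in by_tax.items() if len(vids) > 1}


if __name__ == "__main__":
    print("duplicate invoices:", duplicate_invoices(INVOICES))
    print("non-PO invoices:", non_po_invoices(INVOICES))
    print("over limit:", over_limit_approvals(INVOICES, APPROVAL_LIMITS))
    print("duplicate tax IDs:", duplicate_tax_ids(VENDOR_MASTER))
```

Duplicate vendor records with one tax ID are worth testing alongside duplicate invoices: a resubmitted invoice paid once under each vendor record will not show up as a duplicate when the grouping key includes vendor_id, so a second pass keyed on tax ID instead of vendor ID is a natural extension.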
• Risks: Staff (employees, vendors, contractors) are engaging in activities that may violate company Anti-Corruption policy requirements
• Tests: Prohibited T&E expenses, prohibited purchases, inappropriate gifts and donations, inappropriate use of investment funds
• Data: Obtained from Expense report, purchase order, general ledger, HR, licensing, and investment fund tracking systems
• Process: Developed queries that create extract tables using SQL backend and process MS Access queries on the data
• Built a table with 2,483 unique keywords, including anti-corruption-specific words
• 94,911 keywords in 25 different languages, 180 related to anti-corruption; includes support for non-Roman character languages
• Subsidiary subject matter experts developed keywords
• Created a list of “prohibited” keywords
Queries are run against the appropriate keywords to identify the following situations:
• Meals and entertainment with government officials
• Bribes paid to government officials
• Unusual journal entries, donations, gifts, invoices, T&E expenses, payments, and POs indicating potential FCPA violations
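Running a multilingual keyword table against free-text descriptions only works if both sides are normalised the same way, including non-Roman scripts and full-width or compatibility characters. The Python below is an added example, not the presentation's keyword table or queries; the handful of keywords and the transaction descriptions are constructed (the real table had 94,911 entries in 25 languages).

```python
"""Added example (not from the presentation): multilingual prohibited-keyword
screening of transaction descriptions. Keywords and records are constructed."""
import unicodedata

# Constructed prohibited-keyword list; a real table is thousands of terms per language
PROHIBITED = ["bribe", "kickback", "facilitation payment", "ministry",
              "government official", "soborno", "взятка", "贿赂"]

# Constructed transaction descriptions: (record_id, source_system, description)
RECORDS = [
    ("TE-1", "T&E", "Dinner with Ministry of Trade official"),
    ("PO-2", "PO", "Consulting services Q2"),
    ("JE-3", "JE", "ВЗЯТКА таможне"),            # upper-case Cyrillic
    ("AP-4", "AP", "支付贿赂给官员"),              # Chinese, no word boundaries
    ("TE-5", "T&E", "Facilitation payment at border"),
    ("TE-6", "T&E", "Ｋｉｃｋｂａｃｋ fee"),         # full-width Latin letters
]


def normalize(text):
    """NFKC folds full-width and compatibility forms to their plain equivalents;
    casefold lower-cases across scripts (Cyrillic, Greek, Latin); whitespace is squeezed."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


def keyword_hits(records, keywords):
    """record_id -> sorted list of prohibited keywords found in its description.
    Substring matching is used so that scripts without word spacing still match."""
    normalized_keywords = [(normalize(k), k) for k in keywords]
    hits = {}
    for rec_id, _, description in records:
        text = normalize(description)
        found = sorted(k for nk, k in normalized_keywords if nk in text)
        if found:
            hits[rec_id] = found
    return hits


if __name__ == "__main__":
    for rec_id, found in keyword_hits(RECORDS, PROHIBITED).items():
        print(rec_id, found)
```

Without NFKC the full-width "Ｋｉｃｋｂａｃｋ" in TE-6 would slip past a plain lower-case comparison, and without casefold the upper-case Cyrillic in JE-3 would miss; both are the kind of gap that makes "support for non-Roman character languages" a deliberate design item rather than a free side effect. Keyword hits are leads for review, not findings: "ministry" will also match perfectly legitimate meetings, which is why the slide pairs the keyword run with an investigator's follow-up.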
Increase risk coverage, scope, and testing efficiency
• Greater level of assurance through population testing
• Allows investigators and auditors to focus on higher risk, strategic areas
• Shortened investigations and audit cycle times through regular testing of common global activities
Increase investigator and auditor capabilities and data analysis skills
• Proactive identification of issues
• Increased productivity through population testing
• More accurate and quantifiable issue identification
• Increased usage of Internal Reporting Tools, Excel, and Access
Before
• Limited data analysis and coverage
• Steep learning curve every quarter
• Underutilizing investigator and auditor skills
• Potential data corruption
• Inefficiencies caused delays
After
• Increased breadth and depth of coverage through review of all 6 million entries per quarter
• Push Button approach allows analysis of all entries
• More reliable results
• Efficient fieldwork and timely reporting with substantiated results
• Maintain database of over 80 million lines to allow trend analysis
Enhance management's monitoring controls
• Transition TECA tools and methodology to continuous monitoring
• Improved Corporate Governance
• Partner to build controls into existing tools
• Simple implementation of audit recommendations
• Help build trusted advisor role
Frequent testing results in timely identification of control deficiencies
• Timely resolution of issues
• Greater awareness of global issues
• Increased accountability for issue resolution, especially with global issues
Before
• No standard process for auditing T&E Expenses
• Random testing did not target testing to specific types of exceptions
• AP auditors covered quantity of reports rather than targeted review for exceptions
After
• Increased breadth and depth of coverage
  • All countries (100+)
  • Audit the T&E database across 20 million plus line items
• Push Button approach
• More targeted and economic auditing
  • Duplicates
  • Prohibited expenses
  • Exchange rate issues
• Greater audit recoveries
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.