
Tips and examples on assurance mapping



Risk is an omnipresent driving force in all business activities. It requires producing information about the probability of different outcomes in the decision-making process. Assurance services improve the quality of this information across business activities (AICPA, 1996). Assurance, provided by internal and external auditors and many other parties, is the objective examination of evidence in order to perform an independent assessment of business activities. It adds credibility to information, from statutory financial reporting to the non-financial information in environmental and social reports. Assurance is the confidence that what needs to be controlled is actually being controlled in practice.


Since the board is responsible for ensuring that there are robust internal control arrangements across the whole organization, assurance is also a key compliance issue. Moreover, most codes of good corporate governance require the board to attest to the effectiveness of the internal control and risk management systems.


There are tools to coordinate assurance services and to get the most out of them. Assurance maps visually link the assurance provided by all providers to the risks that affect the organizational objectives. They show how the assurance activities (x-axis) apply to the key risks in sequential business activities (y-axis). The assurance activities are usually arranged by the three lines of defense or the five lines of assurance models. The maps give the board a quick and clear view of processes and risks, so that management, oversight and reporting are consistent under a common methodology and language. Assurance maps promote collaboration between departments while being cost effective.

Keys to making decisions on assurance


The primary objective of the assurance mapping is to detect areas of gaps and duplications in assurance efforts between departments. These maps quickly reveal the level of assurance oversight to alleviate low-value and redundant auditing efforts. 

In order to join efforts for a strong GRC function, the risk methodology, particularly the taxonomy and the rating scales, should be standardized to express a common and holistic view. This allows coordination and interaction between business owners and assurance providers.

With the purpose of identifying processes with missing or unnecessary assurance efforts, the risk exposure can be linked to each process to assess whether the assurance costs are justified (“reasonable assurance” for the risk tolerance). When too much assurance is concentrated in one process, the causes of these efforts should be understood before reassigning controls and responsibilities across departments.

When combining assurance programs and coordinating activities, the responsibilities defined by the policies or the audit charter should be updated. The assurance map is a tool to update and coordinate departmental responsibilities, but it is not a policy by itself.

Besides combining assurance efforts on duplicated tasks, or reassigning controls to close gaps, communication on issues and remediation action plans should flow across all departments. Relieving a department of assuring a process does not imply that it should stop receiving information about the trust and quality of the related information and its controls.

An assurance map in practice
As an example, the following map details the process steps and their risks for a simplified financial month-end closing in a company running SAP. This process-based map consolidates controls and risks from the assurance providers to assess how much coverage is achieved and how much is needed. It combines the three lines of defense model with a standard SAP closing process compatible with SOX or COSO compliance.


 
The assurance level rating represents the quality and the level of evidence provided by each department.

H High Assurance: assurance is detailed and cyclically conducted; the amount of audit evidence reduces risks to a low level (e.g. low risk of material accounting misstatement); controls are in place and adequately mitigate risks; policies are in place and communicated; IT/BI tools are deployed to automate controls and to report red-flagged transactions; and performance metrics are closely monitored.

M Medium Assurance: assurance is not cyclically performed; controls are not in place to cover some risks; policies are not fully in place or communicated; manual controls are not automated.

L Low Assurance: little or no assurance; significant concerns over the adequacy of the controls in place in proportion to the risks; few policies in place.
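The gap and duplication analysis described in this post can be run over the map itself once it is captured as data. The following script is an added example, not the author's own map or tool: it stores each process step with its inherent risk and the H/M/L rating given by each of the three lines of defense, then reports steps whose strongest assurance is weaker than their risk (gaps) and low-risk steps on which two or more providers each deliver High assurance (duplications). The closing steps, risk ratings and assurance ratings are constructed for illustration.

```python
"""Assurance-map analysis: detect coverage gaps and duplicated assurance effort.

Added example for this post (not the author's own map or tool). The process
steps, risk ratings and assurance ratings below are constructed for a
simplified month-end closing; the three assurance providers follow the
three lines of defense model described in the post.
"""
from dataclasses import dataclass, field

# Ordinal value of the H/M/L scale used in the post; a missing rating counts as no assurance.
SCORE = {"H": 3, "M": 2, "L": 1, None: 0}
LINES = ("1st line", "2nd line", "3rd line")


@dataclass
class ProcessStep:
    name: str
    inherent_risk: str                             # "H", "M" or "L"
    assurance: dict = field(default_factory=dict)  # provider -> "H"/"M"/"L"

    def best_assurance(self) -> int:
        """Strongest single rating across all providers (0 if nobody assures the step)."""
        return max(SCORE[self.assurance.get(line)] for line in LINES)

    def high_providers(self) -> list:
        return [line for line in LINES if self.assurance.get(line) == "H"]


def find_gaps(steps):
    """Steps whose strongest assurance rating is weaker than the step's inherent risk."""
    return [s.name for s in steps if s.best_assurance() < SCORE[s.inherent_risk]]


def find_duplications(steps):
    """Low-risk steps where two or more providers each deliver High assurance."""
    return [s.name for s in steps
            if s.inherent_risk == "L" and len(s.high_providers()) >= 2]


def render_map(steps) -> str:
    """Plain-text view of the map: one row per step, one column per provider."""
    header = f"{'Process step':<34}{'Risk':<6}" + "".join(f"{l:<10}" for l in LINES)
    rows = [header]
    for s in steps:
        cells = "".join(f"{s.assurance.get(l) or '-':<10}" for l in LINES)
        rows.append(f"{s.name:<34}{s.inherent_risk:<6}{cells}")
    return "\n".join(rows)


# Constructed sample: a simplified month-end closing assured by three lines of defense.
CLOSING_STEPS = [
    ProcessStep("Post accruals and provisions", "H", {"1st line": "H", "3rd line": "M"}),
    ProcessStep("Close posting periods", "H", {"1st line": "M", "2nd line": "L"}),
    ProcessStep("Reconcile petty cash", "L", {"1st line": "H", "2nd line": "H", "3rd line": "H"}),
    ProcessStep("Revalue foreign currency balances", "M", {"2nd line": "M"}),
    ProcessStep("Intercompany reconciliation", "H", {"1st line": "H", "2nd line": "H", "3rd line": "H"}),
    ProcessStep("Archive closing documentation", "L", {"1st line": "H", "3rd line": "H"}),
    ProcessStep("Review manual journal entries", "H"),  # no provider assures this step
]

if __name__ == "__main__":
    print(render_map(CLOSING_STEPS))
    print("Gaps:", find_gaps(CLOSING_STEPS))
    print("Duplications:", find_duplications(CLOSING_STEPS))
```

A step that nobody has rated scores zero and is reported as a gap whatever its risk, which is the situation an assurance map is meant to expose; a high-risk step assured by all three lines is deliberately not reported as a duplication, since the post only questions concentrated effort where the risk exposure does not justify it.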

Get the latest in corporate governance, risk, and compliance on Twitter

Combining internal audits with anti-corruption compliance monitoring


 
Labels: Internal Audit, automatic queries, tax haven countries, specific anti-bribery controls, bribery risk map, extra-territorial anti-corruption legislation, compliance, payments. By Hernan Huwyler


Detecting illegal payments concealed in accounting records is a top priority for both internal audit and anti-bribery compliance. Corruption risk is a significant and growing concern for global companies. Many countries are passing and enforcing extra-territorial anti-corruption legislation, and tips to the authorities are increasing because of financial incentives. Improper payments are difficult to identify. They can be disguised as agent and third-party commissions, fees and expenses. Other schemes may be more complicated, such as inflated invoices, deceptive commission arrangements, and the use of a complex web of intermediaries, shell companies and bank accounts.


Specific anti-bribery controls, performed by the three lines of defense, should be proportionate to the risks created by each type of transaction. Compliance and internal audit should agree on the same risk factors and their assessment in order to combine their scope in testing and monitoring.


The bribery and illegal payment risks are usually linked to:
  • where the service is provided, the payment is requested, and the supplier is domiciled (e.g. high perceived corruption or tax haven countries, new market sectors, off-shore jurisdictions)
  • who is involved (e.g. public officials, small companies, new vendors, due diligence with comments/red flags, subcontractors, associations and JVs, requirements of associated persons)
  • what service is provided (e.g. consultancy, licenses, customs and shipping services, public procurement, complex or new projects, incentives and pressures to complete a project)
  • how the service is contracted and paid (e.g. the payment method, pre-determined flat fee, success fees, commission clauses, reimbursed expenses, deal type)



Risk mapping for corruption should balance “the where”, “the who”, “the what” and “the how”. Many companies link their bribery risks only to high-corruption countries, and so miss the general environment of a transaction.



Both compliance and internal audit aim to develop effective financial and commercial controls to mitigate bribery risks, as well as money laundering and occupational fraud in general. Since the control objectives and the bribery risk map are shared, both areas can coordinate their actions to reach the same comfort level while remaining accountable for their specific responsibilities. Internal audit will benefit from sharing its work programs with compliance, so that it can focus on key controls and avoid any duplication of effort. Likewise, compliance will benefit from receiving the audit reports and monitoring the remediation plans, so that it can redirect its program to areas of heightened scrutiny.



Compliance and internal audit may combine their reviews to detect illicit payments by separating the process into three stages: design, control efficiency and monitoring. The following sections suggest ideas for a collaborative approach.


Testing the control design by Internal Audit

- Review of segregation of duties in approving new vendors, contracts, service receptions and payments, assuring the appropriate seniority of approvers and their effective counterbalance.

- Review of anti-corruption obligations in contracts with business partners and the appropriate indemnity and warranty clauses.

- Ensure that the accounting staff is trained to book to the proper purchasing and payment categories and to add meaningful and clear descriptions to entries. No auxiliary spreadsheet should support a global journal entry without disclosing itemized information about the service and the supplier.

- Ensure that the financial controllers are trained on the anti-bribery, travel and expense rules, cash and bank controls, and how to identify red flags.


Substantive testing for control efficiency by Compliance (reassured by Internal Audit)

- Test the effectiveness of the pre-contract due diligence, the verification of services and the fairness of the amount paid by selecting payments linked to all levels of risk (including any suspiciously unnecessary contracting, by non-statistical sampling). Focusing the payment testing only on high-risk transactions or on statistical sampling may be ineffective at covering all risks.

- Audit of third parties (on-site compliance audits): background checks on executives, owners and assigned employees (party screening); assure the training on extortion and bribery provisions and controls for vendor employees; confirm the circumstances under which the third party was engaged and instructed; and check that the service was engaged after the due diligence was finished.

- Review the existence of enquiries from the approvers to validate the legitimacy of the service. Approvals should be based on a statement of received services, summarizing the works and deliveries provided. The review needs to cover the disclosed conflicts of interest.


Monitoring by Compliance (quarterly watch-lists to trigger specific reviews by Internal Audit)

- Automatic queries to list gifts, meals, entertainment, travel expenses, sponsorships, and political and charitable contributions, linking them to the approval by senior executives and to the applicable limits.

- Automatic queries to list payments to third parties, including vendors, suppliers, resellers, distributors, agents and consultants (lawyers and accountants).

- Payments to offshore bank accounts or in different locations or currencies.

- Automatic queries to list upfront payments, advances and customer rebates.

- Commissions paid that are out of trend by type of service or versus the monthly average.

- Substantial price increases or decreases.

- Automatic queries to highlight changes in lease expenses, in particular for equipment.
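The quarterly watch-list queries listed above are straightforward to express as rules over a payment extract. The script below is an added example, not the author's own queries or any SAP or BI report: it runs four of the listed queries (high-risk or tax-haven jurisdiction, bank account outside the vendor's country, hospitality above limit without senior approval, upfront payments) plus the commission-trend check over a constructed ledger, and returns the reasons each payment was flagged so that internal audit can pick its specific reviews. The jurisdiction codes "XX"/"YY", the hospitality limit, the approver levels and the trend factor are assumptions standing in for whatever the company's bribery risk map and policies define.

```python
"""Quarterly watch-list queries over a payment ledger.

Added example for this post, not the author's own queries or an ERP report.
The payment rows and the jurisdiction list are constructed; "XX"/"YY" stand
in for whatever high-risk or tax-haven jurisdictions a company's bribery
risk map defines. Thresholds are assumed policy values.
"""
from collections import defaultdict
from statistics import mean

HIGH_RISK_JURISDICTIONS = {"XX", "YY"}   # placeholder codes (constructed)
HOSPITALITY = {"gifts", "meals", "entertainment", "travel", "sponsorship", "donation"}
HOSPITALITY_LIMIT = 500.0                # assumed policy threshold per payment
SENIOR_APPROVER_LEVEL = 3                # assumed: level 3 and above = senior executive
TREND_FACTOR = 2.0                       # a commission above 2x the average is "out of trend"

# Constructed ledger extract: one dict per payment document.
PAYMENTS = [
    {"id": "P001", "vendor": "Alpha Consulting", "vendor_country": "DE", "bank_country": "DE",
     "category": "consultancy", "amount": 12000.0, "month": "2024-01", "approver_level": 3, "upfront": False},
    {"id": "P002", "vendor": "Beta Agents Ltd", "vendor_country": "XX", "bank_country": "XX",
     "category": "commission", "amount": 4000.0, "month": "2024-01", "approver_level": 2, "upfront": False},
    {"id": "P003", "vendor": "Beta Agents Ltd", "vendor_country": "XX", "bank_country": "XX",
     "category": "commission", "amount": 3500.0, "month": "2024-02", "approver_level": 2, "upfront": False},
    {"id": "P004", "vendor": "Beta Agents Ltd", "vendor_country": "XX", "bank_country": "XX",
     "category": "commission", "amount": 25000.0, "month": "2024-03", "approver_level": 2, "upfront": False},
    {"id": "P005", "vendor": "Gamma Events", "vendor_country": "ES", "bank_country": "ES",
     "category": "entertainment", "amount": 900.0, "month": "2024-02", "approver_level": 1, "upfront": False},
    {"id": "P006", "vendor": "Delta Customs SL", "vendor_country": "ES", "bank_country": "YY",
     "category": "customs", "amount": 2000.0, "month": "2024-03", "approver_level": 2, "upfront": True},
    {"id": "P007", "vendor": "Epsilon Logistics", "vendor_country": "FR", "bank_country": "FR",
     "category": "shipping", "amount": 1500.0, "month": "2024-03", "approver_level": 2, "upfront": False},
]


def watch_list(payments):
    """Return {payment id: [reasons]} for every payment that trips at least one query."""
    flags = defaultdict(list)
    for p in payments:
        if p["vendor_country"] in HIGH_RISK_JURISDICTIONS or p["bank_country"] in HIGH_RISK_JURISDICTIONS:
            flags[p["id"]].append("high-risk jurisdiction")
        if p["bank_country"] != p["vendor_country"]:
            flags[p["id"]].append("bank account outside vendor's country")
        if (p["category"] in HOSPITALITY and p["amount"] > HOSPITALITY_LIMIT
                and p["approver_level"] < SENIOR_APPROVER_LEVEL):
            flags[p["id"]].append("hospitality above limit without senior approval")
        if p["upfront"]:
            flags[p["id"]].append("upfront payment or advance")

    # Commission trend: compare each commission with the average of all the others.
    commissions = [p for p in payments if p["category"] == "commission"]
    for p in commissions:
        others = [q["amount"] for q in commissions if q["id"] != p["id"]]
        if others and p["amount"] > TREND_FACTOR * mean(others):
            flags[p["id"]].append("commission out of trend versus average")
    return dict(flags)


def monthly_commission_totals(payments):
    """Monthly commission totals: the series a reviewer would chart to spot trend breaks."""
    totals = defaultdict(float)
    for p in payments:
        if p["category"] == "commission":
            totals[p["month"]] += p["amount"]
    return dict(sorted(totals.items()))
```

The trend rule compares each commission with the mean of the others rather than with a mean that includes itself, so a single large outlier cannot drag the baseline up and hide; in a real run the same rule would be applied per type of service, as the post suggests, by grouping the commissions first.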



Business intelligence in governance, risk and compliance

Labels: Audit, Compliance, Risk Mapping, SAP. By Hernan Huwyler


The importance of risk and compliance in improving corporate governance has increased dramatically over recent years. Organizations are addressing governance challenges primarily as a consequence of regulatory requirements, business transformation, emerging risks and large corporate governance scandals. Many organizations are struggling to focus their risk and compliance programs to meet stakeholders’ expectations.


A large number of GRC services and solutions are currently available from large and niche consulting firms to support an integrated control model. A GRC platform is offered as a transparent system of collaboration to orchestrate control activities across the business. While organizations can deal fairly well with the “G”, the “R” and the “C” as independent departments, integrating them has proven difficult, leading to control gaps, redundancies, inefficiencies and conflicts. A plethora of GRC modelling proposals exists both in the commercial arena and in the research community (Racz et al., 2010). Business intelligence has the ability to model control objectives easily and to address risks holistically.


The integration of controls, protocols, key indicators and reports into a GRC platform facilitates the automated detection of risks and the audit of compliance procedures. A major issue with this approach is the inflexibility of maintaining the control repository for a complex and dynamic environment in a single solution. The diversity of emerging risks requires a grounded approach to support a “compliance by design” model. Business intelligence allows the GRC departments to model the control framework so as to produce breach alarms, monitor performance and simplify assurance.

The capability to capture and change control requirements through a common GRC modeling framework facilitates the management of the controls and of the enterprise applications. Business process management, as a common framework for business intelligence, allows enforcing corporate compliance and meeting control objectives. It helps to link what needs to be done (the normative compliance approach) with how the control activities should be performed by the business process owners (the descriptive internal audit approach). It is essential, then, that business, compliance and control objectives are jointly designed to converge in common rules (Shazia et al., 2007). Regulations, compliance and internal control directives are complex and vague. These mandates of permissions and prohibitions, often written in legalese or technical jargon, are translated by subject experts into rules for a single control repository. These rules can trigger violation alarms and control remediation protocols that may surface at runtime.


Example: U.S. anti-boycott laws scenario




This scenario shows a set of simple rules to integrate control actions with compliance risks in a company running SAP and business intelligence.

A GRC platform based on business intelligence allows organizations to easily maintain and adjust their compliance requirements to highlight control violations and report key compliance indicators.


Corporate compliance and stock volatility in top 35 Spanish companies

Compliance is a major ethical consideration that has an impact on the business strategy, improving financial performance and limiting the risk of failure to a tolerable level. Compliance risks are today a mainstream issue in Spain after increased exposure to new criminal liabilities and globalization. Spanish companies from all sectors revised their codes of conduct and whistleblowing policies to adapt them to the new business landscape, but the relationship with sustainability risks was not explored.


In order to study the correlation between risk management and compliance, I generated 700 data sets to weigh them according to their relative market capitalization for the 35 public companies that make up Spain's benchmark IBEX 35 index. The compliance maturity was taken from analyzing the code of ethics and other publicly available ethics and corporate governance documents for these factors:

  • corruption, business conduct & gifts,
  • antitrust and market abuse,
  • workers´ protection, discrimination and harassment,
  • environmental and urban planning protection,
  • copyright and intellectual property protection,
  • IT data protection,
  • tax compliance,
  • money laundering,
  • occupational fraud, and
  • whistleblowing policy, available channels and management (30% of total score).
When the code of ethics and related governance policies set standard controls to mitigate the high-level compliance risks, a complete score was assigned to each factor. Other cases were particularly assessed according to mitigating controls.
The risk level was defined as the historical 250-day return measuring the stock volatility or beta. This indicator spots the risk arising from exposure to general market movements as opposed to idiosyncratic factors.

The market capitalization was taken from the last statistics update published by the Madrid Stock Exchange. The sector classification also followed the Madrid Stock Exchange criteria.

The data analysis revealed a weak negative linear correlation (r = -0.18) between the compliance maturity and the stock volatility risk. The compliance/risk correlation, which does not imply causation, is stronger in the retailing and the telecommunications sectors.




On balance, companies with strong and transparent ethics and compliance policies have better risk management in creating stakeholder value.

There are two types of outliers in the analysis:
  • Santander Bank, Repsol, OHL and Acciona have a mature compliance model according to the information in this study, but the stock value was highly volatile in the last 250 trading days, and
  • AENA, Endesa, Gas Natural, Dia and Iberdrola have low market value volatility, but opportunities to strengthen their compliance programs.



You can find the supporting data from these links:

MS Access Datasets 
Summary of dataset
Supporting Code of Ethics and Documents

I will do further research to expand the conclusions of this study by:
- using the OECD Guidelines for Multinational Enterprises to set the compliance factors to assess
- expanding the study to other public, non-IBEX 35 companies
- monitoring the evolution over time
- including the effective reporting of compliance and risk information

Do you have any suggestions for improving the study methodology or scope? 


The 100 most critical and common segregation of duties conflicts in SAP

By Hernan Huwyler
 
The most visited post in my blog covers the 20 most critical conflicts that you may find in SAP auditing, SOX testing and user security controls. After several years of fine-tuning the user conflict matrix, and with SAP HANA now released, I am expanding that post by listing the 100 most critical and frequent segregation of duties incompatibilities. This list helps internal auditors, functional roles and access security professionals to simplify user reviews, while explaining the risk of each conflict, which may result in operational fraud.


This is the list, which you are welcome to request as an MS Excel file:

VA01 Create Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
F.80 Mass reversal of documents and F-60 Maintain Table: Posting Periods are incompatible since the user may open accounting periods previously closed and make postings after month end.
VA01 Create Sales Order and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA02 Change Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-30 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
F.80 Mass reversal of documents and OB52 C FI Maintain Table T001B are incompatible since the user may open accounting periods previously closed and make postings after month end.
VL02N Change outbound delivery and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
XK01 Create Vendor (Centrally) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and VL02N Change outbound delivery are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.
VF01 Create Billing Document and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VL01N Create outbound delivery with order ref and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
VA01 Create sales order and F-32 Clear customer are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XK01 Create Vendor (Centrally) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD02 Change customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
MIGO Goods Movement and MM01 Create Material are incompatible since the user could create or change a fictitious receipt and create/change a material document to hide the deception.
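A user review against this list is mechanical once the conflict pairs and the role-to-transaction assignments are in a machine-readable form. The script below is an added example, not the author's Excel matrix or an SAP GRC report: it takes a subset of the conflict pairs from the list above, resolves each user's effective transaction codes through the roles assigned to them, reports every user who holds both sides of a pair together with the risk description, and shows which role grants each offending code so the reviewer knows what to remove. The roles and user assignments are constructed.

```python
"""Segregation-of-duties conflict check for SAP transaction code assignments.

Added example for this post, not the author's Excel matrix or an SAP GRC
report. The conflict pairs are a subset of the post's list; the roles and
user assignments are constructed.
"""

# (tcode A, tcode B, risk description) taken from the post's list.
SOD_MATRIX = [
    ("VA01", "XD01", "assets may be disposed at less than the true value"),
    ("VA01", "F-30", "sales order created/changed and incoming payments processed fraudulently"),
    ("F.80", "OB52", "closed posting periods may be reopened for postings after month end"),
    ("XK01", "XD01", "assets may be sold to non-existent or fraudulent customers"),
    ("XD01", "F-30", "customer created and payments posted against it"),
    ("VA01", "VL02N", "sales orders and deliveries changed to hide misappropriation of goods"),
    ("MIGO", "MM01", "fictitious receipt and material document created to hide the deception"),
]

# Constructed roles: role name -> transaction codes granted by the role.
ROLES = {
    "Z_SD_ORDER_CLERK": {"VA01", "VA02", "VA03"},
    "Z_SD_CUSTOMER_MASTER": {"XD01", "XD02", "XD03"},
    "Z_FI_CASH_APPLICATION": {"F-30", "F-32", "F-22"},
    "Z_FI_PERIOD_CLOSE": {"OB52", "F.80"},
    "Z_MM_WAREHOUSE": {"MIGO", "MB51"},
    "Z_DISPLAY_ONLY": {"VA03", "XD03", "MB51"},
}

# Constructed user assignments: user -> roles.
USER_ROLES = {
    "jdoe": ["Z_SD_ORDER_CLERK", "Z_SD_CUSTOMER_MASTER"],
    "asmith": ["Z_FI_CASH_APPLICATION", "Z_SD_CUSTOMER_MASTER"],
    "mlee": ["Z_FI_PERIOD_CLOSE"],
    "auditor1": ["Z_DISPLAY_ONLY"],
}


def effective_tcodes(user, user_roles=USER_ROLES, roles=ROLES):
    """Union of the transaction codes granted by all of a user's roles."""
    codes = set()
    for role in user_roles.get(user, []):
        codes |= roles.get(role, set())
    return codes


def user_conflicts(user, matrix=SOD_MATRIX, **kw):
    """Conflict pairs (tcode A, tcode B, risk) that a single user holds both sides of."""
    codes = effective_tcodes(user, **kw)
    return [(a, b, risk) for a, b, risk in matrix if a in codes and b in codes]


def conflict_report(user_roles=USER_ROLES, roles=ROLES, matrix=SOD_MATRIX):
    """{user: [(tcode A, tcode B, risk)]} for every user with at least one conflict."""
    report = {}
    for user in user_roles:
        hits = user_conflicts(user, matrix, user_roles=user_roles, roles=roles)
        if hits:
            report[user] = hits
    return report


def granting_roles(user, tcode, user_roles=USER_ROLES, roles=ROLES):
    """Which of the user's roles grant a transaction code (helps decide what to remove)."""
    return [r for r in user_roles.get(user, []) if tcode in roles.get(r, set())]


if __name__ == "__main__":
    for user, hits in conflict_report().items():
        for a, b, risk in hits:
            print(f"{user}: {a} (via {granting_roles(user, a)}) + {b} (via {granting_roles(user, b)}): {risk}")
```

Resolving access through roles rather than from a flat user-to-transaction list matters in practice: the conflict in "jdoe" comes from two individually harmless roles, which is the usual way incompatible access accumulates.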



Simple Tool to Identify Risks


There are several techniques to identify causes of risks in order to map and prioritize risk mitigation efforts. Some techniques are brainstorming, questionnaires, industry scenarios and research, workshops, audit programs and incident investigations. In this post, I would like to share a simple tool to be used in the risk identification process when questionnaires are used.

Some techniques to get field information about risks can be time consuming, for instance arranging individual interviews with key staff or organizing risk workshops. Other techniques only allow a specific approach (e.g. top down or bottom up). Others fail to collect the most relevant and meaningful risk control deficiencies. Some alternatives may require a solid IT infrastructure (e.g. Microsoft InfoPath). GRC professionals face a real challenge in developing a proper methodology that balances the pros and cons of each alternative.

A simple process would be to distribute an MS Excel file with a predefined risk catalog by email. Then, each survey participant (e.g. area managers) can decide which areas to assess. For instance, a finance country manager would assess the finance and compliance areas, and a production manager would assess the operational area. Because this process needs to promote employee participation, the risk catalog also includes the option to report other risks. In order to prevent errors, most of the fields are input from drop-down lists.

Once all questionnaires are completed by key staff in the different locations, the responses can be compiled using a macro. Reports to map risks or to build a risk matrix are also easy to obtain. Risk profiling reports may rank risks using the common formula frequency/probability (1 to 5) * impact/consequence (1 to 5).

This tool can be downloaded from here:
Generic Risk Assessment Tool.xlsm

The tool requires MS Excel 2007 with macros enabled. Please let me know if you need this file converted to other formats.

This tool is meant to be simple, fast to complete, open to collecting other risks and self-explanatory.

Notes: The applied risk catalog is a high-level collection of potential hazards for the oil industry. This tool is not intended to replace a robust system for risk assessment. This post is not intended to cover any methodology for risk estimation or details of other risk techniques.



Strategic Risk Management


Companies have been managing risks to seize opportunities since mercantilism. However, a company-wide framework to manage risks was developed only a few years ago. The first integrated framework for enterprise risk management was published by COSO in 2004. Strategic risks, which address the company´s ability to achieve business objectives within the stakeholders´ risk appetite, are still an immature field. In this post, I will give an overview of strategic risk management.

Risk management and governance can be improved by developing strategic risk management processes. These processes encompass the identification, assessment and management of the top risks in the business strategies. For a given risk tolerance, strategic risk management can assess the internal and external events that potentially affect the company's strategy to achieve its business objectives. This field is a concern of boards, directors and top management. The GRC approach should integrate it in order to align all the different business activities with common objectives. Additionally, the ERM approach should include prioritization processes to identify key risks (which are the input for strategic risks).

This area has not been properly developed in an integrated manner, or even resourced, by companies. Even so, it deserves attention from upper management and other stakeholders (e.g. risk rating agencies). There are increasing cases of catastrophic losses because of strategies that were not aligned with risk appetites (e.g. managing debts and investments in the 2008 crisis, dealing with cost volatility, poor data loss prevention measures, subordinated debt or lack of geographical diversification). In this world of “continuous surprises”, stakeholders´ value is neither protected nor created. Personally, I get the feeling that, in some cases, a specific control issue may get more attention and resources than identifying an emerging risk to the execution of a strategy.

There have been some recent developments to integrate strategies into a holistic approach. Strategic risk management can be linked to ISO 31000:2009, since top management is responsible for integrating this standard into the decision-making processes (which involve the strategies). Also developed during the last decade, the Return Driven Strategy framework integrates the strategic goals with the risk management goals. Unfortunately, these approaches are not usually put into practice by most companies.

Collusive Fraud Schemes and Controls


Risk specialists and auditors often fail to consider collusion in their fraud risk assessments. According to the ACFE, when two or more people are involved in a fraud scheme, the median losses are four times those from single perpetrators. In addition, collusive fraud is one of the most difficult types of risk to identify. In this post, I discuss collusive schemes and the measures to prevent them.

When one employee has permission to make a transaction and another employee has the right to approve the same transaction, fraud may occur if they collude with each other. Some collusive schemes involve redirecting payments, creating false invoice payments, misappropriating assets or creating non-purchase payments. These schemes can be carried out “below the radar”, since insiders usually know the company's controls and loopholes well and can plan the scheme better.

Besides effective segregation of duties practices, mitigation measures involve disclosure of vendor relationship by directors and employees, monitoring by business intelligence software and reporting unwillingness to share duties.

There are several business intelligence tools to detect and report transactions with collusion risks. Generally, they match the execution of critical transaction codes in SAP or another ERP with email or phone communications between related users within a short time. Some research was recently done to test collusion scenarios, and its results were positive in properly identifying transactions involving collusion risks. Data mining was also tested and found accurate in detecting collusive fraud networks. To be effective, both business intelligence and data mining tools have to link ERP information with other databases (emails, call logs, business directories).

Fraud 2.0 is here to stay.


Automation for GRC Management in Microsoft´s New Patent

In this post, I would like to discuss a recently published patent related to GRC. This patent was filed by Microsoft (US Patent # 2011/0112973 A1). It claims a computer-implemented method for the compliance management of regulations for entities. The method comprises operations for receiving a set of control objectives and entities to generate test results.

This patent covers a process hierarchy from business objectives and policies to compliance reports on test results. In the middle, there is a “compliance master framework” to organize control objectives in regulatory and IT terms, along with an “abstraction library” and a “configuration management database (CMDB)” to map compliance programs to entities. The CMDB concept was previously patented by a related team in 2006 (Anthony Baron et al.). Some of the terms in this patent seem to be very broadly defined; for instance, the “abstraction library may support mapping the detailed reality of the real world into abstract layers" (sic).

Microsoft offers GRC management solutions, which incorporate compliance software and risk management software. These solutions are designed to help organizations comply with current regulations, manage their risk, and facilitate required corporate disclosures. This patent shows Microsoft´s interest in continuing developing these solutions.

You can view or download this patent from my Box.net service: http://www.box.net/shared/uu58jmzqbbv2ap3stdht. It is interesting to read.

The inventor is Ashvinkumar J. Sanghvi. He has been filing patents related to the automation of policies and procedures for information technology management for a decade. He has already claimed 44 patents at the USPTO.

Software patenting has a role in GRC in addressing the automation of controls and tests and, hopefully, in reducing errors and human intervention.

SAP and Business Cycle Controls for SOX 404


The IT department is well aware of SOX IT controls. However, this department may also assist by providing information for business cycle testing to comply with SOX. It is important that IT and SAP process owners know what to expect from these audits. Some auditors will not have the access privileges or the knowledge to perform data extractions in SAP, in which case they need the assistance of IT. In this post, I explain what a SOX auditor usually covers when reviewing processes based on SAP.

1- Incompatible SAP Accesses for a Business Process
A SOX auditor would ask for a list of users with access to critical transactions. The definition of critical transactions depends on each company and process. However, most of the critical accesses are related to posting, creating and approving key transactions. Customized transactions (Y and Z) are also reviewed when they involve high-risk approvals. Manual tasks (e.g. signing checks or approving reconciliations) are usually added to this analysis. Please refer to my post listing the most common Segregation of Duties Conflicts in SAP for further details.

2- Inconsistencies in SAP Master Files
A SOX auditor would ask for master files to check for inconsistencies. Most of this audit work consists of applying filters within the same table or linking different tables. SOX auditors need to check the standardization of business processes and flows. For instance, SOX auditors would review customer credit limits (RF02L), tolerance keys (T169G), customer/vendor masters (e.g. addresses, banks, duplications, payment terms, tax codes), and exchange rates (TCURR).

3- Inconsistencies in SAP Parameters
SOX auditors would ask for some parameters in SAP. Typically, they need to ensure that the 3-way match is set, that posting periods are limited in time, that approval flows are reasonable (parking and approving FI documents), that approver delegations (FMWF_MDRUL) follow internal guidelines, etc.

4- Inconsistencies in custom interfaces to SAP
SOX auditors would walk through and test SAP interfaces with external applications (generally related to eBanking and eBusiness). Their concerns are data integrity and security.
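To make point 2 concrete, here is an added example (not code from the original post) of the kind of checks an auditor runs over a vendor-master extraction: duplicate bank accounts across vendor IDs, near-duplicate names, unapproved payment terms, missing tax codes and a bank country that differs from the vendor's country. The records, the field names and the approved-terms set are constructed assumptions; in practice the data comes from the extraction IT provides.

```python
"""Vendor-master consistency checks of the kind a SOX auditor applies to an
extraction of customer/vendor master data (addresses, banks, duplicates,
payment terms, tax codes).

Added example, not code from the original post. The records and the
approved-terms set are constructed; field names are assumptions chosen to
mirror the attributes the auditor asks IT to extract.
"""
import re
from collections import defaultdict

# Constructed sample extraction (not real vendors). The bank accounts are
# published example IBAN values or obvious placeholders, not real accounts.
VENDORS = [
    {"id": "100001", "name": "Acme Supplies GmbH", "city": "Berlin", "country": "DE",
     "bank_country": "DE", "bank_account": "DE89370400440532013000",
     "payment_terms": "Z030", "tax_code": "V1"},
    {"id": "100002", "name": "ACME SUPPLIES GMBH.", "city": "Berlin", "country": "DE",
     "bank_country": "DE", "bank_account": "DE89370400440532013000",
     "payment_terms": "Z030", "tax_code": "V1"},
    {"id": "100003", "name": "Northwind Traders", "city": "Boston", "country": "US",
     "bank_country": "KY", "bank_account": "KY00EXAMPLE000000000001",
     "payment_terms": "Z000", "tax_code": "V0"},
    {"id": "100004", "name": "Globex Corp", "city": "Leeds", "country": "GB",
     "bank_country": "GB", "bank_account": "GB29NWBK60161331926819",
     "payment_terms": "Z999", "tax_code": ""},
]

# Constructed policy: the payment-term keys the company has approved.
APPROVED_PAYMENT_TERMS = {"Z000", "Z030", "Z060"}

LEGAL_FORMS = r"\b(gmbh|ltd|inc|corp|llc|sa|ag|plc)\b"


def normalize_name(name):
    """Lower-case, drop punctuation and legal-form suffixes so that
    'Acme Supplies GmbH' and 'ACME SUPPLIES GMBH.' collide."""
    text = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    text = re.sub(LEGAL_FORMS, " ", text)
    return " ".join(text.split())


def find_duplicate_bank_accounts(vendors):
    """Different vendor IDs sharing one bank account: a classic duplicate or
    redirected-payment indicator."""
    by_account = defaultdict(list)
    for v in vendors:
        if v["bank_account"]:
            by_account[v["bank_account"]].append(v["id"])
    return {acct: ids for acct, ids in by_account.items() if len(ids) > 1}


def find_duplicate_names(vendors):
    """Vendors whose normalized name and city coincide."""
    by_key = defaultdict(list)
    for v in vendors:
        by_key[(normalize_name(v["name"]), v["city"].lower())].append(v["id"])
    return {key: ids for key, ids in by_key.items() if len(ids) > 1}


def find_policy_exceptions(vendors, approved_terms):
    """Per-record checks: unapproved payment terms, missing tax code, and a
    bank country that differs from the vendor's own country."""
    findings = []
    for v in vendors:
        if v["payment_terms"] not in approved_terms:
            findings.append((v["id"], "payment_terms", v["payment_terms"]))
        if not v["tax_code"]:
            findings.append((v["id"], "tax_code", "missing"))
        if v["bank_country"] != v["country"]:
            findings.append((v["id"], "bank_country",
                             f"{v['bank_country']} != {v['country']}"))
    return findings


def run_checks(vendors=VENDORS, approved_terms=APPROVED_PAYMENT_TERMS):
    """Bundle the three checks into one work-paper structure."""
    return {
        "duplicate_bank_accounts": find_duplicate_bank_accounts(vendors),
        "duplicate_names": find_duplicate_names(vendors),
        "policy_exceptions": find_policy_exceptions(vendors, approved_terms),
    }


if __name__ == "__main__":
    for section, result in run_checks().items():
        print(section, result)
```

The name normalization is deliberately crude (lower-case, strip punctuation and legal forms); it catches the common re-keyed duplicates without a fuzzy-matching library, and every hit is a lead for the auditor to confirm against the source documents, not a finding by itself.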

Get the latest in corporate governance, risk, and compliance on  Twitter
 

Audit Procedures for FCPA Testing



FCPA compliance programs that require periodic testing of the anti-bribery controls are useful for revealing issues or areas of vulnerability. In this post, I detailed some common audit procedures for FCPA testing.

High Level Controls

Review the existence of:
1. clearly articulated FCPA policies and procedures for company personnel, directors, and intermediaries,
2. proper FCPA policy communication to all levels of employees including translations for overseas employees,
3. mandatory training for FCPA awareness (especially to sales, legal, internal auditing, accounting, and management teams; when necessary also to agents, sub-agents and business partners),
4. a compliance hotline or other effective whistleblower process,
5. assignment of responsibility to one or more senior corporate executives with responsibility to monitor FCPA compliance,
6. appropriate disciplinary procedures to address violations, and
7. a facilitation payments account.

Work with legal advisors and business managers to identify international business agreements, contracts that were not competitively offered, governmental disputes, tax deficiencies, or any commercial litigation in foreign courts.

Commercial Cycle

Identify and audit transactions with customers, suppliers and distributors that are public companies or that involve a one-time payment.

Review discounts, rebates, refunds, promotional programs or other invoice “adjustments.”

Perform audits for key agents or distributors.

Analyze commission and finder’s fee payments.

Audit government contracts.

Review standard provisions in agreements, contracts, and renewals for compliance with the company’s policies and the requirements of the FCPA.

Evaluate favorable or abnormal credit terms or lower than fair market prices.

Identify unusual duties or taxes, or shipments involving excessive processing or shipping charges.

Services and Fees Cycle

Scrutinize payments made to consultants, sales representatives, agents, attorneys, lobbyists, marketers (red flag unspecified services and lack of deliveries). Ensure they are fulfilling a legitimate business need and there is a written rationale for their use. Check if their qualifications and resources allow performing the services billed.

Confirm that commissions and bonuses are in expected and reasonable ranges.

Audit accounts related to FCPA risks: gifts, hospitality, entertainment, travel, rebates, refunds, commissions, donations, professional fees, event expenses, credit card advances, logistics and shipping expenses, and so forth.

Query transactions for related keywords in different languages (e.g. commission, fee, discount, charitable, bonus, pay to play, comps, expedite).

Treasury Cycle

Flag unusual payments or financial arrangements (e.g. involving consultants, to offshore holding companies, or to countries where the company does not operate).

Review cash payments and bank transactions with rounded values.

Monitor charitable and political contributions.

Review employee expense reports and track high-risk expenses (e.g. entertainment) for government employees. Check that expense reports or direct invoices are submitted to A/P.
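The commercial, services-and-fees and treasury cycle steps above all come down to screening payment lines against a few rules. The following added example (not code from the original post) applies them to a constructed set of payments: multilingual keyword search with accent stripping, rounded-value amounts, cash payments, counterparties outside the company's operating footprint, and consultant/agent payments with no contract reference. The payment lines, the keyword stems (English, Spanish and Portuguese) and the footprint set are assumptions.

```python
"""Transaction screening rules for the commercial, services-and-fees and
treasury cycle steps: multilingual keyword search, rounded-value payments,
cash payments, counterparties outside the operating footprint, and
consultant/agent payments without a contract reference.

Added example, not from the original post. The payment lines, the keyword
lists and the operating-footprint set are constructed assumptions.
"""
import re
import unicodedata

# Constructed: countries where the company actually operates.
OPERATING_FOOTPRINT = {"US", "MX", "BR", "DE"}

# Constructed: vendor categories whose payments require a written rationale.
SCRUTINIZED_VENDOR_TYPES = {"consultant", "agent", "attorney", "lobbyist", "marketer"}

# English label -> regex stems matched against accent-stripped, lower-cased
# text. Stems cover English, Spanish and Portuguese variants (assumption:
# the languages of the sample entities).
KEYWORDS = {
    "commission": [r"\bcommiss", r"\bcomis"],           # commission, comision, comissao
    "fee": [r"\bfees?\b", r"\bhonorar"],                 # fee(s), honorarios
    "discount": [r"\bdiscount", r"\bdescuento", r"\bdesconto"],
    "charitable": [r"\bcharit", r"\bdonac", r"\bdoac"],  # charitable, donacion, doacao
    "bonus": [r"\bbonus", r"\bbono\b"],
    "pay to play": [r"\bpay to play\b"],
    "comps": [r"\bcomps?\b"],
    "expedite": [r"\bexpedit", r"\bagiliz"],             # expedite, agilizar/agilizacao
}

# Constructed sample payment lines (ids, vendors and amounts are invented).
PAYMENTS = [
    {"id": "P001", "vendor": "Consultoria Delta", "vendor_type": "consultant",
     "country": "MX", "amount": 25000.00, "method": "wire",
     "description": "Honorarios por servicios", "contract_ref": ""},
    {"id": "P002", "vendor": "Office Depot", "vendor_type": "supplier",
     "country": "US", "amount": 1234.56, "method": "wire",
     "description": "Printer toner, PO 4500012345", "contract_ref": "PO-4500012345"},
    {"id": "P003", "vendor": "Caribbean Holdings Ltd", "vendor_type": "other",
     "country": "KY", "amount": 50000.00, "method": "wire",
     "description": "Advisory fee", "contract_ref": "C-0099"},
    {"id": "P004", "vendor": "Petty cash", "vendor_type": "employee",
     "country": "BR", "amount": 3000.00, "method": "cash",
     "description": "Comissão de agilização aduaneira", "contract_ref": ""},
]


def normalize(text):
    """Lower-case and strip accents so 'comissão' and 'comisión' match the
    same stem family as 'commission'."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def keyword_hits(description):
    """English labels of every keyword family found in the description."""
    text = normalize(description)
    return [label for label, stems in KEYWORDS.items()
            if any(re.search(stem, text) for stem in stems)]


def is_round_amount(amount, step=1000):
    """Rounded values: multiples of `step` at or above `step`."""
    return amount >= step and abs(amount % step) < 0.005


def screen_payment(p, footprint=OPERATING_FOOTPRINT):
    """Return the list of red flags raised by one payment line."""
    flags = [f"keyword:{label}" for label in keyword_hits(p["description"])]
    if is_round_amount(p["amount"]):
        flags.append("round_amount")
    if p["method"] == "cash":
        flags.append("cash_payment")
    if p["country"] not in footprint:
        flags.append("outside_footprint")
    if p["vendor_type"] in SCRUTINIZED_VENDOR_TYPES and not p["contract_ref"]:
        flags.append("no_contract_ref")
    return flags


def screen_payments(payments=PAYMENTS, footprint=OPERATING_FOOTPRINT):
    """Map payment id -> flags, keeping only flagged lines."""
    result = {}
    for p in payments:
        flags = screen_payment(p, footprint)
        if flags:
            result[p["id"]] = flags
    return result


if __name__ == "__main__":
    for pid, flags in screen_payments().items():
        print(pid, ", ".join(flags))
```

Short stems such as `fee` use word boundaries so that "coffee" does not trigger a hit; the accent stripping is what lets one stem cover the Spanish and Portuguese spellings the post asks auditors to search for.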

Risk Mapping Indicators

FCPA risk by country (history of corruption, Corruption Perceptions Index by Transparency International).

Nature of company products (higher risks in oil & gas, energy, infrastructure, communications, medical equipment and relating to regulated markets).

Known red flags

Joint ventures, partial ownership, and collaborative arrangements with governmental entities.

Sales channels that involve contact with government officials or require the use of third parties (before and after sales).

Transactions involving regulators.

Useful Reference for an FCPA Audit Program


Do all failed SOX controls have to be remediated?


It is clear that Management is not required to test all controls in all business units for SOX 404 compliance. Only those that affect significant accounts and disclosures in the financial statements, or that involve significant risks, are scoped. However, it is commonly believed that all failed controls have to be remediated by fiscal year end.

Management and business process owners can choose not to remediate failed low-risk exceptions when the improvement plan is not practical or cost effective in the long term. For several companies, the remediation phase is where significant effort and money are spent. This decision should be communicated to the auditors to get their feedback.

Some aspects of the unremediated deficiencies should be considered, including the effect on the overall risk matrix if the failed control compensates for others, and whether individual deficiencies aggregate into a greater weakness. In other words, unremediated control deficiencies should not rise to the level of a significant deficiency. Less frequent controls, or controls on processes (as opposed to entity-level controls), may indicate that the remediation plan could be postponed.

Conversely, general control deficiencies that have been properly communicated to Management and the Audit Committee and remain uncorrected after a reasonable period of time are a strong indicator of a material weakness.


Do you want to see how your country compares to others for FCPA interest?

I am particularly interested in the impact of FCPA compliance in different countries. I am trying to calculate an indicator to link the compliance risk with the interest in anti-bribery by the local news for each country. In my last attempt, I selected 3 words that would be highly related to an article about this issue. I selected the keywords: fcpa, bribery and whistleblower. Then, I used the regional filter in the Google advanced search menu to get the number of hits for those keywords (both in English and the national language). Based on my interests, I covered 16 countries in this research. Finally, I compared the number of FCPA related hits by country with the sum of imports and exports to the US in closed months in 2011.

You can see my results here: http://www.box.net/files#/files/0/f/89454416/1/f_766231804


According to this method, it seems that most of the relative interest in FCPA is coming from Saudi, UK, Australia and Germany. I would expect less risk of anti-bribery compliance in those countries. On the opposite side, we have Mexico, China, Japan and Canada. In the middle interest areas, we have (in this order) Canada, France, South Africa, Russia, Brazil, Turkey, Spain and India.


I think that this method can be improved (e.g. I need to check translations). However, it would be an effective analysis to get tendencies and risks. Any thoughts?





Bribery & Corruption Perception World Map * Transparency International 2010

The top 20 most critical segregation of duties conflicts in SAP

SOX audits require checking that incompatible tasks and system rights are assigned to different individuals in order to avoid conflicts of duties. Segregation of duties (SOD) has always been an important component of the control environment because of its impact on fraud prevention and on the alignment between IT and the business. SOD reinforces the IT principle of least privilege. Both manual tasks (e.g. approvals by signature) and system roles should be included in these audits. The type and number of conflicts between transactions are always a challenge for SOX scoping. For instance, SAP reports more than 150 high-risk incompatibilities. In business practice, it may be hard to understand the risks associated with a reported conflict.

Even though SAP provides an extensive framework for maintaining role-based security (e.g. RSUSR008, RSUSR009), several tools to simplify the audit process have been launched (e.g. Virsa, Approva and CSI). All this complexity was a challenge for the compliance function when creating solid policies and educating staff about SOD.

I created a list of the top 20 most critical segregation of duties conflicts in SAP to help in this process. It includes both the incompatibility of transactions and the fraud/error risk for SOX compliance. I selected the most sensitive transactions, the riskiest and most frequent situations, and their reported incompatibilities.

For the complete list of high risk SOD conflicts in SAP: http://www.box.net/shared/am4bsvi8i5

CR04 Process CRM Sales Order + SD02 Delivery Processing = A user could create a fictitious sales order to cover up an unauthorized shipment.
CR04 Process CRM Sales Order + CR07 CRM Billing = Inappropriately create or change sales documents and generate the corresponding billing document in CRM.
CR05 Service Order Processing + CR06 Service Confirmation = Enter fictitious service orders for personal use and accept the services through service acceptance. The user could prompt fraudulent payments. In addition, spare parts could be fraudulently issued from inventory as a result of the confirmation.
SR01 EBP / SRM Vendor Master + SR03 EBP / SRM Invoicing = Maintain a fictitious vendor and enter an invoice to be included in the automatic payment run.
FI03 Bank Reconciliation + SR03 EBP / SRM Invoicing = A user can hide differences between bank payments and posted AP records.
SR01 EBP / SRM Vendor Master + SR07 EBP / SRM PO Approval = Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor.
SR01 EBP / SRM Vendor Master + SR09 EBP / SRM Maintain Org Structure = Create or maintain a fictitious vendor and manipulate the organizational structure to bypass approvals or secondary checks.
AR02 Cash Application + FI03 Bank Reconciliation = Allows differences between cash deposited and cash collections posted to be covered up.
MM04 Goods Movements + MM02 Enter Counts - IM + MM04 Clear Differences - IM = Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards.
MM04 Goods Movements + MM03 Enter Counts & Clear Diff - IM = Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards.
PR01 Vendor Master Maintenance + AP02 Process Vendor Invoices = Maintain a fictitious vendor and enter a vendor invoice for automatic payment.
PR01 Vendor Master Maintenance + PR02 Maintain Purchase Order = Create a fictitious vendor and initiate purchases to that vendor.
PR02 Maintain Purchase Order + MM03 Enter Counts & Clear Diff - IM = Inappropriately procure an item and manipulate the IM physical inventory counts to hide it.
FI03 Bank Reconciliation + AP02 Process Vendor Invoices = Hide differences between bank payments and posted AP records.
PR04 PO Approval + MM02 Enter Counts - IM + MM04 Clear Differences - IM = Release a non-bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts.
PR01 Vendor Master Maintenance + PR05 Purchasing Agreements = Risk of entering fictitious purchasing agreements and a fictitious vendor, or of modifying an existing vendor, especially its account data.
AP01 AP Payments + FI03 Bank Reconciliation = Risk of entering unauthorized payments and reconciling them with the bank as the same person.
PR02 Maintain Purchase Order + MM02 Enter Counts - IM = Inappropriately procure an item and manipulate the IM physical inventory counts to hide it.
PR04 PO Approval + MM03 Enter Counts & Clear Diff - IM = Release a non-bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts.
AP04 Manual Check Processing + FI03 Bank Reconciliation = Risk of entering unauthorized manual payments and reconciling them with the bank as the same person.
SD01 Maintain Customer Master Data + AR01 AR Payments = Create a fictitious customer and initiate payment to the unauthorized customer.
SD01 Maintain Customer Master Data + AR05 Maintain Billing Documents = A user can create a fictitious customer and then issue invoices to that customer.
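The list above is a ruleset; the audit step from the SAP SOX post (list the users holding critical transactions, including manual tasks, and find who holds both sides of a conflict) is mechanical once the ruleset and the user-to-transaction extraction are in hand. The following added example (not the post's own list, nor code from SAP or any SOD tool) encodes a subset of the pairs above as sets of business functions and evaluates them against a constructed user extraction. The mapping from the post's function codes to SAP transaction codes is an assumption (the tcodes are real, but which ones belong to each function is a decision each company makes in its own ruleset), the manual task MANUAL:SIGN_CHECKS standing in for AP04 is an assumption, and the users are invented.

```python
"""Segregation-of-duties check over a user-to-transaction extraction, using
conflict pairs from the list above.

Added example, not the post's own list or any SAP or vendor tool. The mapping
from the post's business-function codes to SAP transaction codes is an
assumption, and the user assignments and the manual task are constructed.
"""

# Assumed mapping: business function code -> transaction codes (or manual
# tasks) that grant it. Manual tasks carry a MANUAL: prefix so they can be
# mixed with system rights, as the post recommends.
FUNCTION_TCODES = {
    "PR01": {"FK01", "FK02", "XK01", "XK02"},   # Vendor Master Maintenance
    "AP02": {"FB60", "MIRO"},                   # Process Vendor Invoices
    "PR02": {"ME21N", "ME22N"},                 # Maintain Purchase Order
    "AP01": {"F110", "F-53"},                   # AP Payments
    "FI03": {"FF67", "FEBA"},                   # Bank Reconciliation
    "AP04": {"MANUAL:SIGN_CHECKS"},             # Manual Check Processing (manual task, assumed)
    "SD01": {"FD01", "FD02", "XD01"},           # Maintain Customer Master Data
    "AR01": {"F-28"},                           # AR Payments
    "AR05": {"VF01", "VF02"},                   # Maintain Billing Documents
}

# Conflict rules taken from the list above (subset). A rule fires when a user
# holds every function in the set, so three-way rules work the same way.
CONFLICT_RULES = [
    (frozenset({"PR01", "AP02"}), "Maintain a fictitious vendor and enter a vendor invoice for automatic payment."),
    (frozenset({"PR01", "PR02"}), "Create a fictitious vendor and initiate purchases to that vendor."),
    (frozenset({"FI03", "AP02"}), "Hide differences between bank payments and posted AP records."),
    (frozenset({"AP01", "FI03"}), "Enter unauthorized payments and reconcile them with the bank as the same person."),
    (frozenset({"AP04", "FI03"}), "Enter unauthorized manual payments and reconcile them with the bank as the same person."),
    (frozenset({"SD01", "AR01"}), "Create a fictitious customer and initiate payment to it."),
    (frozenset({"SD01", "AR05"}), "Create a fictitious customer and issue invoices to it."),
]

# Constructed sample: user -> transaction codes and manual tasks actually held.
# In practice this comes from the role/user extraction IT provides.
USER_ACCESS = {
    "JSMITH": {"FK01", "FB60", "ME21N", "SU3"},
    "AJONES": {"FF67", "MANUAL:SIGN_CHECKS"},
    "MLEE": {"FD01", "VF01"},
    "RKIM": {"FB60", "ME23N"},
}


def functions_held(tcodes, function_map=FUNCTION_TCODES):
    """A user holds a function if any of its tcodes/tasks is assigned."""
    return {func for func, codes in function_map.items() if tcodes & codes}


def conflicts_for_user(tcodes, rules=CONFLICT_RULES, function_map=FUNCTION_TCODES):
    """(sorted function tuple, risk text) for every rule the user's access
    satisfies in full."""
    held = functions_held(tcodes, function_map)
    return [(tuple(sorted(funcs)), risk) for funcs, risk in rules if funcs <= held]


def find_conflicts(user_access=USER_ACCESS, rules=CONFLICT_RULES,
                   function_map=FUNCTION_TCODES):
    """Map user -> conflicts, omitting users with none."""
    report = {}
    for user, tcodes in user_access.items():
        hits = conflicts_for_user(tcodes, rules, function_map)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in find_conflicts().items():
        for funcs, risk in hits:
            print(f"{user}: {' + '.join(funcs)} -> {risk}")
```

Keeping the function-to-tcode mapping separate from the conflict rules is what makes the ruleset maintainable: when a company adds a custom Z transaction that posts invoices, it extends AP02 once rather than editing every rule that mentions invoicing, and rules with three functions (like the MM02 + MM04 combinations above) need no special handling because the check is a subset test.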

Success Factors in Risk Management

Enterprise risk management (ERM) requires continuous monitoring of internal and external factors to seize opportunities to achieve and exceed the company's objectives. In this post, I collected some success practices to facilitate this process.

1- The Internal Audit (IA) or ERM group needs to formally update its risk assessment at least annually. Risk areas should include at least the following: Strategic & Marketing, Fraud, Financial, Treasury & Credit, Operational, Legal & Regulatory and External & Environmental.
2- ERM needs to be integrated into the budget and business planning processes. Its metrics need to be used for reward analysis.
3- Only involve the stakeholders and locations that need to be part of the risk assessment process, depending on the current risk tolerance, company position and attitudes.
4- I recommend both top-down and bottom-up risk assessments to identify, understand, share, and value emerging risks. Both approaches should be balanced to cover both concrete risk details and abstract mindsets. A common risk language needs to be shared throughout the organization. Risks identified in previous audit reviews and other external sources (e.g. industry information or publications from the Corporate Executive Board) also need to be included.
5- Select a proper information channel within your company to identify and follow up risks (e.g. questionnaires, web forms, focus groups, interviews). Efficient communication throughout this process is a must. Lead the risk identification process by relating information from different areas, indicating detected weaknesses and asking about your suspicions. Look for any "snowball effects".
6- Include not only risk likelihood and impact, but also risk velocity and the control environment in the assessments.
7- Risk inventories need to be updated frequently to include new emerging risks.
8- Executive Management and the Audit Committee need to be presented with those assessments, prioritized and consolidated by risk area (based on the internal risk-ranking methodology and shown in a heat map).
9- The IA or ERM group formally monitors risks and reviews the organization's top risks with the Board on a quarterly basis.
10- Establish ownership for each risk and its action plans. Define objectives and expected outcomes for risks for both the short and long term. Identify strategies to deal with key risks and apply them consistently. Also include contingency plans at this stage.
11- Follow up the risk status and the owners' responses on a periodic basis.
12- Internal audit efforts (and, if feasible, SOX audits as well) should be linked to key risks to ensure efficient coverage.
13- The effectiveness of the actions taken needs to be reviewed (cost-benefit analysis).


Challenges for Operational Risk Modeling

Typical models for operational risk quantification capture management forecasts of risk event likelihood (probability) and impact (dollar cost).
Today, there are new challenges for these assessments:
1) to support resource allocation decisions (investments), and
2) to become integrated into company risk reporting and management.
Additionally, assessments can be used to identify root causes of lagging performance. In future posts, I will cover how operational risk assessments can provide early warnings of potential problems.

These risk models are classified into activities and functions. Functions are related to core operations, transaction support, customer service, trading management, and finance & accounting. Activities typically included are marketing & sales, financial processing, infrastructure, external, corporate event, and client intake.

Significant risk events can be identified by analyzing historical trends in past function/activity patterns. These historical trends can be compiled from booked costs (e.g. legal provisions) and create a more defensible rationale for the assessment. It can also be done by reviewing historical KPIs and dashboards. More precisely, dashboards can be aligned to the risk management practice and its strategic agenda. Several indicators can track operational performance using a broad set of metrics on financial performance (ROI, growth), operational performance (product excellence, market share), and human talent (leadership, rotation, job satisfaction).

By adding historical cost trends and metrics (such as KPIs and dashboards), the operational risk mapping can support decisions on new investment and be integrated into the company's reporting systems.
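As an added example (not code from the original post), the following script does what the two paragraphs above describe: it takes booked loss events per function and activity, derives annual event frequency, mean severity and expected annual loss, reads the year-on-year trend, and compares the result with management's likelihood/impact forecast so that forecasts that history contradicts stand out. The loss events (labelled as legal provisions booked by year) and the forecasts are constructed; the thresholds used for "rising" and "underestimated" are assumptions.

```python
"""Quantifying operational risk from booked historical costs: per function,
derive annual event frequency and mean severity, compute expected annual
loss, read the trend, and compare with management's likelihood/impact
forecast.

Added example, not from the original post. The loss events (e.g. legal
provisions booked per year) and the management forecasts are constructed.
"""
from collections import defaultdict

# Constructed loss history: (year, function, activity, booked cost).
LOSS_EVENTS = [
    (2009, "finance & accounting", "financial processing", 12000.0),
    (2009, "customer service", "client intake", 5000.0),
    (2010, "finance & accounting", "financial processing", 18000.0),
    (2010, "finance & accounting", "financial processing", 6000.0),
    (2010, "customer service", "client intake", 4000.0),
    (2011, "finance & accounting", "financial processing", 30000.0),
    (2011, "core operations", "infrastructure", 50000.0),
    (2011, "finance & accounting", "financial processing", 9000.0),
]

# Constructed management forecast: function -> (annual likelihood, impact).
FORECASTS = {
    "finance & accounting": (0.5, 20000.0),
    "customer service": (0.8, 4000.0),
    "core operations": (0.1, 60000.0),
}


def summarize(events=LOSS_EVENTS):
    """Per-function frequency, severity and expected annual loss over the
    whole observed window (years with zero events still count as years)."""
    years = sorted({e[0] for e in events})
    n_years = years[-1] - years[0] + 1
    by_func = defaultdict(list)
    for year, func, _activity, cost in events:
        by_func[func].append((year, cost))
    summary = {}
    for func, items in by_func.items():
        cost_by_year = {y: 0.0 for y in range(years[0], years[-1] + 1)}
        for year, cost in items:
            cost_by_year[year] += cost
        total = sum(cost for _, cost in items)
        summary[func] = {
            "events": len(items),
            "annual_frequency": len(items) / n_years,
            "mean_severity": total / len(items),
            "expected_annual_loss": total / n_years,
            "cost_by_year": cost_by_year,
        }
    return summary


def trend(cost_by_year, tolerance=0.1):
    """'rising' if the latest year exceeds the mean of earlier years by more
    than `tolerance`, 'falling' if below it by more, else 'flat'."""
    years = sorted(cost_by_year)
    latest = cost_by_year[years[-1]]
    earlier = [cost_by_year[y] for y in years[:-1]]
    if not earlier:
        return "flat"
    baseline = sum(earlier) / len(earlier)
    if baseline == 0:
        return "rising" if latest > 0 else "flat"
    ratio = latest / baseline
    if ratio > 1 + tolerance:
        return "rising"
    if ratio < 1 - tolerance:
        return "falling"
    return "flat"


def rank_by_expected_loss(summary):
    """Functions ordered from highest to lowest expected annual loss."""
    return sorted(summary, key=lambda f: summary[f]["expected_annual_loss"], reverse=True)


def compare_forecast(summary, forecasts=FORECASTS, tolerance=0.25):
    """Flag functions where management's likelihood x impact is more than
    `tolerance` below (underestimated) or above (overestimated) history."""
    verdicts = {}
    for func, stats in summary.items():
        if func not in forecasts:
            verdicts[func] = "no forecast"
            continue
        likelihood, impact = forecasts[func]
        forecast_loss = likelihood * impact
        historical = stats["expected_annual_loss"]
        if forecast_loss < historical * (1 - tolerance):
            verdicts[func] = "underestimated"
        elif forecast_loss > historical * (1 + tolerance):
            verdicts[func] = "overestimated"
        else:
            verdicts[func] = "consistent"
    return verdicts


if __name__ == "__main__":
    s = summarize()
    for func in rank_by_expected_loss(s):
        st = s[func]
        print(f"{func}: EAL {st['expected_annual_loss']:.0f}, "
              f"freq {st['annual_frequency']:.2f}/yr, trend {trend(st['cost_by_year'])}")
    print(compare_forecast(s))
```

Two design points matter for a defensible rationale: the window length is taken from the first to the last observed year so that quiet years lower the frequency instead of being silently dropped, and a function with a single large event (core operations here) still ranks high on expected loss even though its frequency is low, which is exactly the case where a likelihood-only forecast tends to understate the exposure.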

Value Of An Active FCPA Compliance Program

The Foreign Corrupt Practices Act (FCPA) was passed by Congress in 1977 and outlaws bribery (so-called facilitating payments) of foreign government officials by companies (including SEC-regulated ones) seeking to obtain business deals abroad. Though hardly ever enforced until the mid-90s, international business expansion (especially in developing countries) and more government prosecution have increased the likelihood of FCPA violations. Global companies must heed recent FCPA enforcement trends in order to adjust their compliance efforts accordingly. It is equally important to note that the "books and records" provisions are also affected by bribery schemes.

Generally, FCPA violations take place on the front line, but in some cases they reach upper levels. This increases the corporate reputational risk. Prosecution of companies almost always entails out-of-court plea agreements to minimize this risk.

Compliance audit has a major role in this area in minimizing the impact. In past years, the Department of Justice has persistently prosecuted companies that maintain poor compliance programs. If prosecuted companies cannot demonstrate active and comprehensive compliance programs and independent investigations of suspicious activities, the Department of Justice has considerable leverage to impose harsher punishments, since most cases are plea-bargained. Therefore, it is in companies' favor to actively investigate incidents, even those founded only on constructive knowledge.

I have prepared a table with the cost impact of the three major FCPA fines applied (Siemens, Baker Hughes and Willbros Group). On average, it shows that the total cost of the allegations rose to 5.33 times the prosecuted facilitating payment.