KPMG FORENSIC Fraud Risk Management


Developing a Strategy for Prevention, Detection, and Response

ADVISORY

© 2006 KPMG International. KPMG International is a Swiss cooperative that serves as a coordinating entity for a network of independent firms operating under the KPMG name. KPMG International provides no services to clients. Each member firm of KPMG International is a legally distinct and separate entity and each describes itself as such. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International.

Contents

Foreword 1
Executive Summary 2
Defining Fraud and Misconduct 4
Convergence of Regulatory Challenges 5
The Key Objectives: Prevention, Detection, Response 6
Prevention 8
Detection 14
Response 17
An Ongoing Process 20
Conclusion 23
Appendix: Selected International Governance and Antifraud Criteria 24

Foreword

Instances of corporate fraud and misconduct remain a constant threat to public trust and confidence in the capital markets. As organizations strive to achieve compliance with an array of new antifraud laws and regulations that are not prescriptive on the design of controls in this area, management’s agenda is focusing on efforts to:

- Understand the fraud and misconduct risks that can undermine their business objectives
- Determine whether antifraud programs and controls are actually effective in reducing instances of fraud and misconduct
- Gain insight on better ways to design and evaluate controls to prevent, detect, and respond appropriately to fraud and misconduct
- Reduce exposure to corporate liability, sanctions, and litigation that may arise from violations of law or market expectations
- Derive practical value from compliance investments by creating a sustainable process for managing risk and improving performance
- Achieve the highest levels of business integrity through sound corporate governance, internal control, and transparency.

This white paper provides an overview of fraud risk management fundamentals, identifies new regulatory mandates from around the world, and spotlights key practices that organizations have generally found to be effective in the current environment.

We hope this perspective provides fresh insights as you consider the risks of fraud at home and abroad, and the effectiveness of controls you rely on to mitigate those risks.

Adam Bates
Global Chairman, KPMG Forensic

Executive Summary

In the wake of high-profile corporate scandals as well as new regulations worldwide, many business leaders are increasingly aware of the need to create company-specific antifraud measures to address internal corporate fraud and misconduct. While acknowledging that no single approach to fraud risk management can fit every organization’s needs, this white paper spotlights key practices that organizations have generally found to be effective when tailoring a company-specific antifraud program, and offers a strategic approach to aligning corporate values with performance.

The Business Imperative

As companies achieve compliance with new antifraud laws and regulations, their agendas center on management’s efforts to:

- Understand fraud and misconduct risks that can undermine their business objectives
- Reduce exposure to corporate liability, sanctions, and litigation
- Achieve the highest levels of business integrity through sound corporate governance, internal control, and transparency.

Fraud: Any intentional act committed to secure an unfair or unlawful gain.

Misconduct: A broad concept, generally referring to violations of law, regulations, internal policies, and market expectations of ethical business conduct.

Convergence of Regulatory Challenges

In recent years, a variety of laws and regulations have emerged worldwide, providing organizations with an array of criteria to incorporate into their antifraud efforts. These laws include:

- Australia: The Corporate Law Economic Reform Program (Audit Reform & Corporate Disclosure) Act 2004
- Canada: The Canadian Criminal Code
- European Union: Financial Services Action Plan (FSAP)
- United Kingdom: Companies (Audit, Investigations, and Community Enterprise) Act of 2004
- United States: The USA PATRIOT Act, the Foreign Corrupt Practices Act, the Sarbanes-Oxley Act of 2002, SAS 99, various NYSE & NASDAQ listing standards, and Public Company Accounting Oversight Board (PCAOB) Standard #2

The Key Objectives: Prevention, Detection, Response

An effective, business-driven fraud risk management approach encompasses controls that have three objectives:

- Prevent. Reduce the risk of fraud and misconduct from occurring.
- Detect. Discover fraud and misconduct when it occurs.
- Respond. Take corrective action and remedy the harm caused by fraud or misconduct.

Pulling It All Together

The challenge for companies is to develop a comprehensive effort to:

- Understand all of the various control frameworks and criteria that apply to them.
- Categorize risk assessments, codes of conduct, and whistleblower mechanisms into corporate objectives.
- Create a broad-ranging program that manages and integrates fraud prevention, detection, and response efforts.

An Ongoing Process

Effective fraud risk management provides an organization with tools to manage risk in a manner consistent with regulatory requirements as well as the entity’s business needs and marketplace expectations. Such an approach has four phases:

- Assess Risks. Identify the scope of the analysis and key stakeholders, profile the current state of fraud risk management, set targets for improvement, and define steps necessary to close the “gap.”
- Design. Develop a broad-ranging program that encompasses controls to prevent, detect, and respond to incidents of fraud or misconduct.
- Implement. Deploy a strategy and process for implementing the new controls throughout the organization and assign responsibility for leading the overall effort to a senior individual.
- Evaluate. Assess existing controls compared with legal and regulatory frameworks as well as leading practices, such as internal investigation protocols or due diligence practices.

Defining Fraud and Misconduct

Fraud is a broad legal concept that generally refers to an intentional act committed to secure an unfair or unlawful gain.[1] Misconduct is also a broad concept, generally referring to violations of laws, regulations, internal policies, and market expectations of ethical business conduct. Together, they fall into the following categories of risk that can undermine public trust and damage a company’s reputation for integrity:

- Fraudulent financial reporting (e.g., improper revenue recognition, overstatement of assets, understatement of liabilities)
- Misappropriation of assets (e.g., embezzlement, payroll fraud, external theft, procurement fraud, royalty fraud, counterfeiting)
- Revenue or assets gained by fraudulent or illegal acts (e.g., over-billing customers, deceptive sales practices, accelerated revenue, bogus revenue)
- Expenses or liabilities avoided by fraudulent or illegal acts (e.g., tax fraud, wage and hour abuses, falsifying compliance data provided to regulators)
- Expenses or liabilities incurred for fraudulent or illegal acts (e.g., commercial or public bribery, kickbacks)
- Other misconduct (e.g., conflicts of interest, insider trading, discrimination, theft of competitor trade secrets, antitrust practices, environmental violations)

“Scandals and failures, together with flourishing and cynical greed, may have profound and prolonged effects on public opinions. It is our collective duty and well understood interest to demonstrate that market economy goes together with integrity and common good.”
Michel Prada
Chairman of the Autorité des Marchés Financiers (French Securities Regulator)
Global Public Policy Symposium, October 20, 2005

[1] Bryan A. Garner, Editor, Black’s Law Dictionary, Eighth Edition, West Group, 2004

Convergence of Regulatory Challenges

Governments around the world have responded to corporate scandals and fraudulent activity by instituting legislative and regulatory reforms aimed at encouraging companies to become more self-governing. In recent years, a variety of laws and regulations have emerged, and the timeline in Figure 1 provides a selection of important global regulations and events.

Note also that a summary of relevant regulations appears in “Appendix: Selected International Governance and Antifraud Criteria” beginning on page 24.

Figure 1: Timeline of selected global regulations and events, by jurisdiction

Australia: Commonwealth Criminal Code Act 1995; Corporations Act 2001 (including CLERP 9 Amendments, 2004)
European Union: Financial Services Action Plan 1999; European Council on Economic Fraud 2003
United Kingdom: Proceeds of Crime Act 2002; The Combined Code on Corporate Governance 2003; The Money Laundering Regulations 2003; Revised Combined Code with Turnbull, Smith, and Higgs Guidance 2005/2006
United States: U.S. Sentencing Guidelines 1991; U.S. Department of Justice Enforcement Guidance (Holder Memo) 1999; USA PATRIOT Act 2001; Sarbanes-Oxley Act of 2002; U.S. Department of Justice Enforcement Guidance (Thompson Memo) 2003; NYSE and NASDAQ Listing Standards 2003; Revised U.S. Sentencing Guidelines 2004
Source: KPMG LLP (U.S.), 2006

“Undetected financial fraud is one of the greatest risks to an organization’s viability and corporate reputation, and it has the capacity to draw into its sphere all associated people, not only the guilty.”
Jeffrey Lucy
Chairman, Australian Securities and Investments Commission
November 10, 2005

The Key Objectives: Prevention, Detection, Response

An effective, business-driven fraud and misconduct risk management approach is one that is focused on three objectives:

- Prevention: controls designed to reduce the risk of fraud and misconduct from occurring in the first place
- Detection: controls designed to discover fraud and misconduct when it occurs
- Response: controls designed to take corrective action and remedy the harm caused by fraud or misconduct

Putting It All Together

Just as there is an array of fraud and misconduct risks facing a company, there is an array of control criteria that various regulatory programs require companies to adopt. The challenge for companies, therefore, is to adopt a comprehensive and integrated approach that takes all relevant considerations into account and enables them to work together. Doing so helps avoid duplicative effort, resource fragmentation, and “slippage between the cracks” associated with a one-off or silo approach.

Such an undertaking begins with understanding all of the various control frameworks and criteria that apply to the company (see Figure 2). When this categorization is complete, the organization has the information it needs to create a comprehensive program in which the elements of prevention, detection, and response can be integrated and managed.

Figure 2: Selected International Governance and Antifraud Criteria

Australia: Corporations Act 2001 (including CLERP 9 Amendments). Aims to strengthen the financial reporting framework.
Canada: The Multilateral Instrument 52-109. Promotes an “internal control culture” for improving the quality of financial reporting in Canada.
Netherlands: Corporate Governance Code of Conduct 2004. Seeks to improve transparency in shareholder and management relations as well as the structure and accountability of management in the Netherlands.
United Kingdom: The Companies Act of 2004. Aims to improve the reliability of financial reporting and the independence of auditors and auditor regulation in the United Kingdom.
United States: Sarbanes-Oxley Act of 2002. Introduced substantial changes to the corporate governance and financial disclosure requirements of organizations registered with the Securities and Exchange Commission and listed on U.S. stock exchanges.
Source: KPMG LLP (U.S.), 2006

Figure 3 lists sample elements of a comprehensive program designed to prevent, detect, and respond to fraud.

Figure 3: Sample Antifraud Program Elements

Spanning prevention, detection, and response:
- Board/audit committee oversight
- Executive and line management functions
- Internal audit, compliance, and monitoring functions

Prevention:
- Fraud and misconduct risk assessment
- Code of conduct and related standards
- Employee and third-party due diligence
- Communication and training
- Process-specific fraud risk controls

Detection:
- Hotlines and whistleblower mechanisms
- Auditing and monitoring
- Proactive forensic data analysis

Response:
- Internal investigation protocols
- Enforcement and accountability protocols
- Disclosure protocols
- Remedial action protocols

Source: KPMG LLP (U.S.), 2006

The next section spotlights some of the common control elements identified in Figure 3 and offers considerations for their design.

Prevention

Preventive controls are designed to help reduce the risk of fraud and misconduct from occurring in the first place.

Leadership and Governance

Board/Audit Committee Oversight

An organization’s board of directors plays an important role in the oversight and implementation of controls to mitigate the risk of fraud and misconduct. The board, together with management, is responsible for setting the “tone at the top” and ensuring institutional support is established at the highest levels for ethical and responsible business practices.

Directors have not only a fiduciary duty to ensure that an organization has programs and controls in place to address the risk of wrongdoing but also a duty to ensure that such controls are effective.[2]

As a practical matter, the board may delegate principal oversight for fraud and misconduct risk management to a committee (typically audit), which is tasked with, among other things:

- Reviewing and discussing issues raised during the entity’s fraud and misconduct risk assessment
- Reviewing and discussing with the internal and external auditors findings on the quality of the organization’s antifraud programs and controls
- Establishing procedures for the receipt and treatment of questions or concerns regarding questionable accounting or auditing matters.[3]

“A robust fraud strategy is one that is sponsored at the highest level within a firm and embedded within the culture. Fraud threats are dynamic and fraudsters constantly devise new techniques to exploit the easiest target.”
Philip Robinson
Financial Crime Sector Leader, Financial Services Authority
February 27, 2006

[2] In re Caremark Int’l Derivative Litig., Del. Ch., 698 A.2d 959 (1996).
[3] A listed company’s audit committee must establish procedures for the receipt, retention, and treatment of complaints regarding accounting, internal accounting controls, or auditing matters, and allow for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. See Exchange Act section 10A(m)(4) and SEC Rule 10A-3(b)(3), effective April 2003, which may be found at http://www.sec.gov/rules/final/33-8220.htm.

Senior Management Oversight

To help ensure that fraud and misconduct controls remain effective and in line with governmental standards, responsibility for the organization’s fraud and misconduct risk management approach should be shared at senior levels (i.e., individuals with substantial control or a substantial role in policy-making). This critical oversight begins with prevention and must also be part of detection and response efforts.

The chief executive officer is ideally positioned to influence employee actions through his or her executive leadership, specifically by setting the ethical tone of the organization and playing a crucial role in fostering a culture of high ethics and integrity. For instance, the chief executive can lead by example, allocating resources to antifraud efforts and holding senior management accountable for compliance violations.

Direct responsibility for antifraud efforts should reside with a senior leader, often a chief compliance officer who works together with internal audit staff and designated subject matter experts. The chief compliance officer is responsible for coordinating the organization’s approach to fraud and misconduct prevention, detection, and response. When fraud and misconduct issues arise, this individual can draw together the right resources to deal with the problem and make necessary operational changes. The chief compliance officer may also chair a committee of cross-functional managers who:

- Coordinate the organization’s risk assessment efforts
- Establish policies and standards of acceptable business practice
- Oversee the design and implementation of antifraud programs and controls
- Report to the board and/or the audit committee on the results of the organization’s fraud risk management activities.

Other business leaders such as department heads (e.g., product development, marketing, regulatory affairs, human resources) should also participate in responsibilities under the organization’s antifraud strategy; they oversee areas of daily operations in which risks arise. Such department heads can serve as subject matter experts to assist the chief compliance officer with respect to their particular areas of expertise or responsibility.

“Achieving good corporate governance is not solely the responsibility of the directors, investors and regulators; it should be a core objective of senior management. Poor corporate governance weakens a company’s potential and at the worst can pave the way for financial difficulties and even fraud.”
Bill Witherell
Director for Financial and Enterprise Affairs, Organisation for Economic Co-operation and Development
CFO Strategies: Corporate Accountability Forum 2004, May 17, 2004

Internal Audit Function

The modern organization’s internal audit function is a key participant in antifraud activities, supporting management’s approach to preventing, detecting, and responding to fraud and misconduct. KPMG’s 2003 Fraud Survey notes that 65 percent of respondents indicated that frauds were uncovered through the work of internal audit. Such responsibilities represent a change from the more traditional role of internal audit (that is, examining the effectiveness of the entity’s controls). In general, internal audit should be responsible for:

- Planning and conducting the evaluation of design and operating effectiveness of antifraud controls
- Assisting in the organization’s fraud risk assessment and helping draw conclusions as to appropriate mitigation strategies
- Reporting to the audit committee on internal control assessments, audits, investigations, and related activities.

Fraud and Misconduct Risk Assessment

All organizations typically face a variety of fraud and misconduct risks. Like a more conventional entity-wide risk assessment, a fraud and misconduct risk assessment helps management understand the risks that are unique to its business, identify gaps or weaknesses in control to mitigate those risks, and develop a practical plan for targeting the right resources and controls to reduce risk.

Management should ensure that such an assessment is conducted across the entire organization, taking into consideration the entity’s significant business units, processes, and accounts.

With input from control owners as to the relevant risks to achieving organizational objectives, a fraud and misconduct risk assessment includes the steps listed in Figure 4.

Figure 4: Fraud Risk Assessment Process
Source: KPMG LLP (U.S.), 2006

While management is responsible for performing a targeted risk assessment process and considering its results in evaluating control effectiveness, the audit committee typically has an oversight role in this process. The audit committee is responsible for reviewing management’s risk assessment, ensuring that it remains an ongoing effort, and interacting with the entity’s independent auditor to ensure that assessment results are properly communicated.

Code of Conduct

An organization’s code of conduct is one of the most important communications vehicles that management can use to communicate to employees on key standards that define acceptable business conduct. A well-written and communicated code goes beyond restating company policies; such a code sets the tone for the organization’s overall control culture, raising awareness of management’s commitment to integrity and the resources available to help employees achieve management’s compliance goals.[4]

52%: Percentage of U.S. employees who reported that their codes of conduct are not taken seriously. (KPMG Forensic Integrity Survey 2005–2006)

A well-designed code of conduct typically includes:

- High-level endorsement from the organization’s leadership, underscoring a commitment to integrity
- Simple, concise, and positive language that can be readily understood by all employees
- Topical guidance based on each of the company’s major policies or compliance risk areas
- Practical guidance on risks based on recognizable scenarios or hypothetical examples
- A visually inviting format that encourages readership, usage, and understanding
- Ethical decision-making tools to assist employees in making the right choices
- A designation of reporting channels and viable mechanisms that employees can use to report concerns or seek advice without fear of retribution.

“I submit that having a code of ethics that is not vigorously implemented is worse than not having a code of ethics. It smacks of hypocrisy.”
Roel C. Campos
Commissioner, U.S. Securities and Exchange Commission
October 16, 2002

[4] Both the NYSE and the NASDAQ have adopted corporate governance rules that require U.S.-listed companies to adopt and disclose codes of conduct for directors, officers, and employees, and disclose code waivers for directors or executive officers. NYSE Rule 303A(1) may be found at www.nyse.com/about/listed/1101074746736.html, and NASDAQ Rule 4350(n) may be found at l?rbid 1189&element id 1159000635.

Employee and Third-Party Due Diligence

An important part of an effective fraud and misconduct prevention strategy is the use of due diligence in the hiring, retention, and promotion of employees, agents, vendors, and other third parties. Such due diligence may be especially important for those employees identified as having authority over the financial reporting process.

The scope and depth of the due diligence process typically varies based on the organization’s identified risks, the individual’s job function and/or level of authority, and the specific laws of the country in which the organization resides.[5]

49%: Percentage of U.S. employees who reported that they would be rewarded based on results, not the means used to achieve them. (KPMG Forensic Integrity Survey 2005–2006)

There are certain situations where screening third parties may be valid. For example, management may wish to screen agents, consultants, or temporary workers who may access confidential information, or acquisition targets that may have regulatory or integrity risks that can materially affect the value of the transaction.

Due diligence begins at the start of an employment or business relationship and continues throughout. For instance, taking into account behavioral considerations, such as adherence to the organization’s core values, in performance evaluations provides a powerful signal that management cares about not only what employees achieve but also that those achievements were made in a manner consistent with the company’s values and standards.

Communication and Training

Making employees aware of their obligations concerning fraud and misconduct control begins with practical communication and training. While many organizations communicate on such issues in an ad hoc manner, efforts taken without planning and prioritization may fail to provide employees with a clear message that their control responsibilities are to be taken seriously.

55%: Percentage of U.S. employees who reported that they lacked understanding of the standards of conduct that apply to their jobs. (KPMG Forensic Integrity Survey 2005–2006)

[5] One of the minimum requirements announced by the sentencing guidelines for organizational defendants calls for the organization to use reasonable efforts and exercise due diligence to exclude individuals from positions of substantial authority who have engaged in illegal activitie
