Current Developments in Compliance Management System (CMS) Structures and Auditing. June 2010

Transcription

1 Current Developments in Compliance Management System (CMS) Structures and Auditing June 2010

2 Principles of the Implementation and Certification of Compliance Management Systems Protection of corporate management and supervisory boards from civil and criminal liability in cases of non-compliance by employees Alignment of Compliance Management Systems with national and international standards, such as IDW EPS 980 (Audit of Compliance Management Systems) or the OCEG (US) Focusing on the prevention of offences against civil and criminal laws, such as the German Art. 130 OwiG or the US Sentencing Guidelines Focusing on the prevention of personal civil and criminal liability Sustainable implementation of all elements of the systems, i.e. prevent, detect and response as well as Tone from the Top and regular auditing

3 Requirements on the Design of a Compliance Management Systems As of today, there are no mandatory requirements regarding the design of Compliance Management Systems. A draft of the German IDW Standard on Auditing Principles of Compliance Management System Audits (IDW EPS 980) was published in March A standard comparable in other countries does exist. The standard summarizes the fundamental elements of a Compliance Management System and recommends to consider generally accepted CMS-frameworks. The draft refers to the following (quasi-) standards Foundation Guidelines Red Book of the Open Compliance and Ethics Group (OCEG) US Federal Sentencing Guidelines Manual, Chapter 8, Sentencing of Organizations, Part B Remedying Harm from Criminal Conduct, and Effective Compliance and Ethics Program Australian Standard (AS) Compliance Programs Over the past years international companies have developed Leading Practices that also need to be considered in auditing Compliance Management Systems.

4 Leading Practice for Compliance Management Systems Compliance Culture, Compliance Goals, Compliance Organization Prevent Detect Respond Rules and Regulations Risk Analysis Investigation Trainings Whistleblower System Sanctions Coaching and Consulting Integrity Barometer Remediation Incentive System Compliance Detection Audits Communication Audits of the System

5 Elements of a Compliance Management System* Compliance goals & Risks CoC, Policies & Guidelines Compliance Responsibility & Organization Communication & Training Controls & Monitoring Compliance goals which are derived from business goals on company level Regular performed risk analysis to identify compliance risks; countermeasures and controls Code of Conduct Policies, guidelines and procedures on compliance issues Responsibility for compliance issues lays with one member of the management board Compliance Committee, Compliance Officer and local managers responsible for compliance management with appropriate resources and competencies Whistleblowing system (e.g. Ombudsman, Hotline) Fraud response plan Compliance issues are reflected within HR processes Compliance Management components are integrated in the corporate risk management / Internal Control System Controls within business processes to ensure proper conduct and to avoid misconduct (e.g. Due Diligence for Business Partner, authorization concept and regulations) Tone from the Top and zero tolerance culture Internal communication of corporate Code Of Conduct and guidelines Implementation of a compliance reporting system Trainings for management and employees in defined risk areas External communication of the corporate Code Of Conduct Audit of the implementation and efficiency of compliance controls within business processes Audit of the implementation and efficiency of CMS Execution of results from CMS audit and investigation processes Documentation to support the (a) controls and (b) monitoring processes as well as (c) provide evidences * Esp. Follows USSG, Australien Standards, ZfW Standards, OECG

6 Approach on Auditing Compliance Management Systems Assessment of CMS Effectiveness The assessments are based on the IDW CMS-Auditing-Standard and the USSG. Assessment of CMS Implementation Assessment of CMS Concept Type 1 Type 2 Type 3 The IDW Standard requires compliance processes to be implemented and running before the audit types 2 and 3 can be performed. Thus we have designed a 2 step approach. Due to the similarity of the documentation, audit type 2 and 3 will be performed simultaneously. March April May June July Aug. Sept. Oct. Nov. Dec. 20XX Step 1: Concept Audit (Type 1), Certificate for CMS Concept Step 2: Implementation & Effectiveness Audit (Type 2 & 3), Certificate for CMS Implementation & Effectiveness

7 Questions?

8 MANAGING COMPLIANCE Well I know I had that legal training warning me against inducements...its just that I need this deal... Maybe this might help your decision??? humm...very interesting. The deal on the table might just sway me... FOR INTERNAL USE ONLY SYMANTEC CONFIDENTIAL

9 Symantec s Compliance Program Making Compliance HOW we do Business AWARENESS Training, Online Resources and People Resources Online mandatory training for all employees In person training with internal and external counsel in priority regions with regional focus Programmatic guidelines that interface with our business models CORPORATE GOVERNANCE AND ETHICS Ethics Hotline and Mailbox Code of Conduct: Online policy, links to key information, and training Ethics and Compliance Office Hotline Consistent guidelines Making Ethics and Compliance part of the company FOR INTERNAL USE ONLY SYMANTEC CONFIDENTIAL

10 WHAT IS COMPLIANCE? Policy and Process Checkpoints Red Flag Indicators Order Process and Procedures (including Signature Authority) Code of Conduct and other Internal Policies IT Automation Points of law Legal requirements Policy stating a company s intent and interpretation, at times Risk Analysis Interpretation of law Standardization of process for control Repercussions for failure to comply fines/penalties/criminal action Benchmarking Mitigation and Follow Through -What do we do to ensure that we comply? Training is critical Audit, Reporting, Escalations FOR INTERNAL USE ONLY SYMANTEC CONFIDENTIAL 3

11 SECURITY = TRUST Ethisphere Magazine - Worlds Most Ethical Companies, In recognition of its commitment to ethical leadership, Symantec was named in Ethisphere Magazine's second-annual listing of the Worlds Most Ethical Companies. DATA PRIVACY/PROTECTION Protecting our Employees and our Customer s Personal and Private information = We CARE about Security We are THE leading security company Our brand is all about trust Customers look to us as the example Risk from hackers, spyware FOR INTERNAL USE ONLY SYMANTEC CONFIDENTIAL 4

12 The Counsel s Role in the Global Ethics and Compliance Programme Enrique Aznar Chief Ethics & Compliance Officer Nokia Siemens Networks

13 NSN will only conduct its business worldwide with the highest ethical and integrity standards and will lead others in the industry to embrace equally high standards Rajeev Suri, CEO, NSN

14 Zero tolerance to non-compliance

15 NSN Board of Directors Nokia Audit Committee NSN Executive Board CEO Business Managers Sales and Marketing Nokia Chief Legal Officer CFO Chief Ethics & Compliance Officer Regional Compliance Counsel General Counsel Legal & Compliance Team Internal Audit Finance & Controls Nokia F&C

16 Vision Mission Companies competing fairly and meeting their duties to their stakeholders and Society We support NSN employees to make decisions that are ethical, legal and consistent with NSN s values and drive industry participants to embrace equally high ethical standards Strategy Prevention Detection Correction Interaction Foundation Tone at the Top Relentless Drive, Leadership & Determination Lean and efficient organisation

17 Compliance Principles Compliance with Ethics and the Law Avoidance of Conflicts of Interest Accurate Books and Records No acceptance or paying of Bribes Appropriate Internal Controls Reporting of Violations Anti-Corruption Compliance Training and Compliance Office Assistance

18 Compliance Numbers 2009 Code of Conduct Training: 82% completion rate online training Anti-Bribery Training Sessions: 100+ More than 500 questions or reports through reporting lines Total Compliance investigations: 137 At least 19 employees terminated theft, fraud, conflict of interest and misuse of company assets Of these 19, criminal action was initiated against 3 employees In addition, other 18 employees received a written warning, 1 employee was demoted, 1 promotion was frozen and several employees received oral warnings.

19 Vivian Robinson QC General Counsel

20 Introducing the Serious Fraud Office Function Involvement in business ethics 2 SFO 2010.

21 New UK Bribery Act Specific corporate offence Defence of adequate procedures Link to business ethics Governmental guidance Suggested compliance essentials 3 SFO 2010.

22 What does good ethical leadership look like? Ethical responsibility at all levels of management Demonstrable commitment to ethical standards of behaviour Employee engagement and support 4 SFO 2010.

23 The role of in house counsel Cultivate an ethics based mindset Be proactive in asking questions at all levels Focus on wider issues to develop a virtuous circle Be brave 5 SFO 2010.

24 Vivian Robinson QC General Counsel