Brock Phillips, CPA, CFE, CCEP
Forensic Accounting Sr. Manager, Financial Integrity Unit, Microsoft Audit Group

Lou DeCola, CPA, CIA, CFE
Forensic Accounting Sr. Manager, Financial Integrity Unit, Microsoft Audit Group
Organization chart (figure; box labels only): Audit Committee, CEO, Chief Operating Officer, CFO, Chief Legal Officer, Business Group Presidents, VP of Finance, CIO, VP of Finance & Admin, Chief Audit Executive, Office of Legal Compliance, Controls & Compliance, Financial Compliance Group, Internal Audit (IA), Enterprise Risk Mgmt (ERM), Technology Enabled Continuous Assurance, Financial Integrity Unit (FIU).
Microsoft Confidential
- Investigative function within Internal Audit; formed 9/02
- 14 employees, 12 different languages; worldwide charter with offices in Redmond, Singapore, Beijing, Delhi, Moscow, Prague
- Professionally trained and experienced fraud investigators and Certified Fraud Examiners: 10 CFEs, 2 CPAs, 1 JD
- 250 years of professional experience; more than 70 years of Microsoft experience
- Detect, investigate, and prevent fraud
- Provide thorough and timely results for management, business, and employment decisions
- Drive continuous improvement in policies, internal controls, revenue protection, and accountability
- Reports to Internal Audit, with a strong dotted line to the Office of Legal Compliance
Investigation process (flow chart):
- Concerns raised by fellow employees/managers, proactive analysis, or external parties
- The Office of Legal Compliance (OLC) determines if an investigation is warranted and assigns the matter to FIU or another investigative group
- Investigative plan: FIU/OLC identifies the issues to be investigated; the relevant policies, procedures, and documents; and potential interviewees. FIU/OLC prepares the investigative plan; OLC approves it and sends notification to management, HR, and LCA
- Investigation: FIU preserves, collects, and analyzes documents; FIU interviews employees; FIU prepares a summary of the investigation
- Reporting: OLC provides the report of investigation and communicates it to management, HR, finance, and legal advisors; OLC closes the investigation process
- Disciplinary decisions: managers review the findings and meet with the employee, HR, and LCA; the manager makes a disciplinary proposal to OLC; OLC reviews the proposal; the manager communicates the decision to the relevant parties
Letter from Steven A. Ballmer, Chief Executive Officer

Dear Fellow Employee:

Microsoft aspires to be a great company, and our success depends on you. It depends on people who innovate and are committed to growing our business responsibly. People who dedicate themselves to really satisfying customers, helping partners, and improving the communities in which we do business. People who are accountable for achieving big, bold goals with unwavering integrity. People who are leaders, who appreciate that to be truly great, we must continually strive to do better ourselves and help others improve.

We must expect the best from ourselves because who we are as a company and as individuals is as important as our ability to deliver the best products and services. How we manage our business internally and how we think about and work with customers, partners, governments, vendors, and communities impacts our productivity and success. It's not enough to just do the right things; we have to do them in the right way.

The Standards of Business Conduct are an extension of Microsoft's values and the foundation for our business tenets. They reflect our collective commitment to ethical business practices and regulatory compliance, and they provide information about Microsoft's Business Conduct and Compliance Program. At a high level, they summarize, and are supported by, the principles and policies that govern our global businesses in several important areas: legal and regulatory compliance; trust and respect of consumers, partners, and shareholders; asset protection and stewardship; creation of a cooperative and productive work environment; and commitment to the global community.

These Standards of Business Conduct provide information, education, and resources to help you make good, informed business decisions and to act on them with integrity. In addition, managers should use this resource to foster, manage, and reward a culture of accountability and integrity within their groups.

Working together, we can continuously enhance our culture in ways that benefit customers and partners, and that strengthen our interactions with one another. Then we can truly achieve our mission of enabling people and businesses throughout the world to realize their full potential.

All Microsoft employees are responsible for understanding and complying with the Standards of Business Conduct, applicable government regulations, and Microsoft's policies. As Microsoft employees, you also have a responsibility to raise compliance and ethics concerns through our established channels. This is the way to ensure that Microsoft is and continues to be a great company of great people.

Steven A. Ballmer
Chief Executive Officer
Technology Enabled Continuous Assurance (TECA)
- Dedicated team of professionals with SQL and database expertise
- Methodology which leverages technology, data analysis, and statistical evaluation techniques
- Proactively tests control activities for an entire population of transaction data or across different data sets
- Proactive detection of exceptions
- Transition to the business
The TECA program is creating tools in two ways:
- Querying in-house tools
- Creating new querying tools by linking different data sets in innovative and proactive ways

TECA team role:
- Maintain the TECA environment (data, access, working with IT for backups, etc.) and develop queries
- Train auditors in the use of in-house and developed tools
- Proactively provide TECA reports to auditors for complex or new query requests
For Microsoft:
- Effective and efficient controls
- Targeted reviews: T&E auditing, conflicts of interest, corruption, etc.

For Internal Audit:
- Improved audit skill set
- Greater risk coverage: doing more with the same resources
- More accurate and efficient testing

For the Financial Integrity Unit:
- Identifying fraud
- Substantiating fraud
TECA cycle (figure): Policy -> Collect Data -> Queries -> Analysis -> Action
The cycle applied to AMEX late fees:
- Policy: Expensing of AMEX late fee/delinquency charges is prohibited
- Collect Data: Obtained details of AMEX late fee/delinquency charges
- Queries: Compared data from internal expense reporting tools, AMEX data feeds, and HR data tables
- Analyze: Identified certain potentially fraudulent transactions from higher than expected levels within the Company
- Action: Discussions with Legal, HR, and the Business; potential policy changes
Some interesting descriptions for late fees... (figure)
- All cases of fraud should be taken seriously, even though the overall amount is immaterial
- Tone from the top can have a pervasive effect
- Case-based development of internal tools
- Enhancements of future TECA queries
- Violation of Company policy
- Training for managers, the first line of defense
- The Potato Chip Theory of Fraud
TECA coverage areas:
- Financial Reporting
- Revenue and Accounts Receivable
- Anti-Corruption Program (DEMO)
- Travel and Entertainment
- Procurement
- Accounts Payable
- Tax
- Payroll
- Human Resources
- Logical Access
- System Change Management
- Fraud Detection
- Risks: Unusual or inappropriate journal entries are being posted to the general ledger
- Tests: Unusual entries, influenced posters and reviewers, inappropriate reviewers, Benford analysis, billion dollar entries, round dollar entries, poster/reviewer relationship, entries posted by executives
- Data: Obtained from the SAP General Ledger
- Process: Developed queries that create extract tables using a SQL backend. For Benford's analysis, used an Excel direct link to review and graph the data
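Two of the journal-entry tests listed above (Benford first-digit analysis and round dollar entries, plus a scaled-down version of the large-entry test), as an added example rather than the TECA team's own queries. It runs in Python over a constructed general-ledger extract; the column layout, the 1,000-dollar modulus and the one-million threshold are assumptions.

```python
import math

# Constructed general-ledger extract (sample data, not Microsoft's): (document, poster,
# amount). A few amounts are deliberately round and one is unusually large.
GL_LINES = [
    ("JE001", "alice", 1284.17), ("JE002", "alice", 2391.05), ("JE003", "bob", 1052.90),
    ("JE004", "bob", 50000.00), ("JE005", "carol", 3417.62), ("JE006", "carol", 1199.00),
    ("JE007", "dave", 7210.44), ("JE008", "dave", 1000000.00), ("JE009", "erin", 1837.25),
    ("JE010", "erin", 4602.11), ("JE011", "frank", 2750.00), ("JE012", "frank", 1588.33),
    ("JE013", "alice", 9123.77), ("JE014", "bob", 1301.08), ("JE015", "carol", 6048.90),
    ("JE016", "dave", 25000.00), ("JE017", "erin", 1425.61), ("JE018", "frank", 3862.19),
    ("JE019", "alice", 1764.02), ("JE020", "bob", 2209.45),
]

def first_digit(amount):
    """Leading non-zero digit of the amount, or 0 for a zero amount."""
    digits = "".join(ch for ch in f"{abs(amount):.2f}" if ch.isdigit()).lstrip("0")
    return int(digits[0]) if digits else 0

def benford_first_digit(amounts):
    """Observed vs. Benford-expected leading-digit counts, with a z-score per digit.

    Benford's law predicts P(d) = log10(1 + 1/d) for the leading digit d of naturally
    occurring amounts; a digit with a large |z| is over- or under-represented and is
    the place to start pulling entries for review.
    """
    observed = {d: 0 for d in range(1, 10)}
    for a in amounts:
        d = first_digit(a)
        if d:
            observed[d] += 1
    n = sum(observed.values())
    result = {}
    for d in range(1, 10):
        p = math.log10(1 + 1 / d)
        expected = n * p
        z = (observed[d] - expected) / math.sqrt(n * p * (1 - p)) if n else 0.0
        result[d] = {"observed": observed[d], "expected": expected, "z": z}
    return result

def round_dollar_entries(lines, modulus=1000):
    """Lines whose amount is a whole multiple of `modulus` dollars (no cents)."""
    return [ln for ln in lines if round(abs(ln[2]) * 100) % (modulus * 100) == 0]

def large_entries(lines, threshold=1_000_000):
    """Lines at or above the threshold (the slide's 'billion dollar entries' test,
    scaled to the sample); the threshold is an assumption."""
    return [ln for ln in lines if abs(ln[2]) >= threshold]
```

On a real population the z-scores, not the raw counts, are what get graphed; with only 20 lines no digit is significant, which is itself the reason the slide talks about testing entire populations.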
- Risks: Staff (employees, vendors, contractors) are engaging in activities that may violate company policies related to conflicts of interest, moonlighting, and integrity
- Tests: Matches on bank account number and/or address; validation of new hires and vendors against the ineligible-to-hire list; charitable contributions (unusual matching patterns, key words)
- Data: Obtained from the vendor master file, purchase order and invoice history, general ledger, HR
- Process: Developed queries that create extract tables using a SQL backend and process MS Access queries on the data
- Risks: Staff (employees, vendors, contractors) are engaging in activities that may violate company policies related to approval limits and financial efficacy
- Tests: Inappropriate PO and invoice approvals, duplicate invoices, non-PO invoices, duplicate vendor tax IDs, 3rd-party payments, large or non-standard payments
- Data: Obtained from the vendor master file, purchase order and invoice history, general ledger, HR, disbursements
- Process: Developed queries that create extract tables using a SQL backend and process MS Access queries on the data
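Three of the matching tests from the two slides above (employee-to-vendor bank account or address matches, duplicate invoices, duplicate vendor tax IDs) as an added example, not the TECA team's own queries. The SQL runs against constructed extracts loaded into an in-memory SQLite database, standing in for the SQL backend and Access queries the slides mention; table and column names are assumptions.

```python
import sqlite3

# Constructed stand-ins for the vendor master, invoice history and HR extracts the
# slides list (sample data, not Microsoft's): one employee shares a bank account with
# a vendor, another shares an address, one invoice is entered twice, one tax ID is reused.
SCHEMA = """
CREATE TABLE hr (emp_id TEXT, name TEXT, bank_acct TEXT, address TEXT);
CREATE TABLE vendor (vendor_id TEXT, name TEXT, tax_id TEXT, bank_acct TEXT, address TEXT);
CREATE TABLE invoice (inv_no TEXT, vendor_id TEXT, amount REAL, inv_date TEXT);
"""
ROWS = {
    "hr": [("E1", "A. Smith", "ACCT-1001", "12 Elm St"),
           ("E2", "B. Jones", "ACCT-1002", "9 Oak Ave")],
    "vendor": [("V10", "Smith Consulting", "TAX-77", "ACCT-1001", "40 Pine Rd"),
               ("V11", "Northwind Supply", "TAX-55", "ACCT-2001", "1 Harbor Way"),
               ("V12", "Northwind Supplies", "TAX-55", "ACCT-2002", "1 Harbor Way"),
               ("V13", "Acme Parts", "TAX-88", "ACCT-3001", "9 Oak Ave")],
    "invoice": [("INV-1", "V11", 1250.00, "2008-03-01"),
                ("INV-1", "V11", 1250.00, "2008-03-15"),   # same invoice, re-entered
                ("INV-2", "V11", 980.50, "2008-03-02"),
                ("INV-9", "V13", 4400.00, "2008-04-01")],
}
TESTS = {
    # Conflict of interest: employee and vendor share a bank account or an address.
    "employee_vendor": """
        SELECT h.emp_id, v.vendor_id,
               CASE WHEN h.bank_acct = v.bank_acct THEN 'bank_acct' ELSE 'address' END
        FROM hr h JOIN vendor v ON h.bank_acct = v.bank_acct OR h.address = v.address
        ORDER BY h.emp_id, v.vendor_id""",
    # Duplicate invoices: same vendor, invoice number and amount entered more than once.
    "duplicate_invoices": """
        SELECT vendor_id, inv_no, amount, COUNT(*) FROM invoice
        GROUP BY vendor_id, inv_no, amount HAVING COUNT(*) > 1""",
    # Duplicate vendor tax IDs: one tax ID behind several vendor master records.
    "shared_tax_ids": """
        SELECT tax_id, COUNT(*) FROM vendor GROUP BY tax_id HAVING COUNT(*) > 1""",
}

def build_db():
    """Load the constructed extracts into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in ROWS.items():
        con.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
    return con

def run_tests(con):
    """Run every exception query; rows are keyed by test name for review or export."""
    return {name: con.execute(sql).fetchall() for name, sql in TESTS.items()}
```

Each query returns an exception list rather than a verdict; the point of the process on the slides is that the rows go to an auditor or investigator for substantiation.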
- Risks: Staff (employees, vendors, contractors) are engaging in activities that may violate company Anti-Corruption policy requirements
- Tests: Prohibited T&E expenses, prohibited purchases, inappropriate gifts and donations, inappropriate use of investment funds
- Data: Obtained from expense report, purchase order, general ledger, HR, licensing, and investment fund tracking systems
- Process: Developed queries that create extract tables using a SQL backend and process MS Access queries on the data
- Built a table with 2,483 unique keywords, including anticorruption-specific words
- 94,911 keywords in 25 different languages, 180 related to anticorruption
- Includes support for non-roman character languages
- Subsidiary subject matter experts developed the keywords
- Created a list of prohibited keywords
- Queries are run against the appropriate keywords to identify the following situations:
  - Meals and entertainment with government officials
  - Bribes paid to government officials
  - Unusual journal entries, donations, gifts, invoices, T&E expenses, payments, and POs indicating potential FCPA violations
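How a keyword query of the kind described above can be run over free-text fields in several scripts, as an added example that is not the TECA team's code. The keyword table here is a constructed six-entry sample (the slide's table is not on the page); the language/category layout and the sample description fields are assumptions.

```python
import re
import unicodedata

# Constructed keyword table (sample only): keyword -> (language, category).
KEYWORDS = {
    "government official": ("en", "official"),
    "facilitation payment": ("en", "bribe"),
    "kickback": ("en", "bribe"),
    "взятка": ("ru", "bribe"),           # Russian: bribe
    "回扣": ("zh", "bribe"),             # Chinese: kickback
    "政府官员": ("zh", "official"),      # Chinese: government official
}

def normalize(text):
    """NFKC-normalize and casefold so full-width or mixed-case text compares equally."""
    return unicodedata.normalize("NFKC", text).casefold()

def _pattern(keyword):
    # Space-delimited scripts get word-boundary anchors so "kickback" does not fire
    # inside an unrelated longer token; CJK has no word boundaries, so those keywords
    # match as substrings. Inflected forms (plurals, Russian cases) need stems in the table.
    kw = re.escape(normalize(keyword))
    if re.search(r"[\u4e00-\u9fff]", keyword):
        return re.compile(kw)
    return re.compile(rf"(?<!\w){kw}(?!\w)")

PATTERNS = {kw: (_pattern(kw), meta) for kw, meta in KEYWORDS.items()}

def flag_description(text):
    """Sorted (keyword, language, category) hits for one free-text field."""
    norm = normalize(text)
    return sorted((kw, lang, cat) for kw, (pat, (lang, cat)) in PATTERNS.items()
                  if pat.search(norm))

def scan_records(records):
    """records: (record_id, description) pairs from T&E, PO, invoice or GL extracts.
    Returns only the records with at least one keyword hit."""
    hits = {rid: flag_description(desc) for rid, desc in records}
    return {rid: h for rid, h in hits.items() if h}

# Constructed description fields; the last one is typed in full-width Latin letters.
SAMPLE = [
    ("TE-1", "Dinner with GOVERNMENT Official re: licence renewal"),
    ("TE-2", "Team lunch, no external guests"),
    ("PO-3", "Статья расходов: взятка"),
    ("GL-4", "支付政府官员回扣"),
    ("AP-5", "ＦＡＣＩＬＩＴＡＴＩＯＮ payment to customs broker"),
]
```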
TECA and Anti-Corruption
- Increase risk coverage, scope, and testing efficiency
- Greater level of assurance through population testing
- Allows investigators and auditors to focus on higher risk, strategic areas
- Shortened investigation and audit cycle times through regular testing of common global activities
- Increase investigator and auditor capabilities and data analysis skills
- Proactive identification of issues
- Increased productivity through population testing
- More accurate and quantifiable issue identification
- Increased usage of internal reporting tools, Excel, and Access
Before:
- Limited data analysis and coverage
- Steep learning curve every quarter
- Underutilizing investigator and auditor skills
- Potential data corruption
- Inefficiencies caused delays

After:
- Increased breadth and depth of coverage through review of all 6 million entries per quarter
- "Push button" approach allows analysis of all entries
- More reliable results
- Efficient fieldwork and timely reporting with substantiated results
- Maintain a database of over 80 million lines to allow trend analysis
- Enhance management's monitoring controls
- Transition TECA tools and methodology to continuous monitoring
- Improved corporate governance
- Partner to build controls into existing tools
- Simple implementation of audit recommendations
- Help build the trusted advisor role
- Frequent testing results in timely identification of control deficiencies
- Timely resolution of issues
- Greater awareness of global issues
- Increased accountability for issue resolution, especially with global issues
Before:
- No standard process for auditing T&E expenses
- Random testing did not target testing to specific types of exceptions
- AP auditors covered quantity of reports rather than targeted review for exceptions

After:
- Increased breadth and depth of coverage: all countries (100+); audit the T&E database across 20 million plus line items
- "Push button" approach
- More targeted and economic auditing: duplicates, prohibited expenses, exchange rate issues
- Greater audit recoveries
2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.