KPMG in Russia and the CIS
kpmg.ru
2018
Compliance in the CIS: Key Challenges & Automation
KPMG presents its second annual survey on the priorities of CIS companies to develop their compliance function in 2017. As in 2016, the survey covers challenges related to organization of the compliance function, its goals and objectives, resource issues, practical implementation of control procedures, and reporting.
This year, we placed greater emphasis on business process automation and its impact on the compliance system. This was intentional, since the automation of business processes and control procedures is today considered a tool for improving the performance of companies that still perform a large number of operations manually. The findings of our survey will help companies operating in the CIS to assess their compliance functions and benchmark the level of their compliance functions from the perspective of process automation practices.
This year we also changed the way we conducted the survey – responses were mostly collected using a confidential online questionnaire instead of the interviews conducted last year. This enabled us to double the number of respondents and thereby deliver more representative results.
The following report is a summary of responses received from respondents. In the appendices, you will find in-depth information for each of these countries: Russia, Ukraine, Kazakhstan and Azerbaijan.
We hope that you will find this report useful as a framework for understanding the current state of CIS compliance functions and substantiating the adoption of management decisions on compliance-related matters.
Best regards, KPMG
Introduction
Contents
About the survey
Key findings
Priority compliance areas
Organization of the compliance function
  Maturity of the compliance function
  Organizational structure of the compliance function
  Annual compliance function budget
  Compliance reporting procedure
Compliance throughout the company’s business processes
  Monitoring and control
  Identification of conflicts of interest
  Counterparty due diligence
  Anti-corruption and right-to-audit clauses
  Hotline
Key compliance challenges
Automation of business processes and the compliance function
Appendix 1. Answers by countries
About the survey
Goals & objectives
This survey presents a summary of findings outlined in the following sections:
— respondent information: sector, geographic footprint, revenue, etc.;
— priority compliance areas;
— organization and structural arrangement of the compliance function, including functional subordination, staffing numbers, budget, etc.;
— compliance function in the company’s business processes;
— business process automation in the company and its impact on compliance;
— essential, but missing components of the compliance system.
The main goal of this survey is to analyze specific features of the organization, role and objectives of compliance functions at CIS companies and also the practice of implementing certain business processes and control procedures, including through automation.
Methodology
The survey respondents included heads of business units with compliance function mandates: Compliance, Legal, Finance, Internal Audit/Internal Control and Security Departments. The survey was conducted using an online questionnaire via web-based platforms that could be supported by interviews further to a request from respondents. This report uses only aggregated survey data and does not contain any personal data related to respondent companies. We also relied on information from public sources.
© 2018 KPMG. All rights reserved.
In total, 98 respondents took part in the survey. KPMG undertook a thorough analysis of all the responses and decided that only 89 respondents met the given criteria and therefore could be considered as relevant. It should be noted that this is almost three times as many as in 2016. As in the previous year, the majority of the respondents operate in the pharmaceuticals and telecommunications sectors (30% in 2017 vs. 36% in 2016). At the same time, we observe a higher percentage of transport companies – 7% in 2017 vs. 3% in 2016. It should also be noted that the banking sector is not represented in the survey due to the specific regulation of its compliance activities.
Respondents
Pharmaceuticals: 18
Utilities and telecommunications: 9
Consumer goods: 7
Oil & gas: 6
Transportation: 6
Automotive: 5
Construction: 5
Chemicals: 5
Innovation and technology: 4
Metals & mining: 4
Other: 20
The figure below provides a breakdown of respondents by geographic footprint.
Russia: 55
Ukraine: 18
Kazakhstan: 8
Azerbaijan: 5
Georgia: 1
Turkmenistan: 1
Belarus: 1
Total: 89 companies
Key findings
Priority compliance areas
As was the case in 2016, anti-corruption compliance procedures ranked first this year as the top priority area for compliance, according to 88% of respondents.
The share of companies that consider antitrust and occupational health and safety (OHS) compliance a matter of priority has contracted – in 2017 they represented 49% and 37% of the total respectively (in 2016, response rates among Russian respondents were 85% and 91%, among CIS respondents (excluding Russia) – 83% and 63%).
43% of respondents perform an annual compliance risk assessment; beyond that point, 21% of companies assess compliance risks on a quarterly basis.
Organization of the compliance function
46% of respondents have spun off their compliance functions into separate departments.
Compliance functions at 49% of the surveyed companies directly administratively report to the President/CEO of an organization.
Staff size of Compliance Departments at 63% of respondents is 2–10 people; in 22% of instances only 1 employee is responsible for compliance.
Annual budget spent on compliance function at 46% of respondents: <50,000 (national currency equivalent).
61% of respondents prepare compliance reporting at least once a year, another 20% – further to the request of management.
In total, 60% of respondents report on development of the compliance system to the President/CEO.
Monitoring and control
According to most respondents, the compliance function is primarily responsible for the following processes:
Consulting on compliance matters: 58%
Compliance training courses: 50%
Internal investigations: 43%
Development and updating of a risk matrix: 38%
Processing of reported information and messages, providing feedback: 36%
The compliance function participates in the approval of high-risk business processes:
Charity and sponsorship: 35% each
Conclusion of major deals and transactions outside of corporate policies and procedures: 40% and 37%, respectively
Identification of conflicts of interest
53% of respondents ask new staff to disclose any conflicts of interest at the time of their recruitment, while 26% require staff to issue an annual conflict of interest disclosure.
37% of respondents periodically monitor conflicts of interest through in-house resources or by engaging external advisors.
Counterparty due diligence
84% of respondents conduct a centralized counterparty due diligence, in other words, performed by a single business unit, while 32% use their Security Departments.
In total, 8% of respondents analyze their business partners through a peer-review process, which involves several units.
65% of respondents have established a set of formalized criteria to assess and measure counterparty risks.
57% of respondents conduct due diligence of all their counterparties.
37% of respondents perform only initial due diligence (i.e. when contracts are concluded for the first time). At the same time, 44% of respondents carry out a counterparty due diligence at least once every three years.
In order to check the background of their business partners, about 26% of respondents outsource due diligence work to third parties.
Anti-corruption and right-to-audit clauses
34% of respondents incorporate anti-corruption and right-to-audit clauses in their contracts with counterparties.
The surveyed companies include in their contracts one of two options: either anti-corruption (22%), or the right-to-audit clause (2% only).
Only 21% of respondents have ever exercised the right to audit clause in the past.
Hotline
13% of respondents still do not have a hotline.
While 45% administer a hotline internally, 27% outsource them to a third-party provider, and 16% use both resources.
At 92% of companies with a hotline, anonymous reporting is possible.
51% of respondents measure performance of their hotline.
Business process automation
Automation of routine activities:
Outgoing payments: 45% fully, 33% partially
Contract negotiation and approval: 35% fully, 29% partially
Receiving and handling hotline calls and messages: 16% fully, 35% partially
Counterparty due diligence: 12% fully, 49% partially
30% of companies recognize business process automation as a matter of priority for their compliance system.
Meanwhile, 33% of respondents plan to automate their processes in the next three years.
Priority compliance areas
It must be pointed out that fewer companies consider antitrust and OHS compliance a matter of priority – in 2017 they represented 49% and 37%, respectively (in 2016, response rates among Russian respondents were 85% and 91%, among the CIS respondents (excluding Russia) – 83% and 63%).
In addition, in 2017 respondents recognized two areas of compliance as significantly less relevant to their businesses: human rights compliance in the workplace (67% and 29% of Russian companies found it relevant in 2016 and 2017, respectively), and insider trading compliance (relevant for 28% of Russian companies surveyed in 2017 vs. 61% in 2016).
In 2017, anti-corruption compliance ranked first as the top priority area for compliance practice, according to 88% of the surveyed companies. Respondents place a lot of emphasis on the protection of personal data (61%) and confidential information (57% of companies have included this issue in their compliance programs).
Priority compliance areas
Anti-corruption and ethics compliance: 88%
Compliance related to the protection of personal data: 61%
Compliance related to the protection of confidential information: 57%
Antitrust compliance: 49%
OHS compliance: 37%
Anti-money laundering and counter terrorism financing (AML/CTF): 37%
Environmental compliance: 34%
Compliance in marketing and advertising: 33%
Compliance with trade sanctions: 31%
Human rights compliance in the workplace: 29%
Prevention of insider trading and market manipulation: 28%
Other: 6%
Source: KPMG analysis. Hereinafter, the survey findings are based on KPMG analysis.
Note: 2% of respondents said they were not sure or did not know the answer to this question. This is a multiple-choice question.
Applicable anti-corruption legislation
Local anti-corruption laws and regulations: 94%
Foreign Corrupt Practices Act (FCPA, USA): 48%
UK Bribery Act 2010: 45%
Sapin II (France): 6%
Other: 4%
Not applicable: 3%
4 respondents cited the need for compliance with the EU, Swiss and Cypriot anti-corruption rules.
Note: this is a multiple-choice question.
Assessment of compliance and corruption risks
Assess compliance risks on an annual basis: 43%
Assess compliance risks on a quarterly basis: 21%
Assess compliance risks on an ‘as-needed’ basis: 34%
Do not assess compliance risks: 11%
Note: this is a multiple-choice question.
33% of the surveyed companies have a separate compliance risk map (matrix), while 35% of respondents have a general risk map that, among other things, covers compliance risks.
30% of respondents have formalized their methodologies adopted for the identification and assessment of corruption risk. Another 25% have such methodology in place, but it is not documented in the company’s internal regulations.
ISO 37001:2016 Anti-Bribery Management Systems (ISO 37001) recommends that the bribery risk assessment be reviewed:
— on a regular basis so that changes and new information can be properly assessed based on timing and frequency defined by the organization;
— in the event of a significant change to the structure or activities of the organization.
ISO 19600:2014 Compliance Management Systems determines that the compliance risks should be reassessed periodically and whenever there are:
— new or changed activities, products or services;
— changes to the structure or strategy of the organization;
— significant external changes, such as financial-economic circumstances, market conditions, liabilities and client relationships;
— changes to compliance obligations;
— noncompliance(s).
Organization of the compliance function
Maturity of the compliance function
Organizational structure of the compliance function
Annual compliance function budget
Compliance reporting procedure
Maturity of the compliance function
At most respondents the compliance function has been operational for more than one year, in particular, 36% – from 1 to 3 years, and 40% – from 3 to 10 years.
The answers disclosed that pharmaceuticals and oil and gas companies are considered ‘compliance pioneers’.
It should be noted that the surveyed pharmaceutical companies are primarily foreign-owned subsidiaries, which have introduced compliance practices at the time of their entry into the CIS market, and vice-versa for oil and gas companies, where compliance is attributable to the access of CIS companies to the international market.
Maturity of the compliance function
Less than 1 year: 11%
1–3 years: 36%
3–10 years: 40%
More than 10 years: 7%
Note: 6% of respondents said they were not sure or did not know the answer to this question.
Organizational structure of the compliance function
In terms of the organizational structure of the compliance function, respondents were divided roughly equally in two groups: companies with a separate Compliance Department (46%) and companies with no special compliance unit (54%), where corresponding functions are assigned to other departments (e.g., Legal Department). It should be noted that a similar proportion of responses was recorded in the 2016 survey.
46% of respondents have a separate Compliance Department.
ISO 19600:2014 Compliance Management Systems (ISO 19600) does not provide detailed guidelines on whether it is necessary to establish a separate Compliance Department. The document outlines that organizations may create stand-alone units or delegate compliance functions integrating them to existing departments.
The following issues should be taken into account when creating/transforming a compliance function:
— organizational structure of the company;
— nature of the company’s business;
— total number of staff;
— functions expected within the Compliance Department;
— number and nature of business processes and transactions with high risk of corruption.
In 2017, respondent answers to the question about the administrative subordination of their compliance function are relatively similar to the previous survey. Most answers (49%) disclosed that Compliance Departments administratively report directly to the company’s President or CEO.
Compliance function – administrative subordination
President/CEO: 49%
Vice President/Department Director/Division Manager: 21%
Board of Directors and/or board committees: 8%
Other*: 15%
*Local (Regional) Chief Compliance Officer, head of function or business executive (director) in the country, Legal Department.
Note: 7% of respondents said they were not sure or did not know the answer to this question.
Team size in Compliance Departments
2–10 employees: 63%
1 employee: 22%
>10 employees: 15%
Note: The response rates were calculated for the companies, which replied in the affirmative to the question about a separate Compliance Department.
It should be noted that the staff size of Compliance Departments in respondent companies is weakly correlated with annual revenues and total headcount.
Annual compliance function budget
<$50,000: 46%
$50,000–167,000: 10%
$167,000–833,000: 10%
>$833,000: 7%
Notes: 27% of respondents said they were not sure or did not know the answer to this question. The response rates were calculated for the companies, which replied in the affirmative to the question about a separate Compliance Department.
Compliance reporting procedure
Recipients of compliance reports
President/CEO: 60%
Board of Directors: 31%
Management of the parent company: 30%
Vice President(s)/Deputy CEO(s) responsible for a separate line of business: 17%
No reporting is prepared in this respect: 10%
Reporting is prepared for internal use and compliance function only (it is not submitted to management): 4%
Other: 7%
Note: respondents were asked to choose one or multiple options from a list of possible answers.
Compliance reporting cycle
More than once a year: 43%
Further to a request from management: 20%
At least once a year: 18%
No formalized reports: 4%
At least once every two years: 2%
Other: 2%
Note: 11% of respondents said they were not sure or did not know the answer to this question.
As management and executive staff must be kept regularly informed, which is one of the most important tasks of the compliance function, relevant questions were included in the 2017 survey.
In response to the questions concerning the compliance reporting cycle, 61% of companies answered ‘at least once a year’ and 20% – ‘further to a request from management’.
In total 31% of respondents submit compliance reports to the company’s Board of Directors.
60% of the surveyed companies report compliance matters directly to the President or CEO.
Compliance throughout the company’s business processes
Monitoring and control
Identification of conflicts of interest
Counterparty due diligence
Anti-corruption and right-to-audit clauses
Hotline
Common types of compliance organizational structures
Centralized
1) The compliance function retains direct control over all compliance-related activities through a separate department/responsible person.
2) In the case of a specific compliance area – all compliance activities and controls are executed through a separate department/responsible person.
Decentralized
1) Compliance functions are embedded in and distributed between several business units/employees in order to manage compliance risks, exercise compliance controls and procedures.
2) In the case of a specific compliance area – all compliance activities and controls are distributed between several business units/employees, which does not involve the creation of a centralized compliance function.
Hybrid
1) The compliance system combines both centralized and decentralized models. The compliance function provides overall direction and oversight in all areas of compliance to ensure a one-size-fits-all approach to compliance risk management, but any detailed compliance activities and controls related to specific compliance areas are exercised by various business units/employees.
2) In the case of a specific compliance area – the compliance function provides methodological guidelines, information advice and support in implementing necessary compliance policies and procedures; consolidates and monitors the progress made on their implementation; reports to management, etc., while the responsibility to perform specific implementation activities, compliance controls and procedures rests with relevant business units/employees.
The involvement of the compliance function in the company’s business processes is of particular interest, as the compliance role depends on its organizational structure: centralized, decentralized or hybrid.
The chart below demonstrates the overall response statistics concerning the role of compliance in company’s business processes, which includes its involvement in the execution, approval and monitoring of a specific business process, or the absence of any such involvement.
At most respondents Compliance Departments are responsible for processes related to compliance training courses (50%) and consulting on compliance matters (58%). A significant percentage of respondents state that their compliance teams perform internal investigations (43%), develop a risk matrix and keep it up to date (38%), process hotline calls, messages, and provide respective feedback (36%).
According to most respondents, their compliance functions are involved in high-risk processes, such as charity and sponsorship (35% each), the conclusion of major deals (40%) and transactions outside of corporate policies and procedures (37%), contracting with counterparties (46%).
In most cases, the compliance function is involved in approval processes when it comes to the identification of risky counterparties and employees, i.e. counterparty due diligence (36%) and management of conflicts of interest (30%).
What is noticeable is that the compliance functions of 36% of respondents are not involved in the approval of sales discounts and bonuses (they don’t monitor the cited transactions).
Compliance role in a company’s business processes

| Process | Execution | Approval | Monitoring | Compliance function is not involved in this process | Don’t know/Process does not exist |
|---|---|---|---|---|---|
| Counterparty due diligence | 20% | 36% | 31% | 8% | 5% |
| Contracting with counterparties | 9% | 46% | 29% | 14% | 2% |
| Provision of sales bonuses and discounts | 2% | 20% | 22% | 36% | 20% |
| Major deals | 8% | 40% | 27% | 20% | 5% |
| M&A | 3% | 27% | 18% | 19% | 33% |
| Atypical manual accounting adjustments | 5% | 16% | 16% | 44% | 19% |
| Conclusion of deals and transactions outside of corporate policies and procedures (i.e. are not outlined or contravene the provisions of policies and procedures) | 5% | 37% | 26% | 8% | 24% |
| Giving of business gifts | 8% | 30% | 32% | 16% | 14% |
| Acceptance of business gifts, hospitality and other business courtesies | 8% | 26% | 33% | 19% | 14% |
| Charity and social responsibility | 8% | 35% | 27% | 14% | 16% |
| Sponsorship | 5% | 35% | 26% | 17% | 17% |
| Management of conflicts of interest | 21% | 30% | 34% | 7% | 8% |
| Compliance training for internal staff | 50% | 14% | 16% | 8% | 12% |
| Advising employees on compliance matters | 58% | 13% | 13% | 5% | 11% |
| Development of a risk matrix and keeping it up to date | 38% | 27% | 18% | 8% | 9% |
| Receiving and handling hotline calls and messages, and providing feedback | 36% | 15% | 20% | 14% | 15% |
| Internal investigations | 43% | 20% | 22% | 6% | 9% |
Monitoring and control
In accordance with ISO 19600, the company introduces relevant control procedures in order to reduce and mitigate compliance risks. To ensure that they are efficient, such procedures are subject to periodic monitoring. The figure below presents the respondents’ answers to a question about the sources of information for monitoring purposes and risk communication methods. Even though a significant percentage of respondents (44%) say that their compliance specialists have full access to corporate accounting systems, the Compliance Departments in the majority (53%) of the surveyed companies still have to request the necessary information from business process owners. Also, it is notable that Compliance Departments have low levels of automation when it comes to reporting on risk operations – 75% of risk communication messages are received from employees orally or via e-mail/hotline.
Sources of information for business process monitoring
53%: Information is requested from business units acting as process owners; the Compliance Department cannot access the relevant accounting systems on an anytime basis
44%: The Compliance Department downloads data directly from the relevant accounting systems
12%: The Compliance Department receives an automatic notification when a risk-related transaction is identified (automated risk identification)
7%: Other
Note: This is a multiple-choice question. 13% of respondents said they were not sure or did not know the answer to this question.
How risk transactions are reported to the Compliance Department
75%: Risk communication messages are received from employees orally or via e-mail/hotline
8%: Automatically generated notifications are emailed to the Compliance Department
6%: Automatically generated notifications are delivered to a special platform accessible to the Compliance Department
11%: Other
Note: This is a multiple-choice question. 13% of respondents said they were not sure or did not know the answer to this question.
Identification of conflicts of interest
Summarizing the cases based on the engagement experience of KPMG Forensic in Russia and the CIS, we see that a significant number of fraud and corruption schemes are perpetrated through third parties, which are affiliated with company employees (including through suppliers and customers).
Therefore, timely identification and prevention of a potential conflict of interest is key to countering fraud and corruption.
Conflicts of interest reporting
53%: At the time of recruitment
17%: Reassignment to a different position or transfer to another department
~26% require the completion of an annual declaration disclosing the existence or absence of conflicts of interest, in particular:
26% with respect to employees in leadership roles and at a senior management level;
15% with respect to all staff;
13% apply a risk-oriented approach, which implies staff members in positions where there is a high risk of fraud or corruption must disclose any conflicts of interest.
37% (less than half) periodically monitor conflicts of interest by engaging in-house staff or external advisors, in other words, they do not rely solely on the information provided by employees.
Note: This is a multiple-choice question.
Counterparty due diligence
84% of respondents conduct counterparty due diligence using a centralized model, i.e. performed by a single business unit.
In most cases, this role is assigned to the Security Department (33%). The second most common response is that due diligence checks are performed by the business unit benefiting from a potential contract (27%).
In total, 8% of respondents analyze their business partners through a peer-review process, which involves several units.
Counterparty due diligence models
Centralized due diligence: One business unit is involved, which is responsible for carrying out background checks of potential and/or existing counterparties under established criteria, with the involvement of selected experts from other departments to analyze any issues of concern that may arise.
Decentralized due diligence: Several business units are involved, either simultaneously or sequentially, in order to collect and analyze information regarding various aspects of counterparty activities.
Who is responsible for counterparty due diligence
Security Department: 33%
Employee of the business unit, which intends to sign a contract with a counterparty: 27%
Legal Department: 15%
Employee responsible for compliance: 8%
Peer review by several departments*: 8%
Finance/Accounting Department: 4%
Other: 2%
*In different combinations, including through the Security Department, Legal Department, Compliance Department, Administrative Department.
Note: 3% of respondents said they were not sure or did not know the answer to this question.
Measures to mitigate the identified risks
The feasibility and efficiency of a particular model applied by the company largely depends on the number of counterparties under review and the size of a business.
According to the survey, a significant portion of respondents perform only initial due diligence – 37%. At the same time, we can see that a large number of companies perform counterparty checks at least once every three years (44%). There are single responses (1%) mentioning the use of automated tools for the continuous monitoring of changes in the counterparty’s activity.
Frequency of counterparty due diligence
Initial due diligence only: 37%
Once every 1–3 years: 36%
More than once a year: 8%
Less than once every three years: 4%
Other: 8%
Note: 7% of respondents said they were not sure or did not know the answer to this question.
Scope of due diligence checks
57% conduct due diligence of all their counterparties
39% apply a risk-based approach and perform a counterparty due diligence procedure in accordance with established criteria
Note: 4% of respondents said they were not sure or did not know the answer to this question.
Criteria triggering a counterparty due diligence
Type of services/products
Level of risk identified after the review of a counterparty’s questionnaire
Contract value
Area of activity/line of business of the counterparty’s company
65% 62% 50% 47%
Note: This is a multiple-choice question. 6% of respondents said they were not sure or did not know the answer to this question.
Scope of due diligence checks in procurement
In total, 83% of respondents perform counterparty due diligence during procurement procedures, while 10% of respondents do not check counterparties at the procurement stage.
60% of the surveyed companies check the background of all parties involved in procurement, and 23% check only the leading vendor (winner).
Note: 7% of respondents said they were not sure or did not know the answer to this question.
Counterparty assessment criteria
65% of respondents have established a set of formalized criteria to measure counterparty risk
93%: Date of incorporation and registered office (registration details)
89%: Information on activities, necessary certifications
85%: Pending insolvency proceedings against the counterparty
84%: Involvement of a counterparty in unresolved disputes or unsettled court cases related to business activities or legal and regulatory issues
81%: Owners, ultimate beneficiaries and management, including business image and professional integrity
75%: Financial indicators
73%: Other defamatory or derogatory information published in mass media
65%: Previous background of the counterparty-company relationship
65%: Conflict of interest between the counterparty and the company
64%: Owners, ultimate beneficiaries and management, including involvement in illegal/unethical activity, reported cases of involvement in corrupt and money laundering schemes
57%: Inclusion of the counterparty/its key persons in national and international sanctions lists, blacklists of people and entities suspected of money laundering, terrorist financing and political exposure
57%: Owners, ultimate beneficiaries and management, including ties with politicians or employment at state structures, leveraging of these relations or official position to promote personal business interests
55%: Information on instances of illegal or unethical business practices
48%: Counterparty’s reputation among national and international regulators and public authorities
40%: Materiality of a potential transaction for the counterparty
36%: Participation in political activities (ties with well-known politicians and state institutions, the leveraging of such relations to promote personal business interests)
31%: Owners, ultimate beneficiaries and management, including professional background, professional integrity and business interests
29%: Commercial references from other partners
2%: Other
Note: This is a multiple-choice question. 2% of respondents said they were not sure or did not know the answer to this question.
Counterparty due diligence tools and techniques
Counterparty assessment tools
80% Internet search engines
72% Databases with paid access (e.g., SPARK, Lexis Nexis, D&B)
71% Information provided by the counterparty
47% Security department sources
31% Collection of testimonials and references in the market
26% External providers, including the outsourcing of due diligence work, providers of business intelligence services, detective agencies
4% Other
Note: This is a multiple-choice question.
Special questionnaire form for initial assessment of counterparty risk
57% use questionnaires
2% use questionnaires only for certain counterparties (e.g., associated with high risk)
30% do not use questionnaires
Note: 11% of respondents said they were not sure or did not know the answer to this question.
Measures to minimize the risks identified in a counterparty due diligence
According to most respondents, the inclusion of special clauses in contracts and agreements, i.e. an anti-corruption clause, is the most popular measure to mitigate counterparty risks (71%). In total, 44% of respondents prefer to include provisions on limiting the counterparty’s ability to act on behalf of the company.
In total 47% of the surveyed companies review and approve payments made to a counterparty – this tool is used to identify and prevent potential fraud and the transfer of funds through unfair business partners.
Another 20% of respondents rely on the monitoring of payments made by the counterparty acting on the company’s behalf – primarily to prevent corruption risks arising from the use of intermediaries to perform particular operations.
Fewer than half of the surveyed companies (40%) monitor particular counterparties’ activities in order to prevent and mitigate the associated risks – either by analyzing information on the activities of a business partner in public sources, or by conducting field audits at the offices and production facilities of the counterparties.
47% review and approve payments made to the counterparty
20% rely on the monitoring of payments made by the counterparty acting on the company’s behalf
Measures to mitigate the identified risks
71% Incorporating specific provisions and clauses in contracts with counterparties (e.g., an anti-corruption clause)
47% Review and approval of payments
44% Limiting the counterparty’s ability to act on behalf of the company
40% Ongoing monitoring of the counterparty’s activities
20% Regular certification and anti-corruption training courses
20% Review of payments made by the counterparty acting on the company’s behalf
2% The company does not take any measures to mitigate the identified risks
10% Other
Note: This is a multiple-choice question.
Anti-corruption and right-to-audit clauses
An anti-corruption clause is an important tool in the compliance system and a standard clause incorporated in almost every contract. It has been our experience that contracts are significantly less likely to include provisions for the right to audit, which is confirmed by the results of our survey.
Incorporation of anti-corruption and right-to-audit clauses in contracts and agreements
10% Anti-corruption and right-to-audit clauses are incorporated in contracts at the request of a counterparty or selectively
9% Only an anti-corruption clause is incorporated in selected contracts
2% Only a right-to-audit clause is incorporated in all contracts
34% Both anti-corruption and right-to-audit clauses are incorporated in all contracts
22% Only an anti-corruption clause is incorporated in all contracts
17% Contracts include neither anti-corruption nor right-to-audit clauses
6% Other
Despite the incorporation of the right-to-audit clause in contracts and agreements, only 21% of all respondents executed the right to audit in their activities, of which 33% were pharmaceutical companies and 15% were companies operating in the automotive sector.
Right-to-audit clause
29% The company did not execute a right-to-audit clause and has no plans to execute it in the coming year
21% A right-to-audit clause is not incorporated in contracts
21% The company has audited its counterparty in the past two years
15% The company did not execute the right to audit, but is planning to audit its counterparty in the coming year
Note: 14% of respondents said they were not sure or did not know the answer to this question.
Hotline
A survey on the company’s methods of reporting information on suspected compliance or ethics violations has revealed that a hotline, along with internal audits and compliance checks, is one of the most common practices used to identify such violations. In total 53% of respondents identify violations via a hotline. At the same time, 13% of respondents still have not set up a hotline at their companies.
How the compliance violations are detected
53% of respondents identify violations via a hotline
62% Internal audits
54% Compliance checks
53% Hotline
37% Security checks
33% Internal control checks
30% External audits
29% Whistleblowing
27% Automated IT controls
24% Reviews initiated by management
2% Other
Note: This is a multiple-choice question.
Existing hotline channels
78% E-mail
62% Telephone
48% Web portal
30% Post
17% Special boxes installed in office spaces and production sites
13% No hotline to report a suspected compliance or ethics violation
3% Other
2% Chatbot
Note: This is a multiple-choice question.
One trend observed by KPMG at present, including in engagements involving the establishment and outsourcing of a hotline, is that chatbots will soon, partially or totally, be used as the primary hotline channel instead of calls and e-mail communications, while automatic speech recognition (ASR) technology will replace human resources, i.e. call center operators.
Hotline administration
45% chose to manage their hotlines internally
27% outsource the hotline management to a third party
16% manage hotlines through a combination of internal and third-party (outsourcing) resources
Note: Out of 87% respondents with established hotlines; 12% of respondents said they were not sure or did not know the answer to this question.
92% provide the opportunity of anonymous reporting to the hotline
Note: Out of 87% respondents with established hotlines
The ISO 37001 guidance notes that companies should inform personnel about the mechanism for reporting violations, including their related rights and the confidentiality of communications, and also conduct training courses on reporting methods. For this purpose, our respondents most commonly rely on compliance and ethics-related training, typically taken on an annual basis (73%), and publish information about the hotline on the internal corporate website (69%).
Building and raising awareness of the hotline
73% Training programs, which cover compliance and ethics-related issues, fraud and corruption prevention topics, typically taken on an annual basis
69% Information about the hotline on the internal corporate website
51% Posters
47% E-mail campaign
35% Communications from top management (i.e., CEO)
31% Bulletins/brochures
31% Newsletters
12% Nothing
5% Other
Note: Out of 87% respondents with established hotlines. This is a multiple-choice question.
To measure the hotline performance, we asked our respondents to provide the overall number of reports collected via the hotline along with the quantity of relevant messages. The response rate for this question is 44%, where 17% of respondents say that only half of all reports are relevant, another 32% cite from 30% to 50% of relevant messages, and the other 34% – less than 30% of relevant messages.
Hotline performance
17% more than 50% of relevant reports
32% from 30% to 50% of relevant messages
34% less than 30% of relevant messages
Note: 17% of respondents mention no relevant messages.
Measuring hotline performance
51% measure performance of the hotline
25% use internal control department resources
25% use internal audit department resources
12% use security department resources
8% rely on external advisors
8% answered ‘other’
Note: Out of 87% respondents with established hotlines; 27% of respondents said they were not sure or did not know the answer to this question. This is a multiple-choice question.
Key compliance challenges
The surveyed companies note the need for the automation of enterprise-wide (28%) and compliance-related (33%) business processes, and also an electronic approval procedure for business processes (18%). These results once again confirm that automation of business processes is more relevant today for compliance teams than ever before.
The most important and relevant challenge Compliance Departments are now facing is the proper understanding of the role and objectives of the compliance function by company employees (according to 36% of respondents).
Key requirements of the compliance function
Note: 13% of respondents said they were not sure or did not know the answer to this question. This is a multiple-choice question.
36% Understanding of the role and objectives of the compliance function by company employees
35% Perception by staff members of the compliance role as an advisor, not an inspector
33% Automation of compliance-related business processes
33% Methodological support of the compliance function
33% Compliance professionals
28% Enterprise-wide business process automation
24% Support and assistance from senior management of the company
22% Professional development and certification for compliance staff
20% Salaries and remuneration of the compliance team
20% Participation of the compliance staff in specialized training courses and seminars
20% Management communications to all staff covering compliance-related issues, fraud and corruption prevention topics
18% Electronic document workflow and approvals for significant processes
10% Access to corporate accounting systems and data
6% Other
4% Procurement and office supplies (premises, office appliances, machines and equipment, Internet access)
1% Access to documents (contracts, supporting documents)
Automation of business processes and the compliance function
Based on KPMG’s experience, business process automation will be driven by the following concerns:
A detailed description of automated processes and respective implementation algorithms, including exceptions, to support due performance of work.
A company has labor-intensive iterative processes, which use structured data.
Financial benefit of the process (the average market cost of a license is high; in some cases, the introduction of automation to a business will only prove cost-effective when two or more employees have been replaced). It is often the case that processes suitable for automation are cross-departmental, in other words, they are linked across two or more departments. To derive the maximum benefits from a license, a company should identify all possible iterative processes working with structured data, and prioritize them.
The results of this survey confirm the above statements and demonstrate that automation will largely affect business processes with numerous routine activities, such as:
Outgoing payments:
45% fully automated
33% partially automated
Contract negotiation and approval:
35% fully automated
29% partially automated
Receiving and handling hotline calls and messages:
16% fully automated
35% partially automated
Counterparty due diligence:
12% fully automated
49% partially automated
Note: This is a multiple-choice question.
Business process automation
In general, risky transactions go through a manual approval process, such as transactions beyond the framework of corporate policies and procedures (64%), the acceptance of gifts, corporate hospitality (59%), the giving of gifts (53%), charity and sponsorship (52%).
Lack of automation – key reasons
30% of respondents plan to automate their processes in the next three years.
40% No need for automation, the process works as is
19% Lack of funds/financing for automation purposes
8% Other
Note: 11% of respondents said they were not sure or did not know the answer to this question. This is a multiple-choice question.
Process | Partially automated process | Fully automated process | Manual process | Process does not exist/Don’t know
Counterparty due diligence | 49% | 12% | 33% | 6%
Approval of contracts with counterparties | 29% | 35% | 30% | 6%
Provision of sales bonuses and discounts | 26% | 9% | 29% | 36%
Outgoing payments | 33% | 45% | 4% | 18%
Atypical accounting adjustments | 15% | 11% | 34% | 40%
Giving of gifts | 12% | 5% | 53% | 30%
Hospitality expenses | 26% | 13% | 43% | 18%
Acceptance of gifts, corporate hospitality | 9% | 3% | 59% | 29%
Sponsorship and/or charity | 20% | 7% | 52% | 21%
Disclosure of conflicts of interest (including on an annual basis) | 29% | 9% | 43% | 19%
Staff compliance training | 39% | 9% | 32% | 20%
Development and updating of a risk matrix | 20% | 1% | 52% | 27%
Transactions beyond the framework of corporate policies and procedures (i.e., they are not outlined or contravene existing provisions of such policies and procedures) | 9% | 3% | 64% | 24%
Receiving and handling hotline calls and messages, providing a feedback | 35% | 16% | 25% | 24%
Internal investigations | 23% | 3% | 65% | 9%
Appendix 1. Answers by countries
Respondents
Answers Russia Ukraine Kazakhstan Azerbaijan
What industry sector does your company represent? (only one answer is possible)
Utilities and telecommunications 6 2 1 0
Oil & Gas 4 0 0 2
Pharmaceuticals 11 4 1 0
Innovation and Technology 3 0 0 0
Consumer goods 5 2 0 0
Metals & Mining 2 0 2 0
Transportation 3 0 2 1
Automotive 4 0 0 1
Media 0 0 0 0
Chemicals 4 1 0 0
Retail trade 1 1 0 0
Construction 3 1 0 1
Finance and investment 2 0 1 0
Services 1 1 0 0
Other 6 6 1 0
Priority compliance areas
Answers Russia Ukraine Kazakhstan Azerbaijan
Which of the following compliance areas does your company recognize as a priority? (Multiple choice question)
Anti-corruption and ethics compliance 50 15 8 3
Occupational health & safety (OHS) compliance 19 9 4 1
Environmental compliance 17 9 3 1
Antitrust compliance 34 8 1 0
Human rights compliance in the workplace 14 7 3 2
Compliance related to the protection of personal data 36 10 3 3
Compliance related to the protection of confidential information 29 12 5 3
Preventing insider trading and market manipulation 17 6 2 0
Compliance with trade sanctions 22 6 0 0
Anti-money laundering and counter-terrorism financing 20 8 1 4
Compliance in marketing and advertising 19 7 1 0
Other 3 0 0 0
Don’t know/Not sure 0 1 0 1
Answers Russia Ukraine Kazakhstan Azerbaijan
Which of the following provisions of anti-corruption legislation apply to your company? (Multiple choice question)
Local/national anti-corruption laws and regulations 55 16 6 4
Foreign Corrupt Practices Act (USA) 24 12 3 2
UK Bribery Act 26 8 4 0
Sapin II French Anti-Corruption Law, 2016 4 1 0 0
The provisions of anti-corruption laws and regulations are not applicable to our company 1 1 0 1
Other 4 0 0 0
Does your company perform a compliance risk assessment? (Multiple choice question)
Yes, on an annual basis 25 7 5 0
Yes, on a quarterly basis 13 4 1 0
Yes, on an ‘as-needed’ basis 21 4 1 4
Compliance risk assessment is not performed 4 3 1 1
Other 2 0 0 0
Does the company have a compliance risk matrix/map? (Only one answer is possible)
Yes, the company has a separate risk matrix/map 21 7 1 0
The company has a general risk map that, among other things, covers compliance risks 20 2 5 2
The company does not have a compliance risk matrix/map 13 6 2 3
Don’t know/Not sure 1 3 0 0
Does the company have an established methodology to identify and assess the corruption risk? (Only one answer is possible)
Yes, the company has an established and approved methodology 16 6 2 0
Yes, such methodology is in place, but it is not formalized (i.e. it is not documented in the company's internal regulations) 15 4 2 0
No methodology 16 5 3 5
Don’t know/Not sure 5 2 0 0
Other 3 1 1 0
Organization of the compliance function
Answers Russia Ukraine Kazakhstan Azerbaijan
How mature is your compliance function? Please specify length of time in years (Only one answer is possible)
Less than a year 3 0 3 0
1–3 years 18 9 4 1
3–10 years 22 9 1 1
More than 10 years 9 0 0 1
Don’t know 3 0 0 2
The compliance function in your company – is it a separate business unit/department? (Only one answer is possible)
Yes 26 6 5 2
No 29 12 3 3
Answers Russia Ukraine Kazakhstan Azerbaijan
In terms of administrative subordination, who does the compliance officer/department report to? (Only one answer is possible)
Only Board of Directors and/or Board committees 1 3 3 0
CEO 28 9 3 3
Vice President/Department Director/Division Manager 14 3 2 0
Head of Department 0 0 0 0
Other 10 2 0 2
Don’t know/Not sure 2 1 0 0
Specify the team size of your Compliance Department (Only one answer is possible)
1 employee 5 1 1 1
2–5 employees 13 4 4 1
6–10 employees 3 0 0 0
More than 10 employees 5 1 0 0
Annual budget of the compliance function – how much do you spend? (Only one answer is possible)
Up to USD 50,000 11 4 3 1
USD 50,000–167,000 4 0 0 0
USD 167,000–833,000 3 0 0 0
More than USD 833,000 2 1 0 0
Don’t know/Not sure 6 1 2 1
Who receives the reporting on the performance of the compliance function? (Multiple choice question)
The Board of Directors 22 2 4 0
President/CEO 37 8 0 3
Vice President (Vice Presidents) / Deputy CEO (CEOs) responsible for separate line of business 13 0 4 0
Management of the parent company 16 7 1 0
Reporting is prepared for internal use and compliance function only (is not submitted to the company's management) 3 1 3 0
No reporting is prepared in this respect 2 3 0 2
Other 3 2 2 0
What is the frequency of compliance reporting (reporting cycle)? (Only one answer is possible)
On a monthly/quarterly basis 23 5 3 0
Twice a year 5 0 1 0
At least once a year 9 5 0 1
At least once every two years 1 0 1 0
Further to a request from management 11 3 2 2
Other 2 0 0 1
Don’t know/Not sure 3 5 1 1
No formalized reports 1 0 0 0
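Organization of the compliance function
Compliance role in a company’s business processes (Multiple choice question)
Legend: Execution; Approval; Monitoring; Compliance function is not involved in this process; Don’t know/Process does not exist
Russia
Counterparty due diligence: 19 30 26 6 4
Contracting with counterparties: 6 36 18 11 2
Provision of sales bonuses and discounts: 1 13 13 25 10
Major deals: 6 29 16 15 4
M&A: 2 19 11 13 17
Atypical manual accounting adjustments: 2 12 11 27 10
Conclusion of deals and transactions outside of corporate policies and procedures (i.e. are not outlined or contravene the provisions of policies and procedures): 3 25 17 5 15
Giving of business gifts: 7 24 23 12 9
Acceptance of business gifts, hospitality and other business courtesies: 8 21 22 14 8
Charity and social responsibility: 5 26 19 11 10
Sponsorship: 3 24 17 11 11
Management of conflicts of interest: 23 25 27 2 8
Compliance training for internal staff: 42 12 13 5 7
Advising employees on compliance matters: 45 10 12 2 6
Development of risk matrix and keeping it up to date: 32 21 15 7 6
Receiving and handling hotline calls and messages, and providing a feedback: 28 12 16 8 10
Internal investigations: 34 17 17 4 7
Ukraine
Counterparty due diligence: 5 12 11 1
Contracting with counterparties: 3 9 9 3
Provision of sales bonuses and discounts: 3 5 5 7
Major deals: 2 11 11 3
M&A: 1 6 7 2 7
Atypical manual accounting adjustments: 1 2 3 7 6
Conclusion of deals and transactions outside of corporate policies and procedures (i.e. are not outlined or contravene the provisions of policies and procedures): 2 8 6 1 7
Giving of business gifts: 3 7 9 2 4
Acceptance of business gifts, hospitality and other business courtesies: 2 5 9 3 4
Charity and social responsibility: 3 10 7 3 4
Sponsorship: 2 9 6 4 5
Management of conflicts of interest: 3 12 12 4 1
Compliance training for internal staff: 12 5 3 3 3
Advising employees on compliance matters: 14 5 2 1 3
Development of risk matrix and keeping it up to date: 11 6 4 3 3
Receiving and handling hotline calls and messages, and providing a feedback: 7 3 5 6 3
Internal investigations: 11 5 7 3 2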
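Legend: Execution; Approval; Monitoring; Compliance function is not involved in this process; Don’t know/Process does not exist
Kazakhstan
Counterparty due diligence: 2 1 2 3 1
Contracting with counterparties: 2 5 1 1
Provision of sales bonuses and discounts: 1 1 3 3
Major deals: 2 2 3 1
M&A: 1 2 5
Atypical manual accounting adjustments: 1 4 3
Conclusion of deals and transactions outside of corporate policies and procedures (i.e. are not outlined or contravene the provisions of policies and procedures): 3 2 2 2
Giving of business gifts: 2 3 2 2
Acceptance of business gifts, hospitality and other business courtesies: 2 4 2 2
Charity and social responsibility: 3 4 2 2
Sponsorship: 3 4 2 2
Management of conflicts of interest: 2 2 5 1 1
Compliance training for internal staff: 5 1 4 3
Advising employees on compliance matters: 6 1 2 2
Development of risk matrix and keeping it up to date: 3 4 3 1
Receiving and handling hotline calls and messages, and providing a feedback: 5 1 2 2
Internal investigations: 6 2 3 -
Azerbaijan
Counterparty due diligence: 3 2 1
Contracting with counterparties: 2 5
Provision of sales bonuses and discounts: 1 3 2 1
Major deals: 2 5 2
M&A: 1 1 3
Atypical manual accounting adjustments: 2 1 1 2
Conclusion of deals and transactions outside of corporate policies and procedures (i.e. are not outlined or contravene the provisions of policies and procedures): 2 3 2
Giving of business gifts: 1 2 2 1
Acceptance of business gifts, hospitality and other business courtesies: 2 2 1
Charity and social responsibility: 1 1 1 2
Sponsorship: 1 2 2 1
Management of conflicts of interest: 2 3 1 1
Compliance training for internal staff: 2 1 2
Advising employees on compliance matters: 2 1 2
Development of risk matrix and keeping it up to date: 2 2 1 2
Receiving and handling hotline calls and messages, and providing a feedback: 1 1 3
Internal investigations: 1 1 3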
Monitoring and control
Answers Russia Ukraine Kazakhstan Azerbaijan
What kind of data source does the Compliance Department/responsible person in your company use to monitor processes? (Multiple choice question)
For monitoring purposes, the Compliance Department requests the necessary information from authorized employees, with no access to relevant accounting systems on an anytime basis 36 1 5 3
The Compliance Department may access and download data from the necessary accounting systems 30 3 4 0
The company has an established algorithm for detecting risky transactions and, when identified, the Compliance Department receives a notification 6 2 2 1
Other 5 0 0 1
Don’t know/Not sure 0 12 0 0
How is the Compliance Department/responsible person notified of risky transactions (when identified)? (Multiple choice question)
Automatically generated notifications are emailed to the Compliance Department 6 1 0 0
Automatically generated notifications are delivered to a special platform accessible to the Compliance Department 3 1 1 0
Risk communication messages from employees are received orally or via e-mail/hotline 46 6 8 4
Other 9 0 0 1
Don’t know/Not sure 0 12 0 0
Identification of conflicts of interest
Answers Russia Ukraine Kazakhstan Azerbaijan
What is the company’s approach to managing a conflict of interest? (Multiple choice question)
All staff members are required to disclose annually all possible and potential conflicts of interest and must complete a respective conflict of interest form 8 3 1 0
Employees in leadership roles and at a senior management are required to complete annually a declaration disclosing the existence/absence of any conflicts of interest 17 2 4 0
Staff members in positions subject to a high risk of fraud and corruption are required to complete annually a declaration disclosing the existence/absence of any conflicts of interest 8 2 2 0
New staff members are required to disclose any conflicts of interest at the time of their recruitment 30 9 6 0
Staff members reassigned to a different position or transferred to another department are required to disclose any conflicts of interest 12 2 1 0
The company periodically monitors conflicts of interest using in-house resources or engaging external advisors 19 7 3 3
Staff members must disclose any conflict of interest when it arises 37 0 3 1
Other 1 0 0 1
Don’t know/Not sure 3 0 0 0
Counterparty due diligence
Answers Russia Ukraine Kazakhstan Azerbaijan
Who is responsible for the counterparty due diligence at your company? (Only one answer is possible)
Employee of the business unit, which intends to sign a contract with a counterparty 16 4 1 2
Legal Department 6 5 1 1
Security Department 20 6 1 0
Finance/Accounting Department 2 1 0 1
Employee responsible for risk management 0 1 0 0
Employee responsible for compliance 5 0 2 0
Don’t know/Not sure 1 0 0 1
Other 5 1 3 0
How often do you perform a counterparty due diligence at your company? (Only one answer is possible)
Perform only initial due diligence 17 7 4 3
More than once a year 4 3 0 0
Once every 1-3 years 25 4 1 1
Less than once every three years 3 1 0 0
Don’t know/Not sure 4 1 1 1
Other 2 2 2 0
Who is covered in a counterparty due diligence? (Only one answer is possible)
The company checks the background of all counterparties 33 12 3 2
The company performs a counterparty due diligence procedure in accordance with established criteria 20 6 3 3
Don’t know/Not sure 2 0 2 0
Does the company have a set of certain formalized criteria to measure counterparty risk? (Only one answer is possible)
Yes 39 10 3 3
The company has not yet established a set of formalized criteria to measure identified risks; a decision on the risk level is made on a case-by-case basis 14 7 4 2
Don’t know/Not sure 2 0 0 0
Other 0 1 1 0
At the stage of supplier selection (prior to concluding/signing a contract), who is covered during the counterparty due diligence procedure? (Only one answer is possible)
Leading vendor (winner) of the competitive procurement procedure 13 6 1 0
All participants in the competitive procurement procedure 33 10 4 4
Counterparty due diligence is not carried out at this stage 5 1 3 0
Don’t know/Not sure 4 1 0 1
Answers Russia Ukraine Kazakhstan Azerbaijan
Which of the following details (information) are reviewed as part of the counterparty due diligence? (Multiple choice question)
Date of incorporation and registered office (registration details) 53 16 8 3
Information on the activities, necessary certifications 50 15 7 4
Owners, ultimate beneficiaries and management, including business image and professional integrity 47 17 3 3
Owners, ultimate beneficiaries and management, including professional background, professional integrity and business interests 25 0 3 0
Owners, ultimate beneficiaries and management, including involvement in illegal/unethical activity, reported instances of involvement in corrupt and money laundering schemes 38 13 4 1
Owners, ultimate beneficiaries and management, including ties with politicians or employment at state structures, the leveraging of such relations or official position to promote personal business interests 31 13 4 1
Financial indicators 46 12 5 1
Counterparty's reputation among national and international regulators and public authorities 27 8 4 2
Information on instances of illegal or unethical business practice 33 9 3 2
Inclusion of the counterparty/key persons in national and international sanctions lists, blacklists of individuals and entities suspected of money laundering, the financing of terrorism and political connections 34 11 3 1
Involvement of a counterparty in unresolved disputes or unsettled court cases related to business activities or legal and regulatory issues 49 15 6 2
Pending insolvency proceedings against the counterparty 51 15 5 2
Participation in political activities (ties with well-known politicians and state institutions, the leveraging of such relations to promote personal business interests) 18 9 3 1
Other defamatory or derogatory information published in the mass media 40 15 5 2
Conflict of interests between the counterparty and the company 37 12 6 2
Materiality of potential transactions for the counterparty 26 6 2 1
Previous background of the counterparty-company relationship 39 9 5 3
Commercial references from other partners 15 6 2 1
Other 1 0 1 0
Don’t know/Not sure 1 0 0 1
What criteria are used to identify the need to undertake a counterparty due diligence? (Multiple choice question)
Level of risk identified at the time of the review of the counterparty’s questionnaire 13 3 0 1
Area of activity/line of business of the counterparty's company 10 4 1 1
Type of services/products under the contemplated contract 15 4 1 1
Contract value 15 1 2 1
Don’t know/Not sure 0 1 0 1
Specify the sources of information used by the company for the counterparty due diligence purposes (Multiple choice question)
Internet search engines 44 14 7 5
Databases with paid access (e.g., SPARK, Lexis Nexis, D&B) 52 9 2 0
Information provided by the counterparty 45 9 5 4
Collecting testimonials and references in the market 16 6 1 4
Detective agencies 2 1 0 0
Security Department sources 30 8 1 2
Third-party providers of counterparty due diligence work (outsourcing) 10 5 1 1
Providers of business intelligence services 3 0 0 0
Other 2 1 0 0
Answers Russia Ukraine Kazakhstan Azerbaijan
Do you use the questionnaire completed by the counterparty as the first step to assess associated risks? (Only one answer is possible)
Yes 34 7 6 3
No 14 8 2 1
Don’t know/Not sure 6 2 0 1
Other 1 1 0 0
Which of the following measures does your company take to mitigate the risks identified in a counterparty due diligence? (Multiple choice question)
Incorporation of specific provisions and clauses in contracts with counterparties (e.g. the anti-corruption clause) 42 13 5 1
Limitations on the counterparty's ability to act on behalf of the company 25 7 3 3
Ongoing monitoring of the counterparty's activities 21 9 3 2
Regular certification and anti-corruption training courses 12 3 1 0
Review and approval of payments made to the counterparty 27 7 3 3
Review of payments made by the counterparty acting on the company's behalf 12 2 1 2
The company does not take any measures to mitigate the identified risks 2 0 0 0
Other 4 4 1 0
Anti-corruption and right-to-audit clauses
Answers Russia Ukraine Kazakhstan Azerbaijan
Do the company's contracts include anti-corruption and right-to-audit clauses? (Only one answer is possible)
Yes, both anti-corruption and right-to-audit clauses are included in all contracts 19 8 2 0
Yes, anti-corruption and right-to-audit clauses are included in contracts further to the request of the counterparty or selectively 7 1 1 0
Only an anti-corruption clause is incorporated in all contracts 13 3 3 1
Only a right-to-audit clause is incorporated in all contracts 1 0 0 1
Only an anti-corruption clause is incorporated in selected contracts 6 2 0 0
Only a right-to-audit clause is incorporated in selected contracts 1 0 0 0
No, the contracts include neither anti-corruption nor right-to-audit clauses 7 3 2 3
Other 1 1 0 0
Has your company ever conducted a counterparty audit pursuant to the right-to-audit clause? (Only one answer is possible)
A right-to-audit clause is not incorporated in contracts 13 3 2 0
Yes, the company has audited its counterparty in the past two years 13 4 0 1
No, the company did not execute the right to audit, but plans to audit its counterparty in the coming year 8 3 4 0
No, the company did not execute the right to audit and has no plans to execute it in the coming year 14 5 2 3
Don’t know/Not sure 7 3 0 1
Hotline
Answers: Russia, Ukraine, Kazakhstan, Azerbaijan
Which of the following are the most effective ways to identify violations at your company? (Multiple choice question)
Hotline 31 8 4 1
Internal audits 34 11 6 2
External audits 17 2 5 3
Internal control checks 17 5 3 3
Compliance checks 30 10 4 3
Security Department checks 22 5 3 2
Reviews initiated by management 11 5 2 3
Tip 17 4 3 0
Automated IT controls 15 6 1 2
Other 1 1 0 0
Which of the following hotline channels are used to report a suspected compliance or ethics violation at your company? (Multiple choice question)
There is no hotline to report a suspected compliance or ethics violation 3 4 2 3
Telephone 35 12 4 2
E-mail 48 14 5 1
Web portal 30 7 3 0
Post 19 4 2 1
Special boxes installed in office spaces and production sites 11 3 1 0
Chatbot 1 0 0 1
Other 3 0 0 0
Do you engage any third-party providers to administer the hotline, or use in-house resources? (Only one answer is possible)
The hotline is managed internally 25 4 3 1
The hotline is outsourced to a third party 9 6 2 1
The company manages its hotline through a combination of internal and third-party (outsourcing) resources 9 1 1 0
Don’t know/Not sure 6 2 0 0
Other 1 1 0 0
Does your company provide the opportunity for anonymous reporting to the hotline? (Only one answer is possible)
Yes 49 11 6 2
No 3 3 0 0
Answers: Russia, Ukraine, Kazakhstan, Azerbaijan
Which of the following tools and techniques does your company use to build and raise awareness of its hotline? (Multiple choice question)
Training programs, which cover compliance and ethics-related issues, fraud and corruption prevention topics, typically taken on an annual basis 35 12 5 0
E-mail campaign 23 8 1 0
Bulk messaging (SMS) 1 0 0 0
Newsletters 17 3 1 0
Information about the hotline on the internal corporate website 39 7 4 0
Posters 25 7 3 1
Bulletins/brochures 15 4 2 0
Communications from top management (i.e., CEO) 21 3 1 0
Financial incentives for the reported information 1 0 0 0
Nothing 6 1 1 1
Other 1 1 0 0
Specify the rate of relevant reports on suspected compliance or ethics violations collected via the hotline in the previous 12 months (Only one answer is possible)
More than 50% of the relevant messages 4 1 1 -
30-50% of the relevant messages 9 2 - -
Less than 30% of the relevant messages 7 3 - -
Don’t know/Not sure 29 6 4 2
Other 3 2 1 0
Does the company assess the hotline performance on a regular basis? (Multiple choice question)
Yes, using Internal Control Department resources 14 3 2 0
Yes, using Internal Audit Department resources 14 3 1 0
Yes, using Security Department resources 7 1 0 0
Yes, through external advisors 4 1 1 0
No 12 1 1 2
Don’t know/Not sure 12 8 0 0
Other 2 3 1 0
Key compliance challenges
Answers: Russia, Ukraine, Kazakhstan, Azerbaijan
In your opinion, what does the compliance function at your company lack at present? (Multiple choice question)
Compliance professionals 14 6 4 3
Communications from the company’s management to all staff covering compliance-related issues, fraud and corruption prevention topics 13 3 2 0
Support and assistance from the company's top management 16 3 0 1
Methodological support of the compliance function 17 4 4 3
Professional development and certification for the compliance staff 11 4 1 2
Participation of compliance team members in specialized trainings and seminars 6 6 2 2
Salaries and remuneration of the compliance team 10 6 1 0
Procurement and office supplies (premises, office appliances, machines and equipment, Internet access) 2 1 0 1
Access to corporate accounting systems and data 7 1 0 1
Electronic document workflow and approval procedures covering all material processes 10 4 2 0
Access to documents (contracts, supporting documents) 1 0 0 0
Enterprise-wide business process automation 14 4 3 3
Automation of compliance-related business processes 19 4 2 3
Employee perception of the compliance role as an advisor, and not as an inspector/auditor 17 7 3 2
Understanding of the role and objectives of the compliance function by company employees 19 6 3 2
Other 3 2 0 0
Don’t know 8 4 0 0
Automation of business processes and compliance functions
Answers: Russia, Ukraine, Kazakhstan, Azerbaijan
What are the main reasons for the lack of automation? (Multiple choice question)
No need for automation, the current process works OK 23 7 3 3
Lack of financing for automation 14 1 1 1
Process automation is expected in the next three years 14 6 5 1
Other 4 3 1 0
Don’t know/Not sure 6 1 0 0
[Figure: Business process automation. Panels: Russia, Ukraine. Legend: Partially automated process; Fully automated process; Manual process; Process does not exist/Don’t know. Processes shown:]
Counterparty due diligence
Approval of contracts with counterparties
Provision of sales bonuses and discounts
Outgoing payments
Atypical accounting adjustments
Giving of gifts
Hospitality expenses
Acceptance of gifts, corporate hospitality
Sponsorship and/or charity
Disclosure of conflicts of interest (including on an annual basis)
Staff compliance training
Development and updating of risk matrix
Transactions beyond the framework of corporate policies and procedures (i.e., they are not outlined or contravene existing provisions of such policies and procedures)
Receiving and handling hotline calls and messages, and providing feedback
Internal investigations
[Figure: Panels: Kazakhstan, Azerbaijan. Legend: Partially automated process; Fully automated process; Manual process; Process does not exist/Don’t know. Processes shown:]
Counterparty due diligence
Approval of contracts with counterparties
Provision of sales bonuses and discounts
Outgoing payments
Atypical accounting adjustments
Giving of gifts
Hospitality expenses
Acceptance of gifts, corporate hospitality
Sponsorship and/or charity
Disclosure of conflicts of interest (including on an annual basis)
Staff compliance training
Development and updating of risk matrix
Transactions beyond the framework of corporate policies and procedures (i.e., they are not outlined or contravene existing provisions of such policies and procedures)
Receiving and handling hotline calls and messages, and providing feedback
Internal investigations
Contacts
Igor Lebedev, Risk Consulting, KPMG in Russia and the CIS, Partner
T: +7 495 937 4477 E: [email protected]
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2018 KPMG. KPMG refers to JSC “KPMG”, “KPMG Tax and Advisory” LLC, companies incorporated under the Laws of the Russian Federation, and KPMG Limited, a company incorporated under The Companies (Guernsey) Law, as amended in 2008. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
kpmg.ru kpmg.com/app
Veronika Ivanova, Risk Consulting, KPMG in Russia and the CIS, Senior Manager
T: +7 495 937 4477 E: [email protected]
Irina Burdikova, Risk Consulting, KPMG in Russia and the CIS, Director
T: +7 495 937 4477 E: [email protected]
Liubov Martynova, Risk Consulting, KPMG in Russia and the CIS, Director
T: +7 495 937 4477 E: [email protected]