internal auditing hotline procedures and · pdf filearamco businesses and operations n...
Waheed Alkahtani,
CFE, CISA, and ISO Lead Auditor
Saudi Aramco Internal Auditing
March 2012
© Copyright 2012, Saudi Aramco. All rights reserved.
A Wealth of Data
employees who witnessed misconduct at work
46% reported the bad behavior
65%
But it comes with its Risk
• Compliance
• We love tips
R&R
• email,
• websites, telephone
Volume
• misheard
• mistreated
Risk
Mining for Hotline Gold, Robert Tie, Fraud Magazine, November/December 2011
Presentation Outline
Overview: Understand your requirements
Belling the cat: The implementation phase
Hotline management and best practices
Section I
Saudi Aramco
• We employ almost 55,000 workers and are headquartered in Dhahran in the Eastern Province.
HR
• The Company manages proven oil reserves of 260.1 billion barrels, and the fourth largest gas reserves in the world, 279 trillion cubic feet.
Reserves
• Our operations span the Kingdom, with production and product distribution facilities linking all market areas.
Operations
• With operations in exploration, production, refining, petrochemicals, marketing and international shipping.
Integrated
• Hold significant interests in refining and marketing companies in China, Japan, India, the Netherlands, the Republic of Korea, Singapore, the United Arab Emirates, the United Kingdom and the United States.
International
Challenges with Saudi Aramco Global Presence
Diverse Environment
Wide Range of Services
Business Solution Oriented
The Main Goal
The main goal is to establish a mechanism for reporting noncompliance issues and other unethical behavior.
Best Practices
Oil and Gas
Service Providers
GCC
Gulf Cooperation Council
Oil and Gas Companies Contact us
Contact info
Phone and email info
In-house
Static web page
Simple feedback page
Outsource
Service providers
Multilingual
International office
Service Provider Anonymous reporting mechanisms
24/7
Case Management
Management Reports
Training and Awareness
Available Options
Outsource
In-house
Don’t touch it
Don’t Touch It
If it is not Broken
It is not our problem
Compliance
Management pressure
“The Tone at the Top”
In-House
Cheap, Customized, and One-Stop Shop
Modest, Biased
Outsource IT
Easy, Independent
Costly, Compatibility Culture
Service providers are
More efficient and proficient
Provide flexibility
Allow you to focus
Save time, effort, and costs
Share your business risks
But it may require
Service Level Agreement (SLA)
Legal and confidentiality agreements
It may create potential redundancies
Longer complicated approval process
More agreements to manage
Double-Edged Sword
• Save
• Extra
Cost
• Save
• Extra
Time
• Share
• Hidden
Risk
• lack of trust
• Independent
Trust
There is no “One size fits all”
Start small and grow over time.
Fulfill your needs and take the interests of your shareholders into consideration.
Outsourcing is a long-term partnership and you want to partner with the right service provider.
Factors to a Successful Hotline
Communicating
Reacting
Planning Policies and Procedures
Announcements Awareness and Marketing
Campaigns
Section II
The Reporting Mechanisms
Report
Web
Telephone
IVR Fax
IVR Selections
The Website General Goals
Reporting
Provides an avenue for individuals to report non-compliance issues and irregularities within the Saudi Aramco Businesses and Operations
Communication
Provides an effective two-way communication, engaging all employees with the GA regarding case status and feedback
Marketing
Proactively promotes an ethical workplace, identifies conflicts of interest, and provides policies and procedures on business ethics
The GA eHotline
Simple Independent
Private Secure
The IA Hotline Process
Register
Report
Follow-up
What to Report
Violations of any law or regulation applicable to the Company’s operations
Falsification of records or reports
Violation of the Company’s policies
Other irregularities, including fraud, theft and matters relating to conflicts of interest
Deployment Plan
Intranet
• Home
• Employees
Extranet
• Vendors
• Suppliers
Internet
• Full access
• Everyone
What We Have Done
Web Application
Development
Secure Application
Server
Pilot Phase Final Design Announcement
What’s Next
Awareness
• Meetings
• Announcements
• Posters
Enhancements
• Links
• Extranet
Tracking
• Number of hits
• Reports and logs
Section III
Ask not what the hotline can do for you, ask what you will do with the hotline results
Fire hose Water hose
Ask the following questions
What is your scope of work?
Who will manage the hotline and who will administer it?
How will you handle a call or a tip?
Who will report it?
Call Handling
• The Hotline IVR system answers the hotline and forwards the calls to SAD auditors who interview the callers about their allegations
Income
• Calls will be directed to Arabic and English speakers according to the caller selection
Redirect
• “Saudi Aramco General Auditor Hotline.
• This is “YOUR NAME”, how can I help you?”
Greeting
• The call coordinator should log the call manually to IA e-hotline/log system while or after completing the call
Logging
Call Handling
• Questions should be constructed around when, where and how
Gathering
• Logs the information, fills the e-hotline form, and generates a reference number
Document
• Reference number
Closing
• A Complaint Report is emailed to the GA
After the call
Overview
• Emails
• Fax
• e-Hotline
• Phone
Combine
• Communicate items with the GA
Analysis
• Special Audit
• Normal Audit
• HR or other
Dispatch
• Call categories
• Sources and allegation types
Report
Useful Measures Type
Allegation
Inquiries
Identity
Anonymous
Named
Source
Group
Location
Business lines
Level of employees
Management
Professionals
Education
Reporting methods
Online
Phone
Fax
Walk in
Other Useful Measures
Life cycle
Actions
Substantiation rates
Geographic distribution
Trends against prior years
Questions
Appreciation
Wrong Number
Statistics on the Hotline
•30%
•Grievances
•Performance Management
•Discrimination
•20/12/2010
•380 calls
• 1-2 calls/day
•26% Phone Call
•24% Email
•3% Fax
•35% e-Hotline
• 12% Others
Inbox Figures
Other HR
Hotline Main Categories
Finance
Accounting, Auditing and Financial Statement
Business Ethics
Fraud, Conflicts of interest, and Bribes
Misuse
Vehicle Use, Employee Theft and Time-Clock Abuse
Human Resources
Discrimination, Harassment and Compensation
Other
Environmental, Health and Safety
Call Volumes
Company risk areas
Organization culture and work climate
Workforce break down and staffing
Advertisements and marketing mechanism
Alternatives and other channels
What May Cause Changes
News and Media
Regulatory Changes
Awareness and Training
A Real Problem
Hotline Trends
• 7:00 to 4:00 versus 24/7
Working Hours
• A hotline with multiple reporting mechanisms requires a well-defined logging procedure and consolidation efforts.
Consolidation
• Many occasions require coordinating acts between various entities in the organization.
Follow-up
• Companies with global presence and multinational employees have to consider multiple interfaces and translation issues.
Languages
Challenges
Other Challenges
Call Analysis
So much data, but not always clear
Benchmarking
The need to demonstrate the hotline’s effectiveness
Reporting
The need to report meaningful and actionable data to management
Hotline Kills
Discouraging callers with questions or requests for advice
Long investigation cycle
Failure to publish sanitized outcomes for employees
Neglecting trends and benchmarks
Final Thought
Why don’t
people report?
The fear of retaliation
Who cares? Nothing
will happen
Conclusion
Now
Reaction
Complex
Collective
65%
Later
Prevision
Simple
Awareness
75%
Thank you
“Association of Certified Fraud Examiners,”
“Certified Fraud Examiner,” “CFE,” “ACFE,”
and the ACFE Logo are trademarks owned by
the Association of Certified Fraud Examiners,
Inc. The contents of this paper may not be
transmitted, re-published, modified,
reproduced, distributed, copied, or sold without
the prior consent of the author.