Compliance in the CIS: Key Challenges & Automation · 2020-07-25 · KPMG presents its second annual survey on the priorities of CIS companies to develop their compliance function

KPMG in Russia and the CIS

kpmg.ru

2018

Compliance in the CIS: Key Challenges & Automation

http://www.kpmg.com

KPMG presents its second annual survey on the priorities of CIS companies to develop their compliance function in 2017. As in 2016, the survey covers challenges related to organization of the compliance function, its goals and objectives, resource issues, practical implementation of control procedures, and reporting.

This year, we placed greater emphasis on business process automation and its impact on the compliance system. This was made intentionally since the automation of business processes and control procedures are today considered a tool for improving the performance of companies, which are still performing a large number of operations manually. The findings of our survey will help companies operating in the CIS to assess their compliance functions and benchmark the level of their compliance functions from the perspective of process automation practices.

This year we also changed the way we conducted the survey – responses were mostly collected using a confidential online questionnaire instead of the interviews conducted last year. This enabled us to double the number of respondents and thereby deliver more representative results.

The following report is a summary of responses received from respondents. In the appendices, you will find in-depth information for each of these countries: Russia, Ukraine, Kazakhstan and Azerbaijan.

We hope that you will find this report useful as a framework for understanding the current state of CIS compliance functions and substantiating the adoption of management decisions on compliance-related matters.

Best regards, KPMG

Introduction

Contents

About the survey

p. 4

Key findings p. 6

Priority comPliAnce AreAs

p. 10

APPendix 1. Answers by countries

p. 36

orgAnizAtion of the comPliAnce function maturity of the compliance function 15

organizational structure of the compliance function 15

Annual compliance function budget 16

compliance reporting procedure 17

p. 14

comPliAnce throughout the comPAny’s business Processesmonitoring and control 21

Identification of conflicts of interest 22

counterparty due diligence 23

Anti-corruption and right-to-audit clauses 28

hotline 29

p. 18

Key comPliAnce chAllenges p. 32

AutomAtion of business Processes And the comPliAnce function

p. 34

About the survey

goAls & objectives

This survey presents a summary of findings outlined in the following sections:

— respondent information: sector, geographic footprint, revenue, etc.;

— priority compliance areas;

— organization and structural arrangement of the compliance function, including functional subordination, staffing numbers, budget, etc.;

— compliance function in the company’s business processes;

— business process automation in the company and its impact on compliance;

— essential, but missing components of the compliance system.

The main goal of this survey is to analyze specific features of the organization, role and objectives of compliance functions at CIS companies and also the practice of implementing certain business processes and control procedures, including through automation.

methodology

The survey respondents included heads of business units with compliance function mandates: Compliance, Legal, Finance Internal Audit/Internal Control and Security Departments. The survey was conducted using an online questionnaire via web-based platforms that could be supported by interviews further to a request from respondents. This report uses only aggregated survey data and does not contain any personal data related to respondent companies. We also relied on information from public sources.

4

© 2018 KPMG. All rights reserved.

| Compliance in the CIS: Key Challenges & Automation

In total, 98 respondents took part in the survey. KPMG undertook a thorough analysis of all the responses and decided that only 89 respondents met the given criteria and therefore could be considered as relevant. It should be noted that this is almost three times as many as in 2016. As in the previous year, the majority of the respondents operate in the pharmaceuticals and telecommunications sectors (30% in 2017 vs. 36% in 2016). At the same time, we observe a higher percentage of transport companies – 7% in 2017 vs. 3% in 2016. It should also be noted that the banking sector is not represented in the survey due to the specific regulation of its compliance activities.

resPondents Pharmaceuticals

utilities and telecommunications

consumer goods

oil & gas

transportation

Automotive

construction

chemicals

innovation and technology

metals & mining

other

18

9

7

6

6

5

5

5

4

4

20

The figure below provides a breakdown of respondents by geographic footprint.

russia55ukraine18

Azerbaijan5

georgia1 89 companies

Kazakhstan8

turkmenistan1

belarus1


5Compliance in the CIS: Key Challenges & Automation |

46%of respondents have spun off their compliance functions into separate departments.

directly administratively report to the President/CEO of an organization.

Compliance functions at

2–10 people, in 22% of instances only 1 employee is responsible for compliance.

Staff size of Сompliance Departments at

<50,000

Annual budget spent on compliance function at

(national currency equivalent)

61% of respondents prepare compliance reporting at least once a year, another 20% – further to the request of management.

In total, 60% of respondents report on development of the compliance system to the President/CEO.

Priority compliance areas

88%As was the case in 2016 anti-corruption compliance procedures ranked first this year as the top priority area for compliance, according to 88% of respondents.

The share of companies that consider antitrust and occupational health and safety (OHS) compliance a matter of priority has contracted – in 2017 they represented 49% and 37% of the total respectively (in 2016, response rates among Russian respondents were 85% and 91%, among CIS respondents (excluding Russia) – 83% and 63%).

49% 37%&

43%Respondents perform an annual compliance risk assessment; beyond that point, 21% of companies assess compliance risks on a quarterly basis.

Organization of the compliance function

Key findings

In total,

49% of the surveyed companies

46% of respondents.

63% of respondents

In total,

6



Monitoring and control

According to most respondents, the compliance function is primarily responsible for the following processes:

43% 38%

36%

50%compliance training courses

58%consulting on compliance matters

internal investigations

development and updating of a risk matrix

Processing of reported information and messages, providing a feedback

The compliance function participates in the approval of high-risk business processes:

35%charity and sponsorship

conclusion of major deals and transactions outside of corporate policies and procedures –

respectively

37%,40% &

respectively

Identification of conflicts of interest

of respondents ask new staff to disclose any conflicts of interest at the time of their recruitment,

53%

26%while

require staff to issue an annual conflict of interest disclosure.

of respondents periodically monitor conflicts of interest through in-house resources or by engaging external advisors.

37%

Key findings

each,

In total,In total,



Counterparty due diligence

84% of respondents conduct a centralized counterparty due diligence,

analyze their business partners through a peer-review process, which involves several units.

In total, 8% of respondents 65% of respondents have established a set of formalized criteria to assess and measure counterparty risks.

57% of respondents conduct due diligence of all their counterparties.

37% of respondents perform only initial due diligence (i.e. when contracts are concluded for the first time). At the same time, 44% of respondents carry out a counterparty due diligence at least once every three years.

In order to check the background of their business partners, about

in other words, performed by a single business unit, while 32% use their Security Departments.

Anti-corruption and right-to-audit clauses

of respondents incorporate anti-corruption and right-to-audit clauses in their contracts with counterparties.

The surveyed companies include in their contracts one of two options: either anti-corruption (22%), or the right-to-audit clause (2% only).

of respondents have ever exercised the right to audit clause in the past.

Only

21%

Key findings

34%

In total,

26% of respondents outsource due diligence work to third parties.

In total,

In total,

In total,

In total,

8



Hotline

Business process automation

13%of respondents still do not have a hotline.

administer a hotline internally,

45%

27% outsource them to a third-party provider,

While

and 16% use both resources.

anonymous reporting is possible.

51% of respondents measure performance of their hotline.

of companies with a hotline, 92%

Automation of routine activities:

45%

outgoing payments

fully 33% partially

35%

contract negotiation and approval

fully 29% partially

16%

receiving and handling hotline calls and messages

fully 35% partially

12%

counterparty due diligence

fully 49% partially

of companies

recognize business process automation as a matter of priority for their compliance system.

33% of respondents

plan to automate their processes in the next three years.

30%

Key findings

In total,

In total,

At

In total,

Meanwhile,




It must be pointed out that fewer companies consider antitrust and OHS compliance a matter of priority – in 2017 they represented 49% and 37%, respectively (in 2016, response rates among

Russian respondents were 85% and 91%, among the CIS respondents (excluding Russia) – 83% and 63%).

In addition, in 2017 respondents recognized two areas of compliance as significantly less relevant to their businesses: human rights compliance in the workplace (67% and 29% of Russian companies found it relevant in 2016 and 2017, respectively), and insider trading compliance (relevant for 28% of Russian companies surveyed in 2017 vs. 61% in 2016).

In 2017, anti-corruption compliance ranked first as the top priority area for compliance practice, according to 88% of the surveyed companies. Respondents place a lot of emphasis on the protection of personal data (61%) and confidential information (57% of companies have included this issue in their compliance programs).

88%

10



Anti-corruption and ethics compliance

compliance related to the protection of personal data

Compliance related to the protection of confidential information

Antitrust compliance

ohs compliance

Anti-money laundering and counter terrorism financing (AML/CTF)

environmental compliance

compliance in marketing and advertising

compliance with trade sanctions

human rights compliance in the workplace

Prevention of insider trading and market manipulation

other


88%

61%

57%

49%

37%

37%

34%

33%

31%

29%

28%

6%

Source1: KPMG analysis.

Note: 2% of respondents said they were not sure or did not know the answer to this question. This is a multiple-choice question.

1 Hereinafter, the survey findings are based on KPMG analysis.



94%Local anti-corruption laws and regulations

APPlicAble Anti-corruPtion legislAtion

4 respondents cited the need for compliance with the EU,

Swiss and Cypriot anti-corruption rules.

48% Foreign Corrupt Practices Act (FCPA, USA)

45% uK bribery Act 2010

6% Sapin II (France)

4% other

3% not applicable

Note: this is a multiple-choice question.

Assessment of comPliAnce And corruPtion risKs

Assess compliance risks on an annual basis

Assess compliance risks on a quarterly basis

Assess compliance risks on an ‘as-needed’ basis

do not assess compliance risks

Note: this is a multiple-choice question.

43%

21%

34%

11%

12



33% of the surveyed companies have a separate compliance risk map (matrix), while 35% of respondents have a general risk map that, among other things, covers compliance risks.

30% of respondents have formalized their methodologies adopted for the identification and assessment of corruption risk. Another 25% have such methodology in place, but it is not documented in the company’s internal regulations.

ISO 37001:2016 Anti-Bribery Management Systems(ISO 37001) recommends that the bribery risk assessment be reviewed:

— on a regular basis so that changes and new information can be properly assessed based on timing and frequency defined by the organization;

— in the event of a significant change to the structure or activities of the organization.

ISO 19600:2014 Compliance Management Systems

determines that the compliance risks should be reassessed periodically and whenever there are:

— new or changed activities, products or services;

— changes to the structure or strategy of the organization;

— significant external changes, such as financial-economic circumstances, market conditions, liabilities and client relationships;

— changes to compliance obligations;

— noncompliance(s).



Го

Organization of the compliance function

Maturity of the compliance function

Organizational structure of the compliance function

Annual compliance function budget

Compliance reporting procedure

14



At most respondents the compliance function has been operational for more than one year, in particular,

36% – from 1 to 3 years, and 40% – from 3 to 10 years.

The answers disclosed that pharmaceuticals and oil and gas companies are considered ‘compliance pioneers’.

mAturity of the comPliAnce function

It should be noted that the surveyed pharmaceutical companies are primarily foreign-owned subsidiaries, which have introduced compliance practices at the time of their entry into the CIS market,

and vice-versa for oil and gas companies, where compliance is attributable to the access of CIS companies to the international market.

Maturity of the compliance function

more than 10 years

7%

1-3 years36%

less than 1 year 3–10 years40%

11%

orgAnizAtionAl structure of the comPliAnce function

Note: 6% of respondents said they were not sure or did not know the answer to this question.

In terms of the organizational structure of the compliance function, respondents were divided roughly equally in two

groups: companies with a separate Compliance Department (46%) and companies with no special compliance unit (54%), where corresponding functions are assigned to other departments (e.g., Legal Department). It should be noted that a similar proportion of responses was recorded in the 2016 survey.

46% оf respondents

ISO 19600:2014 Compliance Management Systems(ISO 19600) does not provide detailed guidelines on whether it is necessary to establish a separate Compliance Department. The document outlines that organizations may create stand-alone units or delegate compliance functions integrating them to existing departments.

The following issues should be taken into account when creating/transforming a compliance function:

— organizational structure of the company;

— nature of the company’s business;

— total number of staff;

— functions expected within the Compliance Department;

— number and nature of business processes and transactions with high risk of corruption.have a separate Compliance

Department



AnnuAl comPliAnce function budget

In 2017, respondent answers to the question about the administrative subordination of their compliance function are relatively similar to the previous survey. Most answers (49%) disclosed that Compliance Departments administratively report directly to the company’s President or CEO.

49%

21%

President/CEO

Vice President/Department Director/Division Manager

Board of Directors and/or board committees

8%

15% other*

Compliance function – administrative subordination

*Local (Regional) Chief Compliance Officer, head of function or business executive (director) in the country, Legal Department.


Team size in Compliance Departments

>10

2-101

63%

22%

15%

employees

employee

employees

Note: The response rates were calculated for the companies, which replied in the affirmative to the question about a separate Compliance Department.

It should be noted that the staff size of Compliance Departments in respondent companies is weakly correlated with annual revenues and total headcount.

<$50,000$50,000– 167,00046% 10% 10% 7%

Notes: 27% of respondents said they were not sure or did not know the answer to this question. The response rates were calculated for the companies, which replied in the affirmative to the question about a separate Compliance Department.

$167,000– 833,000 >$833,000

16



comPliAnce rePorting Procedure

Recipients of compliance reports

Note: respondents were asked to choose one or multiple options from a list of possible answers.

President/CEO

board of directors

management of the parent company

Vice President (s) / Deputy CEO (s) responsible for a separate line of business

no reporting is prepared in this respect

reporting is prepared for internal use and compliance function only (it is not submitted to management)

other

60%

31%

30%

17%

10%

4%

7%

Compliance reporting cycle

more than once a year

further to a request from management

At least once a year

no formalized reports

At least once every two years

other

43%

20%18%

4%

2%2%


As management and executive staff must be kept regularly informed, which is one of the most

important tasks of the compliance function, relevant questions were included in the 2017 survey.

In response to the questions concerning the compliance reporting cycle, 61% of companies answered ‘at least once a year’ and 20% – ‘further to a request from management’.

In total 31% of respondents submit compliance reports to the company’s Board of Directors.

60%report compliance matters directly to the President or CEO

of the surveyed companies

61%At least once a year



Compliance throughout the company’s business processes

Monitoring and control

Identification of conflicts of interest

Counterparty due diligence

Anti-corruption and right-to-audit clauses

Hotline

18



common tyPes of comPliAnce orgAnizAtionAl structures

1

2

3

Centralized

1) The compliance function retains direct control over all compliance-related activities through a separate department/responsible person.

2) In the case of a specific compliance area – all compliance activities and controls are executed through a separate department/responsible person.

Decentralized

1) Compliance functions are embedded in and distributed between several business units/employees in order to manage compliance risks, exercise compliance controls and procedures.

2) In the case of a specific compliance area – all compliance activities and controls are distributed between several business units/employees, which does not involve the creation of a centralized compliance function.

Hybrid

1) The compliance system combines both centralized and decentralized models. The compliance function provides overall direction and oversight in all areas of compliance to ensure a one-size-fits-all approach to compliance risk management, but any detailed compliance activities and controls related to specific compliance areas are exercised by various business units/employees.

2) In the case of a specific compliance area – the compliance function provides methodological guidelines, information advice and support in implementing necessary compliance policies and procedures; consolidates and monitors the progress made on their implementation; reports to management, etc., while the responsibility to perform specific implementation activities, compliance controls and procedures rests with relevant business units/employees.

The involvement of the compliance function in the company’s business processes is of particular interest, as the compliance role depends on its organizational structure: centralized, decentralized or hybrid.



The chart below demonstrates the overall response statistics concerning the role of compliance in company’s business processes, which includes its involvement in the execution, approval and monitoring of a specific business process, or the absence of any such involvement.

At most respondents Сompliance Departments are responsible for processes related to compliance training courses (50%) and consulting on compliance matters (58%). A significant percentage of respondents state that their

compliance teams perform internal investigations (43%), develop a risk matrix and keep it up to date (38%), process hotline calls, messages, and provide respective feedback (36%).

According to most respondents, their compliance functions are involved in high-risk processes, such as charity and sponsorship (35% each), the conclusion of major deals (40%) and transactions outside of corporate policies and procedures (37%), contracting with counterparties (46%).

In most cases, the compliance function is involved in approval processes when it comes to the identification of risky counterparties and employees, i.e. counterparty due diligence (36%) and management of conflicts of interest (30%).

What is noticeable is that the compliance functions of 36% of respondents are not involved in the approval of sales discounts and bonuses (they don’t monitor the cited transactions).

Compliance role in a company’s business processes


contracting with counterparties

Provision of sales bonuses and discounts

major deals

m&A

Atypical manual accounting adjustments

Conclusion of deals and transactions outside of corporate policies and procedures (i.e. are not outlined or contravene the provisions of policies and procedures)

giving of business gifts

Acceptance of business gifts, hospitality and other business courtesies

charity and social responsibility

sponsorship

Management of conflicts of interest

compliance training for internal staff

Advising employees on compliance matters

development of a risk matrix and keeping it up to date

receiving and handling hotline calls and messages, and providing a feedback


20% 36% 31% 8% 5%

9% 46% 29% 14% 2%

2% 20% 22% 36% 20%

8% 40% 27% 20% 5%

3% 27% 18% 19% 33%

5% 16% 16% 44% 19%

5% 37% 26% 8% 24%

8% 30% 32% 16% 14%

8% 26% 33% 19% 14%

8% 35% 27% 14% 16%

5% 35% 26% 17% 17%

21% 30% 34% 7% 8%

50% 14% 16% 8% 12%

58% 13% 13% 5% 11%

38% 27% 18% 8% 9%

36% 15% 20% 14% 15%

43% 20% 22% 6% 9%

Execution Approval Monitoring Compliance function is not involved in this process

Don’t know/Process does not exist

20



In accordance with ISO 19600, the company introduces relevant control procedures in order to reduce and mitigate

compliance risks. To ensure that they are efficient, such procedures are subject to periodic monitoring. The figure below presents the respondents’ answers to a question about the sources of information

monitoring And control

for monitoring purposes and risk communication methods. Even though a significant percentage of respondents (44%) say that their compliance specialists have full access to corporate accounting systems, the Compliance Departments in the majority (53%) of the surveyed companies still have to request the necessary information

from business process owners. Also, it is notable that Compliance Departments have low levels of automation when it comes to reporting on risk operations – 75% of risk communication messages are received from employees orally or via e-mail/hotline.

Information is requested from business units acting as process owners; the Compliance Department cannot access the relevant accounting systems on an anytime basis

sources of informAtion for business Process monitoring

53% 44%the compliance department downloads data directly from the relevant accounting systems

12%the compliance department receives an automatic notification when a risk-related transaction is identified (automated risk identification)7% other

Note: This is a multiple-choice question. 13% of respondents said they were not sure or did not know the answer to this question.

How risk transactions are reported to the Compliance Department

75% 8% 6% 11%risk communication messages are received from employees orally or via e-mail/hotline

Automatically generated notifications are emailed to the compliance department

Automatically generated notifications are delivered to a special platform accessible to the compliance department

other

Note: This is a multiple-choice question. 13% of respondents said they were not sure or did not know the answer to this question



identificAtion of conflicts of interest

Summarizing the cases based on the engagement experience of KPMG Forensic in Russia and

the CIS, we see that a significant

number of fraud and corruption schemes are perpetrated through third parties, which are affiliated with company employees (including through suppliers and customers).

Therefore, timely identification and prevention of a potential conflict of interest is key to countering fraud and corruption.

conflicts of interest rePorting

53%At the time of recruitment

17%Reassignment to a different position or transfer to another department

~26%require the completion of an annual declaration disclosing the existence or absence of conflicts of interest, in particular:

(less than half)

periodically monitor conflicts of interest by engaging in-house staff or external advisors, in other words, they do not rely solely on the information provided by employees.

26% with respect to employees in leadership roles and at a senior management level;

15% with respect to all staff;

13%apply a risk-oriented approach, which implies staff members in positions where there is a high risk of fraud or corruption must disclose any conflicts of interest.

37%

Note: This is a multiple-choice question.

22



counterPArty due diligence

84%of respondents conduct counterparty due diligence using a centralized model, i.e. performed by a single business unit.

In most cases, this role is assigned to the Security Department (33%). The second most common response is that due diligence checks are performed by the business unit benefiting from a potential contract (27%).

In total, 8% of respondents analyze their business partners through a peer-review process, which involves several units.

Counterparty due diligence models

Centralized due diligence One business unit is involved, which is responsible for carrying out background checks of potential and/or existing counterparties under established criteria, with the involvement of selected experts from other departments to analyze any issues of concern that may arise.

Decentralized due diligence Several business units are involved, either simultaneously or sequentially, in order to collect and analyze information regarding various aspects of counterparty activities.

1

2

Who is responsible for counterparty due diligence

*In different combinations, including through the Security Department, Legal Department, Compliance Department, Administrative Department.


33%

27%

15%

8%

8%

4%

2%

security department

employee of the business unit, which intends to sign a contract with a counterparty

legal department

employee responsible for compliance

Peer review by several departments*

Finance/Accounting Department

other

Measures to mitigate the identified risks

The feasibility and efficiency of a particular model applied by the company largely depends on the number of counterparties under review and the size of a business.



According to the survey, a significant portion of respondents perform only initial due diligence –

37%. At the same time, we can see that a large number of companies perform counterparty checks at least once every three years (44%). There are single responses (1%) mentioning the use of automated tools for the continuous monitoring of changes in the counterparty’s activity.

37%Initial due diligence only

36% once every 1–3 years

8% more than once a year

4% less than once every three years

8% other


Scope of due diligence checks

57%conduct due diligence of all their counterparties 39%Apply a risk-based approach and perform

a counterparty due diligence procedure in accordance with established criteria


Criteria triggering a counterparty due diligence

Type of services/products


Level of risk identified after the review of a counterparty’s questionnaire

contract value Area of activity/line of business of the counterparty’s company

Frequency of counterparty due diligence

65% 62% 50% 47%

Scope of due diligence checks in procurement


60%check the background of all parties involved in procurement,

23%check only the leading vendor (winner).

83%counterparty due diligence during procurement procedures,

of respondents perform

10% of respondents do not check counterparties at the procurement stage.

while

In total,of the surveyed companies

and

24



Counterparty assessment criteria

65%of respondents have established a set of formalized criteria to measure counterparty risk

93%

89%

85%

84%

81%

75%

73%

65%

65%

64%

57%

57%

55%

48%

40%

36%

31%

29%

2%

Date of incorporation and registered office (registration details)

Information on activities, necessary certifications

Pending insolvency proceedings against the counterparty

involvement of a counterparty in unresolved disputes or unsettled court cases related to business activities or legal and regulatory issues

Owners, ultimate beneficiaries and management, including business image and professional integrity

financial indicators

other defamatory or derogatory information published in mass media

Previous background of the counterparty-company relationship

Conflict of interest between the counterparty and the company

Owners, ultimate beneficiaries and management, including involvement in illegal/unethical activity, reported cases of involvement in corrupt and money laundering schemes

Inclusion of the counterparty/its key persons in national and international sanctions lists, blacklists of people and entities suspected of money laundering, terrorist financing and political exposure

Owners, ultimate beneficiaries and management, including ties with politicians or employment at state structures, leveraging of these relations or official position to promote personal business interests

information on instances of illegal or unethical business practices

counterparty’s reputation among national and international regulators and public authorities

materiality of a potential transaction for the counterparty

Participation in political activities (ties with well-known politicians and state institutions, the leveraging of such relations to promote personal business interests)

Owners, ultimate beneficiaries and management, including professional background, professional integrity and business interests

commercial references from other partners

other




Counterparty due diligence tools and techniques

80% internet search engines

information provided by the counterparty

databases with paid access (e.g., SPARK, Lexis Nexis, D&B)72%

71%

47%

31%

26%

4% other

security department sources

collection of testimonials and references in the market

external providers, including the outsourcing of due diligence work, providers of business intelligence services, detective agencies

Counterparty assessment tools


Special questionnaire form for initial assessment of counterparty risk

57%use questionnaires

2% use questionnaires only for certain counterparties (e.g., associated with high risk)

30%do not use questionnaires

1

2

3


26



Measures to minimize the risks identified in a counterparty due diligence

According to most respondents, the inclusion of special clauses in contracts and

agreements, i.e. an anti-corruption clause, is the most popular measure to mitigate counterparty risks (71%). In total, 44% of respondents prefer to include provisions on limiting the counterparty’s ability to act on behalf of the company.

In total 47% of the surveyed companies review and approve payments made to a counterparty – this tool is used to identify and prevent potential fraud and the transfer of funds through unfair business partners.

Another 20% of respondents rely on the monitoring of payments made by the counterparty acting on the company’s behalf – primarily to prevent corruption risks arising from the use of intermediaries to perform particular operations.

Less than half of the surveyed companies (40%) monitor particular counterparty’s activities in order to prevent and mitigate the associated risks – either by analyzing information on the activities of a business partner in public sources, or conducting field audits at the offices and production facilities of the counterparties.

47%review and approve payments made to the counterparty

20%rely on the monitoring of payments made by the counterparty acting on the company’s behalf


71%

47%

44%

40%

20%

20%

2%

10%

Incorporating specific provisions and clauses in contracts with counterparties (e.g., an anti-corruption clause)

review and approval of payments

limiting the counterparty’s ability to act on behalf of the company

ongoing monitoring of the counterparty’s activities

Regular certification and anti-corruption training courses

review of payments made by the counterparty acting on the company’s behalf

The company does not take any measures to mitigate the identified risks

other

Measures to mitigate the identified risks



Anti-corruPtion And right-to-Audit clAuses

An anti-corruption clause is an important tool in the compliance system and a standard clause

incorporated in almost every contract. It has been our experience that contracts are significantly less likely to include provisions for the

right to audit, which is confirmed by the results of our survey.

Incorporation of anti-corruption and right-to-audit clauses in contracts and agreements

10% Anti-corruption and right-to-audit clauses are incorporated in contracts at the request of a counterparty or selectively

9% Only an anti-corruption clause is incorporated in selected contracts

2% Only a right-to-audit clause is incorporated in all contracts

34% Both anti-corruption and right-to-audit clauses are incorporated in all contracts

22% Only an anti-corruption clause is incorporated in all contracts

17% Contracts include neither anti-corruption nor right-to-audit clauses

6% Other

Despite the incorporation of the right-to-audit clause in contracts and agreements, only 21% of all respondents executed the right to audit in their activities, of which 33% were pharmaceutical companies and 15% were companies operating in the automotive sector.

Right-to-audit clause

29%

21%

21%

15%

the company did not execute a right to audit clause and has no plans to execute it in the coming year

A right-to-audit clause is not incorporated in contracts

the company has audited its counterparty in the past two years

the company did not execute the right to audit, but is planning to audit its counterparty in the coming year


28



hotline

A survey on the company’s methods of reporting information on suspected compliance or ethics

violations has revealed that a hotline, along with internal audits and compliance checks, is one of

the most common practices used to identify such violations. In total 53% of respondents identify violations via a hotline. At the same time, 13% of respondents still have not set up a hotline at their companies.

How the compliance violations are detected

53%of respondents identify violations via a hotline

internal audits

compliance checks

hotline

security checks

internal control checks

external audits

whistleblowing

Automated it controls

reviews initiated by management

other

62%

54%

53%

37%

33%

30%

29%

27%

24%

2%




existing hotline chAnnels

30%

17% Special boxes installed in office spaces and production sites

13% No hotline to report a suspected compliance or ethics violation

78% E-mail

62%

48%

3% Other

2% Web portal

Telephone


one trend observed by KPmg at present, including in engagements involving the establishment and outsourcing of a hotline, is that soon, partially or totally, chatbots will be used as the primary hotline channel instead of calls and e-mail communications, while automatic speech recognition (ASR) technology will replace human resources, i.e. call center operators.

Post

hotline AdministrAtion

45% chose to manage their hotlines internally

27% outsource the hotline management to a third party

16% manage hotlines through combination of internal and third-party (outsourcing) resources

Note: Out of 87% respondents with established hotlines; 12% of respondents said they were not sure or did not know the answer to this question.

92% provide the opportunity of anonymous reporting to the hotline

Note: Out of 87% respondents with established hotlines

Chatbot

30



The ISO 37001 guidance notes that companies should inform personnel about violations of the reporting mechanism, including their related rights and confidentiality of communications, and also conduct training courses on reporting methods. For this purpose, our respondents most commonly rely on compliance and ethics-related trainings typically taken on an annual basis (73%) and publish information about the hotline on the internal corporate website (69%).

Building and raising awareness of the hotline

To measure the hotline performance, we asked our respondents to provide the overall number of reports collected via the hotline along with the quantity of relevant messages. The response rate for this question is 44%, where 17% of respondents say that only half of all reports are relevant, another 32% cite from 30% to 50% of relevant messages, and the other 34% – less than 30% of relevant messages.

73%

69%

51%

47%

35%

31%

31%

12%

5%

Hotline performance

17%more than 50%

of relevant reports

34%less than 30% of relevant messages

32% from 30% to 50% of relevant messages

Note: 17% of respondents mention no relevant messages.

51% measure performance of the hotline

Note: Out of 87% respondents with established hotlines; 27% of respondents said they were not sure or did not know the answer to this question. This is a multiple-choice question.

use internal control department resources25%use internal Audit department resources25%

use security department resources12%rely on external advisors8%

answered ‘other’8%

Measuring hotline performance

Note: Out of 87% respondents with established hotlines. This is a multiple-choice question.

training programs, which cover compliance and ethics-related issues, fraud and corruption prevention topics, typically taken on an annual basis

information about the hotline on the internal corporate website

Posters

e-mail campaign

Communications from top management (i.e., CEO)

Bulletins/brochures

newsletters

nothing

other



Key compliance challenges

The surveyed companies note the need for the automation of enterprise-wide (28%) and compliance-related (33%) business processes, and also an electronic approval

procedure for business processes (18%). These results once again confirm that automation of business processes is as relevant today for compliance teams as it has never been.

The most important and relevant challenge Compliance Departments are now facing is the proper understanding of the role and objectives of the compliance function by company employees (according to 36% of respondents).

36%

32



Key requirements of the compliance function


36%understanding of the role and objectives of the compliance function by company employees

35%Perception by staff members of the compliance role as an advisor, not an inspector

33%Automation of compliance-related business processes

33%methodological support of the compliance function

33%compliance professionals

28%enterprise-wide business process automation

24%support and assistance from senior management of the company

22%Professional development and certification for compliance staff

20%salaries and remuneration of the compliance team

20%Participation of the compliance staff in specialized trainings courses and seminars

20%management communications to all staff covering compliance-related issues, fraud and corruption prevention topics

18%Electronic document workflow and approvals for significant processes

10%Access to corporate accounting systems and data

6%other

4%Procurement and office supplies (premises, office appliances, machines and equipment, Internet access)

1%Access to documents (contracts, supporting documents)



Automation of business processes and the compliance functionBased on KPMG’s experience, business process automation will be driven by the following concerns:

A detailed description of automated processes and respective implementation algorithms, including exceptions, to support due performance of work.

A company has labor-intensive iterative processes, which use structured data.

Financial benefit of the process (the average market cost of a license is high; in some cases, the introduction of automation to a business will only prove cost-effective when two or more employees have been replaced). It is often the case that processes suitable for automation are cross-departmental, in other words, they are linked across two or more departments. To derive the maximum benefits from a license, a company should identify all possible iterative processes working with structured data, and prioritize them.

The results of this survey confirm the above statements and demonstrate that automation will largely affect business processes with numerous routine activities, such as:

Outgoing payments:

45% fully automated

33% partially automated

Contract negotiation and approval:

Receiving and handling hotline calls and messages:

Counterparty due diligence:

35% fully automated


16% fully automated


12% fully automated



34




In general, risky transactions go through a manual approval process, such as transactions beyond the framework of corporate policies and procedures (64%), the acceptance of gifts, corporate hospitality (59%), the giving of gifts (53%), charity and sponsorship (52%).

Lack of automation – key reasons

30%of respondents plan to automate their processes in the next three years.


40%

no need for automation, the process works as is

19% 8%

Lack of funds/financing for automation purposes

other


Approval of contracts with counterparties


outgoing payments

Atypical accounting adjustments

giving of gifts

hospitality expenses

Acceptance of gifts, corporate hospitality

Sponsorship and/or charity

Disclosure of conflicts of interest (including on an annual basis)

staff compliance training

development and updating of a risk matrix

Transactions beyond the framework of corporate policies and procedures (i.e., they are not outlined or contravene existing provisions of such policies and procedures)

receiving and handling hotline calls and messages, providing a feedback


Partially automated process Fully automated process Manual process Process does not exist/Don’t know

49% 12% 33% 6%

29% 35% 30% 6%

26% 9% 29% 36%

33% 45% 4% 18%

15% 11% 34% 40%

12% 5% 53% 30%

26% 13% 43% 18%

9% 3% 59% 29%

20% 7% 52% 21%

29% 9% 43% 19%

39% 9% 32% 20%

20% 1% 52% 27%

9% 3% 64% 24%

35% 16% 25% 24%

23% 3% 65% 9%



Appendix 1. Answers by countries

36



resPondents

Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

What industry sector does your company represent? (only one answer is possible)

Utilities and telecommunications 6 2 1 0

Oil & Gas 4 0 0 2

Pharmaceuticals 11 4 1 0

Innovation and Technology 3 0 0 0

Consumer goods 5 2 0 0

Metals & Mining 2 0 2 0

Transportation 3 0 2 1

Automotive 4 0 0 1

Media 0 0 0 0

Chemicals 4 1 0 0

Retail trade 1 1 0 0

Construction 3 1 0 1

Finance and investment 2 0 1 0

Services 1 1 0 0

Other 6 6 1 0

Priority comPliAnce AreAs

Answersru

ssia

ukra

ine

Kaza

khst

an

Azer

baija

nWhich of the following compliance areas does your company recognize as a priority? (Multiple choice question)

Anti-corruption and ethics compliance 50 15 8 3

Occupational health & safety (OHS) compliance 19 9 4 1

Environmental compliance 17 9 3 1

Antitrust compliance 34 8 1 0

Human rights compliance in the workplace 14 7 3 2

Compliance related to the protection of personal data 36 10 3 3

Compliance related to the protection of confidential information 29 12 5 3

Preventing insider trading and market manipulation 17 6 2 0

Compliance with trade sanctions 22 6 0 0

Anti-money laundering and counter-terrorism financing 20 8 1 4

Compliance in marketing and advertising 19 7 1 0

Other 3 0 0 0

Don’t know/Not sure 0 1 0 1



Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

Which of the following provisions of anti-corruption legislation apply to your company? (Multiple choice question)

Local/national anti-corruption laws and regulations 55 16 6 4

Foreign Corrupt Practices Act (USA) 24 12 3 2

UK Bribery Act 26 8 4 0

Sapin II French Anti-Corruption Law, 2016 4 1 0 0

The provisions of anti-corruption laws and regulations are not applicable to our company 1 1 0 1

Other 4 0 0 0

Does your company perform a compliance risk assessment? (Multiple choice question)

Yes, on an annual basis 25 7 5 0

Yes, on a quarterly basis 13 4 1 0

Yes, on an ‘as-needed’ basis 21 4 1 4

Compliance risk assessment is not performed 4 3 1 1

Other 2 0 0 0

Does the company have a compliance risk matrix/map? (Only one answer is possible)

Yes, the company has a separate risk matrix/map 21 7 1 0

The company has a general risk map that, among other things, covers compliance risks 20 2 5 2

The company does not have a compliance risk matrix/map 13 6 2 3


Does the company have an established methodology to identify and assess the corruption risk? (Only one answer is possible)

Yes, the company has an established and approved methodology 16 6 2 0

Yes, such methodology is in place, but it is not formalized (i.e. it is not documented in the company's internal regulations) 15 4 2 0

No methodology 16 5 3 5


Other 3 1 1 0

orgAnizAtion of the comPliAnce function

Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

How mature is your compliance function? Please specify length of time in years (Only one answer is possible)

Less than a year 3 0 3 0

1–3 years 18 9 4 1

3–10 years 22 9 1 1

More than 10 years 9 0 0 1

Don’t know 3 0 0 2

The compliance function in your company – is it a separate business unit/department? (Only one answer is possible)

Yes 26 6 5 2

No 29 12 3 3

38



Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

In terms of administrative subordination, who does the compliance officer/department report to? (nly one answer is possible)

Only Board of Directors and/or Board committees 1 3 3 0

CEO 28 9 3 3

Vice President/Department Director/Division Manager 14 3 2 0

Head of Department 0 0 0 0

Other 10 2 0 2


Specify the team size of your Compliance Department (Only one answer is possible)

1 employee 5 1 1 1

2–5 employees 13 4 4 1

6–10 employees 3 0 0 0

More than 10 employees 5 1 0 0

Annual budget of the compliance function – how much do you spend? (Only one answer is possible)

Up to USD 50,000 11 4 3 1

USD 50,000–167,000 4 0 0 0

USD 167,000–833,000 3 0 0 0

More than USD 833,00 2 1 0 0


Who receives the reporting on the performance of the compliance function? (Multiple choice question)

The Board of Directors 22 2 4 0

President/CEO 37 8 0 3

Vice President (Vice Presidents) / Deputy CEO (CEOs) responsible for separate line of business 13 0 4 0

Management of the parent company 16 7 1 0

Reporting is prepared for internal use and compliance function only (is not submitted to the company's management) 3 1 3 0

No reporting is prepared in this respect 2 3 0 2

Other 3 2 2 0

What is the frequency of compliance reporting (reporting cycle)? (Only one answer is possible)

On a monthly/quarterly basis 23 5 3 0

Twice a year 5 0 1 0

At least once a year 9 5 0 1

At least once every two years 1 0 1 0

Further to a request from management 11 3 2 2

Other 2 0 0 1


No formalized reports 1 0 0 0



orgAnizAtion of the comPliAnce function

Compliance role in a company’s business processes (Multiple choice question)




major deals

m&A






sponsorship




development of risk matrix and keeping it up to date



russiA uKrAine

19 30 26 6 4

6 36 18 11 2

1 13 13 25 10

6 29 16 15 4

2 19 11 13 17

2 12 11 27 10

3 25 17 5 15

7 24 23 12 9

8 21 22 14 8

5 26 19 11 10

3 24 17 11 11

23 25 27 2 8

42 12 13 5 7

45 10 12 2 6

32 21 15 7 6

28 12 16 8 10

34 17 17 4 7

5 12 11 1

3 9 9 3

3 5 5 7

2 11 11 3

1 6 7 2 7

1 2 3 7 6

2 8 6 1 7

3 7 9 2 4

2 5 9 3 4

3 10 7 3 4

2 9 6 4 5

3 12 12 4 1

12 5 3 3 3

14 5 2 1 3

11 6 4 3 3

7 3 5 6 3

11 5 7 3 2



40






major deals

m&A






sponsorship




development of risk matrix and keeping it up to date



KAzAKhstAn AzerbAijAn

2 1 2 3 1

2 5 1 1

1 1 3 3

2 2 3 1

1 2 5

1 4 3

3 2 2 2

2 3 2 2

2 4 2 2

3 4 2 2

3 4 2 2

2 2 5 1 1

5 1 4 3

6 1 2 2

3 4 3 1

5 1 2 2

6 2 3 -

3 2 1

2 5

1 3 2 1

2 5 2

1 1 3

2 1 1 2

2 3 2

1 2 2 1

2 2 1

1 1 1 2

1 2 2 1

2 3 1 1

2 1 2

2 1 2

2 2 1 2

1 1 3

1 1 3





monitoring And control

Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

What kind of data source does the Compliance Department/responsible person in your company use to monitor processes? (Multiple choice question)

For monitoring purposes, the Compliance Department requests the necessary information from authorized employees, with no access to relevant accounting systems on an anytime basis

36 1 5 3

The Compliance Department may access and download data from the necessary accounting systems 30 3 4 0

The company has an established algorithm for detecting risky transactions and, when identified, the Compliance Department receives a notification

6 2 2 1

Other 5 0 0 1


How is the Compliance Department/responsible person notified of risky transactions (when identified)? (Multiple choice question)

Automatically generated notifications are emailed to the Compliance Department 6 1 0 0

Automatically generated notifications are delivered to a special platform accessible to the Compliance Department 3 1 1 0

Risk communication messages from employees are received orally or via e-mail/hotline 46 6 8 4

Other 9 0 0 1


identificAtion of conflicts of interest

Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

What is the company’s approach to managing a conflict of interest? (Multiple choice question)

All staff members are required to disclose annually all possible and potential conflicts of interest and must complete a respective conflict of interest form

8 3 1 0

Employees in leadership roles and at a senior management are required to complete annually a declaration disclosing the existence/absence of any conflicts of interest

17 2 4 0

Staff members in positions subject to a high risk of fraud and corruption are required to complete annually a declaration disclosing the existence/absence of any conflicts of interest

8 2 2 0

New staff members are required to disclose any conflicts of interest at the time of their recruitment 30 9 6 0

Staff members reassigned to a different position or transferred to another department are required to disclose any conflicts of interest

12 2 1 0

The company periodically monitors conflicts of interest using in-house resources or engaging external advisors 19 7 3 3

Staff members must disclose any conflict of interest when it arises 37 0 3 1

Other 1 0 0 1


42



counterPArty due diligence

Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

Who is responsible for the counterparty due diligence at your company? (Only one answer is possible)

Employee of the business unit, which intends to sign a contract with a counterparty 16 4 1 2

Legal Department 6 5 1 1

Security Department 20 6 1 0

Finance/Accounting Department 2 1 0 1

Employee responsible for risk management 0 1 0 0

Employee responsible for compliance 5 0 2 0


Other 5 1 3 0

How often do you perform a counterparty due diligence at your company? (Only one answer is possible)

Perform only initial due diligence 17 7 4 3

More than once a year 4 3 0 0

Once every 1-3 years 25 4 1 1

Less than once every three years 3 1 0 0


Other 2 2 2 0

Who is covered in a counterparty due diligence? (Only one answer is possible)

The company checks the background of all counterparties 33 12 3 2

The company performs a counterparty due diligence procedure in accordance with established criteria 20 6 3 3


Does the company have a set of certain formalized criteria to measure counterparty risk? (Only one answer is possible)

Yes 39 10 3 3

The company has not yet established a set of formalized criteria to measure identified risks; a decision on the risk level is made on a case-by-case basis

14 7 4 2


Other 0 1 1 0

At the stage of supplier selection (prior to concluding/signing a contract), who is covered during the counterparty due diligence procedure? (Only one answer is possible)

Leading vendor (winner) of the competitive procurement procedure 13 6 1 0

All participants in the competitive procurement procedure 33 10 4 4

Counterparty due diligence is not carried out at this stage 5 1 3 0




Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

Which of the following details (information) are reviewed as part of the counterparty due diligence? (Multiple choice question)

Date of incorporation and registered office (registration details) 53 16 8 3

Information on the activities, necessary certifications 50 15 7 4

Owners, ultimate beneficiaries and management, including business image and professional integrity 47 17 3 3

Owners, ultimate beneficiaries and management, including professional background, professional integrity and business interests

25 0 3 0

Owners, ultimate beneficiaries and management, including involvement in illegal/unethical activity, reported instances of involvement in corrupt and money laundering schemes

38 13 4 1

Owners, ultimate beneficiaries and management, including ties with politicians or employment at state structures, the leveraging of such relations or official position to promote personal business interests

31 13 4 1

Financial indicators 46 12 5 1

Counterparty's reputation among national and international regulators and public authorities 27 8 4 2

Information on instances of illegal or unethical business practice 33 9 3 2

Inclusion of the counterparty/key persons in national and international sanctions lists, blacklists of individuals and entities suspected of money laundering, the financing of terrorism and political connections

34 11 3 1

Involvement of a counterparty in unresolved disputes or unsettled court cases related to business activities or legal and regulatory issues

49 15 6 2

Pending insolvency proceedings against the counterparty 51 15 5 2

Participation in political activities (ties with well-known politicians and state institutions, the leveraging of such relations to promote personal business interests)

18 9 3 1

Other defamatory or derogatory information published in the mass media 40 15 5 2

Conflict of interests between the counterparty and the company 37 12 6 2

Materiality of potential transactions for the counterparty 26 6 2 1

Previous background of the counterparty-company relationship 39 9 5 3

Commercial references from other partners 15 6 2 1

Other 1 0 1 0


What criteria are used to identify the need to undertake a counterparty due diligence? (Multiple choice question)

Level of risk identified at the time of the review of the counterparty’s questionnaire 13 3 0 1

Area of activity/line of business of the counterparty's company 10 4 1 1

Type of services/products under the contemplated contract 15 4 1 1

Contract value 15 1 2 1


Specify the sources of information used by the company for the counterparty due diligence purposes (Multiple choice question)

Internet search engines 44 14 7 5

Databases with paid access (e.g., SPARK, Lexis Nexis, D&B) 52 9 2 0

Information provided by the counterparty 45 9 5 4

Collecting testimonials and references in the market 16 6 1 4

Detective agencies 2 1 0 0

Security Department sources 30 8 1 2

Third-party providers of counterparty due diligence work (outsourcing) 10 5 1 1

Providers of business intelligence services 3 0 0 0

Other 2 1 0 0

44



Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

Do you use the questionnaire completed by the counterparty as the first step to assess associated risks? (Only one answer is possible)

Yes 34 7 6 3

No 14 8 2 1


Other 1 1 0 0

Which of the following measures does your company take to mitigate the risks identified in a counterparty due diligence? (Multiple choice question)

Incorporation of specific provisions and clauses in contracts with counterparties (e.g. the anti-corruption clause) 42 13 5 1

Limitations on the counterparty's ability to act on behalf of the company 25 7 3 3

Ongoing monitoring of the counterparty's activities 21 9 3 2

Regular certification and anti-corruption training courses 12 3 1 0

Review and approval of payments made to the counterparty 27 7 3 3

Review of payments made by the counterparty acting on the company's behalf 12 2 1 2

The company does not take any measures to mitigate the identified risks 2 0 0 0

Other 4 4 1 0

Anti-corruPtion And right-to-Audit clAuses

Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

The company contracts, do they include anti-corruption and right-to-audit clauses? (Only one answer is possible)

Yes, both anti-corruption and right-to-audit clauses are included in all contracts 19 8 2 0

Yes, anti-corruption and right-to-audit clauses are included in contracts further to the request of the counterparty or selectively

7 1 1 0

Only an anti-corruption clause is incorporated in all contracts 13 3 3 1

Only a right-to-audit clause is incorporated in all contracts 1 0 0 1

Only an anti-corruption clause is incorporated in selected contracts 6 2 0 0

Only a right-to-audit clause is incorporated in selected contracts 1 0 0 0

No, the contracts include neither anti-corruption nor right-to-audit clauses 7 3 2 3

Other 1 1 0 0

Has your company ever conducted a counterparty audit pursuant to the right-to-audit clause? (Only one answer is possible)

A right-to-audit clause is not incorporated in contracts 13 3 2 0

Yes, the company has audited its counterparty in the past two years 13 4 0 1

No, the company did not execute the right to audit, but plans to audit its counterparty in the coming year 8 3 4 0

No, the company did not execute the right to audit and has no plans to execute it in the coming year 14 5 2 3




hotline

Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

Which of the following are the most effective ways to identify violations at your company? (Multiple choice question)

Hotline 31 8 4 1

Internal audits 34 11 6 2

External audits 17 2 5 3

Internal control checks 17 5 3 3

Compliance checks 30 10 4 3

Security Department checks 22 5 3 2

Reviews initiated by management 11 5 2 3

Tip 17 4 3 0

Automated IT controls 15 6 1 2

Other 1 1 0 0

Which of the following hotline channels are used to report a suspected compliance or ethics violation at your company? (Multiple choice question)

There is no hotline to report a suspected compliance or ethics violation 3 4 2 3

Telephone 35 12 4 2

E-mail 48 14 5 1

Web portal 30 7 3 0

Post 19 4 2 1

Special boxes installed in office spaces and production sites 11 3 1 0

Chatbot 1 0 0 1

Other 3 0 0 0

Do you engage any third-parties providers to administer the hotline, or use in-house resources? (Only one answer is possible)

The hotline is managed internally 25 4 3 1

The hotline is outsourced to a third-party 9 6 2 1

The company manages its hotline through combination of internal and third-party (outsourcing) resources 9 1 1 0


Other 1 1 0 0

Does your company provide the opportunity for anonymous reporting to the hotline? (Only one answer is possible)

Yes 49 11 6 2

No 3 3 0 0

46



Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

Which of the following tools and techniques does your company use to build and raise awareness of its hotline? (Multiple choice question)

Training programs, which cover compliance and ethics-related issues, fraud and corruption prevention topics, typically taken on an annual basis

35 12 5 0

E-mail campaign 23 8 1 0

Bulk messaging (SMS) 1 0 0 0

Newsletters 17 3 1 0

Information about the hotline on the internal corporate website 39 7 4 0

Posters 25 7 3 1

Bulletins/brochures 15 4 2 0

Communications from top management (i.e., CEO) 21 3 1 0

Financial incentives for the reported information 1 0 0 0

Nothing 6 1 1 1

Other 1 1 0 0

Specify the rate of relevant reports on suspected compliance or ethics violation collected via the hotline in the previous 12 months (Only one answer is possible)

More than 50% of the relevant messages 4 1 1 -

30-50% of the relevant messages 9 2 - -

Less than 30% of the relevant messages 7 3 - -


Other 3 2 1 0

Does the company assess the hotline performance on a regular basis? (Multiple choice question)

Yes, using Internal Control Department resources 14 3 2 0

Yes, using Internal Audit Department resources 14 3 1 0

Yes, using Security Department resources 7 1 0 0

Yes, through external advisors 4 1 1 0

No 12 1 1 2


Other 2 3 1 0



Key comPliAnce chAllenges

Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

In your opinion, what does the compliance function at your company lack at present? (Multiple choice question)

Compliance professionals 14 6 4 3

Communications from the company’s management to all staff covering compliance-related issues, fraud and corruption prevention topics

13 3 2 0

Support and assistance from the company's top management 16 3 0 1

Methodological support of the compliance function 17 4 4 3

Professional development and certification for the compliance staff 11 4 1 2

Participation of compliance team members in specialized trainings and seminars 6 6 2 2

Salaries and remuneration of the compliance team 10 6 1 0

Procurement and office supplies (premises, office appliances, machines and equipment, Internet access) 2 1 0 1

Access to corporate accounting systems and data 7 1 0 1

Electronic document workflow and approval procedures covering all material processes 10 4 2 0

Access to documents (contracts, supporting documents) 1 0 0 0

Enterprise-wide business process automation 14 4 3 3

Automation of compliance-related business process 19 4 2 3

Employee perception of the compliance role as an advisor, and not as an inspector/auditor 17 7 3 2

Understanding of the role and objectives of the compliance function by company employees 19 6 3 2

Other 3 2 0 0

Don’t know 8 4 0 0

48



AutomAtion of business Processes And comPliAnce functions

Answers

russ

ia

ukra

ine

Kaza

khst

an

Azer

baija

n

What are the main reasons for the lack of automation? (Multiple choice question)

No need for automation, the current process works OK 23 7 3 3

Lack of financing for automation 14 1 1 1

Process automation is expected in the next three years 14 6 5 1

Other 4 3 1 0







outgoing payments


giving of gifts






development and updating of risk matrix





8 29 17 1

21 21 12 1

6 17 14 18

27 16 2 10

6 9 21 19

1 8 34 12

11 13 24 7

7 36 12

3 12 28 12

5 18 25 7

4 25 18 8

12 33 10

2 6 34 13

5 25 16 9

1 14 35 5

2 11 5

6 5 7

1 3 8 6

8 8 2

2 3 5 8

2 3 5 8

1 7 5 5

2 1 8 7

1 5 10 2

2 5 7 4

3 6 5 4

3 7 8

1 14 3

6 2 3 7

1 3 14

russiA uKrAine


50






outgoing payments


giving of gifts










3 2 3

2 3 3

1 7

3 1 1 3

1 1 6

1 2 5

1 4 3

1 2 5

1 1 3 3

1 1 2 4

1 2 2 3

1 1 3 3

1 4 3

2 2 1 3

1 1 4 2

4 1

1 3 1

1 3 1

1 2 1 1

1 2 2

4 1

4 1

4 1

4 1

3 2

1 2 2

1 1 3

3 2

1 1 3

3 2




outgoing payments


giving of gifts










KAzAKhstAn AzerbAijAn




ContactsIgor LebedevRisk ConsultingKPMG in Russia and the CISPartner

T: +7 495 937 4477 E: [email protected]

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2018 KPMG. KPMG refers to JSC “KPMG”, “KPMG Tax and Advisory” LLC, companies incorporated under the Laws of the Russian Federation, and KPMG Limited, a company incorporated under The Companies (Guernsey) Law, as amended in 2008. All rights reserved.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

kpmg.ru kpmg.com/app

Veronika IvanovaRisk consultingKPMG in Russia and the CISSenior Manager


Irina BurdikovaRisk ConsultingKPMG in Russia and the CISDirector


Liubov MartynovaRisk ConsultingKPMG in Russia and the CISDirector


Documents

Compliance in the CIS: Key Challenges & Automation · 2020-07-25 · KPMG presents its second annual survey on the priorities of CIS companies to develop their compliance function