Our internal control system is designed to provide reasonable assurance in safeguarding our assets, preventing and detecting frauds and irregularities, providing reliable financial information as well as ensuring compliance with applicable law and regulations. The system is designed to manage, rather than eliminate, the risk of failure to achieve our business objectives, and it aims to provide a reasonable, as opposed to an absolute, assurance in this respect.
Our board acknowledges its overall responsibilities to establish, maintain, and review the effectiveness of our internal control system to ensure our shareholders’ investment and assets are safeguarded on the one hand, and to enhance operational efficiency and effectiveness, promote corporate governance and ensure proper implementation of risk assessment and risk management measures on the other hand.
Our management is responsible for designing and implementing the internal control system of Alibaba.com to achieve the
abovementioned objectives. Our management delegates to our internal control department responsibility of strengthening our internal control system in respect of financial reporting and regulatory compliance. Our internal control department also helps management to improve our existing business processes to achieve higher operational efficiency and effectiveness. In addition, our management monitors the effectiveness of our internal controls through control self assessment. In 2010, we revised and improved our internal control manuals. The revision and improvement were made to reflect the changes in our organizational structure, the emerging new product lines and the inclusion of new control procedures relating to our website operation, online transaction management, anti-fraud management, customer service and training.
Note: CP denotes a code provision and RBP denotes a recommendated best practice
We firmly believe that a sound control environment stems from having the right tone at the top together with concerted action from our senior management. Therefore, we adopted a code of business conduct that applies to all our directors, officers and employees.
All directors, officers and employees, whether existing or newly joined, are required to read and sign off to confirm their commitment to abide by this code of conduct and behave in accordance with our policies, guidelines and procedures. We have also continued to improve our internal reporting system which encourages our staff to report situations where employees, including directors and senior management, may be in breach of our rules.
Processes Applied for Review of Internal Control System
Under its terms of reference, our audit committee performs review of our internal control system covering financial, operational and compliance controls and risk management procedures. Regular communications are maintained among our board, audit committee, management and internal control department to address various areas of our internal control system. Also, our internal audit team, which reports directly to the audit committee, provides independent assessment as to the existence and effectiveness of our internal control system, mainly through conducting the annual internal audit, validation of our control self assessment results and audit on various operational projects.
We have adopted the Committee of Sponsoring Organizations of the Treadway Commission (COSO) – Internal Control Framework as the standard for the internal control assessment with the internal control testing guidelines directed by the Audit Standard No. 5 issued by the Public Company Accounting Oversight Board. Our internal control assessment is conducted by our management who are directly involved in business function, and the independent validation assessment is conducted by our internal audit team. In accordance with the Alibaba.com Control Self-Assessment Guidelines, our management monitors and evaluates the effectiveness of our internal controls through control self assessment. These Guidelines provide appropriate assessment procedures which are in compliance with the relevant requirements.
With our internal control department’s coordination, management conducted internal control documentation update, key control rationalization, self-assessment on all significant cycles and analysis on the impact of deficiencies in internal control. These actions were based on an independent risk assessment provided by our internal audit team which also validate the results on our control self assessment. Quarterly reports on the results of the assessment will be submitted to our senior management and our audit committee.
Our management will rectify any deficiencies found in the assessment.
The control self assessment program has helped enhance our management’s awareness and competency in monitoring controls. Since we have started this practice in the beginning of 2009, we have now established a virtual team that consists of 140 control assessment personnel, of which 70% are from operating and IT departments, and 30% are from financial and legal departments.
While our established control self assessment program provides assurance on key financial data and operating effectiveness, our internal audit team also performs in-depth operation reviews to identify potential improvements which may provide better customer experiences as well as enhanced management efficiency. In order to provide feasible solutions to management, our internal audit team analyzes the associated risks and resources and communicates the result thoroughly with management.
Annual Review of Effectiveness
Internal investigation on intrusion of fraud on our international marketplace
As disclosed in our announcement dated February 21, 2011, an internal investigation led by our independent non-executive director, KWAN Ming Sang, Savio, with the assistance of our internal audit team, came to the following preliminary findings:
• A total of 1,219 and 1,107 China Gold Supplier customers who signed up in 2009 and 2010 respectively had engaged in fraudulent acts against our buyers and we had terminated all the storefronts of these suppliers.
• About 100 sales people (out of a field sales force of about 5,000) as well as a number of supervisors and sales managers were
58 CORPORATE GOVERNANCE REPORT
Alibaba.com Limited Annual Report 2010
Our assessment in light of this internal investigation
When assessing the effectiveness and adequacy of internal control at the year end, our board took into account the following key considerations and measures taken by us in so far as prevention and detection of fraudulent China Gold Suppliers are concerned:
• A blacklist policy in respect of fraudulent suppliers has been adopted since February 2008, and a team of quality control personnel were designated to regularly investigate and follow up fraud-related cases arising from China Gold Suppliers with buyers.
• Our salespeople were required to conduct periodic personal visits to customers and understand their businesses and operations before a contract is entered into and during the contracted service period. A blacklist checking mechanism as well as an independent third party verification on business registration and authorization of company representative have also been in place.
• In 2008, a special task force was established to focus on tackling fraudulent China Gold Suppliers on our marketplace. Certain detective control measures, including the development of a fraud detection model and monitoring system and an internal fraud reporting system on suspected suppliers, were adopted. These measures became effective as we were able to identify fraudulent activities more systematically and efficiently for us to shut down the storefronts of the fraudulent suppliers when they were identified.
• Following the noticeable increase of fraud claims in late 2009, management has made good faith efforts to address the problem by continuing to strengthen the detection and monitoring system and has taken immediate action against fraudulent suppliers. There have also been periodic alerts to the sales management and website operating management on cases of fraudulent suppliers.
• There has been regular reporting to the audit committee on cases of fraud and misconduct committed by employees.
As a result of the above detection measures, we were able to identify and terminated more than 2,300 fraudulent China Gold Suppliers on our international marketplace in 2009 and 2010. We consider our internal control system in terms of fraud detection were effective on the whole, although there were flaws in terms of fraud prevention.
Effective internal control over financial reporting calls for a combination of preventive and detective controls. Due to the effectiveness of our detective controls on fraud, the fraudulent activities and our reaction to them have already been appropriately provided for in the relevant reported financial periods, and there was no material financial impact on our Company for the respective financial periods arising from this internal investigation.
Conclusion on effectiveness
In respect of 2010, our board, through our audit committee as well as by the directors themselves, has reviewed the effectiveness of our Group’s internal control system, covering all material financial, operational and compliance controls and risk management functions.
In assessing the effectiveness of such internal control system, our board has considered all the relevant control processes and measures that our Group has adopted, as well as any deficiencies highlighted by the internal investigation described above. Our board is generally satisfied that our Group’s internal control system was effective. Our board is also satisfied with the adequacy of resources, qualifications and experience of staff of our accounting and financial reporting function, and their training programs and budget.
Additional Information
Processes and actions taken and being taken to enhance a safe and trustworthy marketplace and integrity of employees Fraud exists in many businesses to a certain degree, even businesses that have world class controls and systems. Moreover, in the area of e-commerce in particular, sophisticated and determined fraudsters are always thinking of new ways to get around whatever controls and systems are in place. Nevertheless, we recognize that there will be further improvements and measures that we can adopt to prevent the fraudulent activities in the future and to promote the trust and safety of our marketplace in the long term. For example:
• Through data mining we will continue to identify additional suppliers who we believe to have a high risk of fraud and we will shut down their storefronts on our marketplaces.
• Deeper supplier background checks and verifications will significantly enhance barriers to entry for criminals.
• More training on safety practices will be provided to our buyers and sellers to encourage them to conduct full due-diligence on any company before entering into a transaction, which is essentially the same practice for any business to be safely conducted offline.
Our management is dedicated to maintaining a safe and trustworthy marketplace. We will timely review our policies and enforcement efforts to help maintain high standards.
Upholding Alibaba values is something that our Company takes absolutely seriously because our management believes our values are fundamental to our long-term success. We will revamp the human resources management processes and policies, including the recruitment process, training process, incentive and performance review process, as well as the sales management structure in order to ensure proper checks and balances, and to align incentive towards building long-term customer value.
Integrity of our employees
One of our most important values is Integrity, which covers the integrity of both our employees and our online marketplaces as trusted and safe places for our small business customers.
Although the investigation described above in relation to fraudulent suppliers on our marketplace did not create any direct material financial impact on us, nor was any senior management involved and we have been making good faith efforts to address the problem, our former chief executive officer and chief operating officer rendered their resignations to take the ultimate responsibility for not being able to uphold our value system. Their resignations have delivered a very clear and strong message that we will not tolerate any behavior that compromises our culture, values or principles.
Additional process applied for identifying, evaluating and managing the significant risks faced
Operation and emerging risks were brought to our audit committee through corporate governance meetings in addition to the regular audit committee meetings. Audit committee members are invited to comment on the agenda and may submit proposals for inclusion into the agenda for consideration.
In 2010, we organized three corporate governance meetings for members of our audit committee with a view to enhancing their understanding of our Company’s new strategy and business risks faced. Topics covered, among other areas, customer service, insurance coverage, technology and intellectual property were presented in these meetings for review and discussions.
As an oversight of our internal control procedures, our audit committee also considers the findings of major investigations on internal control matters as delegated by our board, on our management’s invitation or on its own initiative. For example, in mid-January 2011, one of our independent non-executive directors, KWAN Ming Sang, Savio, with the assistance of our internal audit team, formed a special task force and conducted an internal investigation to identify the circumstances and root causes leading to the existence of fraudulent suppliers on our marketplace, and proposed recommendations for improvement in our operations to our management.
Internal Audit Function
Our internal audit team formulates the annual internal audit plan based on a top-down risk based approach to ensure the projects are aligned with our corporate strategies and objectives. Audit results are reported to our audit committee and senior management. Our internal audit team also performs remediation reviews to ensure outstanding issues are properly addressed. In addition, it maintains regular communications with our external auditors so that both parties are aware of the significant factors that may affect their
respective scopes of work. We will continue to have an internal audit team which provides independent assessment on the existence and effectiveness of our internal control system, mainly through conducting annual internal audit and audit on various operational projects.