By Robert Tie, CFE
Fraud Magazine recently spoke with veteran CFEs Ján Lalka in the Czech Republic, Jonathan T. Marks in the U.S., and Sean McAuley in Scotland about how fraud examiners can help organizations develop secure, workable whistleblowing programs. This article explains why they’re essential and, in some cases, a matter of life and death.
“Rat” and “snitch” are among the terms Thesaurus.com offers as synonyms for “whistleblower.” The other 13 are just as negative; not even one is neutral, much less positive. It’s the kind of uniform disapproval you’d expect in synonyms for “villain.” And these aren’t just words in a book; they’re manifestations of beliefs that incite and legitimize retaliation for perceived breaches of trust.
So, when someone in a position of authority characterizes whistleblowing as treachery, it unleashes powerful forces that coerce all but the most determined individuals into silence. Blowing the whistle truthfully is no defense when you’re marked as a traitor. Those brave enough to speak out sometimes pay for it with their lives.
Witness the fate of Daphne Caruana Galizia, the Maltese investigative journalist assassinated by an unidentified car-bomber. (See Malta Car Bomb Kills Panama Papers Journalist by Juliette Garside, The Guardian, Oct. 16, 2017.) “The situation is desperate,” Caruana Galizia wrote on “Running Commentary,” her anti-corruption blog, an hour before being blown to bits.
Only four months earlier, Facebook had closed the user account of Malta’s national trade union chief for inciting his followers to demand that critics of the government be stoned in public. The same official serves as an advisor to the prime minister’s cabinet. For years, whistleblowers in Malta — who had no other way to expose fraud — told Caruana Galizia about foreign and domestic politicians, executives, and organized criminals engaging in bribery, tax evasion, and money laundering, which she then reported in her blog.
According to a Nov. 25, 2017, article by Tom Kingston in The Times of London, a whistleblowing private banker in Malta had leaked to Caruana Galizia information about a secret Panamanian bank account through which the prime minister received bribes from foreign rulers.
In 2015, 11 million documents, leaked from Panamanian law firm Mossack Fonseca, described 200,000 shell companies the firm formed to hide the wealth of powerful figures worldwide. Among those holding such accounts were Malta’s energy minister and the prime minister’s chief of staff, who claimed their deposits were legitimate and unrelated to their boss. Nevertheless, the possibility that the various Maltese accounts were illicitly connected was a red flag too bright to leave unexamined. So, Caruana Galizia reported the whistleblower’s allegation on her blog, and the prime minister threatened to sue for libel. But before any legal action could materialize, Caruana Galizia was murdered, and the whistleblower fled to England, where she told The Times, “If I go back to Malta now, I will not be alive for very long.”
Some might consider Malta — a member of the European Union since 2004 — an outlier in a supranational group widely regarded as the world’s most progressive governmental entity. But the power elite in other EU nations also threatens the press and the whistleblowers it gives voice to. For example, Miloš Zeman is president of the Czech Republic, which joined the EU with neighboring Slovakia when Malta did. Speaking at a press briefing in Prague four days after Caruana Galizia’s murder, he smilingly brandished an imitation assault rifle. On its stock were inscribed the Czech words for “At journalists.” (See Czech president waves mock rifle ‘at journalists’ during a news conference, Rick Noack, The Washington Post, Oct. 23, 2017.)
The Post also reported that Zeman had told Russian President Vladimir Putin that there was a “need to liquidate journalists.” However, he later backtracked on his comment after his critics pointed to accusations that the Russian government could be behind reporters’ murders. Regardless, such incitements — despite their occasional joking tone — understandably inhibit the press and whistleblowers. That, of course, is their purpose.
Corruption in Central Europe
“Whistleblowing meant reporting anyone who criticized the government.” — Ján Lalka, CFE, founder and managing director, Surveilligence.
“People in government here have great power,” says Ján Lalka, CFE, founder and managing director of Surveilligence, a financial crime investigative agency with offices in Prague, Czech Republic and Bratislava, Slovakia. With 14 years of fraud-fighting experience in the region, Lalka understands corruption as only a native can. “Everyone sees a lot of dishonesty at the top, but they don’t know who’d be better,” he says. “In Slovakia, things would improve if we had independent media, police who have permission and the ability to investigate serious fraud, unbiased prosecutors and judges who aren’t corrupt — but major scandals indicate that we don’t. It strongly discourages whistleblowing.”
The EU exerts pressure on member states that violate its Charter of Fundamental Rights, which guarantees dignity, freedom, equality, solidarity, citizens’ rights, and justice. Unfortunately, the EU has little prosecutorial power over its sovereign nations. (See the “Background” section.) And that makes it hard to reduce corruption where the government commits or permits it.
Some nations fare better
Elsewhere, countries with a longer history of democracy encourage whistleblowers to come forward. Businesses that neglect signs of fraud usually pay the price when it comes to light. Excuses generally don’t protect them from fines or even prosecution. So, not being hostile to whistleblowers isn’t enough; businesses must actively support them. That means giving employees, suppliers, and others good reason to believe that trustworthy company officials will maintain whistleblowers’ confidentiality, promptly investigate their reports and take action as necessary, including notifying law enforcement where appropriate.
“Transparency and swift response are key elements in an effective whistleblowing program,” says Jonathan T. Marks, CFE, CFF, CPA, partner, and leader of the global fraud and forensic investigations and compliance practice at Baker Tilly US LLP, a global public accounting and advisory services firm.
With more than three decades of experience investigating corruption and other fraud, Marks took particular note of the 2015 directive then-U.S. Deputy Attorney General Sally Yates issued to U.S. attorneys on investigating corporate misconduct.
“Known simply as ‘the Yates memo,’ ” Marks says, “it instructed federal attorneys to prosecute individual executives who knew or should have known of wrongdoing but failed to disclose all relevant facts to the government, regardless of whom they implicate.”
Yates wrote, “To be eligible for any cooperation credit, corporations must provide to the Department [of Justice] [DOJ] all relevant facts about the individuals involved in corporate misconduct. … Companies cannot pick and choose which facts to disclose. … If a company seeking cooperation credit declines to learn of such facts or to provide the Department with complete factual information about individual wrongdoers, its cooperation will not be considered a mitigating factor pursuant to USAM 9-28.700 et seq.” [The U.S. Attorney’s Manual specifies the criteria DOJ uses to measure a company’s cooperation for consideration in sentencing and the levying of fines (Principles of Federal Prosecution of Business Organizations, section 9-28.700, The Value of Cooperation).]
Also, provisions in the Dodd-Frank Act (pages 5ff) and the Sarbanes-Oxley Act (section 1107) prohibit organizations from retaliating against whistleblowers or employees whose duties relate to whistleblower support. Yet, as this issue of Fraud Magazine went to press, the U.S. Supreme Court was about to render its verdict in Digital Realty Trust, Inc. v. Somers, whose outcome might narrow certain whistleblowers’ protection from employer retaliation. At issue is whether Dodd-Frank applies to persons who’ve reported fraud other than to the Securities and Exchange Commission (SEC). The court’s verdict won’t affect whistleblowers who file their complaints directly with the SEC.
“Companies that ignore these laws do so at their peril,” Marks says. But many CFEs wonder how they can persuade senior management to carefully share information upon discovery of a major internal fraud. Marks points to the Yates memo. “The SEC will more likely than not come after managers who knew of bad behavior and didn’t do everything possible to investigate and end it. You can’t fight fraud by hiding it or directing it away from the board and external auditors. Instead of trying to cover up, management should seek more information.”
One source stands out, and CFEs should frequently call management’s attention to it. Year after year, tips provide the most leads on undetected fraud. So, why do some companies with whistleblower programs still get blindsided by fraud? Because their systems look fine on paper but fail to measure up in actual practice.
“Tips come in many forms — emails, calls to hotlines or customer service, notes under doors, conversations with managers, and so on,” Marks explains. “More than a few organizations don’t formally capture them all. A case management system that doesn’t record every allegation and investigation is incomplete. When tips die on the vine deep within a company, it can’t fully understand its own fraud profile or deal with it effectively.”
Of course, there’s no point in amassing historical information if you don’t use it. “Companies should continually comb their case management systems for yellow and red flags that, taken collectively, could point to signs of recurring fraud,” Marks adds. “And when a whistleblower leaves any identifying information, examine that person’s reporting history, if any, without compromising the source’s confidentiality. That history might offer clues to the source’s credibility.”
According to the ACFE’s 2016 Report to the Nations, employees (51.5 percent), customers (17.6 percent), and vendors (9.9 percent) were the biggest groups among identified sources of tips (p. 26). Information of this nature helps companies ensure that their whistleblowing programs meet the needs of employees, customers, vendors, and others who might provide valuable anti-fraud intelligence.
Operational competence alone won’t carry the day, though; strong stewardship is also essential. “Some managers think setting up a whistleblower program is a finite task,” says Sean McAuley, CFE, senior fraud manager at Anderson, Anderson & Brown LLP (AAB), a global chartered accountancy and professional services firm headquartered in Aberdeen, Scotland, capital of the North Sea oil and gas industry. “Absolutely not; it’s an ongoing responsibility. You can’t just tick the box and say, ‘Whistleblower program done!’ I’m sorry, but that doesn’t work.”
With 25 years of fraud-fighting experience, McAuley leads the AAB team providing external whistleblower support to companies across the globe. “People who report fraud have guts, but they’re not stupid or reckless,” he says. “A whistleblowing program will never be effective if it doesn’t inspire their trust and confidence.”
The best way to get it, he adds, is to staff the telephone hotlines and websites with experienced anti-fraud professionals who understand the technical nuances and importance of what whistleblowers have to say and how much they risk by speaking out. It also means the organization immediately acknowledges receipt of their reports, keeps confidential the details they’ve revealed about their identity, and ensures it will promptly look into the issues they’ve raised. “CFEs should help organizations get these fundamentals right,” McAuley says. “If they don’t, their whistleblower programs will fail.”
Be quick; be astute
One of the greatest challenges in managing a whistleblower program is prioritizing the tips it receives. “Companies shouldn’t let low-priority reports consume resources they ought to devote to critical tips,” Marks advises. “Besides delaying the investigation of serious fraud, it exposes them to regulatory censure.”
Marks recommends that CFEs advise their clients to classify and prioritize tips into five categories — from the least dangerous threats, level one, to the most dangerous, level five. (See Allegation triage stages.) “This speeds up and improves the organization’s response,” he adds. “Say a tipster alleges the CFO is manipulating revenue. Many companies’ corporate structure is complex, especially if they operate in multiple jurisdictions. You’ve got to identify sources of relevant information, gather and analyze it, then investigate. That takes time, sometimes a lot. You might interview some sources a second — even third — time to get the whole truth.”
“CFEs also should impress upon their clients the importance of sharing information and seeking the active involvement of groups — for example, HR, internal audit, compliance, legal, IT — within whose purview each allegation of wrongdoing falls,” Marks says.
Internal staff can satisfactorily investigate allegations assigned to triage levels one, two, and three. But allegations involving legal matters, financial statements, or senior managers should be assigned to triage levels four or five because of their potentially catastrophic effect on the organization. Because regulators sometimes question the independence and professional skepticism of internal investigations in such cases, CFEs should strongly recommend engaging outside investigators to perform them.
Sometimes, the discovery of additional information reveals an allegation is more serious than originally thought. “Then raise the triage level and bring in additional groups and skills,” Marks says. “And always follow established protocol, no matter what. Your clients must never defer or shut down an investigation before it’s complete.”
Other ways to find the truth
Marks calls CFEs’ attention to a current SEC investigation into retaliation against corporate whistleblowers. Former PepsiCo General Counsel Maura Smith told the commission in 2017 that the company fired her in 2012 in retaliation for the way she handled an internal probe into Foreign Corrupt Practices Act violations by a PepsiCo subsidiary in Russia. (See SEC Probes Departure of PepsiCo’s Former Top Lawyer, by Andrew Ackerman, Joe Palazzolo, and Jennifer Maloney, Sept. 27, 2017.) But PepsiCo said it hadn’t engaged in any retaliatory conduct.
Smith left the company after signing a non-disclosure agreement and receiving a $6 million separation package. Thus, the situation remained … until 2017, when the SEC began an investigation into whether U.S. corporations were using employment contracts to discourage employees from reporting wrongdoing. As part of that probe, the agency subpoenaed Smith, who then shared her story’s previously untold side.
Marks says that when a successful senior executive suddenly leaves her coveted position to “pursue other opportunities,” CFEs should look for red flags that might lie behind that bland assertion. He notes that ACFE Research Director Andi McNeal, CFE, CPA, in an ACFE Insights blog post, “Exit Interviews: An Overlooked Tool in the Anti-Fraud Toolbox,” wrote that “[… few organizations] use these interviews as a formal element of their anti-fraud programs, leaving them vulnerable to missing candid and crucial information about ethical issues and blind spots, and even the warning signs of potential or existing fraud.” McNeal also identified several key questions to pose during exit interviews. (See Exit Interview: An Overlooked Tool in the Anti-Fraud Toolbox)