Anonymous hotlines and tip-reporting structures are useless, of course, if informants don’t trust them. Employees won’t blow the whistle if they fear reprisals. So, their concerns often don’t enter case-management systems and frauds continue. Here’s how to earn back their trust, take them seriously and transform raw tips into valuable fraud examinations.
For 25 years, an anonymous hotline run out of the Office of the State Inspector General in Virginia has helped expose wrongdoing in state government. As of October 2017, the State Fraud, Waste and Abuse Hotline had received more than 16,000 calls. The top five allegations of wrongdoing included: 1) leave abuse 2) state vehicle misuse 3) violation of state hiring policy 4) misuse of state equipment and resources, and 5) non-compliance with agency policies. (See Hotline for fraud, waste, abuse in state government gets 16K calls over 25 years, by Evanne Armour, WAVY.com, Oct. 27, 2017.)
According to the article, Michael Westfall, acting state inspector general, said it isn’t always easy for whistleblowers to pick up the phone and call, but it’s important to hold the powerful accountable. “It’s difficult for folks to report fraud, waste and abuse because oftentimes they work with these folks or they’re neighbors with these folks,” said Westfall. “However, we want citizens to be assured that their tax dollars are being spent appropriately and that folks that are in state government can be relied upon to take appropriate actions.”
When organizations properly devise anonymous hotlines, they can be powerful tools for detecting fraud and abuse. I’m not sure much has changed in the last 10 years. In fact, according to the ACFE’s 2018 Report to the Nations, the most common fraud or misconduct detection method was tips, 40 percent, and organizations that had reporting hotlines were much more likely to detect fraud through tips than organizations without hotlines.
From a compliance perspective, we hope people will report fraud internally, but that’s not always the case. Employees might not trust hotlines, the receivers of the information, the overall compliance programs or that their organizations won’t retaliate against them.
In 2017, I spoke at the 28th Annual ACFE Global Fraud Conference in Nashville, Tennessee, about developing a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips. During my discussions with attendees, a few themes surfaced.
First, we found that tips of fraud or misconduct don’t always come through a hotline. Tips often come from other channels, such as through emails, faxes or surveys; on handwritten notes slipped under doors; via websites or on social media; by phone or text messages; or during private conversations with internal auditors or supervisors. Some studies and surveys indicate only a small percentage of tips are made through hotlines. This, of course, is a problem.
Attendees acknowledged that tips, unfortunately, might not make it into case management systems if the tipsters don’t use their organizations’ hotlines. Fraud patterns could exist, but they’re hidden in plain sight because organizations don’t capture and store information in their reporting systems. By the time they uncover the patterns, it might be too late for organizations to prevent or deter misconduct.
We also discussed why tipsters might not trust their supervisors, bosses or key contacts. I believe that too often managers don’t elevate issues because organizations reward them for handling problems — or potential problems — at the lowest level. Sophisticated organizations should flip the script and inform managers they’ll be held accountable if they don’t enter them into their reporting systems.
During the breakout session, we also discussed such concerns as “conscience disregard” and “deliberate ignorance.” We considered whether organizations make reasonable, timely and prudent inquiries. Do they do their due diligence?
Digging deeper, I uncovered a probable root cause of the reason why more tips don’t come through hotlines: The breakout session attendees indicated that their overall hotline processes aren’t independent, and their organizations don’t consistently apply the appropriate amount of professional skepticism.
Addressing hotline weaknesses
The attendees at my session gave me a lot to think about. First, we must consider the triage and investigative process when reporting fraud.
Unwavering internal audit procedures
Internal audit and compliance departments can be effective in evaluating allegations, or organizations’ hotlines design and effectiveness. Boards of directors need to ensure that their internal audit departments’ involvement in whistleblowing processes don’t undermine their ability to carry out prime-assurance functions.
The risk management, governance and internal control processes should be operating effectively. Internal auditors should look beyond financial risks and statements to consider wider issues such as organizations’ reputations, growth, their impact on the environment and the way they treat their employees. (See The changing role of internal audit, Deloitte, June 2012.)
A board also should recognize the red flag of an employee in an internal audit or compliance department transferring or leaving their organization during an investigation of a tip because it could mean the auditor or compliance professional had succumbed to pressure to avoid blowing the whistle. In 2015, The Institute of Internal Auditors Research Foundation (IIARF) published a study as a part of the “Global Internal Audit Common Body of Knowledge.” The author reported that more than 50 percent of North American chief audit executives said they’d been directed to omit or modify an important audit finding at least once. Forty-nine percent said they’d been directed not to perform audit work in high-risk areas. (See Ethics and Pressure: Balancing the Internal Audit Profession, by Dr. Larry E. Rittenberg, Ph.D., CIA, CPA.)
Whistleblowers are the single greatest source of information in uncovering fraud or misconduct.
In an unhealthy or weak corporate culture, the “right” amount of pressure or overarching profit motive can cause anyone involved in the whistleblowing process to consciously overlook evidence or even lie. (See Nobody likes a rat: On the willingness to report lies and the consequences thereof, by Ernesto Reuben and Matt Stephenson, Journal of Economic Behavior & Organization, Volume 93, September 2013, Columbia University, November 2012.) “Ovem lupo commitere” is Latin for “to set a wolf to guard sheep.” Organizations also should be cognizant of who they put in positions of power where they can exploit situations to their own benefit.
Exercising professional skepticism
We exhibit professional skepticism in the fraud-fighting process when we take nothing for granted, continuously question what we hear and see, and critically assess all documents and statements. Consider these steps:
• Play the role of the independent reviewer or inspector — particularly of your own assumptions. A professional skeptic continuously challenges their beliefs and belief-based risk assessments — assessments influenced by trust and confidence.
• Resist complacency. Question whether you’re placing undue weight on prior risk assessments or discounting evidence inconsistent with your expectations.
• Be alert to pressure that you might receive to truncate risk-assessment procedures or make unwarranted assumptions to beat time constraints and approaching deadlines.
• Understand sources (generated internally vs. externally) of evidence. Identify and assess audit risks from multiple perspectives by using many evidence sources.
• Be aware of the relative reliability of various types of evidence. In general, documentation from internally generated documents — particularly those that are generated manually or aren’t linked to other reporting systems — is less reliable because fraudsters can more easily manipulate them than documents generated by external sources, such as banks or suppliers.
(See Five Steps to Fighting Fraud with Professional Skepticism, by Jonathan Marks, Sarbanes-Oxley Compliance Journal, June 2014.)
Educate others on how to make and receive tips
How an organization reacts or triages a tipster’s message can make or break how far the information goes. Tips that use the word “fraud” are treated much more seriously than words or phrases like “misunderstanding,” “possible error” or “difference of opinion.” We need to reassess how we train our people. If you don’t have one already, establish ethics training and educate employees on the proper way to report an alleged fraud.
It’s equally important to correctly capture the information of an alleged fraud or breach. Use a case management tool to track incoming allegations or complaints, document follow-up actions and communications, record investigations, store closed cases, and provide other data or metrics.
Set yourself up for success
When a tip comes in, I use this process that I established to effectively capture, triage, assess, investigate and report potential misconduct:
Understand the business environment and its network of third-party relationships. Review the organization’s fraud risk assessment. PwC notes in its 2016 Global Economic Crime Survey that one in five respondents, or 20 percent, have never carried out a fraud risk assessment. The risk assessment should identify at minimum:
• Fraud schemes that could potentially occur. Schemes might involve failure to disclose certain transactions with related parties, material asset impairments, unrecorded liabilities or accounting practices that violate GAAP.
• Possible concealment strategies on and off the books that fraudsters could use to avoid detection. On-the-book fraud occurs within the business. Illicit payments or activities are recorded, generally in some disguised manner. Off-the-book fraud bypasses the accounting system, so an audit trail might not exist. Bribery and kickback schemes are examples of off-the-book fraud.
• Conversion tactics that allow the fraudster to realize ill-gotten gains. Depositing funds into an account, making payments to relieve a personal debt or making a purchase are examples of conversion tactics.
• Individuals or gatekeepers who pose the highest risk of committing fraud. (Consider management who can possibly override internal controls.) Examples include: misusing journal entries, applying inappropriate bias to assumptions that underline accounting estimates, entering into transactions near the end of a period to meet objectives and pressuring others to initiate or participate in improper behavior.
• Established internal controls to prevent, deter or detect fraud. Properly designed internal controls discourage fraudsters and limit opportunities to hide fraud trails.
• A list of warning signals or red flags to educate the organization and help it focus on the internal controls that’ll help mitigate key fraud risks, assist the internal auditor in designing procedures and can be used by compliance, legal and internal audit to assess tips or allegations.
Look at the tip from all angles. Consider the source, credibility of the information and the seriousness of the compliant. Are they alleging fraud? Check the background of the source or complainant (if known). Search for a possible legal and/or financial impact and consider activating your crisis management plan.
Undertake electronic data preservation, collection and review. Prepare a litigation hold communication, which is a written directive advising custodians of certain documents and electronically stored information to preserve potentially relevant evidence in anticipation of future litigation. If you operate in different jurisdictions there might be different rules or expectations for preservation triggers, which could precede the formal launch of an investigation.
Perform triage on the allegation and determine how your company will assess tips or complaints. Make these determinations early on and understand that those decisions might change as the organization learns more about the situation.
Select an independent team that has the skills and capabilities to deal with the allegation — this helps eliminate bias. This might include internal audit, human resources, information technology, compliance, general or outside counsel, external forensic accountants, etc.
Proactively ensure the tipster doesn’t face retaliation. On Feb. 21, the U.S. Supreme Court, in Digital Reality Trust, Inc. v. Somers, ruled that the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act apply only to those who’ve reported allegations to the U.S. Securities and Exchange Commission (SEC) at the time of the retaliatory conduct. (See Supreme Court Articulates Dodd-Frank Whistleblower Definition in Digital Realty Trust, Inc. v. Somers, Lexology, Feb. 23.) However, employees who report violations internally might still benefit from significant protections afforded by the U.S. Sarbanes-Oxley Act of 2002.
Following this ruling, whistleblowers might now wonder whether they can trust their internal networks to protect them. Protect tipsters by enforcing the organization’s non-discrimination and non-retaliation policy, investigating carefully and thoroughly before any adverse action’s taken, acting consistently and fairly, and documenting what occurs.
Execute your investigation protocols. This will include finding facts and conducting interviews. Consider performing data analysis or analytics. Maintain lines of communication with the tipster. Do this by providing regular updates and expressing your appreciation for their willingness to come forward.
Summarize the report findings. Ensure all documentation is in order. If nefarious activities have taken place, carefully and thoughtfully share your findings with counsel, if they don’t already know.
Perform root-cause analysis and remediate. Root-cause analysis benefits the organization by identifying the underlying cause(s) of an issue and helps enhance business processes. An issue might reoccur if you don’t perform an effective root-cause analysis and enact appropriate remediation activities. Root-cause analysis ensures an organization isn’t treating the symptoms and decreases the likelihood of additional re-work, embarrassment or regulatory issues.
Trust the process
Fear of reprisal can and often does prevent employees and others from reporting genuine concerns. This creates a challenge for a board, audit committee, senior leadership, internal audit and others. Whistleblowers are the single greatest source of information in uncovering fraud or misconduct. You’ll free them to speak out if board members and management take the lead in implementing and maintaining a formal fraud risk management program, which includes a sound hotline reporting program.
Trusting the process means that whistleblowers believe there’s a strong tone and conduct at the top, and their organizations will objectively evaluate their concerns and, no matter what, won’t retaliate.
Jonathan T. Marks, CFE, CPA, is a partner and leader of regulatory investigations and compliance at Marcum LLP. Reach him at: firstname.lastname@example.org.
Original article: http://www.fraud-magazine.com/article.aspx?id=4295001874