BoardAndFraud

Whistleblowers: Tipsters not trusting the system? Here’s how to win them back

Background

Anonymous hotlines and tip-reporting structures are useless, of course, if informants don’t trust them. Employees won’t blow the whistle if they fear reprisals. So, their concerns often don’t enter case-management systems and frauds continue. Here’s how to earn back their trust, take them seriously and transform raw tips into valuable fraud examinations.

For 25 years, an anonymous hotline run out of the Office of the State Inspector General in Virginia has helped expose wrongdoing in state government. As of October 2017, the State Fraud, Waste and Abuse Hotline had received more than 16,000 calls. The top five allegations of wrongdoing included: 1) leave abuse 2) state vehicle misuse 3) violation of state hiring policy 4) misuse of state equipment and resources, and 5) non-compliance with agency policies. (See Hotline for fraud, waste, abuse in state government gets 16K calls over 25 years, by Evanne Armour, WAVY.com, Oct. 27, 2017.)

According to the article, Michael Westfall, acting state inspector general, said it isn’t always easy for whistleblowers to pick up the phone and call, but it’s important to hold the powerful accountable. “It’s difficult for folks to report fraud, waste and abuse because oftentimes they work with these folks or they’re neighbors with these folks,” said Westfall. “However, we want citizens to be assured that their tax dollars are being spent appropriately and that folks that are in state government can be relied upon to take appropriate actions.”

When organizations properly devise anonymous hotlines, they can be powerful tools for detecting fraud and abuse. I’m not sure much has changed in the last 10 years. In fact, according to the ACFE’s 2020 Report to the Nations, the most common fraud or misconduct detection method was tips, 43 percent, and organizations that had reporting hotlines were much more likely to detect fraud through tips than organizations without hotlines.

From a compliance perspective, we hope people will report fraud internally, but that’s not always the case. Employees might not trust hotlines, the receivers of the information, the overall compliance programs or that their organizations won’t retaliate against them.

In 2017, I spoke at the 28th Annual ACFE Global Fraud Conference in Nashville, Tennessee, about developing a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips. During my discussions with attendees, a few themes surfaced.

First, we found that tips of fraud or misconduct don’t always come through a hotline. Tips often come from other channels, such as through emails, faxes or surveys; on handwritten notes slipped under doors; via websites or on social media; by phone or text messages; or during private conversations with internal auditors or supervisors. Some studies and surveys indicate only a small percentage of tips are made through hotlines. This, of course, is a problem.

Attendees acknowledged that tips, unfortunately, might not make it into case management systems if the tipsters don’t use their organizations’ hotlines. Fraud patterns could exist, but they’re hidden in plain sight because organizations don’t capture and store information in their reporting systems. By the time they uncover the patterns, it might be too late for organizations to prevent or deter misconduct.

We also discussed why tipsters might not trust their supervisors, bosses or key contacts. I believe that too often managers don’t elevate issues because organizations reward them for handling problems — or potential problems — at the lowest level. Sophisticated organizations should flip the script and inform managers they’ll be held accountable if they don’t enter them into their reporting systems.

During the breakout session, we also discussed such concerns as “conscience disregard” and “deliberate ignorance.” We considered whether organizations make reasonable, timely and prudent inquiries. Do they do their due diligence?

Digging deeper, I uncovered a probable root cause of the reason why more tips don’t come through hotlines: The breakout session attendees indicated that their overall hotline processes aren’t independent, and their organizations don’t consistently apply the appropriate amount of professional skepticism.

Addressing hotline weaknesses

The attendees at my session gave me a lot to think about. First, we must consider the triage and investigative process when reporting fraud.

Unwavering internal audit procedures

Internal audit and compliance departments can be effective in evaluating allegations, or organizations’ hotlines design and effectiveness. Boards of directors need to ensure that their internal audit departments’ involvement in whistleblowing processes don’t undermine their ability to carry out prime-assurance functions.

The risk management, governance and internal control processes should be operating effectively. Internal auditors should look beyond financial risks and statements to consider wider issues such as organizations’ reputations, growth, their impact on the environment and the way they treat their employees. (See The changing role of internal audit, Deloitte, June 2012.)

A board also should recognize the red flag of an employee in an internal audit or compliance department transferring or leaving their organization during an investigation of a tip because it could mean the auditor or compliance professional had succumbed to pressure to avoid blowing the whistle. In 2015, The Institute of Internal Auditors Research Foundation (IIARF) published a study as a part of the “Global Internal Audit Common Body of Knowledge.” The author reported that more than 50 percent of North American chief audit executives said they’d been directed to omit or modify an important audit finding at least once. Forty-nine percent said they’d been directed not to perform audit work in high-risk areas. (See Ethics and Pressure: Balancing the Internal Audit Profession, by Dr. Larry E. Rittenberg, Ph.D., CIA, CPA.)

Whistleblowers are the single greatest source of information in uncovering fraud or misconduct.

In an unhealthy or weak corporate culture, the “right” amount of pressure or overarching profit motive can cause anyone involved in the whistleblowing process to consciously overlook evidence or even lie. (See Nobody likes a rat: On the willingness to report lies and the consequences thereof, by Ernesto Reuben and Matt Stephenson, Journal of Economic Behavior & Organization, Volume 93, September 2013, Columbia University, November 2012.) “Ovem lupo commitere” is Latin for “to set a wolf to guard sheep.” Organizations also should be cognizant of who they put in positions of power where they can exploit situations to their own benefit.

Exercising professional skepticism

We exhibit professional skepticism in the fraud-fighting process when we take nothing for granted, continuously question what we hear and see, and critically assess all documents and statements. Consider these steps:

(See Five Steps to Fighting Fraud with Professional Skepticism, by Jonathan T. Marks, Sarbanes-Oxley Compliance Journal, June 2014.)

Educate others on how to make and receive tips

How an organization reacts or triages a tipster’s message can make or break how far the information goes. Tips that use the word “fraud” are treated much more seriously than words or phrases like “misunderstanding,” “possible error” or “difference of opinion.” We need to reassess how we train our people. If you don’t have one already, establish ethics training and educate employees on the proper way to report an alleged fraud.

It’s equally important to correctly capture the information of an alleged fraud or breach. Use a case management tool to track incoming allegations or complaints, document follow-up actions and communications, record investigations, store closed cases, and provide other data or metrics.

Set yourself up for success

When a tip comes in, I use this process that I established to effectively capture, triage, assess, investigate and report potential misconduct:

Understand the business environment and its network of third-party relationships. Review the organization’s fraud risk assessment. PwC notes in its 2016 Global Economic Crime Survey that one in five respondents, or 20 percent, have never carried out a fraud risk assessment. The risk assessment should identify at minimum:

Look at the tip from all angles. Consider the source, credibility of the information and the seriousness of the compliant. Are they alleging fraud? Check the background of the source or complainant (if known). Search for a possible legal and/or financial impact and consider activating your crisis management plan.

Undertake electronic data preservation, collection and review. Prepare a litigation hold communication, which is a written directive advising custodians of certain documents and electronically stored information to preserve potentially relevant evidence in anticipation of future litigation. If you operate in different jurisdictions there might be different rules or expectations for preservation triggers, which could precede the formal launch of an investigation.

Perform triage on the allegation and determine how your company will assess tips or complaints. Make these determinations early on and understand that those decisions might change as the organization learns more about the situation.

Select an independent team that has the skills and capabilities to deal with the allegation — this helps eliminate bias. This might include internal audit, human resources, information technology, compliance, general or outside counsel, external forensic accountants, etc.

Proactively ensure the tipster doesn’t face retaliation. On Feb. 21, the U.S. Supreme Court, in Digital Reality Trust, Inc. v. Somers, ruled that the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act apply only to those who’ve reported allegations to the U.S. Securities and Exchange Commission (SEC) at the time of the retaliatory conduct. (See Supreme Court Articulates Dodd-Frank Whistleblower Definition in Digital Realty Trust, Inc. v. Somers, Lexology, Feb. 23.) However, employees who report violations internally might still benefit from significant protections afforded by the U.S. Sarbanes-Oxley Act of 2002.

Following this ruling, whistleblowers might now wonder whether they can trust their internal networks to protect them. Protect tipsters by enforcing the organization’s non-discrimination and non-retaliation policy, investigating carefully and thoroughly before any adverse action’s taken, acting consistently and fairly, and documenting what occurs.

Execute your investigation protocols. This will include finding facts and conducting interviews. Consider performing data analysis or analytics. Maintain lines of communication with the tipster. Do this by providing regular updates and expressing your appreciation for their willingness to come forward.

Summarize the report findings. Ensure all documentation is in order. If nefarious activities have taken place, carefully and thoughtfully share your findings with counsel, if they don’t already know.

Perform root-cause analysis and remediate. Root-cause analysis benefits the organization by identifying the underlying cause(s) of an issue and helps enhance business processes. An issue might reoccur if you don’t perform an effective root-cause analysis and enact appropriate remediation activities. Root-cause analysis ensures an organization isn’t treating the symptoms and decreases the likelihood of additional re-work, embarrassment or regulatory issues.

Trust the process

Fear of reprisal can and often does prevent employees and others from reporting genuine concerns. This creates a challenge for a board, audit committee, senior leadership, internal audit and others. Whistleblowers are the single greatest source of information in uncovering fraud or misconduct. You’ll free them to speak out if board members and management take the lead in implementing and maintaining a formal fraud risk management program, which includes a sound hotline reporting program.

Trusting the process means that whistleblowers believe there’s a strong tone and conduct from the top, and their organizations will objectively evaluate their concerns and, no matter what, won’t retaliate. Retaliation in most cases mutes the employees voice!

Crisis Situations

During a crisis situation, fear and reprisal can be elevated and thus its important to find ways to connect with employees and others.

A study states individual behaviors in crisis situations do not correspond to everyday life behaviors, which makes sense.  For a variety of reasons individuals may overlook ethical violations and not report the alleged bad behavior.  Thus, understanding mew and emerging fraud risks, leaning on internal audit to enhance monitoring, and stepping up management reviews are critical in the fight against fraud!

I welcome your thoughts and comments!

Best,

 

Jonathan T. Marks, CFE, CPA, is a partner at Baker Tilly and can be reached at jtmarks@bakertilly.com

 

Original article: http://www.fraud-magazine.com/article.aspx?id=4295001874

Modified from 2018