Losses from fraud total about 5% of annual revenues for the typical company. Employee tips are the primary way companies learn about internal fraud, with more than 40% of fraud identified via whistleblowing, according to the Association of Certified Fraud Examiners’ 2014 Report to the Nations on Occupational Fraud and Abuse. From the 2002 passage of the Sarbanes-Oxley Act (SOX), P.L. 107-204, to the 2010 passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203, much emphasis has been placed on increasing employees’ willingness to blow the whistle on fraud. Companies that maximize their employees’ willingness to report fraud in-house position themselves to learn about problems before they become bigger issues—and before employees feel the need to report them outside of the organization.
In an effort to curb fraud, companies have instituted third-party administration of ethics hotlines, and the follow-up of fraud complaints by internal audit and the audit committee. However, recent research, detailed in this article, reveals several counterintuitive aspects of whistleblowing, showing that a company’s fraud reporting programs can be implemented in a way that actually decreases employees’ willingness to report fraud. This article looks at actions organizations can take to avoid inadvertently discouraging fraud reporting and instead promote whistleblowing.
Third-party administrators of hotlines
Using third-party administrators to oversee hotlines is considered a “best practice” that companies use to encourage whistleblowing (see “Fraud Hotlines: Don’t Miss That Call,” JofA, Aug. 2013, page 32). An effective third-party setup typically includes a case management system that allows an administrator to track the complaint. From the employer’s perspective, the ability to ensure employee anonymity is one of the most important perceived benefits. But does the promise of anonymity actually encourage employees to use hotlines?
A 2009 study based on interviews of more than 90 managers and published in Auditing: A Journal of Practice & Theory, found that employees are more hesitant to report possible fraud to “outsiders” as opposed to using internal company reporting programs and resources, even if those internal programs don’t follow “best practices” similar to the external hotlines. This is, according to the study, because employees prefer to report wrongdoing to the organization rather than to outsiders. While hotlines run by third-party administrators are still “internal” to the organization, employees often view these external resources as reporting outside of the organization because the hotlines are not maintained by company employees.
What can companies do? Companies often want to retain the use of an external reporting system, such as a hotline administered by a third party, rather than bringing the reporting system in-house. Hotlines maintained by third parties may be more cost-effective and may offer whistleblowing reporting “best practices,” but corporations that use a third-party administrator should ensure that the following is occurring:
- The hotline should be perceived as part of the company rather than as something “separate” from or outside of the organization.
- Employees need to believe that using the external reporting mechanism is the company’s preferred way of reporting. Periodic reminders should be sent to employees to reinforce the use of the reporting mechanism.
- The hotline name and literature should make it clear that employees can call with any questions on ethical behavior. Research conducted by the Ethical Leadership Group and cited in an article on the Santa Clara University website showed that channels named “Hotline” or “Alert Line” receive about four calls per year per 1,000 employees, while lines with names such as “Open Line” or “Help Line” receive about 23 calls per 1,000 employees each year. The difference is that names such as Hotline and Alert Line give the impression that they are 911-like, emergency-only services, while names such as Open Line and Help Line give the impression that they provide mentoring services.
Follow-up of anonymous fraud reports
SOX requires audit committees of publicly traded companies to provide a whistleblowing option so that employees can anonymously report fraud. Typically, the board of directors’ audit committee and corporate internal audit department work together to follow up on complaints. Although it’s not required, private companies of all sizes should consider offering an option to encourage internal whistleblowing.
Numerous studies have found that employees are more likely to report fraud if they can do so anonymously because this minimizes concerns about retaliation and other negative consequences. But audit committee members viewed anonymous reports as less credible and were less willing to allocate resources to these reports (compared to nonanonymous reports), according to a study published in the Journal of Management Studies. A study of 84 chief audit executives (and deputy chief audit executives) revealed similar findings, according to an article published in the journal Behavioral Research in Accounting.
What can companies do? Companies should ensure that anonymous reports are not brushed aside as not credible. Internal auditors should be required to follow standardized steps to investigate both anonymous and nonanonymous complaints. These steps include:
- Log the claim in a case management system.
- Determine if an investigation is warranted.
- Determine the appropriate employees to interview.
- Draft a preliminary report.
- Implement procedures to prevent future issues.
- Communicate any policy changes in an internal corporate newsletter.
People investigating the complaints should be accountable to superiors who review the steps taken in the investigation. On a regular basis (quarterly, monthly, etc.) the audit committee should be presented with all complaints received, regardless of whether they are anonymous. However, should the audit committee members ask for more specifics (and they will for some of the complaints), transparency is an obligation, and no information should be withheld. For example, the audit committee could receive a list of all whistleblowing allegations with a summary of what the investigations into each allegation revealed. However, the list would not indicate whether each complaint was anonymous.
Methods aimed at improving corporate whistleblowing are effective only in organizations where senior management supports and champions the whistleblower. Through continual training, management can create an environment where employees feel encouraged and supported to report fraud. Numerous studies have found that employees are more likely to internally blow the whistle when they believe that the corporation will act on the information and not retaliate against the whistleblower. Additionally, recent research has found that internal fraud reports increased when peers supported whistleblowing. Routine internal communications via email and e-newsletters that inform employees about internal investigations and the importance of ethical decision-making can help management create an environment in which employees are comfortable coming forward with information.
Some fraud-reporting programs actually discourage employees from reporting fraud. Program implementation is essential to producing an increase in fraud reporting.
Organizations should ask employees annually or quarterly whether they are aware of potential fraud. This communication can be done through an online interface and reminds employees that it’s everyone’s responsibility to report wrongdoing.
Organizations using third-party administrators to run hotlines need to convey to employees that the hotline is the organization’s preferred way to report fraud. Employees are less likely to report fraud to a system that is viewed as “outside” the organization.
Organizations should use a name such as “Open Line” or “Help Line” as opposed to a name such as “Hotline” or “Alert Line.” Call-in lines with names that give the impression of being emergency-only lines generate far fewer calls than those with names that seem more welcoming.
Organizations need to institute policies that ensure that anonymous fraud tips are not brushed aside. A good way to do this is by establishing standardized steps to follow when investigating anonymous and nonanonymous complaints.
Janet A. Samuels (firstname.lastname@example.org) is an assistant professor at Thunderbird School of Global Management in Glendale, Ariz., and Kelly Richmond Pope (email@example.com) is an associate professor of accounting in the Driehaus College of Business at DePaul University in Chicago.
To comment on this article or to suggest an idea for another article, contact Jeff Drew, senior editor, at firstname.lastname@example.org or 919-402-4056.
“Fraud Hotlines: Don’t Miss That Call,” Aug. 2013, page 32
CGMA Magazine article
“Implementing an Effective Corporate Ethics Policy,” Issue 2 2014, page 8
- The AICPA Audit Committee Toolkit: Private Companies (#991007, paperback)
- Essentials of Forensic Accounting (#PFF1401P, paperback)
- The Guide to Investigating Business Fraud (#056558, paperback)
- Advanced Business Law for CPAs (#735236, text)
- Auditing for Internal Fraud (#743292, text; #163110, one-year online access)
- Fundamentals of Forensic Accounting Certificate Program (#159950, two-year online access)
For more information or to make a purchase or register, go to cpa2biz.com or call the Institute at 888-777-7077.
FVS Section and CFF credential
Membership in the Forensic and Valuation Services (FVS) Section provides access to numerous specialized resources in the forensic and valuation services discipline areas, including practice guides and exclusive member discounts for products and events. Visit the FVS Center at aicpa.org/FVS. FVS Section members can access fraud-related tools and products in the Fraud Resource Center at tinyurl.com/blc37ox. Members with a specialization in financial forensics may be interested in applying for the Certified in Financial Forensics (CFF) credential. Information about the CFF credential is available at aicpa.org/CFF.