The Association of Certified Fraud Examiners (ACFE) reports that 40 percent of business fraud is discovered through confidential tips from employees, yet only about 33 percent of businesses have hotlines to facilitate these tips.
Because the ACFE also notes that a typical U.S. organization loses 6 percent of its revenue to fraud every year, there is clearly a compelling business case to be made for implementing employee whistleblower hotlines. The ACFE found it curious that so many companies are ignoring or overlooking this opportunity, because confidential reporting mechanisms require relatively little expense and are highly effective antifraud devices.
Section 301 of the Sarbanes-Oxley Act requires publicly traded companies to establish methods for employees to communicate any accounting or financial concerns. Closely held companies and not-for-profit organizations are not bound by Sarbanes-Oxley, but prudence would dictate — and best practices recommend — establishing early warning systems to identify and stop fraud before it leads to costly fines or litigation.
While a locked suggestion box, a post office box or an access-controlled page on a Web site may work, the best option to encourage people to blow the whistle is probably a telephone hotline. This inexpensive solution to a potentially costly problem is universally accessible 24 hours a day, and callers do not need to identify themselves.
Companies that do not want to open and maintain their own hotlines may choose from a number of third-party providers that offer independent hotline services. These providers will usually customize their services to fit an organization’s size, reporting requirements and budgets. Pricing may include an all-inclusive annual flat fee or a nominal set-up charge, plus a per-incident cost.
Develop policies
Simply having a hotline or other reporting mechanism is not enough, however. Companies must communicate regularly with employees in developing whistleblower policies and procedures. They should detail, in writing, what constitutes unethical or fraudulent behavior and give examples of the types of activities that should be reported.
In addition, as part of an effective fraud program, companies should include:
- Fraud training for employees
- Clearly communicated behavioral expectations and consequences for noncompliance
- Employee education on the effect of fraud on salaries, bonuses and other benefits
- A no-gift policy that is communicated to employees and vendors
Fliers posted at designated locations, inserts in vendor and client correspondence, and training for employees and managers (and customers and vendors, if necessary) are also good ways to reinforce the message.
Of course, whistleblower reports must include enough specifics to allow an investigation. Thus, whistleblower policies should include reporting standards and procedures, along with guidelines for the amount and type of information required. A sample whistleblower policy and tracking report are available on the American Institute of Certified Public Accountants Web site at www.aicpa.org/audcommctr/toolkitsnpo/Whistleblower_Tracking.htm.
Communicate actions
When reports come in to a whistleblower hotline, they should be documented with details of the alleged impropriety and the steps taken to address it. There is no need to publicize particulars, but it is a good practice to communicate general statistics and actions taken so that employees understand the information is not being ignored or dismissed.
In addition to establishing whistleblower policies and reporting mechanisms, companies must demonstrate their commitment to acting on them. Employees must believe that dishonest activities, whether theft, conflict of interest or falsification of records, will be detected and punished.
There is no obligation for privately held companies to adopt fraud-prevention procedures, but doing so can avert losses from fraud and litigation that would be far more costly than the relatively inexpensive mechanisms required to prevent them.
Mari Reidy can be reached at (312) 899-7005.