Does Your Organization NEED a Whistleblower Policy?

/

GUEST BLOGGER

Eileen Leslie, CFE, CPA
Forensic Analyst, Forensic Strategic Solutions

I envision a resounding “yes” is crossing your mind, no matter who you are or where you fall in the organizational chain of command.

But seriously, stop and think. You are the organization’s owner, president, human resources manager, executive, employee, etc., and in your opinion, should your organization have a whistleblower policy or does it need one?

The difference I am trying to convey has to do with your organization’s ethical culture.

Of course most, if not all, organizations should have a whistleblower policy in place. It should include all of the standard and essential elements: definition of covered individuals, encouragement to report wrongdoings, non-retaliation and non-discrimination provisions, confidentiality of individuals and a defined process of reporting. The policy should be effectively communicated to pertinent individuals and the implementation and enforcement processes should be functional.

The question of needing a policy depends on the culture or values of the organization.

While working as a financial analyst in the U.S. Attorney’s Office, I investigated many whistleblowers’ allegations of companies violating the False Claims Act. I recall one time sitting across the table from a CEO who clearly did not foster an ethical culture when it came to doing business with the federal government. When asked if he knew or had read the federal regulations governing the company’s business, he responded by chuckling and saying the regulations were “too boring to read.” His sentiment, obviously, trickled down to the company’s management and employees, resulting in whistleblower allegations, a federal investigation and ultimate settlement with the company.   

So, what are the best practices for an organization to not need a whistleblower policy?

  1. Hire ethical people.
  2. Hire competent people who have the knowledge to perform their work in accordance with state and federal laws and regulations.
  3. Create an environment where people are encouraged to report problems or concerns.
  4. Take reported problems seriously, investigate and resolve if needed.
  5. Reward good faith reporting.
  6. Take the negativity out of whistleblowing or filing complaints, and create opportunities to better the organization.

Sounds simple, right? No organization wants to suffer the embarrassment and negative publicity that can occur as a result of whistleblower allegations. Review your organization’s current whistleblower policy if it has one. Ask yourself, “Do you need that policy?”

Top Fraud Predictions for 2015: Technology will shape the fight

/

GUEST BLOGGER

Scott Patterson, CFE
ACFE Senior Media Relations Specialist

Technology will give fraudsters an edge in 2015, but it will also provide new tools for organizations and investigators. Three of our experts weighed in on digital currencies, information security and other issues that will help shape the effort to prevent and detect fraud in the new year:

  • Technology will increase the sophistication of fraud schemes. This is an existing trend that will accelerate in 2015, according to ACFE Regent Gerard Zack, CFE, Managing Director – Global Forensics for BDO Consulting. “More and more we are reacting to reports of fraud with, ‘how did they do that?’” Zack said. “It’s a reflection of schemes becoming more complex and capitalizing on technology, including some of the new technology deployed by companies in the interest of improving efficiency. While simple frauds still exist, we are seeing a distinct proliferation of more complex fraud schemes.”
  • But technology (like data analytics) will also help catch tomorrow’s frauds. Zack is quick to note that for fraudsters, technology is a double-edged sword – as it will also be leveraged by the professionals trying to catch them. “There will be more breakthroughs in the use of technology to detect fraud – particularly in the use of visual analytics and also in the use of tools to mine unstructured data.”
  • Improving information security will be a major priority. More massive data breaches, like the ones that have stricken Home Depot, Target Corp. and other large retailers over the past two years, are likely to occur in 2015, according to ACFE Vice President and Program Director Bruce Dorris, J.D., CFE. “These breaches have exposed widespread vulnerabilities among organizations that store and maintain personal information, putting millions of individuals at risk,” Dorris said. “Considering that storage of data continues to grow at an exponential pace, more trouble lay ahead – and there is an increasing need for information security and protecting against data breaches.”
  • Digital currencies will shake up fraud risks for retailers and consumers. An increased acceptance of bitcoin and other digital currencies among merchants will signal a shift in fraud risk, according to Jacob Parks, J.D., CFE, Associate General Counsel at the ACFE. “Vendors/sellers face reduced fraud risks from ‘friendly fraud,’ where customers fraudulently cancel credit card or bank payments after receiving an item,” Parks said. “Digital currency transactions are generally permanent, which makes this scheme untenable. However, consumers face an increased risk of fraud by dishonest sellers, since the transaction is often not insured or protected by an agreement with a financial institution. Additionally, consumers using digital currencies have a reduced identity theft risk because the transactional data stored by the seller cannot be used by malicious parties to charge the customer (this also means vendors have a reduced risk of data breaches involving these customers).”
  • With protections for whistleblowers increasing, more people will step forward to report fraud. Dorris said that a decade ago, few countries had whistleblower protections. However, increased awareness about the harm caused by major frauds at organizations has led to legislators looking to whistleblowers to prevent or mitigate such crimes. “France, South Africa, South Korea, Australia and other countries have all taken substantial reforms to protect whistleblowers, particularly those who identify crimes in the public sector,” Dorris said. “U.S. policy has moved beyond simply protecting whistleblowers; it now has several programs that financially incentivize whistleblowing regarding bribery, tax evasion and corporate accounting fraud. The programs are largely still in the beginning stages, but have already had major payouts.”

With a new year also comes new threats. But, as many anti-fraud professionals know, just as the fraudsters think of new techniques to wreak havoc, the fraud fighters standing on the other side are armed and ready to prevent and detect it. 

Want more? Visit ACFE.com to find two more fraud predictions for 2015.

CFEs' Pledge to Protect Employees

/

LETTER FROM THE PRESIDENT

Fraud Magazine

James D. Ratley, CFE
ACFE President and CEO

A CEO is committing fraud. And many of the middle managers and staff members know it. What to do?

Corporate leaders have always faced pressure to tweak the ledgers to make the company goals. Since the Sarbanes-Oxley Act of 2001, organizations have implemented fraud hotlines and whistleblower protection programs to curb C-suite transgressions. However, as Bob Tie writes in Fraud Magazine's cover article, only when such resources are well-designed, implemented and managed do employees have the confidence to use them.

According to the ACFE's 2014 Report to the Nations on Occupational Fraud and Abuse, "Owners/executives accounted for less than one-fifth of all frauds, but the median loss in owner/executive cases was $500,000, approximately four times higher than the median loss caused by managers and nearly seven times that of employees." The median duration of fraud schemes perpetrated by employees was 12 months; by managers, 18 months; and by owners/executives 24 months, according to the report.

Clearly, Tie writes, organizations need to improve their employees' ability to report C-suite misbehavior. CFEs can offer guidance to employees who'll help fight fraud if they know hotlines are truly anonymous and responsive and they're convinced they'll be thoroughly protected if they come forward.

Tie quotes management consultant Warren G. Bennis: "A manager has a short-range view; a leader has a long-range perspective." 2012 ACFE Sentinel Award recipient Michael C. Woodford, then president and CEO of Japan's Olympus Corp., decided that he would be a leader and heed the fraud accusations of an anonymous Olympus employee reported in a Japanese business publication. Woodford confronted the company's board and forfeited his job. But his actions propelled the story into the media and the courts.

Tie writes that Woodford had performed well, but he wasn't born a leader. However, he became one by maintaining his integrity. "Because I was CEO of a large multinational corporation, it was much more likely that people would eventually hear me out," Woodford says in the article. "The real concern is how you make it easier to report wrongdoing for, say, a junior management accountant with three children and a big mortgage."

Indeed. CFEs' responsibilities go beyond just performing thorough fraud examinations. We have to actively encourage C-suite executives to protect employees who want to do the right thing. Our pledge to detect and deter fraud demands no less.

Read more about the fraud options of the C-suite on Fraud-Magazine.com.

Investigating a Contemptible Fraud

/

LETTER FROM THE PRESIDENT

I've seen all kinds of fraud. Some are mind-numbing. Others are intriguing or preposterous. But only a few are truly contemptible. The cover story in this month's Fraud Magazine tells of a fraud that endangered the lives of the poorest of the poor while generating millions for the fraudsters.

On May 13, 2013, Ranbaxy USA Inc., a subsidiary of Ranbaxy Laboratories Limited, pleaded guilty to seven federal criminal counts of selling adulterated drugs with intent to defraud, failing to report that its drugs didn't meet specifications and making intentionally false statements to the government. Ranbaxy, in the largest drug safety settlement to date with a generic drug manufacturer, agreed to pay $500 million in fines, forfeitures and penalties.

Dinesh Thakur, a former research executive with Ranbaxy, blew the whistle on the company after his boss found that it had provided false data to the World Health Organization. Thakur, then a new employee, investigated and discovered a company culture that not only tolerated fraud but also apparently celebrated and encouraged it among its employees. His boss reported Thakur's results to the board, and he then later resigned in protest. Thakur also resigned after Ranbaxy falsely accused him of breaking company rules.

Thakur eventually took his discoveries to the U.S. Food and Drug Administration and endured almost nine years of aiding governmental investigative agencies before Ranbaxy finally pleaded guilty.

"It certainly was cathartic to stand in the Federal Court in the District of Maryland in May of last year to hear the company plead guilty to seven counts of felony," Thakur says in the cover interview article. "I felt the weight of this case removed from my shoulders. It was a victory not just for me and my legal team, but the hundreds of millions of patients worldwide who were subjected to adulterated medicines by this company in the most unethical manner. More importantly, this case sent a strong message to manufacturers of medicines that you cannot hide from the long arm of the law just because you are a foreign entity."

For "Choosing Truth Over Self," the ACFE honored Thakur with its Sentinel Award at the recent 25th Annual ACFE Global Fraud Conference.

I know that we'll see many more contemptible frauds. But thanks to Thakur, and the diligent investigators who investigated Ranbaxy's systemic crimes, we'll see a bit less fraud that ravages the defenseless. 

Retaliation Exposure Tipping Point? Supreme Court Extends SOX Whistleblower Protections to Private Company Employees

/

GUEST BLOGGER

Shanti Atkins
President and Chief Strategy Officer, NAVEX Global

The Supreme Court in Lawson vs FMR, LLC (delivered March 4, 2014, after a 6-3 vote) has ruled that employees of private companies engaged by public companies are covered by the whistleblower protections of Sarbanes-Oxley Act of 2002 (SOX).

In Lawson, two employees of FMR, LLC (a private employer contracted with by publicly traded mutual funds) claimed they were retaliated against by their employer after raising issues of fraud. They filed for whistleblower protection under SOX. FMR responded by claiming that their employees were not protected by SOX from firing or retaliation because SOX applied only to claims brought by employees of public companies.

A Seminal Shift in Coverage

SOX was enacted largely in response to shareholder fraud at a publicly traded company, Enron. SOX included a provision to protect whistleblowers from retaliation to encourage reporting of fraud. No one ever argued that these protections did not apply to employees of public companies. In fact as pointed out by dissenting U.S. Supreme Court Justice Sonia Sotomayor, the name of the pertinent SOX section was “Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud.” For years it was a widely held position that this whistleblower protection applied solely to employees of the 5,000 or so companies with publicly traded securities in the U.S. Lawson changes that position entirely.  The decision’s seminal shift in SOX coverage opens up the potential for more claims brought by employees of the third parties of private companies who have been engaged by public companies.

What’s the Practical Impact on Exposure?

The true size of this potential new universe of protected claimants is still uncertain. Depending on your position, you either think that there will be an overwhelming rush by accountants, law firms and even in the most extreme cases, babysitters (as argued in the dissenting opinion of Justice Sotomayor) to bring retaliation claims. Or, you believe it will be “business as usual.” Much of this final debate may hinge on an undecided question about the types of claims protected and whether or not, as many allege, they are limited to shareholder fraud. But one thing is clear. Public and private companies alike must now take greater care with how whistleblowers are handled after a report has been filed.

A Reminder that Risk Continues to Escalate Through the Use of Third Parties

While the full impact of the decision on the number and subject matter of whistleblower claims remains to be seen, there is another critical take-away from Lawson: The use of all third parties puts the engaging party at higher risk of fines, litigation and damage to reputation. Whether in the form of liability for direct, unlawful acts such as bribery or quality failures, or liability for the consequences of retaliation, all third parties need to be evaluated for the potential risk to the enterprise, private and public. This argues in favor of universal but proportional due diligence, especially data driven technology solutions, as well as strong policies, training and further monitoring and auditing of third parties.

The Importance of Effective Reporting Channels

In light of this opinion, an additional area of heightened concern for all employers should be the need to ensure that the company has an effective, well-communicated hotline for employees to report misconduct, along with a robust case management system to centralize, manage and resolve those reports – whether brought through the hotline, or another avenue, including management and HR. This is not just a requirement or best practice for publicly traded companies. It is a universal need. More than just collecting reports of misconduct, employers should ensure that reports are being promptly investigated and actually resolved. This concern is illustrated in the results of NAVEX Global’s just published 2014 Hotline Benchmarking Report. From the NAVEX Global website, “the Report’s findings showed that the number of days it is taking organizations to close a reported case has gone from 30 days in 2008 to 36 days in 2013. Questions on accounting, auditing and financial reporting took an average of 46 days to close…”

“Every additional day an employee is left wondering whether their concern has been taken seriously represents a risk to the organization,” said Carrie Penman, chief compliance officer and senior vice president of advisory services at NAVEX Global. “An ongoing increase in case closure time is a red flag; organizations need to ensure they have sufficient and properly trained resources available to manage the increasing volume of reports in the coming year. The trend is especially notable given that under some regulatory provisions for external reporting and whistleblower awards, an organization may have limited time to complete an internal investigation.”

Lawson Reminds Us of the Ongoing Challenges Around Whistleblowing and Retaliation

The whistleblower risk to companies is clearly increasing. Even with overall workplace misconduct on the decline according to a recent study from the Ethics Resource Center (ERC), retaliation bucks the trend, continuing to rise at an alarming pace. This syncs up with NAVEX Global’s own proprietary data (based on the largest database of reported incidents in the world) where overall report volume has increased substantially over the past three years. 

Lawson demonstrates continued support for expanding the protections for whistleblowers. Experienced compliance specialists, executives, attorneys and others who address the reduction of risk or exploit its vulnerabilities should take proactive steps to identify whistleblower risks and implement or enhance current plans to address them. Bringing the impact of Lawson to the attention of the top ranks of an organization is also critical – executive management, the C-Suite and the Board. It’s a decision worthy of everyone’s attention.

Find out more about how businesses can protect themselves by downloading our SOX Whistleblower Protection Toolkit for Private Businesses.