"Note; this is my repost from year 2016 but still relevant today"
Desolate as it may be, the Chase Bank debacle massively affirms the findings of the 2016 Report to the Nations published by the Association of Certified Fraud Examiners (ACFE). The findings in the 2016 Report to the Nations have not been any different, at least not significantly, compared to the prior years’ reports. In a summary extract, the consistent findings have been that1:
> Fraud incidents involving the highest leadership in an organization, in this case the Board of directors, results in the highest financial losses
> The most common fraud detection method was tip offs
> Organizations that had reporting hotlines were much more likely to detect fraud through tips than organizations without hotlines
> Fraudulent financial statement schemes resulted in the highest financial losses
> The longer the fraud lasted, the greater the financial loss that was incurred
> Whistle blowers were most likely to report fraud to their direct supervisors or company executives
> The most common fraud concealment methods were creating and altering physical documents
Considering that the 2016 Report to the Nations (the Report) is the ninth report issued by the ACFE, it is about time individuals charged with fraud risk management responsibilities revisit the earlier Reports, identify occupational fraud and abuse trends and craft or recommend suitable fraud risk management strategies for their organizations.
It has variously been reported that the Chase Bank sham was anonymously reported through a letter to the Bank’s foreign directors. This serves to reinforce the findings in the Report on the usefulness of whistle blowing mechanisms in uncovering occupational fraud. Whistle blowing mechanisms are just as important in the public sector. Recall that major government scandals such as the Goldenberg scandal and the Anglo-Leasing scandal reported were discovered through whistle blowing. The question that begs is how seriously company executives and their Boards in both the public and private sectors view the substance of whistle blowing mechanisms in the wake of the reported financial shambles and the consistent findings in the Report.
Looking at some of the highly regulated industries for instance, the regulators have issued guidelines that address risk management. You may find in the guidelines, the regulator requires that the regulated entity establishes an independent Compliance function that among other things, is responsible for promoting an ethical culture within the organization. Along the same lines, the Compliance function is responsible for establishing and maintaining a whistle blowing hotline. To ensure the independence of the Compliance function, the head of the function should have unfettered access to an Ethics and Compliance committee of the Board to among other things report on material non-compliances or fraud incidents involving senior management. Organizations operating in a less regulated environment may borrow from these practices in their effort to manage occupational fraud.
At the onset, a well-planned out marketing campaign about the presence and valued use of a whistle blowing hotline should be executed. However, the success of a whistle blowing hotline is critically dependent on the confidence its users place on it. For instance, in designing an internal whistle blowing hotline, attention should be given to the integrity and capacity of resources available to investigate or at least follow up on all the cases reported. If the users experience is such that complaints or tip offs are not investigated, users may cease reporting potentially credible information that would uncover fraud. If through a risk assessment process it is determined that there is insufficient trust or capacity to support a whistle blowing hotline within the organization, consideration should be given to external contractors. Additionally, hotline users should be provided with the option of reporting anonymously to encourage reserved whistle blowers to file their reports. An organization that has established a successful whistle blowing hotline affords the risk management support staff a database of crucial information to guide its risk assessment plans. Internal auditors, external auditors, risk and compliance practitioners and fraud investigators all stand to benefit from the wealth in data recorded in whistle blowing hotlines.
Underpinning the proper design and establishment of a whistle blowing hotline is the right tone from senior management and the Board. A zero tolerance culture and practice against occupational fraud would go a long way in supporting individual rationalizations to report fraud incidents. This may mean organizations reconsidering their stance of not suing fraud perpetrators, for exemplary purposes with the ultimate aim of indoctrinating an anti-fraud culture.
The Board should ensure that a whistle blowing policy is documented and communicated within the organization. It would also be useful to inform external business partners about the organization’s anti-fraud stance and instruct them on how to file actual or suspect fraud incidents. The policy should expressly state that whistle blowers will not be retaliated against. For instance, that employees will not face adverse employment action or retaliatory action from the employer as a consequence of blowing the whistle. Additional consideration should be given relating to rewarding whistle blowers.
Where fraud incidents involve the highest level of management or even Board members as has been publicly cited in the Chase Bank muddle, the whistle blower should consider blowing the whistle to outside parties such as the police or other governmental or regulatory agencies.
In conclusion, Board committees in discharging their risk governance responsibilities should evaluate the structures in place within the organization against research findings from professional associations such as the ACFE and the documented mega-frauds and insist that effective mechanisms be put in place where control gaps are identified. The Board Audit Committee may for instance, consider including in its terms of reference its responsibility for overseeing the organization’s whistle blowing policy and being available to receive tip offs from potential whistle blowers. Risk management professionals should then report back to the Board committees on the effectiveness of whistle blowing mechanisms implemented by senior management. For regulated entities, the regulator should act as an additional governance tier in assessing the design and operating effectiveness of fraud risk mechanisms in place, including the operationalization of a whistle blowing hotline. The value proposition for whistle blowing hotlines may also provide a business case for professional services firms to offer this facility for a fee.