Protect and enable whistleblowers, your living, breathing fraud control

It is the age of the whistleblower, and tips are on the rise. According to the SEC’s 2022 Office of the Whistleblower report, the Commission received 12,322 tips in 2022 – not only a slight increase from the 12,210 tips received in 2021, but the largest number of tips ever received in a fiscal year. (The previous five years averaged 5,221.) Plus, increased incentives, in terms of higher awards provided to whistleblowers for the successful prosecution of cases, almost ensure that the number of tips will remain high and possibly increase.

The term “whistleblower” has somewhat of a negative connotation, but the reality is that a whistleblower is a living, breathing entity-level control, and the information they provide is a vital component to deterring and detecting fraud. The 2022 Association of Certified Fraud Examiners (ACFE) Occupational Fraud Report found that 42% of the frauds studied were detected by tips, and more than half of these tips were from employees. Whistleblower reporting should be viewed not as a threat, but as a signal that established controls related to detecting and preventing fraudulent activity may have failed or been bypassed.

Internal auditors, audit committees, and the organizations they serve must continue to focus on establishing and supporting processes, protocols, and policies that protect employee whistleblowers in terms of providing confidentiality and protection from retaliation. Additionally, it’s critical to provide easy access to multiple tip reporting mechanisms, enabling employees to report on potential instances of wrongdoing easily and internally.

It is important to note that organizations that do not conduct internal audits are at an increased risk of having poorly designed or ineffective controls related to detecting and deterring fraud. At such organizations, without ongoing audit activities, it is even more important to have a well-designed, easily accessible, management-supported whistleblower program and hotline.

Adjusting our perception of whistleblowers and refining the policies that protect them – and the value they bring to an organization – requires a process of continued improvement. Consider these best practices.

• Provide formal whistleblower training to all employees at least annually, if not more frequently. New employees should receive the same training during their onboarding process.
• Regularly disseminate strong “tone at the top” messaging to all employees related to the importance of the whistleblower policies, the importance of training, and how to report potential wrongdoing. These communications should strive to support a “See something, say something” culture. Consider prominently displaying your whistleblower hotline number in common work areas or as a default screen saver.
• Audit committees should seek whistleblower program training that is aligned with the committee’s role and responsibilities. Additionally, audit committees should be periodically briefed by management on the company’s whistleblower program, and those briefings should be captured in the committee’s minutes. Audit committees should also establish a standing whistleblower agenda item in their executive sessions to discuss whistleblower policies, complaints, and investigations.
• Regularly test the whistleblower hotline to confirm that all the processes and communications occur as intended. These tests should include complaints that relate to various levels of personnel within the organization, and the results should be discussed with management and the audit committee and appropriately captured within the minutes.
• Assess the skill sets of your internal auditors. Many internal audit groups lack the training and experience needed to effectively conduct a whistleblower investigation. Additionally, consider seeking external assistance in conducting these investigations. Using a third party helps ensure confidentiality during the investigation and avoid any preexisting internal professional relationship conflicts or issues.