Editor’s note: Yesterday, Dan focused on the new age bounty hunter that came about from he passage of The Dodd-Frank Wall Street Reform And Consumer Protection Act (Dodd-Frank) in July 2010: the “corporate whistleblower.” Today he continues his discussion, talking about testing your company’s systems, policies, processes and procedures.
From a corporate fraud standpoint, there are several areas that I want to highlight as part of this testing/reviewing process: internal reporting tools, communication, training and reporting protection.
The purpose of a corporation’s internal reporting system (the ethics hotline) is to provide employees with an anonymous mechanism to report ethics concerns, possible fraud and unethical or inappropriate behavior so that the corporation can investigate the allegation, determine if there is a factual basis for the allegation, take appropriate employment and legal action (if necessary) against the individual(s) involved, and strengthen the internal controls surrounding the company’s processes, practices and procedures which may have been violated (post mortem analysis).
It is important to note, however, that not all calls to the ethics hotline are indicative of corporate fraud or inappropriate behavior, and no adverse action of any kind should be taken without significant, independent fact-finding investigation (“Just the facts, ma’am”) to confirm the validity of the report.
Employers need to ensure that all reports to the ethics hotline are investigated in a timely, unbiased and thorough manner, appropriately documented in a central document repository or case management information reporting system, and retained in accordance with the company’s data records retention schedule.
Communication, as always, is imperative. In light of Dodd-Frank, however, employers should increase regular communication to employees through internal company communication tools (newsletters, websites, intranet, postings, employee handbook updates, new hire orientation training, emails, flyers, mailings, etc.) regarding ethical behavior, and company standards for business dealings, sales practices and a host of other corporate policies like Acceptable Use of Company Technology, Code of Business Conduct, Conflict of Interest and the Foreign Corrupt Practices Act (FCPA).
Communication should also remind employees of the internal reporting mechanisms and tools available for them to use if they have concerns about specific behavior or practices. These tools shouldn’t require employees to look hard to find them.
Lastly, companies must ensure that their internal control communication and event notification procedures are being followed so that the audit committee, board of directors and other senior management are being made aware of potential issues in a near real-time basis.
Increased communication standards, and open door policies, should help businesses get out in front of issues before they get ugly and create a need for regulators carrying big sticks. This is where the well rounded, holistic management approach that I’ve written about and outlined in the past (Tis the Season To Analyze Your Anti-fraud Efforts For The New Year) is valuable and pays dividends.
In addition to increasing internal communication, companies should increase the amount of regular ethics training provided to employees, reinforcing the corporation’s ethical culture and code of business conduct.
CCI author and ethics expert Frank Bucaro had this to say about it:
“One shot ethics training is really no ethics training at all. There are so many possibilities, for all budgets in developing impactful ethics training. Organizations that are genuine in their desire to offer ethics training to all employees should seriously consider developing a well planned, fully integrated and ongoing training program.”
I completely agree with Bucaro about the return on ethics training investment and the “that kind of behavior is NOT tolerated around here” culture it promotes.
Additionally, companies should require and track annual certification by employees, acknowledging that they have reviewed the training material and will abide by the company’s ethical standards. While this may currently be done pursuant to Sarbanes Oxley provisions, re-evaluating your ethics training programs and strengthening efforts in this area is strongly recommended in light of regulatory acts like Dodd-Frank that incentivize employees to come forward with information.
Finally, given the anti-retaliation provisions of Dodd-Frank, which strengthen existing Sarbanes Oxley whistleblower provisions (SEC. 806. Protection For Employees of Publicly Traded Companies Who Provide Evidence of Fraud), employers need to work with their human resources departments and labor lawyers to ensure that individuals who come forward via the internal reporting mechanism are not retaliated against if their identity becomes known.
Employees who recognize that there are company processes in place to protect them might look internally first for resolution before seeking out the SEC. After all, whistleblowing rewards might not ultimately be the huge “golden ticket” that the eccentric chocolateer Willy Wonka promotes it as.
In conclusion, in light of Dodd-Frank it’s apparent that there is no time like the present to address ethics and compliance performance issues. Now is the time to test, analyze, assess and optimize your company’s ethics, compliance, audit, employment processes, technology tools and reporting efforts to ensure a strong internal ethical culture and that “all systems are a go.”
Do your systems work? How do you know? Are you regularly testing them? Just because they worked last year doesn’t mean they’re working this year.
Having a robust ethics and compliance program might not only assist in defeating the financial incentives for new age bounty hunters (whistleblowers) to bypass your processes, but it could prevent the kind of financial mayhem, brand damage and lack of consumer confidence that comes it. Once your ethics system fails, it goes to the government and you become front-page news at The Wall Street Journal.
Sign up for our free weekly e-newsletter for more GRC articles, job postings, GRC events, white papers & more…..click here
About the Author Daniel W. Draz is the principal of Fraud Solutions, an international fraud consulting firm. He has 26 years of successful fraud investigation, fraud training, fraud prevention, fraud management, risk (management and investigation), audit, regulatory and compliance experience exclusively in the financial services sector. In his previous role, he was the corporate investigations manager at TransUnion LLC, where he over saw the Corporate Investigations Department, also serving as the global anti-fraud liaison to TransUnion’s operations in 25 foreign countries on six continents. Additionally, his responsibilities included oversight for all internal employee investigations involving violations of ethics, code of business conduct, hotline and acceptable technology usage policies and procedures. Daniel’s staff also investigated all customer interfacing matters and violations, violations of customer contract agreements, violations of federal rules and regulations governing permissible purpose, access of consumer credit information and cases with federal law enforcement agencies involving rings, organized criminal activity and national security matters. Prior to joining TransUnion, Daniel was a fraud investigator in the Special Investigations Unit at Standard Insurance Company in Portland, Oregon. In that capacity, he conducted sophisticated insurance (life, health and disability) investigations (civil and criminal) into questionable/fraudulent claims; referred insurance fraud investigations to local, state and federal law enforcement agencies nationwide for prosecution consideration; coordinated investigations with law enforcement agencies and prosecutors; and advised counsel, senior management and business units on fraud issues/problems/solutions. Additionally, he was also responsible for development and delivery of anti-fraud training programs and training on red flags/fraud avoidance/investigation procedures/methods to minimize exposure to financial loss. Previously, Daniel owned and operated an investigative and fraud consulting agency in California, providing specialized fraud consulting, investigative and litigation consulting services to businesses and corporations, insurance companies, self-insureds, financial services firms, large law firms, government agencies, telecom carriers and select individual clients nationally. Daniel has been a Certified Fraud Examiner (CFE) since 1996 and is a member of the American Society for Industrial Security’s (ASIS) Economic Crime Council. He has an M.S. in Economic Crime Management from Utica College (2005) and a B.S. in Criminal Justice from Arizona State University (1985). He currently holds adjunct professorships at four colleges, where he teaches a variety of graduate and undergraduate classes involving various forms of fraud, economic crime, white collar crime and criminal justice. He also has extensive experience teaching both in the classroom and online, and with developing unique academic curriculum. Daniel is a former member of the International Association of Special Investigation Units (IASIU) and a frequent speaker at national industry conferences. He is formerly associate editor, fraud investigations for PI (Private Investigator) Magazine, where he wrote on a variety of fraud-related topics. Daniel also created the first insurance fraud column for FRAUD Magazine, the official publication of the Association of Certified Fraud Examiners and is an occasional contributor to SIU Today, the official publication of the International Association of Special Investigations Units. He has been published over 40 times in industry and trade publications over the years and frequently mentors other investigators and fraud professionals around the country. To contact Daniel, email him at email@example.com. Daniel writes a regular column, Fraud Flashpoints, for Corporate Compliance Insights.