Getting Employees to Join the Fight Against Fraud
KEVIN OMAHEN, CPA
U.S. businesses lose millions of dollars to white-collar criminals every year. The manufacturing sector is especially vulnerable to fraud schemes involving billing, corruption and non-cash assets, such as theft of inventory and equipment. Research suggests that businesses that provide a convenient and confidential way for employees to report unethical behavior are more likely to unearth wrongdoing sooner and suffer smaller losses than those without established “whistleblower” policies. This article recommends ways to make reporting hotlines as effective as possible. A Sidebar outlines the benefits of using an outside forensic accounting specialist when fraud strikes.
To Catch a Thief
Proactive fraud prevention and detection controls can substantially reduce a company’s risk of fraud and minimize fraud losses. However, all anti-fraud tools are not created equal. In each biennial edition of its Report to the Nations on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE) has consistently found that tips are the most common method of detecting fraud by a significant margin.
In the 2014 report, the ACFE found that more than 42% of frauds were detected by tips. About half of these tips came from employees, and the rest were reported by vendors, customers and anonymous sources. The second most common method of detection was management review, which unearthed fraud in only 16% of the cases in the study.
Based on these statistics, it stands to reason that reporting hotlines can be a critical weapon when deterring fraud and minimizing losses. The ACFE reports that organizations without an anonymous hotline suffered about two-thirds higher average fraud losses than those lacking this prevention mechanism.
Many private companies forgo reporting hotlines because they are seen as expensive and too formal for closely-held organizations. Only about half of the companies in the 2014 ACFE study had a reporting hotline in place, but only 18% of companies with fewer than 100 employees used a reporting hotline. However, implementing an effective reporting mechanism can be a powerful way to prevent and detect fraud for companies of all sizes.
Minimize the Fear of Retaliation
Most employees are honest and want to do what is best for their employers. But the prevalence of anonymous tips — which were the source of about 15% of the tips in the ACFE study — suggests that many whistleblowers fear retaliation from co-workers if they speak up against wrongdoers or their allegations do not pan out. This is especially true in smaller companies where it may be harder to safeguard a whistleblower’s identity.
An important component of an effective reporting hotline is to establish policies to protect the confidentiality of whistleblowers and prevent backlash, including verbal bullying or job loss — especially when employees report on suspected wrongdoing by their superiors. Often it is beneficial to consult with an attorney to ensure that the company’s hotline and related policies comply with employment laws and other regulations that may apply where you operate.
When selecting a manager to oversee the reporting hotline, choose someone who is fair and impartial and engenders trust among people inside and outside the organization. Provide your “ethics officer” with authority and training to act on information conveyed through the hotline. Hotlines can also be managed externally by third-party vendors.
Promote and Facilitate Reporting
Of course, employees need to know about the hotline before they will use it. Once you implement a confidential telephone or Internet reporting hotline, conduct a meeting to promote it to both would-be perpetrators and those who might make a report, including employees, clients, shareholders and vendors. The hotline should be convenient to use and available 24/7 in multiple languages.
Distribute guidelines for the reporting hotline when it is first launched, when you conduct periodic fraud prevention training and when new employees join the company. Also, create print and electronic promotional materials for the hotline to display in high-profile locations, such as in the lunchroom and on the company’s intranet site.
Remember, too, that reporting hotlines can unearth other problems besides fraud, such as unsafe working conditions or drug abuse by co-workers. Some companies even set up their hotlines to serve as an electronic “suggestion box” for ways to improve operating efficiencies or offer new product ideas.
Follow Up on Tips
Employees are more likely to report fraud if the company acts on tips in a prompt, serious manner and demonstrates a zero-tolerance policy for fraud. The most serious allegations should be reviewed with legal counsel first. Often, timely follow-up necessitates the use of an outside forensic accounting specialist who is trained in collecting a thorough and defensible trail of evidence.
Sidebar: Know When It Is Time for Professional Help
When fraud strikes, the company’s ethics officer may feel like he or she is looking for a needle in a haystack. However, he or she does not need to act alone. Often, company insiders lack experience on how to investigate tips or gather evidence to adequately support a fraud claim. The first step when fraud is suspected is to contact legal counsel. The use of an outside forensic accountant can prevent botched investigations and help your company recover from fraud as quickly as possible.
Forensic accountants can also help management deal with the emotional aspects of a fraud investigation. For example, they can help management minimize disruptions to normal business operations and proactively address rumors that might spread during fraud investigations.
Most important, outside experts are generally impartial and unemotional. These traits can be invaluable when owners of a closely held business feel blindsided by unethical behaviors perpetrated by trusted employees.
For more information on how to fight fraud at your organization, contact Kevin Omahen at [email protected], or call him at 312.670.7444. Visit ORBA.com to learn more about our Manufacturing and Distribution Group.
Secure Disposal of IT Equipment
Substantial resources are spent by manufacturers and distributors in choosing the right information technology (IT) equipment to invest in and how to secure those devices throughout their useful lives with passwords, encryption, firewalls, antivirus software and properly trained staff. But security concerns are often overlooked when those same assets are retired. Ongoing attention to security is a must because IT equipment typically houses a company’s most valuable intellectual property.
Just because data appears to have been deleted from a device’s hard drive does not mean it is gone. Some data may be recoverable — even if you smash a device with a sledgehammer — and recovered data can come back to haunt you if it winds up in the wrong hands.
Let us look at an example: Company A (a fictitious manufacturer) returned two copiers to its equipment leasing company. Neither party erased the devices’ internal hard drives, which stored everything that Company A had copied or scanned over the term of its lease. When the leasing company subsequently sold the copiers to a competitor, the buyer also obtained Company A’s financial data, customer lists and employee records.
It is important to look at the language of equipment leases to understand what will happen to the data stored within the hard drive on the machine after the equipment is returned. Many leases nowadays do include a hard drive destruction clause within the contract. Be sure to review leases for similar clauses, or lack thereof, before signing.
Security incidents also can arise when a company resells, recycles or donates its old IT equipment without properly erasing the hard drives. In other breaches, thieves steal assets from dumpsters or unlocked storage sites before management wipes the hard drives. The result? Large volumes of confidential and sensitive data are left unprotected and vulnerable to theft and fraud. It also opens the door for violations of software license agreements.
Bulletproof Disposal Protocols
Asset-intensive companies need formal companywide IT disposal policies to ensure reliable data destruction. Here is some guidance to consider when drafting an IT disposal policy:
Rewrite Multiple Times
Companies cannot just delete data once, because it can still be reconstructed from the device by an IT professional. Many Fortune 500 companies and the federal government follow the Department of Defense protocol, which requires data to be rewritten at least three times.
Companies often turn to outside disposal vendors to ensure safe disposal and factor disposal fees into the total cost of equipment ownership. Equipment retailers, manufacturers and leasing companies also may provide these services upon request. If you decide to outsource disposal, choose your vendors wisely. The cheapest vendor might skip steps, such as performing background checks on employees and their subcontractors, offering risk indemnification, tracking assets during the disposal process and ensuring that assets are disposed of in an environmentally responsible manner.
Dispose of outdated equipment as soon as you upgrade. Doing so reduces the risk of theft and increases the price you will receive at resale.
As IT assets near the ends of their life spans, consider whether the devices can be repurposed. Sometimes equipment can be reused internally to temporarily save the cost (and hassle) of secure disposal.