Revisiting the roles and responsibilities of those handling whistleblower tips

By Eleftherios Tsintzas, CIA, CFE, CRMA, CFSA

Eleftherios Tsintzas (lefti4@yahoo.com) is the Deputy Audit Division Director at Alpha Bank Romania in Bucharest, Romania.

In their 2018 Report to the Nations,[1] the Association of Certified Fraud Examiners reported that the most common method of fraud detection was a tip (40%). For organizations with hotlines/helplines, the number of the fraud cases revealed through tips increased to 46%, and the median losses from fraud were 50% smaller. Also, the duration of the fraud was 50% shorter at organizations with hotlines.

But what happens if an organization has established a hotline, but the overall whistleblowing process has not been designed and implemented properly?

The case described below has been inspired by a true story, but persons and entities mentioned are fictitious.

A serious allegation

Philip was the chief audit executive in the internal audit division of a financial leasing organization. While sitting in his office reviewing a report from a recently completed audit, he received a phone call from the president of the audit committee. The president informed Philip that a serious allegation related to the anti-money laundering practices of the organization was received.

A reporter had contacted the president, revealing that the organization’s practices facilitated laundering funds of customers—shell companies, whose beneficial owners were individuals sanctioned for gun smuggling. Even worse, an employee of the organization had warned the executive management of the organization several months ago about the relevant practices.

Specifically, 10 months ago the employee had contacted the organization’s hotline and had warned that the organizational arrangements in the Know Your Customer area and the internal controls in place allowed customers—companies (possibly linked to sanctioned individuals)—to legitimize funds from illegal activities. Moreover, he had implied that senior officers of the organization were aware of the relevant practices and turned a blind eye, because these transactions improved the performance of the organization and led to increased bonuses.

The audit committee had been completely unaware of such a warning. Philip had also not been informed. How was that even possible?

Their whistleblowing program

The organization had a sufficiently detailed whistleblowing policy in place that encouraged the disclosure of potential wrongdoing (e.g., breach of legal, regulatory, and statutory requirements or unethical behavior and practices), providing guidance on the process to be followed for raising the concerns.

The policy described the hotline operation and the processes that followed the receipt of a report related to potential wrongdoing. Moreover, the hotline, managed by the risk management department of the organization, was easily accessible 24/7, offering confidentiality and anonymity. When a report related to potential wrongdoing was submitted through the hotline, it was received by an appointed employee of the risk management department, who was responsible for assessing the report and discussing it with his/her manager. If the report was considered credible, it should be forwarded to the executive management for review. If executive management considered the report worthy of investigation, it would be forwarded to internal audit. Following its investigation, internal audit would report the relevant results to the executive management and the audit committee.

So what went wrong?

Philip called the risk management department employee responsible for receiving and assessing the whistleblower reports. This person confirmed that the relevant report had been received through the hotline and assured Philip that the process described in the whistleblowing policy had been followed to the line. She had assessed the whistleblower’s report and discussed it with her manager. Both considered the report credible, so they forwarded it to the executive management of the organization for review.

Nonetheless, the executive management had not considered the report worthy of further investigation, and thus no further action was taken. Now Philip was sure of what had gone wrong.

Indeed, the whistleblowing policy had been followed to the line!

However, the fact that, according to the tip, senior officers of the organization were aware of the relevant practices and turned a blind eye was overlooked by the risk management department. Thus, the whistleblower’s report never reached the audit committee, because it was not considered worthy of further investigation by the executive management of the organization. Moreover, the whistleblowing policy of the organization did not require the whistleblower reports to be submitted to a second layer of dissemination, so as to ensure an extra review, independent of the one performed by the executive management. Had such an independent review been required, the whistleblower’s report could have reached the audit committee.

As a result of the above omissions, the money laundering was not revealed, the organization faced multimillion-dollar fines, the reputational impact was significant, and the organization was eventually taken over by one of its competitors.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings