criminal and fraudulent acts of their
employees. Under the U.S. Federal Corporate Sentencing Guidelines, the applicable fines and penalties resulting from
a fraudulent act within the corporation
can be substantially reduced if the company can demonstrate that it has a solid
internal corporate compliance program.
One of the elements of this program
is a “reporting system whereby employees and other agents could report criminal conduct by others within the
organization without fear of retribution.”
For every $100,000 in fines that result
from an employee’s acts, a corporation’s
compliance in this area could reduce that
fine by up to $60,000. Furthermore, the
corporation’s self-reporting of the violation could potentially reduce the fine by
up to an additional $40,000.
From a practical perspective, it makes
sense to encourage employees to report
fraud for three reasons. First, fraudsters
usually steal in response to financial
pressures. But even when their financial needs are met, they often continue
stealing, and the amounts involved tend
to grow. Second, employees are more
effective than any other mechanism at
detecting and reporting fraud.
Although statistics on this topic vary,
a 2003 study by accounting firm KPMG
revealed that 63 percent of fraud discoveries resulted from notifications by
employees, yet only 12 percent resulted
from external audits.
Finally, when employees have concerns
about possible fraud or abuse, they often
feel pressure to take some type of action.
Providing an appropriate, carefully
planned, company-sanctioned internal
reporting mechanism can potentially
improve morale, provide a safety valve
for employees, and prevent the possibly devastating effects of reporting that
Although employees of publicly held companies are
protected from whistleblowing retribution by
Sarbanes-Oxley, many staff members will not
necessarily trust that the regulations will be upheld.
MAXIMIZING THE BENEFITS
Despite the predominant role played by
employee reporting in the discovery of
fraud, a 1995 study by Ethikos magazine,
a bimonthly publication based in New
York that examines ethical and compliance issues in business, indicated that
only half of employees who had witnessed misconduct reported the wrongdoing to their organization. As companies
structure and refine their reporting
processes, they can help increase the
number of employees actually using the
system by considering the factors that
may influence employees’ willingness to
come forward. These factors include the
existence of an organizational ethics code
and accompanying training, the structure of the process for reporting fraud,
employees’ personal traits in the area
of courage and honesty, the structure of
the organization itself, and the organizational culture.
ETHICS CODE AND TRAINING One of the most
critical factors influencing an employee’s
decision to report questionable acts is
the existence of a comprehensive ethics
code in the organization and regular
employee training with respect to that
code. For an employee to report a
wrongful act, four primary conditions
• He or she must believe that the act
• He or she must believe that the
wrongful act is actually occurring.
• He or she must believe that the act is
adequately serious to merit reporting.
• He or she must believe that he or
she has a responsibility to report.
The ethics code helps to meet these
conditions by delineating activities that
the company regards as illegal or unethical, thereby ensuring that employees
know what acts are considered wrongful. The code and associated training
should also explain the employee’s
responsibility to report violations,
whether known or suspected.
The code of ethics should be reviewed
annually with employees, or it is likely to
be disregarded. During this review and
training, employees should be encouraged to comply with internal controls and
be reminded of their responsibility for
reporting violations of the ethics code or
In many cases, employees are not certain that a fraud is occurring. They are
more likely to be aware of a variety of
red flags, which may include breaches
of internal controls, lifestyle changes,
or unjustified temper flare-ups.
Employees need to be reassured that
reporting these observations is a good
thing and that they do not have to be
certain that a fraud is occurring to report
observed red flags.
With respect to internal controls, it
is also helpful for employees to understand the reasons behind the rules. They
are less likely to override controls and
more likely to report breaches of those
controls when they understand the
underlying purpose. One accounting
instructor tells of a bank branch manager who attended one of his night
classes. When the instructor explained
that requiring two signatures on a check
helps keep one person from being able
to commit check fraud without the
other’s knowledge, the manager became
visibly alarmed. To ensure “less hassle” for her co-signer, the student had
released her co-signing authority on one
of the bank’s accounts to the other co-signer by signing a pile of blank checks.
When she realized the reason for the
two independent signatures, she
reported the event to the appropriate
bank authorities and helped uncover a
significant embezzlement being perpetrated by her co-signer.
Research done at Florida State and
Binghamton Universities also suggests
that employees may be more likely to
report a suspicious act if:
• The perpetrator offers excuses or
makes justifications for his actions.
• The employee perceives that the
actions are due to low integrity on
the perpetrator’s part.
• The employee feels that the perpetrator had control over the situation,
as opposed to being coerced.
Apologies offered by the perpetrator,
however, may make it more difficult for
employees to report fraud, and the struggle to report increases tremendously if
INTERNAL AUDITOR FEBRUARY 2004