​​​Whistleblowing in Action​

Comments Views

​​​An anon​ymous tip has led to the dismissal of the head of Richmond, Va.'s finance department, WTVR-TV reports. An investigation by the city auditor found that the employee, Sharon Judkins, had become eligible for nearly US $408,000 in benefits from more than 800 hours of unused sick time she had accumulated during a previous stint with the city. Richmond's mayor has requested that the Virginia Commonwealth's Attorney review other findings not included in the audit report to determine whether there was any criminal wrongdoing. Since 2010, the city's Fraud Squad hotline has received more than 100 tips each year, officials say.​

Lessons Learned

The actions and results depicted in this story align with a well-organized and effective whistleblower program, but this isn't always the case with other organizations and jurisdictions. Internal auditors should assess whistleblower programs and their effectiveness, and, when in positions of authority, take action to ensure all the key components of an effective whistleblower program are in place.

Many organizations and jurisdictions around the world don't necessarily do so. Generally, most observers assess that the United States has the overall strongest set of whistleblower programs. By contrast, programs andprotections for whistleblowers in Canada and other Commonwealth countries are considered comparatively weak, with limited legislation covering the public and private sector, and limited formal protection for those who speak up internally or externally.

Here are four essential components of an effective whistleblower framework, along with suggestions for what auditors should both look for and help establish:

1. Governance. A well-designed whistleblower program should include structures encompassing government legislation and enforcement, which are leveraged through private resources and also motivate agencies to investigate allegations. Specific whistleblower legislation with the broadest possible coverage of institutions and organizations is a hallmark of a strong whistleblower framework, but many countries rely on old and very broad laws, such as for libel cases. Consistent program objectives and scope of application also are critical to avoid gaps in whistleblower coverage and overly complex processes caused by inconsistencies. In some jurisdictions, for example, employees working side by side in the same organization, but with different employers or employment statuses, may not have the same coverage under whistleblower legislation. In the United States, whistleblower programs vary considerably by industry, city, and state. 

Both internal and external whistleblower programs are essential for effective fraud/corruption coverage. Audit functions should figure prominently in either scenario in the fraud risk assessment stage and as an independent means to investigate and recommend remedial actions on cases, including using forensic auditing. However, they should not get involved in the overall program management or recommendation of incentives aspect of whistleblower programs. Because of the importance of incentives, effective governance of whistleblower programs also will involve creating procedures that provide for judicial oversight to ensure award decisions are fair.

2. Reporting​. Requirements, incentives, and mechanisms also are core parts of a strong whistleblower framework. Tip line programs may be commendable, but they can't match the targeted, high-quality information and enhanced resources resulting from mandated whistleblower reporting that enforcement agencies can achieve. An organization's audit function is typically well-placed to receive and investigate cases. 

The SEC had a tip line for many years before the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act mandated that it establish a new whistleblower program, yet the commission did not act to stop Bernie Madoff, even though it repeatedly received evidence of his wrongdoing. Anonymous hotlines and redress for retaliation typically are insufficient to convince valuable whistleblowers, who often sacrifice not only their current employment but also any future employment, to come forward and report corporate wrongdoing. 

A more debated aspect of whistleblowing reporting is whether to require whistleblowers to report fraud and other wrongdoing through internal compliance programs before reporting the violations to the government. A balance needs to be struck between avoidance of weaker, frivolous, insignificant, or even fictitious whistleblower claims versus the potential for stifling or censuring bona fide cases. Perhaps providing guidance and encouragement to begin by reporting internally makes the most sense. Corporate public reporting should address cases, results from investigations (including audits), and how they ultimately were resolved, as well as what the organization has learned from them.

3. Incentives. Many countries offer few, if any, incentives to whistleblowers — Canada, the U.K., and Australia are examples. However, more than two decades of experience with whistleblower programs in the United States has shown that most individuals with evidence of significant wrongdoing need the certainty of a reward commensurate with both the value of the information they provide and the amounts that are recovered by law enforcement as a result. The SEC's whistleblower program offers strong financial incentives — rewards of up to 30 percent of amounts recovered — that recognize the risks to the individual's career and livelihood that come from stepping forward. Similarly, the U.S. Commodity Futures Trading Commission in May cut a check worth US $240,000 to one whistleblower. 

Providing mandatory — rather than discretionary — percentage rewards to whistleblowers from the recoveries their information generates are better at furthering anti-corruption and anti-fraud enforcement priorities, and also motivate other whistleblowers to step forward. Even the "culpable whistleblowers" (the architects and co-conspirators of the fraud) should not automatically be excluded from consideration. It sometimes "takes a criminal to catch a criminal," although the most appropriate "quid pro quo" may be a more lenient punishment. Auditors particularly should examine controls in this area and their effectiveness.

4. Protection. In the design and implementation of programs, protecting whistleblowers from suppression of their evidence and retaliation from the consequences of coming forward is a must. Frequently whistleblowers lose their jobs right alongside the guilty party because their organizations do not protect insiders who report wrongdoing. Organizations should keep whistleblowers' identities confidential or anonymous as much as possible under the law, although judicial processes may ultimately require their disclosure. Statutory employment protections should be in place, including compensation for lost back pay and other damages, as well as reinstatement if the whistleblower suffers retaliation in his or her employment. Internal auditors need to examine the comprehensiveness and effectiveness of controls over the protection of whistleblowers.​

​Countries and organizations may claim they have no need for whistleblower programs or that cultural impediments stop them. However, the continuing string of headline-grabbing government and business scandals demonstrates a clear need to act. Legislators and leaders worldwide need to develop and enhance strong whistleblower enforcement programs, and involve auditors in making them effective.​



Comment on this article

comments powered by Disqus
  • IIA GRC_July 2020_Premium 1
  • AuditBoard_July 2020_Premium 2
  • IDEA_July 2020_Premium 3