If you want some real scary reading, put down your Steven King novel and read the Report to the Nations on Occupational Fraud and Abuse that is put out biannually by the Association of Certified Fraud Examiners. According to this study of 1,388 organizations where fraud occurred, the typical organization loses 5 percent of its revenues annually to fraud. Of the fraud cases studied, the median fraud loss for religious, charitable or social service organizations was $85,000, and was $200,000 for health care organizations. The report goes on to say that tips are the number one way frauds are detected, accounting for over 43 percent of the frauds in their study. Moreover, organizations that had anonymous reporting systems in place suffered less than half the financial losses from fraud sustained by organizations without such systems. For this reason, it is in your best interest to have a mechanism in place to make it as easy as possible for your employees and vendors to raise concerns.
Another reason to have a whistle-blower policy is so you can check “yes” on the Form 990 when the IRS asks if you have a whistle-blower policy. This is considered one of the 33 best practices for good governance put out by the Panel on Nonprofits. In addition, the Sarbanes-Oxley Act imposes fines and penalties on organizations that retaliate against whistle-blowers, and having a policy provides a process to help ensure you do not retaliate against whistle-blowers.
A whistle-blower policy provides individuals a means to report suspicious activity. Fraud reporting mechanisms, such as hotlines, should be set up to receive tips from both internal and external sources and should allow anonymity and confidentiality. Management should regularly make employees and vendors aware of the process, actively encourage them to report suspicious activity and emphasize that the organization has an anti-retaliation policy. A good sample policy from the National Council of Nonprofits can be found at this link.
A common concern about whistle-blower hot lines is what happens if employees bombard the system with petty grievances or fabricate allegations. A survey of hotline vendors found the average annual volume of complaints to be a manageable 4 per every 100 employees, and only about 3 percent involve matters of a serious nature. To be effective, the organization must respond to even the smallest of complaints. You may also want to consider including a provision in your policy for how you will deal with baseless allegations.
Once you have the process in place you may think you are all set. I had a few clients that believed that to be the case, and were surprised when we found the process to be broken. As a surprise audit test, we obtained their policy and attempted to report a fraudulent activity. With one client, the third-party hotline service we called had an employee answer the phone who didn’t know the line was for whistle-blower reporting or what to do with our concern. The client’s executive director was very upset when we shared our results and immediately called the hotline vendor to rectify the situation. The next time we tested the system, our allegation made it from the hotline vendor to the audit committee chair as it was supposed to.
When reviewing another client’s process, the policy allowed employees to mail or fax in allegations of wrongdoing. However, when we tested this process we learned that the faxes went to the main fax machine kept at the receptionist’s desk. We pointed out that perhaps the receptionist was not the proper person to be handling sensitive legal matters. For allegations that were mailed in, the letters went to the mail room to be opened by the mail clerk. This clerk explained to us that if the letter looked to be accounting related he would just forward it to accounting, not exactly where you would want an allegation about improper behavior of your accounting staff to go. The client appreciated the feedback on their process and has since revamped it to direct all allegations to their HR director.
Another client included an email address in their policy for employees and vendors to direct their concerns to. Our audit team crafted an email with our fraud concern and sent it off to the address listed. When we were not contacted about our email, we started inquiring about where our complaint wound up. It turns out that the email address in the policy was incorrect and any complaints submitted were just disappearing into cyberspace without even a notification that the email could not be delivered. That left the client wondering how many real complaints had suffered a similar fate. They immediately corrected the policy and communicated the change to their staff.
The importance of having a policy cannot be understated. But also important is having an effective process that is working properly. Now may be a good time to dust off that policy and do a “test of the emergency broadcast system.” Bottom line is, we all want our organizations to do the right thing, and we want our employees to tell us when we aren’t.