Of the many complications and hurdles that businesses may face, data breaches and fraud are among the most damaging and most challenging to control. In 2018, fraud caused over 7 billion dollars in total losses, with 22% of total cases causing losses of over 1 million dollars, as noted by the Association of Certified Fraud Examiners (ACFE). Fraud also puts company and customer information at risk, causing reputation damage that can be difficult to repair. How do you get ahead of this terror? A major step may be having a “whistleblower” hotline.
Whistleblowing typically has a bad reputation, but in matters of data being exposed and fraud being executed, it is a saving grace for company reputation and finances. In 2019, Capital One’s security hotline received an anonymous tip of data being leaked, ultimately revealing that personal data from over 100 million of the company’s customers was exposed by a former employee of the company’s cloud services provider. Whether your company is as big as Capital One, or a small company with only a handful of clients, the irrefutable damage that data breaches can cause could mean a long and expensive future of security spending, lawsuits, and reputation management.
Being one step ahead of fraud situations and having the ability to detect them early is key to reducing the damage. According to ACFE’s study on fraud and abuse, the most common detection method of a data breach is receiving tips, half of which are actually provided by employees of the breached company. Companies that have hotlines in place for their employees and outside parties received 46% of fraud tips, compared to 30% without a hotline.
Implementing an effective hotline and reporting program is key to having fraud or abuse noted in a timely manner and provides the company an opportunity to mitigate potential damages. Internal whistleblower hotlines, however, may not be effective if the company’s culture is one that does not promote ethical behavior, which causes employees to stay quiet for fear of retaliation. Conversely, externally hosted hotlines may not be as effective if the hotline company doesn’t have enough knowledge about the organization and may not be proficient in gathering all pertinent information. Whether you manage your hotline internally or externally, employees need to be made aware that the hotline exists, how it works, the procedures involved, the caller’s involvement in the reporting process, and the protections provided, which should include confidentiality of calls. This is why it is valuable for companies to:
- Gather a team of knowledgeable and motivated individuals.
- Integrate the whistleblower hotline process as part of the corporate compliance and ethics program.
- Educate employees on the specifics of reporting a suspected unethical or unlawful activity and ensure this information is sufficiently publicized.
- Have a stable monitoring process in place to make sure the tips reported are properly investigated and updated.
- Update tipsters on the progress of the investigation so they feel valued.
- Offer the hotline to additional contributors, such as vendors.
- Increase awareness of the hotline and be open about success stories.
An effective whistleblower hotline can be a resource to ask questions, ask for guidance, and provide tips and safety concerns without the fear of punishment or reciprocity. It is easy to trust people and believe nothing will go wrong, but that is what makes one company more vulnerable than another. The investment in a strong hotline program is crucial to a company’s successful corporate compliance program and in turn, the company’s overall long-term success.
Shari Diamond, CIA
Partner
Shari has been with Cerini & Associates, LLP since 2008 where she works primarily with the firm’s school district clients providing internal audit and claims audit services. She has over twenty years’ experience performing internal audits, risk assessments, and compliance reviews, as well as recommending processes to strengthen the internal controls environment while increasing efficiencies. Her prior experience at PWC and Northrop Grumman included performing Information Technology audits.