Reporting misconduct

By Richard H. Girgenti, CFE; Meghan V. Meehan, CAMS

Do your workers know how to report misconduct internally? Are they comfortable when doing so? Or would they more likely report the issue first to the SEC — for the reward?

With the passage of the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act and subsequent enabling rules, corporations face greater challenges in maintaining effective compliance programs. A key provision of the law allows whistleblowers to reap possible multimillion-dollar rewards for providing the Securities and Exchange Commission (SEC) with original information on alleged corporate wrongdoing.

After much public debate, the new law and related rules don't require whistleblowers to report knowledge of wrongdoing to their companies as a condition of eligibility for rewards. What's more, research shows that, despite the best efforts of many entities, most corporate environments usually fall short in alerting their employees to the importance of reporting misconduct internally and making them comfortable when doing so. With the U.S. federal government opening a reporting path straight to the SEC and adding a monetary incentive for employees to take that approach, many companies have strengthened their compliance programs and ensured that their cultures encourage employees to raise their hands high when they know something is amiss. [See "My Take" by Bert Lacativo, CFE, CPA. — ed.]


The SEC board members voted three to two on Aug. 12, 2011 to make the rule effective. The government can now consider a whistleblower for a reward if he or she voluntarily provides the SEC with original information, which leads to successful enforcement of a federal court or administrative action that includes monetary sanctions of more than $1 million. That reward is 10 percent to 30 percent of the total monetary sanctions.

The SEC considers the nature and severity of the misconduct to determine if the whistleblower may collect an award. With a few exceptions, the rule excludes the reward eligibility of senior managers with legal, compliance, audit, supervisory or governance responsibilities who may have learned of a reportable issue during the course of their duties. A whistleblower who may have engaged in wrongdoing may still be eligible for an award.

The SEC noted in the Annual Report on the Dodd-Frank Whistleblower Program that it had received 334 whistleblower tips on a variety of financial issues between Aug. 12 and Sept. 30, 2011, the most recent data available.


Faced with the prospects of any fraud or misconduct issue becoming a federal case — possibly even before the organization itself learns of the problem — most companies have launched a reassessment of their internal fraud prevention and compliance programs with a particular emphasis on the adequacy of internal reporting mechanisms and incentives.

  • To start, many are conducting employee surveys to gauge overall sentiment on how employees feel about using their company's internal reporting mechanisms (e.g., hotlines) and the reasons for not using them. Often companies utilize these surveys to show senior management and boards the benchmark comparisons with leading practices among others in the same industry. The surveys also establish levels from which future surveys can evaluate progress in programs' effectiveness.  
  • Many entities have launched full reviews of their codes of conduct and ethics, internal whistleblower procedures and other components of their compliance programs to assess whether they appropriately reduce the risk of violations. They are also encouraging employees, executives and directors to report suspected violations internally at the earliest possible stages.  
  • Companies are conducting assessments to identify their highest-risk areas and developing plans to fortify the compliance frameworks around them. 
  • Many are performing gap analyses of whistleblower policies relative to the Dodd-Frank rules to ensure that codes and policies align with the new law and reinforce compliance-training programs to underscore how retaliation won't be tolerated.
  • In addition, companies are formulating how reports of wrongdoing will be investigated and by whom. Such programs also set guidelines on when boards need to be involved and assign responsibilities for investigation and notification processes that may start with general counsels or corporate compliance officers and involve leaders of affected business units. We advise companies to review their practices and policies about reporting to whistleblowers on possible actions. Many entities provide some investigation details to whistleblowers to show their cultures stand up for ethics in the workplace.  
  • Communication shows employees that companies and their leaders are committed to effective fraud detection and prevention programs. Frequent communications — such as in person at companywide meetings, through company websites and in printed newsletters — can help employees understand that business will be conducted in ethical ways and the steps the company has taken to address whistleblower complaints, including protection from retaliation. 
  • There's something extraordinary about the personal touch. Workshops and focus groups can reach deeper into employees' sentiments and may reveal issues percolating beneath the surface. The visibility and availability of company executives and board members can also go a long way to identify potential problems and create open environments for frank discussions. 
  • Many leading companies also have reached beyond their employees to ask third parties — vendors, customers, community leaders and others — to evaluate their interactions with the entities.  
  • Companies also have begun to conduct exit interviews at which they can address questions of how the entities can improve. The interviews also may reveal new issues. 
  • Meanwhile, companies are augmenting traditional hotlines with web-based reporting systems that enable employees to raise issues that may require reviews. Entities need to consider whether they may need multilingual or culturally appropriate whistleblower procedures and guidance because more companies now offer hotline or whistleblower mechanisms to third parties and in multiple countries.  


Programs that foster corporate cultures of ethical behavior, encourage open and honest communication and demonstrate entities' commitment to properly responding to reported wrongdoing can have a number of benefits.

Employees may be more likely to make their first reports through internal channels, which allow companies to quickly understand the issues and take steps to protect evidence while also considering how to most effectively stop any wrongdoings.

The goal would be to help companies maintain control by addressing potential frauds or misdeeds, which would decrease potential costs and reputational damages.

Sean McKessy, chief of the SEC's Office of the Whistleblower, noted during a published interview in March that a "significant majority" of potential wrongdoing had been reported internally before the whistleblowers took the tips or complaints to the SEC, and he recalled only one instance in which a "serious" tip wasn't first reported internally.

In addition, although the Federal Sentencing Guidelines for Organizations (FSGO) don't expressly require companies to have compliance programs to combat fraud and misconduct, the SEC considers them a mitigating circumstance that can substantially reduce possible fines and penalties. Prosecutors also might not press a case against a company if it has an effective compliance program. Companies are comparing their programs against FSGO guidelines on effective compliance programs.


Protecting your corporate interests is inextricably linked to your corporate compliance. In this continually evolving regulatory landscape, employees must know what's expected of them individually and corporately. Whistleblower programs must provide secure means of communicating information internally with assurances that the employees' careers won't be harmed. Employees who have legitimate grounds to report misdeeds and are loyal to their employers can report internally with the assurance that their companies will take the matters seriously and respond appropriately.

Richard H. Girgenti, CFE, is a principal and leader of the Forensic Service Line for KPMG LLP, the U.S. audit, tax and advisory firm. Based in New York, he is a coauthor of Managing The Risk of Fraud and Misconduct, Meeting the Challenges of a Global Regulated and Digital Environment, a comprehensive book to help C-level executives, directors and others understand these types of illegal activities.

Meghan V. Meehan, CAMS, is a manager in KPMG's Financial Services Regulatory Center of Excellence.

The views and opinions are those of the authors and don't necessarily represent the views and opinions of KPMG LLP.
