Online Exclusive

Fighting internal fraud with anonymous whistleblower hotlines

As the ACFE’s Occupational Fraud 2024: A Report to the Nations shows, tips from employees are the most common method of fraud detection in organizations. But to encourage employees to report wrongdoing, they must feel safe doing so, and protecting their anonymity is essential to that end. Here, the author discusses how organizations can best implement anonymous fraud reporting hotlines that encourage people to report wrongdoing and help them detect frauds faster and recover more losses.



When the city of Hamilton in Ontario, Canada, first enacted its whistleblower bylaw in 2009, city leaders soon discovered that it wasn’t effectively uncovering wrongdoing in municipal government. The city council had originally passed the bylaw to encourage city employees and citizens alike to report instances of fraud and other abuses they’d witnessed, but in the years since it had gone into effect, few people were reporting anything. City leaders decided that they needed to shift their strategy to encourage whistleblowing and contacted my organization, an ethics reporting and case management provider, for help.

As we reviewed Hamilton’s whistleblower bylaw, we realized that it had an anti-retaliation policy without an anonymous-reporting tool to shield the identities of tipsters should they report wrongdoing — a best practice that can encourage people to come forward and report instances of fraud and abuse. (See “Creating a No-Tolerance Approach to Retaliation,” by Cherelle Johannes, Navex, Risk and Compliance Matters, 2022.) The new system that Hamilton decided to implement is a completely anonymous hotline with an anti-retaliation policy to encourage people to come forward and report fraud without fear. City employees and the public can access the new system 24 hours a day, seven days a week by email, telephone, mail and fax. The system is run by the city’s Office of the Auditor General.

It wasn’t long after Hamilton implemented its new whistleblower hotline in 2019 that the auditor’s office saw an influx of reports of various types of wrongdoing. Between January 1, 2019, and June 30, 2020, the city auditor received 99 complaints. Between July 1, 2020, and June 30, 2021, it received 80 reports. The city auditor received 107 tips from city staff and the public between July 2021 and June 2022, and between July 2022 and June 2023, the city had a total of 157 reports — it’s highest volume of reports ever received, according to the city’s 2023 Fraud, Waste, and Whistleblower Semi-Annual Update. (See “Audit reports to committees.”)

Tips to the hotline revealed instances of city employees playing golf with vendors during work hours, vendors buying drinks for city employees’ at an office holiday party, stolen equipment, and failures to disclose conflicts of interest. Because of these tips, the city fired employees, referred cases to the police, and investigated $1.1 million in actual and potential losses while recovering $33,000 in losses since 2019.

(See “Fraud & Waste Hotline,” City of Hamilton Office of the City Auditor; “Tip line reveals Hamilton manager had relatives connected to major projects worth $95M,” by Samantha Beattie, CBC, Feb. 17, 2023; “Golf with vendors, free booze and stolen tools: 5 takeaways from Hamilton’s annual fraud report,” by Dan Taekema, CBC News, Nov. 23, 2021; and “Anonymous tip line leads city to discover $202K lost to fraud and waste,” CBC News, Oct. 20, 2020.)

The city’s Fraud and Waste Hotline demonstrates how an anonymous reporting system can encourage people to come forward to report fraud in the workplace and assist employers in recouping losses to fraud and abuse. Hamilton’s example also showcases how a multifaceted operating system with various reporting mechanisms — web, telephone, mail and fax — can provide comprehensive protection for people who otherwise wouldn’t blow the whistle.

Indeed, Hamilton’s original whistleblower bylaw had the right intention to seek input from employees and citizens, but it lacked the proper mechanisms to be truly effective. The bylaw outlined protections for city employees from job-related retaliation for reporting wrongdoing; however, anti-retaliation policies work best when they’re coupled with anonymous reporting hotlines. (See “Evidence on the Use and Efficacy of Internal Whistleblowing Systems,” by Stephen R.) Now, Hamilton city employees and citizens can report wrongdoing anonymously and confidentially through a toll-free number or online intake form. From there, all reports are reviewed by the city auditor’s office, and any additional communication takes place through an encrypted case management system that protects whistleblower.

Tips can fight occupational fraud

Without Hamilton’s updated anonymous reporting tools in place, many cases of wrongdoing would've flown under the radar, and the city wouldn’t have been able to recover any losses. Occupational fraud, fraud committed by individuals against their employers, is perhaps the most common and costliest form of financial crime, according to the Association of Certified Fraud Examiner’s (ACFE) Occupational Fraud 2024: A Report to the Nations. With an estimated 3.55 billion people in the global workforce, there’s plenty of opportunity and potential for fraud. The main categories of occupational fraud, asset misappropriation, financial statement fraud, and corruption, can cause devastating losses for organizations. Asset misappropriation, which involves an employee stealing or misusing their employer’s resources, caused a median loss of $120,000, in the fraud cases studied in the ACFE’s 2024 Report to the Nations. Financial statement fraud, in which a perpetrator makes a material misstatement or omission in an organization’s financial statements, caused a median loss of $766,000 in the 2024 report. And corruption, which includes bribery, conflicts of interest and extortion, caused a median loss of $150,000 in 2024. (See “First look at Occupational Fraud 2024: A Report to the Nations,” ACFE Staff, Fraud Magazine, March/April 2024 and ACFE.com/RTTN.)

Tips are an important detection method that can blunt the force of occupational fraud. Despite the numerous advances in fraud detection technology, according to the 2024 Report to the Nations, a simple call or email from a concerned employee — or an external party — is still the most common method for uncovering occupational fraud. Fraud detected by tips accounted for 43% of fraud cases studied in the 2024 ACFE report. Over half of those tips (52%) came from employees, and a third came from vendors (11%) and customers (21%). [See “First look at Occupational Fraud 2024: A Report to the Nations.”] According to the report, organizations with hotlines were able to detect fraud much faster and had lower median losses than organizations without hotlines. The duration of a fraud for an organization with an active hotline was 12 months compared to 24 months for those organizations without hotlines. As for median losses, organizations with hotlines experienced a median loss of $100,000 but organizations without hotlines had a median loss of $200,000 in the study. (See ACFE.com/RTTN.)

In fact, Hamilton’s city auditor acknowledged in a media release about its fraud, waste and abuse report, that its hotline not only helps the city deter fraud, waste, and wrongdoing, but it also helps the city strengthen internal controls, mitigate risks, and improve policies and standard operating procedures. (See “Anonymous tip line leads city to discover $202K lost to fraud and waste.”)

When fraudsters are an internal threat, it’s vital that employees and others are empowered to report their concerns. Educating employees about their role in fighting fraud and communicating a designated reporting system that makes it convenient — and safe — for employees and external parties to use make the difference in protecting workplaces from fraud. According to the 2024 Report to the Nations, tips are twice as likely to come from employees who received fraud awareness training as from employees who didn’t receive any training. (See ACFE.com/RTTN.)

Protecting anonymity

Workplaces with a robust speak-up culture in which management encourages open and honest communication with employees can better combat internal fraud. A speak-up culture fosters a sense of mutual accountability; management is honest with employees, and employees act accordingly. (See “Prioritize workplace ethics reporting to reduce enterprise risk,” by Shannon Walker, Security, Nov. 18, 2022.) But even in organizations with a speak-up culture, employees might not feel entirely comfortable coming forward to report misdeeds they’ve witnessed. For many, there’s a stigma attached to whistleblowing, and many fear being labeled troublemakers or fear retaliation from management for speaking out. And, when people don’t feel safe expressing their concerns internally, they might seek external organizations or media to report wrongdoing, which can compound an organization’s problems well beyond the fraud itself. A loss of business and damage to a company’s reputation are just a few of the problems an organization faces when an employee goes to the media first. (See “Navigating the choppy waters of internal whistleblowing,” by Carolyn Conn, Ph.D., CFE, CPA, Stephen M. Kohn and Grace Schepis, Fraud Magazine, November/December 2022.) However, an anonymous reporting tool provides a layer of protection for employees who want to come forward. It’s also essential for organizations to implement a corresponding zero-tolerance policy against retaliation so that employees have nothing to fear when reporting their concerns.

Choose your tools

The right reporting tools allow management to respond effectively to tips so that employees see that their concerns are addressed and the risk of fraud going undetected is minimized. Organizations can implement reporting hotlines either internally or through a third-party provider. In-house hotline providers are often the most cost-effective option for an organization; however, not all organizations have the workforce capability to respond quickly to tips the way a third-party provider can. For example, people might not have the privacy or opportunity to report incidents during their typical work hours; in the case of vendors or clients, some might not even be in the same country or time zone to easily reach an in-house hotline during work hours. A global ethics hotline provider can fill in those gaps for an organization and supply a reporting system that’s available around the clock every day of the year. The “global” distinction is often important for companies that operate worldwide with employees in different time zones. Finding the right provider that is accessible 24 hours a day, seven days a week and all year round and offers services in all the languages that your employees conduct business in is crucial for response times and efficiency. These providers often set up all the necessary tools for an organization to collect reports and track data and supply translation services to handle international calls. Smaller organizations that operate within only one geographical locale might consider working with a local hotline provider with scaled services that are right for their organization.

Third-party operator systems generally work like this: People contact the system by calling a toll-free number and reporting their concerns to an agent. Trained personnel transcribe the calls and compile a report that’s then stored in a case-management system. Generally, there’s a secure case-management system that protects the anonymity and accessibility of the data it stores. Some case management systems go further to protect data and run on redundant infrastructure that prevents the application from being inoperable if there’s a single hardware failure. Data is encrypted once recorded and geo-replicated to a secondary data center so that the data can be recovered after a disaster. (Geo-replicated data refers to data that’s been copied to servers in different locations. Geo-replication is generally used as part of a disaster-recovery plan so that if one data center’s been destroyed during a storm or some other disaster, there’s another data center in another location with the same information, safe and sound. [See “What is geographic replication (aka geo-replication)?” Aerospike.])

It’s a best practice to have strict controls over who has access to the data and the systems. Information should always be encrypted between the client and server to ensure that incoming reports are protected and secured when they’re forwarded to the organization’s designated administrator for review. (See “Global Ethics Hotline,” Whistleblower Security.)

Web-intake form

In the 2024 Report to the Nations, CFEs surveyed for the study reported that web-based reporting tools, such as email and online intake forms, were the most common methods for reporting fraud in their organizations. (See “First look at Occupational Fraud 2024: A Report to the Nations.”) These web-based reporting tools can be used in conjunction with telephone hotlines to provide multiple options for people who might not be comfortable making a report over the phone or who might not have access to the internet.

Like a hotline, you can distribute the web-intake form through a third party not linked to your organization’s computer hardware. Organizations can customize the questionnaire with an option to attach documents or images related to the incident. Once submitted, the reporter receives a unique identification number to access the report’s status. The secure platform ensures that all data is encrypted and that only designated administrators can access reports.

Organizations can maximize the benefits of their reporting tools by training staff on how to use the system and making sure that they understand the policies and procedures that guide the system. When employees are trained in fraud prevention, and the reporting mechanism is unique to the organization, they’re more likely to utilize those tools themselves when necessary. (See ACFE/RTTN.)

Ensuring confidentiality and anonymity

It’s vital to ensure the confidentiality of anyone using the reporting system; however, this can be a tall order for an organization using an in-house reporting system. Providing anonymity is even more complicated for small organizations where close relationships between employees are commonplace. This is where having a comprehensive zero-tolerance anti-retaliation policy is crucial. Best practices for organizations of any size include terminating the employment of anyone who reprimands a co-worker for reporting a concern. No employee, manager or senior executive should be exempt from termination for violating the anti-retaliation policy, including for intimidating, threatening or intercepting a report. When people think of retaliation, they often think only of employment termination, but retaliation can come in many different forms. Marginalization or shunning by co-workers, impromptu negative performance reports and scheduling people to work unfavorable shifts are all types of retaliation that could be considered as part of the policy. (See “Workplace Retaliation: What Are Your Rights?” By Lisa Guerin, J.D., NOLO.)

Moreover, employees, vendors and customers can very well lose confidence in a business when investigations into reported wrongdoing aren’t conducted properly or don’t achieve the desired results. In any case, management must respond to complaints promptly and follow up with thorough investigations. The guidelines for investigations should be laid out in a comprehensive policy that prioritizes the safety of whistleblowers and those who investigate the cases. Having detailed notes that are checked for accuracy is crucial for starting a thorough investigation. In organizations with in-house systems, a designated administrator should be responsible for auditing the notes and information provided by the whistleblower. When using a third-party reporting tool, this information can be audited externally and given to the designated administrator, human-resource representative or executive responsible for carrying out the investigation for the organization. The process varies from organization to organization — a large company might have a larger body of administrators responsible for overseeing whistleblower reports than a small company would. It’s best practice for an impartial and independent party to conduct the investigation so that evidence is collected objectively. The investigator should meet with the whistleblower and accused parties, and all parties should be assured that the case will be kept confidential, and everyone will be protected from retaliation. Large-scale organizations may have a full-time investigator independent of the company to remain unbiased. Not all organizations can afford an independent investigator, while others may appoint their human resource team who already deals with employee-related concerns. Of course, when an organization detects fraud, it should consider consulting with local law enforcement.

When using a third-party system, the reporter can be contacted through the case management system, helping eliminate the need to gather contact information that could reveal their identity. This system may direct the reporter to provide more information, including some identifying information, for the case to move forward. It’s dependent on the nature of reports and the scale of the business. This is where the anti-retaliation policy comes in to protect reporters who cooperate in providing more information so that the investigation can proceed. These company policies also protect the report's subject as employees who aren’t involved in the incident shouldn’t know that one of their co-workers is the subject of an investigation. As a case progresses, especially if law enforcement gets involved, anonymity may no longer be guaranteed or feasible.

After the conclusion of an investigation, management should take time to assess and evaluate the process to determine what aspects of the investigation were successful and what ones weren’t. It’s important to assess the reporting process to make continual, needed improvements. Soliciting feedback from reporters can be especially helpful in tailoring best practices to your organization’s reporting requirements. A good strategy for getting feedback from reporters is through direct and specific questions as you seek to close the loop on the case.

For anonymous reporting mechanisms to be used effectively, management must advertise the reporting tool to all employees and stakeholders and provide instructions and training on using the tools. Employees should know how to access the anonymous reporting tools and what types of incidents are worthy of reporting. Methods of communicating to employees include training groups and one-on-one meetings to discuss the reporting system so that all employees are properly informed of the organization’s reporting procedures and how to use them effectively.

Whistleblower hotline training for employees

The following are best practices for providing whistleblower training for employees:

  • Synthesize policy documentation into easy-to-read and accessible files for employees to reference.
  • Provide examples in the documentation of the types of wrongdoing specific to your industry (i.e., employees of an accounting firm would get examples of falsified records).
  • Hold a company-wide training session to brief all employees on how to report using web-intake forms and hotlines (if both are being implemented) and provide an example of the communication they’d receive after submitting a report.
  • If enlisting a third-party provider, give employees information about how the software keeps their information safe and secure.
  • Have managers follow up with their direct reports to ensure that they’re comfortable and confident in their ability to use the tools if necessary.
  • Encourage a speak-up culture in your organization and remind employees they won’t face retaliation for reporting wrongdoing.

Example web-intake form

Location:

Department of Case:

Level of anonymity (Select One):

  • Strictly anonymous
  • Anonymous from your organization
  • Contact information provided

When it happened.

  • Ongoing case? Select yes or no.
  • Has the case been reported to a supervisor in the past? Yes or no.
  • Date of occurrence?
  • Are you an employee of the organization? (This question is often used in public service organizations where members of the public might also report.)

From the list below, select the issue(s) you are reporting:

  • Bribery
  • Conflict of interest
  • Contractor/vendor wrongdoing
  • Criminal activity
  • Customer service
  • Financial reporting and accounting
  • Fraud and embezzlement
  • Harassment and/or discrimination
  • Information security
  • Misconduct/code of conduct
  • Misuse of assets/asset security
  • Privacy
  • Public safety
  • Suggestions for improvement
  • Violence and/or abuse
  • Vision and values
  • Workplace health and safety
  • Other:

Describe the case:

List all individuals involved:

Has this case been referred to anyone outside of the organization, such as police, media or a government agency?

Please provide additional comments here:

Dropbox to attach files:

Confirm submission and create password to access the case management system:

Empower employees to report fraud

Internal mechanisms for anonymous reporting can greatly reduce the risks that occupational fraud poses to organizations. Whether you implement reporting tools internally or outsource to a third party, ensure that you’re providing your employees with the necessary training and detailed policies that will empower them to confidently report their concerns and know that they’re safe doing so. An organization with employees who feel safe to speak up and know that their anonymity is protected without the threat of retaliation is an organization better equipped to detect fraud sooner and recover its losses.

Shannon Walker is the president of WhistleBlower Security, a Canadian-based ethics reporting and case management provider. Contact her at info@whistleblowersecurity.com.