Fraud Magazine recently spoke with veteran CFEs Ján Lalka in the Czech Republic, Jonathan T. Marks in the U.S., and Sean McAuley in Scotland about how fraud examiners can help organizations develop secure, workable whistleblowing programs. This article explains why they're essential and, in some cases, a matter of life and death.
"Rat" and "snitch" are among the terms
Thesaurus.com offers as synonyms for "whistleblower." The other 13 are just as negative; not even one is neutral, much less positive. It's the kind of uniform disapproval you'd expect in synonyms for "villain." And these aren't just words in a book; they're manifestations of beliefs that incite and legitimize retaliation for perceived breaches of trust.
So, when someone in a position of authority characterizes whistleblowing as treachery, it unleashes powerful forces that coerce all but the most determined individuals into silence. Blowing the whistle truthfully is no defense when you're marked as a traitor. Those brave enough to speak out sometimes pay for it with their lives.
Witness the fate of Daphne Caruana Galizia, the Maltese investigative journalist assassinated by an unidentified car-bomber. (See
Malta Car Bomb Kills Panama Papers Journalist by Juliette Garside, The Guardian, Oct. 16, 2017.) "The situation is desperate,"
Caruana Galizia wrote on "Running Commentary," her anti-corruption blog, an hour before being blown to bits.
Only four months earlier,
Facebook had closed the user account of Malta's national trade union chief for inciting his followers to demand that critics of the government be stoned in public. The same official serves as an advisor to the prime minister's cabinet. For years, whistleblowers in Malta — who had no other way to expose fraud — told Caruana Galizia about foreign and domestic politicians, executives and organized criminals engaging in bribery, tax evasion and money laundering, which she then reported in her blog.
According to a Nov. 25, 2017, article by Tom Kingston in The Times of London, a whistleblowing private banker in Malta had leaked to Caruana Galizia information about a secret Panamanian bank account through which the prime minister received bribes from foreign rulers.
In 2015, 11 million documents, leaked from Panamanian law firm Mossack Fonsecca, described 200,000 shell companies the firm formed to hide the wealth of powerful figures from around the world. Among those holding such accounts were Malta's energy minister and the prime minister's chief of staff, both of whom claimed their deposits were legitimate and unrelated to their boss. Nevertheless, the possibility that the various Maltese accounts were illicitly connected was a red flag too bright to leave unexamined. So, Caruana Galizia reported the whistleblower's allegation on her blog, and the prime minister threatened to sue for libel. But before any legal action could materialize, Caruana Galizia was murdered and the whistleblower fled to England, where she told The Times, "If I go back to Malta now, I will not be alive for very long."
Some might consider Malta — a member of the European Union since 2004 — as an outlier in a supranational group widely regarded as the world's most progressive governmental entity. But the power elite in other EU nations also threaten the press and the whistleblowers it gives voice to. Take, for example, Miloš Zeman, president of the Czech Republic, which along with neighboring Slovakia joined the EU when Malta did. Speaking at a press briefing in Prague four days after Caruana Galizia's murder, he smilingly brandished an imitation assault rifle. On its stock were inscribed the Czech words for "At journalists." (See
Czech president waves mock rifle 'at journalists' during news conference, by Rick Noack, The Washington Post, Oct. 23, 2017.)
The Post also reported that Zeman had told Russian President Vladimir Putin that there was a "need to liquidate journalists," although he later backtracked his comment after his critics pointed to accusations that the Russian government could be behind reporters' murders. Regardless, such incitements — despite their occasional joking tone — understandably inhibit the press and whistleblowers. That, of course, is their purpose.
Corruption in Central Europe
"Whistleblowing meant reporting anyone who criticized the government." — Ján Lalka, CFE, founder and managing director, Surveilligence
"People in government here have great power," says Ján Lalka, CFE, founder and managing director of Surveilligence, a financial crime investigative agency with offices in Prague, Czech Republic and Bratislava, Slovakia. With 14 years of fraud-fighting experience in the region, Lalka understands corruption there as only a native can. "Everyone sees a lot of dishonesty at the top, but they don't know who'd be better," he says. "In Slovakia, things would improve if we had independent media, police who have permission and the ability to investigate serious fraud, unbiased prosecutors and judges who aren't corrupt — but major scandals indicate that we don't. It strongly discourages whistleblowing."
The EU exerts pressure on member states that violate its
Charter of Fundamental Rights, which guarantees dignity, freedom, equality, solidarity, citizens' rights and justice. Unfortunately, the EU has little prosecutorial power over its sovereign nations (See the
"Background" section.) And that makes it hard to reduce corruption where the government commits or permits it.
Some nations fare better
Elsewhere, countries with a longer history of democracy encourage whistleblowers to come forward. Businesses that neglect signs of fraud usually pay the price when it comes to light. Excuses generally don't protect them from fines or even prosecution. So, not being hostile to whistleblowers isn't enough; businesses must actively support them. That means giving employees, suppliers and others good reason to believe that trustworthy company officials will maintain whistleblowers' confidentiality, promptly investigate their reports and take action as necessary, including notifying law enforcement where appropriate.
"Transparency and swift response are key elements in an effective whistleblowing program." — Jonathan T. Marks, CFE, CPA, partner and leader of regulatory investigations and compliance, Marcum LLP
"Transparency and swift response are key elements in an effective whistleblowing program," says Jonathan T. Marks, CFE, CPA, partner and leader of regulatory investigations and compliance practice at Marcum LLP, a global public accounting and advisory services firm with headquarters in New York.
With more than three decades of experience investigating corruption and other fraud, Marks took particular note of the
2015 directive then-U.S. Deputy Attorney General Sally Yates issued to U.S. attorneys on investigating corporate misconduct.
"Known simply as 'the Yates memo,' " Marks says, "it instructed federal attorneys to prosecute individual executives who knew or should have known of wrongdoing but failed to disclose all relevant facts to the government, regardless of whom they implicate."
Yates wrote, "To be eligible for any cooperation credit, corporations must provide to the Department [of Justice] [DOJ] all relevant facts about the individuals involved in corporate misconduct. … Companies cannot pick and choose which facts to disclose. … If a company seeking cooperation credit declines to learn of such facts or to provide the Department with complete factual information about individual wrongdoers, its cooperation will not be considered a mitigating factor pursuant to USAM 9-28.700 et seq." [The U.S. Attorney's Manual specifies the criteria DOJ uses to measure a company's cooperation for consideration in sentencing and the levying of fines
(Principles of Federal Prosecution of Business Organizations, section 9-28.700, The Value of Cooperation).]
Also, provisions in the
Dodd-Frank Act (pages 5ff) and the
Sarbanes-Oxley Act (section 1107) prohibit organizations from retaliating against whistleblowers or employees whose duties relate to whistleblower support. Yet, as this issue of Fraud Magazine went to press, the U.S. Supreme Court was about to render its verdict in Digital Realty Trust, Inc. v. Somers, whose outcome might narrow certain whistleblowers' protection from employer retaliation. At issue is whether Dodd-Frank applies to persons who've reported fraud other than to the Securities and Exchange Commission (SEC). The court's verdict won't affect whistleblowers who file their complaints directly with the SEC.
"Companies that ignore these laws do so at their peril," Marks says. But many CFEs wonder how they can persuade senior management to carefully share information upon discovery of a major internal fraud. Marks points to the Yates memo. "The SEC will more likely than not come after managers who knew of bad behavior and didn't do everything possible to investigate and end it. You can't fight fraud by hiding it or directing it away from the board and external auditors. Instead of trying to cover up, management should seek more information."
One source stands out, and CFEs should frequently call management's attention to it. Year after year,
tips provide the most leads on undetected fraud. So, why do some companies with whistleblower programs still get blindsided by fraud? Because their systems look fine on paper but fail to measure up in actual practice.
"Tips come in many forms — emails, calls to hotlines or customer service, notes under doors, conversations with managers and so on," Marks explains. "More than a few organizations don't formally capture them all. A case management system that doesn't record every allegation and investigation is incomplete. When tips die on the vine deep within a company, it can't fully understand its own fraud profile or deal with it effectively."
Of course, there's no point in amassing historical information if you don't use it. "Companies should continually comb their case management systems for yellow and red flags that, taken collectively, could point to signs of recurring fraud," Marks adds. "And when a whistleblower leaves any kind of identifying information, examine that person's reporting history, if any, without compromising the source's confidentiality. That history might offer clues to the source's credibility."
According to the ACFE's 2016
Report to the Nations , employees (51.5 percent), customers (17.6 percent) and vendors (9.9 percent) were the biggest groups among identified sources of tips (p. 26). Information of this nature helps companies ensure that their whistleblowing programs meet the needs not only of employees, but also of customers, vendors and others who might provide valuable anti-fraud intelligence.
"You can't just tick the box and say, 'Whistleblower program done!' I'm sorry, but that doesn't work." — Sean McAuley, CFE, senior fraud manager, Anderson, Anderson & Brown LLP (AAB)
Operational competence alone won't carry the day, though; strong stewardship is also essential. "Some managers think setting up a whistleblower program is a finite task," says Sean McAuley, CFE, senior fraud manager at Anderson, Anderson & Brown LLP (AAB), a global chartered accountancy and professional services firm headquartered in Aberdeen, Scotland, capital of the North Sea oil and gas industry. "Absolutely not; it's an ongoing responsibility. You can't just tick the box and say, 'Whistleblower program done!' I'm sorry, but that doesn't work."
McAuley, with 25 years of fraud-fighting experience, leads the AAB team providing external whistleblower support to companies across the globe. "People who report fraud have guts, but they're not stupid or reckless," he says. "A whistleblowing program will never be effective if it doesn't inspire their trust and confidence."
The best way to get it, he adds, is to staff the telephone hotlines and websites with experienced anti-fraud professionals who understand the technical nuances and importance of what whistleblowers have to say and how much they risk by speaking out. It also means the organization immediately acknowledges receipt of their reports, keeps confidential the details they've revealed about their identity, and ensures it will promptly look into the issues they've raised. "CFEs should help organizations get these fundamentals right," McAuley says. "If they don't, their whistleblower programs will fail."
Be quick; be astute
One of the greatest challenges in managing a whistleblower program is prioritizing the tips it receives. "Companies shouldn't let low-priority reports consume resources they ought to devote to critical tips," Marks advises. "Besides delaying the investigation of serious fraud, it exposes them to regulatory censure."
Marks recommends that CFEs advise their clients to classify and prioritize tips into five categories — from the least dangerous threats, level one, to the most dangerous, level five. (See
Allegation triage stages.) "This speeds up and improves the organization's response," he adds. "Say a tipster alleges the CFO is manipulating revenue. Many companies' corporate structure is complex, especially if they operate in multiple jurisdictions. You've got to identify sources of relevant information, gather and analyze it, then investigate. That takes time, sometimes a lot. You might interview some sources a second — even third — time to get the whole truth."
"CFEs also should impress upon their clients the importance of sharing information and seeking the active involvement of groups — for example, HR, internal audit, compliance, legal, IT — within whose purview each allegation of wrongdoing falls," Marks says.
Internal staff can satisfactorily investigate allegations assigned to triage levels one, two and three. But allegations involving legal matters, financial statements or senior managers should be assigned to triage levels four or five because of their potentially catastrophic effect on the organization. Because regulators sometimes question the independence and professional skepticism of internal investigations in such cases, CFEs should strongly recommend engaging outside investigators to perform them.
Sometimes, the discovery of additional information reveals an allegation is more serious than originally thought. "Then raise the triage level and bring in additional groups and skills," Marks says. "And always follow established protocol, no matter what. Your clients must never defer or shut down an investigation before it's complete."
Other ways to find the truth
Marks calls CFEs' attention to a current SEC investigation into retaliation against corporate whistleblowers. Former PepsiCo General Counsel Maura Smith told the commission in 2017 that the company fired her in 2012 in retaliation for the way she handled an internal probe into Foreign Corrupt Practices Act violations by a PepsiCo subsidiary in Russia. (See
SEC Probes Departure of PepsiCo's Former Top Lawyer, by Andrew Ackerman, Joe Palazzolo and Jennifer Maloney, Sept. 27, 2017.) But
PepsiCo said it hadn't engaged in any retaliatory conduct.
Smith left the company after signing a non-disclosure agreement and receiving a $6 million separation package. And, thus, the situation remained ... until 2017, when the SEC began an investigation into whether U.S. corporations were using employment contracts to discourage employees from reporting wrongdoing. As part of that probe, the agency subpoenaed Smith, who then shared the previously untold side of her story.
Marks says that when a successful senior executive suddenly leaves her coveted position to "pursue other opportunities," CFEs should look for red flags that might lie behind that bland assertion. He notes that ACFE Research Director Andi McNeal, CFE, CPA, in an ACFE Insights blog post, "Exit Interviews: An Overlooked Tool in the Anti-Fraud Toolbox," wrote that "[... few organizations] use these interviews as a formal element of their anti-fraud programs, leaving them vulnerable to missing candid and crucial information about ethical issues and blind spots, and even the warning signs of potential or existing fraud." McNeal also identified several key questions to pose during exit interviews. (See ACFE Insights,
Exit Interview: An Overlooked Tool in the Anti-Fraud Toolbox.)
La Valletta, Malta - November 2, 2017: Flowers and candles for the murdered journalist Daphne Caruana Galizia at La Valletta on Malta. Photo by Stefan Ember.
Past but not forgotten
In some nations — including several in the EU — whistleblowers have no government support, suffer reprisals and don't even have public opinion on their side. "Oligarchs own all the major media in the Czech Republic and Slovakia, so the people don't have access to reliable information," Lalka says.
In the nearly three decades since the former Czechoslovakia's so-called Velvet Revolution and eventual break-up into two independent nations, Czechs and Slovaks have lived under nominal democracy, colored by the lingering spirit of the communist regime's secret police.
"Under them, whistleblowing meant reporting anyone who criticized the government," Lalka recalls. Stubborn remnants of that negative connotation persist to this day, as shown in Transparency International's (TI) report,
People and Corruption: Europe and Central Asia (page 28), which notes that in only six EU member states "did a substantial majority of respondents say that [whistleblowing] is socially acceptable: Portugal, Germany, Italy, the UK, Sweden and France. … There is a large difference in results between EU members who joined before 2004 and those who joined in 2004 or later [including Malta, the Czech Republic and Slovakia]. In the older member states, 58 per cent of citizens feel it is socially acceptable, but this falls to just 31 per cent among the newer members."
Further inhibiting any would-be whistleblowers is the widespread corruption in government and industry. "People rightfully fear they'd expose themselves to retaliation and accomplish nothing," Lalka says. "The fraud would continue." TI concurs. Its "People and Corruption" report states (page 23) that "… the most common reason people don't report corruption is that they are afraid of the consequences (30 per cent). … The second most common reason is that corruption is difficult to prove (14 per cent). … A further one in eight think that the main reason people don't report is that nothing would be done or it wouldn't make a difference."
"The EU pushes us to have anti-corruption laws, so the government of Slovakia dutifully passed one that required companies to implement whistleblowing systems," Lalka says. " 'Look at our new law,' Slovak officials told EU representatives from Brussels. 'Be happy.' But there was nothing to be happy about."
When the law was first proposed in 2014, Lalka and his colleagues weighed in during the public comment period. "As a legal document, the law was fine, but there was no guidance on how to implement it," he says. Nor did the state promote the law in any way. The law contains no case studies, no explanation of the benefits whistleblowing systems would produce, no indication of what functionality these systems should offer and no information on how to determine whether the systems were effective.
"So, organizations just went through the motions, hiring lawyers to write up formal plans for the systems," Lalka says. Companies set up dedicated email accounts and phone lines to receive tips, held a few seminars and paid no further attention to the law. "As a result, people here still don't think it's safe to blow the whistle," he says. Research confirms the effect of this widespread fear. According to the
above TI study, 25 of Slovakia's 29 national ministries said they'd
received no allegations of misconduct in the first 18 months after the law took effect in 2015.
The region's pervasive corruption also endangers CFEs and other independent investigators. "If you criticize powerful fraudsters, they'll discredit you in the media, sue you for slander and sometimes even resort to violence," Lalka says. Nevertheless, he presses on, investigating corruption however it comes to his attention. With fraud running rampant, companies and whistleblowers both seek his help.
Lack of faith
In one case, the head of internal audit at the Slovak subsidiary of a large Western European auto manufacturer contacted Lalka for help. Instead of a modern whistleblowing system, his company had a specially designated postal box for anonymously submitting written tips about wrongdoing. One such report got the audit chief's attention: A trusted purchasing manager allegedly was collecting huge kickbacks from a key supplier of the company's auto parts. Unfortunately, neither the chief nor his staff had the forensic skills necessary to conduct an effective investigation.
"Unlike CFEs," Lalka says, "[the internal auditors] aren't trained to think like thieves and spot fraud. It would be difficult for them to detect the scheme by their standard auditing procedures if the whistleblower hadn't alerted them to it." But Lalka and his firm knew exactly what to do. In addition to other investigation activities, they examined the bid histories of the previous few years for the contract and found that the purchasing manager had repeatedly — on obscure technical grounds — disqualified the bids of all contractors except the one to whom he awarded the contracts.
"As soon as his favored contractor won each contract, the unit price rose a little bit," Lalka recalls. "This was costing the company hundreds of thousands of euros a year." Because the volume was high, and the company never looked at the big picture, the fraudulent price hike went undetected. But was there proof of fraudulent intent?
To find out, Lalka and his team moved to the next stage of their investigation. First, they performed a "link analysis" with
Tovek Tools, which is analytics software compatible with
IBM's i2 Analyst Notebook.
Lalka and his team used Tovek Tools to arrange data they'd gathered on individuals and organizations of interest and exposed previously hidden relationships and conflicts of interest. "We checked not only the suspect, but others from the company that might have been in on the scheme," Lalka says. "The only relevant links we found, however, were between the suspect and the supplier, who lived near each other, and with other people they both knew from their neighborhood," he adds. (See "Sample entity relationship diagram" below.)
But that still wasn't enough to prove intent. "So, we hit the street and discreetly questioned [the suspect's and supplier's] neighbors about their lifestyles, activities and reputations," Lalka says. "We also asked about their personal relationship, if any, and that's where we hit something significant: They'd been friends since elementary school."
Lalka reported his findings to the head of internal audit and was disappointed but not surprised that the company decided to close the case. "They wrote off the losses and didn't report the case to the police because they doubted Slovak law enforcement could handle the complicated fraud and recover the stolen funds. And they didn't fire the purchasing manager because they feared the company's reputation would suffer if his costly fraud was revealed," Lalka says. "They just wanted to stop the scheme and were under no illusion that the authorities would administer justice."
In Lalka's experience, results like this aren't unusual. In fact, the same thing happened in another of his cases. An anonymous tipster wrote directly to Lalka about a kickback scheme at a large retailer. Lalka suspects that because he writes articles and speaks publicly about fraud, he was known to the would-be whistleblower, who thought Lalka could help. So, he contacted the company, and was impressed when its CEO and corporate security chief came to his office. "They definitely were disturbed about the alleged scheme, which they knew could be inflicting heavy losses on their employer," Lalka recalls. "But, like the auto manufacturer, they didn't report the case to the police, and chose to deal with it internally." The common factor in these and so many other cases he sees, Lalka says, is lack of faith in the authorities' ability or willingness to fight fraud. But he hasn't lost faith.
Lalka believes the solution is for CFEs to keep on working together to defeat fraud. "We benefit from the guidance and good example of our colleagues in Western nations," he says. "CFEs here have greater visibility and prestige than when I earned my credential in 2006. These days, companies seeking forensic services insist that bidders have CFEs on their teams."
Tragedy in Scotland
Aberdeen has long been capital of the North Sea oil and gas industry. McAuley clearly remembers its perhaps darkest day, July 6, 1988, when Piper Alpha, an offshore oil and gas drilling platform,
exploded and collapsed, killing 167 workers. "Piper was situated 120 miles from here," he recalls. "It was a heavy blow to Aberdeen, home to most of the dead and injured. Unsafe production practices caused the blast. Management had known of but not ended them."
A government-sponsored investigation found that "workers did not want to put their continued employment in jeopardy through raising a safety issue that might embarrass management." [See
The public inquiry into the Piper Alpha disaster (Cm 1310), by William Douglas Cullen, Lord Cullen of Whitekirk.]
"Piper Alpha is a reminder of the importance of transparency," McAuley says. "Whistleblowers can help if they're allowed to speak and are heeded."
Absolutely usually
"It's easy for a company to say it won't tolerate any fraud at all," McAuley says. "But its commitment to zero tolerance will be tested when a tipster levels a fraud charge against its CEO or a senior director."
McAuley recalls speaking, at a client site, to an executive about improving his whistleblowing program. "I'm all for it, but let's not go too far," the exec said. "I don't want to be putting out a lot of fires." McAuley quickly informed him that undetected risks are usually more dangerous than known ones and explained that a good whistleblowing program would help prevent "fires."
He urges CFEs to help their clients understand and comply with whistleblowing legislation in their jurisdictions. "The penalties can be severe for not preventing bribery and other crimes," he says. (See
Major Whistleblowing Laws.)
In the UK, under the Bribery Act 2010, a commercial organization is guilty of an offense if someone associated with it engages in bribery to get or keep business or a business advantage — unless the organization can show it implemented adequate procedures, such as a whistleblowing program, to prevent bribery.
"This law is one reason why in the last couple of years, we've seen a 200 percent-plus increase in the number of organizations engaging us," McAuley says.
Establishing trust
McAuley's firm, AAB, offers the external whistleblower service, "SeeHearSpeakUp." "We receive whistleblower reports on behalf of our clients and prepare them for investigation, which they usually prefer to handle themselves," he says. But the firm also has experienced fraud investigators and former police officers fully qualified to examine allegations of wrongdoing, if a client requests it. "Most callers to our service tell us they're far more comfortable contacting an external whistleblowing service than speaking directly to their own management," McAuley says. "That's important to them."
He adds that the vast majority who contact his firm fear reprisals and want to remain anonymous. "We thank them for having the courage to come forward," he says, "and assure them that whatever identification — if any — they provide will remain confidential, unless law enforcement requires us to share it with them."
"As part of our service, we also keep whistleblowers informed about the status of the matters they report. Public-sector organizations are much more likely than those in the private sector to share investigation outcomes with us," McAuley says. "Sharing that information assures whistleblowers that their concerns are taken seriously and investigated. Not sharing it undermines transparency and discourages whistleblowers from using the system again."
How the system works
McAuley and his firm devised a simple method by which whistleblowers can provide information confidentially and his firm can communicate with them without knowing their identity. "If they initially contact us by phone, our call handlers will give them a unique personal ID number," he says. "If the initial contact is online, our system will assign the personal ID number. That number enables callers to our telephone lines to come back and check the status of whatever they reported or to provide more information about their concerns."
"Our web reporting facility offers our clients an alternative reporting method," McAuley adds. "We grant each of our clients an individual account on it, which they access with a username and password that everyone in their organization shares."
For example, one of the firm's clients has 41,000 employees in 100 locations around the globe. Any of those employees who wanted to make a report would use the same client username and password to log on to the system. But because they each would receive a unique personal ID number, the system easily can distinguish between them and keep their reports confidential and separate. When an employee submits a report, the information is added to the client's case management system, which immediately notifies specially designated contacts at each client site.
These individuals, known as "authorized receivers of information," are senior managers in corporate divisions best prepared to deal with the most common forms of fraud. "As part of our service, we insist that our clients assign at least three or four senior managers to this role," McAuley says.
When someone makes an allegation, all authorized receivers of information simultaneously receive an email notifying them of it. And when authorized receivers of information log in, they gain full access to that whistleblower report.
"Of course, there's a small possibility that an allegation might be about an authorized receiver of information," McAuley says. "In the unlikely event that this were to occur, only the other authorized receivers of information would be notified and have access to the relevant information."
None of this will work if employees don't know how to make reports through the whistleblowing service. McAuley's firm offers online training so that its clients can immediately introduce the system to all new hires. "We also recommend that all employees periodically take refresher training," he says. "Everyone should know how to report fraud promptly, confidentially and reliably."
Keep it in the family
CFEs should ensure their employers and clients understand what can happen when a determined whistleblower becomes frustrated by perceived or actual deficiencies in their employer's whistleblowing program. Some will contact the government, which in certain countries, such as the U.S. and the U.K., offers considerable rewards for information leading to successful prosecution of unreported fraud. The SEC says its whistleblower program has now
awarded more than $175 million to 49 whistleblowers since issuing its first award in 2012.
While other nations' law enforcement and judiciary might be less strict or even corrupt, international media are eager to expose corruption anywhere. So, some frustrated whistleblowers use secure apps and other tools that expose fraud while safeguarding confidentiality and their identity.
The
International Consortium of Investigative Journalists (ICIJ), a global network of newspaper, magazine and online reporters that helped expose the infamous Panama Papers and Paradise Papers,
highlights eight such tools on the "Leak to us" page of its website:
-
SecureDrop, an open-source whistleblower submission system supported by the Freedom of the Press Foundation.
- Encrypted email.
-
Signal, a free, open-source, end-to-end encrypted messaging app.
-
WhatsApp, which enforces end-to-end encryption on messages.
-
Wire, a free, open-source app that offers end-to-end encrypted chats, calls and files.
-
Peerio, another free, open-source, end-to end encrypted messaging app.
-
Keybase, a free, open-source security app for mobile phones and desktop computers.
- Postal mail. As the ICIJ says, ultimately, no electronic form of communication is entirely secure. Sometimes the safest way is still snail mail.
Organizations shouldn't perceive these tools as threats to their security but should fully support them and the whistleblowers who use them so they can gain valuable information and avoid fines and prosecution plus minimize reputational damage.
Not all about the Benjamins
The winds of change might bear good news for whistleblowers. According to researchers, the next generation of business leaders has a strong social conscience. The New York Times reports that "[i]n recent years, students have said ethical issues, not finances, are a business's most important responsibility." (See
Business Schools Now Teaching #MeToo, N.F.L. Protests and Trump, by David Gelles and Claire Cain Miller, Dec. 25, 2017.) "Bad behavior by big companies has thrust ethics back into the news, from Wells Fargo's creation of fake accounts to sexual harassment at Fox News to the litany of improprieties at Uber," according to the article.
The
article's authors cited a 2016 survey of business school students from around the world, conducted by the United Nations and the Macquarie University Graduate School of Management in Sydney, Australia. Half of the respondents said they'd accept 20 percent less in compensation to work for a company that "cares about employees," and two-thirds disagreed with the statement, "The most important concern for a firm is profit, even if it means bending or breaking the rules." Clearly, one-third is in danger of continuing today's worst management practices. But the clear majority favors ethical leadership that benefits all stakeholders.
Such thinking, if it spreads, could restore the once-positive connotations of "tone at the top," which would be an improvement over its current, all-too-frequent negative presence in catastrophic business cases. And that would be good news for many — especially whistleblowers and all who benefit from the risks they take to uncover fraud.
At the ready
Whistleblowers and many others anxiously await the U.S. Supreme Court's verdict in Digital Realty Trust, Inc. v. Somers. The outcome — expected soon — could make things riskier in America for some individuals thinking about exposing fraud. Of course, whistleblowers all around the world face great challenges. But in every jurisdiction, CFEs gather at conferences, chapter meetings and online to exchange insights and identify the best anti-fraud methods. Urging clients to fully support whistleblowing is one.
Former heavyweight champion Mike Tyson once said that "[e]verybody has a plan until they get punched in the mouth." If your clients' whistleblower programs are weak, help beef them up. We always aim to stop organizations from getting blindsided by fraud. Let's help them bring more allies into the fray.
Robert Tie, CFE, is a contributing writer at Fraud Magazine. His email address is: robertxtie@gmail.com.
In the May/June issue: Jonathan T. Marks, CFE, CPA, further shares his expertise in his article on whistleblowers' dilemma in trusting compliance mechanisms.