In a 2024 report, the Association of Certified Fraud Examiners (ACFE) published the 13th volume in an ongoing series of studies the organization describes as “the largest and most comprehensive study ever conducted on the costs and effects of occupational fraud.” The report, entitled Occupational Fraud 2024: A Report to the Nations, concludes that “occupational fraud is very likely the largest and most costly form of financial crime in the world.” And with estimated annual costs that run into the trillions of dollars, that’s not an overstatement.
There is a long and growing list of organizations around the world suffering significant damage from fraud-related losses. No industry is immune to fraud, but manufacturing, financial institutions (both traditional banking and fintech companies), healthcare, and government and public administration are especially prone to fraud. Even more concerningly, those numbers are headed in the wrong direction. Financial fraud is becoming more common — and more costly — with each passing year.
With fraud on the rise and the stakes higher than ever, brands and businesses need to be both proactive and responsive when it comes to whistleblowers — a group responsible for a remarkable 43% of all fraud detection. Understanding the best practices for creating and managing whistleblower reporting systems — and for conducting appropriate investigative follow-up — is something every executive who values their bottom line should be prioritizing.
Platforms and partnership
Making sure that you capture that critical 43% of whistleblower tips starts by building a reporting system where whistleblowers feel comfortable sharing their concerns. Many smaller and mid-level organizations may not have a reporting system in place. For larger companies and those that do have a whistleblower tip line or email contact, the first and most important step is collaborating with a trusted security partner to make sure your information-gathering infrastructure is up to the task. In today’s digital age, hotlines and phone calls aren’t enough — there needs to be some kind of email or digital reporting framework in place.
A trusted and experienced security partner can help build that framework or assess and improve an existing system, identifying any gaps or shortcomings that may exist. The right partner should also be able to advise on a response process to effectively screen, manage, and respond to tips when they come in.
That third-party objectivity is important. Too many organizations rely solely on internal teams with little or no investigative training to follow up on tips that might involve coworkers — or superiors. It’s a recipe for disaster. An outside security team’s only interest is determining what did and did not happen.
Common issues and liabilities
In one recent case, a company that came looking for whistleblower support had several thousand employees with access to their existing reporting system, which garnered just one report in the last calendar year. To a security expert, that’s a red flag that immediately suggests a cultural problem — likely either a lack of awareness or a lack of comfort with and trust in the system.
Of course, some organizations don’t even have a formal process or platform in place. Others have a system, but no effective mechanism for follow-up or investigative support. Some organizations even need an education in whistleblower rights, making sure they don’t expose themselves to legal liability by punishing whistleblowers who provide bad information.
Taking action
Once a complaint, concern, or allegation is received, the role of an expert security partner is to contextualize, assess, and evaluate the potential validity of the information. Who are the subjects? What is the nature of the irregular activity that is being reported, what is the jurisdiction where this is taking place, and how might that information impact the scope and type of investigation that might need to take place?
That review process can be supplemented by open-source databases, discrete field work, public records research, and sourced inquiries. A security team can create a profile on the subjects and institutions that may be involved, and they can begin identifying any relevant connections between employees, clients, and external vendors.
Once due diligence has been performed, the investigation (if needed) begins in earnest. Internal investigations often include document reviews, computer forensics to obtain digital evidence like emails, and forensic accounting to reconstruct relevant transactions.
The final step is in-person interviews with subjects, witnesses, and any other relevant party that might provide useful information. Because this fieldwork often provides valuable information that substantiates or enriches an investigation, it’s a good idea to work with a security partner who has demonstrated investigative capabilities and boots-on-the-ground expertise in the field.
At a time when tips remain the single most effective way for organizations and their security partners to identify and address fraud, gathering, managing, and responding to whistleblower concerns and complaints is an urgent priority for decision-makers. Together with a trusted security partner, they can optimize their tipline or reporting system, make sure they are effectively analyzing that information, and conduct investigations in a way that yields a meaningful reduction in financial fraud losses.