VideoAccording to a recent report by The Association of Certified Fraud Examiners, organizations lose about 6 percent of their revenue to occupational fraud and abuse. The study also noted that occupational fraud was most commonly detected by a tip from an employee, customer, vendor, or an anonymous source.
You don't have to tell Thom Weatherford about the value of inside information.
Years ago, when serving as CFO of Ungermann Bass (then owned by Tandem Computers), Weatherford received a tip from an employee that a country manager was coercing workers to record "revenue that wasn't really revenue." Weatherford launched an internal investigation, which ultimately confirmed the employee's disturbing allegation. "Luckily, there was no harm on the revenue side," recalls Weatherford. "But there was always that potential."
Weatherford, who recently retired as finance chief of analytics software maker Business Objects, still serves on the boards of two companies. He says the ugly incident at Ungermann Bass provided a valuable lesson that might have otherwise gone unheeded. "It did bring up that maybe our internal controls could be strengthened," he acknowledges.
Turns out the internal controls at a lot of companies could stand some strengthening. Over the past 18 months, shareholders have witnessed a seemingly endless parade of corporate scandals, revenue restatements, and Securities and Exchange Commission investigations.
To restore some faith in corporate accountability, lawmakers have attempted to ratchet up the control function at publicly traded companies. Part of that ratcheting up involves expanding the role — and responsibilities — of audit committees.
But legislators and regulators also seem intent on making it easier for whistle-blowers like the Ungermann Bass employee to rat out their bosses. The Sarbanes-Oxley Act of 2002, for example, includes a proposed rule requiring audit committees to establish procedures for the receipt, retention, and treatment of anonymous and confidential complaints by employees on accounting or auditing matters.
The SEC plans on issuing the final rules governing the compliance notification systems by April 26. SEC spokesman John Heine says the Commission could come out with the final rules even sooner. Either way, publicly traded companies must be in compliance with the law within a year of its publication in the Federal Registrar.
There's just one problem. Observers say the current design of the SEC's complaint notification system is so vague that they're not quite sure what compliance entails.
Take Gary Barton, senior audit manager at J.C. Penney Co. Barton says he believes the retailer will be able to comply with the proposed system without using one of the many third-party providers that offer hotline services. But Barton also concedes that he's been meeting with compliance officers at other companies to figure out best practices for addressing the whistle-blower requirements of Sarbanes-Oxley.
And the audit manager acknowledges that uncertainty about the new law may eventually force him to contact an outsourcer. "If we go further and they tell us where the complications are," he says, "then we'll look further into outsourcing."
Hotline Hang-ups
One complication Barton and others may encounter: potential conflicts of interest. Companies must have a reporting system that allows for confidential and anonymous reporting by employees. In addition, they must maintain an appearance of independence once those complaints come through. "There must also be frank, open and clear channels of communication so that information can reach the audit committee," says the proposal.
Indeed, concerns over independence and anonymity have some employers turning to third-party providers to at least manage the recording requirement in their complaint notification systems. Certainly, there's no shortage of providers to turn to. These are halcyon days for outsourcers of corporate hotlines, and in recent months, a number of vendors (including Edcor, Report it, and The Network) have started aggressively hawking their services.
Complaint notification system outsourcers also like to point to data from The Association of Certified Fraud Examiners showing that organizations with fraud hotlines cut their fraud losses by approximately 50 percent per scheme. But critics warn that setting up a hotline through a third party doesn't fully get employers off the compliance hook.
They're right. An outsourcer who receives a legitimate complaint from an employee must still pass that information on to somebody at the company — typically, the company's compliance officer. Depending on the setup, a member of the internal audit or general counsel's staff may also be assigned to investigate and relay a validated claim to a company's audit committee for review.
Some corporate executives also doubt that third-party hotline operators will be able to handle complex allegations coming from disaffected finance workers. Some believe relatively low-paid operators will not be able to always ask the next logical question that would make an anonymous caller's complaint complete for investigative purposes. Vendors deny that charge. But it's also uncertain — if calls are truly anonymous — how corporate officers will be able to follow up on an inconclusive report from an outsourcer.
Reader Comments» Post a comment