In this podcast, Steven G. Blum, CPA, CFE, principal with Control Risks Group in Washington, D.C., and a member of the Pennsylvania CPA Journal Editorial Board, previews his feature from the summer 2021 Pennsylvania CPA Journal. Blum offers tips for helping companies manage thorough whistleblower investigations, including having an established process in place and effectively responding to allegations.
By: Bill Hayes, Pennsylvania CPA Journal Managing Editor
In the summer 2021 Pennsylvania CPA Journal, Steven G. Blum, CPA, CFE, principal with Control Risks Group in Washington, D.C., and a member of the Pennsylvania CPA Journal Editorial Board, walks us through the process of managing a whistleblower investigation. His feature for the magazine offers insight on the value for a company to have an established process in place, best practices for evaluating allegations, and more. Today, he is with us to offer a sneak peek into his feature.
What are the common circumstances for which whistleblower investigations usually take place? What are the common complaints?
[Blum] At its core, a whistleblower complaint is usually some type of report over a perceived violation of company policy. Generally, policy violations could be related to some human resource issue or financial issue. Just some examples: it could involve a vendor onboarding process, allegations of conflicts of interest, or unfair trade practices. There's just a lot of different kinds of complaints because there's so many different constituencies that exist within a company's orbit.
For example, a vendor might complain about what they perceive as an unfair bidding process. An employee might complain about a violation of an anti-discriminatory policy. I'm only really talking about complaints in the article that I wrote about, essentially mostly internal complaints. You could also have whistleblowers that are making allegations to various regulators.
But probably the most common type of complaint that you see is really just typical HR policy violations. I don't deal with many of those in particular. They could be something as simple as “Somebody's eating my lunch out of the refrigerator every day.” I mean, it could be that common. But my practice relates to those complaints that impact the company's financial element in some way. It could be financial reporting fraud, asset misappropriation, anything that might impact the integrity of senior management or personal dealings that are done at the expense of the company. They may be less common, the ones that I typically deal with, but they tend to be much more problematic and important for the company to deal with.
How important would you say it is to have an established process in place for when whistleblower investigations take place and you have to handle them?
[Blum] It's never a question of if a whistleblower investigation takes place – a whistleblower happens, a complaint happens, but when? Allegations of wrongdoing in some form will arise regardless of the level of a company's preparation to deal with them. Companies have to have the programs and processes in place for the intake of the complaints, they have to have a process for evaluating and investigating those complaints because the alternative is that some important complaints may fail to reach the appropriate people at the company or they may not be properly evaluated in the first place, which can result in an incorrect conclusion and then something that you have to deal with later, and it becomes a bigger problem.
Are there any steps that would be considered hallmarks of a standard whistleblower investigation process plan, and what would those be?
[Blum] There are some important elements of a good whistleblower process, but it may look different depending upon the company. I’ll pose some general questions, and I'll backtrack a little bit after. You want to ask about how effective is your company's reporting mechanism, how am I going to scope the allegations, how do I figure out what allegations merit further investigation, do I have a process for monitoring the outcome of the investigation, how do I track the investigation's results, and what are my data collection and preservation capabilities within the company? In particular, now when these allegations come up, how do I deal with them, given everything that's happening with the pandemic?
Those tend to be the high-level things that companies should be asking about. First thing we talk about is reporting mechanism. Do we have some type of anonymous reporting mechanism at the company and is that publicized to employees and other third parties that deal with the company? How often is it used? Do we make sure that our employees and third parties are aware of that process? Because if you're not aware of it, it doesn't matter that you have it. Are employees comfortable with using it? Those are the sub questions when you think about, well, step one, how do employees report their concerns up to the company?
Then once it's reported, what do we do to figure out if it's something that requires further investigation, and more importantly, if it does, what steps do we take to make sure that, when we investigate it, we're independent, objective in our investigation? Also important, who actually conducts the investigation and is tasked with determining the proper scoping of the investigation? There's a whole area around what do you do when it comes in, and trying to figure out if it's worth ... how important is it and how far do we pursue it, is it credible, and all that other good stuff?
The other thing is the company's own accountability. Are we looking at things and saying, "Hey, how timely are we in making sure we're responsive to these whistleblower allegations?" It doesn't do us any good to have a whistleblower make a complaint, and then we don't deal with it in a timely manner, or we don't track our responses to those allegations because that's another part of the process. Because there's a lot of, even in tracking the allegations and the ultimate investigations, there's a lot of good information that you can glean from the various allegations that are made and findings from those allegations. So, are there other patterns of misconduct or other red flags that might indicate some general weakness in our control system or in our compliance somewhere? Those are other hallmarks of a good system.
Another part of this is if we're looking at how good are we at responding to whistleblower allegations, oftentimes you have to say, "Well, if we get a complaint, do we have the in-house capabilities with respect to data collection and preservation?" As well as an understanding of what the particular data protection and privacy laws might be relevant to the jurisdiction that we're looking at because often a lot of the investigation work involves gathering data, putting freezes on data. If you don't have that capability in-house, you want to have a go-to third party that can help you do that. Because, again, oftentimes that's the only thing you have in pursuing, especially at the outset, an investigation into some or at least evaluating an allegation without opening it up further because that's what's readily available to you.
Nowadays, I think the final piece is in the past if we went off and had an allegation of some wrongdoing, we would go back and we could talk to people, we can visit with them, things of that nature. Now we have a different situation where many offices are closed or restricted. How do you do things remotely? How do you gather information and data remotely? This adds a level of complexity to it that didn't exist. Even how the situation where there's countries in the world we still can't travel to, and maybe during the summer more of them will open up. But again, it's not the same type of world that we had a year-and-a-half ago, where it was easy to go to the problem. Now we have to take different measures.
Those tend to be … and again, it looks differently in every company … but those tend to be some of the big areas of a good whistleblower process that a company needs to be assessing and working with. It's an iterative process. You're constantly improving and working on it, but those are the big areas to think about.
Would you be able to describe the process that goes behind evaluating allegations? What are the considerations that companies have to keep in mind?
[Blum] Again, this could look differently in every company, but the goal is the same. You're trying to gauge the seriousness of the allegation so that you can put together an appropriate response. Overstating or understating the seriousness of an allegation or complaint could result in ultimately more time and costs incurred than should have been necessary. I always say the worst thing about doing a disruptive, costly investigation is having to do it twice. But right out of the gate, when I look at an allegation, I'm trying to judge it on several different criteria. I want to know who within the organization are these allegations directed against? How many people within the organization may be involved? Could there be a serious impact to the company's current or prior financial reporting? Is senior management's credibility or the company's reputation on the line here? Could that be really significantly impacted by the allegation? I don't mean the fact that someone made an allegation, but I mean from the standpoint of, if this allegation were true, does that cause this credibility issue or reputational issue at the company?
Another area would be, what's the likelihood of a government regulator involvement? If it's a financial reporting issue and it's a public company, there's a good chance that, for example, the SEC could want to understand what's happening and be involved. That ups the level of complexity and potential importance. Finally, are the allegations themselves reasonable and detailed enough and consistent with the known facts about the business?
There could be allegations that you're like, "Well, this is crazy. We don't even do this, or it has nothing to do with what we do. It doesn't make any sense." Then, there are others where the allegations could be lined up with something that you know has occurred in the business. You're like, "Okay, well, here's the complaint about…" I don't know, for example, "…we just did an acquisition of X and this allegation goes to the heart of that. There's some alignment there and it causes us to be concerned."
Those are some of the big areas that you kind of look at generally. I think the one other important thing to take away is that it's not a static process. You don't go through and make your determination all at once. It's somewhat iterative in that you may, when you're evaluating, have very little to work with at the very beginning of this, and you don't know which way is up. You have to continue pulling in additional facts and reevaluating the allegations based on information as you get it so that you can have enough information to ultimately make some credible response.
What are, if you could identify them, the particular best practices for responding to an allegation? Are there factors that can make that response more complicated?
[Blum] That's why you have to, when you start out, answer the question, what is it that you're trying to accomplish? What's your strategic vision here for an actual response? That's one overarching thing and maintaining that focus on what are we trying to do because it's easy to get pulled back and forth.
But I think another is a best practice involved in an investigation's thoroughness. This can be hard. It is a bit of a balancing act. Investigations have to be thorough and should always consider the broader business operations and risk. I guess you have to think about it because, as I was saying before, even worse than engaging in a disruptive and expensive investigation is having to conduct that investigation twice.
But what do I mean when I say consider the broader business? It may mean considering if there are other potential frauds in the business unit, or similar problems if it occurred in another territory. If an individual is implicated in a fraud, you need to think about what other areas has that individual touched within the organization.
From a thoroughness perspective, you don't want to just assume, "Okay, well here we see, we're looking at this one piece," and you have to understand, well, where else does that piece occur? If you have an individual or a particular type of control that's being overridden, how do you make sure to fence it in to understand, "Well, where else could this have occurred, and how do I have to expand my investigation scope to make sure that I've covered this?" Because, again, if you have outside parties that are interested in the outcome of the investigation, let's say it's an independent auditor or some regulator, they're going to ask those questions, "Okay, if this guy has access to these controls and these processes, how do we know he didn't do the same thing over here?" That certainly makes things more complicated and challenging.
Another thing that can be very challenging is when you're dealing with multiple overseas jurisdictions and all of their diverse laws and culture and the COVID-19 pandemic travel restrictions. You may have issues where there's a lot of regulatory oversight where the regulators are really particularly interested or even the public has a lot of interest in something, because that'll ratchet up the complexity. You could have an issue where the company is a pretty well-known company that has a lot of employees. Something becomes more public and there's a lot of general interest about the outcome of the investigation or who's involved. That public scrutiny adds a whole level of complexity to it. Lots of different things that ... I mean, there could be other complexities. If you think about it, you might have to convince investors that an organization's controls and risk management that gave rise to the allegations in the first place are adequate going forward.
It depends on who your stakeholders are to the business. There's lots of different things that can make your investigation more challenging. It could be the people that you're trying to speak to, even those that are part of the investigation. They up and leave and hire counsel and clam up. There's lots of different things, and it's always different, which makes them fun if you get to investigate them. It's not so fun if you're the company that's involved and being investigated.
How important is the idea of data preservation during whistleblower investigations, and what are some rules to remember in that area?
[Blum] I think the first thing is that when you think about your data and your ability to preserve it and so forth, that needs to be one of the first things that you think about as you're moving forward. Really securing it. Similar to a litigation hold that companies put on documents, whistleblower allegations might require a hold be placed on potentially relevant documents. You want to ensure that paper documents don't get shredded and electronic records don't get written over. For example, many times when companies do their backups, they are reusing backup tapes. Oftentimes, they're just rewriting over older backup. When it comes to electronic evidence, sometimes it pays just to be overly inclusive because it doesn't really take up much space and you don't often really know what you're going to ultimately need to review.
So a couple of other points to think about is, do you have someone in-house to deal with it, to begin any data collection requirements? It may not just be the servers – your computer servers – but could include personal devices. Do you have that in-house expertise to navigate data privacy issues that might come up, particularly international ones? A good takeaway is … and, look, a lot of companies don't have it. They may have somebody who can download server information or what have you, but it's more than just that. If you don't have that kind of stuff in-house, have some reputable consultants who can provide that expertise and have them on your speed dial and retained so that whatever situation you happen to be in, you have a laundry list of the go-to consultants that have already been prescreened for this type of stuff.
Those are some big areas. We see a lot of companies that just go outside the organization to make sure they have that expertise, because it's constantly changing and you really need it, and it's not something that most companies have the resources to maintain like that.
An interesting line from the piece: "An investigation should not be viewed as the end of the matter." So, there's a remediation stage. What does that step entail?
[Blum] There's usually takeaways from every investigation because you want to avoid a similar issue happening that you didn't want happening again. You want to avoid that happening again in the future. You've got to think about at the end of these investigations, based upon your findings, what policies need to be changed? What new controls may need to be implemented? What additional training must take place after this? Basically, what was it that caused the problem to happen, and how could you avoid it next time?
Sometimes you need to start implementing new measures before you even have completed the investigation. For example, say you discover ineffective controls over payments that were intentionally overwritten. That could be one thing. Another is, let's say certain individuals may need to be separated immediately to avoid further financial damage. If the people that you find are involved are doing something they shouldn't be doing, the way to stop them is to separate them from employment or keep them away from the areas that they were causing the problems.
There could be other temporary control measures that you need to implement. Going back to the first thing, which is if you have ineffective controls that are being intentionally overwritten, you may want to change things around temporarily just to make sure that nobody else takes advantage of some weakness that is out there. You would do this stuff even before you've completed the investigation. Generally speaking, the investigation, it's not necessarily the end of the matter. It's a useful tool to fix things on a go-forward basis.
The closing line of the piece is, "Too often, whistleblowers are ostracized, when in fact they should be rewarded." Found that really interesting. Is that a mindset that's out there, that organizations have, that whistleblowers should be, not to say that they should be ostracized, but is that the sort of mindset that's out there, and how can it be addressed?
[Blum] It's not as much as you would hope. Look, I'll say it again later, but one of the important things to think about is, if I am a company and there's something going wrong in my organization, I want people to come forward to tell me about it. It's kind of like you're eating in a restaurant. You get served, food is cold or something isn't prepared right – it's burned – you didn't like an experience. Sometimes you're afraid to call it to the attention of the manager or the owner of the business. Well, when I talk to people who own restaurants, they tell me, "Look, we want you to tell us what's happening or what you don't like or what's going wrong because we want you to come back. You're our livelihood. If you don't tell us, we won't know and ultimately people stop coming, and we'll go out of business. Our job is to make you happy."
It's the same way in a sense with whistleblowers. You want to keep those types of complaints in-house and do something about them before it becomes more problematic. It's always important to create this culture with an organization where people are free to bring up questions related to what they see happening in the organization. One of the best ways to do that is create a culture that rewards versus punishes legitimate well-intentioned employee inquiries, or even allegations of wrongdoing. Too often, the attitude projected by a company is that, "We don't want to hear your complaint, or we don't care if you don't understand something, we don't owe you an explanation for it."
That's really the wrong message and attitude because it leads to allegations, some that may be credible or some that are not. It could be based on misunderstandings and things of that nature, and it just takes up your time and creates unhappy employees. You want to be able to handle the issue within the company, and you want employees to be comfortable raising those issues within the company. The alternative is, well, they go to regulators, they go out into the public and voice their concerns outside the organization. That complicates your own process.
I'll close with an example where I think what a company … there's a local company in Pennsylvania I got to see up close that actually did it right. It was an investigation, and there were actually employee kickbacks that were happening from a factory in China. The factory owner was paying a percentage of the value of the goods that the company purchased. He was paying that back to our company's buyer. It went on for a number of years and that company's buyer who dealt with that factory owner, he ultimately retired and was replaced.
The new buyer comes along, he's in the factory and the factory owner reaches out to him and he's showing them these little spreadsheets and saying, "Here's the total value. Here's the value that we want to send. Where do I send this money?" The buyer's like, "What do you mean? You send it to the company. Why are you telling me?" He was confused. Then he realized that he was being offered this kickback for the total value of the goods that were purchased, and so he reports this to the company's chief compliance officer. We did the investigation. At the end of all that, that chief compliance officer made it a point of publicly praising and rewarding that company buyer and holding them out as an example to others.
By doing it, the company was positively reinforcing that behavior in others and making it public because, look, let's face it, that new guy could have continued on collecting those funds and no one would have been the wiser.