Investigation Tips for Anonymous (Whistleblower) Reports

Whistleblowers have reported more than 40 percent of employees' misconduct, according to the 2014 annual report of Association of Certified Fraud Examiners. They either keep their name anonymous - 80 percent of whistleblowers are anonymous, or leave their actual names in the reports with contact information (including email address) – which enables us to contact the whistleblower and ask questions in the course of the investigation. However, it is hard to carry out an investigation if the whistleblower remains anonymous. Therefore, the audit team may not conduct an investigation in a proper manner, or may consider the whistleblower's information misleading, resulting in possible negative effects on the engagement company ("company"). 

Most of the whistleblower reports that I have encountered in my 16 years of investigations of possible illegal activities were anonymous reports, as a whistleblower takes risks to report a company's misconduct, including exposure of himself / herself, the possible defamation of the subject person, and the possibility of calumny. The internal audit team should not ignore whistleblowers' reports. Even though it is an anonymous whistleblower's report, we have to investigate as thoroughly as we could to identify any wrongdoing.

If a whistleblower reports that a person who is in charge of a company's purchasing business receives bribes from the company's supplier, and does not include detailed and specific information, it will be difficult to conduct the investigation. We recommend the following methods to verify the whistleblower reports.

First, identify the fraud type and fraud scheme, which the whistleblower may mention in the report. In addition, it is important to check the company domain, financial reports and accounting data, evaluation reports, third parties (customers and suppliers), and master information (vendor and material database and human resources database). 

We should identify key persons or senior managers who are involved in any improper transaction to collect and identify information related to fraud scheme, and review information pertaining to their activities, including company credit card payment records, attendance records, office log data, correspondence information (phone records and email database), data stored on alleged persons' computers, information devices and other relevant persons' devices. These types of information determine the investigation scope.

Second, find clues and red flags that may indicate there is a fraud scheme. The red flags are helpful to detect fraud schemes and are the most important part of the fraud investigation. We can brainstorm in various perspectives and discuss with employees who have relevant experience to identify red flags.

For example, a fraud clue in a real estate transaction might be where no lot number has been shown until the transaction is closed. The lot number of the land helps us find the land location and satellite images of the land shape through internet map search. A fraudster who sells fake land without a lot number may ask a buyer to pay some money (down payment) before an on-site visit. Once the buyer has paid, the fraudster will run away with the money.

If a whistleblower reported a team leader who embezzled company money through fake transactions, we can check the company's accounts payable. To mitigate accounting risks, a company segregates the employee duty – only a team leader can approve the transactions and another one of the team records the accounts payable. If the team leader decides to embezzle money, he has to create fake records for accounts payable himself in the company accounting system (or ERP). We may identify the alleged fraudster(s) through the IP address deficiencies. 

If we identify a few red flags in a fraud case, we can see the fraud scheme has occurred. After the audit team identifies the red flags related to the whistleblower report, it should be able to verify the fraud in the investigation. To verify clues and red flags, it is usually necessary to analyze large amounts of financial records with database analysis techniques and IT forensic tools.

If a purchaser receives money from a supplier repeatedly, to verify the fraud clues in the whistleblower report, the audit team should investigate the following things in the investigation.

1. Identify whether there are suppliers who are suspected of bribing the purchaser, by looking for:

• suppliers who have an unusually high level of costs (commission, marketing expenses, labour costs, etc.) on the financial statements and whose volume has increased steadily among all the suppliers;
  
• suppliers whose assessment results are always in the top 20 percent;
  
• suppliers with a high rate of complaints from their sub-contracted suppliers, implying that there are problems or unusual business practices between a supplier and its sub-contracted suppliers;
  
• purchasing officers who have frequent business meetings or visits with a supplier in same patterns; and
  
• whether a conflict of interest exists between the person who is in charge of purchasing and a supplier. (We can investigate any relationship between the person and the supplier's shareholding structure and business registration records.)​.
  

​2. Identify former sales and accounting staff who might have worked for the suspected supplier for the past one or two years. They may know confidential information, including transactions with the supplier.

3. Identify any supplier who is in a disadvantaged stage in transactions with the company, including:

• business interruption, lower rates of company evaluation, reduction in quantity, and unfair business conditions;
  
• supplier supplied good quality parts, but the company inspector intentionally evaluated a bad quality level. If the supplier's test results are frequently bad, we have to clarify whether the results are really bad or not;
  
• supplier who has low frequency of business meetings or visits with the purchasing staff. (Normally, a purchaser shall have regularly meetings with the supplier who supplies material to the company, as the two parties shall check quality and discuss about delivery time, product price and contracts.);
  
• the sub-contracted supplier who dealt with the supplier suddenly shifts to another supplier; and
  
• the supplier knows many rumors which are compatible with the whistleblower report.
  

4. Identify employees who:

• are involved in deviation from the purchasing department's normal practice;
  
• had a good performance assessment in their former team have a bad performance assessment in the current team, implying that the employees probably know the team leader's wrongdoings;
  
• have been excluded from the position to handle key suppliers for the past one or two years;
  
• are isolated or not invited to team mates' party dinners or other activities;
  
• have worked in the purchasing department for more than four or five years but have not had a specific position;
  
• try to collect work-related information from their colleagues who are not in the purchasing department;
  
• go out for work as frequent as other colleagues, though the employees do not have a schedule; and
  
• are not satisfied with their department know a lot of rumors related to the whistleblower report.
  

5. Interview with the alleged person's predecessors:

• through the predecessors, we understand potential and relevant fraud schemes and predictable fraud clues; and
  
• identify the reputation and contact information of the supplier, including the supplier's price, quality, delivery date, production capacity, and business representative through the predecessors.
  

6. Identify general information about the alleged person:

• employee profiling, payroll accounts, family members and relationships, and conflicts of interest with the company;
  
• whether the employee is involved in any real estate registration and involved in any assets collateral security;
  
• whether the employee owns automobiles and equity, and joins any clubs through the people around the alleged person; and
  
• analyze the alleged person's social network information (hobby, travel information, personal relationship, visit place and date, etc.).
  

7. Identify the traveling routes and destinations of the alleged person:

• analyse business logs, attendance records and office access card records;
  
• analyse company phone records and e-mail logs;
  
• check corporate card usage history; and
  
• check IT system logs and metadata analysis (pc, server, printer, network etc.).
  

8. Examine if the alleged person has the following signs while he/she is at work:

• negligence, breach of contract, interruption, malicious act, management supervision negligence and company reputation impairment; and
  
• any conflict of interest matters.
  

9. Perform IT forensic investigation of all digital information devices provided by the company:

• check the information devices that the alleged person has used under the prior consent; and
  
• important for IT forensics to maintain data integrity.
  

10. When the alleged person receives money from corruption, the typical clues are listed in the following: 

• expenditure is more than income;
  
• the alleged person's working behavior suddenly became more positive and active than his / her colleagues, implying that the alleged person might be motivated by the rebate from a vendor;
  
• have built a reputation among suppliers;
  
• if the alleged person plays golf with the suppliers, they will usually play on working days but under the excuse for visiting suppliers;
  
• the alleged person might receive bribes every month in his or her bank account under the name of the alleged person's family member or parent. In this case, the alleged person may use a bonded credit card to take out the bribes;
  
• conduct money laundering with improperly received cash;
  
• the alleged person may have several bank accounts to receive money; and
  
• in some cases, the balance of the alleged person's salary account is increasing, as he/she only spends the bribing payment from the supplier.
  

It is very difficult to detect fraudulent activities for conspiracy unless it is reported. The latency period is usually more than three years. The alleged persons could cause a huge loss to the company, ranging from hundreds of thousands to several hundreds of millions of dollars. The audit team should comprehensively compare, examine, analyze and investigate the above information even if it is from a whistleblower, whose efforts and courage should not be in vain.

Mason Kim, Ausus Advisory Seoul