Whistleblowers have reported more than 40 percent of employees' misconduct, according to the 2014 annual report of Association of Certified Fraud Examiners. They either keep their name anonymous - 80 percent of whistleblowers are anonymous, or leave their actual names in the reports with contact information (including email address) – which enables us to contact the whistleblower and ask questions in the course of the investigation. However, it is hard to carry out an investigation if the whistleblower remains anonymous. Therefore, the audit team may not conduct an investigation in a proper manner, or may consider the whistleblower's information misleading, resulting in possible negative effects on the engagement company ("company").
Most of the whistleblower reports that I have encountered in my 16 years of investigations of possible illegal activities were anonymous reports, as a whistleblower takes risks to report a company's misconduct, including exposure of himself / herself, the possible defamation of the subject person, and the possibility of calumny. The internal audit team should not ignore whistleblowers' reports. Even though it is an anonymous whistleblower's report, we have to investigate as thoroughly as we could to identify any wrongdoing.
If a whistleblower reports that a person who is in charge of a company's purchasing business receives bribes from the company's supplier, and does not include detailed and specific information, it will be difficult to conduct the investigation. We recommend the following methods to verify the whistleblower reports.
First, identify the fraud type and fraud scheme, which the whistleblower may mention in the report. In addition, it is important to check the company domain, financial reports and accounting data, evaluation reports, third parties (customers and suppliers), and master information (vendor and material database and human resources database).
We should identify key persons or senior managers who are involved in any improper transaction to collect and identify information related to fraud scheme, and review information pertaining to their activities, including company credit card payment records, attendance records, office log data, correspondence information (phone records and email database), data stored on alleged persons' computers, information devices and other relevant persons' devices. These types of information determine the investigation scope.