What the SEC's first outsider whistleblower award means for internal audit

Last Friday, the Securities and Exchange Commission’s whistleblower office announced an important first: It revealed the only award to date for aiding in the prosecution of securities fraud paid to an individual who had never worked at the company in question.

It's an important development. Until now, all of the SEC's whistleblower awards have been paid to individuals who were working for the company at some point before they tipped off the agency about potential frauds at their employers.

The fact that the latest whistleblower was able to provide the SEC with important information about a securities fraud at a company without ever walking its halls, ever sitting in on any meetings, and never getting access to its confidential documents and files is eye opening. The SEC paid $700,000 to the individual for bringing the fraud to its attention. The SEC didn’t identify the winner of the award, nor did it name the company involved. It said only that the person “conducted a detailed analysis that led to a successful SEC enforcement action.”

“The voluntary submission of high-quality analysis by industry experts can be every bit as valuable as first-hand knowledge of wrongdoing by company insiders,” said Andrew Ceresney, Director of the SEC’s Enforcement Division, in a statement announcing the award. “We will continue to leverage all forms of information and analysis we receive from whistleblowers to help better detect and prosecute federal securities law violations.”

For internal auditors, the message is simple: Do your homework. Do the data analysis, benchmark performance indicators and other data against peers, and hunt for outliers and anomalies, or others will do it for you. I can only imagine the discussion between the chief audit executive and the audit committee chair at this company after it was revealed that a securities fraud was uncovered not by the meticulous practices of the internal audit team, but by an outsider poring over public data. That assumes, of course, that those individuals didn’t take part in the fraud or look the other way.

Outsourced Fraud-Checking

It’s not the first time outsiders have conducting independent analysis that indicated a company or group of companies were likely up to no good. Harry Markopolos famously hounded the SEC to investigate Bernie Maddoff’s firm after his analysis showed Maddoff’s stated investment returns were impossible to achieve on such a regular basis. A report by Erik Lie, a finance professor at the University of Iowa, suggested companies, including Apple, were likely back-dating stock options. A SEC investigation bore out those suspicions.

The whistleblower program is an important incentive for companies to provide easy-to-use channels and mechanisms inside the company to bring wrongdoing and potential frauds to light before some analyst or researcher does. Companies would much rather discover problems and potential frauds themselves, long before they get a knock at the door from the feds so that they can deal with them internally and stop small frauds from becoming big ones.

Clearly internal audit needs to play a big role in that process. No only should internal audit conduct the analysis to look for red flags of fraud in various data streams, it needs to assess the effectiveness of whistleblower hotlines and other programs that encourage employees to come forward with concerns about potential wrongdoing. It also needs to assure that controls are in place to prevent retaliation against those who do come forward.

Ensuring the free flow of information about potential fraud and abuse—following up on it, analyzing it, and ensuring investigations take place when needed—are the best ways to ensure that some outside analyst with a spreadsheet doesn’t find a fraud before you do. They may also keep you from having to explain to the audit committee chair how an outsider, armed only with public data, was able to see problems before you did.