3 Company Policies to Protect Against Fraud

As auditors, we are often asked what policies are critical for organizations. Though much depends on the type and size of the organization, there are three key policies that all companies should have:

  1. Code of ethics
  2. Whistleblower policy
  3. Record retention and document destruction policy

Code of Ethics

One of the most valuable assets of a company is its reputation. One of the easiest ways to help prevent damage to a company’s reputation is the “tone at the top.” The tone at the top is primarily conveyed through the actions of management or a board of directors, both internally and externally, but also through policies such as a code of ethics.

Employees and/or board members come from different backgrounds and will often have different definitions of what is ethical behavior. A code of ethics establishes a common framework for employees, management and board members to make decisions when interacting with clients, vendors and the media by defining what ethical behavior is in the organization. A code of ethics can reduce subjective or inconsistent management decisions, which saves time, money and potential adverse results from an unethical decision.

When preparing the company’s code of ethics, management should:

  1. Define what ethical behavior means at the company and provide specific examples of unacceptable behavior.
  2. Convey the significance of the policy by requiring all employees and board members to sign a copy of the policy upon hire or appointment to the board.
  3. Periodically review the policy for relevance and changes in current laws or norms of the organization.

Whistleblower Policy

The 2016 Report to the Nations Global Fraud Study published by The Association of Certified Fraud Examiners noted that tips are the most common way of discovering fraud. The presence of anti-fraud controls was correlated with lower losses and quicker fraud detection. The 36.7% of victim organizations that were using proactive data monitoring and analysis techniques as part of their anti-fraud program suffered fraud losses that were 54% lower and detected the frauds in half the time compared to organizations that did not use this technique. Management review and the presence of a whistleblower hotline were both similarly correlated with regard to lower losses (50% reduction) and decreased time to detect the scheme (50% reduction), and most of the other controls showed similar reductions, as well.

When preparing the organization’s whistleblower policy, management should:

  • Clearly state that fraudulent activity is not tolerated by the organization and it is the responsibility of all employees to report violations or suspected violations.
  • Include a “no retaliation” section, noting that retaliation will not be tolerated in any form and if it does occur it will be promptly investigated. The Occupational Safety and Health (OSH) Act passed in 1970 protects workers from retaliation under 22 federal laws.
  • Provide a hierarchy for reporting issues internally, including options for when the person in question is the person that would typically receive the complaint. In this situation the policy may direct the employee to contact someone on the board.
  • Reference the organization’s code of ethics policy. This policy often requires the board, management and employees of the organization to observe high standards for business and personal ethics.
  • Consider including a whistleblower hotline, which provides additional anonymity and has been shown to make employees more likely to report potential or actual wrongdoing.
  • Illustrate, with examples, what is considered fraud and should therefore be reported through this process, versus other types of complaints that should be resolved through other outlets. These examples will help direct employees to the appropriate outlets and will reduce the cost of investigating items that are not fraud.

Record Retention and Document Destruction

Organizations retain documents for a number of reasons, and some documents are legally required to be maintained for a specified period of time. Others are critical in supporting accurate accounting records, and still others are retained for knowledge transfer when there is a turnover in staffing. All of these needs must also be balanced against the organization’s physical and electronic storage capabilities.

When preparing the organization’s record retention and document destruction policy, management should:

  • Begin by determining what types of documents the organization has. These may include employee records, accounting records, tax records, board minutes, email communications, department policies and federal or non-federal grants and contracts.
  • Research if any document types are governed by federal, state, local or international statutes.
  • Assign a retention period for each type of document. For some documents, professional judgment must be used. Typical retention periods include:
    • 3 years: employee applications, I-9 forms, and cash and credit card receipts
    • 7 years: contracts, journal entries, employee offer letters, and invoices
    • Permanent: corporate documents, IRS application for tax-exempt status, IRS determination letter, annual audits, and IRS form 990 tax filings
  • Describe not only the system for filing and maintaining the documents, but also the process for destroying the documents once the established time period has passed.
  • Create a process to review all retained documents and establish their destruction timeline. Ensure that the documents are destroyed on time. If the documents are not destroyed, they remain legally discoverable if the organization were to be sued.
  • Decide how the documents should be destroyed. If the document is confidential in nature, a secure method to shred physical documents must be established. Examples of confidential documents may include social security numbers, dates of birth, or bank account information.
  • Identify who within the organization is responsible for the different types of documents. The organization may choose to designate one person in the accounting department for retaining accounting records and another within the human resource department for maintaining employee personnel records.
  • Require draft documents to be destroyed as soon as official signed versions are available.
  • Remind employees that it is a crime under Section 802 of the Sarbanes-Oxley Act to intentionally destroy, alter, falsify, etc. any records, documents or tangible objects that are involved in, or could be involved in, a U.S. government investigation or prosecution of any matter or in a Chapter 11 bankruptcy filing.
  • Create a system to halt all document destruction once the organization is aware that it is under investigation or it may be subject to legal proceedings.

By adopting these three policies, an organization can protect its valuable reputation, be more efficient in making decisions, detect fraud in a timely manner, and protect the organization from knowledge loss and excess liability.