How Auditors' Fraud Inquiry Strategies Can Increase the Likelihood of Whistleblowing Free

Workplace fraud continues to be a costly global problem, causing significant harm to affected organizations, with the American Association of Certified Fraud Examiners (ACFE) reporting that a typical organization loses as much as 5 percent of annual revenues to fraudulent activity (ACFE 2020). As a means of detecting such illegal acts, auditing standards require auditors to make inquiries of client personnel about the client-employees' knowledge or suspicion of fraud in their organization. According to the ACFE's 2020 Report to the Nations, external auditors account for the discovery of as little as 4 percent of uncovered fraud, suggesting that auditors' inquiry techniques could be improved (ACFE 2020).¹ Despite the regular use of this form of information gathering, many auditors receive little guidance on fraud-inquiry best practices and few studies have examined the relative effectiveness of techniques that auditors may use to improve the quality of their fraud inquiries (Liu 2012).

Our study extends research on time-of-day effects in professional judgments, as well as research on mitigating the effects of perceived retaliation risk on whistleblower reporting. We find that reminding client-employees about statutory whistleblower protections, as well as conducting fraud inquiries later in the day (when human impulse resistance is diminished) jointly increase the likelihood that a client employee will disclose fraud to the external auditor. These easily implementable interventions can significantly strengthen an auditor's fraud inquiry technique and increase the likelihood of employee fraud disclosures.

Auditing standards (AS 2110.54–58, PCAOB 2010; AU-C 240.16, AICPA 2016) require auditors to consider fraud as part of the overall audit plan. These standards also require that auditors inquire of management and “employees with varying levels of authority within the company, including, e.g., company personnel with whom the auditor comes into contact during the course of the audit,” regarding their knowledge of suspected or identified fraud (PCAOB 2010, ¶ 57). Such inquiries are unlikely to be effective if client employees, fearing retaliation, are hesitant to share such information. Research indicates that such fear is the primary reason why individuals fail to report observed fraud (NBES 2012).

As a means of reducing fears of whistleblower retaliation, the U.S. Congress passed the Sarbanes-Oxley Act of 2002 (SOX), in recognition of the significant risk that often accompanies the reporting of fraud. SOX contains protections for whistleblowers making it a felony to retaliate against a covered whistleblower (Sec 3(b)(1)) and provides civil provisions which can entitle whistleblowers to compensatory remedies. Presently, best-practices call for corporate whistleblower hotline policies to emphasize such protections from retaliation (NYSE 2014).

Unfortunately, client employees may not be cognizant of these significant statutory protections when auditors conduct their fraud inquiries. While fear of retaliation may inhibit employees' likelihood of reporting fraud, reminding them of their statutory protections could mitigate such fears and increase the likelihood of disclosure.

Our study also considered the timing of client fraud inquiries, drawing upon research related to self-regulation. This research suggests that exercising self-control, regulating behavior, and engaging in volitional acts throughout the day can render decision-makers relatively more depleted in their capacity for self-restraint (Baumeister, Bratslavsky, Muraven, and Tice 1998). This phenomenon, known as ego depletion, has been shown to increase individuals' propensity for over-sharing personal information and talking too much in social settings (Vohs, Baumeister, and Ciarocco 2005). That is, ego depletion inhibits a person's capacity for impulse resistance. Since prior research also suggests that it requires more cognitive effort to lie than to be honest (Baughman, Jonason, Lyons, and Vernon 2014), we expect that client employees will be more likely to disclose suspected fraud in the afternoon (when they are more likely to experience ego depletion) than in the morning hours of the day.

We recruited 70 participants with an average of 15.5 years of work experience and 8.9 years of business experience for our experimental study.² Participants were asked to consider the case of an employee in the accounts payable department of a fictional publicly traded company who recently discovered that their employer had violated the terms of a large contract by knowingly using materials that did not meet the specifications of the customer. The terms of the contract stipulated that this kind of violation would nullify the contract and entitle the customer to restitution (i.e., reimbursement for all sales made under the contract to-date). As a result, disclosure of this fraud would necessitate restating the company's financial statements for the last two years. Study participants assumed the role of the employee and were asked to indicate how likely they would be to disclose their knowledge of the fraud in a meeting with the external auditor during the auditor's fraud inquiry. Participants were also asked to indicate the risk of retaliation facing the employee in the given scenario.

In our test, half of the participants were told that SOX provided robust legal protections against retaliation for whistleblowers, while the other half received no such prompt. Additionally, half of the participants completed the study in the morning (8:00 a.m.–11:00 a.m.), while the other half completed the study during the afternoon hours of the day (3:00 p.m.–6:00 p.m.). This design results in four experimental conditions: morning and afternoon, with or without the reminder of whistleblower protections.

Participants in conditions where the auditor promoted statutory whistleblower protections from retaliation indicated that they would be significantly more likely to disclose the fraud than participants who did not receive that information. This finding suggests that promotion of statutory protections during a fraud inquiry helped to mitigate the employee's fear of retaliation. In addition, participants who completed the study in the afternoon indicated a greater willingness to disclose the fraud to the auditor than participants who completed the study in the morning. This finding is consistent with our participants being more cognitively depleted later in the day and, accordingly, being less likely to expend the cognitive effort necessary to inhibit the disclosure of identified fraud. These results are presented in Figure 1.

Recall that theory suggests that reminders of the existence of statutory whistleblower protections will reduce the perception of retaliation risk and will thus reduce the perceived cost of reporting fraud. In order to test this explanation of our findings, we perform a statistical technique called a path analysis which examines the intervening role of participants' perceptions of retaliation risk on the likelihood that they would report. This analysis indicates that promoting statutory protections during the fraud inquiry reduced perceptions of retaliation risk. That is, participants reminded of the whistleblower protections were more likely to believe that the client employee would be safe from retaliation. This lower perceived risk of retaliation led to an increase in the likelihood of fraud disclosure. Our path analysis provides strong evidence that the efficacy of promoting statutory protections during the fraud inquiry is due to reduced perceptions of retaliation risk.

Finally, our results do not suggest an interactive effect of timing and statutory protections on the likelihood of fraud disclosure meaning that the benefits of these strategies are additive in nature and that one strategy is unlikely to distort the effectiveness of the other. As a result, applying both strategies concurrently will result in the greatest likelihood of fraud disclosure.

Informed by best practices in whistleblower hotline disclosure as well as prior research related to self-regulation, our study provides insight into practices that may help auditors improve the efficacy of their fraud disclosures. Our results suggest that many employees have concerns about whistleblower retaliation and that these concerns can be mitigated by reminding the employee of protections that are available to protect whistleblowers.³

We also found that auditors can increase the likelihood of client fraud disclosure if they conduct their inquiries later in the day. Obviously, the ability to employ this strategy could be constrained in situations where audit inquiries occur spontaneously or where the ability to conduct inquiry later in the day is limited by the client's availability. However, even in such situations, the auditor may wish to conduct fraud inquiries near the end of a client interaction, when the employee is more likely depleted.

Like all research, our study is subject to some limitations that may warrant investigation by future researchers. First, the participants in the study had general business experience that was consistent with the background of an accounts payable clerk, but it is unclear if our results would generalize to more experienced personnel or employees who were trained auditors. Additionally, the location of the interview could be an important element of fraud inquiries that a future study could address. While we believe more research is needed on best-practices for conducting auditors' fraud inquiries, we hope that our results provide auditors with practical and actionable strategies that can improve the effectiveness of their inquiry procedures and enhance the quality of their audit work.