The Association of Certified Fraud Examiners recently released its 2022 benchmarking report on anti-fraud technologies, and the compliance community may want to look at the findings. According to this report, a majority of businesses don’t have dedicated, disciplined technology for case management – and businesses of all sizes should be attuned to this need.
The ACFE surveyed more than 880 anti-fraud professionals around the world, and 58 percent said their organizations didn’t use any case management software at all. Among the 42 percent who did, the most popular choice was in-house software, presumably developed by the respondents’ IT departments. Compliance officers should consider the implications of that finding.
Case management is a crucial compliance capability because it brings discipline to how you investigate matters at scale – and that’s the part that matters more and more to effective compliance these days. For example, the U.S. Justice Department’s guidelines for effective compliance programs expressly state that case management capabilities are an element of compliance programs that prosecutors will consider:
“Prosecutors should also assess the company’s processes for handling investigations of such complaints, including the routing of complaints to proper personnel, timely completion of thorough investigations, and appropriate follow-up and discipline.”
Moreover, more capable case management systems simply make good sense in today’s business world. The modern large corporation has to address a multitude of complaints covering a breadth of issues. Addressing these in a manual or disconnected way introduces too much risk that something goes overlooked or gets mishandled, with potentially painful consequences (regulatory enforcement, civil lawsuits, reputational damage) to follow.
The Elements of Effective Case Management
What should effective case management accomplish? What are the primary components of success? The answers are right in those Justice Department guidelines.
Routing of complaints to proper personnel. The case management system should be able to take an allegation that arrives through internal reporting channels and swiftly assign the matter to appropriate personnel. For example, HR addressing workplace conduct issues, compliance or legal handling corruption, internal audit managing accounting fraud, and so forth.
This means workflows need to be mapped out in advance, and personnel need to be assigned who are competent enough and independent enough to investigate the case properly. For example, one complaint might be handled internally; multiple complaints on the same issue could suggest a deeper problem, best handled by outside investigators.
Interconnected systems for a holistic view. Fraud case investigation can involve multiple departments and stakeholders. When case information and data is siloed, it makes a thorough investigation more difficult, and important pieces of the situation may be lost. Organizations should approach these investigations with a unified system in order to streamline the process, ensuring all stakeholders can prioritize addressing the case and not spending time tracking down relevant information.
Timely completion of thorough investigations. Every case has a unique set of facts and should not be rushed simply to make a deadline. That said, a good case management system can map out the likely course that most cases will take, to guide investigators through the necessary steps promptly.
An important part of this phase is also evidence collection. Have all relevant documents been collected, and all witnesses interviewed? Has evidence been consolidated into one secure file, so no stray scrap of information gets lost? The ability to manage and preserve evidence, make changes in policies, and to document findings is crucial.
Appropriate follow-up and discipline. This may be the most important point of all. Follow-up and discipline show employees the company is serious about its commitment to ethics and compliance. So once the facts of a case have been collected, and any policy or legal violations have been confirmed, your case management system should then guide executives to whatever remedial and disciplinary actions are warranted. These actions include potentially changing company policy or expanding training initiatives.
That’s not to say the software decides how the company resolves a case. Rather, the case management system shows the humans what the appropriate response should be – and then the humans can either follow through or document their reasons for taking a different course of action. So long as that decision is documented, and you can show how that decision actually is in step with the company’s ethical priorities, you’ll be on firm ground.
There several other capabilities your case management program should have, too. For example, data analytics and reporting are important, so you can detect patterns in cases that might suggest deeper issues (“we’re seeing a widespread spike in corruption allegations, maybe our due diligence is off, or our training is unclear”). Automated case summaries and customized dashboards are another useful feature to help bring senior executives up to speed quickly if they need to be briefed on an issue.
But foremost, start with the original source. What you need to do for effective case management is right there in the Justice Department guidelines.
The Perils of In-House Solutions
Back to the ACFE survey. Most companies aren’t using any dedicated case management technology at all – and among the 42 percent that are, the most popular solution is “in-house.” That’s still not a comforting thought.
In-house software solutions raise concerns about development costs, cybersecurity, and versatility of the system. How is the software maintained and updated over time? How do you assure timely patches for cybersecurity weaknesses that come to light? If your company merges with another that also has its own home-grown case management system, how do you integrate your case management processes and archives?
Another troubling, yet common, scenario are in-house systems that are really just a set of protocols to guide compliance teams as they collect and log evidence via email, spreadsheet, and shared drives. Automation and consistent workflows assisted by technology are more efficient, scalable and reliable and help companies avoid the common pitfalls of ad-hoc or homegrown solutions.
Instead, the ideal should be dedicated case management technology that fits into other elements of your compliance program, including internal reporting systems and any data analytics and policy management tools – It should all be part of the whole.
Right now, it seems, too many companies are still just doing the minimum to get by or cobbling pieces together.
For more information on how your organization can prevent and address corporate fraud and corruption, check out these resources on navex.com.