Tag Archives: sarbanes oxley act

"MACH" A Match for Whistleblowers

“MACH” A Match For Whistleblowers

In 2002, the Sarbanes-Oxley Act (SOX) breathed new life into whistleblower programs for U.S.-listed public companies. This legislation had a particular impact on audit committees, handing them the responsibility of, “establishing procedures for

  • The receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and
  • The confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”

SOX, however, did not provide any guidance to audit committees on what procedures should be considered or how to evaluate their effectiveness once established. As a result, for many companies, complaint handling is still a haphazard process that tends to operate in crisis mode. It can be both costly and time consuming, yielding few, if any, measurable results. We have found that — even now, 10 years after the enactment of SOX — companies are still struggling to find an effective approach to handling whistleblower complaints.

It is important to understand the role whistleblower complaint handling plays in deterring corporate fraud. Controls on the front end that prevent or deter fraud are critical — after all, the cheapest fraud is one that never happens. An effective whistleblower program, however, is the last line of defense.

According to the Association of Certified Fraud Examiners’ (ACFE’s) 2012 Report to the Nations, a study of 1.388 cases of occupational fraud, the most fraud is not detected as a result of internal controls. This is in part because perpetrators of fraud work in areas that are not tightly controlled or in areas that they themselves control. By far, the most effective form of fraud detection is a tip, often received via a fraud hotline.

The ACFE study also reports that the presence of a whistleblower hotline results in a much higher likelihood that occupational fraud will be discovered by a tip. For the most part, what has been lacking both from the literature and from practice is a methodical approach that organizations can use to register complaints and channel them to the appropriate groups for action. Only by establishing a comprehensive process will organizations be able to ensure that, when the whistle does blow, someone has the wherewithal to stop the train, get out and investigate.

One process, which Grant Thornton developed, is called the Model Accounting Complaint-Handling Process, or MACH Process. The MACH Process is designed to provide both meaningful structure and enough flexibility so that it can be adapted to any organization. It should not be viewed as a soup-to-nuts formula for setting up a whistleblower program. Instead, the MACH Process focuses on the component of any whistleblower program that requires the most attention from management and the board, handling complaints once they are received. Setting up the overall program is important, including making decisions regarding whether to insource or outsource the program administration, who to engage, how to handle different countries’ related legal requirements, and so on. The focus here is on what happens once the whistle blows and that train starts rolling down the track.

The MACH Process consists of six basic steps:

1.   Receive the complaint.
2.   Analyze the complaint.
3.   Investigate the complaint.
4.   Resolve the complaint.
5.   Report the resolution of the complaint.
6.   Retain the necessary documentation.

This complaint-handling process can be tailored to meet the needs of virtually any organization. The MACH Process is designed to ensure not only that venues exist for the gathering of whistleblower complaints, but also that all complaints are documented, investigated and addressed in the appropriate manner and that the process involves all necessary stakeholders.

Ultimately, by establishing an effective whistleblower complaint-handling process, organizations will be able to identify and deal with cases of fraud that have the greatest potential to harm reputation and bottom line.

For more information about the MACH Process, please visit gt.com.

Employee Theft

Employee Theft: Is It Happening To You?

Employee theft is rampant in small to mid-sized businesses. It never ceases to astound people that a trusted employee could steal from you. It angers you and makes you sad, but it is happening every day. Large amounts are being stolen from businesses both small and large.

After the Enron debacle, Congress passed the Sarbanes-Oxley Act (SOX) to tighten the responsibility of the accountant to detect fraud. Talk to someone in the accounting community about SOX and they will roll their eyes and heave a large sigh. In all levels of the attest function performed by accountants (compilation, review and audit), SOX has had an effect. The result of this increased testing is that more employee theft than ever before is being uncovered.

In fact, the American Institute of Certified Public Accountants (AICPA) released a recent study that has some astounding statistics. According to their survey of members, up to 82 percent of small- to mid-market businesses have or will experience employee theft. Of the incidences of theft uncovered, the average theft amount equals $125,000. And believe it or not, most of these thieves are not prosecuted.

Are you a victim? Most of us would immediately say, “No, all my employees are completely trustworthy.” But, what about the next employee you hire? What about the employee who has had an unexpected life change (divorce, death or other experience) that has affected his/her financial stability? What about that employee’s spouse who you might not quite trust? Could that person have undue influence to convince your employee to do something?

Employee theft can come in many forms. Look at the following ways employees can steal from you:


Does the employee who collects the cash also make the deposit and reconcile the bank statements?


Does the employee who makes the vendor payments reconcile the bank statement? Does this employee have access to online accounts or a signature stamp?


Do your employees steal time by running personnel errands or spending excess time on the phone as you are paying them for doing the company work?

Company credit cards

Do your employees have company credit cards? Are the expenses charged to these cards reviewed by someone other than that employee?

Computer access

You would be amazed at how many employees run a small business on your computer and on your company time.

How can you stop this? First of all, have a policy that strictly forbids the above activities (and other similar activities). Second, look at your business functions and determine where you are vulnerable. Third, make sure there is a separation of duties between employees who handle areas where theft could occur. Fourth, consider monitoring where employees spend their computer time.

There are many ways an employee can steal from their employer; it isn’t always financial theft. There are also many ways an employer can prevent this activity. Being aware is the first step.

Interested in learning more about employee theft? Download B2B CFO’s free, 27-page book “Top 10 Ways Your Employees are Stealing From You” at B2BCFO.com.