This time, the focus of the report was the examination of methods for detecting and investigating compliance violations and corporate fraud.
The report is based on data collected through an online survey conducted among heads of compliance departments, internal audit/control, security, legal, and finance departments of companies operating in Russia (96% of respondents) and Belarus (4%).
According to the study, the main methods for detecting violations in the surveyed companies include:
- analysis of reports received through whistleblowing channels (used by 81% of respondents);
- work of the security department (65%);
- compliance audits (62%);
- internal audit reviews (50%).
In addition, 35% of companies reported using automated tools to identify violations – an 11% increase compared to 2020.
The study also provides aggregated data on (1) the functioning of whistleblowing channels and (2) the conduct of internal checks and investigations related to compliance and corporate fraud.
1. Functioning of Whistleblowing Channels
As noted, whistleblowing channels remain one of the key tools for detecting compliance violations and corporate fraud. According to the survey, 96% of respondents have implemented reporting mechanisms that receive messages from employees, contractors, and business partners.
The most common formats for such mechanisms include email (94%), online portals (84%), and telephone lines (76%). On the one hand, there has been an increase in the use of modern technologies – 24% of companies now use chatbots (compared to only 3% in 2020). On the other hand, the share of companies continuing to use phones and physical drop-boxes installed in offices or at production sites has remained almost unchanged, at 76% and 20%, respectively.
Some 56% of companies manage their whistleblowing channels internally, 28% outsource these functions, 12% use a hybrid model, and 4% rely on the whistleblowing channels of their parent companies (a decrease of 7.5%, likely due to the exit of a number of foreign companies from Russia).
Anonymity remains a key feature – 92% of companies allow anonymous submissions. This capability, together with growing employee awareness of the existence and use of such reporting mechanisms, is likely contributing to increased trust in these tools: 28% of respondents (compared to 14% in 2020) said that more than half of the reports they receive are relevant. However, 44% of organizations noted that in their experience, fewer than one-third of the reports prove to be relevant.
To ensure the quality and effectiveness of their whistleblowing channels, 92% of companies conduct regular performance evaluations (up from 73% in 2020). These evaluations are typically carried out by compliance departments (56%), internal audit units (44%), and company management (20%) – 16% of companies also involve external consultants.
2. Conducting Internal Checks and Investigations
All companies participating in the survey conduct internal checks and investigations into compliance violations and corporate fraud. In most cases, these processes are managed by security departments (77%) and compliance functions (62%). In some companies, dedicated working groups are involved (23%), as well as internal audit/control units (15%), legal departments (12%), and HR departments (12%). About 42% of participants also engage external experts – particularly in complex or lengthy investigations, or when a case is likely to be referred to law enforcement.
More than half of respondents (58%) stated that their companies have a fully regulated investigation process, although often without detailed procedures. Another 8% have developed a special Investigations Manual that outlines the process in detail. Around 27% of companies have partially regulated individual actions and subprocesses.
To carry out internal investigations, responsible personnel use a full range of tools, including:
- conflict of interest checks (92%),
- analysis of corporate information systems (85%),
- contract approval systems (85%),
- accounting and financial records (73%),
- supporting documentation (85%),
- employee interviews (81%), etc.
Only 38% of organizations use expert data sources, and 27% use polygraph testing – mainly large industrial companies in the metallurgy and energy sectors.
The main sources of information in internal investigations are corporate systems (81%). More than half of the respondents also use internal document management systems, video surveillance systems, and access control systems. However, 23% do not have direct access to these systems and can obtain necessary data only through requests to relevant departments. As noted by the researchers, this reliance on supplied data creates risks of information being manipulated.
Companies are increasingly adopting automated tools to detect violations. According to the study:
- 46% use IT solutions to identify affiliations between employees and third parties,
- 38% use them to detect conflicts of interest,
- 27% to identify risk indicators in financial transactions,
- 12% use software to verify the authenticity of documents.
Another 27% have implemented DLP systems to monitor corporate email, work phones, and other electronic data.
At the same time, 46% of companies reported a lack of automated tools for monitoring risk indicators in business activities, and 38% noted a lack of automation in the investigation process itself.
Most companies (58%) complete investigations within 30 days, 23% take between 31 and 60 days, and 8% take over two months.
Following investigations, the most common sanctions include disciplinary measures (85%) and termination of employment contracts (77%). In 69% of cases, investigation materials are referred to law enforcement. About half of the companies also apply financial penalties – 54% recover damages from the employee, and 50% reduce or withhold bonuses.
Based on the outcomes of investigations, the vast majority of companies (88%) implement measures to prevent similar violations in the future.
Additionally, 81% of companies assess the effectiveness of their investigative procedures. For half of the respondents, this is done through periodic self-assessments. Only 15% involve independent external experts in the evaluation process.
*The study was conducted in three stages throughout 2023. Reports from the first two stages, published last year, are also available on Kept’s website: “Portrait of a Modern Compliance Professional” and “Compliance in Practice: Due Diligence and Other Risk Mitigation Measures”.