Why don't CIOs turn in more insider criminals? No one suggests that CIOs routinely cover up corporate crime, but management pressures may inhibit CIOs from acting on their suspicions early in a fraud scheme.
It's rare to happen upon a digital smoking gun that incontrovertibly proves a corporate crime. It's later, during a formal investigation once auditors know what they're looking for, that the obviously damning evidence is uncovered. Early on, though, a CIO might notice something amiss. Perhaps a network activity log shows unusual patterns or some entries in the general ledger look off. CIOs may hesitate to step forward, feeling they don't know enough about the intimate workings of finance, says Jim Anderson, a management consultant at Blue Elephant Consulting. (For more, see "How CIOs Can Learn to Catch Insider Crime.")
"They think, 'I'm probably wrong. I probably just don't understand it,'" Anderson says. He adds that such self-doubt may be more common in CIOs who report to CFOs, as about 23 percent do, according to our annual State of the CIO survey.
Also, bringing up vague concerns could mar the relationship between the CIO and whomever he tells, and certainly whomever he accuses, Anderson says. To avoid that, the CIO might sweep aside his ideas and assume, as so many professionals do, that internal and external auditors will catch anything untoward.
Finally, many companies lack a clear process for reporting suspected wrongdoing. It may seem obvious that someone should go to a manager or the human resources department, even the CEO. But without a well-known policy for how to handle the situation, some employees, even CIOs, will do nothing, Anderson says. If someone is busy with everyday work and unsure of himself already, he says, "the issue just dies."
Follow Senior Editor Kim S. Nash on Twitter: @knash99.