In the auditing world, very few things are simple to understand and easy to accomplish. Today’s topic is an exception. Establishing a whistleblower hotline is one of the most important things you can do, and it is surprisingly easy and inexpensive. If you work in an Internal Audit department or sit on an Audit Committee, and you do not have a whistleblower hotline, change this as soon as possible! For you external auditors, if a client does not have a whistleblower hotline, this is a “gimme” recommendation you can make.
This post will explain why this is such a critical service, describe how you can optimize the process in your role, and alert you to some common difficulties to watch out for.
What is a Whistleblower Hotline?
When I use the term whistleblower hotline, I’m referring to a 24-hour live phone line and website administered by a third party that employees can contact anonymously to report fraud and other events. As the leader or representative of the Internal Audit department, you contract with a provider. You are not actually hiring someone to sit at a desk and man a phone line for you. Providers run and staff call centers that handle multiple clients, making this a very cost-effective service.
Whenever a reporter calls, a representative will take their information, create a report, and submit it to you and your Audit Committee chairperson. If a reporter submits a form online, they will answer different prompts and questions, which then generate the report. All communications go back and forth through the third-party provider.
There should be a protocol in place where a report made about audit will only go to the Audit Committee representative, and vice versa. Usually, there will be protocols for different types of complaints. It’s common to have the CEO and/or security officer contact notified if a threat or report of violence is made. The provider may also ask for an HR representative to notify for events like sexual harassment allegations. There are extreme cases where others need to be brought into the loop, and this should be decided in advance!
Why Your Company Needs a Hotline
You may be thinking a whistleblower hotline is not necessary, as you have multiple alert methods in place. Don’t employees already have several options where they can speak out if something is wrong? What about their manager, the CEO, or Human Resources? You have an open-door policy as Internal Audit, right? Shouldn’t they just come talk to you?
I like to think of a whistleblower hotline as one option on a buffet for employees to choose from. In a perfect world, they will go to their manager, who will handle the issue, and everything will work out. But this is the real world, and things don’t always happen the way they are supposed to.
Maybe an employee is being abused or threatened by someone well-respected, and does not believe they will be taken seriously if they report it. Perhaps they fear retaliation. It’s even possible that your reporter was part of a fraud or crime, regrets it, and wants to inform someone about what happened. Reporting anonymously might be the first step for that person to involve your audit group, expose the wrongdoing, and start to make amends.
Who is a Whistleblower?
We all believe we are at heart whistleblowers. I can tell you from experience, you don’t know how you will feel until you are actually faced with reporting a crime, abuse, or fraud. Some people are just not willing to put themselves in the line of fire to report something. They might be fearful for their safety, or scared to lose a paycheck or healthcare benefit they need to survive. Maybe they just want to report what they know and get back to work. But you still need to know if something is going on, Auditor! Don’t you want that person, regardless of their circumstances, to get the information into your hands?
Auditors have a huge incentive to get a whistleblower program started. Audit Committees, boards and CEOs who understand what these programs can offer will be supportive. If they are hesitant or skeptical, here is some food for thought. Think of the worst thing that could happen at your company. Enron, Penn State or Harvey Weinstein level bad. Now, think of how you would like this to unfold, because the truth always comes out eventually. Do you want to be the top story because a whistleblower went to the media, who listened, investigated and ultimately reported? Or, do you want to be the company that followed their established procedures, performed an internal investigation, exposed wrongdoing, and is now working with the authorities to prosecute offenders? That last one is a less interesting story which will get far fewer clicks, by the way.
This is an easy one! Internal Audit and other company stakeholders should be on the same page.
Get the Word Out!
So now that you know why you need a whistleblower hotline, let’s think about making it as seamless and effective as possible. Obviously, the first step is finding a provider. Google, call, ask questions, and follow up with references. You have the skill set to figure out which one is right for you.
Once you have your hotline set up, you need to spread the word to employees. Here are some common ways to advertise your hotline:
- Put up posters with hotline information in employee break rooms and other common areas, away from the public
- Hand out informational cards or pamphlets to employees
- Post the hotline number and a link to the website on an audit intranet page
- Send a yearly reminder email to all employees
- Talk about your hotline at new employee orientation
- Include hotline information in the employee handbook and/or company code of conduct
Get it in Writing!
You should also have an Anti-Fraud and Whistleblower Protection Policy prepared and approved as part of your implementation. This is one of the few exceptions to the “auditors shouldn’t write policies” policy. While everyone is responsible for reducing fraud, the reporting and investigation processes are owned by Internal Audit. Policy ownership is appropriate in this case.
For those who don’t have access to The Audit Library, here are some Whistleblower Policy basics. The document should describe the steps that will be taken to protect employees who use the hotline, as well as guidelines and what they can expect. I also think this is a good time to explain the consequences of knowingly and falsely accusing someone of a crime or violation. Similar to protecting the anonymity of reporters who fear retaliation for telling the truth, you need to be ready to take steps against employees who abuse the hotline in an attempt to harm others. It happens, and you need to be ready!
Finally, you or one of your direct reports needs to call the number to make a test report, and log a test report online, sooner rather than later. Does the phone number work? The link? Did the report you received match up to your version of the phone call? Was the representative empathetic and professional? Did the website survey make sense and meet your needs? Trust but verify, folks!
What to Expect Once Your Hotline is Live
Once you go live, you will probably forget about your hotline for a while. If you go a year without an alert, test the phone line and website again, to make sure it’s all working. If the issue isn’t technical, then either nothing has happened (doubtful) or the employees are choosing not to report to you. This is a time to dig deep. What is the reputation of your department? Are you trusted? Respected? If you think there’s work to be done here, ask a reliable source for feedback and invest in some training. Become the audit team that ethical reporters come to in times of need.
In my experience, once the first reporter finds you, others will follow. When someone uses it, and has a good experience, they tell their friends and confidants. Hotline activity may spike in the aftermath of a fraud or mass firing. As the entire company reflects on what happened, employees may be more likely than usual to speak out.
Investigation Tips and Tools
While each report and investigation is unique, there are certain procedures that should always be followed. Quickly acknowledge the reporter and ask any follow-up questions to get the ball rolling. Adhere to any deadlines your provider sets, such as call back dates. If you take an investigation as far as it can go without knowing the identity of your reporter, be honest and say so. Don’t make any promises you can’t keep.
Conduct interviews with a witness. If you don’t have any other department staff, see if you can borrow someone from your external audit firm for a couple of hours. Interview your subject in a central location, such as a conference room with large windows. The reporter might see you and know first-hand that you are actively investigating. Keep detailed and thorough notes of your investigation. Subscribers to The Audit Library can utilize the Alert and Investigation Tool to guide you through this process.
Finally, involve as few people as you possibly can. Check in with your CEO, and find out how much information they would like to have when a report comes in. They might appreciate a heads up, or they might prefer you to just handle it and brief them when you wrap up. When I was the Chief Audit Executive, I would share the report with my team, to see if anyone had any input or thoughts at first glance, before assigning a lead investigator. Any interviews would be performed with as little notice as possible, to gauge honest responses from subjects. Others were involved on a need-to-know basis.
Once the investigation concludes, provide an executive summary to the full Audit Committee, and try to keep it as brief as possible. It’s human nature to want to opine and speculate on a salacious story, but that’s not the role of audit or our overseers. If the conversations get too wild or hypothetical, reel the group back together and remind everyone to stick to the facts.
How to Deter Abuse
Unfortunately, there are those who see an anonymous service they can use to make complaints against others as an opportunity. Get a boss fired, retaliate against a rival, show up a peer at promotion time, etc. It’s one of the more unpleasant parts of our job, but having a plan for when (not if) this happens will help you immensely. You should always be questioning the motives of reporters. That’s not victim blaming, it’s professional skepticism and a natural part of the process!
If the motivation for a report seems to be to harm another person’s reputation for no apparent reason, this is a huge red flag! Allegations can follow a person, fairly or not, for the rest of their career. Also look out for unnecessary details or personal information being shared which is unrelated to the reported event. Honest reporters don’t have all the information, and will not overcompensate for what they simply don’t know. Consider whether or not gaps in the narrative are reasonable. Put yourself in the place of the reporter, and contemplate what prompted them to report this, why they chose to involve you specifically, and whether a person in that place/position would have access to the information they say they have.
One tactic, if you suspect your reporter is not being completely honest, is to ask them point blank what they think should be done about the event they are reporting. “What is a positive resolution, in your opinion?” is a completely fair question to ask. Express empathy, and take the investigation as far as you can. If they respond with more unfounded allegations, you can politely state that you are going to move on to other concerns.
Paperwork, Paperwork and more Paperwork!
These reports can result in a lot of documents. As a general rule, I recommend keeping a folder for each investigation, archived by date, in your permanent files or on a secure drive. For each investigation, include the Alert and Investigation Tool, or whatever summary document you used. It’s also a good idea to hold onto interview notes, bank statements, photos, report copies, and scanned copies of any responses.
I liked to keep a spreadsheet with basic report info, not because it was required, but rather to have on hand as a quick reference for the Audit Committee, regulators, external auditors, etc. Anytime I was asked what reports had been filed in a given period, I just sorted the spreadsheet, and provided a copy to whoever was making the request (assuming they were allowed to see it!) Then I could easily follow up on any questions, and provide supporting documentation. The Complaint Tracking Template is a really simple spreadsheet subscribers can use, if you see the value in this practice.
The Average Report
Most of the reports you will receive from a whistleblower hotline are not major frauds, sensational scandals or personal vendettas. Frankly, most reports are boring! If you do this for a while, you’ll get reports that you can’t do anything about. “I don’t like my job” and “my co-worker is awful!” do not qualify as audit concerns. Feel free to state out loud that you are not the morality police if needed. An alleged office romance that the subjects deny having is not something you have any authority over. Policies and procedures simply can’t address everything, and neither can you.
Just accept that the insignificant and silly reports are part of the process that eventually will yield the big investigation. For the real whistleblower to come forward, you need to have an established process in place, and a reputation for professionalism. That means knowing when to pursue an allegation, and when to check yourself and step back. Treat the reporter and the subject fairly, and don’t be afraid to ask difficult questions.
Now I want to hear from you! Do you use a whistleblower hotline? What provider do you use, and would you recommend them to your peers? Any additional tips you can provide the readers? Leave a comment!