Audit committees should consider the following questions when assessing the design effectiveness of a hotline:
- Does the hotline have a dedicated hotline number, fax number, website, e-mail address, and regular mail or post office box address to expedite reports of suspected incidents of misconduct?
- Does the hotline demonstrate confidentiality, including showing how caller ID, e-mail tracking, and other technologies cannot be used to identify the whistleblower? Has the entity considered use of an independent hotline operator to enhance the perception of confidentiality in addition to any real improvement?
- Does the hotline use trained interviewers to handle calls to the hotline rather than a voice mail system?
- Is the hotline available 24 hours a day, 365 days a year?
- Does the hotline have multilingual capability to support hotline callers with different ethnic backgrounds or who are calling from different countries?
- Are callers provided with a unique identification number to enable them to call back later anonymously to receive feedback or follow-up questions from investigators?
- Does the entity have a case management system to log all calls and their follow-up and to facilitate management of the resolution process, testing by internal auditors and oversight by the audit committee? To download a sample tracking report that audit committees can use for this purpose, click here.
- Has the entity established protocols for the timely distribution of each type of complaint, regardless of the mechanism used to report the complaint, to appropriate individuals within the company and to the audit committee and board of directors where appropriate? Are complaints of any kind involving senior management automatically and directly submitted to the audit committee without filtering by management or other entity personnel?
- Does the entity effectively distribute comprehensive educational materials and training programs to raise awareness of the hotline among potential users? Are these materials available in all relevant languages given the potential user base, and do they take into consideration cultural differences that may require alternative approaches to achieve the desired goal?
- Does the entity support outreach to potential stakeholders other than employees?
- Do the entity’s internal auditors periodically evaluate the design and operating effectiveness of the hotline? What were the internal auditors’ conclusions regarding (a) how the hotline reflects changes in the company’s operations and in best practices, (b) whether the hotline is receiving satisfactory support from management, employees and other participants, and (c) whether protocols established for forwarding information to the audit committee have been followed?
—Prepared by the AICPA Antifraud Programs and Controls Task Force.
More from the JofA: