Audit Committee Considerations for Whistleblower Hotlines

Audit committees should consider the following questions when assessing the design effectiveness of a hotline:


  • Does the hotline have a dedicated hotline number, fax number, website, e-mail address, and regular mail or post office box address to expedite reports of suspected incidents of misconduct?
  • Does the hotline demonstrate confidentiality, including showing how caller ID, e-mail tracking, and other technologies cannot be used to identify the whistleblower? Has the entity considered use of an independent hotline operator to enhance the perception of confidentiality in addition to any real improvement?
  • Does the hotline use trained interviewers to handle calls to the hotline rather than a voice mail system?
  • Is the hotline available 24 hours a day, 365 days a year?
  • Does the hotline have multilingual capability to support hotline callers with different ethnic backgrounds or who are calling from different countries?
  • Are callers provided with a unique identification number to enable them to call back later anonymously to receive feedback or follow-up questions from investigators?
  • Does the entity have a case management system to log all calls and their follow-up and to facilitate management of the resolution process, testing by internal auditors and oversight by the audit committee? To download a sample tracking report that audit committees can use for this purpose, click here.
  • Has the entity established protocols for the timely distribution of each type of complaint, regardless of the mechanism used to report the complaint, to appropriate individuals within the company and to the audit committee and board of directors where appropriate? Are complaints of any kind involving senior management automatically and directly submitted to the audit committee without filtering by management or other entity personnel?
  • Does the entity effectively distribute comprehensive educational materials and training programs to raise awareness of the hotline among potential users? Are these materials available in all relevant languages given the potential user base, and do they take into consideration cultural differences that may require alternative approaches to achieve the desired goal?
  • Does the entity support outreach to potential stakeholders other than employees?
  • Do the entity’s internal auditors periodically evaluate the design and operating effectiveness of the hotline? What were the internal auditors’ conclusions regarding (a) how the hotline reflects changes in the company’s operations and in best practices, (b) whether the hotline is receiving satisfactory support from management, employees and other participants, and (c) whether protocols established for forwarding information to the audit committee have been followed?


—Prepared by the AICPA Antifraud Programs and Controls Task Force.


More from the JofA:


 Find us on Facebook      Follow us on Twitter



Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


News quiz: Retirement planning, tax practice, and fraud risk

Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.