When it comes to preventing or detecting fraud, whistleblower hotlines remain among the best protection money can buy. They can also be an important tool for internal auditors to assess fraud risk and can provide information that increases the quality of audits, and they should be assessed on a regular basis.
In its 2018 global study of occupational fraud, the Association of Certified Fraud Examiners (ACFE) reported that tips from whistleblower hotlines were the most common way, by a wide margin, that occupational fraud is initially detected. And tips have remained one of the most common sources of detection since ACFE began publishing the report in 2010. In the same report, ACFE noted that fraud losses were 50 percent lower at organizations with hotlines than at those without them.
An anonymous whistleblower hotline should be a critical piece of any organization’s anti-fraud efforts. Likewise, since the effectiveness of anti-fraud controls is a key area of concern for internal audit, auditors can and should be looking into company hotlines to ensure they are operating effectively and are prepared to handle tips that could possibly save their company thousands or even millions of dollars.
Last year, for example, Capital One revealed that it had been the victim of a data breach in which the personal data of over 100 million people, including bank account numbers and social security numbers, were stolen or compromised. According to coverage of the breach, the theft was perpetrated by a former employee of the cloud services provider used by Capital One. The bank became aware of the issue when a tipster wrote to its security hotline, warning that some of the bank’s data appeared to have been leaked. Subsequent investigation into the tip led to discovery of the breach. While the tip was too late to prevent the breach entirely, it could have been worse had it gone undetected for longer.
Benefits of a Hotline
Whistleblower hotlines allow organizations to leverage the power of the many—what we now call “crowd sourcing.” By empowering everyone in the organization (and everyone it interacts with) to report red flags or suspicious behavior, the eyes and ears of many individuals can provide a breadth of coverage to detect fraud that a dedicated team could never achieve.
What’s more, when considering the extent of this coverage and the potential cost of undetected fraud, hotlines are relatively inexpensive and easy to implement and maintain. Depending on the organization and the level of insourcing vs. outsourcing, there are a number of factors that can impact the cost of a hotline, such as the number of communication channels (phone, e-mail, app, and others), the number of languages supported by the hotline, and the required complexity of the case management system. Multinational companies must also consider regulations in the jurisdictions they do business in to ensure that they don’t run afoul of local privacy laws. Still, with fairly basic technology needs and minimal staffing, hotlines are one of the most cost-effective anti-fraud controls any company can put in place. They also have the added benefit of being available 24/7.
One of the few downsides to hotlines is that they tend to be passive, in that they typically do not seek out fraud, but instead wait for employees (and other parties) to provide tips. This means hotlines are not necessarily good at detecting fraud quickly, and since the longer a fraud goes on the more it generally costs, the most effective approach is to use a hotline in concert with other, more active fraud detection methods, such as audits, data analytics, and other monitoring tools.
Internal Audit Assurance of Whistleblower Hotline
Although hotlines are relatively inexpensive and easy to implement, that does not mean the company can take a “set it and forget it” approach to managing them. Indeed, there are many ways that internal audit can help provide assurance as to the quality and effectiveness of the hotline program on an ongoing basis. Here are five areas to consider during audits of whistleblower hotlines:
- Functionality and Organization
The most basic thing internal audit can do is verify that the hotline exists and that it is in working order. Audits should include testing to ensure that phone numbers are operational, calls are routed properly, digital communications are transmitted properly, and instructions provided to hotline users can be followed easily and intuitively. In addition to basic functionality, internal audit can look into whether the hotline is adequately supported and has everything it needs in order to work effectively and accomplish its mission. This includes sufficient funding and access to resources, but it also includes staffing by qualified individuals with the training and expertise to handle the different types of cases the hotline receives.
These individuals should possess, or have access to those who possess, expertise in areas such as accounting, HR, legal, and security, and they should be able to demonstrate that they have received appropriate training specific to manning a hotline. Also, there must be a person in senior leadership who ultimately owns and is accountable for the hotline, and it should be clear who that person is. Finally, the hotline program needs the authority to act and the ability to guard the anonymity of whistleblowers and protect against retaliation.
It is not enough, however, for the hotline to merely exist and be available to potential whistleblowers. In order for it to be effective, employees must be aware of the hotline, understand its purpose, and know how to use it. Therefore, internal audit should seek to understand the communications strategy for the hotline. Ideally, communication about the hotline will be incorporated into a broader communication effort around the company’s ethics and anti-fraud efforts. This will help users to think of the hotline not just as a means for reporting bad behavior, but as a key part of the company’s commitment to enforcing the code of conduct. It is also important that the hotline be regularly advertised in high-visibility areas.
In addition to reviewing the communications plan, internal audit should gauge employee awareness of the hotline’s existence and purpose to see if the communications plan is having an impact on awareness and if there is opportunity for improvement. At the same time, it is not only employees who need to be made aware of the hotline. The various parties with which the organization interacts can also be valuable sources of tips as it relates to fraud, and these parties should have an awareness and understanding of the hotline program as well. ACFE reported that nearly one-third of the tips that led to fraud detection in their study came from people outside the organization, including customers, vendors, and competitors. A robust communication plan is not only important from the standpoint of user awareness, but also for capitalizing on the hotline’s effectiveness as a fraud deterrent. The greater the general awareness of the hotline, the more likely a potential fraudster will be dissuaded from trying inappropriate or illegal behavior.
Whistleblower hotlines by nature handle sensitive issues and information, and if these are not handled correctly, it is possible the hotline could expose the organization to greater risk than it is designed to control. It is critical that management have a thorough and complete understanding of all external regulations and whistleblower laws, as well as internal company policies, with which the hotline must comply. Internal audit should understand the hotline’s compliance risk-assessment process and determine whether it is staying on top of changes (and variations, particularly for multinationals) in the regulatory environment. If the organization contracts with a third party for hotline services, then internal audit should examine whether an effective third-party risk management process (including a right to audit clause) is in place around the hotline, particularly as it relates to data privacy and cybersecurity.
While the outcomes of hotline cases may be challenging to quantify, there are nevertheless performance measures that can be used to evaluate hotlines, and it is important for internal audit to have an understanding of how the hotline program measures its own success.
One of the key performance measures internal audit can use when looking at whistleblower hotlines is usage rates, or the number of calls and cases the hotline fields. There is no right number or quota of calls that the hotline should be receiving, but usage rates can provide clues as to the effectiveness of the hotline. For example, if there is a significant change in the historical trend of usage, internal audit should work with hotline management to understand the cause. Or, if the hotline is very seldom used, it could be an indicator that there is a lack of awareness of the hotline itself, or it may suggest that employees and other parties need additional education about red flags and the types of activity they should report. Another possibility, which is a key risk related to hotlines, is that potential users do not feel comfortable or confident in using the hotline.
In a paper for the DLA Piper Employment group, Tim Marshall and Michael Sheehan wrote, “Individuals are more likely to speak out…if they can be confident that their report will be acted on, that they will be protected against retaliation and that their employer is serious about weeding out corruption and mismanagement.” By looking at usage rates, in addition to conducting employee surveys and interviews and reviewing past cases, internal audit should seek to understand whether there is confidence in the hotline and if not, why.
Along with usage, response time is another important indicator. It is not only important that tips be acted upon, as noted above, but that they be acted upon in a timely manner. Failure to do so may erode employee confidence in the hotline process. Relevant response times include the time to respond to the initial report, as well as time elapsed from the initial report until some action is taken or the case is closed. Internal audit should understand what the hotline program’s goals are as it relates to response time and whether these goals are being met.
Finally, the types of cases that are reported to the hotline, regardless of severity, generally involve some type of risk to the organization, whether it be financial, legal, or reputational. Therefore, the hotline should be able to demonstrate in some way that it is making a positive impact on the organization through risk mitigation. Ideally this should include both quantitative and qualitative evidence, and while it may not always be as straightforward as calculating dollars saved due to a detected fraud, it is nevertheless important for the hotline to be able to demonstrate and articulate its value to the organization.
- Case Files
Reviewing a sample of past cases gives internal audit the opportunity to address a number of important questions around the performance and effectiveness of a hotline. When reviewing past cases, auditors should explore questions such as:
- Is there a policy in place to guide the hotline staff’s response to tips, and is that policy being followed?
- Are the people involved (hotline staff, subject-matter experts, senior leadership, etc.) doing a good job of following through from when tips are reported until they are resolved?
- Are tipsters’ identities being kept anonymous where appropriate?
- Are tipsters being protected from retaliation?
- Are documentation and record-keeping protocols being followed?
Determining the success of whistleblower hotlines is not always a straightforward endeavor. Nevertheless, there are indicators to review and questions that internal audit can ask to help provide assurance that this critical element of the company’s anti-fraud arsenal is functional and effective. With tips still the most likely source for catching fraudulent activity, it is well worth the time to investigate whether the hotline is effectively reducing fraud risk, if the hotline itself is exposing the company to any risks, and if there are any enhancements to the hotline process that internal audit could recommend.
Doing so could mean getting the next tip—and catching the next fraud—just a little more quickly.
Kevin Alvero, CISA, CFE, is senior vice president of internal audit at Nielsen.