Whistleblower Hotlines, Internal Control and the Link to Sarbanes-Oxley

Lynn Fountain's Profile

The requirement for financial whistleblower hotlines surfaced out of the Sarbanes-Oxley legislation.  Yet, although hotlines have been in place for many years, their effectiveness as a method of internal control can be questioned and debated.  If you question that concept, consider some of the following information and questions that can help you solidify the effectiveness of the control procedures of your hotline.

Few if any professionals enter a position within a company with the goal to be a whistleblower. But in today’s complex and dynamic business world sometimes things just happen. When those incidents occur, if there isn’t an appropriate outlet for reporting concerns and if the company has not instilled a culture of openness, transparency and strong ethics, professionals can find themselves in a morale predicament. We know from studies of human behavior that the concept of right and wrong, good and bad, morale or immoral can relate to an individual’s upbringing, social or economic status or even religious or personal beliefs. Most whistleblowers don’t call a hotline because they are furious with a company or want to get back at a particular person; they have an intrinsic belief that the observed behavior or actions was truly wrong. If the person has reached a point of feeling the need to call an anonymous hotline, then the potential issue may have already reached a peaking point higher than management may have ever anticipated.

The  actual statistics around personal implications to whistleblowers can be daunting to anyone thinking of utilizing a hotline. Information from a study of 233 whistleblowers identified:

• 90% were later fired or demoted
• 27% faced lawsuits
• 26% later sought psychiatric or physical care

•25% suffered alcohol abuse
• 17% lost their homes
• 15% got divorced
• 10% attempted suicide
• 8% went bankrupt.

Despite these disparaging statistics, only 16% of individuals within the study indicated they would not blow the whistle again. The reason is linked to their individual moral belief that what they were doing was truly “the right thing to do.” Their purpose was not to “rat” on the company but to “right some wrong.”

Corporate Hotline History

If what has been outlined and written about hotlines is strong advice, why do we continue to see corporate struggles and scandals leading to whistle-blower complaints?  Either the current outlined processes are not sufficient, or companies just aren’t listening.

Let’s start back at the beginning. Why should we pay attention to previously reported or high-profile whistleblower cases?  Whenever human behavior is involved, peering into past scenarios can teach us a great deal about what concepts work and which don’t. Hopefully, we learn from mistakes of the past and take appropriate steps to prevent similar issues in the future. Preventing future issues requires understanding the reason why an issue occurred, how it occurred and what could have been done to prevent it.  Before you dismiss that possibility, ask yourself what you know about your own company’s whistleblower process. Answer a few of the questions below to begin to assess your program?

How is the program communicated throughout the organization?

  • Is communication managed on the company’s code of conduct? If so, how often are employees asked to affirm the code t and in what manner does that affirmation occur?
  • Are there posters throughout your corporate headquarters? If so, where are they placed? Are they in strategic areas where employees would recognize or hidden behind  hallways, corners or doors?
  • Is the hotline process posted on your internal web-site in a place that is easily identified by employees?  

How often is there open communication by senior leaders about the hotline with employees?

  • Do managers openly endorse the program or reluctantly comply?
  • Is there some unwritten code rumored regarding the hotline which results in employees feeling uncomfortable reporting an issue?
  • How does management communicate the protocol for investigating issues that come through the hotline? Would an employee be able to recite that protocol?

How and who manages your hotline?

If it is internally managed, how do you ensure employee confidentiality? It is not enough just to state in a policy that the hotline is confidential, if actions are as loud as words, policy statements alone will go untrusted by employees. Consider:

  • If it is externally managed, have you checked its effectiveness?
  • If you were to call the hotline, how effective does the representative understand the issue being reporting?
  • Is the call tape recorded? If so, is the caller informed that they are being recorded?
  • What type of facts and information does the representative ask for? Are they simply recording what you say or are they receptive enough to ask questions to help better explain and understand the full scope of the issue?
  • How quickly do calls get communicated to the proper individuals within the organization for investigation?

Are calls received through the hotline taken seriously or viewed by managed as something that has to be administered?

  • Would employees be able to relay any positive outcomes of the hotline?
  • How long does it take management to investigate or react to an issue?
  • Are issues “always” resolved with no concerns? If so, do you have any concerns about how the issue was investigated?
  • Who decides that an issue has been completely and thoroughly investigated? Is there a protocol for investigation?

How are the results of hotline issues reported to the Board and Audit Committee?

  • Does the Board receive statistics of calls or are they informed of the substance of the issues?
  • Do they ask the hard questions of management about reported issues?
  • Does the Board have input into the investigation process?

All of these questions are important when assessing the effectiveness of your hotline. Be cautious of relying too heavily on statistics. Statistics are only as good as the information collected.  If the hotline call is wrongly classified, improperly evaluated or assessed, or improperly handled and responded to, the statistics may have little or no meaning.

If you are a member of a company’s Board, ask yourself:

  • What information is provided to you regarding the content and resolution of calls coming through the hotline?
  • Are you satisfied with the reporting of just numbers?
  • Are you aware of the facts behind more significant complaints?
  • Are you satisfied with the investigative techniques?
  • If not, ask yourself why.

Whistleblowers will continue to be a component of corporate America and part of the ongoing story of corporate governance practices. It is evident through legislation that regulators believe the existence of a whistleblower hotline is important. The effectiveness of these hotlines will be are something that will continue to be debated in the corporate world.

Companies can make a difference within their own procedures. To do this, they must understand the reason and importance of the hot- line process to their own governance procedures. Executives must set the right tone and be open to the communication protocols that are established to provide the proper outlet for the flow of information.

Learn much, much more in Lynn's SOX courses and her world-class SOX Certification on Illumeo.


Former Chief Audit Executive for two global companies, expert in leadership, SOX, COSO, ERM and corporate governance frameworks. Nationally recognized trainer, speaker published author.