Compliance officers continue to fret over the effects of the Securities and Exchange Commission's whistleblower program, established by the Dodd-Frank Act, which has earmarked payouts to those who report tips on corporate fraud.

They're concerned employees could ignore internal corporate compliance hotlines in favor of running straight to regulators with their tips so they can collect the reward, rendering those hotlines less effective.  Compliance and internal audit professionals are now looking for ways to ensure that compliance hotlines remain a viable tool for the organization.

Although little public data is available, indicators suggest a steady flow of high-quality information is making its way to the regulator. Sean McKessy, who joined the SEC as its first chief of the Office of the Whistleblower, says, however, that employees don't seem to be bypassing internal hotlines. In fact, McKessy says, most tips to the SEC have already been reported internally.

George Canellos, SEC deputy director of enforcement, recently told a legal conference that the whistleblower program appears to be an early success. “We've seen an uptick [in the number of tips], but it's not exactly clear how much of an uptick ... What's really clear is the quality of those tips has greatly improved,” adding that market manipulation, dishonest accounting, and potential violations of the Foreign Corrupt Practices Act are the most popular topics of whistleblower reports.  

This is positive news, but it buoys the importance of maintaining an effective internal hotline, and assuring that internal auditors play an essential role in monitoring it. The historical stigma of the whistleblower as informant has its various cultural explanations, yet the discomfort is universal so making sure the hotline works as it should is critical.

Fraud specialists still consider whistleblower reporting mechanisms as one of the most effective means of fighting corruption and detecting fraud in organizations. The following is a case example that demonstrates the value of a hotline and the role of internal audit in supporting its effectiveness.

Background

This case description involves a large publicly traded health benefits company that provides a range of medical and speciality products.

The company had a large IT department that many viewed as a separate part of the organization. As a result, they were often overlooked when it came time to communicate and promote company-wide initiatives. The IT department was also suffering from poor morale and frequent turnover of programming staff.

A telephone helpline had been in place for approximately two years. A broad range of issues were reported through the helpline, including allegations of regulatory violations and employee misconduct. Feedback from employees regarding the helpline was generally positive with a significant percentage of callers (approximately 15 percent) using the mechanism to seek guidance.

The helpline was active, and averaging 1.5 calls per 1,000 employees per year since inception. The internal audit department observed, however, that not a single member of the IT department made a report or sought guidance through the helpline. The compliance department then realized that while all company regions provided basic training on the compliance and ethics program, regional compliance officers did not include IT staff as “regional” employees. Similarly, the corporate units did not include IT in their compliance training.

The compliance officer determined that a compliance liaison needed to be formally designated for the IT function and given the responsibility of ensuring implementation of core compliance and ethics program activities for the department. A new chief information officer had recently been hired who was supportive of the ethics and compliance program. As a result, IT employees finally began receiving basic training and communications regarding the company helpline.

As training to IT employees was implemented across the organization, the typical initial surge of calls started coming to the helpline. The compliance and ethics department observed that calls coming from IT employees concerned two major issues:

Questions regarding conflicts of interest and hiring of family members

Allegations that certain managers (director-level and above) were manipulating certain metrics to maximize their annual bonus

Conflicts-of-Interest Resolution

Upon evaluating questions regarding conflicts of interest and the hiring of family members, internal auditors learned there was a widespread perception of favoritism and inappropriate reporting relations in the IT department. A review was conducted with the support of human resources that included questioning all IT managers about their direct reports and employees of their unit. The company determined that there was only one instance of a manger hiring a family member (a brother-in-law), but that person did not report to the manager and was in a different section of the IT organization. Still, the review found that managers occasionally would refer friends or family members to another manager, and employees believed the referring managers exerted influence in the hiring process.

The historical stigma of the whistleblower as informant has its various cultural explanations, yet the discomfort is universal so making sure the hotline works as it should is critical.

Because of the misperceptions, which the company believed was affecting morale, all the IT managers received training on appropriate employment practices (hiring, performance reviews, discipline, and retention). Communications were also delivered to all IT employees explaining policies and practices regarding the hiring of family members.

During follow-up with callers to the helpline, the callers stated that the work environment in the IT department had noticeably improved. They also expressed gratitude that their questions were answered and that their issues were addressed. The callers felt their concerns were taken seriously when they saw the communications on hiring practices and upon having discussions with managers during staff meetings. Staff retention started improving in the department.

Manipulation of Data

The company also made an effort s to get more detail on the allegations by anonymous callers that managers were manipulating data to improve their annual bonuses. The human resources leader responsible for incentive compensation noted that the same allegation was made by an anonymous letter the prior year, but it was difficult to investigate the matter due to limited information. For instance, there were over 10 managers with varying compensation factors who could potentially fall under the allegations. Further, the data sources on which some of the metrics were based were not centrally maintained and controls were loose. A comprehensive investigation at that time would have been difficult and time intensive.

Through the telephone hotline, internal auditors were able to obtain more information from the callers, thus isolating the metrics and the managers in question. It was determined that the bonuses of a select few IT managers were indeed influenced by a questionable data source, which was controlled by a non-manager with minimal oversight and controls.

Following interviews with the key individual and review of the data file (including forensic analysis), it was determined that one IT manager had misrepresented information provided to the staff person maintaining the data. Notably, this staff person also reported to this manager. As a result, the IT manager's bonus compensation was inflated.

The IT manager was subsequently terminated. The compliance department and internal audit also worked with HR to review all bonus compensation arrangements to assess appropriateness and potential for data manipulation. Performance incentives were adjusted and stricter controls on pertinent data files were implemented. The board and senior leadership began considering linking ethics- and compliance-oriented conduct and measures to bonus compensation and other company incentives.

Observations

The case study provides support for several basic tenets of an effective ethics and compliance helpline.

First, a helpline is of no value if the workforce is not aware of it. Although a helpline was in place, it became apparent that a segment of the company had not been informed. And it was hotline data that revealed this gap. By reviewing data segmented by region, department, incident classification, and other criteria, it became obvious in comparison to the rest of the organization that the IT department had not used the helpline.

The ethics and compliance office obtained support from the CIO for making IT part of the helpline community and for designating an accountable liaison within the IT function. The support of department leadership likely influenced the success of the training and communications delivered by the ethics and compliance staff.

Awareness of the helpline is not sufficient to ensure success. The company made sure that issues and allegations were addressed and investigated, as needed. Employees who choose not to report wrongdoing indicate a belief that nothing will be done anyway, so why take the risk? Employees also cite fear of retaliation as a reason for not reporting.

Here, the ethics and compliance office with internal audit support established the credibility of the helpline as a resource to raise issues and report misconduct. The concerns regarding nepotism and conflicts of interest were taken seriously, and although the   violations were not as widespread as the calls indicated, the review went a long way to clear the air.

The investigation and dismissal of the manager who manipulated data to increase bonus compensation sent a message to the department that such conduct would not be tolerated. Without the reports by anonymous callers, it is highly unlikely this scheme would have been uncovered. And the telephone mechanism enabled a degree of interactivity that supported a detailed investigation—which had not been possible by submission of an anonymous letter.

The helpline proved to be a successful management tool. Before the helpline was utilized, the IT function was a hotbed of discontent and high turnover. Once underlying concerns were safely raised and addressed, employee satisfaction and retention improved. Clearly the helpline supported a culture of compliance and ethical behavior in the workplace, which in turn fostered satisfaction in the workplace.