All organizations are subject to wrongdoing by their employees, including fraud. Countless organizations know from past experience that it is impossible to completely eliminate this risk. However, deterrence using various management and control mechanisms help reduce the risk. Chief among those mechanisms is an effective program that encourages and supports whistleblowing. A whistleblower is someone who reports wrongdoing to denounce perpetrators and seek justice. The whistleblower may be an insider such as an employee or contractor, or may be an outsider such as a customer, supplier, competitor, investor, or any other stakeholder or member of the public at large. Approximately one third of whistleblowers are outsiders.¹

The most effective mechanism

Research by the Association of Certified Fraud Examiners (ACFE) indicates that “whistleblower tips are by far the most common way that fraud schemes are detected.”² According to the research, whistleblowing accounts for 43% of fraud detection (and presumably any other type of wrongdoing), which is more than three times the amount of fraud detected by any other method such as internal audit, monitoring, accounting, or control procedure (Figure 1). These findings are not really surprising given the astute and elaborate schemes used by perpetrators, including bribery, kickbacks, conflicts of interest, theft, misappropriation of assets, and financial statement fraud. Detection of wrongdoing and fraud schemes can be rather difficult.

Much room for improvement

Such is the whistleblowing imperative that 75% of ACFE survey respondents report that their organization have a whistleblower program with a hotline for receiving disclosures.³ Hotlines may include a dedicated phone line, a secure email address, a web-based platform, and ideally all of these portals. The hotlines may be managed internally by a dedicated group, or by an external party such as a law firm on a contract for receiving whistleblower disclosures. Functions or groups typically mandated for receiving disclosures include internal audit functions, ethics and compliance divisions, fraud investigation teams, and audit committees of the board.

Given the prevalence of wrongdoing within organizations, the effectiveness of whistleblowing, and its emphasis in legislation such as the Sarbanes Oxley Act (2002), and the Dodd-Frank Act (2010), it is rather surprising and troubling that 25% of ACFE survey respondents report that their organization does not have a formal whistleblower hotline program, defined as “a program consisting of one or more mechanisms or initiatives designed to encourage and collect reports from parties with information about potential wrongdoing or misconduct.”⁴ Of the 75% who report having such a program, only 44% consider their program “extremely” or “very” effective.⁵ Accordingly, only 33% (44% x 75%) of organizations have a satisfactory whistleblower hotline program (Figure 2).

Trust is paramount

An effective whistleblower program is important for identifying all types of wrongdoing, including fraud. It is also critical for maintaining organizational reputation.⁶ Whistleblowing is a prevention and detection mechanism. It provides deterrence by making wrongdoing a lot more difficult to get away with. It is by far the best mechanism for detection. Surprisingly, current laws and regulations provide limited guidance for setting up an effective whistleblower program.⁷

Research by the ACFE and the IIA indicates that “the foundational component for an effective [whistleblower] hotline program is trust. If parties do not perceive that whistleblower reports will be taken seriously, that whistleblower identities will be safeguarded, and that whistleblowers will be protected from potential retaliation, the presence of other program components will have little effect on the overall program effectiveness.”⁸ The ability to provide information anonymously, and to provide it confidentially using secure communication channels are key considerations. Figure 3 illustrates the most common approaches used by organizations to protect whistleblowers.

Strong governance is fundamental

As mentioned by Mr. David Doyle, former Chief Compliance Officer of Starwood Hotels and Resorts, “a whistleblower hotline won’t do the organization any good if it isn’t supported with a culture that encourages people to pick up the phone or log on to report any concerns they may have. There needs to be the proper tone at the top – the board and management must be seen to be committed to the program and, whenever possible, be seen to be acting on the information that comes in.”⁹

Based on research by the ACFE and IIA, hotlines “entirely or partially administered by an external third party are perceived as more effective than hotlines administered solely by internal staff (…). Employees may trust an outside, professional hotline provider to be more impartial or to better protect incoming reports than inside parties who might be subject to organizational politics or have a vested interest in the outcomes of any reports received.”¹⁰ Professional hotline providers include law firms that specialize in ethics and compliance. If a hotline is managed internally, it is critical for the function to be independent from management, and to be perceived accordingly.

Whether a whistleblower program is managed externally or internally, there must be oversight and accountability within the organization regarding the function and process involved. In my view, the audit committee of the board of directors (or equivalent representatives) is the only body capable of exercising real and effective oversight without being in a conflict of interest. The function receiving whistleblower disclosures must have direct and unfettered access to the audit committee, and should absolutely report to the committee (solid or dotted line). The audit committee must set clear policies and guidelines regarding the issues to be informed with, the means and frequency of information, and how issues should be assigned for resolution. Finally, the audit committee should receive regular reports and briefings on the whistleblower disclosures, decisions to investigate or not, timelines and costs of investigations, and conclusions or resolutions of cases investigated.

Process effectiveness is essential

The ACFE and the IIA offer guidance on governance and best practices for whistleblower hotline programs. Their guidance is available in: Building a Best-In-Class Whistleblower Hotline Program, published in 2023. Table 1 outlines key practices for an effective process.

Conclusion

Whistleblowing is critical for deterrence, prevention and detection of all types of wrongdoing and fraud within organizations. However, just like any other risk management and control process, the effectiveness of a whistleblower program is contingent upon a strong governance setting, a sound management framework, and an effective process for receiving and managing disclosures. Despite more than 20 years of Sarbanes Oxley and associated reporting on controls over financial reporting, it is surprising and troubling that only one third of organizations are perceived to have a satisfactory whistleblower hotline program according to ACFE members. There is very good guidance from the ACFE and IIA, and from the International Standards Organization (ISO, standard 37002). Given the critical importance of whistleblowing, the nature of the legislations and regulations advocating for it, the scale and costs of the wrongdoing and fraud previously encountered leading up to these legislations and regulations, and the amount and quality of the guidance available, it is completely unacceptable for an organization not to have a truly effective whistleblower hotline program.

Endnotes

__________________________

¹  Association of Certified Fraud Examiners (ACFE), Occupational Fraud 2024: A Report to the Nations, p.23.
²  Association of Certified Fraud Examiners (ACFE) and Institute of Internal Auditors (IIA), Building a Best-In-Class Whistleblower Hotline Program, (2023), p.1.
³  Ibid., p.1.
⁴  Ibid., p.1.
⁵  Ibid., p.16.
⁶  Deloitte, Perspectives on Whistleblower Programs: David Doyle, CCO, Starwood Hotels & Resorts, (Wall Street Journal, Deloitte Risk Journal, October 5, 2016).
⁷  Ibid.
⁸  Association of Certified Fraud Examiners (ACFE) and Institute of Internal Auditors (IIA), Building a Best-In-Class Whistleblower Hotline Program, (2023), p.3.
⁹  Deloitte, Perspectives on Whistleblower Programs: David Doyle, CCO, Starwood Hotels & Resorts, (Wall Street Journal, Deloitte Risk Journal, October 5, 2016).
¹⁰ Association of Certified Fraud Examiners (ACFE) and Institute of Internal Auditors (IIA), Building a Best-In-Class Whistleblower Hotline Program, (2023), p.18.