OK, compliance professionals — time to put on your thinking caps! One of our colleagues in the emerging markets wrote to me the other day looking for advice about who should manage a company’s internal reporting hotline. Let’s give him some help.
My friend hails from a second-tier country in the Asia-Pacific region, one moving up the global corporate supply chain swiftly but also still struggling with corruption in the government and private sectors. He serves on some corporate boards and consults with others on compliance, audit, and governance issues. Hence his question about who should run internal hotlines, in a country that hasn’t yet embraced the concept of a strong, speak-up culture. (Then again, how much better are we in the West, really?)
Here is his message, lightly edited for clarity:
The client’s question is which function should be in charge of the internal hotline: compliance, legal counsel, or internal audit? And when should that function report issues to the audit committee?
Our reason for asking is that the client doesn’t want the CEO to be directly involved in handling internal complaints. I often read articles that recommend companies use a “balanced approach” — but what is that balanced approach, specifically? Can the audit committee be informed immediately upon receipt of any serious whistleblower matter?
My friend isn’t wrong to say that most articles on this subject offer some form of, “Well, it depends…” and then pummel the reader with nuance and detail, because there really are 100 different ways to answer the question.
If you look closely, however, my friend is really asking this: how can the audit committee assure that internal reporting mechanisms are strong, vibrant, and free from interference?
That’s something compliance professionals ponder all the time. So let’s give him some answers.
Begin With the Audit Committee
First, I told my friend, the audit committee should be in charge of this process because the audit committee bears ultimate responsibility for responding to matters of misconduct and risk management. So while the CEO, general counsel, and compliance officer might recommend certain oversight structures for the internal reporting hotline, the final decision should come from the audit committee, and then those in-house groups implement it.
(We’ve seen that message delivered numerous times by regulators here in the United States. For example, when Citibank agreed earlier this year to pay $400 million and overhaul its risk management program, one marching order was that the board had to assure effective processes were in place to track employee complaints.)
Second, the critical issue here is that regardless of who manages the internal hotline on a daily basis, that person should have a clear path to bring hotline complaints to the audit committee whenever he or she wants.
In that case, and since I’m a stickler for clear lines of authority, I’d recommend that the audit committee codify that principle right into its charter. A statement something along the lines of: “The audit committee shall be informed of whistleblower reports any time the report involves allegations of accounting fraud, inaccurate financial reporting, or non-compliance with regulations; or any other issues the internal reporting manager deems appropriate for the committee’s attention.”
By framing the issue that way, where the audit committee expressly demands that it shall be informed about internal reports, you actually give the person in charge of the reporting hotline a certain degree of protection and empowerment. He or she can tell the CEO or anybody else who might try to bury a report, “Get lost. I’m obligated to take this to the audit committee. You don’t have the right to veto this.”
Will that language in the audit committee charter remove all the risk of obstruction or retaliation from senior executives who don’t want something to reach the audit committee? Of course not. But it does clarify how compliance, audit, and legal are supposed to handle internal complaints. When meddling or retaliation does happen, at least there will be no ambiguity that those actions go against the audit committee’s instructions. That’s an important fact to establish for regulatory investigations and even for a compliance officer’s personal career security.
So Who Runs the Hotline?
We’re still left with my friend’s original question: Who should be in charge of the internal reporting function? That is, who should be the in-house agent of the audit committee, trying to execute this part of its oversight duties?
Well, as all the other articles out there have already said, it depends.
The two primary considerations are the hotline manager’s independence, so he or she can follow an allegation wherever it may lead; and his or her competence to conduct those investigations effectively. The person running the internal hotline on a day-to-day basis needs both of those things to do the job well.
The head of internal audit usually does have more independence, which is good. But he or she may not be skilled at investigations, particularly when the issue involves potential violations of law or extensive interviewing of employees. In theory, internal audit could be empowered to use outside counsel or other advisers for complex investigations as necessary. (That would be wise, so the lawyers could exercise attorney-client privilege on behalf of the company.)
Still, internal audit is just the wrong fit for hotlines. Internal audit shouldn’t be running anything, other than internal audits and perhaps testing of controls for Sarbanes-Oxley compliance.
On the other hand, a compliance officer will be better at managing investigations, but may not have the necessary independence — especially if he or she reports to the general counsel. Hence we spend so much time talking about how to strengthen the compliance officer’s authority and reporting channels to the audit committee.
Without knowing more about my friend’s client, I suppose I’d say this: the compliance officer should manage the internal hotline on a day-to-day basis and, thanks to a crystal-clear job description, report to the CEO rather than the general counsel. Meanwhile, the audit committee should have a clear statement that internal hotline reports can be brought to it any time the compliance officer feels it necessary.
That’s my take, anyway. What am I missing? Send me your thoughts at [email protected].