New Benchmark Data on Hotline Programs

A new analysis of whistleblower hotline programs around the world finds that most businesses believe their hotline programs are generally effective, primarily depending on easy accessibility of the hotline and whether the hotline is managed by an independent, outside party.

So says a report issued this week by the Institute of Internal Auditors and the Association of Certified Fraud Examiners. The two groups polled more than 1,600 audit and anti-fraud professionals around the world, and pulled together their findings in a 56-page report that offers rich glimpses into what makes a successful hotline program tick. 

Among the findings:

  • The single group most likely to manage the hotline program is the internal audit function, cited by 42 percent of respondents; followed by the compliance team and the audit committee (tied at 36 percent each), and then legal and HR (tied at 27 percent each). 
  • More than 80 percent of companies offer multiple reporting channels; 28 percent offer four or more. 
  • Only 16 percent of respondents rated their hotline programs as not very effective, compared to 35 percent who said it was “very effective” and 9 percent who said it was “extremely effective.” 
  • Among companies whose hotlines allow for anonymous reporting, only 14 percent of respondents rated their hotline programs as not effective. Among companies that don’t allow anonymous reports, that figure jumps to 41 percent.

That last finding about anonymous reporting — that if you don’t allow it, your hotline is more likely to be ineffective — drives to a deeper point about hotline performance that peeks out from a number of findings in the report. Namely, the success of your hotline depends on the trust-building structures you place around it. 

For example, the report also compared hotline effectiveness depending on whether you outsource the hotline program to an independent party or manage it in-house. The result is Figure 1, below. 

Source: IIA/ACFE

 

Hotlines managed by independent parties are seen as highly effective much more often than those managed by in-house teams. That’s not surprising. When employees know that someone within the company is receiving reports, they’re less likely to trust that the hotline manager will act on their concerns, and more likely to suspect that the company will somehow ferret out their identity and retaliate.

Or look at some findings on confidentiality. Among companies with strong confidentiality protections, 49 percent rated their program as highly effective. Among those without such protections, only 29 percent did. 

Even better: when senior leaders expressed zero tolerance for whistleblower retaliation, 57 percent said they had a highly effective program. Absent those promises of protection, the number dropped to 36 percent (and 22 percent said they had a weak program). 

Hotline Accessibility Matters Too

The report also listed the common attributes that hotline programs have. See Figure 2, below. 

Source: IIA/ACFE

 

In addition to the anonymous reporting and confidentiality, it’s also interesting to see so many attributes that touch on accessibility: 83 percent running a hotline that’s available every moment of every day; 70 percent with an official whistleblower policy (which tells employees that the hotline is there for them to use); and 51 percent that can handle reports in multiple languages. Honestly that last one is lower than I’d like, but it still drives home the point that accessibility matters. 

There’s also the issue of hotline intake channels. The more channels your hotline offers, the more often it’s perceived as highly effective and the less often it’s seen as poor. See Figure 3, below. 

Source: IIA/ACFE

 

One other interesting item: companies that also had anti-fraud programs scored better on hotline effectiveness (53 percent highly effective and only 10 percent ineffective) than those without anti-fraud programs (35 percent effective and 22 percent effective).

I’m not quite sure what to make of that finding. On one level it makes sense; companies with dedicated anti-fraud teams are more likely to take complaints seriously, and therefore would be perceived as having effective hotlines. Then again, it’s mostly larger businesses that have anti-fraud programs, and they’re also more likely to devote enough resources for a robust hotline program. So clearly there’s correlation here, but not necessarily causation.

What to Do With This Report 

This is a benchmarking report, so above all else, use it to benchmark your hotline program. If you’re an internal auditor, you can use it as a blueprint for an upcoming audit of the hotline. If you’re a compliance officer, you can perform your own benchmark analysis — maybe to present to the board, or to show to auditors, or keep on file in case you’re ever in talks with regulators and need to defend your program. 

Indeed, I can’t help but recall that message from SEC chief accountant Paul Munter last fall, where he urged audit firms to do better at assessing fraud risk among their clients. Munter expressly mentioned whistleblower hotlines as something auditors could examine, as an indicator of the company’s overall control environment and corporate culture. So if you’re a compliance officer likely to have such a conversation with your auditors, this benchmark report would be a great resource to help you frame your answers. 

Moreover, the Justice Department has been crystal clear that whistleblower hotlines should be accessible, and that companies need to keep assessing the effectiveness of their overall compliance programs and make improvements as necessary. Again, this benchmarking report is a great resource to help you understand what “effectiveness” means in practice. 

Leave a Comment

You must be logged in to post a comment.