​

David Welch was the CFO of Cardinal Bankshares when he became aware of what he thought was potential accounting misconduct on the part of other insiders. He reported his suspicions to his supervisors. Not long after filing that report, Welch was fired. He sued Cardinal Bankshares for unlawful termination and retaliation under the whistleblower’s act. The Virginia-based bank claimed in court that Welch was terminated because he failed to cooperate with the company’s investigation of the alleged financial irregularities. The judge found that the evidence did not support the company’s claim, and ruled that Cardinal Bankshares was guilty of retaliating against Welch for his whistleblower activities.

This case is significant because it is one of the first cases of whistleblower retaliation brought to court based on the Sarbanes-Oxley legislation, which requires as one of its corporate governance provisions that companies give employees a way to report financial irregularities anonymously. The legislation seeks to protect whistleblowers like Welch through anonymity. One proven means of achieving this objective is a confidential hotline. By giving employees a secure way to share what they know, hotlines help companies uncover internal and external fraud, as well as other unethical activities that can ultimately hurt an organization.

The Association of Certified Fraud Examiners cites the value of receiving tips when fighting fraud. Its 2004 Report to the Nation found that tips were the most common method for detecting fraud. The survey also found that organizations without a hotline lost twice as much money in a fraud scheme as companies with a hotline, presumably because of the hotline’s effectiveness as an early detection device. 

Before establishing a hotline program, companies must consider how the hotline should be set up, how to get out the word, and how to handle tips.

Setting up a service. The hotline must be set up properly to be effective. The key objectives are to ensure maximum availability, engender trust, and provide true confidentiality.

With regard to availability, the service should be up 24 hours a day throughout the year. It is critical to offer around-the-clock service, because 40 percent of hotline calls happen outside of traditional business hours. In addition, calls should be answered live, because some callers will be put off if they have to leave a recorded message.

The hotline number should be a toll-free call. If the company has offices in more than one location, it should ensure that each location, whether in a different state or country, can access the hotline through a toll-free number.

The origin of calls should remain secret and the gender of the caller should not be revealed in the resulting report. These are important aspects of protecting confidentiality.

Since trust is a major factor in the success of a hotline, the company may want to consider outsourcing the program. Having a third party handle the hotline helps to alleviate the concern that “anonymous” calls will go to a company person who will recognize the tipster’s voice.

Spread the word. Ethics programs fail either because the program lacks credibility or because there is insufficient communication between managers and employees. In setting up the communication program, security personnel should, therefore, keep those twin concerns in mind.

First, some information about the hotline should come from top management to give the program credibility and to illustrate the company’s dedication to workplace ethics. The next step is making sure that anyone who could possibly know about fraud knows about the hotline. Among the issues to consider when getting out the word about the hotline are what to highlight in communications about the program, whom to target, and what media to use.

What to highlight. At first glance, getting the word out about a hotline program seems fairly simple. There is, however, more to it than just publishing a phone number.

The communications campaign should first list the types of activities, such as kickbacks, that should be reported. Doing so helps to reinforce the idea that these are prohibited activities. The communication should then list the various ways of reporting these activities, including talking to a manager, calling the security department directly, or calling the hotline.

Information on how the hotline is run and what will happen when someone calls should be a key part of the message. This communication should educate employees about how confidentiality is ensured (that calls aren’t recorded and can't be traced, for example), so that tipsters will have more confidence about reporting their concerns.

Whom to target. Hotlines are most effective when information about how to use them is widely and prominently disseminated. The objective is to ensure that contact information is at hand whenever a person has the impulse to provide an anonymous tip.

It is also advisable to go beyond direct employee notification when advertising a hotline. While a majority of tips do come from the employees, other sources—customers, suppliers, and shareholders—generate helpful information as well. Security can never know who may be aware of an activity that is costing the organization money. Former employees could report illegal activities they have heard about from current employees and suppliers could report requests for kickbacks that they have received.

The usefulness of communication to nonemployees is illustrated by the example of one large company that began printing the hotline number on all checks issued to suppliers. In response, the company received a hotline tip from a major supplier’s employee. This honest person had inside knowledge of a long-term overbilling scheme that was costing the company substantial amounts of money. Thanks to that tip, the company was able to stop the fraud and recover its losses.

What media to use. Security must evaluate the availability of various media. An ideal communication plan will include more than one medium, preferably incorporating both written materials and face-to-face meetings with managers. This multipronged approach to communication will reinforce both the message itself and the importance of the ethics initiative.

Security should consider intranet sites, company e-mail announcements, shareholder mailings, in-home mailings, and company town hall meetings as media for the ethics hotline message. Security could also leave supplies of wallet-sized cards with the hotline number in break rooms for employees to take home with them. The more vehicles security uses for communication, the more tips it will receive.

Many organizations also post hotline signs in areas visible to their customers. Another tactic is to include the information in a letter mailed to the employees of suppliers, or to print the hotline number on all checks distributed to vendors, as in the case noted earlier.

Establishing trust. Each round of communication is likely to result in an increase in the call volume received via the hotline. If security finds that this is not happening, it should look into the situation. 

One example of a program that needed some attention was the hotline at a large airplane manufacturer. As reported by the company’s auditors, the audit showed that the program was well known thanks to training and posters; 98 percent of employees had received ethics training and were aware of the hotline, and posters about the program were displayed in high-traffic areas.

Despite these findings, the audit also revealed that almost half of the employees did not think they could call the hotline anonymously. The auditors noted that the employees feared retaliation and that the hotline did not appear to be available around the clock. The lack of trust that the information would be kept confidential prevented the hotline from being as effective as it should have been.

How to handle tips. The hotline will receive reports of many different types of activities. Depending on the nature of the information and the company's protocol, the tip could be forwarded to corporate security, internal audit, loss prevention, an ethics officer, or external investigators.

For example, reports of discrimination might be sent to a corporate human resources officer, while reports involving employee theft might be routed to one of several regional loss prevention officers, based on the location of the complaint. Allegations of misconduct by an executive might need to go to an external investigations team.  Thus, each new tip needs to undergo a triage process to ensure that it is sent to the right recipient.

To avoid an ad hoc approach, a detailed matrix for report distribution should be developed and maintained. Persons in charge of distributing tip information after it is received should be kept apprised of turnover that might affect the distribution list.

An important aspect of dissemination is including a system for checks and balances to protect the company from accusations of covering up illegal behavior. For example, if the program provides for only one person to receive a report of suspected misconduct, the system is vulnerable to cover-up by that person. Dual dissemination, in which all reports are sent to at least two recipients, mitigates that risk.

Some companies have all reports of fraud sent to an internal audit department as the primary recipient of the information, with a copy to the ethics officer as the secondary recipient. The ethics officer is then aware of every allegation that arises.

Notification. Although many hotline reports do not require immediate notice, there are certain situations that warrant quick reaction. Reports generally resulting in immediate notification include threats of violence or physical harm to employees or customers, threats of business interruption, and notice that an illegal activity is expected to happen within the next 24 hours.

Whoever operates the hotline must have a way of contacting designated company representatives 24 hours a day, seven days a week in case a particularly time-sensitive report is received. The best approach is to provide a list of key personnel’s home and cell phone numbers to the hotline operators.

Response. How a company responds to tips is critical to the long-term success of the hotline. If an employee makes the difficult decision to report an issue and the company does not react appropriately, the credibility of the hotline will be diminished. A poor response may cost the company future opportunities to receive information that could help prevent or detect unethical activities.

There is more at stake than just the credibility of the hotline, however. If a company reacts inappropriately to allegations of fraud and takes disciplinary action before an investigation takes place, the results can be costly and embarrassing. 

One issue that bears attention in this regard is the potential misuse of the hotline by employees who may be disgruntled or have a grudge to settle. This concern is minimized by offering a professionally operated hotline involving a live interview. People attempting to file a bogus report are generally discouraged by the detailed nature of a live interview and often abandon the report when it becomes obvious that their fabricated story will not stand up to close inspection.

It is important to note that this is a serious weakness of Web-based hotlines that do not involve a live conversation. It is the interaction between an intelligent interviewer and a person who must answer questions immediately that makes false reports less likely.

Investigation. The objective during an interview with an anonymous caller is to gather as much information as possible so that investigators can conduct a thorough investigation. Anxious callers frequently need help organizing their thoughts, and the challenge for the interviewer is to ask probing questions that cover all pertinent lines of inquiry.

Ideally, the interviewer should obtain information such as the time and place of the incident, length of time the illegal activity has been ongoing, names of the accused, and the nature of any documentation that could provide assistance in the investigation.

The interviewer should also try to get the names or descriptions of any known witnesses and a detailed description of the nature of the allegation. Some of this information may be difficult to obtain because the caller might not know the information or the caller might hang up without completing the full interview.

Since most tips are from anonymous sources, it will be difficult for security to evaluate the source. But protecting the caller’s identity is key to a successful program.

The hotline report should use language designed to help protect the caller. For example, the caller should not be identified by gender. In addition, the hotline provider should not track incoming calls or use caller ID; there should be no possibility of tracing the caller. Data-security measures should be comprehensive, including physical security of the facility, data encryption, and hacker protection.

One potentially helpful tool is to maintain a dialogue with an anonymous caller. To accomplish this, the interviewer asks the caller to call back on a certain date and provide an ID code that will link to his or her report. The investigator then has an opportunity to send in questions after the initial report. These questions are relayed to the anonymous caller who may then help advance the investigation.

With or without this follow-up, however, the investigator must perform clearly defined steps to determine whether the tip warrants further action. The initial investigation should be timely, and the objective should be to ascertain the validity of the tip without impugning the reputation of anyone against whom allegations have been made.

Investigators should try to find out whether the activity occurred in the past and has stopped or whether it is ongoing. If the caller was aware that the activity was part of a larger operation, this information may have been included in the initial hotline report.

While not being too ready to accept tips as valid, security should also not make the mistake of ignoring a complaint that seems insignificant or unlikely. Sometimes smaller problems can be an indication of a larger trend, and each report requires due diligence. Taking each tip seriously not only helps companies meet requirements under Sarbanes-Oxley, but it also lends credibility to the hotline, which may lead to more information.

Procedures. There are numerous investigative strategies that can be implemented based on the type of situation. If an organization has its own security department, that department will be able to develop a plan for gathering evidence to either validate or disprove the allegation.

An internal security department may also choose to involve specialists when faced with allegations of executive malfeasance or a complex case of accounting irregularities. Some companies have responded to Sarbanes-Oxley by sending reports of accounting irregularities to the company board of directors’ audit committee, which coordinates with an external group to handle the investigation.

Whether a tip is investigated by an internal or an external entity, all of the standard investigative steps should be followed. That includes keeping the investigation confidential and working with legal counsel to ensure that laws are followed and that evidence collected will stand up in court.

The critical issue that investigators acting on anonymous tips must bear in mind is that the tip itself cannot be used as evidence in court. The case must be built essentially from scratch, using the tip only as a lead.

Documentation. Security should be vigilant in enforcing documentation of the hotline operations, including a log of calls and how each was followed up. This documentation is part of Sarbanes-Oxley compliance, which requires procedures for the “receipt, retention, and treatment of complaints.”

If a company faces any charges of not responding to fraud tips, it will want to be able to produce a record showing that the steps it took with regard to all hotline tips were appropriate. The only way to do this is through documentation. 

The company must also have security procedures to ensure the confidentiality of this documentation. The protection of this information is critical because a leak could place the whistleblower in jeopardy, leading to a retaliation lawsuit.

Many companies use a centralized online tracking system that allows field investigators access to case file information while protecting data with security measures similar to those used in online banking. This approach facilitates creation of detailed logs of activities while keeping information secure. The case-documentation tool should have a dated entry log that cannot be changed after the entry is complete, which will help the company defend itself if it ever has to prove that the steps it took were appropriate.

Under Sarbanes-Oxley, companies must proactively fight fraud and protect whistleblowers. Anonymous hotlines, properly operated and backed by thorough investigations of tips, can help them do both.

Timothy L. Mohr, CFE (Certified Fraud Examiner), is the director of investigations for FIRSTGlobal Investigations, a division of BDO Seidman, LLP, providing confidential internal investigations to public and private clients. Dave Slovin is the vice president of business development at The Network, in Norcross, Georgia, a company that has operated confidential hotlines for more than 20 years.