Fraud has always represented a business risk for organisations. The threat of fraud led to the enactment of legislation and regulations. High-profile accounting scandals renewed the focus on financial-reporting fraud, resulting in legislation and subsequent rulemaking concerning corporate governance and internal controls.
Audit committees have a responsibility for ensuring the existence of effective whistleblower mechanisms
Audit committees must place some reliance on management for information about the company's financial reporting process.
Since the audit committee is dependent to a degree on the information provided to it by management and internal and outside auditors, it is imperative for the committee to cultivate open and effective channels of information.
Management may not have the appropriate incentives to self-report all questionable practices.
A company employee or other individual may be reticent to report concerns regarding questionable accounting or other matters for fear of management reprisal.
The establishment of formal procedures for receiving and handling complaints should serve to facilitate disclosures, encourage proper individual conduct and alert the audit committee to potential problems before they have serious consequences.
The use of a third-party telephone hotline to receive tips from both inside and outside the organisation appears to be the practice most often used by companies to receive whistleblower tips. Some companies choose to use an e-mail box accessible only by key management, such as the CFO or legal counsel, while others prefer to use a Web-based technology for submission of anonymous complaints.
Whatever the chosen methodology, audit committee members should work with management to ensure that employees, investors and others are aware of the confidential disclosure option. Employees can be informed of this in their employee handbooks and in the human resources orientation process. Additionally, notices and instructions for submitting tips can be posted in company facilities and on intranet sites.
Notifying outsiders of avenues for submitting their concerns poses different challenges. The company Web site is the most natural vehicle for communicating the procedures to individuals outside of the organisation. The page containing this information and the investor information/relations page are logical locations for displaying whistleblower procedures. The customer service and investor relations operators should be prepared to answer questions regarding how to submit concerns and complaints in the financial reporting arena.
The audit committee should work with management to ensure that there is a mechanism to validate the appropriate representation of receipts from the third-party vendor, the e-mail box, or other submission vehicles so that more than one company representative is privy to the information. Designees from the internal audit, legal and risk management departments, or some combination thereof, are typically responsible for investigating the complaints and reporting back to the audit committee. Reports should be given to the audit committee on a regular basis unless significant events warrant real-time communication. The audit committee must choose how often it will provide reports to the board. This should occur at least twice a year, but more frequently if events warrant.