Early warning system: internal auditors can help management create effective whistleblower programs that protect users and enable organizations to address problems before they become public knowledge

Hernan Murdock

With the numerous allegations of financial fraud and dubious accounting practices in the headlines these days, organizations are increasingly turning to internal whistleblower programs to discover and correct improper activities. In fact, Section 301.4 of the U.S. Sarbanes-Oxley Act of 2002 requires public companies to establish procedures for “a) the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and b) the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”

Although whistleblowing is commonly thought of as the act of revealing inappropriate activities to parties outside an organization, internal whistleblower programs allow management to take corrective action inside a corporation without the negative effects that come with public disclosure, such as financial distress, loss of capital for investors, and a drop in value in the stock market. Through these programs, employees are encouraged to discreetly and anonymously disclose concerns about accounting and operational issues. This way, all employees help the organization stay on track, and internal auditors, who cannot possibly examine every process and transaction, cast a wider net in their risk-management efforts.

Internal auditors can play an integral role in the development of whistleblower programs by working with management to create a system that protects the anonymity of the employees who use it and gives them maximum access to the tools that will help them report their concerns. Effective whistleblower programs are developed through four distinct phases–assessment, building, program release, and performance monitoring.


During the assessment phase, management must evaluate the organization’s needs, define a protocol for the program, create reporting mechanisms, and establish an oversight board to ensure allegations are handled appropriately.

EVALUATE NEEDS The first step in establishing an effective whistleblower program is assessing the organization’s needs and its operational environment. For example, management should determine the requirements and characteristics of the company’s employees, including the major linguistic groups and geographic locations. If the organization has a meaningful population that speaks languages other than English, the program operators should be able to communicate in those languages.

ESTABLISH PROTOCOL Internal auditors can help define the protocol and make sure sufficient controls are included in the design, such as safeguards to protect the identity and privacy of employees reporting wrongdoing and measures to ensure the integrity of data, especially information that is stored electronically. The protocol should:

* Assign every allegation a code number that is given to the caller and used as the reference for all future communications. Although whistleblowers usually choose to remain anonymous, some may wish to stay in touch with investigators in case there is a need for additional information, to receive an update as the investigation progresses, or to be notified of the final disposition of the case.

* Require investigators to act discreetly and professionally and not to disclose information.

* Make sure performance reports and all other materials distributed outside the department do not include the whistleblower’s identity.

* Restrict access to files and reports.

The protocol also should include procedures for responding quickly to high-risk allegations. It should outline turnaround times for assigning investigators once an allegation is reported, and it should indicate the escalation procedures that will be followed. For example, the disclosure of a scheme to transfer millions of dollars offshore or of safety violations that could result in bodily harm warrants a different response than an allegation of irregularities in travel and entertainment expenses.


IDENTIFY REPORTING MECHANISMS Employees should be able to contact program operators inexpensively and with as few complications as possible. Internal auditors can help verify that the reporting mechanisms are appropriate and that information provided is accurate, complete, timely, and useful. Possible reporting methods include:

* Telephone hotlines–If this method is used, the organization should make sure the whistleblower is not required to make a toll call to file a report. A company with one geographic location can use a local phone number, but most organizations need a toll-free line that can be reached by employees from anywhere at any time.

* Fax lines–This method is useful when the whistleblower has documentation that could help in the investigation.

* A Web page on the company’s intranet–Background and contact information can be presented at this central location.

* E-mail–Employees should be able to file anonymous e-mail reports from the intranet or the Internet. These communications should be directed to a designated individual who should review them frequently.

Additionally, companies must assess the level of expertise and availability of qualified internal staff to handle what could be very complicated scenarios. Allegations could range from financial improprieties to supervisory abuse, pollution, or inappropriate contractual obligations. Also, the caller could be in a state of emotional distress out of guilt, fear of retaliation, or other emotional pressure, making it necessary for the staff to handle the situation tactfully and professionally while gathering the facts.

Internal auditors should serve as members of the response team and recommend other employees for the program based on their knowledge of legal, accounting, financial, personnel, and operational matters. Small organizations may meet their staffing needs by designating several qualified individuals who are on call or available via pagers and cellular phones and rotate among themselves to provide continuous coverage. Many organizations find it advantageous to outsource the whistleblower program to ensure independence, achieve broader coverage, and overcome a lack of internal expertise and staff availability. Outsourcing the program does not exempt management from taking a hard look at the organization and deciding exactly how the program will be implemented and run. The service provider will need this information. Sometimes the company providing the employee assistance program is also qualified to provide support for a whistleblower program.

Whenever possible, and especially in locations with large employee concentrations, organizations should designate an ombudsperson employees can speak to personally. The ombudsperson should abide by the same standards of professionalism and confidentiality as the operators of the whistleblower program.

SELECT AN OVERSIGHT BOARD Establishing an oversight board helps ensure that allegations will be handled appropriately and can enhance the program’s credibility. The oversight board should include key senior officers–legal counsel, the chief financial officer, the chief audit executive, and the human resources director–who have diverse backgrounds and the authority within the organization to take appropriate corrective actions.

The manager of the whistleblower program should have a reasonable budget, sufficient independence, and direct access to senior management so investigations can be conducted without interference. The manager should also meet periodically with the oversight board to report on disclosures made through the program and provide feedback on performance statistics. During all communications, appropriate care should be exercised to protect the identity of those involved and to avoid impairing the investigation. The oversight board should meet often enough to send the message that management supports the program, that disclosures are important, and that concerns are handled promptly.


The conclusions of the assessment are addressed in phase two: The call center is staffed, telephone and fax lines are installed, the oversight board is organized, and the meeting calendar is established. All involved in the program, from telephone operators to the oversight board, should receive sufficient training to ensure they understand their roles and possess the skills necessary to handle their responsibilities. Training should include the already defined call-handling protocol and cover multiple scenarios including escalation procedures.

Another important element of phase two is developing or modifying the organization’s policies and procedures to make the whistleblower program an official component of the system of internal controls. An internal auditor should work with management to make sure the whistleblower program is included in the employee manual and code of ethics and that a charter is developed for the oversight board that specifies the board’s role, responsibilities, membership, and authority. Having these elements in writing will go a long way toward creating an environment in which the program is seen as a credible and permanent resource within the organization.


In the third phase, the whistleblower program is released throughout the organization. Although hard-copy memorandums, e-mail, video conferencing, voice conferencing, or even computer-based training programs are viable options for releasing the program, the most effective approach is through face-to-face meetings with employees. These encounters allow workers to gain a better appreciation for the importance of the new program and management’s commitment to its success, and to get their questions answered.

The length of these meetings can vary according to the needs of the organization and the audience size. An hour or two should be long enough to provide employees with sufficient background information on details including:

* Reasons for implementation.

* Benefits to the control environment.

* Management’s commitment to high standards and a reminder of the company’s code of conduct policy.

* Staffing of the program.

* Avenues available for disclosing concerns.

* Existence of an oversight board to ensure privacy, professionalism, timely investigations, and prompt remediation.

It is best to release the program throughout the entire organization at once to ensure it receives sufficient momentum. If costs make that impractical in a large organization that is geographically spread out, face-to-face meetings could be held at the largest locations while smaller sites are notified electronically. Another method that works well is a “train the trainer” program, which involves putting key individuals through the training at a centralized location and then sending them back to their own sites to educate their colleagues. Country managers, division heads, local human resource directors, or qualified consultants could be trained beforehand on the program’s details, and then all locations can go live at the same predetermined date.

In all instances, it is best to have a high-level member of management involved in the release to reiterate the organization’s commitment to the program. Internal auditors also should visibly endorse it, not only to add legitimacy to the program, but also to increase the audit department’s visibility. During future audits, employees will be more likely to connect the internal audit department with organizational initiatives and see internal auditing as an extension of the whistleblower program. As a result, employees will feel more comfortable approaching the auditors directly if they have concerns. The key is to encourage communication throughout the organization and to quickly channel information about inappropriate activities to someone who can take corrective action.

Finally, the selection of the facilitator for these sessions is as important as the material to be presented. Choosing a sympathetic and knowledgeable facilitator will add to the acceptance of the program and put employees at ease.


Organizations often dedicate a great deal of resources to conceive a project, build it, and release it, only to forget about it and see all the time, energy, and resources go to waste. With a whistleblower program, it is critical to have a monitoring component for quality control that will ensure compliance with the parameters established and to make sure employees remain aware that the program is in place and working effectively. Monitoring can be done through meetings with the oversight board, which should take place at least once a quarter.

The manager of the whistleblower program should attend these meetings and present a report showing:

* The number of disclosures received.

* A categorization of the allegations reported.

* Cycle times from filing to action and from action to resolution.

* Reporting avenues used.

* Outside parties involved.

* A measure of the criticality and financial impact of the allegations.

The audit committee, senior management, and internal auditors should receive a copy of these reports. Valuable information about the types of allegations and their magnitude, frequency, and method of disclosure can be shared with the internal auditors without releasing the whistleblower’s identity. Also, critical developments should be brought to the attention of the audit committee immediately.

Internal auditors can help after the program is up and running by independently and objectively assessing its effectiveness. Are all allegations handled seriously, professionally, discreetly, and promptly? Does the program have an adequate budget to offer continuous coverage in all significant geographic locations and to allow for investigations? Are allegation files complete?

Anonymous annual employee surveys can provide a wealth of information about workers’ awareness of the program’s purpose, effectiveness, and performance weaknesses. Employees should also receive whistleblower program reminder notices at least yearly during staff meetings. Obtaining and acting on employee feedback will allow management to improve and customize the program.


A program that encourages employees to disclose inappropriate activities internally, and that promptly and effectively handles all allegations, will reduce the likelihood that employees will be forced to blow the whistle externally, thus precipitating crises. When preventive and detective controls fail, a whistleblower program may be the only avenue for making management aware of inappropriate transactions or behaviors in the organization.

By getting involved and helping their organizations correct problems early on, internal auditors can be perceived as action agents–not necessarily the people who will implement changes, because those responsibilities belong to management, but the people who get things done by taking employees’ concerns up the chain of command to senior management, the board of directors, and the audit committee. When this happens and employees become aware of it, they will likely confide their concerns to internal auditors. The end result is the quick and appropriate resolution of problems while they are still relatively small and manageable.

Four Phases of an Effective Whistleblower Program

Assessment

* Evaluate Needs

* Establish Protocol

* Identify Reporting Mechanisms

* Select Oversight Board

Building

* Train Operators and Oversight Board

* Update Policies and Procedures

* Write Board’s Charter

Program Release

* Distribute Notices

* Define Program Release Mechanism

* Meet with Employees

Performance Monitoring

* Meet with Oversight Board

* Review Performance Reports

* Survey Employees

10 Steps to Assessing a Whistleblower Program

1. REVIEW THE PROGRAM’S PROTOCOL. Make sure the protocol provides clear and specific guidance on what to do and whom to contact in response to a range of possible scenarios.

2. EXAMINE ALLEGATION FILES. Verify that the information in the allegation files is consistent and complete so investigations are not impaired. Confirm that the whistleblower’s identity was protected and that a key or code instead of the whistleblower’s name was used during the investigation.

3. REVIEW THE COMPOSITION AND ROLE OF THE OVERSIGHT BOARD. The organization’s legal counsel, director of internal auditing, chief financial officer, human resources director, and corporate controller should be members of this board. They should be senior officers who meet frequently, are active in their oversight capacity, and are prepared to take quick and decisive action in the event of inappropriate activities.

4. VERIFY THE AUTONOMY OF THE PROGRAM. Examine the program’s budget for sufficiency and make sure the program’s manager is independent. There should be a direct reporting line to the oversight board and the audit committee.

5. REVIEW PERFORMANCE REPORTS. Are performance reports accurate, timely, and useful? The audit committee and oversight board should agree on the content and frequency of reports, which should include at a minimum the number of allegations received, the number substantiated, a ranking of the risk/impact to the organization, and turnaround times from reporting to investigation and investigation to resolution.

6. VERIFY THE ADEQUACY OF THE PROGRAM’S BUDGET. Is the budget adequate to hire enough competent staff to handle whistleblowers’ calls and to conduct professional investigations? A single individual should not have the ability to reduce the budget because the act or threat of cutbacks could impair the program’s effectiveness, independence, and objectivity.

7. REVIEW THE EMPLOYEE MANUAL AND CODE OF ETHICS. Make sure the whistleblower program is referenced in the employee manual or the code of ethics. This will add to the program’s legitimacy and make it a permanent component of the corporate governance infrastructure. Keep the contact information up to date and make sure it’s clear that retaliation is explicitly forbidden.

8. VERIFY ACCESS TO THE PROGRAM. Are the phone, fax, and e-mail connections operational and attended to around the clock? Is the staff assigned to the overnight shift really there? Was a new facility opened somewhere that is not covered by the original access avenues?

9. CONFIRM THE QUALIFICATIONS OF THE STAFF. Make sure the attending staff is qualified, especially if there has been turnover in the group. The staff’s responsibilities are not limited to data entry because if staffers are rude, insensitive, or careless they are likely to collect insufficient or inaccurate information, limiting the chances of conducting a fair and thorough investigation.

10. SURVEY EMPLOYEES. All the planning and money spent building the perfect infrastructure will be wasted if employees do not know the program exists or if they feel their disclosures are not going to be taken seriously. An anonymous survey will reveal their level of comfort with the program; their opinion about the organization’s commitment to integrity, fairness, and openness; and their belief that their disclosure will not result in retaliation and that corrective action will be taken. Employee perceptions are key to the success of any whistleblower program. If employees refuse to use it, the program fails.

Protecting the Whistleblowers

Traditionally, whistleblowers have defied the status quo and communicated their concerns to an authority outside the organization after realizing that the improprieties they have witnessed are not being corrected internally. They have taken this initiative at great risk, as multiple studies show whistleblowers often suffer discrimination, retaliation, stress, and sometimes loss of their jobs or even their careers.

It is no wonder, then, that potential whistleblowers are hesitant to speak up within their own organizations. According to an article in the Work and Occupations journal, researchers estimate about one-third of all workers in the United States have witnessed unethical or illegal conduct in their workplaces, but more than half of them did not disclose what they observed. Moreover, an Australian study by the Independent Commission Against Corruption found that 71 percent of workers surveyed expect people who report improprieties to suffer for doing so.

In recognition of the valuable role insiders play in the discovery of fraud and unethical practices, the U.S. Sarbanes-Oxley Act of 2002 includes a provision protecting U.S. employees who disclose information or assist in detecting and stopping fraud. The act also increases the accountability of senior officers and members of the board of directors, and it requires that chief executive officers and chief financial officers of public companies file a quarterly statement attesting to the integrity of the organization’s system of internal controls–something they cannot do if they are not made aware of irregularities immediately.

HERNAN MURDOCK, CIA, is a project manager at Control Solutions International and a lecturer at Northeastern University in Boston, Mass.

COPYRIGHT 2003 Institute of Internal Auditors, Inc.

COPYRIGHT 2003 Gale Group