​A Whistleblower Line Is Not Enough​

Comments Views

Surveys show that most frauds and other inappropriate acts are discovered through tips, such as through a whistleblower line.

Some feel they have done enough if they have a business conduct policy (that is updated regularly, signed by the CEO, and to which every employee must certify annually) and a whistleblower line (where all reports are handled by internal audit or other reliable group).

But those of us who have had responsibility for investigating violations of that business conduct policy know more is needed.

The Washington Post's recent article on the Department of Veterans' Affairs (VA) case includes useful insights:

"The Department of Veterans Affairs is encouraging its employees to expose any wrongdoing they see, but a series of government reports has shown that many federal employees are reluctant to do so–and possibly with good reason. Many federal employees feel vulnerable to retaliation if they make such disclosures, according to data from two central personnel agencies, the Office of Personnel Management and the Merit Systems Protection Board."


This highlights the first additional step that has to be taken — addressing the fear, often justified, that those who report violations of the code of business conduct will find themselves at risk. As the Post says, "nearly 30 percent of respondents felt that their lives might become more difficult if they reported inappropriate practices." The article goes on to say "of those who did step forward and were identified as the source of a disclosure, about a third said they were threatened with or actually experienced retaliation, compared with just 7 percent who were given credit by management for identifying a problem. Forms of reprisal included firing, suspension, grade level downgrade, and transfers to different locations or to jobs with less desirable duties."

Management at the VA seems to feel that sending a memo urging employees to report problems and demanding that nobody retaliate is enough.

It is not enough.

Here are a few thoughts:

  1. Every employee must be able to report concerns anonymously. I was always troubled when management wrote the business conduct code at my companies where employees were asked to report concerns to their manager, or to HR, before using the whistleblower line.
  2. The whistleblower capability needs to take into consideration and be tailored to meet local legal, language, and cultural considerations. This means not only translating the code into different languages and having people take calls in the language of the caller, but making it easy for all employees, contractors, and others to make the call.
  3. Training and testing the understanding by employees of the code of conduct must be effective for all employees, recognizing the challenges of language and culture. Effective means that they understand what is meant by the code of business conduct, not just what the words say. It also means that they understand that the code represents the true intent of top management and the board.
  4. Every report must be taken seriously and looked into. I was shocked at a previous employer (I was not running internal audit there) when I called to report inappropriate behavior by my manager and others. The lawyer who took the call refused to do anything until I provided information that would identify one person, me, as the source; I knew that the information I had already provided would lead any investigation in the right direction. At another company, the HR director knew the individual reporting the violation (she came forward, bravely) and disparaged both her and her statement, saying he didn't want to investigate her claims of harassment.
  5. Every effort must be taken by investigators to protect the identity of whistleblowers. That was one of my mantras when I performed or managed investigations, and it is not that hard to accomplish.
  6. It is important for people to know that their concerns are being investigated. If possible, they should know what the resolution was — although specific disciplinary actions should be kept confidential. While many will call in to the line anonymously, I always ask the people answering the call to encourage people to give us a way to communicate with them, or to ask them to call back.
  7. Organizations need to survey their employees annually, with questions that will determine how many identify violations and how many feel they can report them without fear. It is critical that the survey results be made public and management responses be decisive and also public.
  8. Those who retaliate or fail to support an investigation should be dealt with summarily.

I welcome your thoughts on this important topic.

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this article

comments powered by Disqus
  • TeamMate_May2015
  • Ideagen_Pentana_May2015
  • IIA-GRC_May2015