Auditing Hotline Effectiveness
Written by: Richard Kusserow on June 3, 2013
More and more legal and regulatory requirements call for having an employee hotline, including the U.S. Sentencing Commission Guidelines for Organizations, recently passed Sarbanes-Oxley Act, Privacy and Security Rules under the Health Insurance Portability and Accountability Act, Defense Industry Initiative (DII), DHHS OIG Compliance Guidance, Supreme Court decisions on Sexual Harassment, among others. The Office of Inspector General (OIG) in their various compliance guidance documents stressed not only the importance of compliance communication and hotlines as a critical element of any compliance program, but that it should be effective. The problem for many is trying to determine how and what an effective hotline function should look like.
What is clear to most organizations is that they cannot operate their own hotline in house that is cost effective. Hotline vendors provide an extremely cost effective alternative and should be carefully considered. However, like with any other purchasing decision, it is important to know what to look for. Even with vendors accepting the calls, the major part of any hotline operation is with the provider and the challenge is making the hotline operation an integral element of any organization’s risk management, compliance, and ethics program. Once established, the hotline program should operate under strict policies and procedures. To do otherwise invites increased exposure to added liability and unwanted consequences.
Learn About Our Confidential Hotline ServicesGet Free Quote & Demo
There are great benefits to an organization in gaining feedback from those who are in the workplace. Information from the hotline may be able to alert management to issues affecting their “bottom-line”, exposure to liability, morale of the workforce, etc. All this is possible, if it is operated correctly. A poorly managed hotline program can do just the opposite. It can educate people into believing management does not care to hear from them, worse will penalize anyone who tries to use the hotline. This, in turn, can lead to their silence, where they will not warn the organization of a looming problem. Worst of all, employees with no outlet for their concerns, frustrations, and problems within legitimate organization channels may seek redress outside. There are thousands of instances where insiders (a) leak to the press; (b) engage an attorney and sue their employer (for sexual harassment, injury, slander, discrimination, etc.); (c) inform regulatory authorities of unsafe conditions or other violations; (d) report a suspected violation of law to a state for Federal enforcement agency; (e) file a qui tam action (Whistleblower suit); or just leave the organization for another job.
Channeling information through legitimate avenues of communication is absolutely critical to the effectiveness of any compliance program. However, just establishing a hotline is not enough; it must be made credible and effective or it will cause more damage than not having one at all. A hotline viewed as a “sham” invites cynicism and gives added rationalization to “blow the whistle” on the employer.
Best Practice Tips
- Hotline should be subject of ongoing auditing and monitoring
- Have audit performed by those independent of the program
- Results should be documented in a written report
- Review should document findings/suggestions
- Have reports go to senior management and Board for action
Ongoing Auditing of the Headline
It is important to periodically conduct an audit of the Hotline operation to determine: (1) whether the Hotline was operating in accordance with the established protocols, policies and procedures; (2) level of documentation and evidencing of the operation is adequate to assure effectiveness; and (2) if stated objectives for the Hotline operation are being achieved. Reviews of the hotline function should focus on the actual operation of the Hotline, and whether it was being operated in a manner that was consistent with the established protocols, policies and procedures designed for its operation. To be independent and objective, the audit should be performed by someone outside the Compliance Office. The review should include:
- On-site review where information is received processed, stored, transmitted, and managed.
- Visible examination of the security of the files was made.
- Examining a sample of cases to determine compliance with existing policies and procedures.
- Reviewing reports on the Hotline provided to the Executive and Board level compliance committees for content and accuracy.
Review of Call Log. There needs to be a Hotline Call Log and it should be examined to ensure that it includes specific information for each call taken, including:
- Caller identification number
- Identifying initials of the operator taking the call
- Date the call was received
- Whether investigation of the call information is required (yes or no)
- Whether the investigation is completed (yes or no)
- Whether follow-up action is needed (yes or no)
- Whether follow-up has been completed (yes or no)
- Date of resolution
Review of Written Guidance. Organizations with a hotline should have policies and procedures governing all aspects of the function and gathering into a single manual which provide instructions and guidance on the operation of the Hotline. The annual review should verify that the policies provide adequate guidance to Hotline staff; are written in a clear and concise manner; have been distributed to all covered persons; and have been used in compliance training programs. The hotline related policies should address;
- Hours of the Hotline operation
- Filing and numbering system
- Storage and access parameters
- Record retention policy
- Form and format of call information
- Manner by which calls should be handled
- Key review points that should be covered with the caller
- Ensuring caller understood the ground rules of the function
- Proper protocols to ensure that complete information is gathered
- Types of routine and investigative compliance services
- General compliance reviews
- Conducting investigations
- Phone procedures for receiving hotline calls
- General operating protocols
- Documentation and tracking of calls
- Record keeping and numbering
- File retention
- Closure of cases
- Contact list of key individuals that may need to be alerted to a call situation
Finally, the review should take steps to find evidence that the organization encourages employees to report problems and is accepting of reported employee concerns or allegations of suspected violation of law, regulation, organization policy, wrongful behavior, and unethical conduct within the organization in the event that the existing management and human resources grievance procedures are inappropriate or unresponsive. The results of the audits should be reported in concise, clear statements. The following are some of the questions that an audit report should answer:
- Is the hotline operating in accordance with established policies/procedures?
- Are calls being diligently followed up to resolve issues and problems?
- Are hotline calls being resolved by responsible parties cooperatively?
- Are reports being acted upon in a timely manner?
- Has the hotline staff received training on their duties and responsibilities?
- Are call reports sufficiently detailed so as to permit appropriate follow-up?
- Are employees being reminded that the Hotline is available for them?
- Are executive leadership and Board being kept informed on the results of the hotlines?
- Is the hotline operation functioning as an effective compliance tool?
- Is there high use by employees suggests widespread confidence in the hotline operation?
- Are the anonymity and/or confidentiality of callers being protected?
- When test calls were made, were they answered by the second ring?
- Are all calls reported properly on the call log?
- Is the information received by the hotline maintained privately?
- Are those who evaluate and investigate hotline complaints properly trained?
- Are records kept regarding the duration of hotline calls?
- Is there appropriate file security and access controls is limited to authorized persons?
- Are hotline files kept in a private office, in a locked …