Q&A With Dave Harmon
"A few years ago, my company implemented an ethics hotline as part of our response to comply with Sarbanes-Oxley. Our service contract will expire soon, and we are reevaluating what we have in place. Thinking beyond Sarbanes-Oxley, what implications might our hotline have for ERM or CSA?"
DAVE HARMON, CIA, CCSA, CPA, CISA
DIRECTOR OF FINANCIAL MANAGEMENT PROGRAMS, UNIVERSITY OF CALIFORNIA
To directly answer your question, hotlines have a significant role to play with enterprise risk management (ERM) and the Committee of Sponsoring Organizations of the Treadway Committee (COSO) because they have control implications for components of COSO and span across the entire business enterprise.
Hotlines are hotter than ever before, and for good reason. According to the Association of Certified Fraud Examiners' 2006 Report to the Nation on Occupational Fraud and Abuse, "Occupational frauds are more likely to be detected by a tip than by other means such as internal audits, external audits, or internal controls." As you point out, hotlines are mandated for many companies to comply with the U.S. Sarbanes-Oxley Act of 2002. In fact, Sarbanes-Oxley compliance has undoubtedly been the primary driver by requiring a hotline for all publicly traded companies. In 2005, California even passed a similar requirement for nonprofit organizations. However, the philosophy of ERM and COSO makes a strong case for expanding hotline applications beyond merely complying with Sarbanes-Oxley at the lowest possible cost. For enlightened management, this expansion should not be a big jump to make. It just requires that hotlines be regarded as a key component of internal control rather than a statutory requirement.
The effective use of a hotline sends a clear message regarding management's intentions and expectations, which clearly figures into how employees view the organization's tone at the top. Keep in mind that the key word here is effective. Transparency and accountability are critical to how hotlines are viewed throughout an organization. Do people understand how the reporting works? For instance, do they believe hotlines are truly confidential and that there is accountability? One measure that strengthens how hotlines are perceived is using them in combination with a formal code of conduct, which helps clarify desirable versus unacceptable behavior.
Hotlines also can play an essential role in risk assessment when issues arise that otherwise might not get management's attention. This could be particularly true where there is a weak control environment. If you are embarking upon an ERM effort, you may find that sanitized hotline information is useful for expanding what management views as its risk universe beyond financial management. Conversely, ERM and other risk assessment activities may give you insight into how to plan and organize your hotline's reporting to be more effective.
Additionally, hotlines are a significant enterprisewide control and monitoring activity. They are preventive in the sense that the threat of sanctions may deter inappropriate and fraudulent activities and are detective in that they monitor these activities for appropriate follow-up. Given these benefits, you may want to take a more critical look at what you have in place and consider whether enhancements are needed. This not only includes the nature of your service contract, but also your internal hotline's operating procedures.
I think it is important to look at hotlines within the larger context of an ethics program. Many organizations have a patchwork of activities such as implementing a hotline and adopting a code of ethics or conduct. However, standalone activities that are not integrated into a cohesive program do not really have a significant impact on what is perceived by employees as the tone at the top. To find out where your organization stands, ask yourself these questions:
- Do we have an ethics program or a designated ethics officer?
- Is there some type of mandatory ethics and compliance training? If so, who has oversight responsibility? Ideally, the answer would be the audit committee.
- How often does senior management discuss ethics and compliance in internal communications to employees? If the answer is "not at all" or "once or twice a year," that's not enough to get people to believe that the organization is really serious about a hotline. Consistent and regular communication is a critical success factor.
I think you get my point. Hotlines are important with regard to Sarbanes-Oxley, as well as ERM and COSO. However, they are only one part of the larger picture of ethics.
David Harmon, CIA, CCSA, CPA, CISA, is director of financial management programs at the University of California, Los Angeles, and instructs several IIA courses on CSA. Harmon helped to develop a CSA program in his former position at Fannie Mae and contributed to the questions in The IIA's Certification in Control Self-assessment exam.