Is Sarbanes-Oxley compliance worth the effort? Although SOX has its critics and the debate continues about its effectiveness, organizations are beginning to see, and in some ways to measure, its positive effects. As organizations place greater emphasis on integrity and responsibility, essential financial controls are being streamlined and improved. An era of unprecedented accountability is giving way to a new business environment where compliance isn’t just an obligation – it’s a process that is yielding real benefits.
Despite this renewed commitment to governance, organizations still struggle to evaluate the success of their compliance programs. It’s one thing for a company to meet its compliance requirements on paper and quite another to determine, “Is our program really working?” or “Is our hotline generating the information we need?” Until recently, questions like these have far outnumbered tangible answers.
A recently released report offers some much needed insight. The 2006 Corporate Governance and Compliance Hotline Benchmarking Report presents a first-of-its-kind analysis of nearly 200,000 corporate hotline reports. The Network, a hotline and employee communication provider, prepared the Report along with the CSO Executive Council, a professional organization for security executives, and the Association of Certified Fraud Examiners (ACFE).
Having compared hotline data from 550 organizations over a four-year period, the Report offers a rare glimpse into this facet of compliance, giving an analytical view of how companies implement and manage hotlines. The upshot of the report? Hotlines work.
“Few organizations can afford to allow harmful activity to go undiscovered,” said Tony Malone, CEO of The Network. “Although we’re just beginning to scratch the surface in determining their true potential, hotlines are making a measurable impact.”
When it comes to evaluating a hotline’s performance, it’s essential to make a critical, comparative analysis. To facilitate this effort, the Report presents hotline data from a variety of industries and breaks it down by specific variables such as issue type and industry size. It enables companies to compare their results against similar organizations, pinpoint weaknesses and modify their programs accordingly.
“From a security standpoint, the analysis of hotline activity represents a major opportunity for organizations,” said Bob Hayes, Managing Director of the CSO Executive Council. “It gives them the unprecedented ability to anticipate emerging security risks and evaluate their response.”
The Report presents a number of notable findings about hotline usage, including:
Hotlines are unearthing serious issues.
In fact, an overwhelming 65% of reports warranted an investigation. This is quickly becoming the new actionability index, which is a good indicator of the severity of issues being reported.
According to the data, companies also took some form of corrective action in 46% of cases. Although most reports involved personnel management issues, 10% involved corruption or fraud.
Most organizations are in the dark.
In 71% of cases, companies had not been notified of issues before they were reported through the hotline – an eye-opening finding for any organization concerned with compliance and risk reduction.
Anonymity is preferred.
While a slim majority of people (nearly 54%) chose to remain anonymous, they were more likely to give their names when reporting corruption and fraud.
Industry type and size impact results.
When looking at industry type, retail industries received the most reports and the construction industry the fewest. As for industry size, companies with fewer than 5,000 employees received about 22 reports per 1,000 employees per year. Interestingly, companies with 10,000 to 19,999 employees had the lowest rate, with about 14 reports per 1,000 employees.
So what do these findings mean in terms of compliance?
By comparing its own results with the Report data from other organizations and conducting an analysis of internal factors such as culture and communication, a company can successfully evaluate its performance on key internal controls.
For instance, a high number of reports regarding financial irregularities could indicate the need for greater education on SOX issues. Conversely, it could also indicate that a communications campaign promoting the hotline is succeeding. Is report volume concentrated in a particular location? A review of hotline data coupled with an internal analysis can help pinpoint hot spots of activity and determine how communication could be improved.
Data generated through hotlines can also provide a barometer of employee perceptions. Do they believe the company will protect their confidentiality? Do they understand what issues to report, and do they fear retaliation? Hotline results provide an interesting point of view on these issues, including insights into developing trends in areas such as trust and integrity.
Consider what the Report indicates about open door policies, for example. The fact that so many issues had not been previously reported to management suggests a surprising trend. Despite organizations’ best efforts to promote reporting through managerial channels, employees may still prefer alternative reporting methods.
Once an organization understands how its hotline program is working, it can also evaluate its ability to handle cases, tracking activity from first report all the way through resolution. If investigations are not yielding satisfactory results, it may indicate a deficiency in the way reports are gathered. Or perhaps it’s worth looking at why people choose to remain anonymous, which can make investigations more difficult.
While hotline results differ according to specific company policies and cultures, they demonstrate the valuable role hotlines play in a successful compliance program.
“Consider the potential impact of just one fraud-related incident,” said Tony Malone. “It’s anyone’s guess as to what can happen when an issue goes discovered. A hotline could mean the difference between simple disciplinary action and a full-blown incident.”
The fact that most reports are serious enough to investigate should be a loud wake-up call for many organizations. It’s a clear indicator of the importance of maintaining the integrity of internal controls. A detailed analysis of hotline data gives organizations a distinct advantage.
Although hotlines are just one component of an effective compliance program, they are proving their worth in their ability to uncover weaknesses and drive improvements. While compliance is not without its costs and its efforts, it is clearly reducing risk and helping to restore confidence in financial functions and in the organizations that rely on them.
Mr. Malone has been the Company’s CEO since October 1, 1998 and co-owner of the Company since January of 2003.
In that capacity, he is responsible for the overall strategic direction of the Company.
Prior to joining The Network, Mr. Malone was President and COO for Riscorp, Inc., where he led the Company through a successful IPO up to its subsequent sale. Mr. Malone was Director of Risk Management for KFC (then a PepsiCo company), Manager of Risk Financing for BATUS Inc., and in various positions at The Upjohn Company.
He has a Master of Business Administration degree in Risk Management and a Bachelor of Arts degree in Finance. Mr. Malone holds the Associate in Risk Management (ARM) and Chartered Property & Casualty Underwriter (CPCU) professional designations.