In 2002, the Sarbanes-Oxley Act (SOX) breathed new life into whistleblower programs for U.S.-listed public companies. This legislation had a particular impact on audit committees, handing them the responsibility of, “establishing procedures for
- The receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and
- The confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”
SOX, however, did not provide any guidance to audit committees on what procedures should be considered or how to evaluate their effectiveness once established. As a result, for many companies, complaint handling is still a haphazard process that tends to operate in crisis mode. It can be both costly and time consuming, yielding few, if any, measurable results. We have found that — even now, 10 years after the enactment of SOX — companies are still struggling to find an effective approach to handling whistleblower complaints.
It is important to understand the role whistleblower complaint handling plays in deterring corporate fraud. Controls on the front end that prevent or deter fraud are critical — after all, the cheapest fraud is one that never happens. An effective whistleblower program, however, is the last line of defense.
According to the Association of Certified Fraud Examiners’ (ACFE’s) 2012 Report to the Nations, a study of 1.388 cases of occupational fraud, the most fraud is not detected as a result of internal controls. This is in part because perpetrators of fraud work in areas that are not tightly controlled or in areas that they themselves control. By far, the most effective form of fraud detection is a tip, often received via a fraud hotline.
The ACFE study also reports that the presence of a whistleblower hotline results in a much higher likelihood that occupational fraud will be discovered by a tip. For the most part, what has been lacking both from the literature and from practice is a methodical approach that organizations can use to register complaints and channel them to the appropriate groups for action. Only by establishing a comprehensive process will organizations be able to ensure that, when the whistle does blow, someone has the wherewithal to stop the train, get out and investigate.
One process, which Grant Thornton developed, is called the Model Accounting Complaint-Handling Process, or MACH Process. The MACH Process is designed to provide both meaningful structure and enough flexibility so that it can be adapted to any organization. It should not be viewed as a soup-to-nuts formula for setting up a whistleblower program. Instead, the MACH Process focuses on the component of any whistleblower program that requires the most attention from management and the board, handling complaints once they are received. Setting up the overall program is important, including making decisions regarding whether to insource or outsource the program administration, who to engage, how to handle different countries’ related legal requirements, and so on. The focus here is on what happens once the whistle blows and that train starts rolling down the track.
The MACH Process consists of six basic steps:
1. Receive the complaint.
2. Analyze the complaint.
3. Investigate the complaint.
4. Resolve the complaint.
5. Report the resolution of the complaint.
6. Retain the necessary documentation.
This complaint-handling process can be tailored to meet the needs of virtually any organization. The MACH Process is designed to ensure not only that venues exist for the gathering of whistleblower complaints, but also that all complaints are documented, investigated and addressed in the appropriate manner and that the process involves all necessary stakeholders.
Ultimately, by establishing an effective whistleblower complaint-handling process, organizations will be able to identify and deal with cases of fraud that have the greatest potential to harm reputation and bottom line.