In a recent external audit, one finding was as follows:
Finding #1: The Bank does not have an anonymous reporting mechanism that employees can call with fraud concerns.

Recommendation: We recommend the Bank create a mechanism for this finding specifically, that would allow an employee to communicate information regarding fraud (or other issues) to management, without the fear of repercussions. These communications should be received directly by the Audit Committee.

Does anyone else have this sort of communication in place and if so what is it? Our HR manager and I are trying to come up with something.

We have a whistleblowers policy included as part of our code of conduct. Anyone can have direct access to the chair of the audit committee.

Do they call that individual directly? If so, do you list their phone number? We were thinking of a recorded message line that the audit chair would access.

We have contracted with a vendor that provides a hotline service. The cost is very, very reasonable. The calls are taken by the hotline, then reported to the chair of the audit committee. He then delegates someone (probably me - Compliance Mgr) to investigate and report back to him.

We have a documented policy that provides contact information as well as using a service provider. The cost is extremely reasonable. I field all calls/reports and then involve the appropriate staff to help resolve them. The entire audit committee has automatic access to the reports - they are notified of them the same time I am as they come in.

We have considered the third party service, but wrote into our code of conduct that anyone can contact me (the internal auditor) either confidentially or anonymously, and that they could also contact any member of the audit committee, who are listed on the website. (We did not give their phone numbers or addresses, but they are all local and in the phone book.)

They should follow a chain of command. They can first go to their supervisor. If that is not appropriate they may come to me (the Auditor) or the HR Director. Otherwise they can go to the chair of the Audit Committee whose contact information is noted in the policy.

I disagree with the chain of command - what if the person you are complaining about IS your Supervisor? Or, what if it is the Human Resources person - I agree that it should be an anonymous process - someone can submit memo to audit committee with no name on it and put in a mailbox designated for the audit committee in the corporate office -

One thing to consider, especially for those that have to be SOX compliant, is that the means that the employee has to communicate concerns must allow for confidential communication. There is a huge benefit to using a third party provider in this area. And it is definitely worth the month - we have about 900 employees and it is only costing us $2500 a year (roughly) for the service. It allows very easy tracking by the folks involved, including communication between myself and the audit committee that the reporting employee can't see. I also think it cuts down on questions from the audit committee since they see the same information I do.

It can be an anonymous process to the audit committee--which is probably best. However, they are given other options.

What aif you are not subject to SOX, should we still persue this? We have been, but the question just came up if we should put the effort into it.

We aren't subject to SOX but we are a FDICIA bank. Regardless it would seem to be a good corporate governance practice. Our regulators and external auditors were pleased we had a policy.

It's not hard to do, it's really inexpensive, it can be a morale booster for your staff, all examiners and auditors love it - I think it's worth your while even if you don't have to.

Original Poster: I would appreciate the names of any third party providers you would recommend. Also any verbiage regarding policies would be greatly appreciated as well. We are subject to FDICIA, under the current guidelines, and need to have these procedures in place.

We use National Hotline Services. They helped us with sample policies, etc. as well.

Here's their website.

Where at in FDICIA is it "required"? Is it just a guideline?

To my knowledge, it's not required in FDICIA - but it is required in SOX.

I beleive having a Whistleblower policy/procedure is required as a separate law, not part of FDICIA or SOX.

We have a whistleblower policy which is provided to each new employee and, of course, all the old ones. Our contact the chairman of the Audit Committee. His adress, phone number, etc. is provided to the employees. We are not regulated by SOX or FIDICIA but we still have the policy in place as a best practice.

There are also state & federal laws that apply to non-publically traded entities.

Our Audit Committee made the decision to use an outside vendor, Ethicspoint. It is a user friendly system and the cost is moderate -- they seem to be highly recommended in the banking industry. Also, they have model letters that can be sent to employees advising them of what they need to do in case they suspect fraud.

We use Ethicspoint as well (see my post earlier). They were very easy to roll out and use.

I agree. Our bank is doing this way.