Ethics Hotline Best Practices
1. Access to Ethics Hotline 24/7/365 and in multiple languages
2. Multiple methods to reach Ethics Hotline
  a. Internet
  b. Email
  c. Toll-free phone
  d. Fax
  e. Regular mail
3. Secure, confidential, and anonymous incident reporting and handling
  a. Third-party (or external or independent) Ethics Hotline provides greater safeguard of anonymity
  b. Internet reporting via SSL encrypted site ensures security
  c. IP address and caller ID not stored to ensure anonymity
  d. Ethics Hotline personnel pass an extensive background check and adhere to a strict confidentiality agreement
  e. All Ethics Hotline information is kept in a secure environment; access to confidential data is username/password protected
  f. During investigation of an incident, the organization should not reveal that it is reacting to a tip (disclosure may be a breach of confidentiality and may put the whistleblower at risk)
4. Single Ethics Hotline used to report all issues
  a. Accounting, internal accounting controls, or auditing matters / systematic misrepresentation of business and financial transactions
  b. Workplace issues (such as substance abuse, FLSA, FMLA)
  c. Envrionmental, health and safety concerns
  d. Falsification of documents (fabricating, altering, or destroying any part of a document such as a record including that related to billing for the purpose of gaining some advantage)
  e. Discrimination (age, disability, genetic information, national origin, pregnancy, race/color, religion, sex), harassment (written, verbal or physical; suggestive or direct) or violence in the workplace
  f. Conflict of interest (when a personal interest influences the objective exercise of one’s duties; including related to gifts)
  g. Breach of confidentiality (including related to Intellectual Property, HIPAA)
  h. Theft or embezzlement (fraudulent appropriation of property or funds)
  i. Vandalism/destruction or improper use of employer property
  j. Unfair competition, bribery (includes violation of US Antitrust, FCPA)
  k. Other violations (insider-trading, money-laundering)
  l. Suggestion (or question entry, allowing an organization to become proactive instead of just reactive to ethical issues)
5. Incident reports processed and forwarded within 24 hours to the organization’s designated contact(s)
  a. Dual dissemination of incident reports acts as a system of checks and balances within the organization
  b. Ideally all incident reports go to the same person(s)
  c. Per SOX section 301, complaints regarding accounting, internal accounting controls, or auditing matters go to the Audit Committee. The Board should additionally directly receive complaints regarding senior management
  d. For public organizations, one of the designated contacts is typically the Ethics Officer. Ideally, the Ethics Officer does not report to the CEO or CFO, but rather directly to the Board of Directors. For a private organization, one of the designated contacts is ideally the President
6. Comprehensive case management system
  a. All incident reports maintained in the same case management system
  b. Incidents get a reference number so that a follow-up can be entered and/or status of report can be known
  c. Organization files a corrective/preventive action as part of the case management system
  d. Case log includes:
  - date submitted
  - description of complaint
  - submitted by (employee, customer, vendor, shareholder, or other)
  - current status (resolved, under investigation, dismissed, withdrawn, pending/no action)
  - actions taken (date and comments)
  Reference AICPA toolkit
  e. On-demand case management system (and/or periodic reporting) facilitates:
  - the organization’s ability to analyze incident data
  - management of the CAPA/resolution process
  - testing by internal auditors
  - oversight by the Audit Committee
7. Appropriate and timely report handling by the organization
  a. The incident report is forwarded to the appropriate department(s). For example, the legal department would be interested in complaints regarding discrimination, regulatory violations, etc.
  b. The organization should have procedures in place for the proper handling of complaints by personnel who receive the incident reports. The procedures should be periodically reviewed with legal counsel
  c. The organization is alerted if a response has not been filed
  d. If the organization determines that an ethics code violation has occurred, appropriate disciplinary action is taken - from a verbal warning up to firing and even restitution
  e. The organization should consider changes in internal policies and look for “hot spots” (e.g. is there a division that seems to have more issues? if so, there may be opportunities for increased training there)
8. Whistleblower protection
  a. To comply with law (see SOX Act sections 301, 806, and 1107), and for the effectiveness of an Ethics Hotline, whistleblower protection must be clearly communicated and documented
  b. The whistleblower protection policy at minimum contains:
  - A statement that whistleblowers will not be subject to any form of retaliation such as firing, demotion, harassment, or miss out on promotion, even if investigation findings do not support the nature of the complaint
  - Contact info to the Office of the Whistleblower Protection Program (administered by the US Department of Labor’s Occupational Safety and Health Administration or OSHA)
9. Ethics Hotline communication to employees and stakeholders
  a. Top management voices its importance
  b. Integral part of Ethics Code
  c. Promoted in Ethics Training and educational materials
  d. Continual awareness via postings, articles, and corporate site