Ethics and Compliance

Does your internal audit team have responsibility for monitoring and reporting on your company’s ethics hotline? In benchmarking with my peers, it seems that about a third of the companies I talk to have some direct responsibility within internal audit to perform this task, while the rest do not. However, all of them would participate in investigations if calls were received regarding fraudulent employee activities, theft, or other financial matters.

For those who maintain this responsibility, is there a perceived problem in implementing IIA Standard 2100: Nature of Work, which calls on internal auditors to “evaluate and contribute to the improvement of governance, risk management, and control processes”? There seems to be much more guidance around the role that an auditor plays in risk management than in monitoring ethics and compliance calls. I suppose that an objective external resource could be used to evaluate the governance processes if internal audit played a significant role in designing and managing these processes, so from an independence standpoint, the organization could still receive feedback on the performance of this activity.

If your company has a dedicated and separate ethics and compliance function, does internal audit periodically perform audits of this governance process? For larger, more established audit functions, I presume the answer is “yes” or “covered through Sarbanes-Oxley testing of entity-level controls.” But I’m just wondering.

Posted on Aug 25, 2011 by Kiko Harvey


  1. As part of the SOX entity control, our Internal Audit department reviews the confidential call log for the hotline each month and verifies that our Senior Counsel reports hotline results to the Board of Directors at each meeting, as documented in the BOD minutes. To date, we have had no financially related calls; all have been faxes, wrong numbers, or customer-service-type calls.

  1. At IP, IA participates in hotline investigations concerning bookkeeping improprieties, fraud, theft, kickbacks/bribes, embezzlement, etc. But we do not audit the hotline procedures from a governance perspective. Our external audit function performs that role.

  1. If your internal audit group performs a governance audit of hotline procedures and is independent of this area, you may want to focus on the following:

     1. Timeliness of matter resolution
     2. Reports of conflict of interest involving senior management
     3. Measuring service levels of outsourced service providers taking hotline calls
     4. Accuracy of coding of calls
     5. Sufficiency of documentation supporting call investigation
     6. Hotline reporting and call summaries

     SOX processes may not be detailed enough to evaluate the operational areas of hotline calls.

  1. The Denver Auditor's Office completed an audit last year of the City's ethics and compliance program and found several issues, including: lack of a centralized hotline; no comprehensive reporting function, which led to an inability to identify the universe of ethics complaints; weak protections for anonymous whistleblowers; multiple "codes" (such as the ethics code and a code of conduct); inadequate ethics training; and poor funding for the ethics oversight function.

    We also tested and confirmed the applicability of the Federal Sentencing Guidelines for Organizations to the public sector. This is a relatively new application of the FSG in the public sector and was surprising to a number of city officials.

    I encourage you to take a look at our report, which can be found at: I welcome any feedback, either through this forum or at

  1. Kiko is the best blogger ever.
