Following the corporate scandals of the last five years, there has been renewed attention to the issue of fraud. Both public and private companies recognize that fraud can undermine, or even destroy trust in their business, often with catastrophic financial results. According to a 2006 report by the Association of Certified Fraud Examiners, anonymous tips are the most effective means of detecting fraud. Since the Sarbanes-Oxley (SOX) Act was passed in 2002, audit committees of public companies are required to establish procedures for gathering and processing complaint information, and they must guarantee confidentiality and protection to employee whistleblowers. Because smaller, often private, companies suffer from a higher incidence of fraud than larger companies, many of them have adopted similar policies, either using audit committees or an independent third party. But establishing a whistleblower hotline is only a first step. Many companies are struggling to handle the myriad complaints that come through the door once the gates are open. Two challenges in particular have beset audit committees and other groups responsible for examining and addressing whistleblower complaints. The first is balancing the rights of the whistleblower and accused party to remain anonymous against the needs of investors or others to be informed. The second is screening the complaints that come in and separating those that are likely to have a financial impact from those that are non-material in nature. The solution to these challenges is to develop a comprehensive process for handling whistleblower complaints. At international accounting firm Grant Thornton LLP, we utilize an approach with our clients entitled the Model Accounting Complaint-Handling Process, or MACH ProcessSM, for dealing with whistleblower complaints that have the potential to uncover financial fraud. The MACH Process consists of six steps: Receive: Establish a system for logging in complaints in a consistent manner to ensure that every complaint, no matter how small, is addressed. Follow-up with more in-depth interviews using trained professionals to determine which complaints have merit and which are relevant to financial reporting. The latter must be referred to the audit committee in public companies. Analyze: Determine the best course of action by classifying complaints based on sensitivity (potential to harm the company) and materiality (potential impact on the financial statements). For example, a sensitive matter might be one involving board members or senior executives. A material matter might be an incentive structure that has resulted in false earnings reports. Investigate: Assign team members based on sensitivity and materiality factors. For example, human resources should be involved in any sensitive complaints. The external auditor will need to be apprised of the investigation for any complaint that is material to the financial statements, but they cannot be part of the investigation team due to independence considerations. Often the services of external consultants, such as forensic investigators or crisis communications specialists, are needed. If the company already has relationships with these professionals, it will be better prepared to quickly move forward with the investigation. Resolve: Develop a plan to address the complaint. The audit committee or other independent body should approve the plan and monitor its implementation. Report: The communications phase of the complaint-handling process can be very delicate. Whistleblowers will expect timely reports, while innocent suspects will want their absolution to be announced promptly. Determining what information to share with whom may require the assistance of legal counsel, public relations professionals and others to avoid liability for incomplete or inaccurate disclosures. A system for capturing experiences from handling whistleblower complaints can yield best practices for future decision making. Retain: Documents produced during the complaint-handling process represent evidence that should be preserved, protected and retained in accordance with each company’s document retention policies. Care must be taken to restrict access to hard-copy documents and to store and secure electronic data. This material also serves as a record of the audit committee’s compliance with any regulatory requirements and provides evidence that the organization is successfully addressing accounting, internal control and auditing risks. For the complaint-handling process, as for all processes, the “devil is in the details.” On the one hand, the system must be used in order to be effective,a communications challenge in and of itself. Employees and outside parties must understand how to file complaints, what venues exist and what level of confidentiality they will be afforded. On the other hand, the audit committee must develop procedures for handling the overwhelming number of complaints that often surface once people realize the available avenues for airing grievances. Ultimately, by establishing an effective complaint-handling process, the organization will be able to identify and deal with those cases of fraud that have the greatest potential to harm the company’s reputation and bottom line. Jim Pulsipher is the practice leader for Grant Thornton LLP’s financial institutions group in the West region and the Partner-in-Charge of the firm’s Woodland Hills office. He is a Certified Public Accountant in the State of California with more than 30 years of experience.