For those of you who do have a whistleblower policy (whether required by SOX or just because you feel it is beneficial), who is your initial contact or "report to" person for any incidents to be reported to? I have seen internal audit, HR, legal counsel, & risk managment, but I am curious what the most common option is. We are a closely-held and under $500MM, but feel the need to implement the policy/procedures and are curious what the most common situation is and how well they work. Any input or suggestions would be great. Thanks.

We are under $500MM and the primary report is to the Internal Auditor

We are over $500MM also and is handled through snail mail to the internal auditor.

We are over $1B and the primary reporting procedure is to the audit committee.

If they want to be anonomous, we use a 1-800 # that goes to a special voice mailbox. IA picks up the messages. Otherwise they contact IA directly. Then IA &/or Human Resources investigages. Audit Committee given summary info at the next meeting unless it was something serious enough to need their input. In that case, they would be contacted immediately once IA had done some preliminary work. IA documents and maintains the files.

We also use a 1-800 number with hits going to the IA, compliance officer and legal counsel. It is totally anonymous to the caller. We have annual training on this subject and employees are reminded about the phone number. This information is also posted on our website. Any issues would be immediately sent to the audit committee as well.

We are a public company with 220 million in assets and we report to Audit Committee Chairman in care of the Legal Council.

We are a closely held bank, less than $500mm. Our policy states that calls can be made to the Internal Auditor, Chairman of the Audit Committee or both, depending on the nature of the complaint.

We are in the process of getting a fraud hotline set up to comply with "sound corporate governance practices for banks" (privately held under $500MM - which we are). We are also examined by the FDIC. I recently found a Financial Institution Letter (FIL-17-2003) stating "It is sound corporate governance practice for a bank to establish procedures for processing complaints and employee submissions. Accordingly, each bank's audit committee should establish a mechanism, appropriate to the size and complexity of the bank, for employees to submit confidentially and anonymously concerns to the committee about questionable accounting, internal accounting control or auditing matters. The audit committee also should set up procedures for the timely investigation of complaints received and the retention for a reasonable time period of documentation concerning the complaint and its subsequent resolution. Where the board of directors fulfills the audit committee responsibilities, the procedures should provide for the submission of employee concerns to an outside director."

We are going to outsouce this and have found that it isn't all that expensive - about $1,500 to set up and $1,200 annually thereafter. I didn't do the research, but the person that did called around to some banks that we have relationships with and one of them stated that they opted to do theirs internally and would recommend others to outsource/external. The reason being they don't feel their employees really feel it is anonymous since it is internal. Hope that helps.

To the anon who post that their whistleblower function is outsourced: please register and PM me regarding your pprocess of establishing a fraud hotline and the outsourced arrangement.