You found out that your organization engages in fraud and violates laws and regulations. Which of the following is the best way for you to report the fraud?
A. Act based on the roles and responsibilities of the whistleblowing program policy
B. Refer to the program plan of corporate compliance and ethics
C. Lookup the employee manual
D. Report to the regulatory authority
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Lookup the employee manual.
Added on 2020/10/26:
I revised the question sentence from “Which of the following is the best way you should follow?” to “Which of the following is the best way for you to report the fraud?” to be more specific and highlight the reporting procedure.
We should follow organizational policies, but they are not specific enough to denote operational procedures. The roles and responsibilities of the whistleblowing program policy may specify who should do what in terms of implementing the policy; reporting procedures or instructions typically will not be elaborated in this section.
The employee manual or handbook typically compiles or summarizes policies and procedures. It is a good starting point for a whistleblower to find the procedures, instructions, or related information needed to report the fraud. Some whistleblowing policy documents may include instructions or procedures for reporting, but those are not addressed in the roles and responsibilities section of the policy.
A policy is a statement of the management intent which documents objectives, rules, practices, or regulations, directs the activities, and affects the behavior of people.
- A program policy is a high-level document created to direct and initiate an organization’s program.
- Issue-specific policies are developed to address areas of current relevance and concern to an organization.
Information Security Program Policy
Program policy is used to create an organization’s information security program. Program policies set the strategic direction for security and assign resources for its implementation within the organization. A management official—typically the SISO—issues program policy to establish or restructure the organization’s information security program.
This high-level policy defines the purpose of the program and its scope within the organization, addresses compliance issues, and assigns responsibility to the information security organization for direct program implementation as well as other related responsibilities.
Source: NIST SP 800-12 R1
Whistleblowing Program Policy
The whistleblowing program policy is a high-level document and the section of roles and responsibilities typically won’t address detailed reporting procedures for whistleblowing.
Corporate Compliance and Ethics Program
The corporate compliance and ethics program may address whistleblowing issues as well. However, the purpose of the program plan is not to provide whistleblowers with reporting procedures to report potential fraud. The program plan is developed to implement the program and produce results. Developing whistleblowing procedures can be one of the program plan’s tasks, but reporting fraud is not.
Reporting to the regulatory authority is just one of the options. A whistleblower may report to the internal authority, regulatory authority, law enforcement, etc.
- Not every company is subject to specific regulations or has an explicit regulatory authority that sets up hotlines to accept reporting.
- According to Wikipedia, “over 83% of whistleblowers report internally to a supervisor, human resources, compliance or a neutral third party within the company, with the thought that the company will address and correct the issues.”
References
- Elements of an Effective Whistleblower Hotline
- Employee handbook
- How To Write And Update Your Employee Handbook For 2020
- How to Develop an Employee Handbook
- Employee Manual October 2019 (Lawton City)
- Decision-Making: Strategies, Policies, Programmes and Plans, Legislation, Policy Instruments and the Regulatory Framework; Involvement of Major Groups