Overview
Whistleblower and Anonymous Reporting is the process by which employees and third parties can confidentially report ethical concerns, misconduct, or policy violations without fear of retaliation. This process supports SOC 2 CC2.2 by ensuring concerns are communicated, received, and handled through defined and monitored channels.
Step-by-Step Process
Establish reporting channels
The HR Manager sets up and maintains approved whistleblower reporting channels, including an anonymous reporting tool or dedicated email hotline. The output is active, accessible reporting mechanisms available to all employees and relevant external parties.
Role: HR Manager
Publish reporting policy
The HR Manager publishes the whistleblower and non-retaliation policy in the employee handbook and internal knowledge base. The output is a formally approved and communicated policy that explains how to submit reports and what to expect.
Role: HR Manager
Receive and log reports
When a report is submitted, the HR Manager or designated reviewer acknowledges receipt and ensures the report is logged in the tracking system or case management tool. The output is a timestamped report record with a unique case ID.
Role: HR Manager
Review and assess report
The HR Manager performs an initial assessment to determine the nature, severity, and required escalation for the report. The output is a documented assessment and decision on next steps, including investigation or referral.
Role: HR Manager
Investigate and escalate as needed
Assigned investigators gather relevant information, maintain confidentiality, and escalate issues to Legal or Executive Management if required. The output is an investigation summary and documented actions taken.
Role: HR Manager
Close case and retain records
Once resolved, the HR Manager formally closes the case and ensures all records are retained according to the company retention policy. The output is a closed case status with supporting documentation stored securely.
Role: HR Manager
What You Need Before Starting
- Approved whistleblower and non-retaliation policy
- Access to EthicsPoint, NAVEX, or email hotline inbox
- Case tracking or HR case management system access
- Employee handbook or internal knowledge base access
Evidence Your Auditor Expects
- Screenshot of active EthicsPoint or NAVEX reporting portal showing system date
- Whistleblower policy PDF with approval date and version number
- Case log export showing report ID, submission date, and status
- Closed investigation summary document with resolution date
How This Looks In Your Tools
EthicsPoint
Log in to the EthicsPoint admin portal and navigate to Admin > Case Management > Cases to view submitted reports. Verify that anonymous reporting is enabled by going to Admin > Program Setup > Intake Settings and confirming anonymity options are active.
To review a report, select a case ID, review the Intake Summary, and add notes under Case Notes. Update the case status using the Status dropdown and save changes to generate an updated timestamp.
NAVEX
Access the NAVEX One platform and select Whistleblowing & Incident Management from the main dashboard. Navigate to Cases > Open Cases to view new or in-progress reports.
Click into a case to review reporter details, allegations, and attachments. Use the Actions menu to assign investigators, add comments, and update the case status, ensuring all updates are automatically logged with date and time.
Email hotline
Access the dedicated whistleblower email inbox (e.g., whistleblower@company.com) using authorized HR Manager credentials. Review new emails and save each report as a PDF with the email header showing date and time received.
Log the report into the case tracking system by creating a new case record and attaching the saved email. Restrict inbox access permissions and periodically review access logs to maintain confidentiality.
Common Audit Findings
- Reporting channels not communicated
  - This occurs when policies are approved but not distributed to employees. Prevent this by documenting policy publication dates and including whistleblower reporting in onboarding materials.
- Lack of anonymous reporting option
  - Auditors note this when tools are misconfigured or email hotlines require identification. Regularly review tool settings to confirm anonymity is enabled and documented.
- Missing case review documentation
  - This happens when reports are handled informally without notes. Require case notes and status updates for every report before closure.
- No evidence of timely response
  - Auditors flag delays when timestamps are missing or unclear. Ensure acknowledgment and review actions are logged with dates in the case system.