There are hidden complexities in the implementation of a seemingly simple provision of the Sarbanes-Oxley Act (“SOX”). Because of this hidden complexity, many companies have done little to address its provisions. Most of the thousands of law firm articles written about SOX provide nothing more than a brief recital of the law, with little or no comment regarding expected challenges. The unwary will certainly be trapped.
Easier Said Than Done
The challenge lies in SOX’s Section 301(4). It states simply that “Each audit committee shall establish procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and the confidential anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”
One might incorrectly conclude that SOX’s whistle-blowing provision is a narrow requirement that pertains to only accounting matters. In actuality, little falls outside the overall rubric of accounting, auditing, and internal accounting controls.
Employees with any concerns in these broad areas obtain widespread protection. SOX Section 806 provides job security and monetary damages if retaliation occurs against an employee that reports anything that the employee reasonably believes may be a violation of any securities law, any rule of the Securities and Exchange Commission (“SEC”), or any other federal law. Section 1107 further complicates the issue by providing criminal and monetary penalties against individuals or companies that provide such retaliation, on top of the civil remedies the employee has through Section 806.
Successful whistle-blowers receive national attention. Time magazine named three whistle-blowers (from Enron, Worldcom and the FBI) as their “Persons of the Year”. Identifying these people as role models, putting their pictures on the cover of national magazines, and having the press herald them as national heroes will obviously embolden other employees to voice their concerns. As described above, SOX protects employees who attempt to follow their example.
SEC Regulations Provide Few Answers
The SEC’s implementing rules repeat the above SOX language, and do not give substantive guidance or safe harbor provisions. Instead, the SEC said, “We do not propose to mandate specific procedures that the audit committee must establish. Given the variety of listed issuers in the U.S. capital markets, we believe companies should be provided flexibility to develop and utilize procedures appropriate for their circumstances. We expect each audit committee to develop procedures that work best consistent with its company’s individual circumstances”.
This initial flexibility provides false comfort to anyone contemplating less than a rigorous implementation of Section 301. When a high-profile problem arises, there will be no clemency for using this flexibility as a short cut. The press and securities class action plaintiffs will also second-guess management, claiming that their “flexible” solution was really no solution at all.
Practical challenges occur in conducting a responsible and complete investigation under SOX’s requirements. The simple reality is that, despite the SEC’s flexibility, there are few good options. Any solution must meet all of the following requirements:
- Provision must be made for complaints to be received confidentially and anonymously;
- The audit committee is responsible for complaint collection and investigation;
- No retaliation occurs towards those providing information.
Anonymity and Independence Mandate Outside Assistance
Although some companies will want to establish an internally operated system, serious shortcomings exist. These shortcomings include:
- Depending upon the nature of the complaint, the company’s internal system could be directly or indirectly within the control of the target of the complaint.
- Sufficient anonymity may not exist. Modern technology and computer systems at most companies allow a skilled person to identify the source of many voice and computer communications.
- The risk of retaliation claims increase with greater internal involvement. If communications initially come to a person within a company, an argument can be made that the established communication vehicle was not anonymous. Subsequent employee discipline of anyone involved allows the employee to assert that the action was in retaliation to the whistle-blowing complaint.
If handling these sensitive issues internally causes additional allegations of impropriety, any perceived cost savings will quickly disappear. Because the risks of additional allegations are great, audit committees should insist that the collection and investigation of complaints be separated from the company.
The audit committee’s responsibility for administering this system also favors using an outside advisor. Obviously, few (if any) audit committee members will be interested in making their personal phone numbers, addresses, etc. available to all employees of the companies they serve.
Phone and Email Hotlines Are Poor Choices That Cost More in the Long-Run
In order to meet these constraints, some have advocated phone and/or email hotlines. Under these systems, all employees receive a telephone number and/or address to report complaints. Outside vendors provide clerical assistance by transcribing the complaint. When employed in this fashion, this service is largely a stenographic service.
While a good starting point, a simple hotline is hardly a SOX compliant solution. Most hotline vendors perform their assignment with telephone operators inexperienced in accounting matters. These people cannot be expected to:
- Understand the complexities involved with accounting, auditing, and internal accounting controls;
- Ask questions that will facilitate a further investigation and ultimate disposition; or
- Implement any of the policy guidelines established by the Audit Committee.
The greater concern with inexperienced phone operators is that there are often limited opportunities to obtain an informant’s cooperation. Without complete information in the first contact, the opportunity may be permanently lost. Even if additional communications are possible, unnecessary concern is sometimes initially raised simply because the first communication did not gather necessary and pertinent facts.
However, from the perspective of most hotline companies, they have done their job by taking down the complaint and forwarding it to someone else. As an audit committee member, in-house legal counsel, or executive that is personally certifying to the appropriateness of the company’s financial statements, this is hardly a complete solution.
A company may also encourage its Audit Committee to use the financial statement auditors to investigate employee complaints. However, some of the concerns will relate to these auditors. To avoid conflicts of interest, companies should use an independent firm who has accounting and auditing expertise.
Using an independent outside vendor skilled in accounting and auditing provides a much better result. The outside firm can gather needed information that will allow the complaint to be resolved, and can perform an initial investigation using the Audit Committee’s policies. SOX specifically provides that each company funds this outside assistance for their audit committee.
Policy Issues for the Audit Committee to Address
The Audit Committee should have substantive involvement in setting policies and overseeing the ongoing implementation of their policies. They cannot appropriately delegate this area to the company, and then be satisfied with hearing a periodic report from management.
The Audit Committee’s policies should answer questions such as the following:
- Who gets copies of the complaints? In order to maintain the complaints as confidential and anonymous, who should NOT have access to the complaints?
- At what point should company management be actively involved? How does this vary based on the type of complaint?
- Assuming the audit committee does not need to individually address every complaint, what type of summary should the committee receive?
- Recognizing that not all complaints deserve the same attention, what is the process that determines the level of effort given to each?
- What documentation should be maintained regarding the resolution of each complaint?
- What level of overall review is necessary to ensure that complaints are not dismissed individually when a pattern of potential misconduct exists?
- Assuming that no public disclosure becomes required, what level of voluntary reporting regarding SOX Section 301 compliance should occur?
- How should the complaint system be communicated and reinforced to the company’s employees and relevant third parties?
Fulcrum Inquiry is a forensic accounting firm with significant experience in handling financial investigations, accounting processes, and related dispute resolution. Our personnel are able to field employee complaints and take steps to implement your audit committee’s directives. By involving accounting and auditing professionals early in the process, we independently address anonymous complaints at an overall lower cost.
Our charges for operating the complaint system and responding to employee concerns are no greater than our competitors. Generally, our charges are limited to the actual time spent fielding calls, billed at our competitive hourly rates.
Learn More About Our Whistleblower Services.