There are hidden complexities in the implementation of a seemingly simple provision of the Sarbanes-Oxley Act (“SOX”). Because of this hidden complexity, many companies have done little to address its provisions. Most of the thousands of law firm articles written about SOX provide nothing more than a brief recital of the law, with little or no comment regarding expected challenges. The unwary will certainly be trapped.
Easier Said Than Done
The challenge lies in SOX’s Section 301(4). It states simply that “Each audit committee shall establish procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and the confidential anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”
One might incorrectly conclude that SOX’s whistle-blowing provision is a narrow requirement that pertains to only accounting matters. In actuality, little falls outside the overall rubric of accounting, auditing, and internal accounting controls.
Employees with any concerns in these broad areas obtain widespread protection. SOX Section 806 provides job security and monetary damages if retaliation occurs against an employee that reports anything that the employee reasonably believes may be a violation of any securities law, any rule of the Securities and Exchange Commission (“SEC”), or any other federal law. Section 1107 further complicates the issue by providing criminal and monetary penalties against individuals or companies that provide such retaliation, on top of the civil remedies the employee has through Section 806.
Successful whistle-blowers receive national attention. Time magazine named three whistle-blowers (from Enron, Worldcom and the FBI) as their “Persons of the Year”. Identifying these people as role models, putting their pictures on the cover of national magazines, and having the press herald them as national heroes will obviously embolden other employees to voice their concerns. As described above, SOX protects employees who attempt to follow their example.
SEC Regulations Provide Few Answers
The SEC’s implementing rules repeat the above SOX language, and do not give substantive guidance or safe harbor provisions. Instead, the SEC said, “We do not propose to mandate specific procedures that the audit committee must establish. Given the variety of listed issuers in the U.S. capital markets, we believe companies should be provided flexibility to develop and utilize procedures appropriate for their circumstances. We expect each audit committee to develop procedures that work best consistent with its company’s individual circumstances”.
This initial flexibility provides false comfort to anyone contemplating less than a rigorous implementation of Section 301. When a high-profile problem arises, there will be no clemency for using this flexibility as a short cut. The press and securities class action plaintiffs will also second-guess management, claiming that their “flexible” solution was really no solution at all.
Practical challenges occur in conducting a responsible and complete investigation under SOX’s requirements. The simple reality is that, despite the SEC’s flexibility, there are few good options. Any solution must meet all of the following requirements:
- Provision must be made for complaints to be received confidentially and anonymously;
- The audit committee is responsible for complaint collection and investigation;
- No retaliation occurs towards those providing information.
Anonymity and Independence Mandate Outside Assistance
Although some companies will want to establish an internally operated system, serious shortcomings exist. These shortcomings include:
- Depending upon the nature of the complaint, the company’s internal system could be directly or indirectly within the control of the target of the complaint.
- Sufficient anonymity may not exist. Modern technology and computer systems at most companies allow a skilled person to identify the source of many voice and computer communications.
- The risk of retaliation claims increase with greater internal involvement. If communications initially come to a person within a company, an argument can be made that the established communication vehicle was not anonymous. Subsequent employee discipline of anyone involved allows the employee to assert that the action was in retaliation to the whistle-blowing complaint.
If handling these sensitive issues internally causes additional allegations of impropriety, any perceived cost savings will quickly disappear. Because the risks of additional allegations are great, audit committees should insist that the collection and investigation of complaints be separated from the company.
The audit committee’s responsibility for administering this system also favors using an outside advisor. Obviously, few (if any) audit committee members will be interested in making their personal phone numbers, addresses, etc. available to all employees of the companies they serve.
Phone and Email Hotlines Are Poor Choices That Cost More in the Long-Run
In order to meet these constraints, some have advocated phone and/or email hotlines. Under these systems, all employees receive a telephone number and/or address to report complaints. Outside vendors provide clerical assistance by transcribing the complaint. When employed in this fashion, this service is largely a stenographic service.
While a good starting point, a simple hotline is hardly a SOX compliant solution. Most hotline vendors perform their assignment with telephone operators inexperienced in accounting matters. These people cannot be expected to:
- Understand the complexities involved with accounting, auditing, and internal accounting controls;
- Ask questions that will facilitate a further investigation and ultimate disposition; or
- Implement any of the policy guidelines established by the Audit Committee.
The greater concern with inexperienced phone operators is that there are often limited opportunities to obtain an informant’s cooperation. Without complete information in the first contact, the opportunity may be permanently lost. Even if additional communications are possible, unnecessary concern is sometimes initially raised simply because the first communication did not gather necessary and pe