Last year the SEC issued rules, pursuant to Section 301 (“Public Company Audit Committees”) of Title III of the Sarbanes-Oxley Act of 2002 (SOA), requiring audit committees to establish procedures for “(a) the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters, and (b) the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.” Most public companies must be in compliance with this requirement by the earlier of (1) the first annual shareholders meeting after January 15, 2004, or (2) October 31, 2004. Foreign private issuers and small-business issuers must be in compliance by July 31, 2005.
This edition of The Bulletin focuses on the issues that audit committees and management should consider as they collaborate to comply with this requirement. This and other Section 301 requirements are important because the SEC’s rules direct the national securities associations to prohibit the listing of any security of a company that is not compliant with them. Noncompliance with Section 301 can also lead to a determination that, at a minimum, there is a significant deficiency in internal control over financial reporting.
The SEC’s view
The SEC’s comments on the new rule refer to the “alleged misdeeds by corporate executives and the independent auditor.” In its discussion of the rule for handling reports of such matters, the SEC states:
... we are not mandating specific procedures that the audit committee must establish ... We do not believe that in this instance a ‘one size fits all’ approach would be appropriate. ... We expect each audit committee to develop procedures that work best consistent with its company’s individual circumstances to meet the requirements in the final rule …
The Commission acknowledges that audit committees must rely on management for information about the company’s financial reporting process. Further, it states that the establishment of formal procedures for receiving and handling complaints should serve to facilitate disclosures, encourage proper individual conduct and alert the audit committee to potential problems before they have serious consequences.
A state of flux
While many audit committees are modifying their charter to insert verbatim the language from the statute as a “working model,” few committees have addressed specifically how the process will work. As a practical matter, whistleblower complaints, whether financial or legal in nature (or both), can present sensitive situations for directors and management. One concern of many executives is that it is not unusual for complaints to come from irresponsible or aggrieved employees. For example, multinationals have experienced disgruntled employees claiming knowledge of violations under the Foreign Corrupt Practices Act.
While this area is in its infancy, an analogy can be made to other situations requiring director follow-up. For example, in the event a board receives a responsible allegation that a member of management has engaged or is about to engage in a material, unlawful act, how is it required to act? In such instances, directors often take a conservative approach. They may require and oversee a comprehensive investigation, listen to the complainant (if he or she will come forward), seek advice and formal recommendations from outside advisors and counsel about appropriate board or committee action, formulate a final decision, take action in accordance with that decision, and if necessary, make appropriate disclosure inside and/or outside the company. Complicating this process, however, is the SEC’s recent “up-the-ladder” rules for legal counsel to “blow the whistle” for inadequate disclosure or breach of fiduciary duties. These rules raise questions for management as to the appropriate process for consulting counsel for advice on handling matters reported by whistleblowers.
Some practices to consider
Section 301 differs from other SOA requirements in that it states that the audit committee “must establish” the procedures required to handle complaints and confidential, anonymous submissions. To fulfill its responsibilities under the statute, the audit committee needs help from management, counsel and advisors with the design and execution of the appropriate process. If management is proactively and effectively addressing these requirements, the audit committee’s approval should be sought. The committee should provide input as to the appropriate protocols (see below) and oversee the process to ensure those protocols are honored. The process must consider how to assess these matters, determine who will investigate them, and address how results will be communicated to management and the audit committee.
Some process design points to consider are discussed below:
- Design the reporting process to use, considering the company’s culture, structure, complexity and risk profile. An employee whistleblower program is a process available to employees designed to allow them to report complaints and concerns on a confidential, anonymous basis. The procedures that will be most effective to implement such a program for, say, a small company with 100 employees could be very different from the processes and systems that would need to be in place for a large, multinational corporation with tens of thousands of employees. Many organizations use “employee hotlines” that allow employees to call toll free and report incidents and complaints on a confidential, anonymous basis. The idea is to design and promote a program with the goal of enabling employees to have a dialog about potentially serious issues in a manner that they respond to favorably. While hotlines are effective tools for addressing the Section 301 requirements, they are only one piece of the puzzle.
- Develop appropriate protocols. Protocols are needed in several areas. For example:
  - Reporting protocols define (a) how complaints are received and by what facility, i.e., by an external hotline vendor or through internal staff, (b) where the complaints go when they come in, and (c) when complaints warrant immediate escalation to the audit committee. All reported complaints should be documented and sent to the audit committee on a periodic basis, e.g., monthly or quarterly. Serious matters, however, should be reported to the committee as soon as possible.
  - Complaint cataloging protocols provide guidance on categorizing and prioritizing complaints and submissions to facilitate subsequent review. Filtering is a significant part of the process. The task is to segregate complaints, anonymous or not, having relevance to accounting, internal accounting controls, auditing or fraud matters so that they are reported in an appropriate form, including in a summary report, to the audit committee.
  - Investigative protocols facilitate decisions to investigate matters as well as ensure privilege, confidentiality and appropriate communication of findings. They include, among other things, (a) determining whether complaint handling is free of conflicts of interest (i.e., reported issues may concern an investigative team member’s area of responsibility), and (b) ensuring use of appropriate evidence-gathering techniques so that the evidence collected retains the characteristics needed for admissibility. These protocols are important in any fraud investigation that may result from a complaint.
  - Protective protocols address the specific SOA Section 806 provisions that protect whistleblowers. Employees who report accounting irregularities and fraud must not be singled out or discriminated against because of their actions.
- Develop a communications strategy. With assistance from management and advisors, the committee should formulate a comprehensive plan to announce the procedures for handling complaints and submissions to all company employees. The goal is to ensure all employees recognize that they should report any fraudulent or unethical behavior. Periodic reminders on the process should ensure employees understand the importance and parameters of the program and follow its guidelines. For example, consider:
  - Incorporating the complaint hotline information on pay stubs and websites
  - Communicating the information during regular performance feedback, consistent with the company’s human resources program
  - Providing a strong education component to improve the quality of reported data as well as ease the filtering process
  - Incorporating a clear articulation of the consequences for abusing the complaint system, including dismissal
  - Including information in new employee orientation and periodic training programs to ensure all employees, regardless of their position or status, are aware of the process and the related protections
- Determine the makeup of the complaint assessment team. The assessment team should be led by the general counsel and should include the chief compliance officer and a senior representative from human resources. Where these positions exist, the chief risk officer, the ethics officer/ombudsman and the chief security officer should also be included. Each complaint should be investigated with appropriate documentation. Depending upon the nature and complexity of the complaint, appropriate audit techniques and a review of IT system logs may be important to a proper investigation, requiring the participation and assistance of the internal audit director and chief information officer. Highly sensitive complaints will need to be investigated under the direction of the audit committee. In these instances, the audit committee should consider having the investigation coordinated by outside counsel. Other complaints may be delegated to management with accountability for reporting back to the committee. The audit committee must be satisfied with the resolution process.
- Identify and establish a relationship with appropriate advisors and auditors. The committee should consider the assistance it will need from management and advisors with designing the process, defining the protocols, developing a communications plan and, if necessary, conducting investigations. The committee should engage outside counsel to advise on legal and reporting matters. The committee may want to identify outside forensic accountants and independent investigators and establish a “go to” relationship with these parties. Relationships with and assistance from local and federal law enforcement agencies may also be considered to ensure timely participation, if needed. Guidelines are also needed for communicating with the outside auditor when conducting an investigation. Depending on the nature and type of investigation and the status of the investigation, the committee may need to inform the external auditor of the complaint or anonymous report. Remember, Section 302 of SOA requires management to disclose to the external auditor (and audit committee) any fraud, regardless of materiality, involving someone who is a participant in the financial reporting process. Thus management must be appropriately involved.
- Maintain good records. Records should be kept of meetings, actions taken and the results of those actions, including the disposition of all complaints, whether investigated by management or the audit committee. These records should include a summary of the facts, recommendations and resolutions and, where appropriate, the committee’s conclusions and direction to management. Required actions may include process changes, disclosures, employee training, fraud-prevention efforts, risk-assessment activities and terminations.
- Conduct a fraud risk assessment. While listed last, this suggestion could just as easily have been listed first. A fraud risk assessment with senior and possibly middle management can identify accounting- and fraud-related risks within the organization. Such assessments often provide insights as to patterns and common industry issues to watch for when evaluating complaints and submissions. They may also identify areas where a proactive solution is warranted to minimize the risk of fraud. Following are steps to consider when conducting a fraud risk assessment:
  - Understand the company’s industry-specific and geographic fraud risks. For example, determine if the company operates in countries where corruption and fraud risk is high. Certain industries also have unique fraud risks, and the risk assessment should identify these factors.
  - Review all previously issued reports concerning fraud. Internal sources or external consultants may have issued reports regarding fraud issues that may still be relevant.
  - Evaluate the existing anti-fraud program and related policies. The program should have elements of prevention, deterrence and detection. Determine if there is corporate oversight of the anti-fraud efforts to ensure consistency throughout the organization.
  - Consider conducting facilitated meetings with various management personnel to determine their perspective on fraud within the organization. These meetings should include representatives from senior management and the business units. They should also include corporate functional heads such as finance, human resources, risk management, corporate security, information systems and internal audit.
  - Conduct surveys of other employees to understand their knowledge of the frequency of fraud. Utilize web-based survey tools to reach the greatest number of employees. Use these surveys to determine if employees understand the company’s fraud prevention, deterrence and detection policies.
  - Compare findings to those of similar organizations. Search for best practices rather than just benchmarking against peers. “Think outside the box” and find the best solutions for your company.
While the audit committee has the ultimate responsibility for making decisions regarding the nature of the process, many companies are not starting with a “clean slate.” A practical step is for management to provide information about existing procedures so the committee can evaluate their suitability for purposes of complying with the statute. Many large organizations have established procedures to investigate the various types of complaints, including conflicts of interest, violations of law, fraud, theft and misuse of assets. The audit committee, with the assistance of its advisors and management, should evaluate the scope and adequacy of these processes if they exist, and request modifications of them, as necessary, to meet the intent of SOA Section 301. Alternatively, the committee should ask management to submit a plan for the design and implementation of an appropriate process.
Following are examples of things the committee should request for the last three years at a minimum:
- Any consultant studies regarding the code of conduct, ethics, compliance, anonymous reporting of complaints, fraud prevention, etc.
- The existing code of conduct, compliance procedures, internal documentation of fraud, fraud policies, etc., and any recent changes or waivers
- Any completed risk assessments indicating the possibility of accounting irregularities or fraud to understand what was recommended and how management responded
- External audit management letters or internal audit reports that address sensitive matters
If a confidential, anonymous reporting procedure is already in place, the audit committee should request information about current policies and practices, how the process works, who receives the initial complaint, how the complaint is forwarded to management and how the company normally handles complaints. The audit committee’s purpose is to assess whether the established process can accommodate accounting, fraud, ethical and conflicts-of-interest issues. If there is a process for investigating sensitive complaints, the committee should obtain information on the composition of the investigation team, who determines when to investigate, and typical investigatory scopes, approaches and reporting. The committee should also understand from management the historical frequency of fraud incidents and ethical violations. If a hotline is in place, the volume of use is an indicator of its operating effectiveness.
The committee should consider conducting executive sessions or interviews with appropriate executives to gain their perspective on historical issues and incidents. These executives may include the chief financial officer, internal audit director, general counsel, chief human resources officer, chief compliance officer, chief risk officer, controller, ethics officer/ombudsman, business unit heads and external auditor.
Over time and with the assistance of management, the committee should find out what other companies are doing. Through input from advisors and networking with other directors and executives, obtain examples of practices on complaint reporting and the related management processes. Evaluate these practices as they apply to your industry and to your company’s facts and circumstances.
Managing the process
When managing the process going forward, audit committees will require assistance from management, staff and advisors. Ordinarily management will provide a plan for the committee to approve. The plan should specify the level of effort required of management, support staff and outside advisors. Note that Section 301 of SOA requires companies to fund the outside advisors the audit committee deems necessary.
The audit committee must pay close attention to any sensitive investigations it initiates. When overseeing such investigations, it is imperative to understand “what to do” as well as “what not to do.” For example, an investigation’s objectives must be clearly articulated. It must be conducted in a comprehensive and objective manner. Equally important is determining if and when the findings should be reported and to whom and how. While investigations are underway, information should be restricted to those individuals designated by the audit committee as having a “need to know.” Failure to conduct internal corporate investigations on a discreet basis can result in embarrassing leaks. Further, if not gathered and preserved properly, evidence may be considered inadmissible in a court of law, creating further embarrassment. Often, in these types of investigations, an employee’s career may be on the line, so every attempt must be made to be fair and to limit the release of any potentially damaging information. Someone who has experience conducting sensitive, “board-level” investigations should lead the investigation team.
Sometimes organizations take disciplinary action against an employee before completing an investigation. Making rash decisions based on emotion and without all the facts can lead to mistakes. Conducting an investigation after disciplinary actions are taken can compromise the objectivity of the inquiry.
Another factor in managing the process is employment law, which varies by country and, in some cases, by state. In some countries, investigations must be completed within a specified time period once management determines there is cause for an examination of the facts. In addition, some countries may require the participation of employee “works councils.” The process must ensure timely review of the facts, determine if an investigation is needed and drive decisive action.
Using “hotlines” for confidential, anonymous reporting
While the SEC does not specifically require the use of an externally based hotline, audit committees and management may wish to investigate the firms offering them. Considering the inherent complexity of managing sensitive information and responsive investigations, it may be both more cost effective and free of conflict-of-interest issues if third-party providers supply the primary complaint hotline facility and collect information through that facility.
Hotlines have been around for a long time. They were first established within the retail industry to allow sales associates to report theft, shoplifting and pilferage. They proved to be an efficient way to reduce shrinkage. In the past, organizations have used hotlines to receive complaints regarding racial and gender discrimination, sexual harassment, and government contract fraud and abuse. If administered properly, they also allow for reporting of accounting, internal control and auditing deficiencies as well as fraud, and can provide a deterrent that can reduce the number of reported incidents over time. An independent third party normally administers hotlines to maintain confidentiality and anonymity.
Some new service providers offer their clients the opportunity to implement Internet-based reporting of complaints. In lieu of external providers, some companies merely utilize internal phone numbers that receive voice-recorded complaints from employees. Internal hotlines may be used by the audit committee so long as they are accessed and managed by a company employee (a compliance or ethics officer, for example) who reports directly to and works directly with the committee. These options have advantages and disadvantages that must be considered carefully. For example, one of the clearest benefits of an external provider is that the reporter will not be speaking with someone he or she knows. Another issue is to understand the distinction between “anonymity” and “confidentiality,” as they are not one and the same. If the intention is to promise anonymity, the process must be designed to preserve it. Once the source is known, anonymity is lost for good.
Hotlines are only a tool and are not the whole solution. It is possible that the organization may already have one or more internal hotlines in play. If there are too many hotlines, employees can get confused. Thus the audit committee needs to carefully weigh its options before deciding to go forward with a new hotline.
Some things to do and avoid
In closing, the SEC’s rules on complaints and confidential, anonymous submissions set expectations for compliance without cumbersome details regarding methods to use. Protiviti has developed a checklist of important things audit committees and management should consider, with the assistance and support from counsel and advisors. The checklist also includes mistakes to avoid. The checklist, entitled “Some Things to Do and Avoid,” is available as a supplement to this issue of The Bulletin on www.protiviti.com.
SUPPLEMENT TO ISSUE 11 OF THE BULLETIN
Establishing an Effective Complaint and Confidential, Anonymous Reporting Process
Some Things to Do and Avoid
The SEC has issued rules, pursuant to Section 301 of the Sarbanes-Oxley Act of 2002 (SOA), requiring audit committees to establish procedures for “(a) the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters, and (b) the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.” Most public companies must be in compliance with this requirement by the earlier of (1) the first annual shareholders meeting after January 15, 2004, or (2) October 31, 2004. Foreign private issuers and small-business issuers must be in compliance by July 31, 2005.
Issue 11 of The Bulletin focuses on the issues that management and audit committees should consider as they comply with this Section 301 requirement. The Section 301 requirements (see Issue 9 of The Bulletin for a description) are important because the SEC’s rules direct the national securities associations to prohibit the listing of any security of a company that is not compliant with them.
The SEC’s rules set expectations for compliance without cumbersome details regarding methods to use. This approach may create some confusion in the marketplace because of the uncertainty as to exactly what companies must do to comply. Companies can, however, expect practices to evolve over the next 12 to 18 months. With that in mind, we provide a checklist below of some of the important things audit committees and management should consider, with the assistance and support from counsel and other advisors:
- Have adequate representation from qualified counsel. Attorneys should be well-versed in the rules and regulations of the SEC and exchanges.
- Evaluate the organization’s risks, culture, management operating style, internal resources and existing procedures regarding reporting of audit and accounting irregularities and fraud before designing the program. Understand the unique risks relating to fraud within your organization, your industry and the geographies in which your company operates. Remember that even the SEC recognizes there is no “one size fits all” approach. The answers and solutions will evolve as you learn more about your options and are able to evaluate which ones fit best within your organization.
- Integrate ethics policies and procedures enterprisewide for reporting fraud and accounting irregularities. This should occur across business units, geographies and subsidiaries (including international locations, to the extent appropriate under local law). Strive for a common platform to receive, evaluate and investigate complaints. This platform should encompass new acquisitions, as well.
- Involve management in developing the process. Understand the processes management already has in place. Obtain management’s support in developing an effective program, as it is difficult to execute in isolation.
- Retain specialists, if needed, to design and execute the program. Identify forensic accountants, corporate internal investigators and fraud-prevention specialists. Even if the committee or company doesn’t use these advisors right away, it is helpful to pre-qualify them in the event they are needed on short notice.
- Do the necessary homework with respect to evaluating firms offering confidential reporting of complaints and other related solutions. There are many new firms offering various Section 301 solutions. Some of these companies are better than others. Determine whether a vendor has adequate resources to meet your specific needs. Examine the vendor’s experience and reputation. Ensure service-level agreement contracts include stipulations regarding confidentiality and completeness of timely information. Make sure the solution a vendor provides fits your requirements. Organizations should consider establishing guidelines and other specialized protocols for call routing, service outages and contingencies, and operator training.
- Communicate the program often within the organization. A comprehensive communications strategy ensures all employees understand the importance of reporting complaints as well as confidential and anonymous submissions, and follow the program guidelines.
- Emphasize the appropriate level of objectivity with respect to the reporting and investigation of complaints. Simply stated, the person or group screening or investigating complaints must not have a vested interest in the outcome. Substantial discretionary authority must be delegated carefully to ensure the appropriate objectivity and absence of conflicts of interest.
- Remember that Sarbanes-Oxley has specific provisions to protect whistleblowers. Your plan should include sufficient investigative protocols to ensure that employees who report accounting irregularities and fraud are not singled out or discriminated against because of their actions. Make sure that confidentiality promises are kept. In particular, once a complaint is received, make every effort to protect anonymity. For example, within smaller companies, focus first on questioning senior-level executives in confidence before broadening the inquiry to lower-level employees. Also, exercise caution when terminating employees, reducing their compensation or passing them over for a promotion. Consider the question, “Has this person in any way questioned our financial-reporting practices?” If so, consider consulting with counsel before taking action.
- Understand and consider the implications of the Federal Sentencing Guidelines. Over a decade ago, the U.S. Sentencing Commission revised its sentencing guidelines and penalties for organizations convicted of criminal behavior. One of the effects of the revised guidelines was to set forth some minimum criteria for an effective fraud deterrence and detection program. Therefore, it is prudent for management and the audit committee to ensure their organization’s compliance program satisfies the criteria as defined by the sentencing guidelines. These guidelines can provide a baseline for evaluating established procedures, making inquiries to potential vendors and conducting periodic procedural reviews. Under the guidelines, there are seven basic elements that should be considered for inclusion in any effective compliance program:
  - Compliance standards and procedures must be established to deter crime.
  - High-level personnel must be involved in oversight (rather than delegating oversight in such a manner that accountability and decision-making are diluted).
  - Substantial discretionary authority must be carefully delegated.
  - Compliance standards and procedures must be communicated to employees.
  - Steps must be taken to achieve compliance in establishing monitoring and auditing systems as well as reporting systems that provide feedback on the process and include protective safeguards.
  - Standards must be consistently enforced (which may include the deployment of a repository of complaint handling and investigation dispositions to ensure consistent application across the enterprise).
  - Any violations require appropriate responses, which may include modification of compliance standards and procedures, and other preventive measures.
According to the sentencing guidelines, these are the elements of effective compliance programs. The audit committee, management and their advisors should consider incorporating these elements as a baseline for evaluating established procedures.
- Listen to employees when they express their complaints and concerns. There is no need for complaints and concerns to ever get reported into a hotline if they are addressed proactively before things get out of hand. Many whistleblowers have indicated they would have never gone public with their concerns about an entity’s financial statements if senior management had been more attentive to them when they raised the issues initially. Indicating to employees that the lines of communication are open doesn't necessarily mean opening the floodgates. For example, some companies report that only a small fraction of anonymous employee complaints received each year relate to financial-reporting matters. That said, it is possible that when improprieties occur, employees may look upon the confidential, anonymous reporting process as a means of absolving themselves of responsibility.
Following are some mistakes that audit committees and management should strive to avoid:
- Delay getting started. While the date for compliance with Section 301 is not until later in 2004, time is running short. There may be a lot to do to ensure your plan is compliant.
- Take a program developed for another company and blindly implement it within your organization. To be effective, a plan requires careful thought and analysis to ensure the proper cultural fit as well as management support.
- Forget about conflicts when developing your plan. Determine who will conduct investigations of sensitive matters to ensure the appropriate objectivity.
- Fail to document your activities and track complaints over time. Maintain adequate records of meetings, accomplishments and decisions. This type of recording is useful if you ever need to defend your process or actions. In addition, track complaints over time to determine whether the percentage of complaints relating to financial reporting and the absolute volume of such complaints change over the period tracked. If companies have tracked complaints in the past, management will be better able to define the task at hand.
- Develop overly complicated solutions that are doomed to fail. Avoid burdensome programs, creating unnecessary expenses and duplicative internal reporting. If the program requires time, effort and money disproportionate to the risk, it ultimately will fail. For example, your organization may have one or more internal hotlines in play. Having too many hotlines can confuse employees, a problem for many companies. Carefully weigh your options before deciding on how to move forward with a new hotline, if this is determined to be the appropriate solution. In short, keep the program as simple for employees as possible.
- Neglect to emphasize prevention and deterrence. While the SEC rule requires companies to develop procedures to handle complaints about problems, it makes sense to concurrently develop policies and processes to prevent and deter accounting irregularities or fraud. Establish appropriate internal controls, including implementation of entity-level monitoring procedures, an internal audit function, effective reporting systems and state-of-the-art protective safeguards.
- Ignore complaints that appear to be insignificant or immaterial. Sometimes a specific complaint could be a part of a broader pattern. Sometimes the cost of a fraudulent act, including the inherent damage to the organization’s reputation, can escalate to significant proportions. In today’s fishbowl environment, materiality should not necessarily be a threshold for determining when a complaint is escalated to the audit committee prior to comprehensive periodic reporting. The assessment of significance is the audit committee’s to make, not management’s.