How to build an effective SOX whistle-blower program
While the Sarbanes-Oxley Act of 2002 (SOX) does not bind privately held companies, many experts suggest that leaders at midsized businesses consider implementing the law’s whistle-blower provisions.
"There are a lot of unethical or illegal things that happen in companies that management simply has no clue about," says John Morrow, vice president of the American Institute of Certified Public Accountants in Washington, D.C. "There’s often someone out there just looking for a way to report such activity, and it’s important to remember that employees aren’t the only sources for those kinds of tips."
In its most recent "Report to the Nation," the Association of Certified Fraud Examiners supports Morrow’s comments. The national study shows that 34 percent of all corporate fraud activity — including accounting and audit irregularities — surfaces through tips. While employees generated two-thirds of those tips, customers, vendors and anonymous third parties generated the remainder.
Handled well, a SOX whistle-blower program can build organizational credibility and internal morale. On the other hand, Morrow cites the example of a poorly run program at a large public company, which directed would-be whistle-blowers to the company’s head of internal audit.
"Nobody realized that there was internal caller ID on all of those contacts, and many of the people making those calls did so from company phones," he says. "While the internal audit guy did his best to keep those contacts confidential, the risk of an electronic trail never occurred to those callers."
A closer look at key provisions
SOX rules provide substantial protections for whistle-blowing employees, including the right to a jury trial and criminal penalties of as much as 10 years for company officials found guilty of retaliation. The law also requires in-house or outside legal counsel of an SEC-traded business to report any violations of securities law or fiduciary responsibilities to a company’s chief legal officer or CEO. If the concerns are not resolved at that level, the attorney must address the issues with the company’s audit committee.
Public company audit committees, meanwhile, are required to create processes for the confidential "receipt, retention and treatment" of tips on financial irregularities. While the law does not prescribe fixes, some experts point to a best-practice whistle-blower approach that United Technologies Corp. (UTC) established three years ago.
In 2003, the company updated its existing Ombudsman/DIALOG program to accommodate SOX-related reporting on audit and accounting problems. The main keys to its success: internal staff who serve as intermediaries between tipsters and company officials, confidential phone and online reporting tools, and written responses to all internal or external sources who file a complaint.
"The structure and confidentiality of the program are key," says Patrick Gnazzo, UTC’s vice president for business practices, in a Workforce Management overview of his company’s approach to a SOX-mandated whistle-blower approach. "We can’t protect information if the person conducting the investigation gets the complaint directly from the individual. And no one in the company can demand information from our program."
Launching a whistle-blower reporting system
Has your company established an effective whistle-blower reporting system? If not, here are some tips to help your organization get started.
Outline your policy. This step will lay the foundation of your company’s program to uncover fraudulent or illegal activity. The policy should provide clear direction on the role of management and company directors, and provide employees and other stakeholders with specifics on what to do when they encounter illegal or unethical behavior — and where to report it. The latter issue, Morrow says, is a key decision.
"Regardless of whether a company sets up an internal system to handle such reports, or goes with an outside service providing a hot line and other support tools, the big issue is to make sure that the confidentiality of all contacts is respected," he says.
Provide training and education tools. By itself, a policy will do nothing to encourage whistle-blowers or curb bad behavior. Experts say companies also need to design training tools to highlight the policy, explain why it’s important and reinforce that it has the support of top management. At a deeper level, it is vital to develop education programs for managers to teach them how to respect confidentiality and handle direct or indirect reports of SOX-related misconduct. Outside the company, Morrow recommends including vendors and customers in the education process. This can be as simple as an introductory letter from company leadership followed by reminder forms in regular correspondences — with contact information for a whistle-blower hot line and other reporting tools.
Improve documentation of employee performance. Legal observers of Sarbanes-Oxley say that a SOX-related whistle-blower complaint is, in effect, a complaint about the workplace. With that in mind, savvy companies need to step up their monitoring and documentation of employee complaints, and be able to demonstrate how they handled follow-up actions or investigations. This is critically important when the company terminates an employee, which can trigger future whistle-blower actions.
Facilitate a sound process for investigations. The credibility of a whistle-blower program is only as good as the investigation practices that support it. For that reason, it is important that public company audit committees or private company directors establish consensus on how they will review SOX-related complaints. Key considerations in this area include how the company will use internal or external investigative resources, gather evidence, interview staff or management in question, and protect confidentiality. The investigative procedures should also spell out how the company will take disciplinary actions and how it will report or disclose incidents to employees and other company stakeholders.
Ensure good record retention practices. In the big picture, companies need to develop comprehensive methods for documenting and retaining all whistle-blower complaints. That’s because the law provides potentially stiff civil and criminal penalties for companies that cannot produce accurate and complete documentation during a SOX-related court action. This may include everything from initial contact reports, transcripts from meetings or oral conversations about the alleged problem, and physical copies of all evidence from an investigation.
By taking these steps, you can help build credibility with employees and other stakeholders about your company’s commitment to financial integrity.