By Pamela Verick Stone, Protiviti Director
Business scandals. Financial frauds. The Sarbanes-Oxley Act of 2002.
These are a few reasons companies have a need to provide a means for people to report wrongdoing — and protect those who make such reports.
For smaller employers, developing a whistleblower program can be a big job. It takes time and resources, both of which can be especially difficult for smaller employers to spare.
For companies that employ internal auditors, they are on the front lines of the issue — often identifying “red flags” of fraud and misconduct, or receiving letters reporting wrongdoing, thrusting them into whistleblower investigations.
We’re going to discuss ways in which small companies can handle these whistleblower program requirements — and minimize the amount of time and resources needed to do it. Let’s start with important whistleblower program considerations.
Sarbanes-Oxley Act of 2002
Section 806 of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley Act”) requires whistleblower protections for employees. It bars employers from taking certain actions against employees who disclose certain information and calls for special damages and attorney’s fees to be paid to whistleblowers whose protections are violated.
Section 1107 of the Act allows for fines or imprisonment of up to 10 years for those who intentionally interfere with or retaliate against anyone who provides truthful information to law enforcement authorities regarding the commission of a federal offense.
The COSO – Internal Control Integrated Framework calls for companies to establish channels of communication for people to report suspected improprieties. Companies need to:
- Provide employees a way to communicate their concerns or complaints about potential unethical or unlawful behavior.
- Consider how employees may communicate through someone other than a director superior, such as an ombudsman or corporate counsel.
- Allow for anonymous reporting.
- Determine whether employees actually use the communication channel.
- Provide whistleblowers with feedback and immunity from reprisals.
- Ensure timely and appropriate follow-up by management on whistleblower tips received from customers, vendors, regulators or other external parties.
PCAOB Standard No. 2
Paragraph 24 of the Public Company Accounting Oversight Board Standard No. 2 states that auditors should evaluate all controls specifically intended to address the risks of fraud that have a “reasonable possible likelihood” of having a material effect on the company’s financial statements.
These controls include the adequacy of the company’s procedures for handling complaints and for accepting confidential submissions of concerns about questionable auditing or accounting matters.
Statement on Auditing Standards No. 99 (“SAS 99”) says employees should be given the means to obtain advice internally before making decisions that appear to have significant legal or ethical implications.
SAS 99 also says employees should be able to communicate concerns about potential Code of Conduct violations without fear of retribution. In addition, they should be able to raise issues anonymously, if preferred.
Federal Sentencing Guidelines
Federal sentencing guidelines call for employers to have and to publicize a reporting system that may include mechanisms that allow for anonymity and confidentiality. The guidelines also state that employees and others should be able to report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
As we can see, the statutory and regulatory requirements and recommendations are quite similar. All mention the need for confidential reporting and warn against retaliating against those who report wrongdoing.
Many companies meet these standards and statutory requirements by establishing telephone hotlines for reporting. An ethics/compliance officer, fraud officer, general counsel, internal audit director or another trusted person typically receives or monitors the calls and their handling.
A company’s size can complicate whistleblower protection. Small size often means that employees know one another or are familiar with various areas of the company. After a whistleblower complaint is made, employees in a small company may be able to narrow the source of the complaint or the department from whence it came.
Retaliation against the suspected source of the complaint from anyone in the company could put the organization at risk. In addition, gossip and the rumor mill also can hinder productivity.
Section 806 of the Sarbanes-Oxley Act protects employees who provide information or assist in an investigation from discharge, demotion, suspension, threats, harassment or any form of discrimination.
Employees may file a complaint with the U.S. Department of Labor or ask for de novo review in federal district court if the Secretary of Labor does not respond within 180 days. Remedies include all relief necessary to make the employee whole, including reinstatement with the same seniority status, back pay with interest and compensation for other losses, such as litigation expenses, expert witness fees and reasonable attorney fees.
Because of these problems and penalties, training and education regarding company whistleblower policies and protections is vital. Everyone in the organization — including top managers, employees, contractors, subcontractors and agents — needs to understand the policies and protections.
This can be accomplished in a variety of ways: employee handbooks, codes of ethics or conduct, intranet and internet education, new-hire training among them.
Elements of Effective Whistleblower Programs
One key element of all whistleblower programs is a reporting mechanism appropriate to the organization. It must be communicated to employees, actively monitored, offer confidentiality and anonymity, and give those who use the program the ability to obtain advice regarding their complaint.
Rules pertaining to intake procedures, information retention, evaluation and escalation procedures, case tracking and monitoring, closeout procedures and management reporting need to be in place. These are typically addressed through the company’s incident response plan and case management system.
Investigative protocols and procedures that enable the company to evaluate what types of issues need to be pursued, and the skills needed to pursue them, also are needed. Depending on the nature of the allegation, the available resources, the urgency of the response and the need for confidentiality, the company will need to decide whether to handle the matter internally or seek outside help.
Finally, the company must fix problems raised by legitimate complaints. To properly do this, disciplinary, prosecution and recovery guidelines are needed.
Minimize Time and Resources
The “magic” to maximizing organizational time and resources for small companies is a basic, commonsense approach: “keep it simple.” A consistent, repeatable process that is documented and reviewed with employees can be as effective as the most ornate organizational and process matrix.
Some things to think about:
1. Reporting mechanisms. Want to outsource your hotline but think the costs outweigh the benefits? Vendors offer various service packages and some tailor their offerings specifically for small companies — outsourcing may not be as expensive as you first thought. Some small companies have even explored the use of an external answering service that will take down basic information and relay it to your organization’s “first responder” — much like a doctor’s office. Alternatively, some companies have a separate telephone line equipped with voicemail that is maintained by either corporate compliance or general counsel. For written letters, you may consider the use of a Post Office box that is checked on a regular basis. Or maybe an email box with assigned and secured privileges is right for you. Do employees know from who they can obtain advice on issues that may be of concern? Hotlines can sometimes be misused because employees don’t know where to go for information, or issues can be resolved prior to escalation to higher levels. Providing a channel for employees to obtain advice is as important as those for reporting concerns. Some small companies provide contact information for either a compliance officer or human resource representative when employees call seeking advice. It’s important that your employees clearly understand where they can obtain advice and report issues of concern.
2. Communications. While many organizations communicate with employees about reporting mechanisms through email or their intranet, not everyone in a small company may have online access. Consider other ways to reach people — either through a message on or included with their paycheck/pay stub, posters in public view (such as a lunch or break room), voicemail, employee newsletters, employee “kiosks,” etc. Clear, concise and ongoing messaging is important, too. Also consider what language(s) you may need to communicate your message in and the accuracy of your translation.
3. Incident response. Understanding the “who, what, when, where and how” of an issue is important for all companies. But for those that are small, this can be particularly sensitive given their size or the potential matter at hand. The use of a form, or “checklist,” during the intake process is key to obtaining, and evaluating, much needed information in a consistent manner that will then be immediately provided to your company’s “first responder(s).” Depending upon your size, you may only have one person dedicated as your “first responder.” Others may use a “decision tree” to help guide the individual receiving the information to get it to the right person — and this can be critical when time matters most. Whatever your escalation model, consider the issue of back-up. If your first responder can’t be reached, you should have a plan in place on what to do next in order to ensure that potential issues are raised and resolved efficiently and effectively. Something else your company needs to consider is data privacy and retention. How will you protect the person and information that has been provided to you? How long will you keep it? How will you store it? You may want to seek the advice of counsel and human resources to determine what is best for your small company.
4. Case management. Once an issue is reported within your company, it is important to track what’s being done about it. Some companies have purchased case management systems that are tied to, or complement, their hotline services. Other small companies use an internal database, spreadsheet or word template that is updated on a routine basis. Whatever your company chooses, emphasis should be placed on the ability to understand the current status of an issue, who’s working on it, how long it’s been open and what’s being done to investigate or remediate it. Procedures should also be in place to report, or communicate, the matter to management, the board, regulators and law enforcement as appropriate, and to “close out” the matter when the review or investigation is completed.
5. Investigative protocols and procedures. When issues arise, small companies often must decide the most appropriate manner in which to investigate the matter without causing disruption to operations and while still maintaining the integrity of the investigative process. For some small companies, the skillset necessary to thoroughly examine reported matters may not be “in-house.” The role of counsel, particularly as it relates to the preservation of privilege and confidentiality, as well as the responsibilities of the Audit Committee for certain accounting-related matters, should also be taken into the company’s consideration of its investigative protocols and procedures. Many small companies simply rely on outside counsel to handle such matters for them.
6. Remediation. It’s important for your company to set forth its expectations regarding ethical behavior, as well as potential consequences for related infractions. Many companies, regardless of size, include this information in their Code of Conduct and/or employee handbook. Disciplinary, prosecution and recovery guidelines help to reinforce your company’s “tone at the top,” as well as provide a clear, consistent approach in handling difficult or sensitive matters. For some small companies, the impact of disciplinary matters upon overall operations may be a consideration in remediation efforts. Emphasis should be placed on the company’s need to truly resolve internal control or behavioral issues in a timely and thorough manner that will help strengthen overall operating effectiveness, rather than on short-term solutions that may provide an “easy” or “temporary” fix.
For small companies, a successful whistleblower program can be achieved by developing simple strategies that are cost effective, ensure confidentiality and complement their organizational culture, while at the same time meeting regulatory requirements.
Ongoing awareness and support of the program by the board, management and employees is critical, as is active monitoring. The whistleblower program should evolve with the company so that growth or changes within the organization are appropriately reflected in the sophistication of the program, thereby providing a sustainable method for the prevention and detection of fraud and misconduct.
Pamela Verick Stone is a Director in Protiviti’s Financial Investigations & Litigation Consulting practice where she focuses on investigations and leads our fraud risk management initiative. Pam has 16 years of risk management experience, including development of anti-fraud programs and controls, fraud risk assessment, fraud and misconduct investigations, Sarbanes-Oxley assistance and development of compliance and ethics programs for both the public and private sector. Prior to joining Protiviti, Pam was a Director in the Forensic practice of a Big 4 professional services firm where she served as a global product champion for fraud and misconduct diagnostic services.