Meeting New Whistleblower Reporting Requirements; Complying With Section 301 of the SOX
Section 301 of Sarbanes-Oxley calls for companies to have systems in place for receiving and handling confidential reports of questionable accounting or auditing practices. However, when it established rules to meet this requirement, the Securities and Exchange Commission (SEC) did not outline specific procedures for doing so, leaving many questions unanswered for company boards and management.
"Section 301 provides the opportunity for employees to express concerns about possible inappropriate actions, particularly with regard to accounting or auditing matters," said Everett Gibbs, managing director for Protiviti. "While the intent of the rule is clear, the SEC noted there is no 'one-size-fits-all' approach to establishing a complaint-reporting process. We frequently receive questions on this subject from boards, audit committees and management. We've addressed them while offering a useful template to design a process that is comprehensive, effective and fully compliant."
Most public companies must meet the requirement by the earlier of their first annual meeting after January 15, 2004, or October 31, 2004. Following are practical steps Protiviti details in the current issue of The Bulletin for organizations formulating their complaint-reporting processes:
- Consult with management about existing procedures. Audit committees can then evaluate whether the established complaint-reporting process accommodates issues relating to accounting, fraud, breaches of ethics and conflicts of interest.
- Consider the company's culture, structure, complexity and risk profile. The process used by a small company employing 100 people likely will differ considerably from that of a multinational corporation with thousands of employees. Although the law doesn't specify how complaints should be received, companies should ensure employees are comfortable using the selected method. In The Bulletin, Protiviti reviews the advantages and disadvantages of several complaint-reporting mechanisms.
- Establish protocols for complaint handling and disposition. Companies need specific procedures for how complaints are received, documented, filtered, investigated and circulated. They also should establish frequency guidelines for sending complaints to the audit committee (e.g., monthly or quarterly, with certain allegations forwarded immediately due to their nature or seriousness). In addition, firms should have safeguards in place for the protection of whistleblowers. (Note: Section 806 of Sarbanes-Oxley makes it unlawful to single out or discriminate against employees who report suspected misconduct.)
- Make employees aware of complaint-reporting procedures. Ensure they understand how to report possible wrongdoings and the importance of doing so. Companies can communicate this information in a variety of ways -- for example, during employee orientations and performance reviews, and on paycheck stubs and websites.
- Determine the composition of the complaint assessment team. The team should be led by the general counsel and include the chief compliance officer and a senior representative from human resources. Others on the team, depending on whether the company has such positions, might include the chief risk officer, ethics officer ombudsman and chief security officer. Highly sensitive complaints should be investigated under the direction of the audit committee, which in turn may want to involve outside counsel.
- Establish relationships with advisors and auditors. Outside consultants can be essential in helping audit committees understand "what to do" and "what not to do," especially during sensitive inquiries. Failure to properly conduct internal investigations could result in information leaks or might jeopardize evidence needed in a legal proceeding.
- Maintain good records. Include a summary of the handling and disposition of all complaints -- facts, recommendations and resolutions, and, where appropriate, the audit committee's conclusions and direction to management. Actions in response to complaints may include process changes, disclosures, employee training, fraud prevention efforts, risk-assessment activities and
- Review fraud risks. A fraud risk assessment can provide the audit committee with insights about common issues relating to industry, company or geographic risks that can be helpful in evaluating complaints. These reviews may involve looking at historical reports about fraud risks, evaluating existing anti-fraud measures, and conducting interviews or surveys with management and employees to obtain their perspective on fraud risks and prevention efforts.
For additional information, please visit www.protiviti.com and download the latest issue of The Bulletin, "Establishing an Effective Complaint and
Confidential, Anonymous Reporting Process." (Protiviti offers The Bulletin free of charge.)