"Whistling in the Dark: Whistleblower Programs Under Sarbanes-Oxley"

Originally published in Wall Street Lawyer, Vol. 7, No. 1 June 2003.

Quentin Faust is a corporate lawyer of the Dallas office of Andrews Kurth. His email address is quentinfaust@andrewskurth.com.

The whistleblower appears to be the only hero to emerge from the recent corporate scandals and financial meltdowns involving some of America’s largest public companies. Politicians and the investing public applauded the actions of individuals like Sherron Watkins when it was revealed that she attempted to bring accounting irregularities to the attention of Enron’s management. Now, Michael Vines is in the spotlight, making headlines for similar attempts in connection with allegations of improper accounting at HealthSouth Corp.1

As part of the Sarbanes-Oxley Act of 2002, Congress has encouraged whistleblowers to come forward by requiring public companies to “establish procedures for the receipt, retention and treatment of complaints regarding accounting, internal accounting controls, or auditing matters.”2 Sarbanes-Oxley also protects employees who come forward with such information from retaliation by management.3 Congress clearly wanted to encourage employees inside America’s public companies to act as watchdogs.

While the goal of encouraging whistleblowers is admirable, it appears that Congress overlooked a rather obvious point: The process by which companies deal with complaints and allegations of misconduct is more important than encouraging employees to provide such information. Individuals like Watkins and Vines had the courage and conviction to step forward even without the confidential grievance procedures and enhanced protections Congress now requires. The problem is that after the information was reported, nothing happened.

While the Sarbanes-Oxley Act mandates a process for receiving complaints on the front end and provides employees with protections and rights to seek redress on the back end, there is currently no legislative or administrative guidance as to what should happen in between these two points. The result is that public companies are left with many unanswered questions as they attempt to comply with the new whistleblower provisions. The following are but a few:

• What must a company do with anonymous tips?
• What should a company do with tips that have nothing to do with its financial controls but deal
  instead with more run-of-the-mill employee grievances?
• Must every tip go up the ladder to the general counsel or even outside counsel?
• Must every tip regarding financial matters go to the audit committee?
• Does the receipt of an allegation of wrongdoing trigger any new or expanded fiduciary duties?
• Do directors face an expanded duty of care that now includes a duty to adequately investigate such allegations?
• When is a tip adequately investigated?
• Is the company allowed to determine which allegations have merit and which do not, and how should such determinations be made?
• If a company, in good faith, fails to recognize and follow up what turns out to have been a valid complaint, how might it demonstrate that the oversight was not intentional and culpable?
• Who should be responsible for administering these procedures, and is that person subject to increased liability if a mistake is made?

Even without definitive guidance to answer these questions, a public company would benefit from pre-established procedures to process, evaluate, and investigate whistleblowers’ claims. The ultimate goal should be twofold: managing claims in a way that minimizes the time and cost to the company, and demonstrating that the information was handled in a responsible manner—regardless of the outcome.

Initial Processing of Claims—First Tier Review

Third party service providers are currently available to help companies establish anonymous reporting procedures. In fact, many of these services expressly market themselves to public companies as being able to assist with Sarbanes-Oxley compliance. These services are typically implemented through the use of telephone hotlines or Internet Web sites. The confidential information is gathered and transmitted directly to the person or persons the company designates as the initial recipient.

Technically, the Sarbanes-Oxley Act only mandates procedures for handling the submission of information relating to a company’s financial, accounting, and auditing matters. However, once employees have access to an anonymous complaint process, they will almost certainly use it to report all types of concerns. While Sarbanes-Oxley does not govern how these non-financial matters should be handled, it would be imprudent for a company to simply ignore them as not falling within its technical requirements.

Instead, companies could use empirical criteria to sort information as it is received. Certainly a portion of the complaints will relate only to an individual employee’s particular situation (i.e., not receiving benefits, bonuses, or raises that the individual believes he or she is entitled to receive). Perhaps complaints like this can be logged, categorized, and compiled, with no further action required under Section 301, unless and until a pattern emerges that the company’s human resources administrator might need to address.4 These “personal” claims do not need to be funneled to the audit committee; nor do they warrant a higher level of review.

In contrast, any claim that addresses legal, financial, or accounting issues should be appropriately directed for a qualitative review as a second-tier claim. In addition, some apparent first-tier claims might deserve a second-tier review if broader legal issues are involved, such as repeated complaints of sexual harassment, racial discrimination, or unfair labor practices.

The process by which companies deal with complaints and allegations of misconduct is more important than encouraging employees to provide such information.

All complaints should go to at least two individuals for first-tier review. These individuals should be as separate as possible, with no coordination between them. For example, all claims could initially be routed to both the company’s human resources manager and its general counsel. Each individual would independently determine whether any claim should be forwarded for second-tier review. These two sources should not discuss any particular claim, although they certainly could discuss the criteria they are using to make these determinations. Having two reviewers will prevent the situation where a complaint stops cold because it has been reported to someone implicated by the claim or to someone who has a personal relationship with someone implicated by the claim. Moreover, setting up a system of checks and balances will hopefully encourage uniform treatment of claims.

Finally, there should be a uniform system for tracking each and every claim. Ideally, this would be accomplished by setting up a database that would allow any evaluator, whether at the first-tier review level or otherwise, to record the determination reached, together with any notes or comments regarding the claim. The database should operate with a “one-way” view, so that each evaluator can see only his or her comments on any given claim. Such a data collection process could be used to rebut arguments that there was collusion between the evaluators or corruption in the review process.

Independent Evaluation of Claims—Second Tier Review

Second-tier review should be conducted by individuals who, while related to the company, are arguably independent from management. (Examples include auditors, outside counsel, and independent directors.) Like first-tier claims, second tier claims should be forwarded to two independent sources for review. Although it may seem excessive, independent review by two sources is still advisable at this level because management may exercise considerable influence over the reviewers, even though they technically are independent.

At this stage it would be best if several people worked together to determine whether a claim requires remedial action or further investigation. Thus, second-tier claims could be forwarded to the audit committee (which must be composed entirely of independent directors),5 a committee of independent directors specifically formed for the purpose of conducting the second-tier review, the company’s “qualified legal compliance committee” if the company has elected to form such a committee to handle ethical issues raised by outside counsel,6 the company’s independent auditors, or its outside legal counsel.

[T]here should be a uniform system for tracking each and every claim.

Second-tier review should involve not only consideration of the claim on its face but also any fact-finding necessary to determine, where possible, the credibility of each claim. Reviewers could consider issues such as whether the purported whistleblower left his or her name to make further contact possible. It could involve a review of the supporting factual information, if any, that accompanied the allegation, taking into consideration whether similar allegations have been made and investigated in the past. It could also factor in the possibility of an ulterior motive, such as a disgruntled employee or competitor wishing to make trouble for the company.

This last possibility is, perhaps, more viable than it might first appear. Public companies issue certain reports pursuant to a predetermined schedule. Someone wishing to make life difficult for a public company could easily “game the system” by raising serious allegations of financial mismanagement immediately prior to the release of a periodic report. Such an allegation, particularly if made by an insider with enough specific information to make the claim appear credible, could put a public company’s officers, directors, and independent auditors in a very difficult situation. There may be no other choice but to conduct a full-blown independent investigation. Such an investigation could potentially bring the process of preparing a company’s annual report to a grinding halt and would likely result in substantial added expense (not to mention the effect of the company’s stock price and reputation if rumors of the allegations were to surface).

Second-tier review should result in specific findings and recommendations. There are several possible outcomes from such a review:

• If a second-tier reviewer determines that a claim is not credible, this finding and the reasons behind it should be noted in the company’s claims database, with a report to the full board to follow.
• If a real problem is substantiated, then remedial actions should be recommended to the full board and the company should determine, with the assistance of counsel, whether the problem warrants public disclosure in the company’s next periodic report (on Form 10-K or 10-Q) or deserves current disclosure (on Form 8-K).
• If the claim can neither be denied nor substantiated, then the second-tier review team should consider whether it should continue to monitor the situation or send the claim up the ladder for third-tier review.

Outside Investigation of Claims—Third-Tier Review

Third-tier review should be reserved for serious allegations that cannot be dismissed after careful review by the company’s traditional circle of independent directors and professionals. It should be conducted by a specially retained third party, such as an auditing or law firm, that has no prior connections to the company or to its management. Accordingly, this level of review will necessarily require the company to expend considerable time and money.

Because third-tier review can be so costly and serious, companies should identify specific criteria or thresholds for second-tier reviewers to determine when third-tier review is advisable. For example, third-tier review might be reserved for claims involving certain monetary amounts7; claims that, if proven, would be considered material for purposes of federal securities laws or that would require public disclosure under the Securities Exchange Act; or claims that rise to a level of civil or criminal culpability, such as any claim that, if true, might result in a felony prosecution of the company or any of its officers, directors, employees, or agents.

[Competitors] could easily “game the system” by raising serious allegations of financial mismanagement immediately prior to the release of a periodic report.

Once an allegation reaches this level of review, it should be left completely to the outside investigators. They should have the authority and freedom to review documents and interview company personnel in connection with the inquiry with no interference from management. Their final findings should be memorialized in a written report to be delivered not only to the company’s board of directors but also to its outside counsel and independent auditors. In the wake of Enron and its progeny, accountants and lawyers need to know whether their clients have been cleared of allegations of fraud and abuse.

Potential Benefits

Public companies require further clarification and guidance in order to ensure that they are processing complaints of corporate misconduct in a manner consistent with the mandates set forth in the Sarbanes-Oxley Act. In the absence of such guidance, companies can at least protect themselves by taking all reasonable and appropriate steps to comply with the letter and the spirit of these new requirements. A company that takes seriously any and all allegations of corporate mismanagement will be able to demonstrate its commitment to identifying and rectifying such behavior at the earliest possible stage. Congress clearly adopted these provisions to prevent such misconduct from escalating to the point where, like Enron, it has a negative effect on the nation’s securities market as a whole.

Adopting specific procedures to deal with claims of mismanagement, setting forth specific criteria for evaluating such claims, and identifying those individuals who will conduct these evaluations could benefit a public company in several ways:

• By providing an efficient and cost-effective way for the company to manage complaints;
• By preventing the company from wasting time and money on claims that are clearly not material to the financial, accounting, or operational aspects of the company, thereby preserving these resources for allegations that truly require such investigation;
• By providing an affirmative defense if a complaint is dismissed that might have revealed serious corporate misconduct if properly investigated, similar to following a pre-established document retention schedule in order to provide an affirmative defense against claims of improper document destruction; and
• By providing evidence that corporate officers and directors are taking steps to fulfill their fiduciary duty of care by treating such allegations seriously and by fully investigating claims when the circumstances warrant.

Conclusion

From a public policy perspective, it is not enough to merely facilitate the reporting of fraudulent activity on a hotline or Web site and provide protections for employees sharing information about questionable management practices. These procedures are useless unless the information insiders provide is properly channeled. Reporting information into a black hole will neither spur a company to take corrective action nor deter management from abusing its power and deceiving the investing public.

From a compliance perspective, public companies require guidance in how they should process, evaluate, and investigate anonymous employee submissions. Hopefully, such guidance will be forthcoming from the SEC. In the interim, however, public companies should be proactive in considering not only the potential liabilities associated with their new obligations but also how they can insulate themselves from such liabilities.

1 See, e.g., Carrick Mollenkamp, “An Accountant Tried in Vain to Expose HealthSouth Fraud,” WALL STREET JOURNAL, May 20, 2003.

2 See § 301 of the Sarbanes-Oxley Act, new subsection 10A(m) of the Securities Exchange Act, and new Rule 10A-3(b)(3), which requires each registered national securities exchange or national securities association to prohibit the initial or continued listing of any public issuer that does not comply with specific audit committee requirements, including the requirement that the audit committee “establish procedures for (i) the receipt, retention, and treatment of complaints received by the listed issuer regarding accounting, internal accounting controls, or auditing matters; and (ii) the confidential, anonymous submission by employees of the listed issuer of concerns regarding questionable accounting or audit matters.”

3 See § 806 of the Sarbanes-Oxley Act, and new 18 U.S.C. § 1514A, which provides employees a private right of action against public issuers who retaliate because the individual provided information about possible securities law violations or participated in an investigation of such claims. This cause of action only extends to individuals who provided information to, or for investigations conducted by, a federal regulatory or law enforcement agency, a member of Congress or a Congressional committee, or a superior of the employee with the authority to investigate the alleged violations. See also § 1107 of the Sarbanes-Oxley Act and amended 18 U.S.C. § 1513, including new subsection (e), which makes it a federal crime to retaliate against individuals who provide information in connection with the commission, or possible commission, of any federal offense.

4 Of course, certain of these employee claims that allege violations of other laws and regulations should be routed to the appropriate individuals, reviewed carefully, and responded to appropriately to comply with any applicable legal or regulatory requirements.

5 See § 301 of the Sarbanes-Oxley Act and new subsection 10A(m) of the Securities Exchange Act.

6 See 17 CFR Part 205, § 205.3(k).

7 For example, Coca-Cola Co. reportedly has a new corporate policy requiring that claims of improprieties involving accounting and audit matters be automatically referred to the company’s audit committee if such allegations involve amounts in excess of $500,000. Betsy McKay, “Coke Hires Firms to Probe Allegations of Marketing and Accounting Fraud,” WALL STREET JOURNAL, May 21, 2002, page B-8.