Establishing New Complaint Procedures: Audit Committees Under the Sarbanes-Oxley Act

Responsibility for handling employee complaints is new to audit committees. Committee members shouldn't rely on existing structures that direct complaints to management. Fraud examiners can help audit committees comply with the intent and spirit of section 301 of the U.S. Sarbanes-Oxley Act.

Several months before Enron's financial situation became public, Sherron Watkins had written a seven-page, no-holds-barred letter detailing her concerns about the company's accounting practices. Watkins, an Enron vice president, had addressed it to her boss, CEO Ken Lay. According to press reports, he brushed it off. Apparently, no member of the Enron board of directors saw the letter, and her concerns didn't generate any changes in the company's financial or accounting practices. The terrible price paid by Enron shareholders and employees is well known.

The U.S. Congress enacted the Sarbanes-Oxley Act (SOX) in 2002 partly in response to the Enron situation. Among other things, SOX attempts to create new lines of communication between public companies and their employees so that people like Sherron Watkins can express concerns that will be heard by a wider audience in the company. In section 301 of SOX, Congress has now charged independent audit committees - not company management - with establishing procedures for the receipt and treatment of complaints regarding questionable accounting practices including anonymous tips from employees.

Responsibility for handling employee complaints is new to audit committees. Most companies already have procedures in place that direct complaints to management. Committee members may be inclined to rely on these existing structures and merely require that management funnel complaints dealing with accounting and auditing matters to the committee. You should review these existing structures carefully to make sure that they comply with both the intent and the spirit of section 301. In some cases, management may not have the appropriate incentive to follow up on all complaints made, particularly those that relate to alleged wrongdoing by management itself. In addition, employees may be reluctant to report concerns directly to management for fear of reprisal. In-house counsel's assistance in creating credible and effective procedures will be critical to the audit committee's performance of its increased role under section 301 in identifying potential problems before they become major financial scandals.

This article explains what you need to know about section 301 to possibly avert a compliance crisis before it develops rather than merely respond to one later. Use the list of steps in the sidebar below to develop and implement a compliant complaint procedure for your company.

The law

The relevant portion of section 301 provides as follows: Complaints. - Each audit committee shall establish procedures for -

(A) the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and

(B) the confidential anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters. [15 U.S.C. § 78f (2002)]

Congress directed the U.S. Securities and Exchange Commission (SEC) to flesh out the sparse language of section 301 in a rule implementing the provision. In the final rule, the SEC chose not to specify any required features for a complaint procedure that complies with section 301. (Citing a desire to maintain maximum flexibility for public companies, the final rule issued on April 9, 2003, does no more than add a deadline for compliance. Audit committees must have had their complaint procedures in place by the first annual shareholders' meeting after Jan. 15, 2004, and no later than Oct. 31, 2004. Though the deadline has passed, the information here still will be helpful for all public companies to ensure they are in compliance.)

Comments submitted to the SEC on the proposed rule on section 301 were about equally divided between those who wanted more specific guidance and those who felt that the complaint procedures already in place were working adequately, arguing that there was no need to overreact to what they believed would be a rare and extraordinary circumstance.

In-house counsel charged with the responsibility of advising a company as to whether an existing complaint procedure complies with section 301 would be wise to review the requirements of section 301 carefully and to keep in mind the consequences for noncompliance.

Elements of a compliant complaint procedure

Coding of complaints

Audit committee members naturally will be concerned about being deluged with complaints that have little to do with the serious accounting frauds and audit failures that are the target of SOX. Here, the company must walk a thin line in establishing the parameters of its complaint procedure. Does it reject complaints because they're not obviously and directly related to financial reporting requirements but risk the consequences that something that has serious financial consequences goes uninvestigated? Or does it take a more comprehensive approach by encouraging reports of anything that seem questionable about the company's practices, and then identify the complaints that have some section 301 substance to them?

We believe that a company should include in its complaint procedure some process that involves coding or classification of complaints received so that the procedure identifies the complaints that require more investigation and attention from the audit committee. We aren't suggesting, however, that audit committee members perform the triage themselves. The person in your company charged with managing the complaint procedure or your properly qualified service provider could use the coding procedure. You can establish a set of codes for complaints received and the appropriate recipient for a report of a complaint based on its code. If a complaint receives a code that indicates that it may involve a section 301 matter, the complaint will result in a report to the audit committee. You can route other complaints to human resources, loss prevention, or some other internal department, as appropriate. In every case, maintain a complete record of all complaints received, the treatment of the complaints under the procedure, and the ultimate disposition of the complaints. Periodically review the entire record with the audit committee.

Bear in mind that section 301 doesn't limit the scope of the procedure to employee complaints, although the mandate of confidentiality applies only to submissions from employees.

In defining the scope of complaints to handle in a section 301 complaint procedure, you should anticipate that complaints may come from vendors, clients, customers, and other stakeholders.

Reporting mechanisms

The systems that companies use to permit employees and others to make complaints range from low- to high-tech and formal to informal. Your company may already use a variety of these systems. An open-door policy, an ombudsman office, and a suggestion box are some of the most frequently used systems. The telephone hotline has been a classic reporting method for more than 20 years. A hotline system may be a 24/7 service with trained interviewers to elicit information, create and transmit incident reports, and follow-up as requested by the company to gather more information from complaining parties, or it may be merely a voice-mail box checked sporadically. Don't assume that they're all alike.

New technology has spawned new reporting systems. E-mail reporting has the disadvantages of not providing complete anonymity and of not being as interactive as other systems. Although attempts are being made to overcome these drawbacks, many employees still don't have computer access to use a Web-based system. Therefore, e-mail doesn't offer a comprehensive solution, although it may form part of an overall compliance strategy.

An effective complaint procedure shouldn't depend on any single reporting mechanism but should incorporate a number of different channels for employees to voice concerns. Some channels will provide anonymity, some interactivity, and some both. For section 301 complaints, a telephone hotline might be the centerpiece of the system, but it could and probably should be supplemented by other procedures, such as a simple post office box for snail-mail reports and an e-mail reporting system. Old faithfuls, such as an "open door" process, if still credible with employees, continue to be useful channels in surfacing accounting and auditing concerns.

Building employee awareness through training

Even a well-designed complaint procedure will fail without adequate training for employees. You must train employees on the reasons for the procedure, the type of complaints sought, how to use the procedure, and its confidentiality. Without this type of training, the system will crumble.

You should view employee training as an ongoing effort. After the initial announcement of the complaint procedure, a company should use staff meetings, employee newsletters, Web sites, posters, wallet cards, and brochures to maintain awareness. If the company uses a third-party service provider for its complaint procedure, employee communications should be part of the implementation plan established with the service provider. The messages conveyed should be fresh and relevant and cover the "what's in it for me?" aspect. Ultimately, creating a climate of compliance depends on everyone from the board on down internalizing the new standards of corporate accountability and disclosure reflected in SOX. Constant and consistent communications and training play an important part in achieving this objective.

Safeguarding against retaliation

If employees fear retaliation for making complaints under the procedure, they won't make complaints. The system will fail if employees have no confidence in the confidentiality of the procedure. You must design procedures that ensure that management cannot identify a person who filed an anonymous complaint by handwriting or voice recognition, phone records, or Internet e-mail accounts.

Safeguarding against retaliation is also necessary to protect companies from the possibility of incurring civil and criminal penalties under SOX. Section 806 creates a new private cause of action for whistle-blowers who claim that they have been retaliated against for reporting accounting fraud. An aggrieved employee's remedy is to file a charge with the Department of Labor, exhaust administrative remedies, and then seek damages in court. The other SOX whistle-blower protection provision is section 1107, which imposes criminal penalties of imprisonment for up to 10 years for retaliation against an employee who reports accounting fraud. These two provisions together clearly reflect a heightened standard for handling employee complaints about accounting and auditing misconduct even if such complaints are rare and unusual occurrences.

Disclosure of internal controls

Section 301 is only part of the focus on internal controls in the Sarbanes-Oxley Act. Internal controls are generally considered to be those systems and procedures used by a company to achieve core business objectives, to provide reliable financial reporting, and to comply with applicable laws and regulations. A complaint procedure is one aspect of the internal controls of a company.

SOX requires extensive disclosure regarding internal controls. Section 404 requires that a company state in each annual report the responsibility of management to establish and maintain effective internal controls and provide an assessment by the company of the effectiveness of its internal controls. Section 404 also requires that a company's auditor attest to and assess the effectiveness of a company's internal controls as part of the annual audit of the financial statements of the company. Section 404 requires an auditor to disclose any "material weakness" or "significant deficiency" in the company's internal controls. Under the final accounting standards, the existence of a material weakness in a company's internal controls will likely prevent the auditor from giving an "unqualified" opinion on the company's internal controls. Therefore, in reviewing an existing complaint procedure or establishing a new one, you need to view the procedure as an integrated part of the company's internal controls and be aware that both management and the external auditor will need to refer to it in making their required disclosures regarding internal controls.

Investigating complaints

There is no one best way to investigate a complaint made by a whistle-blower. The procedure for conducting the investigation will be influenced significantly by whether the audit committee chooses to conduct an internal investigation managed by company officials or to conduct an independent investigation managed by outside counsel or another independent party.¹

Regardless of the type of investigation conducted, some steps are important in every effective investigation. First, make sure that the investigators have adequate resources, expertise, and time to complete the investigation. The quality of the investigation will depend on these factors. Second, make sure that the investigators gain control of all documents, e-mails, and other written materials that might be involved in the allegations in the complaint. Third, have the investigators interview all employees and anyone else that may have information that relates to the subject of the investigation. Fourth, coordinate the timing of the investigation with other priorities or responsibilities of the company, such as responding to a government subpoena, making filings with the SEC, and complying with local laws or internal policies relating to investigations of possible employee misconduct. Finally, make sure that there are no conflicts of interest among the investigators that might affect the independence of the investigation or the credibility of the conclusions reached in the investigation.

To make sure that investigators gain control of all relevant documents at the beginning of an investigation, you should immediately suspend all ordinary course document destruction practices of the company as soon as the investigation begins. Section 802 creates new criminal penalties for any knowing destruction or concealment of documents to obstruct or influence a government investigation or in contemplation of a government investigation. Because an internal investigation or an independent investigation may be conducted "in contemplation" of a government investigation, destruction of documents during the course of an internal or an independent investigation may violate section 802.

Although you can't anticipate the shape of any particular investigation when you are establishing your section 301 complaint procedure, you need to help the audit committee understand the range of options that it will have if it receives a complaint of accounting fraud. When setting up the procedure, help the audit committee think through the issues of who might do the investigation, what steps will be taken to ensure investigator access to all relevant information, and how the investigation will be managed in coordination with external disclosure obligations. Taking these steps will enable the audit committee to act more effectively if the procedure is ever triggered.

Conclusion

The Sarbanes-Oxley Act is a monumental piece of legislation. In-house counsel and fraud examiners have to determine ways to implement section 301, a task made more difficult by the lack of guidance in the subsequent regulation, and then help the audit committee assess if existing complaint procedures measure up. In developing a section 301 complaint procedure, take a step back and look at the section as a whole and the scandals that gave rise to it. Companies that embrace new standards of disclosure and accountability by going beyond the letter of the law to adopt complaint procedures that are transparent, objectively administered, consistently monitored, and openly communicated will gain an advantage in today's business environment. Over time, the courts will flesh out the legal standards for compliance in whistle-blower lawsuits and securities fraud actions. More immediately, investor opinion will decide whether a public company has honored the spirit of section 301 by encouraging employees and others to speak up about questionable accounting practices and listening to them when they do.

Marian Exall is corporate counsel with The Network, Inc., in Norcross, Ga., which manages EthicsLine, endorsed by the ACFE. Her 18 years of experience in both in-house and outside counsel roles have focused mostly on employment law.

This article was adapted from "Audit Committees under the Sarbanes-Oxley Act: Establishing the New Complaint Procedure," ACCA Docket 21, no. 7, (July/August 2003): 102-110. Copyright © 2003 Marian Exall, John D. "Jack" Capers Jr., and the American Corporate Counsel Association. All rights reserved. Reprinted with permission of the authors and the Association of Corporate Counsel (formerly the American Corporate Counsel Association). If you are interested in joining ACC, please go to www.acca.com, call 202.293.4103, ext. 360, or e-mail membership@acca.com.