The ReportLine Difference Services Technology News Room About Us Contact Us Login
ReportLine  
News Room
Home » Resources » News Archive » 

25-apr-2003  |  Corporate Accountability Report

Download this Article [PDF]

Complying with Sarbanes-Oxley’s Complaint Procedures

By Marian Exall

In the eight months since the Sarbanes-Oxley Act was signed into law, public companies, their auditors and outside counsel have been scrambling to get a handle on what is undeniably the most comprehensive piece of legislation on corporate governance to be passed in decades. The Act includes new standards for audit committees of corporate boards, including the requirement that audit committees establish procedures for the receipt, retention and treatment of complaints regarding questionable accounting or auditing matters, and for the confidential, anonymous submission of such complaints by the company’s employees.

The Securities and Exchange Commission has now issued a Final Rule on this requirement. The Final Rule does nothing to flesh out the general language of the Act, leaving audit committees still guessing about what constitutes a compliant complaint procedure. While the procedure guidelines remain unclear, the deadline for compliance has been defined. Corporations have until the first annual shareholders’ meeting after January 15, 2004, but no later than October 31, 2004, to establish a procedure. Companies that miss this deadline will be de-listed from the national stock exchanges and securities associations.

A New Era of Corporate Accountability

Companies seeking to anticipate the evolving standards for handling employee concerns about financial irregularities need to take a step back and look at Sarbanes-Oxley as a whole, and the environment that gave rise to it. Although the consequence of non-compliance – de-listing – seems draconian enough, Sarbanes-Oxley contains other powerful enforcement incentives in Sections 806 and 1107, the whistleblower protection provisions. Section 806 creates a new private cause of action for employees who feel they have been retaliated against because they reported financial irregularities. Section 1107 provides criminal penalties, including up to ten years in prison, for retaliating against a Sarbanes-Oxley whistleblower. These serious potential consequences for perceived retaliation make the care and handling of complaining employees through a credible, confidential complaint procedure a top priority.

Finally, let’s not forget what spurred the passage of Sarbanes-Oxley to begin with. The freewheeling nineties, when no questions were asked as long as the stock price kept climbing, are emphatically over. The recent clamor for the reimbursement of executive bonuses indicates legal compliance is only a minimum threshold. The investing public now demands a higher standard of financial ethics than before. Companies that embrace this demand by going beyond Sarbanes-Oxley to adopt procedures that are transparent, objectively administered, consistently monitored, and openly communicated will succeed in the new era of corporate accountability.

Given this context, answers to the questions left unanswered by the Final Rule become clear:

Must complaints be routed directly and exclusively to the audit committee, or may they be funneled through/shared with management?

The audit committee must be intimately involved in the receipt and handling of employee complaints, as well as making initial decisions about the implementation of the process. An existing procedure that directs all complaints to management, and leaves it up to management to decide whether and how to investigate, will not be adequate. Management may not have the appropriate incentives to self-report all questionable practices. Employees may not trust assurances of anonymity and may fear reprisal when their complaints are funneled to management.

Will an in-house procedure pass muster, or should the procedure be administered by an independent third party?

For the same reasons – the potential to ignore complaints, lack of anonymity, and fear of reprisal – the complaint procedure should be administered by an independent third party, provided, of course, that the third party organization is staffed and experienced to handle these kind of matters. Over the last few months, a number of new players offering complaint notification systems have jumped on the Sarbanes-Oxley bandwagon. Few of these organizations have much experience handling the delicacies of an anonymous ethics call. In selecting a vendor for the sensitive area of Sarbanes-Oxley compliance, audit committees should assure themselves that the provider has successful experience in handling business ethics, loss prevention and legal compliance reporting over a period of years.

What kind of disclosure will be required?

The Sarbanes-Oxley Act is – at its essence – all about disclosure. Although there is no direct reference to disclosure with regard to reports of financial irregularities made through the mandated complaint procedure, other parts of the legislation, notably Section 404, imply that companies should be ready to reveal at least summary reports of complaint handling activity. In attesting to the effectiveness of the internal control structure, auditors will need access to such information. The statement regarding internal controls now required in the annual report may also reference complaint-handling activity. It makes sense, then, to anticipate that information concerning the number of complaints received, their nature, and their disposition will need to be disclosed.

How long should complaint records be retained?

In order to complete the annual report’s “internal control structure” statement, public companies must keep records for at least the prior fiscal year. We advocate retaining records for three years: this will enable in-depth analysis, the recognition of trends, the development of future policies and training programs, and most importantly will demonstrate due diligence.

What complaint reporting mechanism will be effective for the Act’s purpose?

For good reasons, the classic employee complaint reporting mechanism has been the telephone hotline. Employees with concerns ranging from harassment to loss prevention to workplace violence call a 1-800 number at any time of the day or night and talk to a skilled interviewer who elicits the details necessary to investigate and resolve the issue. The telephone hotline has proved to have major advantages over messaging services and web-based systems primarily because it is interactive. In addition, the caller’s anonymity is preserved, a feature mandated by the new law.

However, the reporting mechanism is only one leg of a three-legged stool. Without employee education and awareness on the front end, and thorough and unbiased investigation and tracking on the back end, the system collapses. Again, the law is silent on these aspects of an effective complaint procedure.

Communicating with employees about the availability of a reporting procedure is an ongoing effort. Ultimately, converting legal requirements into “the way we do things here” depends on everyone from the Board down internalizing new standards for corporate accountability and disclosure. Constant and consistent communication helps achieve that end, as does the thorough, prompt and unbiased investigation of employee complaints. While the investigation of financial irregularities must be handled as discretely and confidentially as possible, the fact that a company takes such matters seriously will be noted over time from changes in personnel and practices that result from the resolution of complaints.

First Steps

It has been estimated that less than 10% of public companies currently have employee complaint procedures in place which comply with Sarbanes-Oxley. For the other ninety-plus percent, here are the first steps:

  • The audit committee drafts a Request for Proposal defining the company’s specific requirements. Examples of such requirements might be the ability of foreign-based or non-English speaking employees to access the system, the scope of the reports that will be accepted, to whom the reports will be disseminated, how long records are kept, what type of summary reports are needed, etc.
  • Solicit and receive proposals: Management might screen proposals for the audit committee, but it is recommended that committee members themselves have the opportunity to participate in interviewing the finalists.
  • Audit committee selects the provider and approves the final implementation plan.
  • Implementation: This phase may take from a couple of weeks to several months, depending on the company’s individual requirements. Supporting employee educational materials – posters and brochures – are produced and distributed, and meetings held to announce the new procedures, before the new reporting channel “goes live.”

Over time, the courts will flesh out the legal standards for compliance with the employee complaint procedure requirement. More immediately, it will be the court of investor opinion that decides whether a company has honored the intent of Sarbanes-Oxley. Those companies who quickly and publicly adopt new procedures will reap a precious and increasingly scarce reward: investor confidence.

Marian Exall, Corporate Counsel with The Network, Inc., is an attorney with eighteen years of experience in both in-house and outside counsel roles, focusing on employment law for much of her career. Prior to joining The Network in 2003, she was with Home Depot and the law firms of King & Spalding and McKenna, Long & Aldridge. The Network has provided anonymous hotline services for more than 20 years, helping corporations become compliant with federal regulations such as the Sarbanes-Oxley Act and the Federal Sentencing Guidelines.

Reproduced with permission from Corporate Accountability Report, Vol. 1, No. 14, pp.425-426 (April 25, 2003). Copyright 2003 by The Bureau of National Affairs, Inc. (800-372-1033) www.bna.com
ReportLine is a service of The Network | © 2008 The Network, Inc. All rights reserved. | Terms of Use | Privacy Policy Contact Us | Call Us: 800.253.0453