Dial “M” for Malfeasance
New regulations will require companies to put in complaint systems
for employees. But CFOs say setting up good lines of communication
can be a real pain.
By Craig Schneider
According to a recent report by The Association of Certified Fraud Examiners,
organizations lose about six percent of their revenue to occupational
fraud and abuse. The study also noted that occupational fraud was most
commonly detected by a tip from an employee, customer, vendor, or an
anonymous source.
You don't have to tell Thom Weatherford about the value of inside information.
Years ago, when serving as CFO of Ungermann Bass (then owned by Tandem
Computers), Weatherford received a tip from an employee that a country
manager was coercing workers to record "revenue that wasn't really
revenue." Weatherford launched an internal investigation, which
ultimately confirmed the employee's disturbing allegation. "Luckily,
there was no harm on the revenue side," recalls Weatherford. "But
there was always that potential."
Weatherford, who recently retired as finance chief of analytics software
maker Business Objects, still serves on the boards of two companies.
He says the ugly incident at Ungermann Bass provided a valuable lesson
that might have otherwise gone unheeded. "It did bring up that maybe
our internal controls could be strengthened," he acknowledges.
Turns out the internal controls at a lot of companies could stand some
strengthening. Over the past eighteen months, shareholders have witnessed
a seemingly endless parade of corporate scandals, revenue restatements,
and Securities and Exchange Commission investigations.
To restore some faith in corporate accountability, lawmakers have attempted
to ratchet up the control function at publicly traded companies. Part
of that ratcheting up involves expanding the role — and responsibilities — of
audit committees.
But legislators and regulators also seem intent on making it easier
for whistleblowers like the Ungermann Bass employee to rat out their
bosses. The Sarbanes-Oxley Act of 2002, for example, includes a proposed
rule requiring audit committees to establish procedures for the receipt,
retention, and treatment of anonymous and confidential complaints by
employees on accounting or auditing matters.
The SEC plans on issuing the final rules governing the compliance notification
systems by April 26. SEC spokesman John Heine says the Commission could
come out with the final rules even sooner. Either way, publicly traded
companies must be in compliance with the law within a year of its publication
in the Federal Registrar.
There's just one problem. Observers say the current design of the SEC's
complaint notification system is so vague that they’re not quite
sure what compliance entails.
Take Gary Barton, senior audit manager at J.C. Penny Company. Barton
says he believes the retailer will be able to comply with the proposed
system without using one of the many third-party providers that offer
hotline services. But Barton also concedes that he's been meeting with
compliance officers at other companies to figure out best practices for
addressing the whistleblower requirements of Sarbanes-Oxley.
And the audit manager acknowledges that uncertainty about the new law
may eventually force him to contact an outsourcer. "If we go further
and they tell us where the complications are," he says, "then
we'll look further into outsourcing."
Hotline Hang-ups
One complication Barton and others may encounter: potential conflicts
of interests. Companies must have a reporting system that allows for
confidential and anonymous reporting by employees. In addition, they
must maintain an appearance of independence once those complaints come
through. "There must also be frank, open and clear channels of communication
so that information can reach the audit committee," says the proposal.
Indeed, concerns over independence and anonymity have some employers
turning to third-party providers to at least manage the recording requirement
in their complaint notification systems. Certainly, there's no shortage
of providers to turn to. These are halcyon days for outsourcers of corporate
hotlines, and in recent months, a number of vendors (including Edcor,
Report it, and The Network) have started aggressively hawking their services.
Complaint notification system outsourcers also like to point to data
from The Association of Certified Fraud Examiners showing that organizations
with fraud hotlines cut their fraud losses by approximately 50 percent
per scheme. But critics warn that setting up a hotline through a third
party doesn't fully get employers off the compliance hook.
They're right. An outsourcer who receives a legitimate complaint from
an employee must still pass that information on to somebody at the company — typically,
the company's compliance officer. Depending on the set-up, a member of
the internal audit or general counsel's staff may also be assigned to
investigate and relay a validated claim to a company's audit committee
for review.
Some corporate executives also doubt that third-party hotline operators
will be able to handle complex allegations coming from disaffected finance
workers. Some believe relatively low-paid operators will not be able
to always ask the next logical question that would make an anonymous
caller's complaint complete for investigative purposes. Vendors deny
that charge. But it's also uncertain — if calls are truly anonymous — how
corporate officers will be able to follow up on an inconclusive report
from an outsourcer.
What is crystal clear, however, is that any complaint notification system
works best if the notifier of a complaint trusts the system. Says Lesley
Ann Skillen, a partner at law firm Getnick & Getnick: "The key
to making one of the hotlines work is to make employees feel comfortable
about making a report without fear of retaliation or retribution."
Get-Out-of-Jail Fee Card
That's no small task — particularly given recent headlines. In
August 2001, for instance, Roy L. Olofson, then a finance vice-president
at Global Crossing Ltd., reportedly sent a letter to the telco's top
ethics official alleging that the company swapped fiber-optic capacity
with other carriers to artificially boost revenues. Olofson was laid
off three months later in what the company insists was part of a company-wide
reduction. Global Crossing's management also claims that the VP of finance
sought a large payment in exchange for his silence on the subject, a
claim Olofson denies.
Regardless, the Olofson case would seem to confirm what some workers
already suspect: whistleblowers often end up on the street. Certainly,
Sherron Watkins' testimony that former Enron CFO Andy Fastow tried to
get her fired for going directly to CEO Kenneth Lay with her now-famous
emails may make comfort a bit of a hard sell. Says Skillen: "That
doesn't give everyone a wonderful feeling for going over the head of
their bosses and reporting something to senior management."
Hotline experts say there are things companies can do to help protect
the confidentiality of complaints, however. Mostly, it's a matter of
getting good information upfront so a company's audit committee doesn't
have to track down the whistleblower.
To ensure a complete report, David Mair, former director or risk management
at the U.S. Olympic Committee, recommends that employers require hotline
callers to provide some basic information when calling in. He says employees
should recount the exact nature of the fraud, such as "I believe
that this transaction was improperly reported."
He says workers should also be asked when they first become aware of
the action being reported, how they came to possess the information they
are reporting, and if they participated in the transaction. It's also
important to make sure that employees indicate whether they actually
witnessed the alleged transgression. Many third-party providers are familiar
with the questions and say they can customize support to cover all the
necessary bases.
As employers get better at dealing with tips and complaints, it's possible
that employees will become less fearful about reporting indiscretions.
There's some evidence, in fact, that employees are already getting more
comfortable blowing the whistle on employers — and sharing their identity
when doing it.
Over the past six months, only 48 percent of callers to the corporate
ethics hotlines run by The Network Inc. have requested anonymity. That's
a steep drop from an average of 75 percent over the past 20 years, says
CEO Tony Malone, whose company provides hotline services to about 1,000
companies.
Malone ascribes the change — which predates the anti-retaliatory
measures in Sarbanes-Oxley — to a growing awareness among employees
of the harm that unethical corporate behavior can cause. Says Malone: "Employees
are profoundly aware that inappropriate behavior can bring about the
ruin of their company and damage them personally."
Is This Where We Go To Complain?
Meanwhile, employers seem to be profoundly aware that retaliation against
a whistleblower can damage them financially.
To date, relatively few suits alleging retribution against whistleblowers
have made it to trial. In fact, corporate boards seem hell-bent on keeping
such cases from ever reaching a courtroom.
It doesn't take a super genius to figure out why. Bob McMullan, CFO
of GlobespanVirata Inc., says that when whistleblowers bring litigation
against management of a company for such claims as wrongful termination,
the American justice system tends to run in reverse. "Companies
have to prove their innocence," he asserts. "[The claim] is
deemed to be correct."
Darryl Rains, an attorney at Morrison & Foerster, concurs. "Two-thirds
of jurors come to court believing that corporate executives are dishonest
and will lie to make a buck," he notes. "Those statistics predate
Enron."
Such jury predilections may explain why Walt Disney Co. recently settled
a reported $20-million "whistleblower" lawsuit for an undisclosed
amount. A former executive brought the suit, claiming she was fired for
refusing to help the company allegedly cheat the Internal Revenue Service.
Disney management declined comment for this story, but has reportedly
called the allegations "shameful and untrue."
Nonetheless, the mere prospect of jaw-dropping jury awards may convince
some CFOs to bring in third-party hotline vendors to handle employee
complaints. Some observers say contracting an outsourcer could prove
crucial if a whistleblower is later fired for, say, poor performance.
With an outsourcer running a hotline and information kept confidential
and anonymous, they assert a supervisor would likely be free of blame
if they fired an under-achieving employee. Why? There would be no way
for the supervisor to know that the individual was the one who lodged
a complaint.
Other experts warn that complaint hotlines set up entirely in-house
for Sarbanes-Oxley compliance can overload the directors or officers
handling the calls. "My concern would be that they would not have
the time to do it effectively or management's position wouldn't be able
to independently deal with employee complaints," says attorney Rains.
The issue, however, is up for debate. Hugh Donnelly, vice president
of audit at Pfizer, notes that the company uses a third-party hotline
vendor. The drug maker's compliance officer serves as the initial point
of contact with the company's outsourcer.
While Donnelly says Pfizer's audit committee will have the final say
on whether the company's current practice will come up to the SEC's requirements,
he's comfortable leaving the filtering to his compliance officer. "If
any financial items would come through that," Donnelly explains, "my
compliance offer would clearly get me involved to assist on the investigation,
if that's required."
Jocelyn Arel, partner with Testa, Hurwitz & Thibeault, LLP, suggests
that companies that want to take the most conservative approach to complaint
notification systems should have allegations go directly to the audit
committee — without going through senior management. "It depends
how an individual company defines anonymous," she says.
Realistically, though, Arel concedes that even with a small number of
cases to validate, audit committee members are generally too busy to
handle more than a few complaints.
Mayhem or Maytag?
Whether they get more than that remains to be seen. For the moment,
though, J.C. Penny's Barton is worried how to best filter thousands of
worker phone calls once the retailer rolls out its hotline in the next
few months. Barton says he's come to expect the avalanche after discussing
Sarbanes-Oxley hotline compliance with the general counsel at retail
rival, Sears.
Eckerd Corp., J.C. Penny's drugstore chain subsidiary, may also provide
Barton with a glimpse of what he can expect. Eckerd already has an operational
hotline that is staffed at all hours by the company's loss prevention
group. But just six calls out of thousands made to the center over the
last six months were related to accounting or auditing matters. The group’s
manager passed the reports to the compliance officer who serves as the
gatekeeper for further investigation by appropriate members of the staff. "I
assume they are resolved," Barton says of the six calls, “and
are not a big issue.”
To be sure, Eckerd’s hotline is not compliant with the Sarbanes-Oxley
proposed rule because it does not allow for employees to make their calls
anonymously. But Barton says that will soon change: "The way to
do it is to assign a case or claim number to the individual," he
explains.
The individual can then call back and reference that same number to
learn of any progress in the claim’s investigation. Many times,
Barton says, the complaint comes from a lower-level individuals whose
lack of full understanding on accounting practices "may lead them
to do what they believe is a whistleblower activity."
In fact, some experts say it's not real likely that dozens of complaints
will merit review by the company's audit board, let alone its board of
directors. Mair says he's helped establish ethics hotline programs at
eight organizations. So far, he says all but one considers what they've
done a success. "I think the one that isn't happy overspent on what
they could have done," he says, noting that the company hired a
full-time person to staff the hotline and do the follow-up.
In the end, Mair says, the staff member simply had no reports to investigate. "It
was like the Maytag repair man."
Most companies would love to have that problem.
|
