Update on the current board issues: July 2014

Audit committee issues


Some tips for maintaining an effective whistleblower program

Back to top

Both the Sarbanes-Oxley and the Dodd-Frank acts address the role and protection of whistleblowers. The Sarbanes-Oxley Act calls for the audit committee to oversee operation of a confidential hotline at the company level. The Dodd-Frank Act created a separate department at the SEC with a whistleblower hotline that provides cash rewards to whistleblowers whose testimony leads to a conviction.

The Anti-Fraud Collaboration organization, which includes the Center for Audit Quality (CAQ), the Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Corporate Directors (NACD), recently held a webcast on how to improve whistleblower programs. It was moderated by Cindy Fornelli, CAQ executive director, and included three speakers: Kristin Rivera, PwC forensics services partner; Patricia Harned, president of the Ethics Resource Center; and Janice Innis-Thompson, senior managing director and chief compliance and ethics officer of TIAA-CREF.

Three years after the SEC whistleblower program was put into place, most whistleblowers are reporting incidents of misconduct to their immediate supervisor or higher management, according to Harned. She cited data from her organization’s 2013 National Business Ethics Survey (NBES) that found that 35% of employees filed whistleblower reports with their supervisor and 22% with higher management.

“There’s something about having a whistleblower hotline,” Harned said, “but employees usually like to go their supervisor first. They tend to use the hotline when the problem involves their supervisor.”

According to the NBES, even as many workers indicated that the federal provisions would not impact their intent to file a whistleblower complaint, a sizeable number said the law’s combination of whistleblower protections and bounties made them more likely to report concerns, both internally and externally. Those who had experienced retaliation in the past, and those who had reported in order to receive a bounty, were far more likely to say that these rules would encourage them to report.

Innis-Thompson shared her process with the Anti-Fraud Collaboration webcast audience.

“One of the things we do at TIAA-CREF is that we have a committee that aggregates the employee [whistleblower] reports,” Innis-Thompson said. “Other reports come through our internal audit department.” Aggregation helps the national financial services organization to classify the complaints and determine where there may be problems, she said.

Rivera noted that companies that aggregate whistleblower complaints could create a report similar to the SEC’s annual report with customized versions for the audit committee, the full board and other stakeholders.

Rivera and Innis-Thompson also had some key takeaways for audit committees and boards to consider when setting up and reviewing a whistleblower program:

  • Make sure you have a feedback loop to the individual reporting the complaint.
  • Communicate availability of the company whistleblower hotline across the company.
  • Evaluate whether the allegation indicates a deficiency in internal control over financial reporting, which could be relevant to the company and your auditor’s assessment of effectiveness.
  • Ask if the allegation could have potential legal implications.