20 Years After Sarbanes-Oxley

Sarbanes-Oxley, my how you’ve grown. It is hard to believe that the Sarbanes-Oxley Act of 2002 turned 20 years old in July. While some of us feel like we are in 2019 or 2020, still trying to process the way the world has been influenced by the pandemic, surely SOX wasn’t TWENTY YEARS AGO? Yet, here we are. Arthur Andersen, Enron and WorldCom certainly left behind a legacy that changed the financial world, especially that of the public company.

Exciting Career Path For CFEs

LETTER FROM THE PRESIDENT

James D. Ratley, CFE
ACFE President and CEO

Huge fraud cases such as Enron and WorldCom were disastrous for their employees and communities. But they did wake up the lawmakers who had to face the huge personal and financial costs of fraud. One result was the U.S. Sarbanes-Oxley Act (SOX) of 2002, which made corporation CEOs and CFOs finally sit up straight and take responsibility for their quarterly statements.

SOX also opened up doors for CFEs. Public businesses — and nonprofits — now hire more CFEs who can help prevent and deter fraud (few entities, except the ACFE, used those words before SOX) and keep them out of deep trouble.

Also, SOX and the Securities and Exchange Commission (SEC) require that every public company's board of directors have a "financial expert" on its audit committee. This is a little-known opportunity for CFEs.

The author of our cover article, W. Steve Albrecht, Ph.D., CFE, CPA, CIA, writes that in 2013, more than 10 boards of directors asked him to join them, and during the past 12 years, he's been on eight boards for public and private companies.

Now, granted, Albrecht was the first ACFE president, helped develop the concepts in the Fraud Triangle, and is a legendary fraud researcher and professor. But hard-working and savvy CFEs of all stripes can place this on their goal lists.

The SEC says each financial expert candidate must have experience as a principal financial officer, principal accounting officer, controller or public accountant, or have supervised anybody in these positions. Albrecht writes that he didn't meet any of these work requirements. "However, as a CFE, I've served as an expert witness in 36 fraud cases in which I obtained experience overseeing and assessing the performance of companies and public accountants in the preparation, auditing or evaluation of financial statements," he says. "Were it not for my expert witnessing and other CFE fraud examination experiences, I wouldn't be qualified to be a financial expert."

As a fraud examiner you also might not have held any of these accounting-related positions, but if you've been in the industry for a while, there's a good possibility that you've done some expert-witnessing work.

Albrecht writes that most CFEs have the skills necessary to work on audit committees. "As a CFE, you might think you have a narrow background," Albrecht writes. "But you've developed skills that make you a great board and audit committee member and help you interact well in any business setting."

Maybe it's time for you to check out this rewarding career diversion.

Retaliation Exposure Tipping Point? Supreme Court Extends SOX Whistleblower Protections to Private Company Employees

GUEST BLOGGER

Shanti Atkins
President and Chief Strategy Officer, NAVEX Global

The Supreme Court in Lawson vs FMR, LLC (delivered March 4, 2014, after a 6-3 vote) has ruled that employees of private companies engaged by public companies are covered by the whistleblower protections of the Sarbanes-Oxley Act of 2002 (SOX).

In Lawson, two employees of FMR, LLC (a private employer contracted with by publicly traded mutual funds) claimed they were retaliated against by their employer after raising issues of fraud. They filed for whistleblower protection under SOX. FMR responded by claiming that their employees were not protected by SOX from firing or retaliation because SOX applied only to claims brought by employees of public companies.

A Seminal Shift in Coverage

SOX was enacted largely in response to shareholder fraud at a publicly traded company, Enron. SOX included a provision to protect whistleblowers from retaliation to encourage reporting of fraud. No one ever argued that these protections did not apply to employees of public companies. In fact, as pointed out by dissenting U.S. Supreme Court Justice Sonia Sotomayor, the name of the pertinent SOX section was “Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud.” For years it was a widely held position that this whistleblower protection applied solely to employees of the 5,000 or so companies with publicly traded securities in the U.S. Lawson changes that position entirely. The decision’s seminal shift in SOX coverage opens up the potential for more claims brought by employees of the third parties of private companies who have been engaged by public companies.

What’s the Practical Impact on Exposure?

The true size of this potential new universe of protected claimants is still uncertain. Depending on your position, you either think that there will be an overwhelming rush by accountants, law firms and even in the most extreme cases, babysitters (as argued in the dissenting opinion of Justice Sotomayor) to bring retaliation claims. Or, you believe it will be “business as usual.” Much of this final debate may hinge on an undecided question about the types of claims protected and whether or not, as many allege, they are limited to shareholder fraud. But one thing is clear. Public and private companies alike must now take greater care with how whistleblowers are handled after a report has been filed.

A Reminder that Risk Continues to Escalate Through the Use of Third Parties

While the full impact of the decision on the number and subject matter of whistleblower claims remains to be seen, there is another critical take-away from Lawson: The use of all third parties puts the engaging party at higher risk of fines, litigation and damage to reputation. Whether in the form of liability for direct, unlawful acts such as bribery or quality failures, or liability for the consequences of retaliation, all third parties need to be evaluated for the potential risk to the enterprise, private and public. This argues in favor of universal but proportional due diligence, especially data driven technology solutions, as well as strong policies, training and further monitoring and auditing of third parties.

The Importance of Effective Reporting Channels

In light of this opinion, an additional area of heightened concern for all employers should be the need to ensure that the company has an effective, well-communicated hotline for employees to report misconduct, along with a robust case management system to centralize, manage and resolve those reports – whether brought through the hotline, or another avenue, including management and HR. This is not just a requirement or best practice for publicly traded companies. It is a universal need. More than just collecting reports of misconduct, employers should ensure that reports are being promptly investigated and actually resolved. This concern is illustrated in the results of NAVEX Global’s just published 2014 Hotline Benchmarking Report. From the NAVEX Global website, “the Report’s findings showed that the number of days it is taking organizations to close a reported case has gone from 30 days in 2008 to 36 days in 2013. Questions on accounting, auditing and financial reporting took an average of 46 days to close…”

“Every additional day an employee is left wondering whether their concern has been taken seriously represents a risk to the organization,” said Carrie Penman, chief compliance officer and senior vice president of advisory services at NAVEX Global. “An ongoing increase in case closure time is a red flag; organizations need to ensure they have sufficient and properly trained resources available to manage the increasing volume of reports in the coming year. The trend is especially notable given that under some regulatory provisions for external reporting and whistleblower awards, an organization may have limited time to complete an internal investigation.”

Lawson Reminds Us of the Ongoing Challenges Around Whistleblowing and Retaliation

The whistleblower risk to companies is clearly increasing. Even with overall workplace misconduct on the decline according to a recent study from the Ethics Resource Center (ERC), retaliation bucks the trend, continuing to rise at an alarming pace. This syncs up with NAVEX Global’s own proprietary data (based on the largest database of reported incidents in the world) where overall report volume has increased substantially over the past three years. 

Lawson demonstrates continued support for expanding the protections for whistleblowers. Experienced compliance specialists, executives, attorneys and others who address the reduction of risk or exploit its vulnerabilities should take proactive steps to identify whistleblower risks and implement or enhance current plans to address them. Bringing the impact of Lawson to the attention of the top ranks of an organization is also critical – executive management, the C-Suite and the Board. It’s a decision worthy of everyone’s attention.

Find out more about how businesses can protect themselves by downloading our SOX Whistleblower Protection Toolkit for Private Businesses.

Employers Beware: Confusion on Whistleblower Protection Breeds Silence

GUEST BLOGGER

Sheila Keefe, CFE
Principal, BDR Advisors, LLC
Lake Geneva, WI

Anonymous tips serve as the No. 1 fraud detection tool available, according to the ACFE’s 2010 Report to the Nations on Occupational Fraud and Abuse, which states that tips are the leading source of initial detection of occupational fraud with a discovery rate of 40 percent. As helpful as tips are in the fight against fraud, those brave enough to come forward may be putting their jobs at risk. However, the key to protection can be as easy as understanding the legal provisions.

Several whistleblower protection laws and rules are in place to prevent retaliation against whistleblowers, including the Whistleblower Protection Act of 1989, Sarbanes-Oxley Act (SOX) and the Dodd-Frank Reform Act. But even with these protections, retaliation still occurs. In Tides v. The Boeing Co., the Ninth Circuit Court excluded two auditors from SOX whistleblower protection because the whistleblowers went to the media instead of approved recipients such as supervisors, law enforcement and Congress. These two Boeing auditors were not the first to make the mistake of going first to the media. An Air Marshal did the same thing in 2009 when he expressed concern that Air Marshals would not be flying on long, non-stop flights in order to accommodate budget constraints.

Aside from the importance of using the right channels for anonymous tips, courts have also expressed concern over informants coming forward with wild accusations. In 2006, a whistleblower went to authorities with office gossip about possible fraudulent misstatements by Northwestern University made in efforts to secure a more favorable bond rating and loans. When the claims proved baseless, the courts denied the informant whistleblower status citing inadequate evidence.

These cases show that prospective whistleblowers should be mindful of the elements that allow for protection. Unfortunately, such confusion on what it takes to qualify for whistleblower protection may silence many, possibly explaining why most tips come in anonymously or from company outsiders, with just 49 percent of tips coming from employees, per the Report to the Nations. Employers who wish to mobilize their workforce to fight fraud should do their best to ensure that whistleblowers feel comfortable coming forward in spite of what they may fear by putting in place vigorous whistleblower protection programs in their organizations that can include whistleblower hotlines and anonymous update mechanisms.

To read more about Sheila or to follow her blog, Business Done Right, go here.

Be a Revenue Enhancer, not an Overhead Cost

GUEST BLOGGER

Cora Bullock

Assistant Editor, Fraud Magazine

The recession has dramatically changed our lives, and it has undoubtedly affected internal auditing. Danny Goldberg, CPA, CIA, CISA, CGEIT, CCSA, national professional development practice director of Sunera, addressed just how much it has affected IA in his Tuesday breakout session, "Evolution of Auditing: How the Recession Is Changing the Industry." He summarized the IA changes by saying, "Don’t be an overhead cost. Be a revenue-enhancer. My CIO at my old job didn’t see the innate value in internal auditing. Once I saved him money, he did."

Internal auditors are still valuable, but not only do they need to continue to do more with less, they also must become revenue enhancers by working inside the organization to cut costs and help the company become more efficient and effective. The nattily dressed Goldberg gave many tips on how to do so, including enterprise risk management (ERM). He pointed out that ERM was very popular in the mid-2000s because we were prosperous then, and it's becoming increasingly popular so companies can cover their rears, so to speak. "If you're in IA, you need to get into ERM," said Goldberg. "ERM will raise your profile in your company."

The Sarbanes-Oxley Act (SOX) was another hot button. "We need to use our SOX knowledge to leverage into other areas of the company. If you haven’t done that, then we're wasting our SOX knowledge, guys!" he exclaimed.

Goldberg also said that there is still significant segregation between operations and IT, but he believes that audit and IT risk assessment should be combined: "You can't audit a division without knowing their IT systems." And different groups are doing different testing, but we need to learn to integrate our audits.