Retaliation Exposure Tipping Point? Supreme Court Extends SOX Whistleblower Protections to Private Company Employees

GUEST BLOGGER

Shanti Atkins
President and Chief Strategy Officer, NAVEX Global

The Supreme Court in Lawson vs FMR, LLC (delivered March 4, 2014, after a 6-3 vote) has ruled that employees of private companies engaged by public companies are covered by the whistleblower protections of Sarbanes-Oxley Act of 2002 (SOX).

In Lawson, two employees of FMR, LLC (a private employer contracted with by publicly traded mutual funds) claimed they were retaliated against by their employer after raising issues of fraud. They filed for whistleblower protection under SOX. FMR responded by claiming that their employees were not protected by SOX from firing or retaliation because SOX applied only to claims brought by employees of public companies.

A Seminal Shift in Coverage

SOX was enacted largely in response to shareholder fraud at a publicly traded company, Enron. SOX included a provision to protect whistleblowers from retaliation to encourage reporting of fraud. No one ever argued that these protections did not apply to employees of public companies. In fact as pointed out by dissenting U.S. Supreme Court Justice Sonia Sotomayor, the name of the pertinent SOX section was “Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud.” For years it was a widely held position that this whistleblower protection applied solely to employees of the 5,000 or so companies with publicly traded securities in the U.S. Lawson changes that position entirely.  The decision’s seminal shift in SOX coverage opens up the potential for more claims brought by employees of the third parties of private companies who have been engaged by public companies.

What’s the Practical Impact on Exposure?

The true size of this potential new universe of protected claimants is still uncertain. Depending on your position, you either think that there will be an overwhelming rush by accountants, law firms and even in the most extreme cases, babysitters (as argued in the dissenting opinion of Justice Sotomayor) to bring retaliation claims. Or, you believe it will be “business as usual.” Much of this final debate may hinge on an undecided question about the types of claims protected and whether or not, as many allege, they are limited to shareholder fraud. But one thing is clear. Public and private companies alike must now take greater care with how whistleblowers are handled after a report has been filed.

A Reminder that Risk Continues to Escalate Through the Use of Third Parties

While the full impact of the decision on the number and subject matter of whistleblower claims remains to be seen, there is another critical take-away from Lawson: The use of all third parties puts the engaging party at higher risk of fines, litigation and damage to reputation. Whether in the form of liability for direct, unlawful acts such as bribery or quality failures, or liability for the consequences of retaliation, all third parties need to be evaluated for the potential risk to the enterprise, private and public. This argues in favor of universal but proportional due diligence, especially data driven technology solutions, as well as strong policies, training and further monitoring and auditing of third parties.

The Importance of Effective Reporting Channels

In light of this opinion, an additional area of heightened concern for all employers should be the need to ensure that the company has an effective, well-communicated hotline for employees to report misconduct, along with a robust case management system to centralize, manage and resolve those reports – whether brought through the hotline, or another avenue, including management and HR. This is not just a requirement or best practice for publicly traded companies. It is a universal need. More than just collecting reports of misconduct, employers should ensure that reports are being promptly investigated and actually resolved. This concern is illustrated in the results of NAVEX Global’s just published 2014 Hotline Benchmarking Report. From the NAVEX Global website, “the Report’s findings showed that the number of days it is taking organizations to close a reported case has gone from 30 days in 2008 to 36 days in 2013. Questions on accounting, auditing and financial reporting took an average of 46 days to close…”

“Every additional day an employee is left wondering whether their concern has been taken seriously represents a risk to the organization,” said Carrie Penman, chief compliance officer and senior vice president of advisory services at NAVEX Global. “An ongoing increase in case closure time is a red flag; organizations need to ensure they have sufficient and properly trained resources available to manage the increasing volume of reports in the coming year. The trend is especially notable given that under some regulatory provisions for external reporting and whistleblower awards, an organization may have limited time to complete an internal investigation.”

Lawson Reminds Us of the Ongoing Challenges Around Whistleblowing and Retaliation

The whistleblower risk to companies is clearly increasing. Even with overall workplace misconduct on the decline according to a recent study from the Ethics Resource Center (ERC), retaliation bucks the trend, continuing to rise at an alarming pace. This syncs up with NAVEX Global’s own proprietary data (based on the largest database of reported incidents in the world) where overall report volume has increased substantially over the past three years. 

Lawson demonstrates continued support for expanding the protections for whistleblowers. Experienced compliance specialists, executives, attorneys and others who address the reduction of risk or exploit its vulnerabilities should take proactive steps to identify whistleblower risks and implement or enhance current plans to address them. Bringing the impact of Lawson to the attention of the top ranks of an organization is also critical – executive management, the C-Suite and the Board. It’s a decision worthy of everyone’s attention.

Find out more about how businesses can protect themselves by downloading our SOX Whistleblower Protection Toolkit for Private Businesses.

Employers Beware: Confusion on Whistleblower Protection Breeds Silence

GUEST BLOGGER

Sheila Keefe, CFE
Principal, BDR Advisors, LLC
Lake Geneva, WI

Anonymous tips serve as the No.1 fraud detection tool available, according to the ACFE’s 2010 Report to the Nations on Occupational Fraud and Abuse, which states that tips are the leading source of initial detection of occupational fraud with a discovery rate of 40 percent. As helpful as tips are in the fight against fraud, those brave enough to come forward may be putting their jobs at risk. However, the key to protection can be as easy as understanding the legal provisions.

Several whistleblower protection laws and rules are in place to prevent retaliation against whistleblowers, including the Whistleblower Protection Act of 1989, Sarbanes-Oxley Act (SOX) and the Dodd-Frank Reform Act. But even with these protections, retaliation still occurs. In Tides v. The Boeing Co., the Ninth Circuit Court excluded two auditors from SOX whistleblower protection because the whistleblowers went to the media instead of approved recipients such as supervisors, law enforcement and Congress. These two Boeing auditors were not the first to make the mistake of going first to the media. An Air Marshall did the same thing in 2009 when he expressed concern that Air Marshalls would not be flying on long, non-stop flights in order to accommodate budget constraints.

Aside from the importance of using the right channels for anonymous tips, courts have also expressed concern over informants coming forward with wild accusations. In 2006, a whistleblower went to authorities with office gossip about possible fraudulent misstatements by Northwestern University made in efforts to secure a more favorable bond rating and loans. When the claims proved baseless, the courts denied the informant whistleblower status citing inadequate evidence.

These cases show that prospective whistleblowers should be mindful of the elements that allow for protection. Unfortunately, such confusion on what it takes to qualify for whistleblower protection may silence many, possibly explaining why most tips come in anonymously or from company outsiders, with just 49 percent of tips coming from employees, per the Report to the Nations. Employers who wish to mobilize their workforce to fight fraud should do their best to ensure that whistleblowers feel comfortable coming forward in spite of what they may fear by putting in place vigorous whistleblower protection programs in their organizations that can include whistleblower hotlines and anonymous update mechanisms.

To read more about Sheila or to follow her blog, Business Done Right, go here.

Be a Revenue Enhancer, not an Overhead Cost

Cora.JPG

GUEST BLOGGER

Cora Bullock

Assistant Editor, Fraud Magazine

The recession has dramatically changed our lives, and it has undoubtedly affected internal auditing. Danny Goldberg, CPA, CIA, CISA, CGEIT, CCSA, national professional development practice director of Sunera, addressed just how much it has affected IA in his Tuesday breakout session, "Evolution of Auditing: How the Recession Is Changing the Industry." He summarized the IA changes by saying, "Don’t be an overhead cost. Be a revenue-enhancer. My CIO at my old job didn’t see the innate value in internal auditing. Once I saved him money, he did."

Internal auditors are still valuable, but not only do they need to continue to do more with less, they also must become revenue enhancers by working inside the organization to cut costs and help the company become more efficient and effective. The nattily dressed Goldberg gave many tips on how to do so, including enterprise risk management (ERM). He pointed out that ERM was very popular in the mid-2000s because we were prosperous then, and it's becoming increasingly popular so companies can cover their rears, so to speak. "If you're in IA, you need to get into ERM," said Goldberg. "ERM will raise your profile in your company."

The Sarbanes-Oxley Act (SOX) was another hot button. "We need to use our SOX knowledge to leverage into other areas of the company. If you haven’t done that, then we're wasting our SOX knowledge, guys!" he exclaimed.

Goldberg also said that there is still significant segregation between operations and IT, but he believes that audit and IT risk assessment should be combined: "You can't audit a division without knowing their IT systems." And different groups are doing different testing, but we need to learn to integrate our audits.

Read the full article here.

New, Changing Laws Call for Open Minds and Informed Objectivity from CFEs

LETTER FROM THE PRESIDENT

James D. Ratley, CFE
ACFE President and CEO

We’ve all heard the adage that a crisis can be an opportunity. But how often, when we’re focused on solving an immediate problem, do we miss the chance to leap forward to more comprehensive remedies? As CFEs, we owe it to our clients and employers — and to our own career aspirations — to identify and/or devise strategies that meet current and future needs.

With that in mind, consider the Security and Exchange Commission’s (SEC) proposed revamping of its whistle-blower program as mandated by the Dodd-Frank Act (see recent Forbes post). The plan permits those reporting corporate malfeasance to bypass internal whistle-blowing channels and go straight to the SEC without jeopardizing their eligibility for an up-to-30-percent share in any resulting sanction of $1 million or more against corporations.

Critics say this strategy will seriously weaken corporations’ fraud detection and prevention regimes that the Sarbanes-Oxley Act mandated. Plus, if a whistle-blower tells only the SEC about a fraud, the corporation — presuming it is unaware of the fraud — would issue financial statements that inadvertently conceal the fraud.

Therefore, employers might consider revising and strengthening their internal reporting procedures to encourage employees to first raise any concerns directly with them before bringing legal claims in court or to regulatory bodies.

This complex issue calls for equally pressing considerations, such as the need for a prompt, effective response when frauds are revealed and incorporation of whistle-blower protection. In numerous recent cases, employees who reported significant fraud through corporate channels were, at best ignored or, at worst, persecuted. In some cases, the common good also suffered when the unresolved fraud continued.

These valid and sometimes opposing concerns call for open minds and informed objectivity. As CFEs, we are uniquely qualified to provide leadership to our employers and clients and help them implement anti-fraud measures that address both individual incidents and overall circumstances.

Read the full Letter from the President from the latest issue of Fraud Magazine here.