Skip Ribbon Commands
Skip to main content

Quick Launch

AACMI > AACMI Blog
May 21
IMPROVING THE FLOW OF INFORMATION TO THE AUDIT COMMITTEE
Introduction
The purpose of this paper is to discuss methods of improving the flow of information to audit committees so that they are better able to perform their oversight function.

 

The audit committee has been recognized as an important entity level control.  Independent auditors rely upon the audit committee to provide the auditors with important information necessary to perform the audit function.  For example, AS No. 16 requires the independent auditor to “inquire of the audit committee about whether it is aware of matters relevant to the audit, including, but not limited to, violations or possible violations of laws or regulations.”[1]
 
A well-informed audit committee is essential to a high quality audit.  Yet, as we will see from this paper, there are many examples of audit committees which do not have the information that is important to performing an effective oversight function.
 
Most audit committees rely upon the information provided to them by the CEO and CFO.  Yet these are the very persons with respect to whom the audit committee is expected to provide oversight to protect shareholders.  The audit committee’s other primary source of information is the independent auditor.  Unless the audit committee has effective independent information sources, the independent auditor should not assume that the audit committee has any more information than was provided to the independent auditor by management.
 
Therefore, the ability of the audit committee to obtain information independent of the CEO and CFO is crucial to an effective audit.
 
Sources of Information for the Audit Committee
The following are the primary sources of information for the audit committee:
 
·         CEO and CFO
 
·         Independent auditors and internal auditors
 
·         Lower level executive management
 
·         Securities analysts, short sellers, and newspaper/web articles
 
·         Suppliers and customers
 
·         Employee whistleblowers
 
Employee Whistleblowers
Employee whistleblowers, including lower level executives, are a  potentially important source of information for the audit committee.  However, communication from employees to the audit committee requires that (a) employees recognize misconduct or enterprise risk and (b) are motivated to reveal this information directly to the audit committee.
Unfortunately, as will be demonstrated by this paper, under the current system employees do not generally recognize misconduct or enterprise risk and they have very little motivation to reveal this information to the audit committee.  Their lack of motivation stems from the potential retaliation they may face from the company as well as the lack of any reward for assuming the risk of revealing sensitive information to the audit committee.
 
According to the 2011 National Business Ethics Survey [2], “More than one in three people who said they observed misconduct also decided not to report it to someone who could take appropriate action to address it.”  The report further stated “In many cases, employees observe misconduct, but do not report because they are not attuned to the ethical dimension of workplace conduct.  They fail to see how particular behaviors violate workplace standards and values.”
 
SOX Hotlines Are Largely Ineffective
In reaction to the Enron, WorldCom and other shareholder disasters during the 2000 to 2002 period, Congress enacted the Sarbanes- Oxley Act of 2002 which mandated that companies whose stock is traded on national securities exchanges require audit committees to establish procedures for “the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”  This resulted in employee hotlines being established by most public companies.  However, these hotlines have not been effective in most cases to induce management personnel to go over the heads of the CEO or CFO and make disclosures to the audit committee.
 
According to the 2011 National Business Ethics Survey, only 6% of employees surveyed would use a hotline to report employee misconduct.  Most will just report the misconduct to their immediate supervisor, if they report at all.  Since a supervisor or the persons the supervisor reports to may be involved in the illegal activity, in many situations the report may never reach the independent directors or the CEO. 
 
A report by Network, Inc., "2012 Corporate Governance and Compliance Hotline Benchmarking Report", dated July 24, 2012, stated that 48% of whistleblower calls were anonymous, a fact that suggests that many employees fear retaliation.  The presence of such a high percentage of anonymous complaints means that the organization has not established a culture which encourages internal whistleblowing.  The net result is that employees fear becoming a pariah and either will not provide valuable information to the board or the CEO or will do so only anonymously.
 
Although Congress, when passing the Sarbanes-Oxley Act of 2002 (SOX), may have contemplated an active and effective whistleblower program, this goal has not been uniformly realized.  The hotlines today are primarily a vehicle for employment discrimination, sexual harassment and other similar employment related complaints, rather than a pipeline for major fraud, illegality or enterprise risk of interest to the independent directors.  The hotlines typically fail to create incentives for executives below the CEO and CFO level to reveal important information directly to the audit committee.  Unfortunately, some independent directors are misled by the employment-related complaints on the hotline into believing the hotline is really effective.
 
There are seven major problems with the current whistleblower systems:
 
1.   The tone at the top tolerates but does not encourage whistleblowers, particularly executive whistleblowers.
 
2.   There is no meaningful reward or recognition for legitimate whistleblowers.
 
3.   The inability to communicate with anonymous whistleblowers results in failure to fully investigate anonymous information.
 
4.   The system does not guarantee anonymity.
 
5.   The system is not well advertised.
 
6.   The audit committee uses employee administrators and investigators who are not viewed as independent by whistleblowers and who do not even have forensic skills.
 
7.   Whistleblowers’ motivations and personalities affect the investigation.
 
Many public companies have a “paper” whistleblower system.  In such a system, the company has complied with the letter of the SOX requirements and exchange listing rules but has done nothing more.  Management tolerates the whistleblower system but does not encourage whistleblowers. Whistleblowers are almost never recognized as employees of the month.  As a result, potential whistleblowers (including executives whistleblowers), facing daunting disincentives, refuse to participate in the system.
 
Concerning the SOX whistleblower statute, the former general counsel of the Securities and Exchange Commission (SEC) has stated:
 
“Not all corporate compliance programs work well. Some—no matter how elaborately conceived and extensively documented—exist only on paper. Some small numbers are shams. I once knew of an ostensibly anonymous employee hotline that actually rang on the desk of the CEO’s secretary. I’m not at all sure that Congress intended that a whistleblower at this company would have to avail himself of this hotline before coming to the Commission and getting an award.”[3]
Very few, if any, whistleblower systems provide meaningful rewards or recognition for whistleblowers. Although some employees are driven by their moral compass to do the right thing and do not need rewards, the number of employees who are Mother Teresa is very limited. Given the real possibility that the employment of persons disclosing wrongful activity may be terminated and even if not terminated such person could be socially ostracized, employees have no reason to assume those risks without a meaningful incentive.   Internal whistleblower systems do not have to compete economically with the size of awards available under the whistleblower statutes since there are many disincentives to external employee whistleblowing.  However, the lack of any meaningful reward or other recognition for internal whistleblowers reflects an organizational attitude that is not conducive to whistleblowing.
 
Although the SOX whistleblower system allows for anonymous whistleblowers, that system does not work well because the audit committee or its counsel may need to further question the person whose identity has been hidden.  Audit committees tend to provide fewer resources to investigating anonymous complaints.[4]
 
Moreover, many current whistleblower systems do not guarantee anonymity.  Voice recognition techniques can be used to trace hotline calls.  Private detectives can use handwriting analysis to trace anonymous letters.  Anonymous e-mails can be traced back to the whistleblower’s computer.  Best practices would provide greater guarantees of anonymity by permitting communication through the whistleblower’s personal counsel (at the company’s expense if the information is legitimate) and allowing the whistleblower to form an entity to further hide his or her identity.
 
Hotline service providers advertise their ability to ask further questions to the anonymous whistleblower. Although this service is useful, it is not a good substitute for direct communication between the whistleblower’s lawyer and the audit committee’s attorney, without the intervention of the hotline service provider. Hotline providers do not normally have the forensic skills necessary to ask follow-up questions. Sophisticated executive whistleblowers know that the information they reveal to the hotline, including their company position, is not protected from discovery by the attorney- client privilege.  Moreover, executive whistleblowers, concerned about being blackballed and anxious about maintaining anonymity, will not necessarily be comfortable with an ongoing detailed dialogue with a hotline service provider selected by management and possibly even providing summaries of the conversation to management personnel. Yet, without this detail it is difficult for the audit committee to conduct a thorough investigation.
 
Many companies do not adequately communicate the whistleblower system except in a policy contained in an SEC filing or on their websites.  As a result, average employees may not realize that the company even has an anonymous whistleblower system.  A survey by the Institute of Internal Auditors indicates that employee familiarity with the organization’s hotline is a key factor in encouraging its use.[5]
 
The administration and investigation of whistleblower complaints are typically performed initially by the internal auditor, director of compliance, human resources (HR) head, or general counsel.  All of these individuals are company employees whose compensation is determined by management (with the possible exception of the internal auditor).
 
Potential whistleblowers do not have confidence in the independence or impartiality of those employees who would administer or investigate their complaints.  Moreover, many of these individuals are not skilled forensic investigators.
An example of why whistleblower systems do not work can be found in the Enron case.  Sherron Watkins sent a letter to Kenneth Lay, Enron’s chairman, stating, in part, that “I am incredibly nervous that we will implode in a wave of accounting scandals.”  Kenneth Lay then gave the matter to inside counsel to administer and investigate Watkins’ complaint, rather than using completely independent counsel for that purpose.  Inside counsel then employed Enron’s regular outside counsel, which received substantial legal fees from Enron, to perform the investigation.  At the end of a very limited investigation, the regular outside law firm gave Enron a report that, in general, found no substance to Watkins’ complaint.  A separate investigation completed shortly after Enron’s bankruptcy by an independent board committee, using completely independent counsel, found significant substance to Watkins’ complaint.
 
Whether a particular company’s hotline is effective can only be determined through employee surveys and exit interviews which are directed primarily at the executive group.  Independent directors should consider conducting such surveys anonymously using third party service providers.
 
Lower Level Executives Will Typically Not Report Misconduct or Enterprise Risk to the Audit Committee
 
Lower level executives of the company who may have extremely important information for the audit committee will typically not risk their careers by reporting misconduct or other risky behavior to the audit committee, either through a hotline or directly.
 
There are many examples where executives of companies facing major financial risks refuse to use the hotline or to otherwise directly report to the audit committee.
 
For example, prior to the collapse of AIG, there were executives who recognized the major risks being undertaken through its derivatives business in credit default swaps[6], but had no incentive to reveal these risks to the directors.  According to a Michael Lewis article[7], in mid-2005, an AIG executive named Eugene Park was fiddling around at work with his online trading account after reading about this wonderful new stock called New Century Financial with a terrific dividend yield.  So Park looked at New Century’s financial statements and noticed something “frightening”.[8]
 
The average homeowner counted on to feed the interest on the “A+” tranche of New Century mortgage-backed collateralized debt obligations (“CDOs”) had a credit score of only 598, with a 4.28% likelihood of being 60 days or more late on payment.[9]  Park subsequently discovered that the AIG Financial Products Division was insuring a substantial portion of the New Century mortgages.  He allegedly revealed this information to Joseph Cassano’s No. 2 person in the AIG Financial Products Division and was ultimately blown off by Cassano. [10] Had a robust whistleblower system existed at AIG at that time, Park might have used it to advise the AIG audit committee.  Instead, the AIG Financial Products Division did not reduce or hedge their existing super-senior tranches of subprime CDOs, although they stopped writing credit default swaps in late 2005/2006.[11]
 
Why did Eugene Park not use the AIG anonymous employee hotline to report to the AIG audit committee the excess risk being taken by AIG in issuing credit default swaps?  One can only speculate that there was no reward for Park to do so and it is likely he would have had an abbreviated career at AIG had Joseph Cassano discovered that Park had gone over his head to the AIG audit committee.
 
According to the Lehman Bros. Bankruptcy Examiner Report, Matthew Lee, a Senior Vice President of Lehman Bros. finance division, was aware of accounting improprieties at Lehman Bros.  In May 2008, he sent a letter to his superior, Martin Kelly, the Lehman Bros. controller, about the Repo 105 transactions which were used by Lehman Bros. to move assets off the balance sheet at quarter-end.[12]  There was no response to the letter.
 
Why did Matthew Lee not use the employee hotline to report this directly to the audit committee?  We can only speculate.  Perhaps Lee decided that sending a letter to a superior was risky enough without further jeopardizing his career by going to the Lehman Bros. audit committee.  There is no evidence that Lehman Bros. created any reward for providing legitimate information on the employee hotline.  In any event, Lee was laid-off less than a month after sending the letter.[13]
 
According to the McLean and Nocera book “All the Devils Are Here:  The Hidden History of the Financial Crisis”, Jeff Kronthal, a senior executive at Merrill Lynch, warned the then CEO, Stan O’Neal, about the excessive subprime risk being assumed by Merrill Lynch.  This warning was ignored and disbelieved by the CEO.
 
Why didn’t Jeff Kronthal use the anonymous employee hotline to warn the audit committee of this excessive risk?  Going over the head of the CEO, even on an anonymous basis, is considered an act of disloyalty to the management team and typically results in some form of retaliation, including being considered a pariah within the company and the industry as a whole.
 
The Financial Crisis Inquiry Report notes that Matthew Tannin, a Bear Stearns executive, stated in a diary in his personal e-mail account in 2006, long before the collapse of Bear Stearns, that “a wave of fear set over [him]” when he realized that the Enhanced Fund “was going to subject investors to ‘blow up risk’” and “we could not run the leverage as high as I had thought we could.”[14]  Why didn’t Matthew Tannin use the anonymous employee hotline to report his concern to the Bear Stearns audit committee?  Likely for the same reasons stated above, i.e. lack of reward and likelihood of retaliation.
 
Each of these cases are examples of significant information which was known within the management group but was unknown by the audit committee or other independent directors.  One may speculate that had this vital information been reported to the audit committee, the tremendous losses subsequently incurred by shareholders may have been wholly or partially avoided.
 
Elements of a Robust Whistleblower Policy
If audit committees and independent directors want to receive information from executives below the CEO or CFO level in order to fulfill their oversight obligations, they must establish a robust whistleblower system and an effective compliance program.
 
An effective compliance program requires the following elements:
 

·    Independent directors must be in charge and must be given the resources to fulfill their responsibilities.

 
·    The whistleblower system for accounting, auditing and enterprise risk complaints must be independently administered.  This means that employees of the company (such as HR, internal audit or inside counsel) should not initially receive such hotline complaints, as is the current practice, but rather complaints should initially go directly to the  audit committee  chair or his or her designee ( such as completely independent counsel or other ombudsman).  This assures the executive whistleblower that their more serious complaints will be independently handled by persons not beholden to management..  Routine employee complaints, such as employment discrimination, sexual harassment, and similar complaints, should be referred back to HR for investigation.  Alternatively, a separate hotline can be developed solely for non-employment related complaints, with HR continuing to receive employment related complaints on its own hotline.
 
·     Employee whistleblower complaints which are made to their supervisor and which relate to accounting or enterprise risk must be reported by the supervisor directly to the audit committee.
 
·        Employee whistleblower complaints (other than routine employment discrimination, sexual harassment and similar complaints) should be investigated by completely independent counsel (or other ombudsman) reporting directly to the independent directors, who should (where appropriate) utilize the services of an auditing firm other than the company’s regular independent auditor.  Employees of the company should not be used to investigate non-employment complaints in order to encourage executive whistleblowers to use the system.
 
·      Suppliers and customers should be able to access the whistleblower system.
 
·       Direct contact information for the audit committee should be posted on the company’s website.
 
·       There should be no presumption that anonymous complaints are less deserving of investigation.
 
·       Absolute protection of whistleblowers’ identity is essential.  Employee whistleblowers (other than routine employment complaints described above) should be permitted to use their own personal counsel and to form entities in order to protect their identity.  This protection of identity is designed to encourage executives to use the whistleblower system.
 
·       The motivations and personality of the whistleblower are not relevant to the truth of the allegations.  Whistleblowers with difficult personalities or who have obviously ulterior motives may receive short shrift in any investigation, even though their complaints may be valid.  SEC officials made this mistake in ignoring Harry Markopolos’ revelations about Bernie Madoff approximately 10 years before his Ponzi scheme was revealed.[15]
 
·        Periodically assess the effectiveness of any employee hotline and provide employee compliance training.
 
·    Independent counsel should report to the whistleblower or his or her attorney the status and results of the investigation and the organization should provide annual reports to all employees as to actions taken.
 
·    Legitimate employee whistleblowers should receive meaningful monetary rewards.
 
·    The whistleblower policy must be communicated effectively.
 
·    There should be milder sanctions for whistleblowers involved in illegal group activity.
 
·    Retaliation claims and decisions to terminate whistleblowers should be independently investigated by the audit committee.
 
·    The director of corporate compliance (if any) should report to the independent directors and become their eyes and ears within the organization.
 
·    The tone at the top of the organization must support an ethical, law-abiding culture.  The tone at the top should be established not only by the CEO and CFO but also the chair of the audit committee.
 
Annual Employee Survey
Audit committees should annually test the culture of the organization.  One method of testing the culture is by having employees answer (on an anonymous basis) a simple questionnaire which contains the following three questions:
 
·    If you see misconduct by another employee, what are the chances you would report it?  (Scale of 1 to 10, with 10 being most likely)
 
·    If you saw misconduct by a senior officer, such as the CEO or CFO, what are the chances you would report it? (Scale of 1 to 10, with 10 being most likely)
 
·    Would you be willing to initially report misconduct or significant enterprise risk exposure directly to the audit committee? (Scale of 1 to 10, with 10 being most likely)
 
 Conclusion
It is recommended that the Center for Audit Quality and its participating organizations adopt the best practices for audit committees set forth in this paper in order to improve the flow of information to the audit committee, thereby improving the quality of the independent audit.

 



[1] AS No. 16, Appendix 1, Paragraph 8; See also AS No. 12 and AU sec. 317.
[2] Ethics Resource Center – “Inside The Mind Of A Whistleblower”, A Supplemental Report of the 2011 National Business Ethics Survey
[3] David M. Becker, Esq., General Counsel, “Speech by SEC Staff: Remarks at the Practicing Law Institute’s Ninth Annual Institute on Securities Regulation in Europe.” U.S. Securities and Exchange Commission, January 25, 2011.
[4] James E. Hunton and Jacob M. Rose, “Effects of Anonymous Whistle-Blowing and Perceived Reputation Threats on Investigations of Whistle-Blowing Allegations by Audit Committee Members” Journal of Management Studies 1. No. 48 (2011): 75-98.
[5] Mary B. Curtis, “Whistleblower mechanisms: A Study of the Perceptions of ‘Users’ and “Responders.” Dallas Chapter of the Institute of Internal Auditors, April 2006.
[6]  Bethany McLean and Joel Nocera, “All The Devils Are Here: The Hidden History of the Financial Crisis”, Portfolio/Penguin (2010) p. 190.
[7] “The Great Hangover: 21 Tales of the New Recession from the Pages of Vanity Fair”, Harper Perennial (2010); See also The Financial Crisis Inquiry Report, Pgs. 200-201 (January 2011).
[8] Id.
[9] Moe Tkacik’s Page, “That AIG Story, For Readers Who Are Sick of AIG Already” (7/6/2009), http://trueslant.com/moetkacik/ 
[10] “The Great Hangover: 21 Tales of the New Recession from the Pages of Vanity Fair”, Harper Perennial (2010).
[12] “Report of Anton R. Valukas, Examiner,” March 11, 2010, p. 21. http://lehmanreport.jenner.com. 
[14] “The Financial Crisis Inquiry Report”, The Financial Crisis Report Commission, Pursuant to Public Law 111-21, January 2011
[15] U.S. Securities and Exchange Commission, Office of Investigations, “Investigation of Failure of the SEC to Uncover Bernard Madoff’s Ponzi Scheme—Public Version,” Report No. OIG-509, August 2009, p. 250. www.sec.gov/news/
studies/2009/oig-509.pdf. See also H. Markopolos, No One Would Listen (Hoboken, NJ: John Wiley & Sons, 2010).

April 25
Why CEOs and Boards Should Establish Robust Internal Whistleblower Policies

A robust internal whistleblower policy is an important internal control. Even the Center for Audit Quality has mentioned the key role played by this internal control for financial reporting purposes.[1] Most CEOs and directors believe that, by installing a hotline and creating a paper whistleblower policy, they have established an effective internal whistleblower system. They are misled by the fact that occasionally the hotline is used for typical employee grievances, such as perceived discrimination or sexual harassment complaints.

Unfortunately, much more is required to create a robust internal whistleblower policy.  Indeed, it requires a cultural change within the organization which must start with the "tone at the top". Although "tone at the top" usually means the tone set by the CEO, it also includes the tone set by the independent directors as well. CEO's and directors also tend to greatly underestimate the significant disincentives to internal whistleblowing, including both direct and subtle forms of retaliation to which internal whistleblowers are subject.

Both the federal and state governments have adopted external whistleblower reward systems to encourage employee whistleblowers to reveal misconduct directly to governmental authorities. The following chart is a brief summary of the external rewards now provided to employees for revealing wrongdoing to governmental authorities:

 
Dodd-Frank
10% to 30% of amount collected for violation of federal securities laws (including Foreign Corrupt Practices Act) or Commodity Exchange Act if monetary sanctions exceed $1 million.
False Claims Act
15% to 25% of collected recovery, but can be as high as 30% or as low as 10%
IRS
Mandatory Awards of 15% to 30% of amount collected if amounts in dispute exceed $2 million and if target taxpayer is an individual, annual gross income must exceed $200,000.  If target taxpayer is an entity, there is no gross income requirement.  Discretionary awards authorized below the $2 million threshold.
Miscellaneous Statutes
Act to Prevent Pollution From Ships (up to one-half of fine), state and local false claims laws etc.

 

The five primary reasons that organizations, whether public, private, governmental or non-profit, should adopt a robust whistleblower system are:

  • To protect the organization from criminal indictment, conviction and fines and from related civil liability and, in the case of non-profit organizations, the loss of donor support;
  • To protect the shareholders or other equity holders of the organization from loss of value of their equity interests;
  • To protect the board of directors and officers from civil liability;
  • To protect the chief executive officer ("CEO") from both criminal and civil liability; and
  • To protect the business reputation of both the directors and the CEO as well as the reputation of the organization itself.

Many public companies have a "paper" whistleblower system. In such a system, the company has complied with the letter of the SOX requirements and exchange listing rules but has done nothing more. Management tolerates the whistleblower system but does not encourage whistleblowers. As a result, potential whistleblowers, facing daunting disincentives, refuse to participate in the system.

Many not-for-profit organizations and private companies have adopted similar ineffective whistleblower policies.  Many CEOs and boards believe that by establishing a hotline service they have an effective whistleblower policy.  However, according to the Ethics Resource Center ("ERC") only 5% of employees would use hotlines to first report misconduct.[2] In 2011, 56% of first reports were made to the employee's direct supervisor. [3] However, the direct supervisor or a higher tier superior may be involved in the misconduct and will bury the report.  One of the primary reasons employees will seek whistleblower rewards from governmental authorities, such as the SEC, is because of perceived retaliation against internal whistleblowers.



[2] Ethics Resource Center:  Inside the Mind of a Whistleblower – 2012 ("ERC Report"), p. 12
[3] ERC Report, p. 11

 

 

 

 

April 24
From Enron to Lehman Bros.: What Can We Learn From These Corporate Governance Failues? (Introduction)

Lessons for Boards From Recent Corporate Governance Failures

The internal whistleblower policy of organizations is an important internal control.  In order for boards to fulfill their oversight obligations, they should have information provided to them by lower-level personnel, in addition to the normal board packages received from the CEO and CFO.  Moreover, the CEO and CFO need to establish an effective whistleblower system in order to properly perform their jobs. Nothing is more embarrassing for a CEO than to have a surprise government investigation which might have been avoided with a robust internal whistleblower system.

Most hotlines are ineffective for a variety of reasons which are discussed in full in my article entitled "From Enron to Lehman Brothers: Lesson for Boards from Recent Corporate Governance Failures" and my book entitled "Whitleblowers: Incentives, Disincentives and Protection Strategies", John Wiley & Sons, Inc. (2012).   

 For example, according to a report by Network, Inc., "2012 Corporate Governance and Compliance Hotline Benchmarking Report", dated July 24, 2012, 48% of whistleblower calls were anonymous, a fact that suggests that many employees fear retaliation.  The presence of such a high percentage of anonymous complaints means that the organization has not established a culture which encourages internal whistleblowing.  The net result is that employees fear becoming a pariah and either will not provide valuable information to the board or the CEO or will do so only anonymously.

A  study of audit committees by James E. Hunton and Jacob M. Rose, "Effects of Anonymous Whistle-Blowing and Perceived Reputation Threats on Investigations of Whistle-Blowing Allegations by Audit Committee Members", 2010, provide fewer resources to investigating anonymous complaints. It is difficult to ask follow-up question to an anonymous source.

According to the 2011 National Business Ethics Survey, only 6% of employees surveyed would use a hotline to report employee misconduct.  Most will just report the misconduct to their immediate supervisor, if they report at all.  Since a supervisor or the persons the supervisor reports to may be involved in the illegal activity, in many situations the report may never reach the independent directors or the CEO. 

 

April 23
From Enron to Lehman Bros.: What Can We Learn From These Corporate Governance Failures? (PART I)
 

 

Government investigations, bankruptcy receiver reports and numerous books provide a rich source of information about the major corporate disasters of the first decade of the 21st century.  Although the financial implosions, starting with Enron and ending with Lehman Bros., have significant differences, there is one major corporate governance theme which appears.  The board of directors and, in particular, the independent directors did not have the information required to properly perform their oversight duties, even though such information was known to various members of management.
 
In almost all the cases, the directors claimed they were misinformed or “duped” by the CEO or CFO.[1]  In this respect these disasters were partly the result of a failure of corporate governance, particularly the failure to establish a robust whistleblower system as an internal control.  Independent directors of these companies which suffer shareholder debacles tend to lose their business reputation and their other directorships.[2]
 
The audit committee and other independent directors of these companies relied heavily on the fact that the company was receiving clean audit opinions from its independent auditors and failed to develop other independent sources of information.  An investment advisory group formed by the Public Company Accounting Oversight Board (“PCAOB”) noted that the following companies all received unqualified audit opinions within months of their failure:
 
A Sampling of Failed Financial Institutions
All of which received unqualified audit opinions within months of the failure
 
Company
Event
Event Date
Investor Losses ($m)*
Audit Firm
Lehman Bros.
Bankruptcy
9/15/2008
31,437.10
E&Y
AIG
TARP
9/16/2008
155,499.60
PwC
Citigroup
TARP
10/26/2008
212,065.20
KPMG
Fannie Mae
Gov’t takeover
9/6/2008
64.10
Deloitte
Freddie Mac
Gov’t takeover
9/2/2008
41.50
PwC
Wash Mutual
Bankruptcy
9/26/2008
30,558.50
Deloitte
New Century
Bankruptcy
4/2/2007
2,576.40
KPMG
Bear Stearns
Purchased
3/17/2008
20,896.80
Deloitte
Countrywide
Purchased
1/11/2008
22,776.00
KPMG
* Calculated based on decline in market capitalization from one year prior to the event and the event date. Fannie Mae and Freddie Mac data is from 10/9/07 and 9/12/08.
 
It is clear that corporate governance oversight cannot be effective if the only source of board information is the CEO, CFO and the independent auditor.


[1] F. Lipman, “Whistleblowers: Incentives, Disincentives and Protection Strategies”, John Wiley & Sons, Inc. (2012), pp. 82-83.
 
[2] The story of Herbert S. “Pug” Winokur, Jr., former head of the Finance Committee of the Enron Board of Directors, who subsequently lost his directorship with the Harvard Corporation, is eloquently told by Andrea Redmond and Patricia Crisafulli, Comebacks: Powerful Lessons from Leaders Who Endured Setbacks and Recaptured Success on Their Terms (San Francisco: Jossey-Bass, 2010).

 

April 21
From Enron To Lehman Bros.:  What Can We Learn From These Corporate Governance Failures? (PART II)

Sox Hotlines are Ineffective

In reaction to the Enron, WorldCom and other shareholder disasters during the 2000 to 2002 period, Congress enacted the Sarbanes- Oxley Act of 2002 which mandated that companies whose stock is traded on national securities exchanges require audit committees to establish procedures for “the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”  This resulted in employee hotlines being established by most public companies.  However, these hotlines have not been effective in most cases to induce management personnel to go over the heads of the CEO or CFO and make disclosures to the audit committee.

For example, prior to the collapse of AIG, there were executives who recognized the major risks being undertaken through its derivatives business in credit default swaps[1], but had no incentive to reveal these risks to the directors.  According to a Michael Lewis article[2], in mid-2005, an AIG executive named Eugene Park was fiddling around at work with his online trading account after reading about this wonderful new stock called New Century Financial with a terrific dividend yield. 

So Park looked at New Century’s financial statements and noticed something “frightening”.[3]  The average homeowner counted on to feed the interest on the “A+” tranche of New Century mortgage-backed collateralized debt obligations (“CDOs”) had a credit score of only 598, with a 4.28% likelihood of being 60 days or more late on payment.[4]  Park subsequently discovered that the AIG Financial Products Division was insuring a substantial portion of the New Century mortgages.  He allegedly revealed this information to Joseph Cassano’s No. 2 person in the AIG Financial Products Division and was ultimately blown off by Cassano. [5] Had a robust whistleblower system existed at AIG at that time, Park might have used it to advise the AIG audit committee.  Instead, the AIG Financial Products Division did not reduce or hedge their existing super-senior tranches of subprime CDOs, although they stopped writing credit default swaps in late 2005/2006.[6]

Why did Eugene Park not use the AIG anonymous employee hotline to report to the AIG audit committee the excess risk being taken by AIG in issuing credit default swaps?  One can only speculate that there was no reward for Park to do so and it is likely he would have had an abbreviated career at AIG had Joseph Cassano discovered that Park had gone over his head to the AIG audit committee.

According to the Lehman Bros. Bankruptcy Examiner Report, Matthew Lee, a Senior Vice President of Lehman Bros. finance division, was aware of accounting improprieties at Lehman Bros.  In May 2008, he sent a letter to his superior, Martin Kelly, the Lehman Bros. controller, about the Repo 105 transactions which were used by Lehman Bros. to move assets off the balance sheet at quarter-end.[7]  There was no response to the letter.

Why did Matthew Lee not use the employee hotline to report this directly to the audit committee?  We can only speculate.  Perhaps Lee decided that sending a letter to a superior was risky enough without further jeopardizing his career by going to the Lehman Bros. audit committee.  There is no evidence that Lehman Bros. created any reward for providing legitimate information on the employee hotline.  In any event, Lee was laid-off less than a month after sending the letter.[8]

According to the McLean and Nocera book “All the Devils Are Here:  The Hidden History of the Financial Crisis”, Jeff Kronthal, a senior executive at Merrill Lynch, warned the then CEO, Stan O’Neal, about the excessive subprime risk being assumed by Merrill Lynch.  This warning was ignored and disbelieved by the CEO.

Why didn’t Jeff Kronthal use the anonymous employee hotline to warn the audit committee of this excessive risk?  Going over the head of the CEO, even on an anonymous basis, is considered an act of disloyalty to the management team and typically results in some form of retaliation, including being considered a pariah within the company and the industry as a whole.

The Financial Crisis Inquiry Report notes that Matthew Tannin, a Bear Stearns executive, stated in a diary in his personal e-mail account in 2006, long before the collapse of Bear Stearns, that “a wave of fear set over [him]” when he realized that the Enhanced Fund “was going to subject investors to ‘blow up risk’” and “we could not run the leverage as high as I had thought we could.”[9]  Why didn’t Matthew Tannin use the anonymous employee hotline to report his concern to the Bear Stearns audit committee?  Likely for the same reasons stated above, i.e. lack of reward and likelihood of retaliation.

Each of these cases are examples of significant information which was known within the management group but was unknown by the audit committee or other independent directors.  One may speculate that had this vital information been reported to the audit committee, the tremendous losses subsequently incurred by shareholders may have been wholly or partially avoided.


[1]  Bethany McLean and Joel Nocera, “All The Devils Are Here: The Hidden History of the Financial Crisis”, Portfolio/Penguin (2010) p. 190.
[2] “The Great Hangover: 21 Tales of the New Recession from the Pages of Vanity Fair”, Harper Perennial (2010); See also The Financial Crisis Inquiry Report, Pgs. 200-201 (January 2011).
[3] Id.
[4] Moe Tkacik’s Page, “That AIG Story, For Readers Who Are Sick of AIG Already” (7/6/2009), http://trueslant.com/moetkacik/ 
[5] “The Great Hangover: 21 Tales of the New Recession from the Pages of Vanity Fair”, Harper Perennial (2010).
[7] “Report of Anton R. Valukas, Examiner,” March 11, 2010, p. 21. http://lehmanreport.jenner.com. 
[9] “The Financial Crisis Inquiry Report”, The Financial Crisis Report Commission, Pursuant to Public Law 111-21, January 2011

 

April 20
From Enron to Lehman Bros.:  What Can We Learn From These Corporage Governance Failures? (PART III)

 

Defects in Current Whistleblower Systems
 
Although Congress, when passing the Sarbanes-Oxley Act of 2002 (SOX), may have contemplated an active and effective whistleblower program, this goal has not been uniformly realized.  The hotlines today are primarily a vehicle for employment discrimination, sexual harassment and other similar employment related complaints, rather than a pipeline for major fraud, illegality or enterprise risk of interest to the independent directors.  The hotlines typically fail to create incentives for executives below the CEO and CFO level to reveal important information directly to the audit committee.  Unfortunately, some independent directors are misled by the employment-related complaints on the hotline into believing the hotline is really effective.
 
There are seven major problems with the current whistleblower systems:
  1. The tone at the top tolerates but does not encourage whistleblowers, particularly executive whistleblowers.
  2. There is no meaningful reward or recognition for legitimate whistleblowers.
  3. The inability to communicate with anonymous whistleblowers results in failure to fully investigate anonymous information.
  4. The system does not guarantee anonymity.
  5. The system is not well advertised.
  6. The audit committee uses employee administrators and investigators who are not viewed as independent by whistleblowers and not even have forensic skills.
  7. Whistleblowers' motivations and personalities affect the investigation.
 
Many public companies have a “paper” whistleblower system.  In such a system, the company has complied with the letter of the SOX requirements and exchange listing rules but has done nothing more.  Management tolerates the whistleblower system but does not encourage whistleblowers. Whistleblowers are almost never recognized as employees of the month.  As a result, potential whistleblowers (including executives whistleblowers), facing daunting disincentives, refuse to participate in the system.
 
Concerning the SOX whistleblower statute, the former general counsel of the Securities and Exchange Commission (SEC) has stated:
 
Not all corporate compliance programs work well. Some—no matter how elaborately conceived and extensively documented—exist only on paper. Some small numbers are shams. I once knew of an ostensibly anonymous employee hotline that actually rang on the desk of the CEO’s secretary. I’m not at all sure that Congress intended that a whistleblower at this company would have to avail himself of this hotline before coming to the Commission and getting an award.[1]
 
Very few, if any, whistleblower systems provide meaningful rewards or recognition for whistleblowers. Although some employees are driven by their moral compass to do the right thing and do not need rewards, the number of employees who are Mother Teresa is very limited. Given the real possibility that the employment of persons disclosing wrongful activity may be terminated and even if not terminated such person could be socially ostracized, employees have no reason to assume those risks without a meaningful incentive.   Internal whistleblower systems do not have to compete economically with the size of awards available under the whistleblower statutes since there are many disincentives to external employee whistleblowing.  However, the lack of any meaningful reward or other recognition for internal whistleblowers reflects an organizational attitude that is not conducive to whistleblowing.
 
Although the SOX whistleblower system allows for anonymous whistleblowers, that system does not work well because the audit committee or its counsel may need to further question the person whose identity has been hidden.  Audit committees tend to provide fewer resources to investigating anonymous complaints.[2]
 
Unfortunately, approximately half of whistleblower calls in 2010 were anonymous, a fact that suggests that many employees fear retaliation.[3]
 
Moreover, many current whistleblower systems do not guarantee anonymity.  Voice recognition techniques can be used to trace hotline calls.  Private detectives can use handwriting analysis to trace anonymous letters.  Anonymous e-mails can be traced back to the whistleblower’s computer.  Best practices would provide greater guarantees of anonymity by permitting communication through the whistleblower’s personal counsel (at the company’s expense if the information is legitimate) and allowing the whistleblower to form an entity to further hide his or her identity.
 
Hotline service providers advertise their ability to ask further questions to the anonymous whistleblower. Although this service is useful, it is not a good substitute for direct communication between the whistleblower’s lawyer and the audit committee’s attorney, without the intervention of the hotline service provider. Hotline providers do not normally have the forensic skills necessary to ask follow-up questions. Sophisticated executive whistleblowers know that the information they reveal to the hotline, including their company position, is not protected from discovery by the attorney- client privilege.  Moreover, executive whistleblowers, concerned about being blackballed and anxious about maintaining anonymity, will not necessarily be comfortable with an ongoing detailed dialogue with a hotline service provider selected by management and possibly even providing summaries of the conversation to management personnel. Yet, without this detail it is difficult for the audit committee to conduct a thorough investigation.
 
Many companies do not adequately communicate the whistleblower system except in a policy contained in an SEC filing or on their websites.  As a result, average employees may not realize that the company even has an anonymous whistleblower system.  A survey by the Institute of Internal Auditors indicates that employee familiarity with the organization’s hotline is a key factor in encouraging its use.[4]
 
The administration and investigation of whistleblower complaints are typically performed initially by the internal auditor, director of compliance, human resources (HR) head, or general counsel.  All of these individuals are company employees whose compensation is determined by management (with the possible exception of the internal auditor).
 
Potential whistleblowers do not have confidence in the independence or impartiality of those employees who would administer or investigate their complaints.  Moreover, many of these individuals are not skilled forensic investigators.
 
An example of why whistleblower systems do not work can be found in the Enron case.  Sherron Watkins sent a letter to Kenneth Lay, Enron’s chairman, stating, in part, that “I am incredibly nervous that we will implode in a wave of accounting scandals.”  Kenneth Lay then gave the matter to inside counsel to administer and investigate Watkins’ complaint, rather than using completely independent counsel for that purpose.  Inside counsel then employed Enron’s regular outside counsel, which received substantial legal fees from Enron, to perform the investigation.  At the end of a very limited investigation, the regular outside law firm gave Enron a report that, in general, found no substance to Watkins’ complaint.  A separate investigation completed shortly after Enron’s bankruptcy by an independent board committee, using completely independent counsel, found significant substance to Watkins’ complaint.
 
Whether a particular company’s hotline is effective can only be determined through employee surveys and exit interviews which are directed primarily at the executive group.  Independent directors should consider conducting such surveys anonymously using third party service providers.


[1] David M. Becker, Esq., General Counsel, “Speech by SEC Staff: Remarks at the Practicing Law Institute’s Ninth Annual Institute on Securities Regulation in Europe.” U.S. Securities and Exchange Commission, January 25, 2011.
[2] James E. Hunton and Jacob M. Rose, “Effects of Anonymous Whistle-Blowing and Perceived Reputation Threats on Investigations of Whistle-Blowing Allegations by Audit Committee Members” Journal of Management Studies 1. No. 48 (2011): 75-98.
[3] “2011 Corporate Governance and Compliance Hotline Benchmarking Report” The Network, Inc., http://tnwinc.com/files/2011TNWbenchmarkingreport.pdf?webSyncID=feeb1011-cfd5-46f5-9002-b82b755566a9&sessionGUID=839c7949-4019-6a43-b5c5-2ebd95e8aea9; Deloitte Forensic Center, “Whistleblowing and the New Race to Report: The Impact of the Dodd-Frank Act and 2010’s Changes to U .S. Federal Sentencing Guidelines.” 2010.  www.deloitte.com/view/en_US/us/Services/Financial-Advisory-Services/Forensic-Center/fb02b4b17deaa210VgnVCM2000001b56f00aRCRD.htm.
[4] Mary B. Curtis, “Whistleblower mechanisms: A Study of the Perceptions of ‘Users’ and “Responders.” Dallas Chapter of the Institute of Internal Auditors, April 2006.
 

 

April 19
From Enron to Lehman Bros.: What Can We Learn From These Corporate Governance Failues? (PART IV)

 

Elements of a Robust Whistleblower Policy 

 

If audit committees and independent directors want to receive information from executives below the CEO or CFO level in order to fulfill their oversight obligations, they must establish a robust whistleblower system and an effective compliance program.

 

An effective compliance program requires the following elements: 
  • Independent directors must be in charge and must be given the resources to fulfill their responsibilities.
  • The whistleblower system for accounting, auditing and enterprise risk complaints must be independently administered. This means that employees of the company (such as HR, internal audit or inside counsel) should not initially receive such hotline complaints, as is the current practice, but rather complaints should initially go directly to the audit committee chair or his or her designee ( such as completely independent counsel or other ombudsman). This assures the executive whistleblower that their more serious complaints will be independently handled by persons not beholden to management.. Routine employee complaints, such as employment discrimination, sexual harassment, and similar complaints, should be referred back to HR for investigation. Alternatively, a separate hotline can be developed solely for non-employment related complaints, with HR continuing to receive employment related complaints on its own hotline.
  • Whistleblower complaints (other than routine employment discrimination, sexual harassment and similar complaints) should be investigated by completely independent counsel (or other ombudsman) reporting directly to the independent directors. Employees of the company should not be used to investigate non-employment complaints in order to encourage executive whistleblowers to use the system.
  • There should be no presumption that anonymous complaints are less deserving of investigation.
  • Absolute protection of whistleblowers' identity is essential. Whistleblowers (other than routine employment complaints described above) should be permitted to use their own personal counsel and to form entities in order to protect their identity. This protection of identity is designed to encourage executives to use the whistleblower system.
  • The motivations and personality of the whistleblower are not relevant to the truth of the allegations. Whistleblowers with difficult personalities or who have obviously ulterior motives may receive short shrift in any investigation, even though their complaints may be valid. SEC officials made this mistake in ignoring Harry Markopolos' revelations about Bernie Madoff approximately 10 years before his Ponzi scheme was revealed. [1]
  • Periodically assess the effectiveness of any employee hotline and provide employee compliance training. Independent counsel should report to the whistleblower or his or her attorney the status and results of the investigation and the organization should provide annual reports to all employees as to actions taken.
  • Legitimate employee whistleblowers should receive meaningful monetary rewards.
  • The whistleblower policy must be communicated effectively.
  • There should be milder sanctions for whistleblowers involved in illegal group activity.
  • Retaliation claims should be independently investigated.
  • The director of corporate compliance (if any) should report to the independent directors and become their eyes and ears within the organization.
  • The tone at the top of the organization must support an ethical, law-abiding culture. The tone at the top should be established not only by the CEO and CFO but also the chair of the audit committee.

A key factor in employee willingness to use hotlines is the communication of the results of investigations of hotline tips and the actions taken.[2]  Many companies do not adequately communicate this information to the whistleblower.



[1] U.S. Securities and Exchange Commission, Office of Investigations, “Investigation of Failure of the SEC to Uncover Bernard Madoff’s Ponzi Scheme—Public Version,” Report No. OIG-509, August 2009, p. 250. www.sec.gov/news/
studies/2009/oig-509.pdf. See also H. Markopolos, No One Would Listen (Hoboken, NJ: John Wiley & Sons, 2010).
[2] Ibid

 

March 02
Should the Motivations and Personalities of the Internal Whistleblower be Relevant to the Truth of the Allegations?

Some people believe that the motivation and personality of an internal whistleblower are relevant to the validity of their allegations.  A cogent argument can be made that neither the motivations nor personality of the whistleblower have anything to do with the truth of their charges.

The SEC made exactly that same mistake in refusing to take seriously the complaint of Harry Markopolos who claimed that he had discovered the Madoff Ponzi scheme, approximately 8 years before it was revealed.[1]  Harry Markopolos, a quantitative financial analyst, first blew the whistle on Bernard Madoff's multibillion-dollar Ponzi scheme in 2000, and over the ensuing eight years preceding Madoff's arrest, sent detailed accusations to various Securities and Exchange Commission offices. Each report met with a thundering silence. Harry's investigation started when his bosses at the money management firm he worked for wanted him to design a financial product that was as consistently profitable and low-risk as the one offered by Madoff. It took Harry only a few minutes to study Madoff's supernaturally consistent rate of return and "investment strategy" to realize it was most likely a fraud.

The SEC likely viewed Harry Markopolos as motivated by a desire to hurt a competitor, namely Madoff, who was allegedly producing better returns for his investors than Harry Markopolos was producing for his company.[2]  The following is a passage from Harry Markopolos' book:

"Certainly one reason that office [the SEC's New York office] paid so little attention to my submission is that they believed my motive for pursuing Madoff was to collect a big reward.  Bachenheimer [Doria Bachenheimer, Assistant Director of the SEC's New York branch office] described me to SEC Inspector General David Kotz as 'a competitor of Madoff's who had been criticized for not being able to meet Madoff's returns, and that he was looking for a bounty' – information she probably got from my previous public testimony. She added, 'If the first thing I hear from someone is what's in it for me, then it raises my antenna a little bit.'" [3]

Academic researchers[4] have long studied the various motivations of whistleblowers.  These motivations vary from very honorable and honest motivation, such as altruistic behavior[5] to do the right thing or to resolve an injustice[6], to devious motivations such as taking advantage of statutory protections of whistleblowers.

In the end, however, the motivations of the whistleblower are arguably not relevant to whether the whistleblower's allegations are true or false.



 

[1]  Harry Markopolos with Frank Casey, Neil Chelo, Gaytri Kachroo, and Michael Ocrant, “No One Would Listen: A True Financial Thriller” (John Wiley & Sons, Inc.2010)  p. 171
[2] Id.
[3] Id at p. 156
[4] Michael J. Gundlach, et al, “The Decision to Blow the Whistle: A Social Information Process Framework”, Academy of Management Review, Vol 28, No. 1 (Jan., 2003), pp. 107-123; Marcia P. Miceli and Janet P. Near, “The Incident of Wrongdoing, Whistle-Blowing, and Retaliation: Results of a Naturally Occurring Field Experiment”, Employee Responsibilities and Rights Journal, Vol. 2, No. 2, 1989; Janet P. Near (Indiana University) and Tamila C. Jensen (Boren, Elperin, Howard, and Sloan Attorneys at Law, “The Whistleblowing Process:  Retaliation and Perceived Effectiveness”, Work and Occupations, Vo. 10, No. 1, February 1983 3-28.
[5] Brief, A.P. & Motowidlo, S. 1986, “Prosocial organizational behaviors”, Academy of Management Review, 11: 710-725.
[6] Greenberg, J. 1887b. “Reactions to procedural justice in payment distributions: Do the ends justify the means?”, Journal of Applied Psychology, 72: 55-71.

 
March 01
Model Meeting Agendas

From time to time we have received questions from members as to the scheduling of meetings of public company audit committees.  In particular, questions have been asked as to what should be on the agenda for each of the meetings and how many meetings should the average audit committee hold.  There is no one answer for every public company audit committee since each situation varies with the peculiar circumstances of the public company.  However, we have in the past been provided with the following agendas for a total of five meetings of the audit committee.  Each agenda sets forth the topics to be covered at that meeting.  The agendas assume a calendar year company.

 

 About this blog

 

Frederick D. Lipman 
Frederick D. Lipman, President

Welcome to the AACMI Blog!  Through these entries, the association will endeavor to share news and information dedicated to strengthening audit committees around the world.  We hope you will visit us often! 

© Copyright 2016 AACMI
LinkedInTwitter