Association of Audit Committee Members | Improving the Flow of Information to the Audit Committee
This links to the home page
  • Improving the Flow of Information to the Audit Committee
    05/21/2013 | by Lipman, Frederick D.


    The purpose of this paper is to discuss methods of improving the flow of information to audit committees so that they are better able to perform their oversight function.

    The audit committee has been recognized as an important entity level control. Independent auditors rely upon the audit committee to provide the auditors with important information necessary to perform the audit function. For example, AS No. 16 requires the independent auditor to “inquire of the audit committee about whether it is aware of matters relevant to the audit, including, but not limited to, violations or possible violations of laws or regulations.”[1]

    A well-informed audit committee is essential to a high quality audit. Yet, as we will see from this paper, there are many examples of audit committees which do not have the information that is important to performing an effective oversight function.

    Most audit committees rely upon the information provided to them by the CEO and CFO. Yet these are the very persons with respect to whom the audit committee is expected to provide oversight to protect shareholders. The audit committee’s other primary source of information is the independent auditor. Unless the audit committee has effective independent information sources, the independent auditor should not assume that the audit committee has any more information than was provided to the independent auditor by management.

    Therefore, the ability of the audit committee to obtain information independent of the CEO and CFO is crucial to an effective audit.

    Sources of Information for the Audit Committee

    The following are the primary sources of information for the audit committee:
    • CEO and CFO
    • Independent auditors and internal auditors
    • Lower level executive management
    • Securities analysts, short sellers, and newspaper/web articles
    • Suppliers and customers
    • Employee whistleblowers

    Employee Whistleblowers

    Employee whistleblowers, including lower level executives, are a potentially important source of information for the audit committee. However, communication from employees to the audit committee requires that (a) employees recognize misconduct or enterprise risk and (b) are motivated to reveal this information directly to the audit committee.

    Unfortunately, as will be demonstrated by this paper, under the current system employees do not generally recognize misconduct or enterprise risk and they have very little motivation to reveal this information to the audit committee. Their lack of motivation stems from the potential retaliation they may face from the company as well as the lack of any reward for assuming the risk of revealing sensitive information to the audit committee.

    According to the 2011 National Business Ethics Survey [2], “More than one in three people who said they observed misconduct also decided not to report it to someone who could take appropriate action to address it.” The report further stated “In many cases, employees observe misconduct, but do not report because they are not attuned to the ethical dimension of workplace conduct. They fail to see how particular behaviors violate workplace standards and values.”

    SOX Hotlines Are Largely Ineffective

    In reaction to the Enron, WorldCom and other shareholder disasters during the 2000 to 2002 period, Congress enacted the Sarbanes- Oxley Act of 2002 which mandated that companies whose stock is traded on national securities exchanges require audit committees to establish procedures for “the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.” This resulted in employee hotlines being established by most public companies. However, these hotlines have not been effective in most cases to induce management personnel to go over the heads of the CEO or CFO and make disclosures to the audit committee.

    According to the 2011 National Business Ethics Survey, only 6% of employees surveyed would use a hotline to report employee misconduct. Most will just report the misconduct to their immediate supervisor, if they report at all. Since a supervisor or the persons the supervisor reports to may be involved in the illegal activity, in many situations the report may never reach the independent directors or the CEO.

    A report by Network, Inc., "2012 Corporate Governance and Compliance Hotline Benchmarking Report", dated July 24, 2012, stated that 48% of whistleblower calls were anonymous, a fact that suggests that many employees fear retaliation. The presence of such a high percentage of anonymous complaints means that the organization has not established a culture which encourages internal whistleblowing. The net result is that employees fear becoming a pariah and either will not provide valuable information to the board or the CEO or will do so only anonymously.

    Although Congress, when passing the Sarbanes-Oxley Act of 2002 (SOX), may have contemplated an active and effective whistleblower program, this goal has not been uniformly realized. The hotlines today are primarily a vehicle for employment discrimination, sexual harassment and other similar employment related complaints, rather than a pipeline for major fraud, illegality or enterprise risk of interest to the independent directors. The hotlines typically fail to create incentives for executives below the CEO and CFO level to reveal important information directly to the audit committee. Unfortunately, some independent directors are misled by the employment-related complaints on the hotline into believing the hotline is really effective.

    There are seven major problems with the current whistleblower systems:
    1. The tone at the top tolerates but does not encourage whistleblowers, particularly executive whistleblowers.
    2. There is no meaningful reward or recognition for legitimate whistleblowers.
    3. The inability to communicate with anonymous whistleblowers results in failure to fully investigate anonymous information.
    4. The system does not guarantee anonymity.
    5. The system is not well advertised.
    6. The audit committee uses employee administrators and investigators who are not viewed as independent by whistleblowers and who do not even have forensic skills.
    7. Whistleblowers’ motivations and personalities affect the investigation.

    Many public companies have a “paper” whistleblower system. In such a system, the company has complied with the letter of the SOX requirements and exchange listing rules but has done nothing more. Management tolerates the whistleblower system but does not encourage whistleblowers. Whistleblowers are almost never recognized as employees of the month. As a result, potential whistleblowers (including executives whistleblowers), facing daunting disincentives, refuse to participate in the system.

    Concerning the SOX whistleblower statute, the former general counsel of the Securities and Exchange Commission (SEC) has stated:
    “Not all corporate compliance programs work well. Some—no matter how elaborately conceived and extensively documented—exist only on paper. Some small numbers are shams. I once knew of an ostensibly anonymous employee hotline that actually rang on the desk of the CEO’s secretary. I’m not at all sure that Congress intended that a whistleblower at this company would have to avail himself of this hotline before coming to the Commission and getting an award.”[3]
    Very few, if any, whistleblower systems provide meaningful rewards or recognition for whistleblowers. Although some employees are driven by their moral compass to do the right thing and do not need rewards, the number of employees who are Mother Teresa is very limited. Given the real possibility that the employment of persons disclosing wrongful activity may be terminated and even if not terminated such person could be socially ostracized, employees have no reason to assume those risks without a meaningful incentive. Internal whistleblower systems do not have to compete economically with the size of awards available under the whistleblower statutes since there are many disincentives to external employee whistleblowing. However, the lack of any meaningful reward or other recognition for internal whistleblowers reflects an organizational attitude that is not conducive to whistleblowing.

    Although the SOX whistleblower system allows for anonymous whistleblowers, that system does not work well because the audit committee or its counsel may need to further question the person whose identity has been hidden. Audit committees tend to provide fewer resources to investigating anonymous complaints.[4]

    Moreover, many current whistleblower systems do not guarantee anonymity. Voice recognition techniques can be used to trace hotline calls. Private detectives can use handwriting analysis to trace anonymous letters. Anonymous e-mails can be traced back to the whistleblower’s computer. Best practices would provide greater guarantees of anonymity by permitting communication through the whistleblower’s personal counsel (at the company’s expense if the information is legitimate) and allowing the whistleblower to form an entity to further hide his or her identity.

    Hotline service providers advertise their ability to ask further questions to the anonymous whistleblower. Although this service is useful, it is not a good substitute for direct communication between the whistleblower’s lawyer and the audit committee’s attorney, without the intervention of the hotline service provider. Hotline providers do not normally have the forensic skills necessary to ask follow-up questions. Sophisticated executive whistleblowers know that the information they reveal to the hotline, including their company position, is not protected from discovery by the attorney- client privilege. Moreover, executive whistleblowers, concerned about being blackballed and anxious about maintaining anonymity, will not necessarily be comfortable with an ongoing detailed dialogue with a hotline service provider selected by management and possibly even providing summaries of the conversation to management personnel. Yet, without this detail it is difficult for the audit committee to conduct a thorough investigation.

    Many companies do not adequately communicate the whistleblower system except in a policy contained in an SEC filing or on their websites. As a result, average employees may not realize that the company even has an anonymous whistleblower system. A survey by the Institute of Internal Auditors indicates that employee familiarity with the organization’s hotline is a key factor in encouraging its use.[5]

    The administration and investigation of whistleblower complaints are typically performed initially by the internal auditor, director of compliance, human resources (HR) head, or general counsel. All of these individuals are company employees whose compensation is determined by management (with the possible exception of the internal auditor).

    Potential whistleblowers do not have confidence in the independence or impartiality of those employees who would administer or investigate their complaints. Moreover, many of these individuals are not skilled forensic investigators.

    An example of why whistleblower systems do not work can be found in the Enron case. Sherron Watkins sent a letter to Kenneth Lay, Enron’s chairman, stating, in part, that “I am incredibly nervous that we will implode in a wave of accounting scandals.” Kenneth Lay then gave the matter to inside counsel to administer and investigate Watkins’ complaint, rather than using completely independent counsel for that purpose. Inside counsel then employed Enron’s regular outside counsel, which received substantial legal fees from Enron, to perform the investigation. At the end of a very limited investigation, the regular outside law firm gave Enron a report that, in general, found no substance to Watkins’ complaint. A separate investigation completed shortly after Enron’s bankruptcy by an independent board committee, using completely independent counsel, found significant substance to Watkins’ complaint.

    Whether a particular company’s hotline is effective can only be determined through employee surveys and exit interviews which are directed primarily at the executive group. Independent directors should consider conducting such surveys anonymously using third party service providers.

    Lower Level Executives Will Typically Not Report Misconduct or Enterprise Risk to the Audit Committee

    Lower level executives of the company who may have extremely important information for the audit committee will typically not risk their careers by reporting misconduct or other risky behavior to the audit committee, either through a hotline or directly.

    There are many examples where executives of companies facing major financial risks refuse to use the hotline or to otherwise directly report to the audit committee.

    For example, prior to the collapse of AIG, there were executives who recognized the major risks being undertaken through its derivatives business in credit default swaps[6], but had no incentive to reveal these risks to the directors. According to a Michael Lewis article[7], in mid-2005, an AIG executive named Eugene Park was fiddling around at work with his online trading account after reading about this wonderful new stock called New Century Financial with a terrific dividend yield. So Park looked at New Century’s financial statements and noticed something “frightening”.[8]

    The average homeowner counted on to feed the interest on the “A+” tranche of New Century mortgage-backed collateralized debt obligations (“CDOs”) had a credit score of only 598, with a 4.28% likelihood of being 60 days or more late on payment.[9] Park subsequently discovered that the AIG Financial Products Division was insuring a substantial portion of the New Century mortgages. He allegedly revealed this information to Joseph Cassano’s No. 2 person in the AIG Financial Products Division and was ultimately blown off by Cassano. [10] Had a robust whistleblower system existed at AIG at that time, Park might have used it to advise the AIG audit committee. Instead, the AIG Financial Products Division did not reduce or hedge their existing super-senior tranches of subprime CDOs, although they stopped writing credit default swaps in late 2005/2006.[11]

    Why did Eugene Park not use the AIG anonymous employee hotline to report to the AIG audit committee the excess risk being taken by AIG in issuing credit default swaps? One can only speculate that there was no reward for Park to do so and it is likely he would have had an abbreviated career at AIG had Joseph Cassano discovered that Park had gone over his head to the AIG audit committee.

    According to the Lehman Bros. Bankruptcy Examiner Report, Matthew Lee, a Senior Vice President of Lehman Bros. finance division, was aware of accounting improprieties at Lehman Bros. In May 2008, he sent a letter to his superior, Martin Kelly, the Lehman Bros. controller, about the Repo 105 transactions which were used by Lehman Bros. to move assets off the balance sheet at quarter-end.[12] There was no response to the letter.

    Why did Matthew Lee not use the employee hotline to report this directly to the audit committee? We can only speculate. Perhaps Lee decided that sending a letter to a superior was risky enough without further jeopardizing his career by going to the Lehman Bros. audit committee. There is no evidence that Lehman Bros. created any reward for providing legitimate information on the employee hotline. In any event, Lee was laid-off less than a month after sending the letter.[13]

    According to the McLean and Nocera book “All the Devils Are Here: The Hidden History of the Financial Crisis”, Jeff Kronthal, a senior executive at Merrill Lynch, warned the then CEO, Stan O’Neal, about the excessive subprime risk being assumed by Merrill Lynch. This warning was ignored and disbelieved by the CEO.

    Why didn’t Jeff Kronthal use the anonymous employee hotline to warn the audit committee of this excessive risk? Going over the head of the CEO, even on an anonymous basis, is considered an act of disloyalty to the management team and typically results in some form of retaliation, including being considered a pariah within the company and the industry as a whole.

    The Financial Crisis Inquiry Report notes that Matthew Tannin, a Bear Stearns executive, stated in a diary in his personal e-mail account in 2006, long before the collapse of Bear Stearns, that “a wave of fear set over [him]” when he realized that the Enhanced Fund “was going to subject investors to ‘blow up risk’” and “we could not run the leverage as high as I had thought we could.”[14] Why didn’t Matthew Tannin use the anonymous employee hotline to report his concern to the Bear Stearns audit committee? Likely for the same reasons stated above, i.e. lack of reward and likelihood of retaliation.

    Each of these cases are examples of significant information which was known within the management group but was unknown by the audit committee or other independent directors. One may speculate that had this vital information been reported to the audit committee, the tremendous losses subsequently incurred by shareholders may have been wholly or partially avoided.

    Elements of a Robust Whistleblower Policy

    If audit committees and independent directors want to receive information from executives below the CEO or CFO level in order to fulfill their oversight obligations, they must establish a robust whistleblower system and an effective compliance program.

    An effective compliance program requires the following elements:
    • Independent directors must be in charge and must be given the resources to fulfill their responsibilities.
    • The whistleblower system for accounting, auditing and enterprise risk complaints must be independently administered. This means that employees of the company (such as HR, internal audit or inside counsel) should not initially receive such hotline complaints, as is the current practice, but rather complaints should initially go directly to the audit committee chair or his or her designee ( such as completely independent counsel or other ombudsman). This assures the executive whistleblower that their more serious complaints will be independently handled by persons not beholden to management.. Routine employee complaints, such as employment discrimination, sexual harassment, and similar complaints, should be referred back to HR for investigation. Alternatively, a separate hotline can be developed solely for non-employment related complaints, with HR continuing to receive employment related complaints on its own hotline.
    • Employee whistleblower complaints which are made to their supervisor and which relate to accounting or enterprise risk must be reported by the supervisor directly to the audit committee.
    • Employee whistleblower complaints (other than routine employment discrimination, sexual harassment and similar complaints) should be investigated by completely independent counsel (or other ombudsman) reporting directly to the independent directors, who should (where appropriate) utilize the services of an auditing firm other than the company’s regular independent auditor. Employees of the company should not be used to investigate non-employment complaints in order to encourage executive whistleblowers to use the system.
    • Suppliers and customers should be able to access the whistleblower system.
    • Direct contact information for the audit committee should be posted on the company’s website.
    • There should be no presumption that anonymous complaints are less deserving of investigation.
    • Absolute protection of whistleblowers’ identity is essential. Employee whistleblowers (other than routine employment complaints described above) should be permitted to use their own personal counsel and to form entities in order to protect their identity. This protection of identity is designed to encourage executives to use the whistleblower system.
    • The motivations and personality of the whistleblower are not relevant to the truth of the allegations. Whistleblowers with difficult personalities or who have obviously ulterior motives may receive short shrift in any investigation, even though their complaints may be valid. SEC officials made this mistake in ignoring Harry Markopolos’ revelations about Bernie Madoff approximately 10 years before his Ponzi scheme was revealed.[15]
    • Periodically assess the effectiveness of any employee hotline and provide employee compliance training.
    • Independent counsel should report to the whistleblower or his or her attorney the status and results of the investigation and the organization should provide annual reports to all employees as to actions taken.
    • Legitimate employee whistleblowers should receive meaningful monetary rewards.
    • The whistleblower policy must be communicated effectively.
    • There should be milder sanctions for whistleblowers involved in illegal group activity.
    • Retaliation claims and decisions to terminate whistleblowers should be independently investigated by the audit committee.
    • The director of corporate compliance (if any) should report to the independent directors and become their eyes and ears within the organization.
    • The tone at the top of the organization must support an ethical, law-abiding culture. The tone at the top should be established not only by the CEO and CFO but also the chair of the audit committee.

    Annual Employee Survey

    Audit committees should annually test the culture of the organization. One method of testing the culture is by having employees answer (on an anonymous basis) a simple questionnaire which contains the following three questions:
    • If you see misconduct by another employee, what are the chances you would report it? (Scale of 1 to 10, with 10 being most likely)
    • If you saw misconduct by a senior officer, such as the CEO or CFO, what are the chances you would report it? (Scale of 1 to 10, with 10 being most likely)
    • Would you be willing to initially report misconduct or significant enterprise risk exposure directly to the audit committee? (Scale of 1 to 10, with 10 being most likely)


    It is recommended that the Center for Audit Quality and its participating organizations adopt the best practices for audit committees set forth in this paper in order to improve the flow of information to the audit committee, thereby improving the quality of the independent audit.


    [1] AS No. 16, Appendix 1, Paragraph 8; See also AS No. 12 and AU sec. 317.
    [2] Ethics Resource Center – “Inside The Mind Of A Whistleblower”, A Supplemental Report of the 2011 National Business Ethics Survey
    [3] David M. Becker, Esq., General Counsel, “Speech by SEC Staff: Remarks at the Practicing Law Institute’s Ninth Annual Institute on Securities Regulation in Europe.” U.S. Securities and Exchange Commission, January 25, 2011.
    [4] James E. Hunton and Jacob M. Rose, “Effects of Anonymous Whistle-Blowing and Perceived Reputation Threats on Investigations of Whistle-Blowing Allegations by Audit Committee Members” Journal of Management Studies 1. No. 48 (2011): 75-98.
    [5] Mary B. Curtis, “Whistleblower mechanisms: A Study of the Perceptions of ‘Users’ and “Responders.” Dallas Chapter of the Institute of Internal Auditors, April 2006.
    [6] Bethany McLean and Joel Nocera, “All The Devils Are Here: The Hidden History of the Financial Crisis”, Portfolio/Penguin (2010) p. 190.
    [7] “The Great Hangover: 21 Tales of the New Recession from the Pages of Vanity Fair”, Harper Perennial (2010); See also The Financial Crisis Inquiry Report, Pgs. 200-201 (January 2011).
    [8] Id.
    [9] Moe Tkacik’s Page, “That AIG Story, For Readers Who Are Sick of AIG Already” (7/6/2009)
    [10] “The Great Hangover: 21 Tales of the New Recession from the Pages of Vanity Fair”, Harper Perennial (2010).
    [12] “Report of Anton R. Valukas, Examiner,” March 11, 2010, p. 21.
    [14] “The Financial Crisis Inquiry Report”, The Financial Crisis Report Commission, Pursuant to Public Law 111-21, January 2011
    [15] U.S. Securities and Exchange Commission, Office of Investigations, “Investigation of Failure of the SEC to Uncover Bernard Madoff’s Ponzi Scheme—Public Version,” Report No. OIG-509, August 2009, p. 250. See also H. Markopolos, No One Would Listen (Hoboken, NJ: John Wiley & Sons, 2010).