A little over a month ago, the SEC adopted its Final Rules regarding the Dodd-Frank whistleblower program.
The Rules have generated a firestorm of controversy, as evidenced by the attention given to the new Rules in the media and some intense online sparring between high-profile bloggers sitting on different sides of the issue.
The feedback we're hearing from executives surrounds the SEC's ruling giving whistleblowers the option of going straight to the SEC, rather than first to the company and then to the SEC, with reports of any alleged corporate wrong-doing. Executives are concerned that their companies will be falsely accused by disgruntled employees, yet have to spend time, effort, and money proving the company's innocence. Another concern: problems that do exist -- but are being properly addressed by the company, unbeknownst to the whistleblower -- will be reported.
In light of the SEC's decision, executives and board members should review their companies' internal controls over financial reporting, especially the entity-level controls that deal with whistleblower policies and procedures. This review will include evaluating design, operational effectiveness, and control risk around whistleblower controls.
The internal audit committee in particular needs to get objective feedback to answer questions such as:
- How does the company demonstrate that it has zero tolerance for fraud and inappropriate activities, across all employee levels?
- Are all employees aware of the company's whistleblower procedures? If not, what improvements in training and education can be made?
- Do employees feel that they would be retaliated against if they reported possible wrong-doing to an internal whistleblower hotline? If yes, what steps must the company take to create an environment where employees will be motivated to go to the company first, before the SEC, with their concerns?
- Does the company have whistleblower policies in place for foreign subsidiaries, that are consistent with SEC regulations?
Reviewing the design and operational effectiveness of entity-level controls - especially those around whistleblower policies - are a first step in helping innocent companies protect themselves against frivolous or malicious reports to the SEC and giving companies with problems a chance to clean up their act before the SEC gets involved.