Whistle-bloWing: not child's play for internal auditors - Michael coWan
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Whistle-blowing: not child’s play for internal auditors MICHAEL COWAN The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position of Thomson Reuters.
About the author
Michael Cowan is a regulatory intelligence analyst in the Enterprise Risk Management division of
Thomson Reuters Accelus. He has 26 years’ experience and is a qualified internal auditor (CMIA). He
has worked in compliance roles at UK Asset Resolution, Cattles and the Financial Services Authority;
the views expressed are his own.
Michael Cowan
2 Whistle-blowing – noT child’s play for internal auditors MAY 2014CONTENTS
ENSURING FAIR PLAY FOR whistleblowers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
WHISTLE-BLOWING: DEFINITIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
INTERNAL AUDIT AND WHISTLE-BLOWING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
THE RISING TIDE OF WHISTLE-BLOWING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
REPORTING WRONGDOING AROUND
THE WORLD - WHISTLE-BLOWING ACROSS BORDERS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3 Whistle-blowing – noT child’s play for internal auditors MAY 2014Ensuring fair play for is that the case has not been investigated
whistleblowers thoroughly, further action by the whistleblower
The schoolyard is a funny place. Children may be taken with more senior managers
of different ages, races, creeds and colours; resulting in reprimands for the initial person who
different attitudes and approaches; different investigated/dealt with the disclosure. Of course
reactions to similar events. It really is the adult there are rules and regulations that protect the
world in miniature. In many ways the experiences identity of the informant and the way they are
that we face in our early years are a microcosm treated following the whistle-blowing incident,
of what later life has to throw at us. In fact, at least as far as they can.
when it comes to reacting to bad behaviour and
In the middle of this soup of accusations,
“blowing the whistle”, the adult world bears a
sometimes weak evidence, desire to do the
striking resemblance to schoolyard behaviour.
right thing and personal feelings, is the internal
In the school yard when something wrong auditor. Often held up as the bastion of good
happens, the immediate threat by the victim governance and fairness, the internal auditor
or another student is, “I’ll tell the teacher!”. is expected to ensure fair play and provide
Sometimes this is a hollow threat but sometimes assurance that the process allows for a correct
it is followed through, leading to an investigation conclusion that satisfies all parties.
of the facts, assessment of the credibility of So what are internal auditors expected to do
witnesses and then firm and decisive action. when presented with the thorny subject of
Then the repercussions begin. The “snitch” whistle-blowing in an organization? This report
might be subject to retribution by the attempts to provide a summary of policies
perpetrator. The informant may be looked upon and guidance that exist and to suggest some
as someone who is not to be trusted, with even practical tips for internal auditors.
the informant’s parents passing the message Whistle-blowing: Definitions
that it’s “not nice to tell tales”. The teacher will, In the United States, Securities and Exchange
however, be more aware of the perpetrator and Commission Rule 21F-2 (a) defines a
the informant, and this may include protecting whistleblower as “an individual who, alone or
the latter, as far as they can, from further jointly with others, provides information to the
retaliation. SEC relating to a possible violation of the federal
In the adult world there is whistle-blowing. In an securities laws that has occurred, is ongoing, or
organization, when wrongdoing is uncovered, is about to occur”.
employees are encouraged to report it internally In the UK, the Employment Rights Act 1996
or to an independent body. This is followed by identifies six outcomes that an employee should
an investigation of the facts, an assessment of consider have occurred, are occurring or are
the credibility of witnesses and then firm and likely to occur and identifies what disclosures
decisive action. Then the repercussions begin. should be covered.
The informant could be sacked or at least
From an internal audit perspective the UK
marginalized in his or her career. Colleagues
Chartered Institute of Auditors’ position paper
may refuse to trust them for fear of further
on whistle-blowing policy states that “Whistle-
disclosures. The informant’s manager may
blowing is when an employee, contractor or
reflect this in performance appraisals and bonus
supplier goes outside the normal management
rewards.
channels to report suspected wrongdoing at
Bullying may occur, not only to the informant but work.”
the person who is subject of, or dealing with, the
allegation. For example, where the perception
4 Whistle-blowing – noT child’s play for internal auditors MAY 2014“Appropriate whistle-blowing reviews needs to be carefully considered. When
procedures are in place and are undertaking a review of the whistle-blowing
expected to be utilized by employees policies and procedures, the standard auditing
without any reprisal, to support approach can be adopted. When investigating
specific whistle-blowing allegations, however,
effective compliance with the risk
especially if board members are implicated, the
management framework; the normal audit route may not be appropriate.
treatment of whistleblowers is clearly
articulated and followed in practice.” • Purpose, authority and responsibility (1000)
This standard states that the purpose, authority
and responsibility of the internal audit activity
Financial Stability Board, Guidance on
must be formally defined in an internal audit
Supervisory Interaction with Financial
charter. This also applies to whistle-blowing
Institutions on Risk Culture – A Framework
activity. The organization needs to be clear
for Assessing Risk Culture, April 2014. about the role internal audit will take in
whistle-blowing and in sufficient detail to be
Internal audit and whistle-blowing
aware of the methodology to be used. This
The importance of appropriate whistle-blowing
point is also linked to standards 2030-2040 on
policies and procedures to the effective
Policies and Procedures, which state that the
discharge of an organization’s corporate
chief audit executive must establish policies
governance is significant. Corporate governance
and procedures to guide the internal audit
is fundamental to effective risk and control
activity.
within organisations, which means that whistle-
blowing policies must be at the heart of internal • Proficiency and Due Professional Care (1200)
auditors’ responsibilities. and Resource Management (2030) These
two standards go to the conduct and skill of
As an independent assurance function, it is easy
the internal auditor. Standard 1200 states
for senior management to use internal audit as
that engagements must be performed with
a vehicle to manage all whistle-blowing traffic.
proficiency and due professional care and
This is not necessarily the right answer. The
Standard 2030 states that the chief audit
global standards that govern internal auditors
executive must ensure that internal audit
around the world touch on many of the reasons
resources are appropriate, sufficient and
why this is the case.
effectively deployed to achieve the approved
• Independence and objectivity (Standard 1100) plan. For small internal audit teams in
This states that internal audit activity must particular the nature of whistle-blowing
be independent and internal auditors must investigations and the level of seniority required
be objective in performing their work. From a to undertake them may stretch resources and
whistle-blowing point of view a commitment the ability to comply fully with this standard.
to “manage” the whistle-blowing process
• Quality Assurance and Improvement
in the organisation may compromise the
Programme (1300) This standard states that
independence of internal audit. To undertake
the chief audit executive must develop and
whistle-blowing investigations, for example,
maintain a quality assurance and improvement
might put internal audit in the role of line
programme that covers all aspects of the
management rather than as a vital part of the
internal audit activity. Appropriate review and
corporate governance of the organisation.
quality checks of activity concerning whistle-
•D
irect interaction with the board (1111) This blowing activity is a valuable safety net for
standard states that the chief audit executive appraising findings and recommendations,
must communicate and interact directly whether the review has covered all points and
with the board. This and other reporting what potential challenges might come from
requirements in the standards mean that the recipients.
reporting of the outputs of whistle-blowing
5 Whistle-blowing – noT child’s play for internal auditors MAY 2014• Planning (2010) This standard states that • reassuring potential whistleblowers;
the chief audit executive must establish a
• whistle-blowing to external bodies;
risk-based plan to determine the priorities of
the internal audit activity, consistent with the • commitment, clarity and tone from the top;
organisation’s goals. The effect that whistle- • access to independent advice;
blowing activity has on planning should not
• openness, confidentiality and anonymity;
be overlooked. Where individual cases are
being investigated, work may need to be • offering an alternative to line management;
undertaken promptly, and to tight deadlines. • structure.
Cases may arise at very short notice, requiring
inconvenient reallocation of resources. In Also in the UK, the Committee on Standards
worst-case scenarios the timing and perhaps in Public Life has recommended that good
volume of whistle-blowing cases may require whistle-blowing policies should:
amendments to be made to the annual audit • provide examples distinguishing whistle-
plan, especially for smaller internal audit blowing from grievances;
departments.
• give employees the option to raise a
Suggested approach for internal whistle-blowing concern outside of line
auditors management;
In the UK, the Chartered Institute of Internal
• provide access to an independent
Auditors (CIIA)’s position paper on whistle-
helpline offering confidential advice; offer
blowing policy, “Whistle-blowing and Corporate
employees a right to confidentiality when
Governance – the role of internal auditing in
raising their concern;
whistle-blowing”, which explains that boards
must be accountable for ensuring effective • explain when and how a concern may
whistle-blowing procedures are in place that safely be raised outside the organisation
guarantee confidentiality and anonymity and (e.g., with a regulator); and
avoid conflicts of interest. • provide that it is a disciplinary matter (a)
The position paper allows for two scenarios. to victimise a bona fide whistleblower, and
First, where internal audit is directly involved in (b) for someone to make a false allegation
the procedures for whistle-blowing, the board maliciously.
should ensure that there is an independent •C
orporate governance The Global
mechanism to provide assurance on the Standards (2110) state that the internal audit
effectiveness of those procedures, and secondly activity must assess and make appropriate
where internal audit is playing an indirect role, it recommendations for improving the
should provide assurance on the effectiveness of governance process in its accomplishment of
the system and procedures to the board. the following objectives:
In the discharge of these different approaches • promoting appropriate ethics and values
what could internal auditors do to ensure their within the organisation;
input is effective?
• ensuring effective organisational
Indirect involvement performance management and
• Have an appropriate policy Organizations accountability;
should have appropriate policies and
procedures for whistle-blowing. In its position • communicating risk and control
paper on whistle-blowing, the UK CIIA information to appropriate areas of the
identified the following areas as essential to an organisation; and
adequate whistle-blowing policy: • coordinating the activities of and
• addressing concerns and providing communicating information among the
feedback; board, external and internal auditors and
management.
6 Whistle-blowing – noT child’s play for internal auditors MAY 2014The relationship between whistle-blowing evidence in relation to each concern?
and the culture of an organization is crucial. A
• Have confidentiality issues been handled
healthy approach to whistle-blowing, whereby
effectively?
a firm can demonstrate (with evidence) that it
has effectively undertaken its duties, points to • Is there evidence of timely and constructive
an organization that has a healthy culture. It feedback?
is particularly important when considering the • Have any events come to the audit
reporting mechanisms within an organization committee’s or the board’s attention that
and whether these facilitate effective might indicate that a staff member has not
whistle-blowing. Such a culture will allow for been fairly treated as a result of their having
independent reporting of whistle-blowing raised concerns?
incidents, perhaps to a non-executive, whereas
• Is a review of staff awareness of the
a less developed or sophisticated cultural
procedures needed?
approach may restrict the whistleblower to
external routes such as hotlines. 2. U
se of management information Internal
auditors should ensure that the board and
Internal auditors need to assess how the
senior management get accurate and up-to-
corporate governance of an organization copes
date information on the volume and status
with whistleblowers to be able to determine
of whistle-blowing cases. The management
whether the appropriate culture has been
information should identify the reason
established.
for the event, the progress made with the
Whistle-blowing culture investigation, the issues that have been found
The areas that internal auditors may wish to and the progress made to rectify the issues.
cover here are:
3. C
ontractors and third parties In the United
1. The role of the board and audit committee States, the extension of Sarbanes-Oxley
The Institute of Chartered Accountants in to contractors poses a number of risks for
England and Wales has devised a list of organisations and internal auditors. For
questions that a good audit committee might example:
ask to sense-check their arrangements:
• Extending internal policies – Internal auditors
• Is there evidence that the board regularly need to make sure that contractors and
considers whistle-blowing procedures as part sub-contractors have equivalent inclusions in
of its review of the system of internal control? their policies or that an organization’s policies
• Are there issues or incidents which have can be applied to the contract firms to
otherwise come to the board’s attention afford those individuals the correct amount
which they would have expected to have of protection. This may not be an easy task
been raised earlier under the company’s as definitions within the judgment are still
whistle-blowing procedures? subject to interpretation.
• Where appropriate, has the internal audit • Contracts – Contractual relations and
function performed any work that provides processes will need to be reviewed to cater
additional assurance on the effectiveness of for the wider responsibilities.
the whistle-blowing procedures? • Disclosure – Appropriate disclosure
• Are there adequate procedures to track arrangements will need to be agreed so
the actions taken in relation to concerns that the whistleblower is protected but
raised and to ensure appropriate follow-up both organizations are still able to manage
action has been taken to investigate and, the process appropriately and deal with
if necessary, resolve problems indicated by subsequent issues.
whistle-blowing? • Grievance procedures – It is very important
• Are there adequate procedures for retaining to define what complaints would be handled
7 Whistle-blowing – noT child’s play for internal auditors MAY 2014by the grievance procedure and what would Direct involvement
afford the employee the protections under • Employ the appropriate skills and resources
the whistle-blowing provisions of the Act. Whistle-blowing investigations may require
• Legal processes – There may well be an experienced internal auditors to undertake
increase in whistle-blowing cases following detailed forensic testing or sensitive
the ruling and some may be erroneous. questioning of senior management. Heads
Further clarification of the detail of this ruling of internal audit should ensure that whistle-
will only come through further legal cases blowing investigations are allocated to
and it may be that organizations need to appropriate internal auditors. Where this is
reinforce legal resources in order to cater for not possible, heads of internal audit should
the potential increase in legal cases. consider undertaking the investigation
themselves or outsourcing it to a firm that has
4. Employee awareness It is important that the relevant skills.
internal audit gives an opinion on the
measures to train and make employees • Ensure security measures adequately protect
aware of the appropriate channels to invoke a the whistleblower It is incumbent on the
whistle-blowing request. It is fundamental to investigations team that information gained
an adequate whistle-blowing policy that those during the investigation is kept confidential and
who have reason to blow the whistle know stored securely where access can be restricted.
how to do so. Reporting a whistle-blowing Of course the anonymity of the whistleblower
incident may involve reporting concerns to is paramount (unless they waive their right)
a senior non-executive or to an independent and this will undoubtedly be included at some
external body. Clear communications point in the evidence retained, increasing the
demonstrate to the relevant regulator that need for confidentiality, and from the rest of the
organizations are engendering a healthy internal audit team as well.
attitude towards whistle-blowing that adds to • Adopt the correct auditing process A whistle-
the evidence that their culture is appropriate. blowing investigation may not fit with the
5. Involvement of other departments, e.g., normal audit methodology for undertaking
compliance or general counsel Of course, a routine internal audit. It is good practice
organisations may elect to delegate to have a separate process for undertaking
responsibility for investigating whistle- a whistle-blowing investigation. It helps to
blowing incidents to another department, keep a structure to what could be a rather
e.g., compliance or general counsel function. fluid task, ensures that all relevant milestones
In these cases internal audit need to be have been covered and should help with time
assured that the procedures for identifying, management and budget planning.
investigating, reporting and ensuring • Make sure creditability is retained during
actions are completed adequately, and are interviews As mentioned above, interviews
appropriate and robust. Essential to this is could be with senior management on
whether these departments are independent particularly sensitive subjects. It is important
enough and can thoroughly and promptly that the correct level of seniority is devoted to
investigate specific claims. The risk may these interviews from internal audit. At these
be that these departments do not have interviews, it is recommended that internal
the mandate to probe sensitive issues auditors discuss the issue at hand in a fluid
comprehensively and therefore do not provide way. It is unlikely that a checklist approach
either the whistleblower or the organization to interview techniques would garner the
with sufficient comfort that claims are being appropriate facts. As an alternative, it may be
treated seriously and will be acted on. useful to discuss the chronology of specific
events where possible, making a note of each
stage and seeking evidence of actions/events.
8 Whistle-blowing – noT child’s play for internal auditors MAY 2014• Retain evidence properly As well as The rising tide of whistle-blowing
keeping evidence secure, it is important that
comprehensive evidence is kept of key actions/ “Whistleblowers are becoming
decisions, etc. Files should be organized bolder, whether motivated through
logically and evidence of conclusions clearly conscience or fear.”
indicated. There is a good chance that these
files will be reviewed either by an external audit Dr Ian Peters, chief executive of the UK
or by regulators to make sure whistle-blowing Chartered Institute of Internal Auditors,
policies have been taken seriously. Foreword to “Whistle-blowing and
•E
nsure clarity during reporting The final report Corporate Governance”, January 2014.
should be circulated to the board initially and
then to appropriate senior management if felt With the heightened focus on whistle-blowing
necessary. The report may contain sensitive since before the financial crisis, the number
information, hence the two-stage reporting of cases around the world has increased. For
process. If one of the board is implicated, then example, the U.S. Securities and Exchange
a steer from the chairman, or the chair of the Commission reported that in the fiscal year
audit committee, should be taken about his/ 2013, 3,238 whistleblower requests were
her attendance at the meeting. Good protocol received, up by 8 percent from 3,001 in the
would be to address any specific issues with fiscal year 2012. The most common complaint
them prior to circulation of the report and allow categories reported by whistleblowers in 2013
their comment to be captured in the report. were corporate disclosures and financials (17.2
Again, if this is with a director or equivalent, the percent), followed by fraud (17.1 percent) and
chairman’s advice may be taken about whether manipulation (16.2 percent).
he needs to be included. Across the Atlantic, the UK Financial Conduct
•F
ormat of report The normal audit report Authority has seen a 38 percent rise in whistle-
may not be appropriate for a whistle-blowing blowing reports. Reports averaged around
investigation. A separate format may be 338 a month in the previous year, whereas the
devised to make reporting as clear and concise FCA has seen around 467 a month in the past
as possible. It may be useful to adopt a format year. Sixty percent of cases were about general
that allows the internal auditor to present regulatory concerns, four reports concerned
the facts chronologically and then draw the alleged misappropriation of client money,
conclusions from that. 23 insider trading, 21 market manipulation and
25 cases related to money laundering. The
•G
uard against overlap with the HR grievance FCA said that it had opened 72 percent more
process An organization’s whistle-blowing investigations during 2013 based on information
policy should manage the boundaries between from whistleblowers than its predecessor in the
a true attempt to blow the whistle and a previous 12 months.
grievance between colleagues or between an
employee and the company. At times, these This level of activity will no doubt continue.
issues can become intertwined, but whereas There is a growing link between whistle-blowing
one is subject to whistle-blowing protocols, the and conduct risk. As regulators around the
other is dealt with by HR policy. A clear steer world clarify and progress their conduct and
should be given about how each is dealt with cultural messages, a positive practical approach
and, where issues cross boundaries, what is to to whistle-blowing in a firm will be taken as a
be done and by whom. strong indicator that all is well with the culture,
whereas poor practices may well not only be
seen as an indicator of poor culture but might
also lead to greater regulatory scrutiny.
9 Whistle-blowing – noT child’s play for internal auditors MAY 2014This will focus more attention on the role of internal audit. The increase in numbers may well be
partly attributable to internal audit’s more intense involvement in the whistle-blowing process
(although this is difficult to prove with the information available at time of writing). Internal auditors
need to assess the risk that whistle-blowing poses to their firm and their function and select an
approach that best offsets that risk. In a survey undertaken by the UK CIIA, 41 percent of respondents
reported that internal audit had day-to-day responsibility for whistle-blowing arrangements, but only
two-thirds of respondents believed their arrangements to be effective.
And a final word about schoolyard behavior: As children mature and leave juvenile behaviour behind,
there is a good chance that they will turn into intelligent, reasonable, well-rounded adults. It is
to be hoped that this is also true in business life (in particular the financial services industry) and
that conduct and culture within organizations improve so much that the need for whistle-blowing
declines.
Reporting wrongdoing around the world - whistle-blowing across borders
A further consideration for inclusion in a policy is the accommodation of whistle-blowing cases from
different jurisdictions (i.e., cross-border). As many countries have their own whistle-blowing laws
and regulations and in this ever-globalised world, it looks more and more likely that whistle-blowing
cases will start to originate from other countries. This may lead to confusion as to what rights the
whistleblower has and the process that needs to be invoked (among other things). It is important
that an organization’s whistle-blowing policy clarifies these points. For example, in the United States,
the Commodity Futures Trading Commission (CFTC)’s whistleblower rules establish a procedure
for whistleblowers to report any violations of the Commodity Exchange Act. The impact of this
requirement may trigger a “cross-border” issue when it relates to a foreign market participant.
There has been significant focus on whistle-blowing in many jurisdictions around the world because
of its importance to good governance within organisations. A summary of the status of a selection of
different countries’ approaches is included below:
EUROPE ASIA
In China, a 24-hour corruption hotline reporting system has been
Only four European Union countries
established, and encompasses many government entities including
have legal frameworks for whistleblower
the Public Security Bureau, the State Administration for Industry and
protection that are considered to be
Commerce and various court and prosecution departments.
advanced.
AMERICA AUSTRALIA
In March 2014, the U.S. Supreme In Australia, there are
Court ruled that the whistle- whistleblower protections
blowing provisions in the in a number of pieces of
Sarbanes-Oxley Act of 2002 legislation, but the degree
should be expanded to employees to which they are used is
of private contractors and sub- unclear.
contractors of public companies.
AFRICA
The South African government has indicated its support for the
concept of whistle-blowing and has acknowledged the need to
offer legal protection to whistle blowers with the introduction of
the Protected Disclosures Act, called the Whistleblowers Act.
10 Whistle-blowing – noT child’s play for internal auditors MAY 2014Europe arrangements were ineffective. Fifty-four
In November 2013 a Transparency International percent said they did not train key members
report on the state of whistle-blowing in of staff designated to receive concerns. Forty-
European countries concluded that only four percent confused personal complaints
four European Union countries had legal with whistle-blowing and in 10 percent of cases
frameworks for whistleblower protection that respondents said their arrangements were not
were considered to be advanced: Luxembourg, clearly endorsed by senior management.
Romania, Slovenia and the United Kingdom. Of In March 2014, the National Audit Office
the other 23 EU countries, 16 have partial legal (NAO) issued its report on the state of whistle-
protections for employees who come forward blowing in UK government departments. It
to report wrongdoing. The remaining seven reported that more could be done to improve
countries have either very limited or no legal the whistle-blowing arrangements. The NAO’s
frameworks. Several EU countries in recent years main findings were that there was no strategic
have taken steps to strengthen whistleblower cross-government lead for whistle-blowing;
rights, including Austria, Belgium, Denmark, that internal “checks and balances” could be
France, Hungary, Italy, Luxembourg, Malta, better exploited; and that some systems were
Romania and Slovenia. Countries that have more mature than others when collecting,
issued proposals or have announced plans for coordinating and disseminating intelligence.
proposed laws include Finland, Greece, Ireland,
the Netherlands and Slovakia.
“You only have to look at my
UK committee’s work on everything
In the UK, employment protections for from GP out-of-hours services
internal whistle-blowing are contained in the to tax avoidance to see how vital
Employment Rights Act 1996 (as amended by whistleblowers are to protecting
the Public Interest Disclosure Act 1998) (PIDA).
taxpayers’ money. It is extremely
This Act covers nearly all employees in the
government, private and non-profit sectors. The
worrying therefore that half of workers
law also legally protects contractors, trainees
stay silent about misconduct, possibly
and UK workers based overseas. The provisions because they fear what will happen if
introduced by the Public Interest Disclosure Act they speak out. Government must do
1998 protect most workers from being subjected more to support those workers that try
to a detriment by their employer. Detriment to protect taxpayers’ money.”
may take a number of forms, such as denial of
promotion, facilities or training opportunities A statement from Rt Hon Margaret Hodge,
which the employer would otherwise have chair of the Committee on Public Accounts,
offered. Employees who are protected by the UK, March 2014
provisions may make a claim for unfair dismissal
if they are dismissed for making a protected In financial services, the Financial Conduct
disclosure. Authority’s whistle-blowing requirements are
In the 1990s the whistle-blowing charity Public set out in Chapter 18 of the Senior Management
Concern at Work (PCW) was established and Arrangements, Systems and Controls
it has been at the forefront of developments sourcebook of the FCA Handbook. These
in whistle-blowing in the UK ever since. In encourage firms to adopt appropriate internal
November 2013 Public Concern at Work procedures that will guide staff to blow the
(together with EY) undertook a comprehensive whistle internally about matters that are relevant
survey of UK whistle-blowing policies. The survey to the functions of the FCA. SYSC 18.2.2 provides
found that 93 percent of respondents said they guidance on the types of internal procedures
had formal whistle-blowing arrangements in that may be appropriate for larger firms as well
place but a third thought their whistle-blowing as smaller firms.
11 Whistle-blowing – noT child’s play for internal auditors MAY 2014In October 2013 the FCA provided its response Exchange Act. Section 806 also creates a cause
to the Parliamentary Commission on Banking of action in favour of persons who have been
Standards. The commission, in its report on subjected to retaliation.
standards of behaviour in the banking industry,
In addition s 301 of Sarbanes-Oxley requires
concluded that not only did internal compliance
audit committees of firms that issue securities
and formal control structures fail to uphold
listed in the U.S. to adopt procedures for
proper banking standards, but that a culture of
handling complaints about a company’s
fear prevented employees from speaking out
financial reporting, especially anonymous or
about serious wrongdoing. The FCA agreed
confidential complaints.
with the commission recommendations and
has undertaken to consult, in 2014, on whether Under Sarbanes-Oxley if a firm employs a third
additional rules are needed to set minimum party e.g. an accountancy firm to investigate a
standards for whistle-blowing and how whistle-blowing incident the firm must report
prescriptive these should be. This consultation this to the SEC.
will include the proposal that a member of a Post the financial crisis, s 922 of the Dodd-Frank
firm’s senior management is made personally Wall Street Reform and Consumer Protection
accountable for whistle-blowing procedures. Act included provisions amending s 21F of the
Securities Exchange Act of 1934 to introduce
“Formal whistle-blowing practices financial incentives and related protections for
play an important role in creating whistleblowers who report individuals or firms
this culture but should not be a who violate U.S. federal securities laws.
first port of call. If staff have a good The Securities and Exchange Commission’s
understanding of conduct standards, whistleblower rules came into effect on August
and feel secure about speaking out, 12, 2011. The SEC will pay an award to eligible
they will inform senior management whistleblowers who voluntarily provide the
when they see malpractice occurring, Commission with original information about a
through both informal and formal violation of the U.S. securities laws that leads to
channels.” a successful enforcement action, examples of
successful enforcement actions and incentives to
From the FCA’s response to the use internal compliance mechanisms.
Parliamentary Committee on Banking In March 2014, the U.S. Supreme Court
Standards, UK, October 2013. ruled that the whistle-blowing provisions in
the Sarbanes-Oxley Act of 2002 should be
United States expanded to employees of private contractors
The United States has had whistle-blowing laws and sub-contractors of public companies. This
since as long ago as the 1800s. More recently means that those employees will be protected
whistleblowers appeared in the Sarbanes-Oxley by the whistleblower provisions contained in
Act of 2002, primarily in s 806. This makes the Act. This potentially includes lawyers and
it unlawful for corporate issuers and various accountants of a firm but the actual defined
persons who work for them or do business with scope includes those “whose performance will
them, to retaliate against persons reporting take place over a significant period of time”.
violations of the U.S. securities laws or other It will, however, only be possible to raise a
U.S. laws prohibiting corporate fraud. Section complaint arising from the contractor’s “fulfilling
806 applies to companies that have a class of its role as contractor for the public company, not
securities registered under s 12 of the Securities the contractor in some other capacity”.
Exchange Act of 1934, as amended, or that
are required to file reports under s 15(d) of the
12 Whistle-blowing – noT child’s play for internal auditors MAY 2014“The new whistleblower program 30, 2013, the Commission announced
is a part of our effort to enhance it had approved payouts to each of the
the agency’s capacity to detect and three whistleblowers in connection with
prevent fraud. The proposed final money that had been collected in a related
criminal proceeding.
rules build upon our efforts over the
past two years and our experience
with the Sarbanes-Oxley Act — an Act Case 3 - In October 2013, the SEC
that made great strides in creating announced an award of more than
whistleblower protections and $14 million to a whistleblower whose
requiring internal reporting systems information led to an SEC enforcement
action that recovered substantial investor
at public companies. From that
funds.
experience, we learned that despite
Sarbanes-Oxley, too many people In addition most U.S. federal and state
remain silent in the face of fraud. government entities have mechanisms for
Today’s rules are intended to break reporting fraud and abuse, and some provide
the silence of those who see a wrong.” awards for whistleblowers. These range from
New York State’s False Claims Act, which
Mary L Schapiro, chairman, U.S. Securities provides whistleblower awards similar to awards
and Exchange Commission, opening offered under the U.S. False Claims Act; to the
statement at SEC open meeting, May 2011. New York State Office of the Attorney General’s
General, Immigration Fraud, Healthcare
and Medicaid Fraud hotlines; to the U.S.
Case 1 - On August 21, 2012, the SEC Environmental Protection Agency’s Fraud,
announced its first whistleblower award. Waste, and Abuse Hotline; to the Montgomery
In that instance, the whistleblower County, Pennsylvania, Controller’s Office’s Fraud
helped the Commission stop a multi- & Abuse Tipline.
million dollar fraud. The whistleblower
provided documents and other significant
“During the year, the Office paid
information that allowed the investigation
to move at an accelerated pace and prevent
whistleblowers a total of over
the fraud from ensnaring additional victims.
$14 million in recognition of their
During Fiscal Year 2013, the Commission contributions to the success of
made three more payments to this enforcement actions pursuant to
whistleblower in connection with additional which ongoing frauds were stopped
amounts that had been collected by the in their tracks. While the amounts
Commission in the underlying enforcement paid are significant, the bigger story
action. is the untold numbers of current
and future investors who were
Case 2 - On June 12, 2013, the SEC shielded from harm thanks to the
announced it had issued an award to information and cooperation provided
three whistleblowers who helped the by whistleblowers. At the end of the
Commission shut down a sham hedge day, protecting investors is what
fund. Two of the whistleblowers provided the whistleblower programme is all
information that prompted the Commission about.”
to open the investigation and stop the
scheme before more investors were Foreword to the 2013 Annual Report to
harmed. The third whistleblower provided Congress on the Dodd- Frank Whistleblower
independent corroborating information Programme, Sean X McKessy, chief, Office of
and identified key witnesses. On August
the Whistleblower.
13 Whistle-blowing – noT child’s play for internal auditors MAY 2014Australia China
In Australia, there are also whistleblower In China a 24-hour corruption hotline reporting
protections in a number of pieces of legislation, system has been established, and encompasses
for example, the Banking Act 1959 (Cth), the many government entities including the Public
Insurance Act 1973 (Cth), the Life Insurance Act Security Bureau, the State Administration for
1995 (Cth) and the Superannuation Industry Industry and Commerce and various court and
(Supervision) Act 1993 (Cth). prosecution departments. The Administrative
In 2004, Part 9.4AAA of the Corporations Supervision Law and the Chinese Communist
Act 2001 was introduced after a report by the Party (CCP) Internal Supervision Rules set
Australian Prudential Regulation Authority out rules for whistle-blowing. Specifically, the
(APRA). It included detailed whistle-blowing Ministry of Supervision is the authority charged
provisions that required an officer, employee with investigating governmental officials’
or contractor to be a protected whistleblower compliance with the relevant anti-corruption
provided that: rules. The Disciplinary Commission is an
internal agency of the CCP that supervises and
• pre-disclosure identification is given; investigates CCP members’ compliance with the
• reasonable grounds for suspecting breaches of anti-corruption rules.
the Corporations Act, or the relevant court rules South Africa
are established; “The South African government has introduced
• the allegations are made in good faith; and the Protected Disclosures Act, also called
the Whistleblowers Act. The Act states that
• disclosures are made to the Australian
employees can report unlawful or irregular
Securities and Investments Commission (ASIC),
conduct by employers and fellow employees,
the company’s auditors, a director, secretary or
while receiving protection from “occupational
senior manager or a nominated person.
detriment” by employers when making certain
A protected whistleblower will have protection “protected disclosures”.
against retaliation, defamation or any other civil
Section 159 (Protection for whistle blowers;
or criminal liability for making the allegation.
item 7) also states: “A public company and
A protected allegation must be handled in a
state-owned company must directly or indirectly
certain way. It can be passed on to ASIC, APRA
1) establish and maintain a system to receive
or the Australian Federal Police without the
disclosures (contemplated in this section)
whistleblower’s consent, but only to someone
confidentially, and act on them; and 2) routinely
else with consent.
publicize the availability of that system to
Although whistleblower protections exist in the categories of persons contemplated (in
Australia, the degree to which they are used is subsection 4).”
unclear. For example, the Australian Securities
and Investments Commission and the Reserve
Bank of Australia have been criticized for how
they deal with whistleblowers and conducting
timely investigations on the back of allegations.
Case 4 – Securency – In Australia whistle-
blowing allegations led to charges being
brought against two subsidiaries of the
Reserve Bank of Australia, NPA and
Securency, as well as six former banknote
executives, regarding the payment of bribes
to foreign officials to win banknote supply
contracts.
14 Whistle-blowing – noT child’s play for internal auditors MAY 2014THOMSON REUTERS ACCELUS™
The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set
of solutions designed to empower audit, risk and compliance professionals, business leaders, and the
Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity.
Thomson Reuters Accelus connects business transactions, strategy and operations to the ever-
changing regulatory environment, enabling firms to manage business risk. A comprehensive
platform supported by a range of applications and trusted regulatory and risk intelligence data,
Accelus brings together market-leading solutions for governance, risk and compliance management,
global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence,
training and e-learning, and board of director and disclosure services.
Thomson Reuters has been named as a category leader in the Chartis RiskTech Quadrant™ For
Operational Risk Management Systems, category leader in the Chartis RiskTech Quadrant™ for
Enterprise Governance, Risk and Compliance Systems and has been positioned by Gartner, Inc. in its
Leaders Quadrant of the “Enterprise Governance, Risk and Compliance Platforms Magic Quadrant.”
Thomson Reuters was also named as Operational Risk Software Provider of the Year Award in the
Operational Risk and Regulation Awards 2013.
For more information, visit accelus.thomsonreuters.com
© 2014 Thomson Reuters GRC01137/5-14You can also read
