Whistle-blowing: not child’s play for internal auditors
Michael Cowan

The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position of Thomson Reuters.
About the author

Michael Cowan is a regulatory intelligence analyst in the Enterprise Risk Management division of Thomson Reuters Accelus. He has 26 years’ experience and is a qualified internal auditor (CMIA). He has worked in compliance roles at UK Asset Resolution, Cattles and the Financial Services Authority; the views expressed are his own.

Whistle-blowing – not child’s play for internal auditors, May 2014
Contents

Ensuring fair play for whistleblowers
Whistle-blowing: definitions
Internal audit and whistle-blowing
The rising tide of whistle-blowing
Reporting wrongdoing around the world - whistle-blowing across borders
Ensuring fair play for whistleblowers

The schoolyard is a funny place. Children of different ages, races, creeds and colours; different attitudes and approaches; different reactions to similar events. It really is the adult world in miniature. In many ways the experiences that we face in our early years are a microcosm of what later life has to throw at us. In fact, when it comes to reacting to bad behaviour and “blowing the whistle”, the adult world bears a striking resemblance to schoolyard behaviour.

In the school yard when something wrong happens, the immediate threat by the victim or another student is, “I’ll tell the teacher!”. Sometimes this is a hollow threat but sometimes it is followed through, leading to an investigation of the facts, assessment of the credibility of witnesses and then firm and decisive action. Then the repercussions begin. The “snitch” might be subject to retribution by the perpetrator. The informant may be looked upon as someone who is not to be trusted, with even the informant’s parents passing the message that it’s “not nice to tell tales”. The teacher will, however, be more aware of the perpetrator and the informant, and this may include protecting the latter, as far as they can, from further retaliation.

In the adult world there is whistle-blowing. In an organization, when wrongdoing is uncovered, employees are encouraged to report it internally or to an independent body. This is followed by an investigation of the facts, an assessment of the credibility of witnesses and then firm and decisive action. Then the repercussions begin. The informant could be sacked or at least marginalized in his or her career. Colleagues may refuse to trust them for fear of further disclosures. The informant’s manager may reflect this in performance appraisals and bonus rewards.

Bullying may occur, not only to the informant but the person who is subject of, or dealing with, the allegation. For example, where the perception is that the case has not been investigated thoroughly, further action by the whistleblower may be taken with more senior managers resulting in reprimands for the initial person who investigated/dealt with the disclosure. Of course there are rules and regulations that protect the identity of the informant and the way they are treated following the whistle-blowing incident, at least as far as they can.

In the middle of this soup of accusations, sometimes weak evidence, desire to do the right thing and personal feelings, is the internal auditor. Often held up as the bastion of good governance and fairness, the internal auditor is expected to ensure fair play and provide assurance that the process allows for a correct conclusion that satisfies all parties.

So what are internal auditors expected to do when presented with the thorny subject of whistle-blowing in an organization? This report attempts to provide a summary of policies and guidance that exist and to suggest some practical tips for internal auditors.

Whistle-blowing: Definitions

In the United States, Securities and Exchange Commission Rule 21F-2 (a) defines a whistleblower as “an individual who, alone or jointly with others, provides information to the SEC relating to a possible violation of the federal securities laws that has occurred, is ongoing, or is about to occur”.

In the UK, the Employment Rights Act 1996 identifies six outcomes that an employee should consider have occurred, are occurring or are likely to occur and identifies what disclosures should be covered.

From an internal audit perspective the UK Chartered Institute of Auditors’ position paper on whistle-blowing policy states that “Whistle-blowing is when an employee, contractor or supplier goes outside the normal management channels to report suspected wrongdoing at work.”
“Appropriate whistle-blowing procedures are in place and are expected to be utilized by employees without any reprisal, to support effective compliance with the risk management framework; the treatment of whistleblowers is clearly articulated and followed in practice.”

Financial Stability Board, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture – A Framework for Assessing Risk Culture, April 2014.

Internal audit and whistle-blowing

The importance of appropriate whistle-blowing policies and procedures to the effective discharge of an organization’s corporate governance is significant. Corporate governance is fundamental to effective risk and control within organisations, which means that whistle-blowing policies must be at the heart of internal auditors’ responsibilities.

As an independent assurance function, it is easy for senior management to use internal audit as a vehicle to manage all whistle-blowing traffic. This is not necessarily the right answer. The global standards that govern internal auditors around the world touch on many of the reasons why this is the case.

• Independence and objectivity (Standard 1100): This states that internal audit activity must be independent and internal auditors must be objective in performing their work. From a whistle-blowing point of view a commitment to “manage” the whistle-blowing process in the organisation may compromise the independence of internal audit. To undertake whistle-blowing investigations, for example, might put internal audit in the role of line management rather than as a vital part of the corporate governance of the organisation.

• Direct interaction with the board (1111): This standard states that the chief audit executive must communicate and interact directly with the board. This and other reporting requirements in the standards mean that the reporting of the outputs of whistle-blowing reviews needs to be carefully considered. When undertaking a review of the whistle-blowing policies and procedures, the standard auditing approach can be adopted. When investigating specific whistle-blowing allegations, however, especially if board members are implicated, the normal audit route may not be appropriate.

• Purpose, authority and responsibility (1000): This standard states that the purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter. This also applies to whistle-blowing activity. The organization needs to be clear about the role internal audit will take in whistle-blowing and in sufficient detail to be aware of the methodology to be used. This point is also linked to standards 2030-2040 on Policies and Procedures, which state that the chief audit executive must establish policies and procedures to guide the internal audit activity.

• Proficiency and Due Professional Care (1200) and Resource Management (2030): These two standards go to the conduct and skill of the internal auditor. Standard 1200 states that engagements must be performed with proficiency and due professional care and Standard 2030 states that the chief audit executive must ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan. For small internal audit teams in particular the nature of whistle-blowing investigations and the level of seniority required to undertake them may stretch resources and the ability to comply fully with this standard.

• Quality Assurance and Improvement Programme (1300): This standard states that the chief audit executive must develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity. Appropriate review and quality checks of activity concerning whistle-blowing activity is a valuable safety net for appraising findings and recommendations, whether the review has covered all points and what potential challenges might come from recipients.
• Planning (2010): This standard states that the chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals. The effect that whistle-blowing activity has on planning should not be overlooked. Where individual cases are being investigated, work may need to be undertaken promptly, and to tight deadlines. Cases may arise at very short notice, requiring inconvenient reallocation of resources. In worst-case scenarios the timing and perhaps volume of whistle-blowing cases may require amendments to be made to the annual audit plan, especially for smaller internal audit departments.

Suggested approach for internal auditors

In the UK, the Chartered Institute of Internal Auditors (CIIA)’s position paper on whistle-blowing policy, “Whistle-blowing and Corporate Governance – the role of internal auditing in whistle-blowing”, explains that boards must be accountable for ensuring effective whistle-blowing procedures are in place that guarantee confidentiality and anonymity and avoid conflicts of interest.

The position paper allows for two scenarios. First, where internal audit is directly involved in the procedures for whistle-blowing, the board should ensure that there is an independent mechanism to provide assurance on the effectiveness of those procedures, and secondly where internal audit is playing an indirect role, it should provide assurance on the effectiveness of the system and procedures to the board.

In the discharge of these different approaches what could internal auditors do to ensure their input is effective?

Indirect involvement

• Have an appropriate policy: Organizations should have appropriate policies and procedures for whistle-blowing. In its position paper on whistle-blowing, the UK CIIA identified the following areas as essential to an adequate whistle-blowing policy:
  • addressing concerns and providing feedback;
  • reassuring potential whistleblowers;
  • whistle-blowing to external bodies;
  • commitment, clarity and tone from the top;
  • access to independent advice;
  • openness, confidentiality and anonymity;
  • offering an alternative to line management;
  • structure.

Also in the UK, the Committee on Standards in Public Life has recommended that good whistle-blowing policies should:
  • provide examples distinguishing whistle-blowing from grievances;
  • give employees the option to raise a whistle-blowing concern outside of line management;
  • provide access to an independent helpline offering confidential advice; offer employees a right to confidentiality when raising their concern;
  • explain when and how a concern may safely be raised outside the organisation (e.g., with a regulator); and
  • provide that it is a disciplinary matter (a) to victimise a bona fide whistleblower, and (b) for someone to make a false allegation maliciously.

• Corporate governance: The Global Standards (2110) state that the internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
  • promoting appropriate ethics and values within the organisation;
  • ensuring effective organisational performance management and accountability;
  • communicating risk and control information to appropriate areas of the organisation; and
  • coordinating the activities of and communicating information among the board, external and internal auditors and management.
The relationship between whistle-blowing and the culture of an organization is crucial. A healthy approach to whistle-blowing, whereby a firm can demonstrate (with evidence) that it has effectively undertaken its duties, points to an organization that has a healthy culture. It is particularly important when considering the reporting mechanisms within an organization and whether these facilitate effective whistle-blowing. Such a culture will allow for independent reporting of whistle-blowing incidents, perhaps to a non-executive, whereas a less developed or sophisticated cultural approach may restrict the whistleblower to external routes such as hotlines.

Internal auditors need to assess how the corporate governance of an organization copes with whistleblowers to be able to determine whether the appropriate culture has been established.

Whistle-blowing culture

The areas that internal auditors may wish to cover here are:

1. The role of the board and audit committee: The Institute of Chartered Accountants in England and Wales has devised a list of questions that a good audit committee might ask to sense-check their arrangements:
  • Is there evidence that the board regularly considers whistle-blowing procedures as part of its review of the system of internal control?
  • Are there issues or incidents which have otherwise come to the board’s attention which they would have expected to have been raised earlier under the company’s whistle-blowing procedures?
  • Where appropriate, has the internal audit function performed any work that provides additional assurance on the effectiveness of the whistle-blowing procedures?
  • Are there adequate procedures to track the actions taken in relation to concerns raised and to ensure appropriate follow-up action has been taken to investigate and, if necessary, resolve problems indicated by whistle-blowing?
  • Are there adequate procedures for retaining evidence in relation to each concern?
  • Have confidentiality issues been handled effectively?
  • Is there evidence of timely and constructive feedback?
  • Have any events come to the audit committee’s or the board’s attention that might indicate that a staff member has not been fairly treated as a result of their having raised concerns?
  • Is a review of staff awareness of the procedures needed?

2. Use of management information: Internal auditors should ensure that the board and senior management get accurate and up-to-date information on the volume and status of whistle-blowing cases. The management information should identify the reason for the event, the progress made with the investigation, the issues that have been found and the progress made to rectify the issues.

3. Contractors and third parties: In the United States, the extension of Sarbanes-Oxley to contractors poses a number of risks for organisations and internal auditors. For example:
  • Extending internal policies – Internal auditors need to make sure that contractors and sub-contractors have equivalent inclusions in their policies or that an organization’s policies can be applied to the contract firms to afford those individuals the correct amount of protection. This may not be an easy task as definitions within the judgment are still subject to interpretation.
  • Contracts – Contractual relations and processes will need to be reviewed to cater for the wider responsibilities.
  • Disclosure – Appropriate disclosure arrangements will need to be agreed so that the whistleblower is protected but both organizations are still able to manage the process appropriately and deal with subsequent issues.
  • Grievance procedures – It is very important to define what complaints would be handled by the grievance procedure and what would afford the employee the protections under the whistle-blowing provisions of the Act.
  • Legal processes – There may well be an increase in whistle-blowing cases following the ruling and some may be erroneous. Further clarification of the detail of this ruling will only come through further legal cases and it may be that organizations need to reinforce legal resources in order to cater for the potential increase in legal cases.

4. Employee awareness: It is important that internal audit gives an opinion on the measures to train and make employees aware of the appropriate channels to invoke a whistle-blowing request. It is fundamental to an adequate whistle-blowing policy that those who have reason to blow the whistle know how to do so. Reporting a whistle-blowing incident may involve reporting concerns to a senior non-executive or to an independent external body. Clear communications demonstrate to the relevant regulator that organizations are engendering a healthy attitude towards whistle-blowing that adds to the evidence that their culture is appropriate.

5. Involvement of other departments, e.g., compliance or general counsel: Of course, organisations may elect to delegate responsibility for investigating whistle-blowing incidents to another department, e.g., compliance or general counsel function. In these cases internal audit need to be assured that the procedures for identifying, investigating, reporting and ensuring actions are completed adequately, and are appropriate and robust. Essential to this is whether these departments are independent enough and can thoroughly and promptly investigate specific claims. The risk may be that these departments do not have the mandate to probe sensitive issues comprehensively and therefore do not provide either the whistleblower or the organization with sufficient comfort that claims are being treated seriously and will be acted on.

Direct involvement

• Employ the appropriate skills and resources: Whistle-blowing investigations may require experienced internal auditors to undertake detailed forensic testing or sensitive questioning of senior management. Heads of internal audit should ensure that whistle-blowing investigations are allocated to appropriate internal auditors. Where this is not possible, heads of internal audit should consider undertaking the investigation themselves or outsourcing it to a firm that has the relevant skills.

• Ensure security measures adequately protect the whistleblower: It is incumbent on the investigations team that information gained during the investigation is kept confidential and stored securely where access can be restricted. Of course the anonymity of the whistleblower is paramount (unless they waive their right) and this will undoubtedly be included at some point in the evidence retained, increasing the need for confidentiality, and from the rest of the internal audit team as well.

• Adopt the correct auditing process: A whistle-blowing investigation may not fit with the normal audit methodology for undertaking a routine internal audit. It is good practice to have a separate process for undertaking a whistle-blowing investigation. It helps to keep a structure to what could be a rather fluid task, ensures that all relevant milestones have been covered and should help with time management and budget planning.

• Make sure credibility is retained during interviews: As mentioned above, interviews could be with senior management on particularly sensitive subjects. It is important that the correct level of seniority is devoted to these interviews from internal audit. At these interviews, it is recommended that internal auditors discuss the issue at hand in a fluid way. It is unlikely that a checklist approach to interview techniques would garner the appropriate facts. As an alternative, it may be useful to discuss the chronology of specific events where possible, making a note of each stage and seeking evidence of actions/events.
• Retain evidence properly: As well as keeping evidence secure, it is important that comprehensive evidence is kept of key actions/decisions, etc. Files should be organized logically and evidence of conclusions clearly indicated. There is a good chance that these files will be reviewed either by an external audit or by regulators to make sure whistle-blowing policies have been taken seriously.

• Ensure clarity during reporting: The final report should be circulated to the board initially and then to appropriate senior management if felt necessary. The report may contain sensitive information, hence the two-stage reporting process. If one of the board is implicated, then a steer from the chairman, or the chair of the audit committee, should be taken about his/her attendance at the meeting. Good protocol would be to address any specific issues with them prior to circulation of the report and allow their comment to be captured in the report. Again, if this is with a director or equivalent, the chairman’s advice may be taken about whether he needs to be included.

• Format of report: The normal audit report may not be appropriate for a whistle-blowing investigation. A separate format may be devised to make reporting as clear and concise as possible. It may be useful to adopt a format that allows the internal auditor to present the facts chronologically and then draw conclusions from that.

• Guard against overlap with the HR grievance process: An organization’s whistle-blowing policy should manage the boundaries between a true attempt to blow the whistle and a grievance between colleagues or between an employee and the company. At times, these issues can become intertwined, but whereas one is subject to whistle-blowing protocols, the other is dealt with by HR policy. A clear steer should be given about how each is dealt with and, where issues cross boundaries, what is to be done and by whom.

The rising tide of whistle-blowing

“Whistleblowers are becoming bolder, whether motivated through conscience or fear.”

Dr Ian Peters, chief executive of the UK Chartered Institute of Internal Auditors, Foreword to “Whistle-blowing and Corporate Governance”, January 2014.

With the heightened focus on whistle-blowing since before the financial crisis, the number of cases around the world has increased. For example, the U.S. Securities and Exchange Commission reported that in the fiscal year 2013, 3,238 whistleblower requests were received, up by 8 percent from 3,001 in the fiscal year 2012. The most common complaint categories reported by whistleblowers in 2013 were corporate disclosures and financials (17.2 percent), followed by fraud (17.1 percent) and manipulation (16.2 percent).

Across the Atlantic, the UK Financial Conduct Authority has seen a 38 percent rise in whistle-blowing reports. Reports averaged around 338 a month in the previous year, whereas the FCA has seen around 467 a month in the past year. Sixty percent of cases were about general regulatory concerns, four reports concerned the alleged misappropriation of client money, 23 insider trading, 21 market manipulation and 25 cases related to money laundering. The FCA said that it had opened 72 percent more investigations during 2013 based on information from whistleblowers than its predecessor in the previous 12 months.

This level of activity will no doubt continue. There is a growing link between whistle-blowing and conduct risk. As regulators around the world clarify and progress their conduct and cultural messages, a positive practical approach to whistle-blowing in a firm will be taken as a strong indicator that all is well with the culture, whereas poor practices may well not only be seen as an indicator of poor culture but might also lead to greater regulatory scrutiny.
This will focus more attention on the role of internal audit. The increase in numbers may well be partly attributable to internal audit’s more intense involvement in the whistle-blowing process (although this is difficult to prove with the information available at time of writing). Internal auditors need to assess the risk that whistle-blowing poses to their firm and their function and select an approach that best offsets that risk. In a survey undertaken by the UK CIIA, 41 percent of respondents reported that internal audit had day-to-day responsibility for whistle-blowing arrangements, but only two-thirds of respondents believed their arrangements to be effective.

And a final word about schoolyard behavior: As children mature and leave juvenile behaviour behind, there is a good chance that they will turn into intelligent, reasonable, well-rounded adults. It is to be hoped that this is also true in business life (in particular the financial services industry) and that conduct and culture within organizations improve so much that the need for whistle-blowing declines.

Reporting wrongdoing around the world - whistle-blowing across borders

A further consideration for inclusion in a policy is the accommodation of whistle-blowing cases from different jurisdictions (i.e., cross-border). As many countries have their own whistle-blowing laws and regulations and in this ever-globalised world, it looks more and more likely that whistle-blowing cases will start to originate from other countries. This may lead to confusion as to what rights the whistleblower has and the process that needs to be invoked (among other things). It is important that an organization’s whistle-blowing policy clarifies these points.

For example, in the United States, the Commodity Futures Trading Commission (CFTC)’s whistleblower rules establish a procedure for whistleblowers to report any violations of the Commodity Exchange Act. The impact of this requirement may trigger a “cross-border” issue when it relates to a foreign market participant.

There has been significant focus on whistle-blowing in many jurisdictions around the world because of its importance to good governance within organisations. A summary of the status of a selection of different countries’ approaches is included below:

EUROPE: Only four European Union countries have legal frameworks for whistleblower protection that are considered to be advanced.

ASIA: In China, a 24-hour corruption hotline reporting system has been established, and encompasses many government entities including the Public Security Bureau, the State Administration for Industry and Commerce and various court and prosecution departments.

AMERICA: In March 2014, the U.S. Supreme Court ruled that the whistle-blowing provisions in the Sarbanes-Oxley Act of 2002 should be expanded to employees of private contractors and sub-contractors of public companies.

AUSTRALIA: In Australia, there are whistleblower protections in a number of pieces of legislation, but the degree to which they are used is unclear.

AFRICA: The South African government has indicated its support for the concept of whistle-blowing and has acknowledged the need to offer legal protection to whistle blowers with the introduction of the Protected Disclosures Act, called the Whistleblowers Act.
Europe

In November 2013 a Transparency International report on the state of whistle-blowing in European countries concluded that only four European Union countries had legal frameworks for whistleblower protection that were considered to be advanced: Luxembourg, Romania, Slovenia and the United Kingdom. Of the other 23 EU countries, 16 have partial legal protections for employees who come forward to report wrongdoing. The remaining seven countries have either very limited or no legal frameworks. Several EU countries in recent years have taken steps to strengthen whistleblower rights, including Austria, Belgium, Denmark, France, Hungary, Italy, Luxembourg, Malta, Romania and Slovenia. Countries that have issued proposals or have announced plans for proposed laws include Finland, Greece, Ireland, the Netherlands and Slovakia.

UK

In the UK, employment protections for internal whistle-blowing are contained in the Employment Rights Act 1996 (as amended by the Public Interest Disclosure Act 1998) (PIDA). This Act covers nearly all employees in the government, private and non-profit sectors. The law also legally protects contractors, trainees and UK workers based overseas. The provisions introduced by the Public Interest Disclosure Act 1998 protect most workers from being subjected to a detriment by their employer. Detriment may take a number of forms, such as denial of promotion, facilities or training opportunities which the employer would otherwise have offered. Employees who are protected by the provisions may make a claim for unfair dismissal if they are dismissed for making a protected disclosure.

In the 1990s the whistle-blowing charity Public Concern at Work (PCW) was established and it has been at the forefront of developments in whistle-blowing in the UK ever since. In November 2013 Public Concern at Work (together with EY) undertook a comprehensive survey of UK whistle-blowing policies. The survey found that 93 percent of respondents said they had formal whistle-blowing arrangements in place but a third thought their whistle-blowing arrangements were ineffective. Fifty-four percent said they did not train key members of staff designated to receive concerns. Forty-four percent confused personal complaints with whistle-blowing and in 10 percent of cases respondents said their arrangements were not clearly endorsed by senior management.

In March 2014, the National Audit Office (NAO) issued its report on the state of whistle-blowing in UK government departments. It reported that more could be done to improve the whistle-blowing arrangements. The NAO’s main findings were that there was no strategic cross-government lead for whistle-blowing; that internal “checks and balances” could be better exploited; and that some systems were more mature than others when collecting, coordinating and disseminating intelligence.

“You only have to look at my committee’s work on everything from GP out-of-hours services to tax avoidance to see how vital whistleblowers are to protecting taxpayers’ money. It is extremely worrying therefore that half of workers stay silent about misconduct, possibly because they fear what will happen if they speak out. Government must do more to support those workers that try to protect taxpayers’ money.”

A statement from Rt Hon Margaret Hodge, chair of the Committee on Public Accounts, UK, March 2014

In financial services, the Financial Conduct Authority’s whistle-blowing requirements are set out in Chapter 18 of the Senior Management Arrangements, Systems and Controls sourcebook of the FCA Handbook. These encourage firms to adopt appropriate internal procedures that will guide staff to blow the whistle internally about matters that are relevant to the functions of the FCA. SYSC 18.2.2 provides guidance on the types of internal procedures that may be appropriate for larger firms as well as smaller firms.
In October 2013 the FCA provided its response to the Parliamentary Commission on Banking Standards. The commission, in its report on standards of behaviour in the banking industry, concluded that not only did internal compliance and formal control structures fail to uphold proper banking standards, but that a culture of fear prevented employees from speaking out about serious wrongdoing. The FCA agreed with the commission recommendations and has undertaken to consult, in 2014, on whether additional rules are needed to set minimum standards for whistle-blowing and how prescriptive these should be. This consultation will include the proposal that a member of a firm’s senior management is made personally accountable for whistle-blowing procedures.

“Formal whistle-blowing practices play an important role in creating this culture but should not be a first port of call. If staff have a good understanding of conduct standards, and feel secure about speaking out, they will inform senior management when they see malpractice occurring, through both informal and formal channels.”

From the FCA’s response to the Parliamentary Committee on Banking Standards, UK, October 2013.

United States

The United States has had whistle-blowing laws since as long ago as the 1800s. More recently whistleblowers appeared in the Sarbanes-Oxley Act of 2002, primarily in s 806. This makes it unlawful for corporate issuers and various persons who work for them or do business with them, to retaliate against persons reporting violations of the U.S. securities laws or other U.S. laws prohibiting corporate fraud. Section 806 applies to companies that have a class of securities registered under s 12 of the Securities Exchange Act of 1934, as amended, or that are required to file reports under s 15(d) of the Exchange Act. Section 806 also creates a cause of action in favour of persons who have been subjected to retaliation.

In addition s 301 of Sarbanes-Oxley requires audit committees of firms that issue securities listed in the U.S. to adopt procedures for handling complaints about a company’s financial reporting, especially anonymous or confidential complaints.

Under Sarbanes-Oxley if a firm employs a third party e.g. an accountancy firm to investigate a whistle-blowing incident the firm must report this to the SEC.

Post the financial crisis, s 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act included provisions amending s 21F of the Securities Exchange Act of 1934 to introduce financial incentives and related protections for whistleblowers who report individuals or firms who violate U.S. federal securities laws.

The Securities and Exchange Commission’s whistleblower rules came into effect on August 12, 2011. The SEC will pay an award to eligible whistleblowers who voluntarily provide the Commission with original information about a violation of the U.S. securities laws that leads to a successful enforcement action, examples of successful enforcement actions and incentives to use internal compliance mechanisms.

In March 2014, the U.S. Supreme Court ruled that the whistle-blowing provisions in the Sarbanes-Oxley Act of 2002 should be expanded to employees of private contractors and sub-contractors of public companies. This means that those employees will be protected by the whistleblower provisions contained in the Act. This potentially includes lawyers and accountants of a firm but the actual defined scope includes those “whose performance will take place over a significant period of time”. It will, however, only be possible to raise a complaint arising from the contractor’s “fulfilling its role as contractor for the public company, not the contractor in some other capacity”.
“The new whistleblower program is a part of our effort to enhance the agency’s capacity to detect and prevent fraud. The proposed final rules build upon our efforts over the past two years and our experience with the Sarbanes-Oxley Act — an Act that made great strides in creating whistleblower protections and requiring internal reporting systems at public companies. From that experience, we learned that despite Sarbanes-Oxley, too many people remain silent in the face of fraud. Today’s rules are intended to break the silence of those who see a wrong.”

Mary L Schapiro, chairman, U.S. Securities and Exchange Commission, opening statement at SEC open meeting, May 2011.

Case 1 - On August 21, 2012, the SEC announced its first whistleblower award. In that instance, the whistleblower helped the Commission stop a multi-million dollar fraud. The whistleblower provided documents and other significant information that allowed the investigation to move at an accelerated pace and prevent the fraud from ensnaring additional victims. During Fiscal Year 2013, the Commission made three more payments to this whistleblower in connection with additional amounts that had been collected by the Commission in the underlying enforcement action.

Case 2 - On June 12, 2013, the SEC announced it had issued an award to three whistleblowers who helped the Commission shut down a sham hedge fund. Two of the whistleblowers provided information that prompted the Commission to open the investigation and stop the scheme before more investors were harmed. The third whistleblower provided independent corroborating information and identified key witnesses. On August 30, 2013, the Commission announced it had approved payouts to each of the three whistleblowers in connection with money that had been collected in a related criminal proceeding.

Case 3 - In October 2013, the SEC announced an award of more than $14 million to a whistleblower whose information led to an SEC enforcement action that recovered substantial investor funds.

In addition most U.S. federal and state government entities have mechanisms for reporting fraud and abuse, and some provide awards for whistleblowers. These range from New York State’s False Claims Act, which provides whistleblower awards similar to awards offered under the U.S. False Claims Act; to the New York State Office of the Attorney General’s General, Immigration Fraud, Healthcare and Medicaid Fraud hotlines; to the U.S. Environmental Protection Agency’s Fraud, Waste, and Abuse Hotline; to the Montgomery County, Pennsylvania, Controller’s Office’s Fraud & Abuse Tipline.

“During the year, the Office paid whistleblowers a total of over $14 million in recognition of their contributions to the success of enforcement actions pursuant to which ongoing frauds were stopped in their tracks. While the amounts paid are significant, the bigger story is the untold numbers of current and future investors who were shielded from harm thanks to the information and cooperation provided by whistleblowers. At the end of the day, protecting investors is what the whistleblower programme is all about.”

Foreword to the 2013 Annual Report to Congress on the Dodd-Frank Whistleblower Programme, Sean X McKessy, chief, Office of the Whistleblower.
Australia

In Australia, there are also whistleblower protections in a number of pieces of legislation, for example, the Banking Act 1959 (Cth), the Insurance Act 1973 (Cth), the Life Insurance Act 1995 (Cth) and the Superannuation Industry (Supervision) Act 1993 (Cth).

In 2004, Part 9.4AAA of the Corporations Act 2001 was introduced after a report by the Australian Prudential Regulation Authority (APRA). It included detailed whistle-blowing provisions that required an officer, employee or contractor to be a protected whistleblower provided that:

• pre-disclosure identification is given;
• reasonable grounds for suspecting breaches of the Corporations Act, or the relevant court rules are established;
• the allegations are made in good faith; and
• disclosures are made to the Australian Securities and Investments Commission (ASIC), the company’s auditors, a director, secretary or senior manager or a nominated person.

A protected whistleblower will have protection against retaliation, defamation or any other civil or criminal liability for making the allegation. A protected allegation must be handled in a certain way. It can be passed on to ASIC, APRA or the Australian Federal Police without the whistleblower’s consent, but only to someone else with consent.

Although whistleblower protections exist in Australia, the degree to which they are used is unclear. For example, the Australian Securities and Investments Commission and the Reserve Bank of Australia have been criticized for how they deal with whistleblowers and conducting timely investigations on the back of allegations.

Case 4 – Securency – In Australia whistle-blowing allegations led to charges being brought against two subsidiaries of the Reserve Bank of Australia, NPA and Securency, as well as six former banknote executives, regarding the payment of bribes to foreign officials to win banknote supply contracts.

China

In China a 24-hour corruption hotline reporting system has been established, and encompasses many government entities including the Public Security Bureau, the State Administration for Industry and Commerce and various court and prosecution departments. The Administrative Supervision Law and the Chinese Communist Party (CCP) Internal Supervision Rules set out rules for whistle-blowing. Specifically, the Ministry of Supervision is the authority charged with investigating governmental officials’ compliance with the relevant anti-corruption rules. The Disciplinary Commission is an internal agency of the CCP that supervises and investigates CCP members’ compliance with the anti-corruption rules.

South Africa

“The South African government has introduced the Protected Disclosures Act, also called the Whistleblowers Act. The Act states that employees can report unlawful or irregular conduct by employers and fellow employees, while receiving protection from “occupational detriment” by employers when making certain “protected disclosures”.

Section 159 (Protection for whistle blowers; item 7) also states: “A public company and a state-owned company must directly or indirectly 1) establish and maintain a system to receive disclosures (contemplated in this section) confidentially, and act on them; and 2) routinely publicize the availability of that system to the categories of persons contemplated (in subsection 4).”
© 2014 Thomson Reuters GRC01137/5-14