Whistle-bloWing: not child's play for internal auditors - Michael coWan

Page created by Bob Caldwell
 
CONTINUE READING
Whistle-blowing:
not child’s play for
internal auditors
MICHAEL COWAN

The views and opinions expressed in this paper are those of the author and do not
necessarily reflect the official policy or position of Thomson Reuters.
About the author
          Michael Cowan is a regulatory intelligence analyst in the Enterprise Risk Management division of
          Thomson Reuters Accelus. He has 26 years’ experience and is a qualified internal auditor (CMIA). He
          has worked in compliance roles at UK Asset Resolution, Cattles and the Financial Services Authority;
          the views expressed are his own.
          Michael Cowan

2   Whistle-blowing – noT child’s play for internal auditors                                                     MAY 2014
CONTENTS
                      ENSURING FAIR PLAY FOR whistleblowers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

                      WHISTLE-BLOWING: DEFINITIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

                      INTERNAL AUDIT AND WHISTLE-BLOWING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

                      THE RISING TIDE OF WHISTLE-BLOWING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

                      REPORTING WRONGDOING AROUND
                      THE WORLD - WHISTLE-BLOWING ACROSS BORDERS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3   Whistle-blowing – noT child’s play for internal auditors                                                                                            MAY 2014
Ensuring fair play for                                  is that the case has not been investigated
          whistleblowers                                          thoroughly, further action by the whistleblower
          The schoolyard is a funny place. Children               may be taken with more senior managers
          of different ages, races, creeds and colours;           resulting in reprimands for the initial person who
          different attitudes and approaches; different           investigated/dealt with the disclosure. Of course
          reactions to similar events. It really is the adult     there are rules and regulations that protect the
          world in miniature. In many ways the experiences        identity of the informant and the way they are
          that we face in our early years are a microcosm         treated following the whistle-blowing incident,
          of what later life has to throw at us. In fact,         at least as far as they can.
          when it comes to reacting to bad behaviour and
                                                                  In the middle of this soup of accusations,
          “blowing the whistle”, the adult world bears a
                                                                  sometimes weak evidence, desire to do the
          striking resemblance to schoolyard behaviour.
                                                                  right thing and personal feelings, is the internal
          In the school yard when something wrong                 auditor. Often held up as the bastion of good
          happens, the immediate threat by the victim             governance and fairness, the internal auditor
          or another student is, “I’ll tell the teacher!”.        is expected to ensure fair play and provide
          Sometimes this is a hollow threat but sometimes         assurance that the process allows for a correct
          it is followed through, leading to an investigation     conclusion that satisfies all parties.
          of the facts, assessment of the credibility of          So what are internal auditors expected to do
          witnesses and then firm and decisive action.            when presented with the thorny subject of
          Then the repercussions begin. The “snitch”              whistle-blowing in an organization? This report
          might be subject to retribution by the                  attempts to provide a summary of policies
          perpetrator. The informant may be looked upon           and guidance that exist and to suggest some
          as someone who is not to be trusted, with even          practical tips for internal auditors.
          the informant’s parents passing the message             Whistle-blowing: Definitions
          that it’s “not nice to tell tales”. The teacher will,   In the United States, Securities and Exchange
          however, be more aware of the perpetrator and           Commission Rule 21F-2 (a) defines a
          the informant, and this may include protecting          whistleblower as “an individual who, alone or
          the latter, as far as they can, from further            jointly with others, provides information to the
          retaliation.                                            SEC relating to a possible violation of the federal
          In the adult world there is whistle-blowing. In an      securities laws that has occurred, is ongoing, or
          organization, when wrongdoing is uncovered,             is about to occur”.
          employees are encouraged to report it internally        In the UK, the Employment Rights Act 1996
          or to an independent body. This is followed by          identifies six outcomes that an employee should
          an investigation of the facts, an assessment of         consider have occurred, are occurring or are
          the credibility of witnesses and then firm and          likely to occur and identifies what disclosures
          decisive action. Then the repercussions begin.          should be covered.
          The informant could be sacked or at least
                                                                  From an internal audit perspective the UK
          marginalized in his or her career. Colleagues
                                                                  Chartered Institute of Auditors’ position paper
          may refuse to trust them for fear of further
                                                                  on whistle-blowing policy states that “Whistle-
          disclosures. The informant’s manager may
                                                                  blowing is when an employee, contractor or
          reflect this in performance appraisals and bonus
                                                                  supplier goes outside the normal management
          rewards.
                                                                  channels to report suspected wrongdoing at
          Bullying may occur, not only to the informant but       work.”
          the person who is subject of, or dealing with, the
          allegation. For example, where the perception

4   Whistle-blowing – noT child’s play for internal auditors                                                            MAY 2014
“Appropriate whistle-blowing                         reviews needs to be carefully considered. When
          procedures are in place and are                      undertaking a review of the whistle-blowing
          expected to be utilized by employees                 policies and procedures, the standard auditing
          without any reprisal, to support                     approach can be adopted. When investigating
                                                               specific whistle-blowing allegations, however,
          effective compliance with the risk
                                                               especially if board members are implicated, the
          management framework; the                            normal audit route may not be appropriate.
          treatment of whistleblowers is clearly
          articulated and followed in practice.”              • Purpose, authority and responsibility (1000)
                                                                 This standard states that the purpose, authority
                                                                 and responsibility of the internal audit activity
          Financial Stability Board, Guidance on
                                                                 must be formally defined in an internal audit
          Supervisory Interaction with Financial
                                                                 charter. This also applies to whistle-blowing
          Institutions on Risk Culture – A Framework
                                                                 activity. The organization needs to be clear
          for Assessing Risk Culture, April 2014.                about the role internal audit will take in
                                                                 whistle-blowing and in sufficient detail to be
          Internal audit and whistle-blowing
                                                                 aware of the methodology to be used. This
          The importance of appropriate whistle-blowing
                                                                 point is also linked to standards 2030-2040 on
          policies and procedures to the effective
                                                                 Policies and Procedures, which state that the
          discharge of an organization’s corporate
                                                                 chief audit executive must establish policies
          governance is significant. Corporate governance
                                                                 and procedures to guide the internal audit
          is fundamental to effective risk and control
                                                                 activity.
          within organisations, which means that whistle-
          blowing policies must be at the heart of internal   • Proficiency and Due Professional Care (1200)
          auditors’ responsibilities.                            and Resource Management (2030) These
                                                                 two standards go to the conduct and skill of
          As an independent assurance function, it is easy
                                                                 the internal auditor. Standard 1200 states
          for senior management to use internal audit as
                                                                 that engagements must be performed with
          a vehicle to manage all whistle-blowing traffic.
                                                                 proficiency and due professional care and
          This is not necessarily the right answer. The
                                                                 Standard 2030 states that the chief audit
          global standards that govern internal auditors
                                                                 executive must ensure that internal audit
          around the world touch on many of the reasons
                                                                 resources are appropriate, sufficient and
          why this is the case.
                                                                 effectively deployed to achieve the approved
          • Independence and objectivity (Standard 1100)        plan. For small internal audit teams in
             This states that internal audit activity must       particular the nature of whistle-blowing
             be independent and internal auditors must           investigations and the level of seniority required
             be objective in performing their work. From a       to undertake them may stretch resources and
            whistle-blowing point of view a commitment           the ability to comply fully with this standard.
            to “manage” the whistle-blowing process
                                                              • Quality Assurance and Improvement
            in the organisation may compromise the
                                                                 Programme (1300) This standard states that
            independence of internal audit. To undertake
                                                                 the chief audit executive must develop and
            whistle-blowing investigations, for example,
                                                                 maintain a quality assurance and improvement
            might put internal audit in the role of line
                                                                 programme that covers all aspects of the
            management rather than as a vital part of the
                                                                 internal audit activity. Appropriate review and
            corporate governance of the organisation.
                                                                 quality checks of activity concerning whistle-
          •D
            irect interaction with the board (1111) This        blowing activity is a valuable safety net for
           standard states that the chief audit executive        appraising findings and recommendations,
           must communicate and interact directly                whether the review has covered all points and
           with the board. This and other reporting              what potential challenges might come from
           requirements in the standards mean that the           recipients.
           reporting of the outputs of whistle-blowing

5   Whistle-blowing – noT child’s play for internal auditors                                                          MAY 2014
• Planning (2010) This standard states that               • reassuring potential whistleblowers;
            the chief audit executive must establish a
                                                                     • whistle-blowing to external bodies;
            risk-based plan to determine the priorities of
            the internal audit activity, consistent with the         • commitment, clarity and tone from the top;
            organisation’s goals. The effect that whistle-           • access to independent advice;
            blowing activity has on planning should not
                                                                     • openness, confidentiality and anonymity;
            be overlooked. Where individual cases are
            being investigated, work may need to be                  • offering an alternative to line management;
            undertaken promptly, and to tight deadlines.             • structure.
            Cases may arise at very short notice, requiring
            inconvenient reallocation of resources. In               Also in the UK, the Committee on Standards
            worst-case scenarios the timing and perhaps              in Public Life has recommended that good
            volume of whistle-blowing cases may require              whistle-blowing policies should:
            amendments to be made to the annual audit                • provide examples distinguishing whistle-
            plan, especially for smaller internal audit                 blowing from grievances;
            departments.
                                                                     • give employees the option to raise a
          Suggested approach for internal                               whistle-blowing concern outside of line
          auditors                                                      management;
          In the UK, the Chartered Institute of Internal
                                                                     • provide access to an independent
          Auditors (CIIA)’s position paper on whistle-
                                                                        helpline offering confidential advice; offer
          blowing policy, “Whistle-blowing and Corporate
                                                                        employees a right to confidentiality when
          Governance – the role of internal auditing in
                                                                        raising their concern;
          whistle-blowing”, which explains that boards
          must be accountable for ensuring effective                 • explain when and how a concern may
          whistle-blowing procedures are in place that                  safely be raised outside the organisation
          guarantee confidentiality and anonymity and                   (e.g., with a regulator); and
          avoid conflicts of interest.                               • provide that it is a disciplinary matter (a)
          The position paper allows for two scenarios.                  to victimise a bona fide whistleblower, and
          First, where internal audit is directly involved in           (b) for someone to make a false allegation
          the procedures for whistle-blowing, the board                 maliciously.
          should ensure that there is an independent             •C
                                                                   orporate governance The Global
          mechanism to provide assurance on the                   Standards (2110) state that the internal audit
          effectiveness of those procedures, and secondly         activity must assess and make appropriate
          where internal audit is playing an indirect role, it    recommendations for improving the
          should provide assurance on the effectiveness of        governance process in its accomplishment of
          the system and procedures to the board.                 the following objectives:
          In the discharge of these different approaches             • promoting appropriate ethics and values
          what could internal auditors do to ensure their               within the organisation;
          input is effective?
                                                                     • ensuring effective organisational
          Indirect involvement                                          performance management and
          • Have an appropriate policy Organizations                   accountability;
             should have appropriate policies and
             procedures for whistle-blowing. In its position         • communicating risk and control
             paper on whistle-blowing, the UK CIIA                      information to appropriate areas of the
            identified the following areas as essential to an           organisation; and
            adequate whistle-blowing policy:                         • coordinating the activities of and
              • addressing concerns and providing                      communicating information among the
                 feedback;                                              board, external and internal auditors and
                                                                        management.
6   Whistle-blowing – noT child’s play for internal auditors                                                           MAY 2014
The relationship between whistle-blowing                   evidence in relation to each concern?
          and the culture of an organization is crucial. A
                                                                    • Have confidentiality issues been handled
          healthy approach to whistle-blowing, whereby
                                                                       effectively?
          a firm can demonstrate (with evidence) that it
          has effectively undertaken its duties, points to          • Is there evidence of timely and constructive
          an organization that has a healthy culture. It               feedback?
          is particularly important when considering the            • Have any events come to the audit
          reporting mechanisms within an organization                  committee’s or the board’s attention that
          and whether these facilitate effective                       might indicate that a staff member has not
          whistle-blowing. Such a culture will allow for               been fairly treated as a result of their having
          independent reporting of whistle-blowing                     raised concerns?
          incidents, perhaps to a non-executive, whereas
                                                                    • Is a review of staff awareness of the
          a less developed or sophisticated cultural
                                                                       procedures needed?
          approach may restrict the whistleblower to
          external routes such as hotlines.                       2. U
                                                                      se of management information Internal
                                                                     auditors should ensure that the board and
          Internal auditors need to assess how the
                                                                     senior management get accurate and up-to-
          corporate governance of an organization copes
                                                                     date information on the volume and status
          with whistleblowers to be able to determine
                                                                     of whistle-blowing cases. The management
          whether the appropriate culture has been
                                                                     information should identify the reason
          established.
                                                                     for the event, the progress made with the
          Whistle-blowing culture                                    investigation, the issues that have been found
          The areas that internal auditors may wish to               and the progress made to rectify the issues.
          cover here are:
                                                                  3. C
                                                                      ontractors and third parties In the United
          1. The role of the board and audit committee              States, the extension of Sarbanes-Oxley
              The Institute of Chartered Accountants in              to contractors poses a number of risks for
              England and Wales has devised a list of                organisations and internal auditors. For
              questions that a good audit committee might            example:
              ask to sense-check their arrangements:
                                                                    • Extending internal policies – Internal auditors
            • Is there evidence that the board regularly              need to make sure that contractors and
               considers whistle-blowing procedures as part            sub-contractors have equivalent inclusions in
               of its review of the system of internal control?        their policies or that an organization’s policies
            • Are there issues or incidents which have                can be applied to the contract firms to
               otherwise come to the board’s attention                 afford those individuals the correct amount
               which they would have expected to have                  of protection. This may not be an easy task
               been raised earlier under the company’s                 as definitions within the judgment are still
               whistle-blowing procedures?                             subject to interpretation.

            • Where appropriate, has the internal audit            • Contracts – Contractual relations and
               function performed any work that provides               processes will need to be reviewed to cater
               additional assurance on the effectiveness of            for the wider responsibilities.
               the whistle-blowing procedures?                      • Disclosure – Appropriate disclosure
            • Are there adequate procedures to track                  arrangements will need to be agreed so
               the actions taken in relation to concerns               that the whistleblower is protected but
               raised and to ensure appropriate follow-up              both organizations are still able to manage
               action has been taken to investigate and,               the process appropriately and deal with
               if necessary, resolve problems indicated by             subsequent issues.
               whistle-blowing?                                     • Grievance procedures – It is very important
            • Are there adequate procedures for retaining             to define what complaints would be handled

7   Whistle-blowing – noT child’s play for internal auditors                                                               MAY 2014
by the grievance procedure and what would              Direct involvement
             afford the employee the protections under              • Employ the appropriate skills and resources
             the whistle-blowing provisions of the Act.                Whistle-blowing investigations may require
            • Legal processes – There may well be an                  experienced internal auditors to undertake
               increase in whistle-blowing cases following             detailed forensic testing or sensitive
               the ruling and some may be erroneous.                   questioning of senior management. Heads
               Further clarification of the detail of this ruling      of internal audit should ensure that whistle-
               will only come through further legal cases              blowing investigations are allocated to
               and it may be that organizations need to                appropriate internal auditors. Where this is
               reinforce legal resources in order to cater for         not possible, heads of internal audit should
               the potential increase in legal cases.                  consider undertaking the investigation
                                                                       themselves or outsourcing it to a firm that has
          4. Employee awareness It is important that                 the relevant skills.
             internal audit gives an opinion on the
             measures to train and make employees                   • Ensure security measures adequately protect
             aware of the appropriate channels to invoke a             the whistleblower It is incumbent on the
             whistle-blowing request. It is fundamental to             investigations team that information gained
             an adequate whistle-blowing policy that those             during the investigation is kept confidential and
             who have reason to blow the whistle know                  stored securely where access can be restricted.
             how to do so. Reporting a whistle-blowing                 Of course the anonymity of the whistleblower
             incident may involve reporting concerns to                is paramount (unless they waive their right)
             a senior non-executive or to an independent               and this will undoubtedly be included at some
             external body. Clear communications                       point in the evidence retained, increasing the
             demonstrate to the relevant regulator that                need for confidentiality, and from the rest of the
             organizations are engendering a healthy                   internal audit team as well.
             attitude towards whistle-blowing that adds to          • Adopt the correct auditing process A whistle-
             the evidence that their culture is appropriate.           blowing investigation may not fit with the
          5. Involvement of other departments, e.g.,                  normal audit methodology for undertaking
              compliance or general counsel Of course,                 a routine internal audit. It is good practice
              organisations may elect to delegate                      to have a separate process for undertaking
              responsibility for investigating whistle-                a whistle-blowing investigation. It helps to
              blowing incidents to another department,                 keep a structure to what could be a rather
              e.g., compliance or general counsel function.            fluid task, ensures that all relevant milestones
              In these cases internal audit need to be                 have been covered and should help with time
              assured that the procedures for identifying,             management and budget planning.
              investigating, reporting and ensuring                 • Make sure creditability is retained during
              actions are completed adequately, and are                interviews As mentioned above, interviews
              appropriate and robust. Essential to this is             could be with senior management on
              whether these departments are independent                particularly sensitive subjects. It is important
              enough and can thoroughly and promptly                   that the correct level of seniority is devoted to
              investigate specific claims. The risk may                these interviews from internal audit. At these
              be that these departments do not have                    interviews, it is recommended that internal
              the mandate to probe sensitive issues                    auditors discuss the issue at hand in a fluid
              comprehensively and therefore do not provide             way. It is unlikely that a checklist approach
              either the whistleblower or the organization             to interview techniques would garner the
              with sufficient comfort that claims are being            appropriate facts. As an alternative, it may be
              treated seriously and will be acted on.                  useful to discuss the chronology of specific
                                                                       events where possible, making a note of each
                                                                       stage and seeking evidence of actions/events.

8   Whistle-blowing – noT child’s play for internal auditors                                                                MAY 2014
• Retain evidence properly As well as                  The rising tide of whistle-blowing
             keeping evidence secure, it is important that
             comprehensive evidence is kept of key actions/       “Whistleblowers are becoming
             decisions, etc. Files should be organized            bolder, whether motivated through
             logically and evidence of conclusions clearly        conscience or fear.”
             indicated. There is a good chance that these
            files will be reviewed either by an external audit    Dr Ian Peters, chief executive of the UK
            or by regulators to make sure whistle-blowing         Chartered Institute of Internal Auditors,
            policies have been taken seriously.                   Foreword to “Whistle-blowing and
          •E
            nsure clarity during reporting The final report      Corporate Governance”, January 2014.
           should be circulated to the board initially and
           then to appropriate senior management if felt          With the heightened focus on whistle-blowing
           necessary. The report may contain sensitive            since before the financial crisis, the number
           information, hence the two-stage reporting             of cases around the world has increased. For
           process. If one of the board is implicated, then       example, the U.S. Securities and Exchange
           a steer from the chairman, or the chair of the         Commission reported that in the fiscal year
           audit committee, should be taken about his/            2013, 3,238 whistleblower requests were
           her attendance at the meeting. Good protocol           received, up by 8 percent from 3,001 in the
           would be to address any specific issues with           fiscal year 2012. The most common complaint
           them prior to circulation of the report and allow      categories reported by whistleblowers in 2013
           their comment to be captured in the report.            were corporate disclosures and financials (17.2
           Again, if this is with a director or equivalent, the   percent), followed by fraud (17.1 percent) and
           chairman’s advice may be taken about whether           manipulation (16.2 percent).
           he needs to be included.                               Across the Atlantic, the UK Financial Conduct
          •F
            ormat of report The normal audit report              Authority has seen a 38 percent rise in whistle-
           may not be appropriate for a whistle-blowing           blowing reports. Reports averaged around
           investigation. A separate format may be                338 a month in the previous year, whereas the
           devised to make reporting as clear and concise         FCA has seen around 467 a month in the past
           as possible. It may be useful to adopt a format        year. Sixty percent of cases were about general
           that allows the internal auditor to present            regulatory concerns, four reports concerned
           the facts chronologically and then draw                the alleged misappropriation of client money,
           conclusions from that.                                 23 insider trading, 21 market manipulation and
                                                                  25 cases related to money laundering. The
          •G
            uard against overlap with the HR grievance           FCA said that it had opened 72 percent more
           process An organization’s whistle-blowing              investigations during 2013 based on information
           policy should manage the boundaries between            from whistleblowers than its predecessor in the
           a true attempt to blow the whistle and a               previous 12 months.
           grievance between colleagues or between an
           employee and the company. At times, these              This level of activity will no doubt continue.
           issues can become intertwined, but whereas             There is a growing link between whistle-blowing
           one is subject to whistle-blowing protocols, the       and conduct risk. As regulators around the
           other is dealt with by HR policy. A clear steer        world clarify and progress their conduct and
           should be given about how each is dealt with           cultural messages, a positive practical approach
           and, where issues cross boundaries, what is to         to whistle-blowing in a firm will be taken as a
           be done and by whom.                                   strong indicator that all is well with the culture,
                                                                  whereas poor practices may well not only be
                                                                  seen as an indicator of poor culture but might
                                                                  also lead to greater regulatory scrutiny.

9   Whistle-blowing – noT child’s play for internal auditors                                                            MAY 2014
This will focus more attention on the role of internal audit. The increase in numbers may well be
          partly attributable to internal audit’s more intense involvement in the whistle-blowing process
          (although this is difficult to prove with the information available at time of writing). Internal auditors
          need to assess the risk that whistle-blowing poses to their firm and their function and select an
          approach that best offsets that risk. In a survey undertaken by the UK CIIA, 41 percent of respondents
          reported that internal audit had day-to-day responsibility for whistle-blowing arrangements, but only
          two-thirds of respondents believed their arrangements to be effective.
          And a final word about schoolyard behavior: As children mature and leave juvenile behaviour behind,
          there is a good chance that they will turn into intelligent, reasonable, well-rounded adults. It is
          to be hoped that this is also true in business life (in particular the financial services industry) and
          that conduct and culture within organizations improve so much that the need for whistle-blowing
          declines.
          Reporting wrongdoing around the world - whistle-blowing across borders
          A further consideration for inclusion in a policy is the accommodation of whistle-blowing cases from
          different jurisdictions (i.e., cross-border). As many countries have their own whistle-blowing laws
          and regulations and in this ever-globalised world, it looks more and more likely that whistle-blowing
          cases will start to originate from other countries. This may lead to confusion as to what rights the
          whistleblower has and the process that needs to be invoked (among other things). It is important
          that an organization’s whistle-blowing policy clarifies these points. For example, in the United States,
          the Commodity Futures Trading Commission (CFTC)’s whistleblower rules establish a procedure
          for whistleblowers to report any violations of the Commodity Exchange Act. The impact of this
          requirement may trigger a “cross-border” issue when it relates to a foreign market participant.
          There has been significant focus on whistle-blowing in many jurisdictions around the world because
          of its importance to good governance within organisations. A summary of the status of a selection of
          different countries’ approaches is included below:

          EUROPE                                                                 ASIA
                                                                                 In China, a 24-hour corruption hotline reporting system has been
          Only four European Union countries
                                                                                 established, and encompasses many government entities including
          have legal frameworks for whistleblower
                                                                                 the Public Security Bureau, the State Administration for Industry and
          protection that are considered to be
                                                                                 Commerce and various court and prosecution departments.
          advanced.

          AMERICA                                                                                                         AUSTRALIA
          In March 2014, the U.S. Supreme                                                                                 In Australia, there are
          Court ruled that the whistle-                                                                                   whistleblower protections
          blowing provisions in the                                                                                       in a number of pieces of
          Sarbanes-Oxley Act of 2002                                                                                      legislation, but the degree
          should be expanded to employees                                                                                 to which they are used is
          of private contractors and sub-                                                                                 unclear.
          contractors of public companies.

                                                    AFRICA
                                                    The South African government has indicated its support for the
                                                    concept of whistle-blowing and has acknowledged the need to
                                                    offer legal protection to whistle blowers with the introduction of
                                                    the Protected Disclosures Act, called the Whistleblowers Act.

10   Whistle-blowing – noT child’s play for internal auditors                                                                                            MAY 2014
Europe                                              arrangements were ineffective. Fifty-four
           In November 2013 a Transparency International       percent said they did not train key members
           report on the state of whistle-blowing in           of staff designated to receive concerns. Forty-
           European countries concluded that only              four percent confused personal complaints
           four European Union countries had legal             with whistle-blowing and in 10 percent of cases
           frameworks for whistleblower protection that        respondents said their arrangements were not
           were considered to be advanced: Luxembourg,         clearly endorsed by senior management.
           Romania, Slovenia and the United Kingdom. Of        In March 2014, the National Audit Office
           the other 23 EU countries, 16 have partial legal    (NAO) issued its report on the state of whistle-
           protections for employees who come forward          blowing in UK government departments. It
           to report wrongdoing. The remaining seven           reported that more could be done to improve
           countries have either very limited or no legal      the whistle-blowing arrangements. The NAO’s
           frameworks. Several EU countries in recent years    main findings were that there was no strategic
           have taken steps to strengthen whistleblower        cross-government lead for whistle-blowing;
           rights, including Austria, Belgium, Denmark,        that internal “checks and balances” could be
           France, Hungary, Italy, Luxembourg, Malta,          better exploited; and that some systems were
           Romania and Slovenia. Countries that have           more mature than others when collecting,
           issued proposals or have announced plans for        coordinating and disseminating intelligence.
           proposed laws include Finland, Greece, Ireland,
           the Netherlands and Slovakia.
                                                               “You only have to look at my
           UK                                                  committee’s work on everything
           In the UK, employment protections for               from GP out-of-hours services
           internal whistle-blowing are contained in the       to tax avoidance to see how vital
           Employment Rights Act 1996 (as amended by           whistleblowers are to protecting
           the Public Interest Disclosure Act 1998) (PIDA).
                                                               taxpayers’ money. It is extremely
           This Act covers nearly all employees in the
           government, private and non-profit sectors. The
                                                               worrying therefore that half of workers
           law also legally protects contractors, trainees
                                                               stay silent about misconduct, possibly
           and UK workers based overseas. The provisions       because they fear what will happen if
           introduced by the Public Interest Disclosure Act    they speak out. Government must do
           1998 protect most workers from being subjected      more to support those workers that try
           to a detriment by their employer. Detriment         to protect taxpayers’ money.”
           may take a number of forms, such as denial of
           promotion, facilities or training opportunities     A statement from Rt Hon Margaret Hodge,
           which the employer would otherwise have             chair of the Committee on Public Accounts,
           offered. Employees who are protected by the         UK, March 2014
           provisions may make a claim for unfair dismissal
           if they are dismissed for making a protected        In financial services, the Financial Conduct
           disclosure.                                         Authority’s whistle-blowing requirements are
           In the 1990s the whistle-blowing charity Public     set out in Chapter 18 of the Senior Management
           Concern at Work (PCW) was established and           Arrangements, Systems and Controls
           it has been at the forefront of developments        sourcebook of the FCA Handbook. These
           in whistle-blowing in the UK ever since. In         encourage firms to adopt appropriate internal
           November 2013 Public Concern at Work                procedures that will guide staff to blow the
           (together with EY) undertook a comprehensive        whistle internally about matters that are relevant
           survey of UK whistle-blowing policies. The survey   to the functions of the FCA. SYSC 18.2.2 provides
           found that 93 percent of respondents said they      guidance on the types of internal procedures
           had formal whistle-blowing arrangements in          that may be appropriate for larger firms as well
           place but a third thought their whistle-blowing     as smaller firms.

11   Whistle-blowing – noT child’s play for internal auditors                                                       MAY 2014
In October 2013 the FCA provided its response        Exchange Act. Section 806 also creates a cause
          to the Parliamentary Commission on Banking           of action in favour of persons who have been
          Standards. The commission, in its report on          subjected to retaliation.
          standards of behaviour in the banking industry,
                                                               In addition s 301 of Sarbanes-Oxley requires
          concluded that not only did internal compliance
                                                               audit committees of firms that issue securities
          and formal control structures fail to uphold
                                                               listed in the U.S. to adopt procedures for
          proper banking standards, but that a culture of
                                                               handling complaints about a company’s
          fear prevented employees from speaking out
                                                               financial reporting, especially anonymous or
          about serious wrongdoing. The FCA agreed
                                                               confidential complaints.
          with the commission recommendations and
          has undertaken to consult, in 2014, on whether       Under Sarbanes-Oxley if a firm employs a third
          additional rules are needed to set minimum           party e.g. an accountancy firm to investigate a
          standards for whistle-blowing and how                whistle-blowing incident the firm must report
          prescriptive these should be. This consultation      this to the SEC.
          will include the proposal that a member of a         Post the financial crisis, s 922 of the Dodd-Frank
          firm’s senior management is made personally          Wall Street Reform and Consumer Protection
          accountable for whistle-blowing procedures.          Act included provisions amending s 21F of the
                                                               Securities Exchange Act of 1934 to introduce
          “Formal whistle-blowing practices                    financial incentives and related protections for
          play an important role in creating                   whistleblowers who report individuals or firms
          this culture but should not be a                     who violate U.S. federal securities laws.
          first port of call. If staff have a good             The Securities and Exchange Commission’s
          understanding of conduct standards,                  whistleblower rules came into effect on August
          and feel secure about speaking out,                  12, 2011. The SEC will pay an award to eligible
          they will inform senior management                   whistleblowers who voluntarily provide the
          when they see malpractice occurring,                 Commission with original information about a
          through both informal and formal                     violation of the U.S. securities laws that leads to
          channels.”                                           a successful enforcement action, examples of
                                                               successful enforcement actions and incentives to
          From the FCA’s response to the                       use internal compliance mechanisms.
          Parliamentary Committee on Banking                   In March 2014, the U.S. Supreme Court
          Standards, UK, October 2013.                         ruled that the whistle-blowing provisions in
                                                               the Sarbanes-Oxley Act of 2002 should be
          United States                                        expanded to employees of private contractors
          The United States has had whistle-blowing laws       and sub-contractors of public companies. This
          since as long ago as the 1800s. More recently        means that those employees will be protected
          whistleblowers appeared in the Sarbanes-Oxley        by the whistleblower provisions contained in
          Act of 2002, primarily in s 806. This makes          the Act. This potentially includes lawyers and
          it unlawful for corporate issuers and various        accountants of a firm but the actual defined
          persons who work for them or do business with        scope includes those “whose performance will
          them, to retaliate against persons reporting         take place over a significant period of time”.
          violations of the U.S. securities laws or other      It will, however, only be possible to raise a
          U.S. laws prohibiting corporate fraud. Section       complaint arising from the contractor’s “fulfilling
          806 applies to companies that have a class of        its role as contractor for the public company, not
          securities registered under s 12 of the Securities   the contractor in some other capacity”.
          Exchange Act of 1934, as amended, or that
          are required to file reports under s 15(d) of the

12   Whistle-blowing – noT child’s play for internal auditors                                                        MAY 2014
“The new whistleblower program                        30, 2013, the Commission announced
          is a part of our effort to enhance                    it had approved payouts to each of the
          the agency’s capacity to detect and                   three whistleblowers in connection with
          prevent fraud. The proposed final                     money that had been collected in a related
                                                                criminal proceeding.
          rules build upon our efforts over the
          past two years and our experience
          with the Sarbanes-Oxley Act — an Act                  Case 3 - In October 2013, the SEC
          that made great strides in creating                   announced an award of more than
          whistleblower protections and                         $14 million to a whistleblower whose
          requiring internal reporting systems                  information led to an SEC enforcement
                                                                action that recovered substantial investor
          at public companies. From that
                                                                funds.
          experience, we learned that despite
          Sarbanes-Oxley, too many people                   In addition most U.S. federal and state
          remain silent in the face of fraud.               government entities have mechanisms for
          Today’s rules are intended to break               reporting fraud and abuse, and some provide
          the silence of those who see a wrong.”            awards for whistleblowers. These range from
                                                            New York State’s False Claims Act, which
          Mary L Schapiro, chairman, U.S. Securities        provides whistleblower awards similar to awards
          and Exchange Commission, opening                  offered under the U.S. False Claims Act; to the
          statement at SEC open meeting, May 2011.          New York State Office of the Attorney General’s
                                                            General, Immigration Fraud, Healthcare
                                                            and Medicaid Fraud hotlines; to the U.S.
             Case 1 - On August 21, 2012, the SEC           Environmental Protection Agency’s Fraud,
             announced its first whistleblower award.       Waste, and Abuse Hotline; to the Montgomery
             In that instance, the whistleblower            County, Pennsylvania, Controller’s Office’s Fraud
             helped the Commission stop a multi-            & Abuse Tipline.
             million dollar fraud. The whistleblower
             provided documents and other significant
                                                            “During the year, the Office paid
             information that allowed the investigation
             to move at an accelerated pace and prevent
                                                            whistleblowers a total of over
             the fraud from ensnaring additional victims.
                                                            $14 million in recognition of their
             During Fiscal Year 2013, the Commission        contributions to the success of
             made three more payments to this               enforcement actions pursuant to
             whistleblower in connection with additional    which ongoing frauds were stopped
             amounts that had been collected by the         in their tracks. While the amounts
             Commission in the underlying enforcement       paid are significant, the bigger story
             action.                                        is the untold numbers of current
                                                            and future investors who were
             Case 2 - On June 12, 2013, the SEC             shielded from harm thanks to the
             announced it had issued an award to            information and cooperation provided
             three whistleblowers who helped the            by whistleblowers. At the end of the
             Commission shut down a sham hedge              day, protecting investors is what
             fund. Two of the whistleblowers provided       the whistleblower programme is all
             information that prompted the Commission       about.”
             to open the investigation and stop the
             scheme before more investors were              Foreword to the 2013 Annual Report to
             harmed. The third whistleblower provided       Congress on the Dodd- Frank Whistleblower
             independent corroborating information          Programme, Sean X McKessy, chief, Office of
             and identified key witnesses. On August
                                                            the Whistleblower.
13   Whistle-blowing – noT child’s play for internal auditors                                                   MAY 2014
Australia                                              China
          In Australia, there are also whistleblower             In China a 24-hour corruption hotline reporting
          protections in a number of pieces of legislation,      system has been established, and encompasses
          for example, the Banking Act 1959 (Cth), the           many government entities including the Public
          Insurance Act 1973 (Cth), the Life Insurance Act       Security Bureau, the State Administration for
          1995 (Cth) and the Superannuation Industry             Industry and Commerce and various court and
          (Supervision) Act 1993 (Cth).                          prosecution departments. The Administrative
          In 2004, Part 9.4AAA of the Corporations               Supervision Law and the Chinese Communist
          Act 2001 was introduced after a report by the          Party (CCP) Internal Supervision Rules set
          Australian Prudential Regulation Authority             out rules for whistle-blowing. Specifically, the
          (APRA). It included detailed whistle-blowing           Ministry of Supervision is the authority charged
          provisions that required an officer, employee          with investigating governmental officials’
          or contractor to be a protected whistleblower          compliance with the relevant anti-corruption
          provided that:                                         rules. The Disciplinary Commission is an
                                                                 internal agency of the CCP that supervises and
          • pre-disclosure identification is given;              investigates CCP members’ compliance with the
          • reasonable grounds for suspecting breaches of       anti-corruption rules.
             the Corporations Act, or the relevant court rules   South Africa
             are established;                                    “The South African government has introduced
          • the allegations are made in good faith; and         the Protected Disclosures Act, also called
                                                                 the Whistleblowers Act. The Act states that
          • disclosures are made to the Australian
                                                                 employees can report unlawful or irregular
             Securities and Investments Commission (ASIC),
                                                                 conduct by employers and fellow employees,
            the company’s auditors, a director, secretary or
                                                                 while receiving protection from “occupational
            senior manager or a nominated person.
                                                                 detriment” by employers when making certain
          A protected whistleblower will have protection         “protected disclosures”.
          against retaliation, defamation or any other civil
                                                                 Section 159 (Protection for whistle blowers;
          or criminal liability for making the allegation.
                                                                 item 7) also states: “A public company and
          A protected allegation must be handled in a
                                                                 state-owned company must directly or indirectly
          certain way. It can be passed on to ASIC, APRA
                                                                 1) establish and maintain a system to receive
          or the Australian Federal Police without the
                                                                 disclosures (contemplated in this section)
          whistleblower’s consent, but only to someone
                                                                 confidentially, and act on them; and 2) routinely
          else with consent.
                                                                 publicize the availability of that system to
          Although whistleblower protections exist in            the categories of persons contemplated (in
          Australia, the degree to which they are used is        subsection 4).”
          unclear. For example, the Australian Securities
          and Investments Commission and the Reserve
          Bank of Australia have been criticized for how
          they deal with whistleblowers and conducting
          timely investigations on the back of allegations.

             Case 4 – Securency – In Australia whistle-
             blowing allegations led to charges being
             brought against two subsidiaries of the
             Reserve Bank of Australia, NPA and
             Securency, as well as six former banknote
             executives, regarding the payment of bribes
             to foreign officials to win banknote supply
             contracts.

14   Whistle-blowing – noT child’s play for internal auditors                                                        MAY 2014
THOMSON REUTERS ACCELUS™
The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set
of solutions designed to empower audit, risk and compliance professionals, business leaders, and the
Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity.
Thomson Reuters Accelus connects business transactions, strategy and operations to the ever-
changing regulatory environment, enabling firms to manage business risk. A comprehensive
platform supported by a range of applications and trusted regulatory and risk intelligence data,
Accelus brings together market-leading solutions for governance, risk and compliance management,
global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence,
training and e-learning, and board of director and disclosure services.
Thomson Reuters has been named as a category leader in the Chartis RiskTech Quadrant™ For
Operational Risk Management Systems, category leader in the Chartis RiskTech Quadrant™ for
Enterprise Governance, Risk and Compliance Systems and has been positioned by Gartner, Inc. in its
Leaders Quadrant of the “Enterprise Governance, Risk and Compliance Platforms Magic Quadrant.”
Thomson Reuters was also named as Operational Risk Software Provider of the Year Award in the
Operational Risk and Regulation Awards 2013.

For more information, visit accelus.thomsonreuters.com

                                                                               © 2014 Thomson Reuters  GRC01137/5-14
You can also read