Saturday, May 14, 2011

PCAOB SAG Member Warns Congress that SEC Whistleblower Regulations without Internal Notification Could Harm Financial Reporting

A member of the PCAOB’s Standing Advisory Group told a House panel that SEC proposed regulations implementing the whistleblower provisions of Dodd-Frank should require a prospective whistleblower to report their concerns through company-sponsored internal compliance systems before reporting to the SEC. In testimony before the Capital Markets Subcommittee, Robert Kueppers said that allowing whistleblowers to bypass internal company procedures could result in less accurate financial statements since internal reporting would give the company an opportunity to correct problems before they impact the financial statements that are included in reports filed with the SEC. Mr. Kueppers, a former SEC Professional Accounting Fellow, is currently deputy CEO of Deloitte. The House is considering legislation amending the Dodd-Frank whistleblower provisions to require internal corporate reporting as a prerequisite for a whistleblower reward either before, or simultaneously with, reporting to the SEC

On a separate point, Mr. Kueppers agreed with Dodd-Frank’s exclusion from the SEC whistleblower financial reward program of accounting firm personnel reporting on suspected violations by companies they audit. Providing a financial reward for such reporting would be contrary to the requirements of Section 10A of the Securities Exchange Act of 1934, he said, which sets forth specific steps that outside auditors must follow when suspected illegal acts are identified during the course of an audit, including the requirement to report their findings directly to management, and in some cases to the audit committee or the SEC.

Returning to his broader theme, the SAG Member testified that the whistleblower program should be implemented in such a way as to establish a constructive balance between strengthening the operation of effective company compliance programs and encouraging timely whistle blowing to the SEC. He believes that this could be achieved by a requirement, as a condition of eligibility to receive a monetary award, that whistleblowers report their concerns fully and in good faith through company-sponsored internal compliance systems before reporting to the SEC; alternatively, at a minimum, he believes that concurrent reporting to the SEC and internally should be required.

The former SEC fellow expressed concern that the Commission’s proposed rules create a monetary incentive for whistleblowers to bypass companies’ established and effective internal reporting procedures. While the proposals include a 90-day grace period to prevent individuals from being penalized for first reporting their concerns through internal channels, there is no financial incentive for would-be whistleblowers to do so. In fact, despite SEC reassurances, Mr. Kueppers feels that whistleblowers may be concerned that in order to meet the requirement to provide original information in their report, they must be the first to file certain information, and waiting up to 90 days to inform the SEC could lessen their chances of receiving a whistleblower reward because others may by then have filed reports containing the same information.

A whistleblower may also choose not to report internally because he or she believes that the company could then rectify the problem, and therefore be subject to lesser or no monetary sanctions upon which an award would be paid. From a whistleblower’s perspective, therefore, internal reporting may lessen the likelihood of receiving a monetary award and reduce the potential size of the award. Moreover, by inadvertently discouraging the use of internal procedures, the proposed rules may raise concerns about the design effectiveness of a company’s internal controls over financial reporting. If the effectiveness of companies’ internal systems are allowed to erode, there could be a rise in the incidence of financial reports that include incorrect reports about the effectiveness of internal controls as well as inaccurate financial information that would have been corrected had management been alerted of the problem through the timely use of internal procedures.

When suspected wrongdoing is reported internally, emphasized the SAG Member, management, under the oversight of the audit committee and with appropriate assistance of outside auditors, could investigate, prevent a violation from occurring, or mitigate the impact of an error. This may include, on a timely basis, preventing any misleading disclosure to investors, removing culpable individuals from positions of responsibility, disciplining employees who had prior knowledge of the wrongdoing but failed to intercede, and making any necessary disclosures in SEC reports. If whistleblowers report their information directly only to the SEC, however, the opportunity for company management, audit committees and independent auditors to foster accurate financial reporting may be delayed or even lost because allegations are not promptly communicated to companies as they become known

For example, if an employee of a company sees a problem late in the fourth quarter and reports his or her concerns to the company internally, the company would be expected to address those concerns before it issues its year-end financial statements. But if that same whistleblower bypasses internal channels and reports his or her concerns only to the SEC, there would be a risk that the report will not be reviewed by the SEC staff, or brought to the attention of company management, before year-end financial results are announced or financial statements are released, resulting in a later restatement.

The SAG Member stressed that existing frameworks, such as regulations promulgated under the Sarbanes-Oxley Act and standards established by the Institute of Internal Auditors, should be allowed to continue to operate as intended. Section 301 of Sarbanes-Oxley, for example, directs audit committees to establish procedures for receiving and processing complaints and anonymous tips regarding internal accounting controls or auditing matters. He noted that many companies now require their employees to report actual or suspected illegal acts or violations of a corporate code of conduct through internal channels.

The monetary incentive to bypass internal reporting procedures also may impact assessments of companies’ internal control over financial reporting, he cautioned, which are required by Sarbanes-Oxley. Companies’ whistleblower hotlines and other means of confidential reporting, designed to detect and deter securities fraud and other violations, are considered entity-level controls, he noted, and thus among the very few controls that can be effective in reducing the risk that management is overriding other internal controls

Most companies put such controls into place in a regulatory environment that encouraged the internal detection and resolution of potential accounting problems. If the new whistleblower program were to encourage employees to bypass these existing entity-level controls, he warned, the fundamental assumptions upon which those controls were designed could be affected. Because of the potential shift in employee motivations, management and external auditors may no longer be able to conclude that controls that were once effective in detecting and deterring wrongdoing remain so. Thus the design of the controls themselves could be deemed flawed, he said, a result that could be avoided by ensuring that whistleblowers use internal procedures rather than only reporting their concerns to the SEC.