By proposing to offer whistle-blowers big cash rewards if they come straight to the Securities and Exchange Commission with information about potential corporate fraud, the SEC will spur companies to tighten their internal controls, risk-management and internal-audit experts say.
The Dodd-Frank financial regulatory law enacted in July requires the SEC to set up a program to pay awards to eligible whistle-blowers who provide “original information about a violation of the federal securities laws that leads to . . . successful enforcement” producing cash sanctions of more than $1 million. Earlier this month, the commission proposed rules that would pay informants from 10% to 30% of the amount recovered.
Speaking on behalf of the Institute of Internal Auditors, Denny Beran, chief audit executive at JCPenney, tells CFO he thinks the large potential awards would lure some whistle-blowers straight to the SEC. But “from an internal-auditing perspective, we would like to see employees turn to the companies first,” either by going straight to management or via the ethics hotline, he says.
That’s why some companies are considering handing out their own (much smaller) compensation awards as well as looking at better ways to root out fraudsters. “You don’t want to have the SEC knocking on your door to provide your detection control,” says Pam Verick, a director in the litigation, restructuring, and investigative services unit of Protiviti, a consultancy.
Since November 3, when the commission issued its proposal, clients have been calling her with questions about how to review corporate codes of conduct, says Verick, a consultant in fraud risk management and Foreign Corrupt Practices Act issues. (The SEC is seeking comment letters on the proposal through December 17.)
One particular matter corporate risk managers are revisiting is chain-of-command reporting, a structure in which employers expect employees to report potential frauds to their supervisors, who would then “escalate the information up the chain of command,” explains Verick. The problem is, if the managers have been involved with bad behavior or don’t take employees’ claims seriously enough, they might not report the claims to their bosses.
The risk managers are thus taking a second look at their companies’ escalation procedures and the extent of the ethics training given to their managers. The aim is that “if somebody does report an issue, it does get up to the general counsel or the corporate compliance department,” says Verick.
But such analysis and training are hardly foolproof — especially if the general counsel or compliance officer has an interest in not reporting the fraud. Michael Brozzetti, chief executive of Boundless, an ethics consultancy, says that in a recent case he studied through court records and discussions with the whistle-blower, the problem was that the general counsel’s office had conflicting responsibilities. The office was responsible for both investigating whistle-blower complaints and approving contracts the company made with vendors. That represented a “fundamental conflict of interest,” notes Brozzetti. “Internal audit has a responsibility to look at the overall design of a whistle-blower process.”
Besides thinking about structural ways to mitigate fraud, internal risk officials are mulling how to make potential whistle-blowers more comfortable within the corporate structure so that they won’t run to the SEC. Brozzetti says he’s discussed the idea of whistle-blower sabbatical programs with some compliance executives. In such programs, if employees divulge information about a fraud and are uncomfortable working for the company while their complaints are being investigated, they are provided with paid leave.
The proposed rule would, however, give whistle-blowers a chance to try their luck with their employers before going to the SEC. Employees with knowledge of potential fraud who report it to their supervisors, compliance officers, or corporate lawyers would still be eligible for cash awards, according to the proposal. Such whistle-blowers would get “a 90-day grace period after reporting their information internally to make a whistleblower submission and have [it] deemed effective,” the SEC states.
Still, a large number of cases result in recoveries of less than $1 million and thus would not be subject to the incentives. “Companies need to publicize that if employees find a fraudulent case worth $40,000, you don’t want to go to the SEC with it,” says Beran.