10 Fordham Street
Williston Park, NY 11596-1823

February 18, 2003

Mr. Jonathan G. Katz
United States Securities
  and Exchange Commission
450 NW 5th Street
Washington, DC 20549-0609

        Reference: File No. S7-02-03

        Release Nos. 33-8173; 34-47137; IC-25885
        Standards Relating to Listed Company Audit Committees

Dear Sirs,

Please accept our comments on the proposed Rules for employee reporting of accounting, internal control and auditing irregularities, Section 301 (4) of the Sarbanes-Oxley Act of 2002.


We are concerned over the lack of attention being given to employee submission of accounting, internal accounting controls or auditing matters, as evidenced by the absence of any substantive Rule proposal beyond the wording of the act itself.

To the contrary, the strengthening of Audit Committees and, in particular, employee reporting of accounting, internal control and auditing irregularities have the potential to do more to safeguard the integrity of financial reporting than the rest of Sarbanes-Oxley combined.

We have performed an analysis of approximately 480 instances of serious accounting irregularities (or outright frauds) that the Commission has acted on over the last fifteen years. We have found that employee reporting would be effective or highly effective in stopping inappropriate Financial Statements in 56% of cases analyzed, quality audits in 24% and strong Audit Committee oversight in 39%. (Sums exceed 100% in that more than one mechanism may be effective).

Employee reporting is more frequently effective than quality audits because many instances of inappropriate Financial Statements occur in "interior" quarters where auditor involvement is more limited.

The figure for Audit Committee oversight is somewhat inflated by the almost one quarter of cases where the company involved was mainly or entirely fraudulent. At least in theory, an active and independent Audit Committee could prevent the excesses of these companies. Audit Committees are particularly important in detecting "Entity Fraud", the creation of non-consolidated entities to hide losses.

The challenge we confront is how to take advantage of the knowledge and integrity of honest employees who find themselves aware of or participating in an accounting scandal.

Our proposals are two-fold. We have specific guidelines for the implementation of Section 301 (4) and more importantly, guidelines for a comprehensive, voluntary "Active Program" aimed at encouraging employees to report any matters of accounting or internal control concern.

Proposed Mandatory Rules for Section 301 (4). "Passive Program"

As described more fully in IIA, below, the Mandatory Rules should require that the submission mechanism be easily accessible, submissions be logged and controlled and that the submission mechanism operate outside the company.

Proposed Voluntary Rules for Section 301 (4). "Active Program"

A program that will cause employees to submit matters of concern to the Audit Committee requires a) an active effort by Company management to define reporting matters of concern as a vital part of an employee's job, b) directly address the issue of loyalty, c) provide significant rewards to employees who report a substantive matter on a timely basis and d) the Commission itself should publicly go on record that the SEC will aggressively pursue anyone participating in accounting irregularities. This means putting teeth into the Commission's long held view that being a "good soldier" is not a justification for participating in appropriate accounting.

To communicate these concepts, the companies instituting the voluntary program will need to identify all employees significantly involved in the accounting process, provide seminars explaining the rewards of reporting matters and the consequences of not reporting, and require these employees certify at least annually that they understand their responsibilities in submitting matters of concern, and have reported any such matters. These requirements are discussed fully in IIB, below.

We propose that the Commission establish the standards of a voluntary "Active Program" and allow companies that meet these standards to report their maintenance of such a program. As discussed in Appendix A we do not believe companies should report their procedures unless they are in compliance with the proposed "Active Program".

Cost-Benefit Analysis

Employee reporting is the most cost effective manner of enhancing the integrity of financial statements. The procedures necessary to satisfy the Commission's proposed rules are almost cost free, although the effectiveness of a "passive" submission system is limited. The pro-active voluntary procedures entail the costs of staff certification and seminars. Nonetheless these costs are small compared to the extensions of audit work needed to obtain similar levels of assurance and miniscule compared to the costs of accounting irregularities.

Integration with other initiatives of Sarbanes-Oxley

The "Active Program" cements two important concerns of Sarbanes-Oxley, the emphasis on internal controls and on individual accountability as mandated by the certification requirements of Section 302.

Internal controls both serve employee reporting and are served by employee reporting. Internal controls provide guidance to employees on acceptable on unacceptable activity. Accounting controls make accounting irregularities more obvious and more difficult. Finally accounting controls serve as a tripwire. The absence or diminishing of accounting controls provide an opportunity to report a problem before the intense circumstances of an accounting irregularity arise.

Internal controls however become merely words in Procedures Manuals unless there is an active constituency defending them. The Commission has been dealing with the breakdown of internal controls since Drayer-Hanson in 1946. Under the "Active Program" all staff having roles in the accounting and internal control process are identified and required to certify the continued operation of the controls covering their responsibilities. Employee reporting is a major addition to the existing mechanisms defending internal controls.

Finally, Sarbanes-Oxley places major new responsibilities on Audit Committees. As we noted in the introduction, there are specific areas of concern where corporate boards and Audit Committees in particular are the most important element in the internal control regime. However Audit Committees cannot be expected to review every posting made to their company's general ledger. For this they need the resources of the company's staff, and employee reporting is the means by which this resource is available to them.

Auditing firms

We recommend that a program analogous to the "Active" program we are proposing for reporting companies be mandated for their auditors. The paradigms of corporate fraud is that senior officers motivated by big money initiate frauds that require the participation of numerous employees motivated by false loyalty or fear and lacking the means of stopping the fraud.

This is equally true for auditing firms. Individual partners or offices may have incentives to retain important clients, but there are no such incentives for the staffs performing the audit work. Certainly in the Arthur Andersen related cases the accounting irregularities were no secret to the audit staffs. It is highly unlikely that a signficant accounting irregularity could occur in a major company without the audit staff discovering some indication of the problem.


A. Proposed mandatory regulations

The Commissions Release states:

each audit committee would need to establish procedures for:

  • The receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters, and

  • The confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.

and continues,

We do not propose to mandate specific procedures that the audit committee must establish. Given the variety of listed issuers in the U.S. capital markets, we believe companies should be provided with flexibility to develop and utilize procedures appropriate for their circumstances. We expect each audit committee to develop procedures that work best consistent with its company's individual circumstances.

This is far too vague. At a minimum the Commission should specify the following so that even the modest objectives mandated by Sarbanes-Oxley have some degree of effectiveness.

While we use the general term "employee" it includes persons who are officers of the company as well.

a) Contact mechanism. The Audit Committee must designate contact points including a mailing address, telephone number and E-mail address that are outside of the Company. Communications to these contact points must be monitored at least weekly (and daily in the period prior to 10Q and 10K filings) by a member of the Audit Committee or an agent designated by the Audit Committee.

b) All communications to or via these contact mechanisms must be logged and all communciations must be saved for at least seven years from receipt.

c) A log detail must summarize the issue reported, an evaluation of the issue reported, the rationale for the evaluation, and if appropriate, the actions taken to close the reported issue.

  1. The evaluation is a categorization of the legitimacy of the contact and the issue reported and should include:

      Not meaningful. The submission did not address an accounting or control concern or was too vague to determine what issue was being reported.

      Acceptable. The audit committee determines the accounting decisions or internal control procedures being questioned are acceptable.

      Overturned. The accounting decision is deemed aggressive, and while not contrary to GAAP the audit committee directs that it be reversed.

      Fraudulent. That a deliberate and illegal attempt was made to falsify company records and that persons responsible are fired.

d) The results of the audit committee's evaluation of the matter reported must be made available to the reporting employee in a confidential manner.

e) The log and any supporting documentation must be available for SEC inspection for seven years, the first two years in a readily accessible location.

B . Proposed Voluntary Procedures ("Active Program")

The scheme of employee reporting contemplated by Sarbanes-Oxley and the Commission's proposed rule does not address a) employee awareness of their role in accounting integrity, b) the incentives to report irregularities, or c) the negative consequences of failing to report irregularities, nor does it provide a mechanism to assign to specific individuals specific areas of accounting and internal control responsibility.

As these issues go well beyond the mechanism required by Sarbanes-Oxley, we believe that the "Active Program" should be voluntary. However, we also believe that the Commission should establish Rules governing the "Active Program". Companies complying with these rules should be allowed to state they maintain an "Active Employee Reporting Program" in their communications with the public. We believe that companies that do not meet the standards of the "Active Program" should not disclose their 301 (4) procedures.

Employee Education. Company senior management is required to educate its employees that any type of accounting irregularity is against Company policy (as well as the law), and it is an explicit part of an employee's job requirements to report accounting and internal control irregularities to the Audit Committee. This may be accomplished through direct meetings, seminars, videoconferences or video programs featuring senior management, and should be reinforced at least once every three years.

The employee education program also must include information on how to identify inappropriate activity, respond to questionable activity and how to contact the Audit Committee in an anonymous and confidential way.

Senior management regardless of the size of the company means the President or CEO of the company. In larger companies Senior Management would also include subsidiary or divisional senior management. Determining these additional levels of senior management would be left to the company.

Employee Rewards. The Company must maintain and actively publicize a policy that any employee who reports a significant accounting irregularity on a timely basis will receive a substantial financial reward (we believe this should be two years compensation). The financial reward emphasizes the Company's commitment to honest reporting, mitigates employee concerns over the price they might pay for reporting irregularities, and represents an exceedingly small price to pay to stop fraudulent reporting before it occurs.

Accountability. The Company must maintain and actively publicize a policy that any employee who participates in an accounting fraud, even if coerced, will be held responsible for their actions. This is the "stick" side of a robust reporting mechanism. In the absence of a robust employee reporting environment there are significant limitations on the extent to which lower level participants in an accounting fraud can or should be held responsible for their actions. Within a robust employee reporting environment it becomes practical to hold all employees responsible for their participation in questionable activity. Employee accountability is achieved through a "push down" version of the senior officer certification required by Sarbanes-Oxley.

The identification of the accounting and internal control roles played by company employees is a vital component of a proper control environment. Arguably the accounting and internal control roles of all employees should already be identified. Realistically this is probably not the case. Accordingly most of this particular recommendation should be required anyway. All this proposal is adding is that employees certify that they have not participated in any accounting irregularity or violation of internal control procedures, and that the Company formally track and maintain these certifications.

(Well-designed control procedures recognize that situations requiring exceptions to normal procedures are a way of life and thus the control procedures themselves establish allowable exceptions.)

C. Auditing Firms

As we've noted above, the logic of employee reporting applies to the staffs of auditing firms as well. In some ways it is even more compelling given the indigenously separate nature of each audit.

The question with auditing firms is what constitutes the "Audit Committee". One suggestion is that auditing firm Audit Committees consist of retired Partners, with half of the members coming from other auditing firms.


A common denominator in the accounting frauds affecting virtually all large companies, and many smaller ones, is that the frauds require the participation and knowledge of ordinary company employees.

Providing a robust mechanism for these employees to report irregularities is key to protecting financial integrity. Such reporting is the most sure and effective way for fraudulent activity to be "discovered". Additionally, senior executives will be much less likely to initiate or tolerate falsified accounting if they believe that someone will report these occurrences.

We can ask where were the auditors and why didn't they find all these frauds and irregularities, but must keep in mind that it's the company's employees who live with these problems.

The challenge we confront is how to take advantage of the knowledge and integrity of honest employees who find themselves aware of or participating in an accounting scandal. We believe that the "Active Program" we have recommended meets this challenge.

Very truly yours,
Michael Chenkin
  Gregory Warren

APPENDIX A. The Commissions questions

Should the proposed rule require a company to disclose the procedures that have been established or any changes to those procedures? If so, where and how often should the disclosure appear and what should it look like?

We recommend against disclosing Rule 301 (4) procedures to investors as the scope of 301 (4) is far too limited to create a reliable employee reporting environment. As we stated above, companies that adhere to a voluntary program along the lines we have suggested, but with formal rules mandated by the Commission, should be allowed, if not encouraged to report this to the public.

This should be disclosed in 10-K and equivalent filings. Further, as compliance with the rules of an "Active Program" is auditable, companies may elect to include the fact that they maintain such a program in the Notes to their Financial Statements.

Should specified procedures be prescribed or encouraged? For example, should we specify how long complaints must be retained? Should we specify who could or could not be designated by the audit committee for the receipt and treatment of complaints?

In our Detailed Section on Mandatory procedures we have indicated a holding period for complaints and logs documenting the complaints and their resolution. We also indicate that complaints should go to someone outside the company, either directly to a member of the Audit Committee or an agent of theirs.

APPENDIX B. Analysis of Accounting Irregularities and Frauds

In devising means to prevent accounting irregularities it is instructive to see what irregularities have actually occurred. Major company Financial Statement irregularities involve numerous and widespread schemes involving many managers and employees, dollar amounts too huge to hide or both.

Rite Aide, Tyco, Xerox, and Waste Management involved laundry lists of inappropriate accounting manipulations. Significant irregularities at Adelphia, CUC, Lernout and Hauspie, Phar-Mor, Sunbeam, Towers Financial, Westwood One and Woolworth, likewise involved wide ranging efforts. Major income smoothing at W. R. Grace and Microsoft, likewise was fairly obvious inside the company.

Worldcom's multi-billion dollar manipulation of line charges was known by a significant number of people within the company as were aspects of the Enron scandal.

Bankers Trust suffered a major scheme to misappropriate escheatable funds; Gruntal had a similar scandal. Salomon accumulated two hundred million dollars in internal reconciliation differences and Oxford Health eighty-one million in accounting errors. Dozens of accounting personnel have to deal with the accounts underlying these problems, and the errors or unexplained differences arising in them.

Revenue frauds occurred in half of the cases we reviewed, typically occurring with smaller companies. "Inflating" sales is the single most prevalent type of irregularity, occurring in over 150 cases. Sales inflation means there is the illusion of sale, although not its accounting substance. Techniques include, use of `side letters', consignment sales, bill and hold sales and holding open shipping or billing periods.

Except for "side letters" where the sales executives who negotiate the "side letters" often keep them secret, all of these techniques involve the direct participation of company employees. Furthermore most instances of artificial sales give rise to aged receivables, and thus the awareness of credit and accounts receivable personnel. The problem of secret side letters can be resolved through the basic internal control step of having Finance and Accounting personnel confirm the terms of all material sales with their counterparts at the alleged purchaser.

In addition to inflated sales, revenue inflation accomplished through accounting determinations, such as percentage of completion, occurred over thirty times. Proper review procedures by accounting personnel should prevent material errors in this area.

Reserves were an issue in some fifty cases, including instances of inadequate reserves and using reserves as "cookie jars" to manage income.

Outright stealing led to materially inaccurate financial statements in 15 cases. In 16 instances (including 5 of the stealing cases) subsidiaries gave rise to materially inaccurate parent company financial statements. This is significant because in most of these instances the subsidiaries appeared to be too small to be worth substantial accounting and auditing attention.

Inappropriate capitalization of expenses occurred in twenty-five cases, other non-GAAP accounting in twenty-two cases and there were over fifty instances where the irregularity was effected through journal entries (meaning without a semblance of underlying activity to justify the journal entry.

There were 7 cases of irregularity accomplished through the creation of non-consolidated entities. The most noteworthy of these is of course Enron. Dynegy and PNC also made large adjustments due to entity issues.

Finally there were almost 160 instances of asset over-valuation. The majority of these occurrences involved companies that were largely or entirely fictional/ fraudulent.