February 14, 2003
Mr. Jonathan G. Katz
Securities and Exchange Commission
450 Fifth Street. N.W.
Washington, DC 20549-0609
Re: File No. S7-02-03, "Standards Relating to Listed Company Audit Committees"
Dear Mr. Katz:
We are submitting comments and recommending modifications to the Proposed Rule for Audit Committee procedures for the confidential and anonymous receipt, treatment, and retention of audit and financial related concerns by employees, Exchange Act Rule 10A-3 Part 240.10A-3 (b) (3) Complaints.
We recommend the Proposed Rule be modified to provide clearer guidance as to what is required for Listed Companies to be in compliance. Without clear guidance, investors will not know whether listed companies have put into practice, proactive and effective procedures for the independent Audit Committees to encourage employees and others to report legitimate concerns regarding auditing and financial issues.
By way of background, the authors each have over twenty-five years of consulting and management expertise in senior management positions and prior accountability related to Board of Directors in regulated utilities and traditional commercial establishments1. All our experience supports the premise that almost all officers and executives of listed companies are honest and truly encourage reasonable procedures that prevent and remediate fraud at all levels of the corporation. It is for these honest directors, officers, and managers that we have had the privilege of working with in the past and that we look forward to working with in the future that we respectfully submit our comments.
To assist the reader, our comments are provided in the following order:
- The Need to Create a Proactive and Effective Environment
- Barriers and Solutions to Effective Reporting of Concerns
- Recommended Modifications to the Proposed Rule
- Justification for Modifying the Proposed Rule
I. The Need to Create a Proactive and Effective Environment
AuditConcerns has conducted extensive research over the past six months regarding employee reporting of concerns. Our research began with clients who were impacted by the Enron failure and expanded to include current and former members of three of the Big Four accounting firms, many corporate counsels, compliance officers, employees, Audit Committees, CFO's, corporate secretaries, and numerous members of the National Association of Corporate Directors. Based on our research, we believe the SEC rules for the audit committee's concerns and complaint procedures need to be established with consideration of the following principals:
- The responsibility for the concern and complaint procedures and the interface with the submitter must be independent from management and others subject to direct management control. This is absolutely necessary to minimize an employee's fear of retaliation or breach of confidentiality associated with the good faith submitting of a concern.
- Encouragement and leadership must be provided from both the Audit Committee and management so that employees are expected and obligated to report valid concerns related to violations of the code of ethics, financial and accounting malfeasance, and all instances of legal or regulatory non-compliance.
- A professional environment for the submission of concerns must convey integrity, trust, and accountability to those who in good faith report concerns and complaints. Procedures that fail to establish a means for confidential and anonymous feedback to the submitter for obtaining clarifying information and fail to relay that the concerns were addressed, will succeed only in frustrating the submitter and those involved with the investigation.
- The submitters must believe that retaliation or public exposure of submitters will not be tolerated. This message has to be conveyed by words, procedures and technology that take clear steps to enhance confidentiality and anonymity.
- Adequate resources must be provided to the audit committee members so that they can serve in their role and insist on procedures and systems that encourage submission and treatment of valid concerns.
Unless the Proposed Rule is modified to incorporate these principals, investors will be denied the intent of the Sarbanes-Oxley Act, i.e. to establish a clear obligation for the independent Audit Committee to serve as a reliable guardian of the shareholder and public interest. Simply put, the Final Rules should enable employees and others to help Audit Committees identify areas where they should be suspicious. This is essential if we are to avoid future remarks similar to those heard on May 7, 2002 from the testimony of Dr. Robert K. Jaedicke, the former Chairman of the Enron Audit Committee, before the Permanent Subcommittee on Investigations:
"we had no cause for suspicion before it was too late."
Unless the audit committee is informed of a concern or complaint, they will rarely be able to ask the questions or initiate actions that identify potential problems of which even the management team may be uninformed. However, in about all the cases where accounting and financial fraud is taking place, the perception is that senior management is involved. For this reason alone, employees must be able to submit concerns in a way that is independent of management. Honest management must have a clear way to submit concerns anonymously themselves. The rules must require this, if honest employees, officers, board members and investor's are to be given the opportunity to prevent and intercept corporate malfeasance by making it reasonably easy and safe to submit a concern to the audit committee. This can be done effectively without burdening companies with unnecessary costs or bureaucracy. We believe the opportunity to increase shareholder confidence and the ability for employees to protect the shareholders interest is well worth the marginal cost of compliance that requires effective procedures.
II. Barriers and Solutions to Employee Reporting of Suspected Improprieties
On July 30, 2002, President Bush signed the Sarbanes-Oxley Act of 2002 to help prevent corporate fraud. The SEC, Congress, and other agencies have ongoing investigations that have both investors and employees concerned with how to prevent at their companies what went wrong at well known and respected companies such as Xerox, WorldCom, Rite Aid, Adelphi, Tyco, Enron, Dynegy, Edison Schools, Homestore, Microsoft, and PNC Bank. Fraud and incorrect financial reporting at such companies has cost investors and employees billions of dollars. The compliance systems that were the purview of management failed to work. Audit committees claimed they had no idea of problems. In seeking improvement, Congress directed the Commission to establish rules that require an independent audit committee and require that the Audit Committee implement procedures for employees to effectively question and bring proper attention to accounting and financial improprieties
AuditConcerns research has identified three major barriers to effective processes for reporting and treatment of employee concerns.
(1) Employees have to be informed of the opportunity and procedures to bypass management and confidentially and anonymously report complaints and concerns to the Audit Committee. Otherwise, they will be reluctant to submit a concern if they believe that their identity may be revealed and they would be subject to retaliation. Employees believe confidentiality and anonymity are not assured from company-managed compliance reporting systems, management hotlines, or others reporting to management.
(2) Employees with a suspicion of potential wrongdoing usually lack the resources to investigate further and don't want to put their careers on the line with incomplete information. These employees will often remain silent because they believe they could damage their careers or be subjected to harassment by questioning potential wrongdoing, especially if management appears to have approved the activity or transaction. These employees are much more likely to submit their concern if they know that there is an independent (not reporting to management) Audit Committee that can determine if the concern warrants action.
(3) Independent Audit Committee members are worried that personally receiving anonymous concerns at companies with large groups of employees and investors could be `burdensome and risky' due to the time required, accessibility, and liability issues. Without clear guidelines that define Audit Committee responsibility, our research indicates that most audit committee members will end up delegating this task back to management or management's agents. Many audit committee members have demanding responsibilities in other companies, and may delegate the complaint and concern activity totally back to management or management's agents unless the Commission provides clear guidance to the contrary.
These barriers can be overcome if the Commission establishes guidelines for the Audit Committee concern and complaint procedure that:
- Provide well understood, easy ways for employees to submit information in an unfettered way back to the Audit Committee or independent (not subject to management conflict of interest) designees. The designee should report only to the audit committee and should not be an employee, management, or supplier of other services to management or the company. This eliminates a potential source of a conflict of interest.
- Encourage employees to submit the concerns without fear that the employee's identity would be revealed to management or to other employees. The audit committee can use technology and procedures to minimize the risk of exposing an employee's identity. While they can not always prevent disclosure due to the nature of the investigation, the audit committee should have steps that alleviate purposeful or negligent exposure of the submitter.
- Remove the `burdensome' worry of the audit committee members by clarifying they can use independent resources to help administer an effective concerns procedure as long as they maintain oversight responsibility. This would allow the audit committee to use consultants, technology or part time staff to minimize expense and time requirements for the audit committee. Economical systems and support can make it easy for employees to submit concerns over the internet, phone, fax, or by mail. These concerns can then be reviewed and processed according to procedures that allow the audit committee to utilize the most appropriate resources for investigation. In rare cases the Audit Committee may require investigative resources not regularly used by the company. In many cases they would be able to use traditional resources such as the independent auditors, internal auditing, or internal/external corporate counsel for investigative treatment.
The recommendations we are providing to the proposed rule rely on an independent audit committee that is qualified and dedicated to serving their role as a reliable guardian of the shareholder and public interest. The modifications to the proposed rule still allow listed companies to meet the requirements in a manner that is customized to each company's circumstances.
It is important to note that many listed companies already have systems for employees to report concerns such as discrimination or work related complaints. These options focus on a broad set of compliance issues such as discrimination, sexual harassment, environmental compliance, safety, and improper behavior of front line or mid level employees. Although these existing compliance systems can continue to function as the responsibility of management, there must be a confidential and anonymous process that provides employees with unfettered access to the independent Audit Committee. It should be left up to the discretion of individual companies if they choose for the audit committee to also be the recipient of non financial or auditing related concerns.
The modifications to the proposed rule should require that the audit committee have procedures that are effective so that:
- The audit committee has responsibility for gathering information from employees and others that identifies and corrects wrong doing.
- The procedure is clear, widely known by employees and can serve as a deterrent and barrier to wrong doing.
- The investors know that listed companies have audit committee procedures that give them full access to employee insights related to potential audit or financial issues that might impair the accuracy and transparency of financial reports.
Some concerns may be baseless. However, if the audit committee receives a large number of such concerns, it can advise management, and the company will benefit if widely held misconceptions or rumors are properly addressed. For the rare concern that turns out to be evidence of significant wrongdoing, the audit committee will have an opportunity for remediation that may prevent a financial catastrophe for investors and employees alike.
III. Recommended Modifications to the Proposed Rule
We recommend the following modifications to the Proposed Rule such that listed companies must meet minimum requirements for Title III Section 301 (4) of the Sarbanes-Oxley Act of 2002 dealing with procedures for audit committees to receive, process, and retain complaints and concerns as suggested below:
Audit Committees (or Board acting in lieu of Audit Committees) of registered companies are required to establish procedures by (date not to be after July 1, 2003) for:
- The receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and
- The confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.
Audit committees shall:
- Institute effective procedures to ensure that all employees including officers can submit financial and audit related concerns directly to the Audit Committee. This process must be independent of management. Information regarding how to access the reporting mechanisms should be made readily available to all employees and independent contractors by including that information in the code of conduct and/or code of ethics and by circulating the information (e.g., by publishing the phone number, fax number, web site, mailing address, and e-mail address on wallet cards) or conspicuously posting the information in common work areas2.
- The Audit Committee shall process concerns and complaints consistent with the need to maintain a reasonable high degree of confidentiality and anonymity. It is recognized that confidentiality and anonymity can not be guaranteed and that the very act of investigating a particular concern or complaint could inadvertently lead to disclosure of the submitter's identity. The Audit Committee will take reasonable steps to minimize the risk of disclosure. For example, if a concern is expressed related to the independent auditors, there would be increased risk of disclosure of the submitter's identity if the investigation were handled by a member of the existing independent auditing firm. However, the Audit Committee can rely on management and its agents such as internal or external counsel, human resources, compliance officers, internal auditing, or other independent auditors if it believes that the nature of the concern and the resources used for investigation will not jeopardize the committee's ability to get a fair and unbiased evaluation and that the submitter is not unduly exposed to breach of confidentiality or anonymity that could lead to retaliation or harassment.
- Inform all employees and officers that even if the identity of a submitter becomes known or is implied, that retaliation or harassment of the submitter of a concern is in itself a violation of the code of conduct and can subject the company and the individuals involved to severe penalties under `whistleblower' status of the Sarbanes-Oxley Act of 2002 and other statutes.
- The Audit Committee shall have procedures such that all employees, all officers, all directors, and other submitters should be able to submit a concern in good faith to the audit committee without fear of retribution.
- The audit committee shall document the implementation of its concerns procedures and maintain materials and records related to receipt and processing of concerns and complaints for the greater of :
- a minimum of seven (7) years from the date of receipt or
- a minimum of seven (7) years from the last date of investigation, review, or action taken by the Audit Committee.
- Maintain procedures such that concerns and complaints are received independent from management, the independent auditors, internal auditing, corporate counsel, or any agents that report to or are expected to be influenced by management.
- Provide feedback to the submitter when reasonably possible that the concern or complaint was received, to request clarifying or missing information, and to allow the submitter to stay apprised of the status of the investigation. For example, the committee might receive concerns by phone or the internet using confidential passwords or other techniques that allow the submitter to anonymously learn the status of the investigation or provide updated information.
- Be provided the budget and resources from the issuing company to hire consultants or procure technology for the confidential and anonymous receipt, processing, and retention of accounting, audit, and financial concerns and complaints from employees and others.
- Annually provide to the Board of Directors and the SEC a report on the procedures it has in place to receive, process and retain concerns and complaints. Quarterly, or more frequently if deemed necessary, provide the board an update on the effectiveness of the procedures.
IV. Justification for Modifying the Proposed Rule
The Sarbanes-Oxley Act of 2002, Title III Section 301 (4) clearly intended for audit committees of issuing companies to establish a procedure for the audit committee to receive, process and retain audit and accounting related concerns and complaints. The underlying reason for the procedure is to establish a path independent from management to allow the audit committee to gain unfettered access to audit and accounting related concerns or complaints that could originate from employees or others with information related to improper behavior. This provision of the law will work to increase investor and employee confidence if the audit committee establishes and uses appropriate procedures that foster a climate whereby submitters are informed of the process, the process is easily understood and the submitter is encouraged to submit good faith concerns. The submitters deserve to be treated with respect, confidentiality and anonymity. The benefits of the modifications to the proposed rules are:
- To clarify that the audit committee is to establish procedures that include informing employees and others of the procedures to receive, process and retain accounting and audit related concerns and complaints with reasonable steps taken for confidentiality and anonymity. Having a process that no one knows about or knows how to use is clearly not effective and does not accomplish the intent of Congress that the independent audit committee serves as a watchdog of the public and shareholder's interest.
- To clarify that the audit committee procedures for confidentiality and anonymity are in place to encourage employees to report concerns by providing an environment that is less likely to result in harassment or retaliation. The modifications clarify that management or management's agents should not be given unfettered access to the reporting of concerns. Otherwise, employees would be less likely to report a concern out of fear of retaliation or public exposure. The rules also clarify that the audit committee after reviewing a concern, can decide when it is appropriate to utilize either inside or outside resources for investigation of the concern such as the independent auditors, human resources, corporate counsel, or internal auditing. Audit committees can now reduce the cost of investigations by using existing resources where appropriate.
- To allow all employees and officers the ability to confidentially and anonymously report a concern. This is a result of requiring the independent audit committee to receive concerns without automatic access to the information by management or the independent auditors. The audit committee procedures should allow any officer including compliance officers, human resource officers, and senior management to submit a concern.
- Audit committees and legal counsel are troubled that in some cases it may be impossible to keep a concern or complaint confidential and the submitter anonymous. The proposed rules acknowledge this situation and require that when the audit committee takes `reasonable steps' to protect confidentiality and anonymity, it will be in compliance with this provision.
- Increases the likelihood that audit committees can confidentially communicate with submitters by encouraging procedures that include the use of passwords or alternative techniques. The ability to communicate with submitters should improve the effectiveness of audit committees because they can provide feedback to submitters and also request clarifying or additional information.
- Audit committees are encouraged to create a climate that facilitates the willingness of employees and others to submit information. Without the modifications to the proposed rule, it is highly probable that audit committees will be advised to severely restrict the concerns process because of the fear of plaintiff attorneys.
Please feel free to call on us at 404-264-4501 for any questions you may have or assistance we may provide.
|Robert E. Jones
||John A. Higley|
|1 || John Higley has a distinguished career in consulting and as a line manager in information technology. Most recently Mr. Higley served as a partner at Deloitte Consulting. In addition to recent work as a recognized industry consultant, Robert Jones served in numerous management positions including serving as President of Southern Development and Investment Group, a subsidiary of the Southern Company.
Mr. Higley and Mr. Jones are the founders of AuditConcerns, Inc a company founded to provide an independent source for receiving, processing and retaining employee and others concerns and complaints.
|2 ||Rephrased from Department of Health and Human Services, Office of Inspector General, Draft OIG Compliance Program Guidance for Pharmaceutical Manufacturers, Federal Register Vol. 67, No. 192/Thursday October 3, 2002 page 62057.