and Good Governance
By Tim V. Eaton and Michael D. AkersJUNE 2007 - The Sarbanes-Oxley Act of 2002 (SOX) has forever changed corporate governance for publicly held corporations. Recent data suggest that the costs of compliance with the provisions of SOX can be very significant. Because these mandated requirements apply almost exclusively to publicly held corporations, some companies have cited the high costs of SOX compliance as a rationale for going private. After all, SOX was developed in response to high-profile corporate scandals that included Enron, WorldCom, and Tyco, and was not designed to address problems in other sectors. Unfortunately, problems in corporate governance are not unique to public corporations.
Problems in the Government and Nonprofit Sectors
Problems exist in the government and nonprofit sectors just as they do in the corporate sector. Recent alleged problems at the World Bank (reported in U.S. News and World Report) include kickbacks, payoffs, bribery, embezzlement (a midlevel manager took over $2 million), and collusive bidding.
According to EthicsPoint, a leading provider of technology-based governance, risk, and compliance services, more than 20 separate states’ attorneys general have launched 30 investigations into nonprofits all over the United States. In 2002, the United Way scandal (where a director took funds through questionable payments and other executives charged the organization for personal expenses) came to the public’s attention. Its aftermath has had a dramatic impact on fundraising. The Washington Post reported that the United Way’s fall fundraising drive had dropped from a high of $90 million in 2001 to $19 million in 2004. Other notable nonprofit organizations such as the American Red Cross and the Nature Conservancy have also had to deal with scandals and the resulting negative impacts. The Red Cross had funds stolen and additional bonuses taken because of poor internal controls. The Nature Conservancy encountered problems when the organization engaged in inappropriate business and real estate transactions with its trustees.
Even universities are not immune from scandals. Scandals such as that involving presidential spending at American University often relate to the misuse of athletic, research, or university funds. As part of the termination decision, American University’s board of trustees asked its former president to reimburse the institution $125,000 for personal expenses as well as authorize the audit committee to disclose $398,000 in unreported taxable income. Because of the increasing prevalence and publicizing of these incidents, many government and nonprofit entities are not only more aware of SOX, but have already begun the process of implementing certain provisions of SOX within their organizations.
According to a 2004 Grant Thornton study, nearly half of nonprofits have made corporate governance policy changes in the wake of SOX. The study highlights the following statement from Grant Thornton’s Larry Ladd: “Many not-for-profits believed that Sarbanes-Oxley was a passing fad or bubble. Today, however, awareness of the act and actions based on the provisions of Sarbanes-Oxley are on the rise. Board members and regulators are now pressing for reform.”
While the costs of implementing the provisions of SOX are unquestionably high, certain provisions do have significant benefits. These beneficial components can be selectively applied by noncorporate entities to provide good organizational governance and reduce the potential for fraudulent activity. Additionally, all organizations should consider that failure to respond appropriately today could lead to potential disaster in the future. The consequences may include not only the loss of funds but also the high-profile negative publicity that can severely damage an organization’s reputation.
One specific component of SOX that is particularly applicable to noncorporate organizations is whistleblowing, the act of reporting wrongdoing to another party. At the time of the Grant Thornton study, only 29% of nonprofits had a whistleblower policy in place. Organizations of all kinds should better understand what whistleblowing is, what the components of a whistleblowing policy are, and where to turn for more information.
What Is Whistleblowing?
Whistleblowing can be defined in a number of ways. In its simplest form, whistleblowing involves the act of reporting wrongdoing within an organization to internal or external parties. Internal whistleblowing entails reporting the information to a source within the organization. External whistleblowing occurs when the whistleblower takes the information outside the organization, such as to the media or regulators. Establishment of a clear and specific definition of whistleblowing itself should be a fundamental component of every whistleblower policy.
Whistleblowers have garnered attention recently due to the worldwide media exposure of recent accounting scandals. In 2002, Time magazine named whistleblowers Cynthia Cooper of WorldCom, Sherron Watkins of Enron, and Coleen Rowley of the FBI as its “Persons of the Year.” While the first two individuals are well known and involve financial scandals, Rowley’s whistleblowing was a noncorporate case but with very serious ramifications involving lapses in the intelligence community in the weeks prior to the September 11, 2001, terrorist attacks.
The origins of whistleblowing go back well over a century. In fact, whistleblowing initially arose not in connection with corporate malfeasance, but in the federal government’s False Claims Act.
1863: The False Claims Act’s influence. The False Claims Act was established to offer incentives to individuals who reported companies or individuals defrauding the government. It was introduced by Abraham Lincoln in 1863 to target sales of fake gunpowder to the Union during the Civil War. In 1986, the False Claims Act was brought back and Congress added antiretaliation protections. The Act also specifies that the whistleblower can share in up to 30% of the proceeds of the lawsuit. According to the Taxpayers Against Fraud (TAF) False Claims Act Legal Center (www.taf.org), this Act has resulted in more than $17 billion dollars of recoveries for the U.S. government since 1986. Major nonprofits that have paid large settlements in recent years include major universities and government entities (see www.taf.org/top100fca.htm for a comprehensive list of the largest claims). Financial rewards to whistleblowers can, however, create an incentive to report bogus false claims. The Act imposes monetary penalties on bogus whistleblowers.
1989 and 1994: The Whistleblower Protection Act. Under the Whistleblower Protection Act, passed in 1989 and amended in 1994, federal employees are protected from workplace retaliation when disclosing waste and fraud. The purpose of the Act and subsequent amendments was to strengthen the protections available to federal employees. Congress has considered reforms that would overhaul the act and enhance protections for federal employees who expose fraudulent activity, waste, and threats to public safety. Such legislation was debated last year, and in 2007, the House of Representatives approved the Whistleblower Protection Enhancement Act, which overhauls federal whistleblower law.
2002: SOX requirements. In addition to the changing attitude toward whistleblowing, changes in laws and rights related to whistleblowing have followed. SOX provides an example of how publicly traded companies have been required to reshape their businesses and their attitudes toward workplace crime. Sections 806, 301, and 1107 of SOX provide additional guidance for whistleblowing.
Section 806 extends protection to employees of publicly traded companies who report fraud to any federal regulatory or law enforcement agency, any member or committee of Congress, or any person with supervisory authority over the employee. This regulation states that whistleblowers who provide information or assist in an investigation of violations of any federal law relating to fraud against shareholders or any SEC rule or regulation are protected from any form of retaliation by any officer, employee, contractor, subcontractor, or agent of the company. Employees who are retaliated against will be “entitled to all relief necessary to make the employee whole” (SOX section 806), including compensatory damages of back pay, reinstatement of proper position, and compensation for litigation costs, expert witness fees, and attorney fees.
SOX also requires audit committees to take a role in whistleblowing and reducing corporate fraud. Section 301, amending the Securities Exchange Act of 1934, compels audit committees to develop reporting mechanisms for the recording, tracking, and acting on information provided by employees anonymously and confidentially. By mandating policies and protection for reporting wrongdoing, the SOX standards go beyond merely encouraging companies to be more responsive to employee whistleblowers.
In SOX section 1107, the reach of whistleblowing policies extends beyond public corporations. This section extends protection to any person who reports to a law enforcement officer information related to a violation of a federal law. These whistleblowers are protected from any retaliation by the offender. A violator may be fined and imprisoned for up to 10 years.
Supreme Court decision. In May 2006, the Supreme Court ruled
in Garcetti v. Ceballos that whistleblowers who make statements
while performing their jobs may not be constitutionally protected. Richard
Ceballos, a supervising deputy attorney, was asked by defense counsel
to review a case where defense counsel claimed the affidavit used by the
police to obtain a search warrant was inaccurate. Ceballos concluded upon
his review that there were significant misrepresentations in the affidavit,
and he communicated his findings in a memo to his supervisors, the petitioners,
and the trial court. Ceballos later claimed that the petitioners retaliated
against him for his memo. Reversing the ruling of the Ninth Circuit Court
of Appeals, the Supreme Court found that the memo was not protected because
Ceballos wrote it while performing his employment duties. Congress has
Why Implement a Whistleblower Policy?
All organizations, including universities, governmental entities, and nonprofits, should consider implementing whistleblowing provisions. Consider these important facts from the Association of Certified Fraud Examiners’ 2006 “Report to the Nation on Occupational Fraud and Abus”:
Reporting on internal controls was recommended to the corporate community in the late 1970s, but it took the large scandals (such as Enron) for the SOX legislation to impose such reporting. Recent legislation in California (California’s Nonprofit Integrity Act of 2004) and proposed legislation in other states suggest that nonprofit organizations should consider “best practice” governance policies and mechanisms similar to the provisions of SOX, as doing so may prepare them for future legislative requirements.
IRS data indicate that many nonprofit organizations would be categorized as small businesses. Most small businesses struggle with an appropriate level of segregation of duties, making a whistleblower policy a good mitigating control. A whistleblower policy and effective enforcement has the potential not only to significantly reduce fraudulent activity but also to send a signal to both internal and external constituencies that the organization exercises good corporate governance. Just as corporations must answer to shareholders, universities, government entities, and nonprofit organizations must answer to the public regarding the stewardship of resources.
The authors agree with the commentary in The CPA Journal (Mary-Jo Kranacher, “Whistleblowing: The Devil in the Details,” July 2006) that whistleblowing can significantly affect a whistleblower’s life and livelihood. The authors believe that the potentially huge personal impact whistleblowing can have on individual whistleblowers means there is an even greater need for organizations to develop clear whistleblower policies.
Many professional organizations associated with universities, government entities, or nonprofit organizations have recognized certain mechanisms as a best practice and recommend that their constituents implement whistleblower polices. The following are a few examples.
National Association of College and University Business Officers. NACUBO provided whistleblowing guidelines in its Advisory Report 2003-3, “The Sarbanes-Oxley Act of 2002: Recommendations for Higher Education.” Although SOX is not required for colleges and universities, NACUBO’s recommendations are based on SOX section 301. NACUBO Advisory Report 2003-3 states:
BoardSource and Independent Sector. BoardSource (formerly the National Center for Nonprofit Boards) and Independent Sector (a leadership foundation for charities, foundations, and corporate giving programs) published a joint report, “The Sarbanes-Oxley Act and Implications for Nonprofit Organizations.” It overviews the SOX provisions and makes several recommendations to nonprofits, such as the following:
National Council of Nonprofit Associations. The NCNA, a network of state and regional nonprofit organizations, developed a sample whistleblower policy for use by small and mid-sized nonprofits. The sample policy covers the following areas: responsibility for reporting violations, preventing retaliation against whistleblowers, methods for reporting violations, the compliance officer’s duties, applicable areas of complaints and those responsible for addressing them, the involvement of the audit committee in complaints involving internal controls and auditing, the treatment of malicious or false allegations, confidentiality, and procedures for acknowledging reported violations.
Developing a Whistleblower Policy
A whistleblower policy may be drafted and implemented by management, but it should then be submitted to the audit committee or board of directors. The foundation of any whistleblower policy is a clear and specific definition of whistleblowing. Other key aspects of a whistleblower policy include the following:
Upon completion of the whistleblower policy, the organization should develop implementation and enforcement mechanisms that are consistent with the policy. Although the first step—creating an environment where a whistleblower will report problems that exist—is the crucial one, to be fully effective a whistleblower policy must be consistently implemented, claims investigated and evaluated, and proper enforcement taken when necessary.
The purpose of this article is to increase awareness of the need for whistleblower policies for universities, governmental entities, and nonprofit organizations. Important components of these policies have been introduced above, but organizations should do additional research before adopting their final policies. Those wishing to develop a whistleblower policy can consult the actual text of SOX, examine the sample whistleblower policy from the National Council of Nonprofit Associations (see www.ncna.org), and look at actual policies developed by other organizations. The Sidebars provide information to help begin the process.
Click here to view Sidebar 1.
Click here to view Sidebar 2.
Tim V. Eaton, PhD, CPA, is an associate professor of accountancy at Miami University, Oxford, Ohio.
Michael D. Akers, PhD, CPA, CMA, CFE, CIA, CBM, is the Charles T. Horngren Professor of Accounting and chair of the department of accounting at Marquette University, Milwaukee, Wisc.