A Roadmap for Audit Committees in Meeting the Challenges Posed by Enhanced Regulatory Scrutiny Under the Dodd-Frank Act
Audit committees must aid management in navigating an increasingly complex regulatory framework. Two recent developments arising from the passage and implementation of the Dodd-Frank Act1 have led to further challenges for audit committees and increased the importance of their oversight role.
First, Dodd-Frank created new monetary incentives for whistleblowers and increased the breadth and scope of anti-retaliation protections for whistleblowers. Second, Dodd-Frank gave the SEC authority to initiate enforcement actions against entities and individuals that “recklessly provide substantial assistance in violation of the securities laws.” As a result, public companies and their officers and directors may be liable for securities violations of which they were unaware if the government can establish that they failed to maintain proper internal controls or to create a culture of regulatory compliance. This newsletter discusses the new regulations and their ramifications for public companies and also suggests a set of best practices for audit committees going forward.
Enhanced Whistleblower Provisions and Protections
In May 2011 the SEC adopted final rules to implement the whistleblower bounty program mandated by Section 922 of the Dodd-Frank Act.2 Since the new measures went into effect in August 2011, the number and quality of tips the SEC has received have reportedly increased.3 The new rules provide monetary awards for whistleblowers who voluntarily provide the SEC with original information that leads to a successful enforcement action yielding more than $1 million in sanctions. The bounty applies both to public companies and to nonpublic subsidiaries whose financials are consolidated into the parent. The amount of the award is ultimately at the Commission’s discretion, but will range anywhere from 10 to 30 percent of the total monetary sanctions collected in successful Commission and related actions.4
The final rules encourage, but do not mandate, that employees utilize internal compliance and reporting systems before reporting to the SEC.5 Given the increase in monetary awards, there is a risk that whistleblowers may bypass internal reporting systems and report directly to the SEC. As a result, audit committees should ensure that management creates a protected, anonymous system (when allowed under the country’s laws where the employee and alleged malfeasor are located) for employee complaints and that it communicates to employees that reports will be taken seriously. It should be recognized, however, that such efforts may be less successful when a whistleblower has already retained outside counsel.
Dodd-Frank also enhanced anti-retaliation protections for whistleblowers. The Act prohibits the SEC from disclosing information that could reveal a whistleblower’s identity. Internal complaints constitute protected activity provided the whistleblower had a reasonable belief that the information provided related to possible securities law violations. Aggrieved employees can bring claims up to a maximum of ten years from the last retaliatory act (versus 180 days under Sarbanes-Oxley).6 Whistleblowers who have been retaliated against can also earn double the potential damage recovery under Dodd-Frank than was previously available under Sarbanes-Oxley.7
SEC Enforcement Actions for “Recklessly Providing Substantial Assistance”
Perhaps Dodd-Frank’s greatest impact on the responsibilities of audit committees arose from its expansion of scienter requirements. Sections 929M-O of the Dodd-Frank Act lowered the standard for “aiding and abetting” violations of the securities laws from “knowingly providing substantial assistance” to “knowingly or recklessly providing substantial assistance” and expanded the Commission’s authority to bring aiding and abetting actions beyond the Securities and Exchange Act of 1934 to the Securities Act of 1933, the Investment Company Act and the Investment Advisers Act. Prior to Dodd-Frank the SEC had to prove that an individual had actual or constructive knowledge of the securities violation. Now the SEC need prove only that the individual acted recklessly.8 Recklessness has been defined by the courts as “highly unreasonable [conduct], involving not merely simple, or even inexcusable negligence, but an extreme departure from the standards of ordinary care, and which presents a danger of misleading buyers or sellers that is either known to the defendant or is so obvious that the actor must have been aware of it.”9 This should make it easier for the Commission to bring aiding and abetting actions in the future. These changes might be particularly significant for audit committees, given their responsibility for assessing risk management and compliance.
At present there is no private right of action for aiding and abetting another in violation of the securities laws; however, that may change, as Section 929Z(a) of the Dodd-Frank Act provided that the “Comptroller General of the United States shall conduct a study on the impact of authorizing a private right of action against any person who aids or abets another person in violation of the securities laws.”
In light of this new standard, audit committees of public companies should ensure that procedures and systems are in place to guard against reckless securities violations. Here are some recommendations:
Recommended Best Practices for Audit Committees
- Ensure members’ independence, lack of conflicts, and financial expertise.
- Perform rigorous self and peer evaluations.
Monitoring the Effectiveness of Internal Controls/Internal Audit Process
- Ensure that the company has a robust internal audit function.
- Critically challenge reports from management about the company’s processes and internal controls.
- Discuss the evaluation of and response to any control deficiencies with auditors and management.
Oversight of Financial Reporting/Accounting
- Ensure the accuracy of the company’s financial statements.
- Discuss with management and auditors the timing and nature of disclosures.
- Look for any inconsistencies in the company’s financials to determine when restatements may be warranted.
Oversight of External Auditor
- Ensure the qualifications and independence of the company’s outside auditor.
- Consult with the outside auditor to ensure appropriate testing.
- Review company financials with the outside auditor to understand them in detail.
Oversight of Regulatory/Legal Compliance
- Ensure the company’s compliance with legal and regulatory requirements in the U.S. and abroad.
- Emphasize the importance of an appropriate “tone at the top” regarding compliance.
- Consider splitting the legal and compliance functions and, under any circumstances, ensure that the Chief Compliance Officer reports directly to the Board or the Audit Committee.
- Review business codes of conduct.
- Review incentives for reporting.
- Keep appropriately translated compliance materials up to date and accessible to all employees.
- Ensure employees receive frequent training on compliance with applicable laws, including the FCPA.
Ensure Reporting and Investigation of Allegations of Misconduct
- With Chief Compliance Officer, develop policies and procedures for confidential reporting of allegations of misconduct through a well-publicized “hotline.”
- Ensure that allegations reach senior leadership in a timely fashion.
- Regularly review management’s response to allegations.
- Triage allegations so that those requiring more time are handled first. A company has 120 days before an employee can report to the SEC without losing his or her “first in line” status as a whistleblower.
- Conduct thorough investigations in response to allegations, but not at the expense of implementing timely remedial action to correct any problems.
- Use outside counsel if the allegations involve senior management.
- Use outside counsel to preserve and collect documents and conduct employee interviews.
- Allow outside counsel to determine what other third parties (e.g., investigators, forensic accountants, e-discovery vendors) should be retained.
- Protect the company’s privilege when interacting with the SEC or law enforcement agencies (courts do not always honor limited waiver agreements entered into with the government). Carefully define the scope of communication to the Commission and guard against unauthorized disclosures of privileged information or attorney work product.
Oversight of Risk Management
- Educate senior officers and country managers as to potential whistleblower signs (e.g., criticism regarding third-party relationships, requests for closed files, questions regarding company procedures as well as applicable foreign laws).
- Foster information sharing among risk management personnel, and ensure that this information is regularly presented to the Audit Committee.
- Ensure segment reporting when appropriate, and require a closer look at any region that has a significant shift in sales volume.
- Encourage management to perform due diligence in advance of hiring third parties. Particularly for those operating abroad, ask for representations regarding third parties’ compliance/internal control procedures, provide third parties with summaries of applicable company policies, and train third parties in key compliance areas.
- Ensure that a thorough due diligence assessment, including anticorruption, is conducted before any foreign acquisition.
- Review and revise, if necessary, the policies of newly acquired companies (particularly those from countries that are low on the Transparency International Corruption Perceptions Index).10
Remember, “an ounce of prevention is worth a pound of cure.” Furthermore, even if these measures are not completely successful in preventing violations, the Department of Justice’s Principles of Federal Prosecution of Business Organizations gives significant weight to robust compliance programs in determining whether a prosecution is appropriate.11 In addition, even when the DOJ decides that prosecution is appropriate, the U.S. Sentencing Guidelines provide for a reduction in penalties if the company had in place an “effective compliance and ethics program” that was well-publicized, monitored by the company’s Board and contained anti-retaliation provisions for whistleblowers.12
1. Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111–203 (2010), was enacted on July 21, 2010 in order to address oversight and supervision of financial institutions and to enhance corporate governance and whistleblower provisions.
2. See SEC Final Rules, 17 C.F.R. §§ 240.21F-1—240.21F-17 (2011), publicly available at http://www.sec.gov/rules/final/2011/34-64545.pdf.
3. See Speech by Sean McKessy, Chief, Office of the Whistleblower (Aug. 11, 2011), publicly available at http://www.sec.gov/news/speech/2011/spch081111sxm.htm.
4. See SEC Final Rule, 17 C.F.R. § 240.21F-5 (2011).
5. For example, see SEC Final Rule, 17 C.F.R. § 240.21F-6(a)(4) (2011), listing participation in internal compliance programs as one factor the Commission may consider in increasing the amount of the whistleblower's award.
6. See Kramer v. Trans-Lux Corp., 3:11CV1424 SRU, 2012 WL 4444820 (D. Conn. Sept. 25, 2012).
7. See 15 U.S.C. § 78u-6(h)(1)(C) (2010).
8. See 15 U.S.C. § 78t(e) (2010).
9. Hollinger v. Titan Capital Corp., 914 F.2d 1564, 1569 (9th Cir. 1990), quoting Franke v. Midwestern Oklahoma Dev. Auth., 428 F. Supp. 719, 725 (W.D. Okla. 1976).
10. The Corruption Perceptions Index for 2012 is publicly available at http://www.transparency.org/cpi2012/results.
11. See United States Attorney's Manual, 9-28.800.
12. See U.S.S.G. § 8C2.5(f)(1).