Sarbanes-Oxley Complaint Procedure Fact Sheet
The Act
The Sarbanes-Oxley Act of 2002 (SOX) was passed in response to
publicly traded companies issuing misleading financial statements
at the direction of senior executives and sometimes with the assistance
of outside auditors. The Act attacks the problem on many fronts,
including new standards for a board of directors’ audit committee.
The Complaint Procedure Requirement
Section 301 requires an audit committee “to
establish procedures for the receipt, retention and treatment of
complaints … regarding accounting, internal accounting controls
or auditing matters,” including anonymous employee reports.
The law is not restricted to employee complaints.
Deadline for Compliance
The SEC’s final rule requires compliance by the first annual
shareholders’ meeting after January 15, 2004, but no later
than October 31, 2004.
Penalty for Non-Compliance
The penalty for not having the procedures in place by the deadline
is de-listing of the company by the stock exchange or securities
association through which its stock is traded.
Whistleblower Protections
SOX contains strong prohibitions on retaliating against anyone
reporting questionable accounting or auditing practices (whistleblowers):
- Section 806 gives employees a right to sue
their employer for retaliation. First, employees must file a
charge with the U.S. Department of Labor. OSHA then has 180 days
to investigate and resolve the complaint. It is likely that this
process will not satisfy whistleblowers, and they will sue.
- Section 1107 provides for criminal penalties,
including up to 10 years in prison, for retaliation.
Disclosure
Section 404 of SOX requires disclosure regarding
the effectiveness of the “internal control structure” in
the company’s annual report and in the outside auditor’s
report. The complaint procedure mandated under Section 301 is reasonably
considered an “internal control structure”, and therefore
at least summary information must be disclosed.
The Network’s case management systems enable documentation
of investigations, demonstrating due diligence in complying with
SOX and facilitating trend analysis.
Recordkeeping
SOX does not dictate how long complaint records must be retained,
but the disclosure requirement in Section 404 implies that records
must be kept for at least the next fiscal year.
Questions That Remain Unresolved
Must complaints be routed directly to the audit committee,
or can they be channeled through management?
If management is involved in the accounting fraud, it would be
futile to route whistleblower complaints to management. The Network
recommends that Sarbanes-Oxley complaints be automatically routed
to a designated member of the audit committee and to the person
who typically receives ethics violation reports. Dual dissemination
ensures that the audit committee is aware of allegations and that all
reports are documented by a company employee for investigation.
Is an internal procedure adequate, or must it be run by
an independent third party?
Internal complaint procedures contribute to positive employee
relations and are often effective in solving problems before
they escalate. However, employees reporting high-stakes, sensitive
issues such as accounting fraud may not trust internal channels.
An independent channel assures the employees’ confidentiality and demonstrates
the company’s commitment to maintaining an ethical workplace.
What reporting mechanism is required?
The law simply requires a confidential reporting mechanism. A 24-hour
telephone hotline has a proven track record of success for business
ethics issues because it assures callers’ anonymity. It
is also interactive, allowing a skilled interviewer to elicit
the details needed to produce an actionable report. Other mechanisms,
such as messaging services, e-mail or postal mail, do not possess
these features and may expose the company to liability because
it has notification of misconduct but insufficient information
to act.
How should the procedure be communicated to employees?
Employee education is critical to the effectiveness of a complaint
procedure. Posters, brochures and other written materials should
be supplemented by discussion of the reporting procedures in
employee meetings and manager training. Communication is not
a one-time event; it must be periodically updated and refreshed.
How should Sarbanes-Oxley complaints be investigated?
Audit committees should seek the help of outside counsel to investigate
complaints received through a SOX hotline.
What are the Case Management Requirements?
The law does not specify how a company should retain or handle
incident reports. However, Section 404 contains requirements
regarding annual report disclosure and external audit, which
will be difficult to achieve without recording information for
each complaint, including a description of any actions taken
to investigate the concern. The annual report requirements make
it sensible to retain this information for at least a year. The
Network’s Online Case Management system complies fully
with this aspect of the law.
When does this need to be done?
Sarbanes-Oxley’s whistleblower retaliation penalties, including
fines and incarceration, are in effect now. Given the severity
of the penalties, it is wise to act quickly to provide the required
protection.
This material has been created to assist clients of The Network, Inc.
in interpreting the Sarbanes-Oxley Act.
It does not constitute legal counsel, and sharing
this information does not create an attorney-client relationship. ©2003
The Network, Inc. All rights reserved.