Risk & Compliance

Dial ”M” for Malfeasance

New regulations will require companies to put in complaint systems for employees. But CFOs say setting up good lines of communication can be a real...
Craig SchneiderMarch 12, 2003

According to a recent report by The Association of Certified Fraud Examiners, organizations lose about 6 percent of their revenue to occupational fraud and abuse. The study also noted that occupational fraud was most commonly detected by a tip from an employee, customer, vendor, or an anonymous source.

You don’t have to tell Thom Weatherford about the value of inside information.

Years ago, when serving as CFO of Ungermann Bass (then owned by Tandem Computers), Weatherford received a tip from an employee that a country manager was coercing workers to record “revenue that wasn’t really revenue.” Weatherford launched an internal investigation, which ultimately confirmed the employee’s disturbing allegation. “Luckily, there was no harm on the revenue side,” recalls Weatherford. “But there was always that potential.”

Weatherford, who recently retired as finance chief of analytics software maker Business Objects, still serves on the boards of two companies. He says the ugly incident at Ungermann Bass provided a valuable lesson that might have otherwise gone unheeded. “It did bring up that maybe our internal controls could be strengthened,” he acknowledges.

Turns out the internal controls at a lot of companies could stand some strengthening. Over the past 18 months, shareholders have witnessed a seemingly endless parade of corporate scandals, revenue restatements, and Securities and Exchange Commission investigations.

To restore some faith in corporate accountability, lawmakers have attempted to ratchet up the control function at publicly traded companies. Part of that ratcheting up involves expanding the role — and responsibilities — of audit committees.

But legislators and regulators also seem intent on making it easier for whistle-blowers like the Ungermann Bass employee to rat out their bosses. The Sarbanes-Oxley Act of 2002, for example, includes a proposed rule requiring audit committees to establish procedures for the receipt, retention, and treatment of anonymous and confidential complaints by employees on accounting or auditing matters.

The SEC plans on issuing the final rules governing the compliance notification systems by April 26. SEC spokesman John Heine says the Commission could come out with the final rules even sooner. Either way, publicly traded companies must be in compliance with the law within a year of its publication in the Federal Registrar.

There’s just one problem. Observers say the current design of the SEC’s complaint notification system is so vague that they’re not quite sure what compliance entails.

Take Gary Barton, senior audit manager at J.C. Penney Co. Barton says he believes the retailer will be able to comply with the proposed system without using one of the many third-party providers that offer hotline services. But Barton also concedes that he’s been meeting with compliance officers at other companies to figure out best practices for addressing the whistle-blower requirements of Sarbanes-Oxley.

And the audit manager acknowledges that uncertainty about the new law may eventually force him to contact an outsourcer. “If we go further and they tell us where the complications are,” he says, “then we’ll look further into outsourcing.”

Hotline Hang-ups

One complication Barton and others may encounter: potential conflicts of interest. Companies must have a reporting system that allows for confidential and anonymous reporting by employees. In addition, they must maintain an appearance of independence once those complaints come through. “There must also be frank, open and clear channels of communication so that information can reach the audit committee,” says the proposal.

Indeed, concerns over independence and anonymity have some employers turning to third-party providers to at least manage the recording requirement in their complaint notification systems. Certainly, there’s no shortage of providers to turn to. These are halcyon days for outsourcers of corporate hotlines, and in recent months, a number of vendors (including Edcor, Report it, and The Network) have started aggressively hawking their services.

Complaint notification system outsourcers also like to point to data from The Association of Certified Fraud Examiners showing that organizations with fraud hotlines cut their fraud losses by approximately 50 percent per scheme. But critics warn that setting up a hotline through a third party doesn’t fully get employers off the compliance hook.

They’re right. An outsourcer who receives a legitimate complaint from an employee must still pass that information on to somebody at the company — typically, the company’s compliance officer. Depending on the setup, a member of the internal audit or general counsel’s staff may also be assigned to investigate and relay a validated claim to a company’s audit committee for review.

Some corporate executives also doubt that third-party hotline operators will be able to handle complex allegations coming from disaffected finance workers. Some believe relatively low-paid operators will not be able to always ask the next logical question that would make an anonymous caller’s complaint complete for investigative purposes. Vendors deny that charge. But it’s also uncertain — if calls are truly anonymous — how corporate officers will be able to follow up on an inconclusive report from an outsourcer.

What is crystal clear, however, is that any complaint notification system works best if the notifier of a complaint trusts the system. Says Lesley Ann Skillen, a partner at law firm Getnick & Getnick: “The key to making one of the hotlines work is to make employees feel comfortable about making a report without fear of retaliation or retribution.”

Get-Out-of-Jail Fee Card

That’s no small task — particularly given recent headlines.

In August 2001, for instance, Roy L. Olofson, then a finance vice president at Global Crossing Ltd., reportedly sent a letter to the telco’s top ethics official alleging that the company swapped fiber-optic capacity with other carriers to artificially boost revenues. Olofson was laid off three months later in what the company insists was part of a companywide reduction. Global Crossing’s management also claims that the VP of finance sought a large payment in exchange for his silence on the subject, a claim Olofson denies.

Regardless, the Olofson case would seem to confirm what some workers already suspect: whistle-blowers often end up on the street. Certainly, Sherron Watkins’ testimony that former Enron CFO Andy Fastow tried to get her fired for going directly to CEO Kenneth Lay with her now-famous E-mails may make comfort a bit of a hard sell. Says Skillen: “That doesn’t give everyone a wonderful feeling for going over the head of their bosses and reporting something to senior management.”

Hotline experts say there are things companies can do to help protect the confidentiality of complaints, however. Mostly, it’s a matter of getting good information upfront so a company’s audit committee doesn’t have to track down the whistle-blower.

To ensure a complete report, David Mair, former director or risk management at the U.S. Olympic Committee, recommends that employers require hotline callers to provide some basic information when calling in. He says employees should recount the exact nature of the fraud, such as “I believe that this transaction was improperly reported.”

He says workers should also be asked when they first become aware of the action being reported, how they came to possess the information they are reporting, and if they participated in the transaction. It’s also important to make sure that employees indicate whether they actually witnessed the alleged transgression. Many third-party providers are familiar with the questions and say they can customize support to cover all the necessary bases.

As employers get better at dealing with tips and complaints, it’s possible that employees will become less fearful about reporting indiscretions. There’s some evidence, in fact, that employees are already getting more comfortable blowing the whistle on employers — and sharing their identity when doing it.

Over the past six months, only 48 percent of callers to the corporate ethics hotlines run by The Network Inc. have requested anonymity. That’s a steep drop from an average of 75 percent over the past 20 years, says CEO Tony Malone, whose company provides hotline services to about 1,000 companies.

Malone ascribes the change — which predates the anti-retaliatory measures in Sarbanes-Oxley — to a growing awareness among employees of the harm that unethical corporate behavior can cause. Says Malone: “Employees are profoundly aware that inappropriate behavior can bring about the ruin of their company and damage them personally.”

Is This Where We Go to Complain?

Meanwhile, employers seem to be profoundly aware that retaliation against a whistleblower can damage them financially.

To date, relatively few suits alleging retribution against whistle-blowers have made it to trial. In fact, corporate boards seem hell-bent on keeping such cases from ever reaching a courtroom.

It doesn’t take a super-genius to figure out why. Bob McMullan, CFO of GlobespanVirata Inc., says that when whistle-blowers bring litigation against management of a company for such claims as wrongful termination, the American justice system tends to run in reverse. “Companies have to prove their innocence,” he asserts. “[The claim] is deemed to be correct.”

Darryl Rains, an attorney at Morrison & Foerster, concurs. “Two-thirds of jurors come to court believing that corporate executives are dishonest and will lie to make a buck,” he notes. “Those statistics predate Enron.”

Such jury predilections may explain why Walt Disney Co. recently settled a reported $20 million “whistle-blower” lawsuit for an undisclosed amount. A former executive brought the suit, claiming she was fired for refusing to help the company allegedly cheat the Internal Revenue Service. Disney management declined comment for this story, but has reportedly called the allegations “shameful and untrue.”

Nonetheless, the mere prospect of jaw-dropping jury awards may convince some CFOs to bring in third-party hotline vendors to handle employee complaints. Some observers say contracting an outsourcer could prove crucial if a whistle-blower is later fired for, say, poor performance. With an outsourcer running a hotline and information kept confidential and anonymous, they assert a supervisor would likely be free of blame if they fired an underachieving employee. Why? There would be no way for the supervisor to know that the individual was the one who lodged a complaint.

Other experts warn that complaint hotlines set up entirely in-house for Sarbanes-Oxley compliance can overload the directors or officers handling the calls. “My concern would be that they would not have the time to do it effectively or management’s position wouldn’t be able to independently deal with employee complaints,” says attorney Rains.

The issue, however, is up for debate. Hugh Donnelly, vice president of audit at Pfizer, notes that the company uses a third-party hotline vendor. The drug maker’s compliance officer serves as the initial point of contact with the company’s outsourcer.

While Donnelly says Pfizer’s audit committee will have the final say on whether the company’s current practice will come up to the SEC’s requirements, he’s comfortable leaving the filtering to his compliance officer. “If any financial items would come through that,” Donnelly explains, “my compliance offer would clearly get me involved to assist on the investigation, if that’s required.”

Jocelyn Arel, partner with Testa, Hurwitz & Thibeault, LLP, suggests that companies that want to take the most conservative approach to complaint notification systems should have allegations go directly to the audit committee — without going through senior management. “It depends how an individual company defines anonymous,” she says.

Realistically, though, Arel concedes that even with a small number of cases to validate, audit committee members are generally too busy to handle more than a few complaints.

Mayhem or Maytag?

Whether they get more than that remains to be seen. For the moment, though, J.C. Penney’s Barton is worried how to best filter thousands of worker phone calls once the retailer rolls out its hotline in the next few months. Barton says he’s come to expect the avalanche after discussing Sarbanes-Oxley hotline compliance with the general counsel at retail rival, Sears.

Eckerd Corp., J.C. Penney’s drugstore chain subsidiary, may also provide Barton with a glimpse of what he can expect. Eckerd already has an operational hotline that is staffed at all hours by the company’s loss prevention group. But just six calls out of thousands made to the center over the last six months were related to accounting or auditing matters. The group’s manager passed the reports to the compliance officer who serves as the gatekeeper for further investigation by appropriate members of the staff. “I assume they are resolved,” Barton says of the six calls, “and are not a big issue.”

To be sure, Eckerd’s hotline is not compliant with the Sarbanes-Oxley proposed rule because it does not allow for employees to make their calls anonymously. But Barton says that will soon change: “The way to do it is to assign a case or claim number to the individual,” he explains.

The individual can then call back and reference that same number to learn of any progress in the claim’s investigation. Many times, Barton says, the complaint comes from a lower-level individuals whose lack of full understanding on accounting practices “may lead them to do what they believe is a whistle-blower activity.”

In fact, some experts say it’s not real likely that dozens of complaints will merit review by the company’s audit board, let alone its board of directors. Mair says he’s helped establish ethics hotline programs at eight organizations. So far, he says all but one considers what they’ve done a success. “I think the one that isn’t happy overspent on what they could have done,” he says, noting that the company hired a full-time person to staff the hotline and do the follow-up.

In the end, Mair says, the staff member simply had no reports to investigate. “It was like the Maytag repair man.”

Most companies would love to have that problem.

What Hotline Outsourcers Charge

With the Securities and Exchange Commission set to issue final guidelines on complaint notification systems, some CFOs aren’t sure how much setting up those systems will cost.

There is a growing belief among corporates that merely spending enough to hook up a phone line with a voicemail that has caller-ID disabled will not be enough to satisfy the SEC. And as John Robertson, CEO of hotline outsourcer Edcor, notes, a big part of the expense is just getting the message out. “Communication costs can far exceed the cost of the line itself,” he says.

Anthony Lavalle, CEO of Report It, a third-party provider based in Great River, New York, explains his company’s sliding scale: The system ranges from $5 per employee for smaller companies to as little as 95 cents for businesses with more than 20,000 employees (per employee, per year).

Corporations with 100,000 employees or more can purchase dedicated servers, which are typically tied into longer-term service agreements. It will also be on a per-employee charge but with costs of hardware, software, and setup. The regular hotline annual service agreement, in contrast, can be terminated if the client is not happy.

Edcor’s Robertson claims to be able to have hotline services up for clients in less than 24 hours. Report It is currently promising setup within five days for its hotline service. “But as we get closer to the April 26 date,” says Lavalle, “we may have to extend that if many are waiting.”