On July 30, 2002, the Sarbanes-Oxley Act (SOX) was signed into law. The law applies to publicly traded institutions, generally those with more than 300 shareholders. However, certain aspects of the law apply to banks with more than $500 million in assets through regulatory requirements, and concepts of the law are strongly recommended by banking regulators for all banks with less than $500 million in assets.
The primary intent of the Act is to hold executives and the independent accountants of public companies more responsible to shareholders and to impose much stricter penalties in cases of fraud. Senior management is required to pay more attention to auditing and controlling functions, as serious penalties are possible in case of fraud, defection, obstruction of justice and destruction of evidence. Changes are also required on the board of directors: non-executive directors must regularly meet separately. Non-executive directors also must allocate more of their time to board duties and assume greater responsibilities due to board independence and the transfer of power. Our auditors will also wield more independent power under the requirements of the law.
IT Controls Critical
IT (Information Technology) is a term that encompasses all forms of technology used to create, store, exchange, and use information in its various forms - in other words, all of our data. The financial industry is driven by IT. Compliance with SOX requires the creation of automated controls that aim to reduce or even eliminate the possibility of errors.
Although much of what has been written about SOX is aimed at how management, audit and the board of directors will change and function, one part of the Act states that the Audit Committee of the board of directors is responsible for "establishing procedures for the receipt, retention and treatment of complaints... regarding accounting, internal accounting controls or auditing matters." It goes on to specifically state that the reporting mechanism must enable employees to remain anonymous when making such a complaint. This is a logical and important step toward protecting a whistleblower.
Specifically, Sarbanes-Oxley, Section 301 states: Complaints: Each Audit Committee shall establish procedures for: A. The receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and B. The confidential anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.
In the Report to The Nation, the Association of Certified Fraud Examiners documented how fraud was discovered. The results were not surprising to those Security Officers and Directors in our financial institutions. Initial discovery of fraud was by:
- Law Enforcement - 1.7%
- Tip from Vendor - 5.1%
- Tip from Unknown Party - 6.2%
- Tip from Customer - 8.6%
- External Audit - 11.5%
- Internal Audit - 18.6%
- Accidental Discovery - 18.8%
- Tip from Employees - 26.3%
Many financial institutions have discovered the value of anonymous employee hotlines to comply with the SOX legislation and detect damaging internal fraud.
As our financial institutions and other public companies review and revise their governance procedures, there are certain hotline best practices that are helpful in developing a hotline program to uncover fraud and other unethical and/or illegal activities. We're going to look at the process of developing an effective ethics hotline program by going through three
- Planning the hotline program
- Communicating about the hotline
- Reacting to hotline tips
Implementing a hotline may seem to be a simple endeavor, but planning an effective reporting process can be quite complex. It must adequately protect the confidentiality of anonymous callers while providing quality information. A modern hotline program requires planning regarding how information is received, how information is distributed and how records of complaints and investigations are maintained. You may want one person as a project leader.
In order to create a program that meets the needs of the entire organization, this person must involve representatives of several departments, though in a small financial institution, one person may represent several areas. Implementation should include: Legal, Finance/Audit, Human Resources, Risk Management/Loss Prevention, Operations, the board of directors' Audit Committee, Information Technology (IT), and Communications.
This group typically meets several times to discuss the plan and anticipate any enhancements that would make the program more valuable. For example, if the organization is large enough to anticipate a steady stream of calls, Human Resources or Loss Prevention may have an existing case management system. Hotline data can easily be fed into an existing system via an EDI datafeed. While this is a simple matter for the IT department, having this conversation early on ensures a
The most effective way to learn about fraud is to provide employees a variety of methods for reporting their concerns about illegal or unethical behavior. A face-to-face conversation generates more detailed information than one-way communication, like an anonymous note. However, not everyone may feel comfortable with an "open door policy." And there may be some hesitation from fear of potential retaliation. In these situations, the hotline interview is the best option, as long as the communication is handled by an experienced interviewer. The important thing is to provide every possible means of reporting information internally, so corrective action can be taken.
One of the important features of the hotline is its anonymity. It's interesting to note that not all hotline callers are anonymous. About 50% of hotline callers give their names. About 30% of callers report they had previously informed management of the situation, and are concerned that nothing had been done about it.
To be continued - Our thanks to THE NETWORK for providing us with Best Practices in Ethics Hotlines and for their permission to use it.
Copyright © 2005 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 15, No. 6, 7/05
First published on 07/01/2005