What to Do When an Audit Committee Complaint Arrives

Although SOX and the rules do not address what the committee is to do when a complaint is received, the text of the Act and the rules imply that each complaint is expected reviewed at the very least, and the applicable corporate law is consistent with this conclusion. Directors of a corporation, as a part of their duty of care, have a duty of oversight, and a number of cases have held that this duty of oversight is breached if the directors knew or should have known that violations of law were occurring and the directors took no action. Directors may be protected by the business judgment rule in examining an issue and determining that no action is required, but the business judgment rule will offer no protection if the directors fail to look in to obvious signs of wrong doing (so-called “red flags”) and therefore do not make an informed decision to take no action.

Screening Complaints

Accordingly, almost any complaint should be screened in some manner to determine whether it merits action, further investigation or dismissal. A decision must be made as to who will initially review each complaint. The appropriate procedure will vary from company to company, depending upon its size and the frequency with which complaints are received, but it seems advisable that almost any policy provide for review of each complaint by at least one member of the audit committee or the audit committee's designee. If complaints are rare and a designated representative of the audit committee is reasonably accessible, it may be desirable to have each complaint screened by an audit committee member. In a larger organization, an initial screening might be performed by a designee, such as a member of the internal audit staff, inside counsel or, perhaps, outside counsel, in each case with a report back to an audit committee member. In a recent speech, Stephen Cutler, the Commission's Director of Enforcement, suggested that issuers appoint a permanent ombudsman or business practices officers to investigate complaints. The audit committee member or designee should make a recommendation to the audit committee to refer the matter for investigation, to refer the matter for other appropriate action or to not pursue the matter.

No Guidance

There is no guidance in the Act or rules as to what level of credibility a complaint must possess in order to merit further investigation. It is possible that some complaints, on their face, may be found to be frivolous and to merit no further action, except perhaps to report the receipt and the reasons for disregarding the complaint to the full committee. A complaint might be frivolous because it concerns an unimportant or immaterial matter or perhaps because the complaint is not credible. However, this would appear to be a safe conclusion only if the complaint is demonstrably false. It is important to note that SOX requires that an anonymous complaint procedure be adopted. It is obviously difficult to judge the credibility of an anonymous complaint. Accordingly, the Act implies that anything other than a clearly frivolous complaint should be investigated in some manner.

The manner of the appropriate investigation is left entirely to the reasonable discretion of the audit committee. Similar to screening complaints, it typically will be impractical for the audit committee to conduct any level of investigation as a committee. Like the screening process, the appropriate investigatory procedure will vary from company to company and also will vary depending upon the nature of the complaint. In some instances, such as matters involving finance, accounting or internal controls, the audit committee may determine that an inquiry by an internal audit staff member is appropriate. In other instances, such as matters involving potential liability or violations of law, an inquiry by in-house counsel may be desirable. In yet other circumstances, such as particularly sensitive or complex matters, it may be desirable to have an inquiry made by the issuer's regular outside counsel. In the most extreme circumstances, particularly where the issuer's regular outside counsel was involved in the matter that is the subject of the complaint, it may be appropriate for the audit committee to engage its own counsel to make an inquiry. Section 301 of the Act specifically requires that the audit committee have authority to retain advisers, including counsel, and requires that the issuer provide the funds necessary for it to do so. In selecting the investigator, some consideration should be given to the attorney-client privilege and possible or pending litigation. The committee may wish to consider whether an investigation should be undertaken by inside or outside counsel in order to provide possible attorney-client privilege protection of information obtained through an investigation.

The nature and scope of the appropriate investigation is also left to the reasonable discretion of the audit committee. However, the audit committee should exercise reasonable oversight to make sure that a reasonable investigation is conducted. In a recent speech, Giovanni Prezioso, the Commission's General Counsel, warned against investigations that are improperly structured. He noted, in particular, investigations in which the persons making the investigation were not given sufficient authority or resources or in which the scope of the inquiry was unduly circumscribed.

It is desirable that the designated person be familiar with all of the aspects of conducting an investigation. If the complaint is from an identified individual, the obvious initial inquiry will be for the designated investigator to interview that person, and accordingly, it is particularly important that the investigator be familiar with conducting investigatory interviews. If the complaint is anonymous, perhaps even greater investigatory skills are required, because the investigator must be able to determine the person or persons who would reasonably be expected to have information about the subject topic as well as be capable of conducting the necessary interviews.

How to Conduct the Inquiry

The conduct of all but the most basic inquiry, involving only a few interviews, probably should be an interactive process between the designated investigator and the committee or the investigator's designated contact with the committee. The committee or the designated committee contact should discuss with the investigator the initial plan of inquiry, the results of that initial inquiry, proposed plans for further inquiries and the results of those inquiries. Depending upon the extent and complexity of the investigation, this process may need to be repeated a number of times, with the investigator keeping the committee informed and involved in the progress of the investigation.

Ultimately, the investigator should be required to render a report to the committee, which may include a description of the original complaint, the investigation procedure and scope, a summary of the information obtained, an analysis of the information obtained and, depending upon the complexity of the matter and the sophistication of the investigator, a possible recommendation for action, further investigation or disposition of the inquiry.

Informed by the report of the investigator, the committee should be in a position to exercise its business judgment with respect to the action, if any, to be taken. Many different responses are possible, based upon the circumstances and the results of the investigation. For example, after due investigation and consideration, the committee might conclude, among other things, that:

• changes should be made to internal procedures or controls;
• additions or corrections should be made to public disclosure;
• disclosure should be made to a governmental agency;
• employee disciplinary measures should be initiated;
• further investigation should be made, possibly requiring the assistance of outside experts, such as counsel, accountants or other investigators;
• interim action should be taken while further investigation is made; or
• the complaint should be dismissed.

Many of these determinations, of course, would require additional steps beyond the scope of this article, including consultation with counsel, accountants and the issuer's disclosure committee.

Internal and External Disclosure

Whatever determination is reached, the committee should consider the appropriateness of internal and external disclosure. The committee should report at least periodically to the full board on complaints received and actions taken. More serious matters may require more rapid reporting and may involve the full board in determinations beyond those of the committee. Also, if the complaint was not anonymous, the committee should consider making some reply to the person who made the complaint, disclosing, if appropriate, the inquiry made and the action taken. Even if the issuer determines not to pursue the complaint, a carefully considered response may help establish the issuer's commitment to compliance and taking the complaint procedure seriously. Further, the committee should consider appropriate reporting of complaints and responses to company employees. Although not all complaints, and perhaps not even most complaints, need be generally disclosed, some reporting of the receipt and response to complaints again may help demonstrate the issuer's commitment to compliance. Finally, although only likely in connection with the most serious matters, some consideration should be given, in conjunction with the disclosure committee, of the materiality of the subject matter of the complaint and the possible need for public disclosures.

Finally, in order to demonstrate compliance with the Act and the directors' duty of care, procedures should be adopted for creation and retention of documentation relating to the receipt, investigation and response to complaints.

Conclusion

There has been a tendency in responding to the requirements of SOX to focus on procedures and checklists. But the procedures and checklists are not ends unto themselves, but means to the objectives of better corporate compliance and governance. This article is intended to provide suggestions to the members of audit committees and the persons who counsel audit committees to assist them in moving beyond complaint receipt procedures to a process that encourages the reasonable handling of complaints, thereby providing the potential for the complaint process to improve corporate compliance and to help instill a corporate theme of compliance.

Much attention has been paid to the requirements of the Sarbanes-Oxley Act (SOX) and the stock exchanges and Nasdaq that issuers establish procedures under which their audit committees can receive complaints, including anonymous complaints. Various service providers now offer issuers solutions in this area, including procedures to submit complaints through hotlines and e-mail addresses maintained by the service providers. But none of the Sarbanes-Oxley Act, the rules or the extensive commentary about establishing complaint procedures addresses what the audit committee is required to do with a complaint when one is received. This article briefly discusses some considerations in dealing with such a complaint.

SOX and Its Requirements

Section 301 of SOX required the Securities Exchange Commission to adopt a rule that the issuer's audit committee establish procedures for “the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters” and “the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.” The Commission adopted Securities Exchange Act Rule 10A-3(b)(3) substantially duplicating the text of the Act, and the stock exchanges and Nasdaq have each adopted rules substantially duplicating the text of the Act and the Commission's rule.

Although SOX and the rules do not address what the committee is to do when a complaint is received, the text of the Act and the rules imply that each complaint is expected reviewed at the very least, and the applicable corporate law is consistent with this conclusion. Directors of a corporation, as a part of their duty of care, have a duty of oversight, and a number of cases have held that this duty of oversight is breached if the directors knew or should have known that violations of law were occurring and the directors took no action. Directors may be protected by the business judgment rule in examining an issue and determining that no action is required, but the business judgment rule will offer no protection if the directors fail to look in to obvious signs of wrong doing (so-called “red flags”) and therefore do not make an informed decision to take no action.

Screening Complaints

Accordingly, almost any complaint should be screened in some manner to determine whether it merits action, further investigation or dismissal. A decision must be made as to who will initially review each complaint. The appropriate procedure will vary from company to company, depending upon its size and the frequency with which complaints are received, but it seems advisable that almost any policy provide for review of each complaint by at least one member of the audit committee or the audit committee's designee. If complaints are rare and a designated representative of the audit committee is reasonably accessible, it may be desirable to have each complaint screened by an audit committee member. In a larger organization, an initial screening might be performed by a designee, such as a member of the internal audit staff, inside counsel or, perhaps, outside counsel, in each case with a report back to an audit committee member. In a recent speech, Stephen Cutler, the Commission's Director of Enforcement, suggested that issuers appoint a permanent ombudsman or business practices officers to investigate complaints. The audit committee member or designee should make a recommendation to the audit committee to refer the matter for investigation, to refer the matter for other appropriate action or to not pursue the matter.

No Guidance

There is no guidance in the Act or rules as to what level of credibility a complaint must possess in order to merit further investigation. It is possible that some complaints, on their face, may be found to be frivolous and to merit no further action, except perhaps to report the receipt and the reasons for disregarding the complaint to the full committee. A complaint might be frivolous because it concerns an unimportant or immaterial matter or perhaps because the complaint is not credible. However, this would appear to be a safe conclusion only if the complaint is demonstrably false. It is important to note that SOX requires that an anonymous complaint procedure be adopted. It is obviously difficult to judge the credibility of an anonymous complaint. Accordingly, the Act implies that anything other than a clearly frivolous complaint should be investigated in some manner.

The manner of the appropriate investigation is left entirely to the reasonable discretion of the audit committee. Similar to screening complaints, it typically will be impractical for the audit committee to conduct any level of investigation as a committee. Like the screening process, the appropriate investigatory procedure will vary from company to company and also will vary depending upon the nature of the complaint. In some instances, such as matters involving finance, accounting or internal controls, the audit committee may determine that an inquiry by an internal audit staff member is appropriate. In other instances, such as matters involving potential liability or violations of law, an inquiry by in-house counsel may be desirable. In yet other circumstances, such as particularly sensitive or complex matters, it may be desirable to have an inquiry made by the issuer's regular outside counsel. In the most extreme circumstances, particularly where the issuer's regular outside counsel was involved in the matter that is the subject of the complaint, it may be appropriate for the audit committee to engage its own counsel to make an inquiry. Section 301 of the Act specifically requires that the audit committee have authority to retain advisers, including counsel, and requires that the issuer provide the funds necessary for it to do so. In selecting the investigator, some consideration should be given to the attorney-client privilege and possible or pending litigation. The committee may wish to consider whether an investigation should be undertaken by inside or outside counsel in order to provide possible attorney-client privilege protection of information obtained through an investigation.

The nature and scope of the appropriate investigation is also left to the reasonable discretion of the audit committee. However, the audit committee should exercise reasonable oversight to make sure that a reasonable investigation is conducted. In a recent speech, Giovanni Prezioso, the Commission's General Counsel, warned against investigations that are improperly structured. He noted, in particular, investigations in which the persons making the investigation were not given sufficient authority or resources or in which the scope of the inquiry was unduly circumscribed.

It is desirable that the designated person be familiar with all of the aspects of conducting an investigation. If the complaint is from an identified individual, the obvious initial inquiry will be for the designated investigator to interview that person, and accordingly, it is particularly important that the investigator be familiar with conducting investigatory interviews. If the complaint is anonymous, perhaps even greater investigatory skills are required, because the investigator must be able to determine the person or persons who would reasonably be expected to have information about the subject topic as well as be capable of conducting the necessary interviews.

How to Conduct the Inquiry

The conduct of all but the most basic inquiry, involving only a few interviews, probably should be an interactive process between the designated investigator and the committee or the investigator's designated contact with the committee. The committee or the designated committee contact should discuss with the investigator the initial plan of inquiry, the results of that initial inquiry, proposed plans for further inquiries and the results of those inquiries. Depending upon the extent and complexity of the investigation, this process may need to be repeated a number of times, with the investigator keeping the committee informed and involved in the progress of the investigation.

Ultimately, the investigator should be required to render a report to the committee, which may include a description of the original complaint, the investigation procedure and scope, a summary of the information obtained, an analysis of the information obtained and, depending upon the complexity of the matter and the sophistication of the investigator, a possible recommendation for action, further investigation or disposition of the inquiry.

Informed by the report of the investigator, the committee should be in a position to exercise its business judgment with respect to the action, if any, to be taken. Many different responses are possible, based upon the circumstances and the results of the investigation. For example, after due investigation and consideration, the committee might conclude, among other things, that:

• changes should be made to internal procedures or controls;
• additions or corrections should be made to public disclosure;
• disclosure should be made to a governmental agency;
• employee disciplinary measures should be initiated;
• further investigation should be made, possibly requiring the assistance of outside experts, such as counsel, accountants or other investigators;
• interim action should be taken while further investigation is made; or
• the complaint should be dismissed.

Many of these determinations, of course, would require additional steps beyond the scope of this article, including consultation with counsel, accountants and the issuer's disclosure committee.

Internal and External Disclosure

Whatever determination is reached, the committee should consider the appropriateness of internal and external disclosure. The committee should report at least periodically to the full board on complaints received and actions taken. More serious matters may require more rapid reporting and may involve the full board in determinations beyond those of the committee. Also, if the complaint was not anonymous, the committee should consider making some reply to the person who made the complaint, disclosing, if appropriate, the inquiry made and the action taken. Even if the issuer determines not to pursue the complaint, a carefully considered response may help establish the issuer's commitment to compliance and taking the complaint procedure seriously. Further, the committee should consider appropriate reporting of complaints and responses to company employees. Although not all complaints, and perhaps not even most complaints, need be generally disclosed, some reporting of the receipt and response to complaints again may help demonstrate the issuer's commitment to compliance. Finally, although only likely in connection with the most serious matters, some consideration should be given, in conjunction with the disclosure committee, of the materiality of the subject matter of the complaint and the possible need for public disclosures.

Finally, in order to demonstrate compliance with the Act and the directors' duty of care, procedures should be adopted for creation and retention of documentation relating to the receipt, investigation and response to complaints.

Conclusion

There has been a tendency in responding to the requirements of SOX to focus on procedures and checklists. But the procedures and checklists are not ends unto themselves, but means to the objectives of better corporate compliance and governance. This article is intended to provide suggestions to the members of audit committees and the persons who counsel audit committees to assist them in moving beyond complaint receipt procedures to a process that encourages the reasonable handling of complaints, thereby providing the potential for the complaint process to improve corporate compliance and to help instill a corporate theme of compliance.