Worth Taking Notice: Whistleblower Rules Regarding Auditing Firms
The Dodd-Frank Act and the U.S. Securities and Exchange Commission’s (SEC’s) final whistleblower rules generally preclude employees of public accounting firms from receiving whistleblower awards for information about an engagement client. The SEC has advised, however, that auditors will be permitted to make whistleblower submissions alleging that their public accounting firms violated the federal securities laws or professional standards. If the auditor’s submission leads to a successful enforcement action against an engagement client, the auditor will be eligible for an award based on the total monetary sanctions collected from the engagement client. The SEC’s back-door invitation may put audit clients in harm’s way of an auditor’s whistleblowing, contrary to the statute and auditor-client confidentiality.
On May 25, 2011, the U.S. Securities and Exchange Commission (SEC) released its final rules implementing the whistleblower provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). Under the new program, whistleblowers who voluntarily report securities violations to the SEC stand to reap a bounty of 10 to 30 percent of the SEC’s monetary recovery, provided that the whistleblower’s information leads to a successful enforcement action resulting in total monetary sanctions of more than $1 million.
Dodd-Frank and the SEC’s final rules generally preclude employees of public accounting firms from receiving whistleblower awards for information about an engagement client that was obtained through the performance of an audit required by the federal securities laws. (See 15 U.S.C. § 78u-6(c)(2)(C) and Rule 21F-4(b)(4)(iii)(D).) The SEC recognized that the exclusion for auditors “reflects the fact that these individuals occupy a special position under the securities laws to perform a critical role for investors.” (SEC Adopting Release, May 25, 2011, at 55.) There are, however, several exceptions to this general prohibition. For example, an auditor may report possible violations by the engagement client if the auditor has a “reasonable basis to believe that disclosure of the information to the SEC is necessary to prevent the [client] from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors.” (Rule 21F-4(b)(4)(v)(A).) Similarly, an auditor may report violations by the engagement client if the auditor has a “reasonable basis to believe that the [client] is engaging in conduct that will impede an investigation of the misconduct.” (Rule 21F-4(b)(4)(v)(B).) To establish that there was a reasonable basis for his or her belief, the whistleblower will likely need to “demonstrate that responsible management or governance personnel at the entity were aware of the imminent violation and were not taking steps to prevent it.” (Adopting Release, at 74.)
In addition to the general exceptions to the auditor preclusion, the SEC’s adopting release clarifies that an auditor is not precluded from making a “specific and credible submission alleging that [the auditor’s] public accounting firm violated the federal securities laws or professional standards.” (Adopting Release, at 73.) “If such a submission is made, then . . . the whistleblower will also be able to obtain an award if the information leads to a successful action against the engagement client.” (Adopting Release, at 141.)
The adopting release makes clear that auditors will be allowed to make whistleblower submissions alleging that a public accounting firm violated Section 10A of the Securities Exchange Act, which requires the auditor to take certain actions in response to becoming aware that illegal acts have or may have occurred. In its adopting release, the SEC advises, “a person can make a submission that alleges that the auditing firm failed to follow any procedures set forth in Section 10A or professional standards.” (Adopting Release, at 141, emphasis added.) If an employee observes independence failures or other quality control failures, for example, “then a submission containing those allegations is permitted.”
In assessing whether the whistleblower has made a specific and credible submission alleging the auditing firm’s violation of Section 10A, the SEC may consider the following factors, among other things:
- Whether the audit firm conducted an assessment of or investigation into the alleged illegal act by the public company audit client and the quality of that investigation
- Whether the audit firm followed the requirements of Section 10A and its response to the allegation of an illegal act
- The position or title of the whistleblower and the role the person played in the firm’s violations
- The role of the whistleblower in the Section 10A investigation or assessment
- The timing of the submission (Adopting Release, at 142)
Importantly, if an auditor reports an alleged 10A violation or breach of any professional standard committed by the accounting firm, and the auditor’s information relating to that violation leads to a successful enforcement action against an engagement client, the whistleblower will be entitled to a percentage of the total monetary sanctions recovered from the engagement client. Thus, while the final rules generally preclude an auditor from receiving a whistleblower award based on reported information that the engagement client and/or the client’s directors, officers or other employees breached the securities laws, the SEC’s policy allows auditors to qualify for an award if the auditor reports information about a violation of professional standards in connection with the audit “or interim review work” that leads to SEC recovery against the audit client.
The SEC has, in effect, permitted a mechanism through which auditors can indirectly blow the whistle on their engagement clients and embroil them in unnecessary, prolonged investigations. Moreover, it appears that the SEC has created a tug-of-war between its invitation to auditors to report and state and foreign law duties of confidentiality. Indeed, top auditing firms commented during the rulemaking that it would be difficult for an auditor to report another auditor without breaching duties of auditor-client confidentiality because audit violations will be intertwined with information about the client. However, the SEC refused to exclude “information that is received in breach of state-law confidentiality requirements, such as those imposed on auditors, because to do so could inhibit important federal-law enforcement interests.” Although the SEC has attempted to encourage auditors to blow the whistle, while discouraging opportunistic behavior, allowing auditors to receive an award based on enforcement actions against their engagement clients could produce an “exclusion to the exclusion” and the need for the SEC to reconsider its position.
In its final rules implementing the Dodd-Frank whistleblower program, the SEC invites auditors to report their own auditing firms for potential violations of the securities laws and professional standards. The new program offers strong monetary incentives for whistleblowing. However, auditing firms can reduce their risk by reviewing and refining their internal compliance programs and Section 10A procedures (including early involvement by in-house counsel). Firms should encourage auditors to use internal compliance mechanisms to address any potential violations of federal securities laws or professional standards, and reward auditors who do so. In addition, firms should review the adequacy of training on GAAS standards relating to the consideration of fraud and illegal acts, and the factors which the SEC considers “red flags” of illegal activity (e.g., unsupported and/or high commissions to sales agents, excessive travel or entertainment expenses for employees of state-owned enterprises, and payments to tax havens and other locations unrelated to parties to the underlying transaction). Firms should also continue to engender a corporate culture that, from the top down, prides itself on audit excellence and integrity.
Lastly, firms should monitor the impact of the new rules on the auditor-client relationship and commence a dialogue with the SEC on any adverse consequences arising from allowing auditors to receive an award when their reporting on their employer leads the SEC to recover against the audit client.