
An uncertain protection: internal auditors may not be protected as corporate fraud whistleblowers under Sarbanes-Oxley Section 806.

INVESTIGATORS. GATEKEEPERS. WHISTLEBLOWERS. Internal auditors adopt each of these titles at various times as they fight the ongoing and very public battle against corporate fraud and malfeasance. Given the very nature of the job, the internal auditor is in a better position than just about any other employee to discover fraudulent activity and report it to the appropriate internal or external authorities--but at what cost?

Internal auditors sometimes fear adverse employment action from reporting fraudulent activity, especially when high-level company officers are involved. Are auditors entitled to legal protection from such retaliation? Perhaps, but the answer is not nearly as clear as internal auditors would undoubtedly prefer.

In late 2001 and early 2002, the U.S. Congress faced an acute crisis: revelations of mass corporate fraud threatened to destroy investors' faith in U.S. financial markets and jeopardize the stability of those markets and the economy. In response, Congress passed the Sarbanes-Oxley Act of 2002 with strong enforcement tools, including new regulations and reporting requirements, expanded corporate oversight, and new criminal provisions.

Key to the success of these new tools was protecting whistleblowers from retaliation. Recognizing the critical role of whistleblowers in combating corporate fraud, Congress observed that "often, in complex fraud prosecutions ... insiders are the only firsthand witnesses to the fraud." That, it would seem, is where internal auditors prominently enter the picture.

Internal auditors obviously serve an important risk management and risk control function. More and more, internal auditors are taking on the challenge of proactive risk-based assurance, rather than limiting themselves to the traditional reactive, control-based functions. Public and private companies alike increasingly rely on internal auditors to help management understand, assess, and manage risks, and report on the effectiveness of the organization's risk management process. This is in addition to the expectation that internal auditors will evaluate the system of internal control objectively. Unlike external auditors, whose focus is generally limited to a periodic audit of the company's financial statements and the assessment of controls over financial reporting, internal auditors more comprehensively examine the organization's operations and controls, and they are interested in the prevention of fraud in any form.

Quite naturally, internal auditors must remain ever vigilant to the risks the organization confronts. They should regularly advise the organization's executive management and the audit committee on significant risk exposures and control issues, including corporate governance issues and fraud prevention and detection. Internal auditors may be precisely the type of "insider" Congress had in mind when it recognized that whistleblower protection was key to its statutory response to corporate fraud.

Section 806 of Sarbanes-Oxley imposes significant civil penalties on employers who retaliate against corporate fraud whistleblowers (the act also separately imposes criminal liability for retaliation). Essentially, Section 806 protects employees from retaliation or discrimination for blowing the whistle about conduct that may defraud shareholders. One judge observed, "it is sufficient for an employee to provide information regarding possible fraudulent conduct to a person with supervisory authority over the employee." (Richards v. Lexmark International Inc., 2004-SOX-00049 at 14, Oct. 1, 2004). Does that protection apply to internal auditors who may be uniquely positioned within the organization to identify and disclose potentially fraudulent activity?

It would seem obvious from the legislative history, public comments, and very goal of the statute that internal auditors are protected under Section 806. Congress, after all, drafted Sarbanes-Oxley to battle corporate fraud broadly and encourage insiders to blow the whistle on matters about which the public might be unaware. And the statute speaks expansively in terms of protecting "an employee" who blows the whistle.

Not so fast, though. At least one administrative law judge has determined that Section 806 does not necessarily protect internal auditors. In the case, Robinson v. Morgan Stanley, a former senior internal auditor, Beverly Robinson, complained that she was unlawfully terminated after reporting perceived deficiencies in the organization's financial operations, including failures in audit controls and management fraud, to senior executives. As part of the company's response to her complaint, it argued that Robinson did not engage in a protected activity under Section 806 because she identified and reported the issues as part of her regular responsibilities as a company internal auditor, not independently as a whistleblower.

In part, the judge agreed with Morgan Stanley; however, the judge concluded that Robinson had engaged in an activity protected by Section 806 based on the specific facts of her situation. Examining Robinson's complaint, the judge started with the legal proposition that to engage in a protected activity, "the report or complaint must involve actions outside the complainant's assigned duties." In other words, if the employee's job is to report instances of potential shareholder fraud to the audit committee, blowing the whistle to the audit committee about shareholder fraud may not be protected under Section 806 provisions. To arrive at this seemingly odd result, the judge noted that the concept of whistleblower protection is to protect employees who risk their job security by taking steps to protect the public good. If whistleblowing is your job, blowing the whistle does not pose a risk to your job, and you are, therefore, not entitled to protection.

Internal auditors should obviously be interested in such a result. The judge ultimately determined that Robinson had engaged in a protected activity because while she discovered the fraud "in course of her auditor work, the manner and method she chose to convey that finding to the president and chief financial officer went beyond her role as a senior auditor. Consequently, despite her job status as a senior auditor, Robinson engaged in a Sarbanes-Oxley protected activity on Feb. 5, 2004, since she did not prepare and present the complaint as part of her assigned senior auditor duties."

That fact-dependent conclusion is of little consolation. At the end of the day, the judge still requires a whistleblower to be acting outside the scope of his or her job duties to qualify for protection. For internal auditors, that may mean focused, critical scrutiny of their job duties and the manner of their reports to determine whether they are protected under Sarbanes-Oxley Section 806.

For now, the opinion is just that: an opinion by a single administrative law judge. There does not appear to be a consensus among administrative law judges, and the U.S. Department of Labor's Administrative Review Board has yet to address the issue. Room still exists for arguing the point.

That said, employers facing Section 806 complaints brought by internal auditors will likely rely on the Robinson case to suggest that there was no protected activity. Internal auditors, on the other hand, may respond by arguing both that the decision is wrong and that, based on the facts, they did not act strictly within the scope of their job duties in making the report at issue. One wonders whether it would be worthwhile for internal auditors to make such reports outside their normal chain of command to bolster an argument that the conduct was in the nature of whistleblowing rather than simply doing their job.

There is little doubt that the Robinson case gives rise to uncertainty as to the scope of corporate fraud whistleblower protection. This is an issue that may ultimately require definitive treatment by the administrative review board or the federal courts. In the meantime, internal auditors should be aware of the issue and proceed cautiously in reporting corporate fraud within or outside of the delineated chain of command.


FLOYD R. HARTLEY JR. is a partner with Kirkpatrick & Lockhart Preston Gates Ellis in Dallas. His practice includes the investigation and litigation of white-collar, whistleblower, employment, and civil rights matters.

To comment on this article, e-mail the author at
COPYRIGHT 2008 Institute of Internal Auditors, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2008 Gale, Cengage Learning. All rights reserved.

Article Details
Author: Hartley, Floyd R., Jr.
Publication: Internal Auditor
Geographic Code: 1USA
Date: Jun 1, 2008