According to the Institute of Internal Auditors' “Politics of Internal Auditing” (2015), 55% of chief audit executives were directed to omit important findings from their audit reports. 49% of chief audit executives were directed “not to perform audit work in high-risk areas.” 32% of chief audit executives were instructed to audit “low-risk” areas, in part so that executives could “retaliate against another individual.”
Thus, while auditors are the cornerstone of internal compliance, these internal channels often fail, leaving auditors with another option: blowing the whistle on the misconduct directly to the government.
Organisation for Economic Co-operation and Development (OECD) guidelines recommend that countries ensure that auditors are properly equipped to find and report violations of law in companies they audit. As part of this, it is critical that auditors understand their rights and protections under U.S. whistleblower programs.
Under the Dodd-Frank Act U.S. whistleblower programs (those administered by the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC)), external auditors are generally excluded from awards.
These whistleblower rules conflict with other requirements on external auditors, which oblige them to report any violations found to the company, and to the SEC if the company does not self-report (see 15 USC § 78j-1(b)).
However, certain exceptions do allow internal compliance officials to qualify for awards under the Dodd-Frank whistleblower programs.
Under the 120-day rule, compliance officials can file claims and obtain awards from the SEC and CFTC if they first report the misconduct internally and then wait 120 days before contacting the Commission, when the company does not inform the government in a timely and accurate manner that it may have violated the law.
The company is given 120 days to investigate the original allegation and self-report any violation to the government. After 120 days, executives, directors, and compliance officials who are aware that the company was not fully honest with the government can confidentially file claims and fully qualify for rewards.
Notably, under SEC Rule 21F-4(b)(7) “If you provide information to . . . an entity’s internal whistleblower, legal, or compliance procedures for reporting allegations of possible violations of law, and you, within 120 days, submit the same information to the Commission [in an official Form TCR], then, . . . the Commission will consider that you provided information as of the date of your original disclosure, report or submission to one of these other authorities or persons.”
Another major exception is if the auditor reasonably believes that blowing the whistle to the government is necessary to prevent substantial injury to the financial interests of their entity or investors. In this instance, an auditor can qualify for an award even without waiting the 120 days.
Likewise, an auditor can qualify under the Dodd-Frank programs if they reasonably believe that their company is engaging in conduct that will impede an investigation.
Compliance officials can claim awards through other major U.S. whistleblower laws:
Under the False Claims Act (FCA), whistleblowers can receive 15-30% of the recovery by filing qui tam lawsuits on behalf of the government, where the government has been defrauded. The FCA does not have restrictions for compliance officials.
Under the AML Whistleblower Improvement Act, auditors can report sanctions violations, Bank Secrecy Act violations and other money laundering violations.
Compliance officials are not bound by restrictive NDAs or other agreements, such as compliance manuals, settlement agreements, severance, or employment contracts, when they impede the right to report misconduct.
SEC Rule 21F-17(a) states that “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement (other than agreements dealing with information . . . related to the legal representation of a client) with respect to such communications.”
One’s NDA may be void if it:
- Includes a non-disparagement clause
- Requires you to waive your right to a monetary reward
- Requires prior consent from the company before disclosure to a regulator
- Requires you to notify the company after a disclosure
- Prevents you from initiating contact with a regulator
To ensure internal controls, ethics, and compliance, OECD member countries should encourage the creation of monitoring bodies, independent of management, such as audit committees of boards of directors or of supervisory boards.