The Securities and Exchange Commission (“SEC”) adopted rules implementing the new whistleblower program mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act on May 25, 2011 (“Dodd-Frank”).1 In broad terms, Congress believed that authorizing the SEC to pay substantial cash bounties to individuals who voluntarily come forward with credible information that leads to the successful prosecution of federal securities laws violations would strengthen the agency‟s ability to enforce those laws. Dodd-Frank requires the SEC to pay cash rewards of between 10–30% of any monetary sanctions in excess of $1 million that the Government, as a result of a whistleblower‟s assistance, recovers through administrative, civil, or criminal proceedings based on a violation of the securities laws. Such violations can involve private firms, public companies, or individuals.
This article discusses aspects of the SEC‟s new whistleblower rules that have special relevance to public accounting firms.2 They include (1) the treatment of whistleblower claims by personnel at a CPA firm relating to potential federal securities law violations by a firm‟s clients; (2) the treatment of whistleblower claims relating to potential federal securities law violations by a public accounting firm; and (3) practical considerations for CPA firms in light of the new rules. These considerations include the need for firms to review their existing quality controls for handling internal disagreements and situations within the scope of Section 10A of the Securities Exchange Act of 1934 (“Section 10A”), which requires CPA firms to craft procedures designed to detect illegal acts by issuer clients and to assess the adequacy of a client‟s response to allegations of potential wrongdoing.
The SEC’s Dodd-Frank Whistleblower Rules
While Dodd-Frank set forth minimum requirements for a whistleblower program, the statute left the details of the program to the SEC to address through rulemaking. The SEC released its proposed rules last November and received more than 1,500 comments. Many commenters expressed concern that the SEC‟s proposals would subvert companies‟ existing compliance programs by permitting whistleblowers to bypass internal reporting mechanisms. For example, the Center for Audit Quality (the “CAQ”) noted that, if employees failed to report concerns promptly through existing internal reporting mechanisms, the rules might have the unintended effect of increasing the number of instances where companies issued inaccurate financial statements.3 In addition, the CAQ and other commenters argued that the SEC‟s proposals failed to adequately recognize the existing legal and ethical obligations of CPAs and other professionals to maintain the confidentiality of client information.4 Despite these concerns, the SEC adopted the whistleblower rules substantially as proposed, with relatively minor revisions.
The final rules are quite detailed; indeed, the SEC‟s Adopting Release accompanying the new rules runs for over 300 pages. They generally preclude public accounting firm professionals from receiving whistleblower awards based on information about clients that was obtained through an audit or other mandatory engagement. There are exceptions to this general prohibition if the auditor believes that disclosure is necessary to prevent “substantial injury” to the company or investors, or if the auditor believes the client is engaging in conduct that “will impede an investigation of the misconduct.” In addition, accounting firm personnel are allowed to allege that their own firms violated professional standards or securities laws, potentially entitling them to whistleblower awards based on successful enforcement actions against their firms or against clients. Although the SEC acknowledged that auditors “occupy a special position,” the exceptions may overwhelm the general prohibitions against blowing the whistle on audit clients, impair auditor-client relationships, and pose new challenges for public accounting firms.
The SEC‟s new whistleblower rules also raise distinct issues for public accounting firms. Under the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”), virtually any violation of professional standards by a CPA firm involving an audit of an issuer can be cast as a federal securities law violation.5 Moreover, while the rules limit whistleblower awards to accountants in situations involving potential securities law violations by their clients, whistleblowers at a CPA firm are subject to fewer restraints when blowing the whistle on their own firms. Indeed, the SEC emphasized in its Adopting Release that accounting firm personnel could seek to recover whistleblower awards by alleging that their firms had failed to comply with Section 10A.6 Public accounting firms are required to exercise considerable judgment in many aspects of their practices, including when evaluating their duties under Section 10A. They may now find those judgments, which are already reviewable by the Public Company Accounting Oversight Board (the “PCAOB”), subjected to yet additional scrutiny, due to the incentives that have been created for whistleblowers.
Treatment of Claims Relating to Potential Violations by Firm Clients or Their Employees
Subject to several exceptions, which we discuss below, the SEC‟s new rules exclude whistleblower awards based on information obtained by CPA firm personnel in connection with audits and other engagements that are required under the federal securities laws. The rules also exclude information obtained when accounting firms provide certain services that are not required under the federal securities laws, but nevertheless support a client‟s compliance or internal audit functions, or a client‟s efforts to investigate possible violations of law. In addition, information that accounting firm personnel obtain in connection with a lawyer‟s engagement generally cannot serve as the basis for a whistleblower award. In comparison, information learned by accounting firm personnel while rendering other non-audit services to clients is not subject to similar restrictions.
Information Learned Through Financial Statement Audits and Other Engagements Required Under the Federal Securities Laws: Under Rule 21F-8(c)(4), information obtained through an audit of an issuer‟s financial statements is excluded from eligibility for whistleblower awards, if “making a whistleblower submission [based on such information] would be contrary to requirements of Section 10A.” In the Adopting Release, the SEC noted that the most obvious example of such a situation would arise if an auditor neglected to file a report with the SEC‟s Office of the Chief Accountant that was required under Section 10A disclosing a client‟s failure to respond appropriately to evidence of violations, but instead made a whistleblower claim directly to the Enforcement Division.7 The SEC concluded that, absent such an exclusion, Section 10A would not function as intended because CPAs might have an incentive to disregard the provision‟s requirements in the hope of receiving a monetary award.
Rule 21F-4(b)(4)(iii)(D) creates a similar exclusion for information that a would-be whistleblower obtains while serving as “[a]n employee of, or other person associated with, a public accounting firm, if [the whistleblower] obtained the information through the performance of an engagement required of an independent public accountant under the Federal securities laws,” and the information relates to a potential violation by a client or its directors, officers, or other employees. This rule applies to engagements other than audits of issuers covered by Rule 21F-8(c)(4). Examples of such engagements would include audits of registered broker-dealers required under the federal securities laws, as well as custody examinations of SEC-registered investment advisers.
The exclusions in Rules 21F-8(c)(4) and 21F-4(b)(iii)(D) bar accounting firm personnel from obtaining whistleblower awards based on most information about clients obtained during the course of audits or other engagements required under the federal securities laws. However, Rules 21F-4(b)(4)(v)(A)–(C) set forth exceptions to these exclusions. Specifically, with respect to information learned in connection with a required audit of an issuer or another engagement required under the federal securities laws, a whistleblower may seek an award if either:
- The whistleblower has “a reasonable basis to believe that disclosure of the information to the Commission is necessary to prevent the relevant entity from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors;”8 or
- The whistleblower has “a reasonable basis to believe that the relevant entity is engaging in conduct that will impede an investigation of the misconduct.”9
In addition, a whistleblower may seek a monetary award in connection with information obtained through other engagements that are required under the federal securities laws, but not subject to Section 10A, if at least 120 days have passed since the whistleblower “provided the information to the relevant entity‟s audit committee, chief legal officer, chief compliance officer (or their equivalents), or [the whistleblower‟s] supervisor, or since [the whistleblower] received the information, if [the whistleblower] received it under circumstances indicating that the entity‟s audit committee, chief legal officer, chief compliance officer (or their equivalents), or [the whistleblower‟s] supervisor was already aware of the information.”10
Information Learned Though Engagements to Support a Client‟s Compliance or Internal Audit Functions or to Investigate Potential Violations of Law: Rule 21F-4(b)(4)(iii)(B) provides that a whistleblower will not be eligible for a cash award if he or she was employed by a firm that had been retained to “perform compliance or internal audit functions” for an entity. Rule 21F-4(b)(iii)(C) creates a similar exclusion for information learned by employees at a firm retained “to conduct an inquiry or investigation into possible violations of law.” These exclusions would cover, for example, engagements where a public accounting firm is retained by a corporation or audit committee to perform internal audit services on an outsourced basis, or a “forensic audit” to investigate potential fraud or other accounting irregularities. These exclusions are subject, however, to the same exceptions under Rule 21F-4(b)(4)(v)(A)-(C), discussed above, that apply to information learned by individuals during the course of engagements required of public accounting firms under the federal securities laws. As a result, circumstances could arise where whistleblowers could file reports and receive awards based on information learned during such engagements.
Information Obtained in Connection with Legal Representations or Privileged Communication: Rule 21F-4(b)(4)(i) contains an exclusion that generally renders would-be whistleblowers ineligible for awards for information obtained through a communication subject to the attorney-client privilege. Rule 21F-4(b)(4)(ii) sets forth a similar exclusion for information obtained in connection with the “legal representation” of a client on whose behalf the whistleblower or his or her firm is providing services. Under these provisions, if a lawyer retains an accounting firm to provide tax, consulting, or other support services for a client matter, then information learned by accounting-firm personnel in connection with such an engagement generally should not be eligible for a whistleblower award.11
These provisions do not require that legal counsel engage an accounting firm under a formal Kovel letter.12 Instead, the applicability of the exclusion would turn on the circumstances under which the accounting firm or its personnel obtained the information. These two exclusions are not subject to the exceptions, discussed above, in Rules 21F-4(b)(4)(v)(A)-(C). However, each provision authorizes a whistleblower claim by an employee at an accounting firm if disclosure of the information would be permitted by an attorney under the SEC‟s lawyer conduct rules,13 applicable state attorney conduct rules, or otherwise.
Information Obtained by Accounting Firm Professionals While Providing Other Non-Audit Services to Clients: The SEC‟s new rules do not separately address information learned by accounting firm personnel while providing non-audit services to clients in other circumstances. As a result, if the other general requirements for whistleblower awards in the rules are met, professionals and other employees at CPA firms may have a financial incentive to file whistleblower reports alleging potential violations by firm clients based on information learned while providing such non-audit services.14
The prospect that the rules may encourage personnel at accounting firms to “blow the whistle” on firm clients creates a potential dilemma for firms because numerous state laws impose confidentiality obligations on accountants with respect to client information.15 Moreover, the exception in Rule 21F-4(b)(4)(v)(C) allows a whistleblower to bring information to the SEC‟s attention 120 days after elevating it to his or her “supervisor” and potentially receive a whistleblower award. At most accounting firms, junior staff are typically supervised by managers and senior managers below the partner level. As a result, a whistleblower might rely on this exception without ever having brought an issue to the attention of a firm‟s compliance department or a responsible partner at the firm.
Treatment of Claims Relating to Potential Violations by Accounting Firms or Firm Personnel
In its Adopting Release, the SEC emphasized that the exclusions in the new whistleblower rules are not intended to limit the ability of accounting firm personnel to blow the whistle on their own firms. This is illustrated by the Commission‟s discussion of whistleblower claims that accounting firms have failed to comply with their own obligations under Section 10A.
Specifically, while Rule 21F-8(c)(4) provides that a whistleblower would be ineligible for a cash award if he or she obtained information through an audit of a company‟s financial statements, and providing the information “would be contrary” to the requirements of Section 10A, the Commission stated in the Adopting Release that “alleging that [a whistleblower‟s] firm violated Section 10A (or other professional standards)” would not be inconsistent with that restriction “because such a submission is not „contrary to the requirements of Section 10A.‟” Instead, the SEC asserted that a whistleblower‟s allegation that his or her own firm violated Section 10A is consistent with the goals of the Commission‟s whistleblower program, “especially when the allegation is that an audit firm failed to assess or investigate illegal acts or make a report to the Commission [under Section 10A(b)(3)].”16
The SEC also stated in the Adopting Release that whistleblower claims alleging potential violations of the federal securities laws by accounting firms or their personnel need not be limited to information obtained during client audits or quarterly reviews. The Commission specifically identified “insider trading, auditor independence failures at a firm or other quality control failures that are not specific to any particular audit” as examples of other potential violations that could give rise to whistleblower awards.17 The SEC also stated that, if a whistleblower provides the SEC with information that his or her own firm violated Section 10A or other professional standards, and that information leads to a successful enforcement action against a firm‟s client, the Commission will take sanctions against both the firm and the client into account in determining the whistleblower‟s eligibility for an award (and the amount of the payment).18
In practice, enforcement actions against public accounting firms resulting in monetary sanctions in excess of $1 million – the threshold for a potential whistleblower award under the rules – have been relatively rare. The SEC has pursued several large cases against major firms in recent years,19 however, and has also recently brought several actions against accounting firms alleging that firms failed to comply with their obligations under Section 10A.20 These trends may further incentivize whistleblowers to file reports with the SEC alleging potential securities law violations by their firms.
Several other factors may increase the potential for whistleblower claims against accounting firms under the new rules:
- The definition of “monetary sanctions” under the rules includes not only civil penalties, but also “disgorgement.”21 As a result, enforcement actions in which the SEC obtains the disgorgement of significant audit fees from public accounting firms, as an equitable remedy, may fund whistleblower awards.
- Under Sarbanes-Oxley, virtually any breach of professional standards by a PCAOB-registered firm can be cast as a violation of federal securities law. Specifically, Section 3(b)(1) of Sarbanes-Oxley provides that a violation of “any rule of the [PCAOB] shall be treated for all purposes in the same manner as a violation” of the Exchange Act. In turn, PCAOB Rule 3100 requires a registered public accounting firm and its associated persons to “comply with all applicable auditing and related professional practice standards.” Read together, these provisions may encourage would-be whistleblowers to contact the SEC with claims that firms failed to comply with some aspect of detailed professional standards – which the SEC could then treat as equivalent to a violation of the Exchange Act.
- Both professional auditing standards and statutory provisions such as Section 10A require public accounting firms to exercise considerable judgment on a regular basis. For example, in situations covered by Section 10A, auditors may need to assess whether an “illegal act [by a client] . . . has or may have occurred;” whether management has “adequately informed” a company‟s audit committee of potential illegal acts; and whether a company has taken “timely and appropriate remedial actions” with respect to an illegal act that has come to the auditors‟ attention. Congress did not have a whistleblower program in mind when it originally imposed these obligations on auditors in the 1990s, and yet each such judgment by an accounting firm is now subject to being second-guessed. Similarly, professional auditing standards require CPAs to exercise judgment in a host of areas, ranging from the volume of audit documentation assembled during an engagement to the evaluation of the reasonableness of a client‟s significant accounting estimates.
Given such factors and a financial incentive to do so, it takes little imagination to envision scenarios where personnel at a firm may claim that their current or former employers failed to comply with any number of professional obligations.22
Practical Considerations for Public Accounting Firms
In adopting the whistleblower rules, the SEC concluded that the potential benefits of whistleblower claims by – and against – public accountants outweighed the possible interference with firms‟ existing policies and procedures for identifying and resolving difficult client issues.23 Firms, however, should themselves carefully evaluate the impact of the new rules on both their existing auditing procedures and their existing quality controls. Examples of issues that warrant current consideration include the following:
Auditors Should Assess Their Continued Ability to Rely Upon Their Clients‟ Internal Procedures for Identifying Violations from an Internal Controls Perspective: In recent years, and partially in response to requirements imposed under Sarbanes-Oxley, public companies have devoted substantial resources to enhancing their internal procedures designed to detect and investigate potential violations of the federal securities laws and other requirements. Such procedures have frequently included, among other things, whistleblower hotlines and other mechanisms that encourage employees to raise concerns on a timely and confidential basis. Auditors have relied on such procedures as a type of “entity-level” control that can function as a check on management‟s possible override of a company‟s other internal controls.24
Under the SEC‟s new rules, company employees are permitted, but not required, to avail themselves of existing internal procedures for reporting suspected wrongdoing within a company. If employees bypass those procedures and report their concerns directly to the SEC without notifying companies, either in advance or contemporaneously, auditors may determine that they are no longer able to treat companies‟ existing procedures as effective internal controls.25 In that event, auditors would need to perform alternative procedures to assess the effectiveness of a company‟s internal controls over financial reporting, as currently required by Sarbanes-Oxley. While public accounting firms may need to gain experience with the impact of the new rules before making such a judgment, they will need to monitor this risk carefully.
Firms Should Review Their Quality Controls Governing the Escalation and Resolution of Compliance Issues Involving Both Their Clients and Themselves: If the PCAOB‟s creation ensured that decisions made by public accounting firms during public company audit engagements would be subject to inspection and review, the SEC‟s whistleblower rules raise the possibility that those and other professional judgments may now be “third-guessed.” As a result, firms should examine their quality controls governing the internal reporting and resolution of any concerns regarding compliance by either clients or the firms themselves with applicable laws and professional standards, including Section 10A. Additionally, firms should review the adequacy of training on auditing standards relevant to the consideration of illegal acts and fraud. For example:
- Firms‟ business practices and culture should encourage – and internal policies should facilitate – the internal reporting of issues by junior employees and non-professional staff. Establishing an appropriate “tone at the top” is more critical now than ever.
- Firms‟ policies should provide clear “escalation paths,” when needed, for any issues that are raised internally.
- Firms should have specific practices governing the documentation of how issues that were reported internally were handled.
- Firms should consider whether they should (and are able, as a practical matter) keep an employee who initially raises an issue apprised of how the firm is addressing the issue and the reasons for the firm‟s ultimate resolution.
Firms Should Review Their Policies and Internal Guidance to Ensure Their Conduct Would Not Be Viewed as Obstructive or Retaliatory: Under the new rules, firms‟ internal policies must not impede – nor be construed as impeding – any reporting by firm personnel of suspected violations to the SEC.26 In addition, new Section 21F(h)(1) of the Exchange Act provides whistleblowers with an express private right of action against their employers alleging that they were retaliated against for providing the SEC with information. In light of these provisions:
- Firms should review the tone and content of existing training and guidance that was designed to educate employees and staff as to the confidentiality obligations of firm personnel to clients under state laws and ethical codes.
- Human resources staff and other personnel involved in handling employee complaints and discipline should be trained on the risks presented by Section 21F(h)(1) and the rules.
- Senior management at firms should clearly articulate, and widely disseminate, a message of “zero tolerance” for retaliation.
While many of the considerations for accounting firms under the new rules are similar to those that other businesses need to consider, the rules raise distinct issues for public accounting firms. Public accounting firms are subject to numerous legal requirements and professional standards that do not prescribe a single or uniform approach to an issue, but instead require the exercise of informed professional judgment. By their nature, such judgments are susceptible to being challenged, and Congress and the SEC have now provided employees with significant financial incentives to allege that firms made the wrong call. Firms can mitigate, if not avoid entirely, potential pitfalls under the new rules by reviewing their current policies and quality control systems to ensure that they respond appropriately to the new challenges.