1

Helping Your Audit Committee Implement Complaint Handling

Helping Your Audit Committee Implement Complaint Handling

The Institute of Internal Auditors

Webcast Series on Sarbanes-Oxley Act

June 10, 2003

1:00 – 2:30 pm Eastern Time

2

The IIA Webcast ModeratorThe IIA Webcast Moderator

Jim Key, CIA

Managing Partner

Shenandoah Group, L.L.P

3

DisclaimerDisclaimer

The views expressed in this web cast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees and members.

4

Emerging Trends and Best Practices in Implementing SOA

Emerging Trends and Best Practices in Implementing SOA

• May 21 – Section 404 Readiness Review: How to document your system of internal control.

• June 10 - Helping your audit committee implement complaint handling

• July 8 – Leveraging the COSO framework to meet Section 404 requirements

• August 12 – Project Administration – Setting and revising priorities in the wake of the “Final 404 Rules”

• September 9 – Internal Audit support of Audit Committees – What works best

• September 30 – The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act

5

Sarbanes-Oxley: Implications and Impact for Internal Audit

Sarbanes-Oxley: Implications and Impact for Internal Audit

• Seminar Offering: 2.5 Days Chicago, July 30 – August 1 Seattle, August 4 – 6 West Palm Beach, August 25 – 27 Phoenix, September 10 – 12 San Francisco, September 24 – 26 Orlando, December 10 – 12 New York, December 17 - 19

6

Other ResourcesOther Resources

• IIA Web Page www.theiia.org – Click on Guidance– Click on Tools and Resources for Corporate

Governance IIA Position Papers Responses to exposure drafts IIA Research Foundation Master Key Series The Sarbanes-Oxley legislation Stock listing exchanges key requirements

7

SOA Section 301.4SOA Section 301.4

Each audit committee shall establish procedures for:

1. The receipt, retention, and treatment of complaints received…regarding questionable accounting or auditing matters.

2. The confidential, anonymous submission by employees…of concern regarding questionable accounting or auditing matters.

8

Timeline to Implement 301.4Timeline to Implement 301.4

• Under the final rule effective April 25, 2003, listed issuers must be in compliance with the new listing rules by the earlier of their first annual shareholders meeting after January 15, 2004 or October 31, 2004.

9

AgendaAgenda1:00 Welcome and Overview1:10 How to Get Started –

Maureen Mohlenkamp1:20 Large Enterprise Approach –

Kimberly Gavaletz 1:30 Small Company Handling Options –

Don Eichenauer 1:40 Break1:45 Questions and Answers – Panel2:25 Wrap up – Jim Key

10

Helping the Audit Committee

Implement Complaint Handling

Helping the Audit Committee

Implement Complaint Handling

Maureen MohlenkampSenior Manager

Ethics and Corporate Compliance Deloitte & Touche LLP

11

Reporting Systems are Strongly Encouraged

Reporting Systems are Strongly Encouraged

• Federal Sentencing Guidelines require companies to have in place and publicize a reporting system. – “The hallmark of an effective program is that

the organization exercises due diligence in seeking to prevent and detect criminal conduct by its employees and other agents.”

12

Reporting Systems are Strongly Encouraged

Reporting Systems are Strongly Encouraged

• Sarbanes-Oxley requires companies to establish “…procedures for the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters, as well as the confidential and anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”

13

How to Report Complaints or Ask Questions

How to Report Complaints or Ask Questions

1- 800Office Phone

E-mail or Web based

US Mail

Interoffice

In person

Fax

Slide under door

14

A Helpline Reporting SystemA Helpline Reporting System

• Provides a confidential place for employees to clarify policy and discuss or report concerns

• Provides a communications channel beyond the rumor mill

• Directs employee questions to the appropriate resource

• Is an opportunity to provide guidance before a poor decision is made

• Provides an early warning system of issues or problem locations

• Is the last internal stop for whistleblowers

15

Implementing a Helpline: Some Things to ConsiderImplementing a Helpline: Some Things to Consider

• One line vs. two lines• Answered:

– In-house– External– Both

• Cost of outside services for a large company may be about $1 per employee per year

• Outside services allow 24/7/365 service• Available to non-employees• International access• Locations and hours of your workforce

16

PlanningPlanning• Who answers the phone• Hours of operation• Types of calls you will take• Handling anonymous calls• Impact of collective bargaining agreements• Standards of quality in the process• Protecting confidentiality• Non-retaliation policy• Scope of the issues to be addressed

17

PlanningPlanning

• Wallet cards• Posters• Screensavers• Letters• References in training

sessions• Intranet

• Newsletters• Payroll inserts• Brochures• Employee orientation• Code of Conduct• Contests/games

Communicating the process to employees and others

Investigative process including referrals (Ethics/ Compliance Office, IA, HR, OGC, Security, local management, outside investigators)

18

PlanningPlanning• Reporting requirements and protocols• Call tracking systems• Document retention• Reporting back to the caller• Measuring effectiveness of the system

– Surveys– Focus groups– Check with existing callers– Call volume

– Internal monitoring– Exit interviews– External assessments– Walk the halls

• Ultimate effectiveness measure =NO SURPRISES!

19

PlanningPlanning

• Reporting general results to employees

• Testing the outsource company

• Training those who answer the phone

• Don’t turn helpline on until you’re ready

20

PlanningPlanning• Remember a helpline or reporting mechanism is

just one piece of an effective ethics and compliance program– Standards and procedures to prevent criminal conduct– Oversight by high-level person(s)– Care in delegation of substantial discretionary

authority to individuals– Effective communication of standards and procedures– Reasonable steps taken to achieve compliance (e.g.,

reporting mechanisms, helpline)– Consistent enforcement of disciplinary mechanisms– Appropriate response after detection of an offense

21

Internal Audit RoleInternal Audit Role

• Conduct audits of ethics/compliance program

• Be represented on the Ethics/ Compliance Committee

• Partner with Ethics/Compliance on:– Program design and implementation– Annual Risk Assessment– Annual Audit Plan

22

Large Enterprise Approach

Helping the Audit Committee Handle Complaint Calls: A Working Model

Large Enterprise Approach

Helping the Audit Committee Handle Complaint Calls: A Working Model

Kimberly Gavaletz

VP, Internal Audit

Lockheed Martin Corporation

23

ComponentsComponents

• Tone at the Top

• Infrastructure

Culture of Ethics & Integrity

24

Tone at the TopTone at the Top

• Chairman of the Board

• Board of Directors

• Management

• Employees

Values

Ethics

Excellence

Can-Do

Integrity

People

Teamwork

25

InfrastructureInfrastructure

• Board of Directors:– Audit & Ethics Committee (A&E)

• Code of Conduct – www.lockheedmartin.com

• Ethics Officer– Reports to CEO and A&E Committee– Already Handles Overall Ethics Complaint Process

• Hotline, Ethics Officers in Business Areas

26

InfrastructureInfrastructure

• Quarterly Ethics Steering Committee– Chaired by COO– Business Areas & Corporate Represented

• Includes VP, Corporate Internal Audit

• Annual Mandatory Ethics Training

• Ongoing Internal Auditing Involvement– Policies/Training/Compliance/DII Auditing– Investigation Support– Monthly Meetings (Audit & Ethics Officers)

27

Complaint HandlingComplaint Handling

Code of Conduct Modified to Include:

How to Contact the Audit and Ethics Committee

The Audit and Ethics Committee of the Lockheed Martin Board of Directors has created a process for employees to use to transmit complaints to the Committee about accounting, internal controls, or auditing matters. This includes the confidential or anonymous submission of concerns regarding questionable accounting or auditing matters. If you wish to raise a question or concern or report a violation to the Audit and Ethics Committee, you should contact the Office of Ethics and Business Conduct at Corporate Headquarters. Your concern will be promptly communicated to the Chair of the Audit and Ethics Committee of the Board.

28

Complaint Handling Process

Complaint Handling Process

• Primary Contact: Corporate Ethics Officer – Works with Legal, Internal Audit and Others as

Appropriate to Investigate the Complaint

• Chairman of A&E Committee Notified of: – All Complaints Directed to the Audit Committee– Items Not Specifically Directed to A&E involving:

• Integrity of Financials• Significant Matters

• Investigation Results to A&E Committee

29

EthicsOfficer

Business Area

EthicsOffices

Complaint Process Flow

Hotline

Audit & Ethics

Chairman

Audit &

Ethics

Committee

Reported to A&E:

- Any Items Requested to go to A&E -

- Other Significant Items -

30

Small Company Handling Options

Small Company Handling Options

Donald T. Eichenauer, CPA

Partner

Bonadio & Co., LLP

31

ResponsibilitiesResponsibilities

• Audit Committee complaint responsibilities:– Receipt– Retention– Treatment

• Fiduciary responsibility and significant liability regarding complaint handling rests with the audit committee.

32

Audit Committee Dilemma at Many Companies

Audit Committee Dilemma at Many Companies

Once received, what do they do with the complaint?

33

Not all Public CompaniesNot all Public Companies

• Have an Independent Ethics and Compliance Office

• Have an in-house internal audit department

• Have an audit committee that is comfortable with handling the process through internal audit or other internal departments

34

Some Audit Committees have Responded by Establishing

Complaint Procedures that Include

Some Audit Committees have Responded by Establishing

Complaint Procedures that Include

• Providing home e-mail addresses of audit committee members

• Helpline forwarded to– audit committee member– internal audit– staff of CFO– other internal department

35

Issues to ConsiderIssues to Consider• Are the internal departments involved truly

independent?• Will the process protect confidentiality?• How is the course of treatment of the complaint

determined?• How is the administrative function and retention

handled?• Does the process instill the confidence of

employees?• Is the process sufficiently independent of

management?• Is the best interest of the company and the audit

committee achieved?

36

Processes Established to Assist Audit Committees

Fulfill Their Responsibilities

Processes Established to Assist Audit Committees

Fulfill Their Responsibilities

37

I – Independent Complaint Management

I – Independent Complaint Management

• Logging & control• Filtering and review with

audit committee• Forwarding for

handling/investigation• Ongoing monitoring• Retention of complaint &

documentation of handling

Complaints forwarded to independent third-party for:

38

II – Independent Complaint Process Oversight

II – Independent Complaint Process Oversight

• Complaints forwarded to internal audit or compliance department

• Complaints logged and filtered by a committee including independent third-party

• Committee initiates handling and reports complaints to the audit committee

39

SummarySummary

• Any helpline implementation requires planning, promoting, and monitoring

• Complaint process must meet independence test

• Tone at the Top is critically important