Helping Your Audit Committee Implement Complaint Handling
The Institute of Internal Auditors
Webcast Series on Sarbanes-Oxley Act
June 10, 2003
1:00 – 2:30 pm Eastern Time

The IIA Webcast Moderator
Jim Key, CIA
Managing Partner
Shenandoah Group, L.L.P

Disclaimer
The views expressed in this webcast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees and members.

Emerging Trends and Best Practices in Implementing SOA
• May 21 – Section 404 Readiness Review: How to document your system of internal control.
• June 10 – Helping your audit committee implement complaint handling
• July 8 – Leveraging the COSO framework to meet Section 404 requirements
• August 12 – Project Administration – Setting and revising priorities in the wake of the “Final 404 Rules”
• September 9 – Internal Audit support of Audit Committees – What works best
• September 30 – The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act

Sarbanes-Oxley: Implications and Impact for Internal Audit
• Seminar Offering: 2.5 Days
– Chicago, July 30 – August 1
– Seattle, August 4 – 6
– West Palm Beach, August 25 – 27
– Phoenix, September 10 – 12
– San Francisco, September 24 – 26
– Orlando, December 10 – 12
– New York, December 17 – 19

Other Resources
• IIA Web Page www.theiia.org
– Click on Guidance
– Click on Tools and Resources for Corporate Governance
   • IIA Position Papers
   • Responses to exposure drafts
   • IIA Research Foundation Master Key Series
   • The Sarbanes-Oxley legislation
   • Stock listing exchanges key requirements

SOA Section 301.4
Each audit committee shall establish procedures for:
1. The receipt, retention, and treatment of complaints received…regarding questionable accounting or auditing matters.
2. The confidential, anonymous submission by employees…of concern regarding questionable accounting or auditing matters.

Timeline to Implement 301.4
• Under the final rule effective April 25, 2003, listed issuers must be in compliance with the new listing rules by the earlier of their first annual shareholders meeting after January 15, 2004 or October 31, 2004.

Agenda
1:00 Welcome and Overview
1:10 How to Get Started – Maureen Mohlenkamp
1:20 Large Enterprise Approach – Kimberly Gavaletz
1:30 Small Company Handling Options – Don Eichenauer
1:40 Break
1:45 Questions and Answers – Panel
2:25 Wrap up – Jim Key

Helping the Audit Committee Implement Complaint Handling
Maureen Mohlenkamp
Senior Manager
Ethics and Corporate Compliance
Deloitte & Touche LLP

Reporting Systems are Strongly Encouraged
• Federal Sentencing Guidelines require companies to have in place and publicize a reporting system.
– “The hallmark of an effective program is that the organization exercises due diligence in seeking to prevent and detect criminal conduct by its employees and other agents.”

Reporting Systems are Strongly Encouraged
• Sarbanes-Oxley requires companies to establish “…procedures for the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters, as well as the confidential and anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”

How to Report Complaints or Ask Questions
1-800
Office Phone
E-mail or Web based
US Mail
Interoffice
In person
Fax
Slide under door

A Helpline Reporting System
• Provides a confidential place for employees to clarify policy and discuss or report concerns
• Provides a communications channel beyond the rumor mill
• Directs employee questions to the appropriate resource
• Is an opportunity to provide guidance before a poor decision is made
• Provides an early warning system of issues or problem locations
• Is the last internal stop for whistleblowers

Implementing a Helpline: Some Things to Consider
• One line vs. two lines
• Answered:
– In-house
– External
– Both
• Cost of outside services for a large company may be about $1 per employee per year
• Outside services allow 24/7/365 service
• Available to non-employees
• International access
• Locations and hours of your workforce

Planning
• Who answers the phone
• Hours of operation
• Types of calls you will take
• Handling anonymous calls
• Impact of collective bargaining agreements
• Standards of quality in the process
• Protecting confidentiality
• Non-retaliation policy
• Scope of the issues to be addressed

Planning
• Communicating the process to employees and others
– Wallet cards
– Posters
– Screensavers
– Letters
– References in training sessions
– Intranet
– Newsletters
– Payroll inserts
– Brochures
– Employee orientation
– Code of Conduct
– Contests/games
• Investigative process including referrals (Ethics/Compliance Office, IA, HR, OGC, Security, local management, outside investigators)

Planning
• Reporting requirements and protocols
• Call tracking systems
• Document retention
• Reporting back to the caller
• Measuring effectiveness of the system
– Surveys
– Focus groups
– Check with existing callers
– Call volume
– Internal monitoring
– Exit interviews
– External assessments
– Walk the halls
• Ultimate effectiveness measure = NO SURPRISES!

Planning
• Reporting general results to employees
• Testing the outsource company
• Training those who answer the phone
• Don’t turn helpline on until you’re ready

Planning
• Remember a helpline or reporting mechanism is just one piece of an effective ethics and compliance program
– Standards and procedures to prevent criminal conduct
– Oversight by high-level person(s)
– Care in delegation of substantial discretionary authority to individuals
– Effective communication of standards and procedures
– Reasonable steps taken to achieve compliance (e.g., reporting mechanisms, helpline)
– Consistent enforcement of disciplinary mechanisms
– Appropriate response after detection of an offense

Internal Audit Role
• Conduct audits of ethics/compliance program
• Be represented on the Ethics/Compliance Committee
• Partner with Ethics/Compliance on:
– Program design and implementation
– Annual Risk Assessment
– Annual Audit Plan

Large Enterprise Approach
Helping the Audit Committee Handle Complaint Calls: A Working Model
Kimberly Gavaletz
VP, Internal Audit
Lockheed Martin Corporation

Components
• Tone at the Top
• Infrastructure
Culture of Ethics & Integrity

Tone at the Top
• Chairman of the Board
• Board of Directors
• Management
• Employees
Values
Ethics
Excellence
Can-Do
Integrity
People
Teamwork

Infrastructure
• Board of Directors:
– Audit & Ethics Committee (A&E)
• Code of Conduct – www.lockheedmartin.com
• Ethics Officer
– Reports to CEO and A&E Committee
– Already Handles Overall Ethics Complaint Process
• Hotline, Ethics Officers in Business Areas

Infrastructure
• Quarterly Ethics Steering Committee
– Chaired by COO
– Business Areas & Corporate Represented
   • Includes VP, Corporate Internal Audit
• Annual Mandatory Ethics Training
• Ongoing Internal Auditing Involvement
– Policies/Training/Compliance/DII Auditing
– Investigation Support
– Monthly Meetings (Audit & Ethics Officers)

Complaint Handling
Code of Conduct Modified to Include:
How to Contact the Audit and Ethics Committee
The Audit and Ethics Committee of the Lockheed Martin Board of Directors has created a process for employees to use to transmit complaints to the Committee about accounting, internal controls, or auditing matters. This includes the confidential or anonymous submission of concerns regarding questionable accounting or auditing matters. If you wish to raise a question or concern or report a violation to the Audit and Ethics Committee, you should contact the Office of Ethics and Business Conduct at Corporate Headquarters. Your concern will be promptly communicated to the Chair of the Audit and Ethics Committee of the Board.

Complaint Handling Process
• Primary Contact: Corporate Ethics Officer
– Works with Legal, Internal Audit and Others as Appropriate to Investigate the Complaint
• Chairman of A&E Committee Notified of:
– All Complaints Directed to the Audit Committee
– Items Not Specifically Directed to A&E involving:
   • Integrity of Financials
   • Significant Matters
• Investigation Results to A&E Committee

Complaint Process Flow
[Flow diagram. Box labels: Hotline; Business Area Ethics Offices; Ethics Officer; Audit & Ethics Chairman; Audit & Ethics Committee]
Reported to A&E:
- Any Items Requested to go to A&E
- Other Significant Items

Small Company Handling Options
Donald T. Eichenauer, CPA
Partner
Bonadio & Co., LLP

Responsibilities
• Audit Committee complaint responsibilities:
– Receipt
– Retention
– Treatment
• Fiduciary responsibility and significant liability regarding complaint handling rests with the audit committee.

Audit Committee Dilemma at Many Companies
Once received, what do they do with the complaint?

Not all Public Companies
• Have an Independent Ethics and Compliance Office
• Have an in-house internal audit department
• Have an audit committee that is comfortable with handling the process through internal audit or other internal departments

Some Audit Committees have Responded by Establishing Complaint Procedures that Include
• Providing home e-mail addresses of audit committee members
• Helpline forwarded to
– audit committee member
– internal audit
– staff of CFO
– other internal department

Issues to Consider
• Are the internal departments involved truly independent?
• Will the process protect confidentiality?
• How is the course of treatment of the complaint determined?
• How is the administrative function and retention handled?
• Does the process instill the confidence of employees?
• Is the process sufficiently independent of management?
• Is the best interest of the company and the audit committee achieved?

Processes Established to Assist Audit Committees Fulfill Their Responsibilities

I – Independent Complaint Management
Complaints forwarded to independent third-party for:
• Logging & control
• Filtering and review with audit committee
• Forwarding for handling/investigation
• Ongoing monitoring
• Retention of complaint & documentation of handling

II – Independent Complaint Process Oversight
• Complaints forwarded to internal audit or compliance department
• Complaints logged and filtered by a committee including independent third-party
• Committee initiates handling and reports complaints to the audit committee

Summary
• Any helpline implementation requires planning, promoting, and monitoring
• Complaint process must meet independence test
• Tone at the Top is critically important