Title: Helping Your Audit Committee Implement Complaint Handling
1Helping Your Audit Committee Implement Complaint
Handling
- The Institute of Internal Auditors
- Webcast Series on Sarbanes-Oxley Act
- June 10, 2003
- 100 230 pm Eastern Time
2The IIA Webcast Moderator
- Jim Key, CIA
- Managing Partner
- Shenandoah Group, L.L.P
3Disclaimer
- The views expressed in this web cast are
solely those of the panelists and moderators and
do not necessarily reflect the views or policies
of the Institute of Internal Auditors or its
directors, officers, employees and members.
4Emerging Trends and Best Practices in
Implementing SOA
- May 21 Section 404 Readiness Review How to
document your system of internal control. - June 10 - Helping your audit committee implement
complaint handling - July 8 Leveraging the COSO framework to meet
Section 404 requirements - August 12 Project Administration Setting and
revising priorities in the wake of the Final 404
Rules - September 9 Internal Audit support of Audit
Committees What works best - September 30 The Road Ahead Meeting the
challenges in complying with The Sarbanes-Oxley
Act
5Sarbanes-Oxley Implications and Impact for
Internal Audit
- Seminar Offering 2.5 Days
- Chicago, July 30 August 1
- Seattle, August 4 6
- West Palm Beach, August 25 27
- Phoenix, September 10 12
- San Francisco, September 24 26
- Orlando, December 10 12
- New York, December 17 - 19
6Other Resources
- IIA Web Page www.theiia.org
- Click on Guidance
- Click on Tools and Resources for Corporate
Governance - IIA Position Papers
- Responses to exposure drafts
- IIA Research Foundation Master Key Series
- The Sarbanes-Oxley legislation
- Stock listing exchanges key requirements
7SOA Section 301.4
- Each audit committee shall establish procedures
for - The receipt, retention, and treatment of
complaints receivedregarding questionable
accounting or auditing matters. - The confidential, anonymous submission by
employeesof concern regarding questionable
accounting or auditing matters.
8Timeline to Implement 301.4
- Under the final rule effective April 25, 2003,
listed issuers must be in compliance with the new
listing rules by the earlier of their first
annual shareholders meeting after January 15,
2004 or October 31, 2004.
9Agenda
- 100 Welcome and Overview
- 110 How to Get Started Maureen Mohlenkamp
- 120 Large Enterprise Approach Kimberly
Gavaletz - 130 Small Company Handling Options Don
Eichenauer - 140 Break
- 145 Questions and Answers Panel
- 225 Wrap up Jim Key
10Helping the Audit CommitteeImplement Complaint
Handling
- Maureen Mohlenkamp
- Senior Manager
- Ethics and Corporate Compliance
- Deloitte Touche LLP
11Reporting Systems are Strongly Encouraged
- Federal Sentencing Guidelines require companies
to have in place and publicize a reporting
system. - The hallmark of an effective program is that the
organization exercises due diligence in seeking
to prevent and detect criminal conduct by its
employees and other agents.
12Reporting Systems are Strongly Encouraged
- Sarbanes-Oxley requires companies to establish
procedures for the receipt, retention, and
treatment of complaints received by the issuer
regarding accounting, internal accounting
controls, or auditing matters, as well as the
confidential and anonymous submission by
employees of the issuer of concerns regarding
questionable accounting or auditing matters.
13How to Report Complaints or Ask Questions
1- 800
Office Phone
Interoffice
Slide under door
US Mail
Fax
In person
E-mail or Web based
14A Helpline Reporting System
- Provides a confidential place for employees to
clarify policy and discuss or report concerns - Provides a communications channel beyond the
rumor mill - Directs employee questions to the appropriate
resource - Is an opportunity to provide guidance before a
poor decision is made - Provides an early warning system of issues or
problem locations - Is the last internal stop for whistleblowers
15Implementing a Helpline Some Things to Consider
- One line vs. two lines
- Answered
- In-house
- External
- Both
- Cost of outside services for a large company may
be about 1 per employee per year - Outside services allow 24/7/365 service
- Available to non-employees
- International access
- Locations and hours of your workforce
16Planning
- Who answers the phone
- Hours of operation
- Types of calls you will take
- Handling anonymous calls
- Impact of collective bargaining agreements
- Standards of quality in the process
- Protecting confidentiality
- Non-retaliation policy
- Scope of the issues to be addressed
17Planning
Communicating the process to employees and others
- Wallet cards
- Posters
- Screensavers
- Letters
- References in training sessions
- Intranet
- Newsletters
- Payroll inserts
- Brochures
- Employee orientation
- Code of Conduct
- Contests/games
Investigative process including referrals
(Ethics/ Compliance Office, IA, HR, OGC,
Security, local management, outside investigators)
18Planning
- Reporting requirements and protocols
- Call tracking systems
- Document retention
- Reporting back to the caller
- Measuring effectiveness of the system
- Surveys
- Focus groups
- Check with existing callers
- Call volume
- Internal monitoring
- Exit interviews
- External assessments
- Walk the halls
- Ultimate effectiveness measure NO SURPRISES!
19Planning
- Reporting general results to employees
- Testing the outsource company
- Training those who answer the phone
- Dont turn helpline on until youre ready
20Planning
- Remember a helpline or reporting mechanism is
just one piece of an effective ethics and
compliance program - Standards and procedures to prevent criminal
conduct - Oversight by high-level person(s)
- Care in delegation of substantial discretionary
authority to individuals - Effective communication of standards and
procedures - Reasonable steps taken to achieve compliance
(e.g., reporting mechanisms, helpline) - Consistent enforcement of disciplinary mechanisms
- Appropriate response after detection of an offense
21Internal Audit Role
- Conduct audits of ethics/compliance program
- Be represented on the Ethics/ Compliance
Committee - Partner with Ethics/Compliance on
- Program design and implementation
- Annual Risk Assessment
- Annual Audit Plan
22Large Enterprise ApproachHelping the Audit
Committee Handle Complaint Calls A Working Model
- Kimberly Gavaletz
- VP, Internal Audit
- Lockheed Martin Corporation
23Components
- Tone at the Top
- Infrastructure
Culture of Ethics Integrity
24Tone at the Top
- Chairman of the Board
- Board of Directors
- Management
- Employees
Ethics Excellence Can-Do Integrity People Te
amwork
Values
25Infrastructure
- Board of Directors
- Audit Ethics Committee (AE)
- Code of Conduct
- www.lockheedmartin.com
- Ethics Officer
- Reports to CEO and AE Committee
- Already Handles Overall Ethics Complaint Process
- Hotline, Ethics Officers in Business Areas
26Infrastructure
- Quarterly Ethics Steering Committee
- Chaired by COO
- Business Areas Corporate Represented
- Includes VP, Corporate Internal Audit
- Annual Mandatory Ethics Training
- Ongoing Internal Auditing Involvement
- Policies/Training/Compliance/DII Auditing
- Investigation Support
- Monthly Meetings (Audit Ethics Officers)
27Complaint Handling
- Code of Conduct Modified to Include
How to Contact the Audit and Ethics
Committee The Audit and Ethics Committee of the
Lockheed Martin Board of Directors has created a
process for employees to use to transmit
complaints to the Committee about accounting,
internal controls, or auditing matters. This
includes the confidential or anonymous submission
of concerns regarding questionable accounting or
auditing matters. If you wish to raise a
question or concern or report a violation to the
Audit and Ethics Committee, you should contact
the Office of Ethics and Business Conduct at
Corporate Headquarters. Your concern will be
promptly communicated to the Chair of the Audit
and Ethics Committee of the Board.
28Complaint Handling Process
- Primary Contact Corporate Ethics Officer
- Works with Legal, Internal Audit and Others as
Appropriate to Investigate the Complaint - Chairman of AE Committee Notified of
- All Complaints Directed to the Audit Committee
- Items Not Specifically Directed to AE involving
- Integrity of Financials
- Significant Matters
- Investigation Results to AE Committee
29Complaint Process Flow
Audit Ethics Chairman
Ethics Officer
Audit Ethics Committee
Hotline
Business Area Ethics Offices
Reported to AE - Any Items Requested to go to
AE - - Other Significant Items -
30Small Company Handling Options
- Donald T. Eichenauer, CPA
- Partner
- Bonadio Co., LLP
31Responsibilities
- Audit Committee complaint responsibilities
- Receipt
- Retention
- Treatment
- Fiduciary responsibility and significant
liability regarding complaint handling rests with
the audit committee.
32Audit Committee Dilemma at Many Companies
- Once received, what do they do with the complaint?
33Not all Public Companies
- Have an Independent Ethics and Compliance Office
- Have an in-house internal audit department
- Have an audit committee that is comfortable with
handling the process through internal audit or
other internal departments
34Some Audit Committees have Responded by
Establishing Complaint Procedures that Include
- Providing home e-mail addresses of audit
committee members - Helpline forwarded to
- audit committee member
- internal audit
- staff of CFO
- other internal department
35Issues to Consider
- Are the internal departments involved truly
independent? - Will the process protect confidentiality?
- How is the course of treatment of the complaint
determined? - How is the administrative function and retention
handled? - Does the process instill the confidence of
employees? - Is the process sufficiently independent of
management? - Is the best interest of the company and the audit
committee achieved?
36Processes Established to Assist Audit Committees
Fulfill Their Responsibilities
37I Independent Complaint Management
Complaints forwarded to independent third-party
for
- Logging control
- Filtering and review with audit committee
- Forwarding for handling/investigation
- Ongoing monitoring
- Retention of complaint documentation of handling
38II Independent Complaint Process Oversight
- Complaints forwarded to internal audit or
compliance department - Complaints logged and filtered by a committee
including independent third-party - Committee initiates handling and reports
complaints to the audit committee
39Summary
- Any helpline implementation requires planning,
promoting, and monitoring - Complaint process must meet independence test
- Tone at the Top is critically important