Can Auditors Become Whistleblowers Under the SEC's New Program?

When the Securities and Exchange Commission adopted its controversial new whistleblower rules in May, it incorporated language that excludes outside auditors from participating in the program. But now some corporate lawyers say the rules contain plenty of loopholes that auditors could use to bring complaints against clients to the SEC in pursuit of hefty rewards.

The whistleblower program gives anyone with direct knowledge of corporate misdeeds a new financial incentive to report them directly to the SEC. Whistleblowers can earn up to 30 percent of what the agency ultimately collects in sanctions if regulators settle a legitimate violation for more than $1 million. Critics of the bounty system, including members of the SEC itself, say would-be whistleblowers now have a big incentive to bypass corporate whistleblowing programs in pursuit of the monetary reward.

Initially companies focused on the implications of their own employees becoming whistleblowers. Now some law firms are calling attention to important caveats written into the rule that give even auditors—the firms that companies hire to inspect the accuracy of financial statements in the first place—the opportunity to collect the reward. Companies are sure to wonder whether an audit firm that disagrees with a close call on an accounting judgment might take it to the SEC, says Steven Scholes, a partner with the law firm McDermott Will & Emery.

The SEC generally excluded auditors from qualifying whistleblowers under the rule if they learn of issues as a result of their audit duties. (It also excluded attorneys, including in-house counsel, and compliance officers in most situations.) But the SEC also included some important exceptions that open the door for auditors to take their concerns straight to the SEC. “The net result is that auditors are able to become whistleblowers in some circumstances,” says David Woodcock, a securities litigation and enforcement partner with law firm Vinson & Elkins.

The exceptions essentially create four possible avenues by which auditors can become whistleblowers, says Keith Bishop, a partner in the corporate and securities practice at law firm Allen Matkins. First, auditors can blow the whistle if they are seeking to prevent something that could cause substantial injury to investors. “This one is prospective,” Bishop says. “It's not going to apply when the house is already burned down. It only applies if you see someone run up to the house with a gallon of gas and a lighted torch.”

Auditors can also potentially get a reward if they report actions that are meant to impede an investigation: shredding documents, destroying evidence, or deleting computer records, Bishop says. Third is the “timeout” exception, where auditors can blow the whistle if they raise a concern to a company but see no investigative or corrective action in 120 days to address it. Finally, they can blow the whistle on their own audit firm and collect the bounty if it leads to action against a client of the audit firm.

The rule states that auditors are still obligated under Section 10A of the Securities Exchange Act to report any illegal acts they discover, and the whistleblower rules remind them of that longstanding duty. The point, Woodcock says, is that an auditor should not be permitted to benefit personally by choosing not to comply with his obligations under Section 10A. Rather, the idea is to strike a balance between drawing out high-quality tips, but not paying windfalls to auditors simply for doing their jobs.

“The implications are that in most cases, an auditor is not going to be able to become a whistleblower if the public accounting firm and the issuer take the actions they are required to take once reportable information is submitted to them,” he says.

Among auditors, “there's a very significant question about what does this mean for us? What's our role now? It's an unanswered question.”

—Laura Flippin,

Partner,

DLA Piper

The Public Company Accounting Oversight Board hasn't issued any formal guidance on how auditors can comply with their existing obligations while also reporting actions under the new rules. Spokesman Colleen Brennan, however, said auditors are already bound by a long list of auditing standards to report illegal actions or concerns, beyond Section 10A. She cited PCAOB's standards at AU Sections 150, 316, 317, 508, 561, and others. “We continue to expect auditors to make disclosures required by PCAOB standards and relevant statutes on a timely basis,” she said. She also pointed out the PCAOB hosts a tips center for auditors to report concerns.

Conflicting Interests

The Center for Audit Quality says it raised concerns with the SEC during the rulemaking process about the headache auditors would have under the whistleblower rules compared with professional and regulatory standards regarding confidentiality, integrity, and other ethical obligations. Accountants generally are required under state laws where they are licensed to observe confidentiality over client matters. The CAQ also worries the new rules will complicate auditors' efforts to be candid with their clients and with one another, says CAQ spokesman Jay Hyde.

CAQ COMMENTS

Below is an excerpt from the Center for Audit Quality's letter to the Securities and Exchange Commission regarding the whistleblower provisions proposal:

The Center is concerned that the 90-day “grace period” and potential “credit” for first utilizing employer compliance processes will not sufficiently encourage potential whistleblowers to report first through a company's internal reporting process. The CAQ strongly urges the SEC in its final rules to, at a minimum, require concurrent whistleblower reporting to the company and the Commission as a condition for an award. A failure or delay in the communication of whistleblower reports of potential securities violations to registrants may reduce their ability and the ability of their independent accountants to rely on the efficacy of company internal control systems and could adversely impact registrants' and independent accountants' evaluations of internal control over financial reporting (ICFR) under sections 404(a) and 404(b) of the Sarbanes-Oxley Act of 2002 (SOX). It may also adversely affect the accuracy of registrants' financial reporting. This could have significant negative consequences for investors, registrants, and the audit process alike.

Further, the CAQ supports the SEC's Proposed Rules to the extent that they will not permit whistleblower awards to independent public accountants who report information about a company obtained through the performance of an engagement required under the securities laws. We are concerned, however, that the Proposed Rules do not go far enough in excluding independent public accountants from obtaining whistleblower awards from the SEC in two respects.

As suggested in the Release, the CAQ believes the final rules should clearly and explicitly exclude awards to independent public accountants for information gained through the performance of all engagements (such as permitted non-audit services) for the same company for which the independent public accountant also performs an engagement required under the securities laws.

The CAQ has concerns about the Proposed Rules to the extent that they permit whistleblower awards for information reported by an independent public accountant regarding his or her firm's performance of services related to an engagement required under the securities laws (i.e., whistleblower reporting by an accountant with respect to his or her own firm's performance of services) ...

Source: Center for Audit Quality.

Those may be concerns for the profession, but not the SEC, Bishop says. The rules specifically tell auditors they can still get a bounty even if they have to violate local client confidentiality rules to raise a red flag to the SEC. “The SEC's goal is to enforce federal securities laws,” Bishop said. “They're basically saying we don't care about local confidentiality rules.”

Still, the confidentiality rules should give auditors plenty of reason to think carefully about blowing a whistle in hopes of collecting a reward, Bishop continues. Auditors could conceivably report a concern to the SEC that goes nowhere, then face disciplinary proceedings from state officials for violating confidentiality rules. “There's a lot of uncertainty there,” he says. “It could be a big risk.”

Apart from the clear avenues auditors have to blow the whistle, some murky back alleys may be out there as well. Andrew Wise, a partner with law firm Miller & Chevalier, says the exceptions for auditors in the new rule are broad and have plenty of room for interpretation. “This puts auditors in a very tenable position,” he says. Companies need to establish clear lines for reporting concerns and act on them expeditiously to reduce the risk that the SEC will get involved with an issue before it can be addressed internally. “This is going to put companies on the clock,” he says.

Generally, it will put companies and auditors alike on high alert, says Laura Flippin, a partner with law firm DLA Piper. It may change how auditors record information, and it may make companies more cautious about providing information to auditors. Among auditors, “there's a very significant question about what does this mean for us?” she says. “What's our role now? It's an unanswered question. We're all thinking about it in the industry right now and I don't know that we have any great answers.”