United States: When Can The Independent Auditor Become An Sec Whistleblower?

The Dodd-Frank Act created the opportunity for whistleblowers to earn potential multi-million dollar awards for information leading to major SEC cases. The SEC's explanation of its so-called "Final Rule," set forth in nearly 300 pages of complex commentary, is basically "pro whistleblower." The SEC largely resisted the pressure of the business lobby to force whistleblowers to "report up" through company compliance programs, which could have severely restricted the impact of the law.

Virtually unknown, but among the most potent of the whistleblower rule's provisions, is the opportunity it provides for outside auditors to become whistleblowers, not just against clients but also against their own audit firms. Imagine the kind of whistleblower the SEC would most welcome: an intelligent professional with direct knowledge of corporate financial improprieties as a "virtual insider" because of his or her direct access to top management and the books and records of the company. The "gatekeeper" who best fits this description is the independent auditor.

Even so, the Dodd-Frank law and the SEC Final Rule specifically say auditors are not allowed to be whistleblowers when the source of their information is obtained from audits required to be undertaken under the federal securities laws and the whistleblower submission would be "contrary to Section 10A" of the securities laws. As we discuss below, Section 10A, which requires auditors to investigate illegal acts by clients, plays a pivotal role in the determination of auditor whistleblower eligibility.

Likewise, auditors retained to perform "compliance or internal audit functions" for a company, or information learned by an accountant at a firm retained "to conduct an inquiry or investigation into possible violations of law" are not eligible for whistleblower awards. In these respects then, the accounting profession would appear to have joined the ranks of attorneys in being legally banned from obtaining an SEC whistleblowing award in most cases.¹

Exceptions, Exclusions and other Loopholes: When Auditors Can Be Whistleblowers

But, as with most government regulation, all is not as it may initially appear. With respect to auditor whistleblowing, what Dodd-Frank hath taken away the SEC hath given back, at least in part, through the arcane world of federal regulations. In its Final Rule,² the SEC carved out several exceptions to the auditor whistleblower ban which open a back door for auditors to qualify as whistleblowers for reporting to the SEC their client's, as well in some cases their own audit firm's, violation of the securities laws and professional standards. For example, the Final Rule states that external auditors of non-issuers not subject to Section 10A (such a broker dealers and investment advisors) may "blow the whistle" directly to the SEC in several circumstances:

1. If the auditor has "a reasonable basis to believe" that disclosure is necessary to prevent the client entity from "engaging in conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors"; or

2. The auditor "has a reasonable basis to believe that the relevant entity is engaging in conduct that will impede an investigation of the misconduct", or

3. If 120 days or more have passed since the auditor-whistleblower provided the information to the relevant entity's audit committee, chief legal officer, chief compliance officer (or their equivalents), or the whistleblower's supervisor, or since the whistleblower received the information under circumstances indicating any of these parties "was already aware of the information."³

For the "substantial injury" exception to apply the SEC rule explains that the agency "expects" that the whistleblower can show that management is aware of the "imminent violation" and is not taking steps to prevent it; thus informing the SEC must be "necessary to prevent the entity from engaging in that conduct."

Significantly, and a distinction particularly meaningful for auditors, the suspected violation need not be "material"; the SEC will not require auditors to make what is essentially a legal judgment. The key is a reasonable belief they are preventing conduct likely to cause substantial injury to financial interests or property of the client entity or its investors. The key to the exception is ongoing or prospective, not fully completed, bad conduct, unless there is some form of cover up of bad conduct currently taking place, as is frequently the case.

Likewise, the "impeding the investigation" exception can apply if the client is "destroying documents, improperly influencing witnesses", or engaging "in other improper conduct that may hinder [the SEC's] investigation." This is a wide-open exception that is often present in one form or another in many financial fraud cases. It can encompass efforts to alter records or influence witnesses in internal investigations. Or it may simply involve top managers frustrating investigative efforts of the auditor or others. In just about every accounting fraud or malpractice case I have litigated, the auditors complain of being kept in the dark or getting the run-around from management. This conduct, if true, would probably be enough to qualify the auditor who discloses such management stonewalling to the auditors as an SEC whistleblower under this exception, assuming the SEC ultimately finds fraud.

How Narrow are the Exceptions Allowing Auditor Whistleblowing?

As noted, however, the exceptions described above appear to apply only to audits of non-issuers, audits subject to Rule 21F-8(c)(4) not being covered. That part of the Rule, tracking the language of the Dodd Frank act, bans whistleblowing with information obtained in an audit of a company's financial statements when making the submission would violate Section 10A of the Exchange Act (15 U.S.C. Sec. 78j-a). That section covers audits of public companies. But this begs the question: when is a whistleblower submission contrary to Section 10A? How will the SEC go about deciding this? Are there any circumstances in which auditors of public companies can become whistleblowers because providing their information directly to the SEC would not violate Section 10A? Although the SEC has said publicly, and the law indicates, that it may be difficult for auditors of public company issuers to qualify as whistleblowers, the SEC's regulations suggest otherwise. Buried in its lengthy Implementation Release explaining the Final Rule, the SEC appears to have answered the Section 10A question in a way favoring whistleblowers (Release No. 34-64545, pages 145-6, and 76 Federal Register 34336):

"Finally, [an auditor] submission is not contrary to 10A-even where the 21F-8(c)(4) exception would otherwise apply" where the whistleblower has a reasonable basis to believe either of the following: (i) The disclosure of the information to the Commission is necessary to prevent the relevant entity from committing a material violation of the securities laws that is likely to cause substantial injury to the financial interest or property of the entity or investors; or (ii) the relevant entity is engaging in conduct that will impede an investigation of misconduct even if the submission does not contain an allegation of audit firm wrongdoing." (emphasis added).

Thus, the SEC repeats, in essence, two of the same three exceptions it formally places in the Final Rule as applying to audits of non-issuers, but surgically removes them from the Dodd-Frank law's prohibition on auditor whistleblowing on issuers by declaring that disclosure of such information to the SEC "is not contrary to 10A." The italicized language above underscores the significance of the exception" auditors do not have to allege their own firm has committed a Section 10A violation to make a claim against the client, as long as one of the two exceptions described is arguably present. Not having to allege a Section 10A violation by his own audit firm, even if the SEC ultimately determines the firm has committed one, removes perhaps the primary impediment that would deter an auditor from making the disclosure. The only change from the Rule's statement of those exceptions appears to be use of the word "material," for in the SEC Interpretative Release as noted above, the SEC indicated it would not require the auditor to decide if the information is "material." This may be, as we used to say in law school, a "distinction without a difference." In my experience, when it comes to accounting fraud, the SEC ultimately thinks just about everything that smells of fraud is material.

As to the third, and arguably the broadest exception, the "120 day" waiting period to the auditor exclusion in the case of non-issuers, the SEC then explained in a rather cryptic footnote, number 315, at 76 Federal Register 34336:

"We have not adopted the 120-day exclusion...because we believe it is unnecessary here. Section 10A provides that if an issuer fails to report to the Commission any securities law violation discovered in the course of the Section 10A audit, the independent public accounting firm must do so. The firm's failure to promptly report the information to the Commission constitutes a violation of Section 10A. A whistleblower may at any point thereafter report this Section 10A violation to the Commission, and thus become eligible for an award based on a covered action against the public accountant or the issuer." (emphasis in original).

So, for example, if an audit team member discusses with a superior, or enters into her electronic workpapers, a description of what she "reasonably" believes is improper or illegal client activity, thus notifying senior members of her audit team of the issue, the junior auditor has a choice: if the information involves ongoing or likely imminent financial harm to the audit client, or there is evidence of the client's engaging in conduct that will impede an investigation into the misconduct, the auditor can proceed directly to the SEC. If these factors are either not present or in dispute, or may be difficult for the auditor to prove, the auditor can lay back and see how the Section 10A obligation to investigate is addressed by the audit firm and management. If nothing appears to be happening, the auditor is free to pull the SEC trigger at any time, relying on "footnote 315."

The Many Ways The Auditor Can Find Fraud

How is an auditor likely to run across information that may fit into these exceptions? It may come up in a conversation with a mid-level manager regarding some questionable accounting treatment, unusual period end or beginning entries (such as creation or reversal of reserves), unusual "top-side" entries, or discovery of questionable payments to third-parties who may be acting as conduits for payment to public officials, thus violating the Foreign Corrupt Practices Act. Maybe a mid-level manager required to file a SOX certification form will "privately" express misgivings. Sometimes auditors see or are copied on emails which reveal unguarded comments from managers. Sometimes the CFO, the Controller, or some other key member of upper management will become unavailable or evasive with the audit team. Sometimes another auditor in the firm (or a friend in a prior firm) who had previously audited the client will warn the auditor on the new team to watch out for some squirrely person or practice on his new account. It can happen in countless ways, and just about any auditor who has been around for a while can relate his or her own "war story."

Sometimes these issues are raised in the annual audit team "brainstorming" session that is supposed to occur pursuant to SAS 99 and 109. If these sessions identify areas of potential fraud or other illegality, there will be need for follow-up by the auditors, which may or may not occur. More often than audit firms care to admit, these kinds of "theoretical" allegations do arise in private meetings of the team but are ignored or buried by senior auditors sensitive to business retention concerns. A frustrated junior auditor may eventually decide her career is not worth the sleepless nights (see below), and decide to take action.

While not every auditor's situation will fit into the whistleblower exceptions, many will. Virtually any wrongdoing of any substance at a public company which is ongoing or may impact past or future financial statements can have the potential of "substantial injury" to shareholders. In the case of a valid, substantive allegation, hopefully the SEC will be reluctant to discourage whistleblowing by being too technical or stingy when it comes to rewarding what it should herald as courageous behavior aimed at enforcing the securities laws. The SEC, and the PCAOB, have repeatedly emphasized the important gatekeeping role auditors play. Besides, to be blunt, the SEC currently has about half-a-billion dollars to award (and has, as of late into 2012, made just one small whistleblower award). The SEC has every incentive to start rolling out big awards soon, and should be eager to reward courageous auditors who know of what they speak and have the documents to prove it.

How Should the Auditor Respond to Information Regarding Illegal Acts?

In cases of immediate financial harm and/or acts of obstruction (shredding, intimidation of witnesses, altering of documents), the auditor whistleblower, whether auditing an issuer or non-issuer, can go directly to the SEC. This also avoids the inconvenience and complications of claiming the auditor's firm is violating Section 10A as well, although we have seen above that, depending on the circumstances, that claim may naturally flow from the claim against the client.

Nevertheless, going right to the SEC is risky, as the SEC may frown on the auditor's failure to go up the chain within the firm and at least give the firm the chance to do the right thing and formally consider a Section 10A investigation. Likewise, the audit firm will presumably be unhappy with its junior auditor for running to the SEC. The assumption by the firm will probably be this was done for the money. In general, it may pay, literally and otherwise, to try reporting up within the audit firm, to see how they react. It is important to document that reporting up. It also helps to be familiar with the requirements placed on the firm by Section 10A. On the other hand, senior managers or partners in the audit firm have demonstrably known about the client issue, and the client's actions have reached the point where the illegal acts clearly involve imminent harm and/or obstruction (e.g. an ongoing scheme to materially cook the books, ponzi scheme, an ongoing foreign bribery program, etc.) it may be worth it for the auditor to bypass the firm and quickly establish one's claim for an award directly with the SEC. Footnote 315 would certainly indicate the auditor can make his whistleblower claim directly to the SEC, and cast his claim both against the client and as one against the audit firm for violating Section 10A. It would be prudent to consult a lawyer on this decision, for it has career and financial consequences for the auditor.

To the SEC, in the case of the auditor who has reported up the chain, the key issue may be whether those properly communicated concerns should have caused his firm to initiate the 10A process. What the would-be auditor-whistleblower has to avoid is running to the SEC before the Sec. 10A process has a demonstrable chance to work, unless he had a convincing reason not to do so. Precipitous action could put him squarely within the Dodd Frank prohibition on auditor whistleblowing. The SEC may be anxious in the early cases not to appear to be encouraging auditors to bypass their firm's reporting processes. If the SEC concludes that the use of the information constituting the tip "is contrary to Sec. 10A," the whistleblower claim, no matter how credible, may nevertheless be doomed from the outset.

However, when the auditor's tip is "specific and credible" and is "one made in good faith and is not a pretext for circumventing the requirements of Section 10A," the SEC is likely to approve it for an award, provided the penalty threshold is met. It does not hurt that for years the SEC staff has privately suspected that too few audit firms are willing to make Sec. 10A allegation against a client when they are required to do so, presumably for fear of losing the account, or being forced to resign. The whistleblower auditor who credibly alleges that his firm has failed to follow Section 10A may be received with open arms at the SEC.⁴

Blowing the Whistle on Your Audit Firm: Understanding Section 10A

As we have noted above, the new SEC rule, tracking the language of the Dodd Frank Act itself, specifies that no auditor whistleblowing is allowed which "would be contrary to the requirements of Section 10A" of the Exchange Act. Thus, if an auditor personally was responsible for the firm's failure to comply with Sec. 10A, such as a failure to file a Sec. 10A report or trigger a Sec. 10A investigation, but instead runs to the SEC with a whistleblower claim, the auditor will not qualify as a whistleblower. Although this article cannot undertake a detailed analysis of that provision, it is useful for the potential auditor-whistleblower to have some understanding of its requirements.

The risk for audit firms in the new SEC whistleblower rule is that any auditor on the audit team or familiar with the client can make a whistleblower claim not only against the client but also against his own audit firm for a violation of Section 10A. If such a claim also leads to a successful SEC case against the client, the auditor can obtain an award based on the financial penalties assessed against both client and audit firm. The financial potential for such a "double dip" may be enough to convince an erstwhile auditor to make the claims, perhaps motivated by the desire to save the firm from the actions of a few of its members.

Section 10A requires the external auditor to direct management to commence an investigation into any allegation of illegal acts by the audit client. Illegal act is broadly defined to mean "an act or omission that violates any law, or any rule or regulation having the force of law." This covers the entire universe of civil and criminal law and regulations, including violation of PCAOB rules by the auditor's firm. The act must initially be investigated unless it is "clearly inconsequential." It need not be material to the financial statements on its face. It can even include "personal misconduct by the entity's personnel unrelated to their business activities." As the Chief Accountant of the SEC's Enforcement Division has warned (see footnote 4 above): "Whenever we investigate alleged accounting fraud, not only will we assess audit deficiencies, but we will be assessing Section 10A compliance."

Section 10A puts substantial discretion, and significant responsibility, upon the audit firm. If the client does not conduct a bona fide investigation of the auditor's allegations of illegal acts, the audit firm must report to the company's board if it finds the act is material, management has not taken remedial action, and this inaction is reasonably expected to warrant a departure from a standard auditor's report or the auditor's resignation. The board then has only one day to inform the SEC of the auditor's report. If it does not, the auditor must report this to the SEC within one day, or resign, and provide the report. If the audit firm does not take direct, affirmative action on any of these steps, it can be accused of failure to follow Section 10A. The usual problem is that the audit firm simply decides, for whatever reason, not to rock the boat and demand the initial investigation, or to erroneously conclude management's investigation is sufficient. Historically, there was little chance an audit team member, particularly a junior auditor, would claim such a violation against his own audit team, for fear of retaliation. Now, there exists a substantial financial (as well as moral) incentive to do just that.

The whistleblower auditor may allege the audit firm either failed to file a required Sec. 10A report, or that the firm "failed to follow any other procedures set forth in Section 10A or professional standards." These can include any allegations against the firm, such as insider trading, independence violations "or other quality control failures that are not specific to any particular audit..." Thus, an auditor with virtually any kind of substantive problem with his firm's behavior may be a whistleblower candidate. The PCAOB has found hundreds of deficient audits in recent investigations, but this process has been shrouded in secrecy, with little scrutiny outside the enforcement team at the PCAOB. That may begin to change now.

Under the new rule, once the SEC gets a claim of an audit firm's Sec. 10A violation, it may conduct a wide review of the firm's conduct, including whether it undertook a proper investigation into the alleged illegal act by the client, and the "quality of that investigation." Both annual audits and interim reviews are subject to scrutiny in a Section 10A review by the SEC. See generally 76 Federal Register 34335.

The SEC review will cover the audit team, including the engagement partner and quality review partner, and may also include review of "foreign affiliates or specialists who are used by the engagement team." There are a myriad of ways the SEC can determine the firm has violated Section 10A. This is clearly not the kind of scrutiny an audit firm wants or needs.

Should The Auditor Become A Whistleblower?

Conventional wisdom in the audit community is that few auditors will be willing to risk their careers by becoming a whistleblower. There is, to be sure, "reputational risk" in filing a whistleblower complaint. Some factors to consider in making the decision to blow the whistle:

• How serious is the client misconduct? Do the illegal acts the client is concealing constitute a major fraud, or are they just limited to narrow situations that will probably not generate an SEC enforcement action, or one that may end up with financial penalties under the $1 million award threshold?
• How well can you document the illegal acts? Have you gathered emails, financial documents, internal reports or other "smoking guns" that can prove both the case against the client and, if necessary, the fact that your accounting firm has knowledge of the activity and has failed to take appropriate action?
• How clear are the violations? If they concern some gray, arcane area of accounting, how confident are you that your firm will be not be able to explain either its actions or the clients' based on applicable law and accounting rules under GAAP, GAAS, or otherwise?
• How well do you sleep at night? Is the matter about which you are considering reporting one that truly bothers you, and perhaps others at your firm? Don't count on getting any support from colleagues if you file a whistleblower claim, even if they privately agree with your assessment. You will in all likelihood be own your own if you move forward.
• Are there employees at the client who can corroborate your allegations? Do you have documentary evidence that others at the audit firm were aware of and concerned about the issue? Was the national office involved? Was the issue reflected in the audit workpapers? Will other members of the audit team be forthcoming if contacted by the SEC? Your claim will be more credible if you can provide the names of anyone at the company or your audit firm who will, when confronted, tell the truth.
• Have you laid the proper predicate within your firm to be able to allege a Sec. 10A violation? Have you documented your concerns expressed to superiors at the audit firm, and their responses?
• Do you have solid evidence of ongoing fraud at the company and/or obstruction of investigations? If so, you may qualify under the first two exceptions described above to go immediately to the SEC, without having to allege a Section 10A violation by your firm.
• Have you considered seeking counsel before making your complaint to the SEC? Given the complex rules that govern auditor whistleblowing, it is prudent to consult a lawyer familiar both with the securities laws and the whistleblowing rules. You can report anonymously to the SEC if you do so through counsel. The worst result is to take the plunge, burn your bridges, and later be disqualified for an award for some technical violation of the SEC rules.

The Duty Imposed on Auditors to Report Illegal Activity

During the comment period for the proposed SEC whistleblower provisions, the accounting industry referred to the professional standards that govern accountants. The Center For Audit Quality, for example, suggested that permitting whistleblowing awards to accountants "would undermine a certified public accountant's (CPA) duties of confidentiality and integrity and other ethical obligations."⁵ It is true that various state accountancy regulations, and AICPA rules, require accountants to keep their clients financial affairs confidential. Any accountant making a whistleblower complaint has to consider that they could well be in violation of such rules, although the SEC itself has taken the position that its regulations take precedence over such industry standards or state law. It is also hard to imagine an accounting firm or professional society that would retaliate against one of its members for reporting illegal activity at a public company. Such a reaction might also expose the audit firm to retaliation accusations, through a legal action by the whistleblower or an action by the SEC itself. The SEC's whistleblower office has recently announced it will give a priority to the investigation of allegations of retaliation against whistleblowers.⁶

Likewise, the accountant who possesses information possibly implicating his firm, and the firm's client, in illegal activity, is fulfilling his role as a critical gatekeeper in the auditing process. In too many recent scandals, the accountants have been identified as part of the problem. The PCAOB has noted that auditors are bound by a long list of auditing standards to report illegal activities or concerns, internally if not to outsiders. It has identified AU Sections 150, 316, 317, 508, 561 and others. GASS requires no less, see SAS 99. The troubled accountant seeking guidance on what to do with the information burdening his conscience would be well advised to review these provisions. It is often the case that the illegal activity is eventually exposed, but not by the accountants. Audit firms have paid millions to settle class actions arising from client accounting frauds.⁷ Had even one of their accountants stood up and brought the information to light, it might well have saved the firm substantial cost and reputational damage. In the case of Arthur Andersen and Enron, it might even have saved the venerable audit firm itself.

At the end of the day, an accountant who knows "something is rotten in the state of Denmark" ⁸should be proud to represent his profession by making sure the activity is brought to light, if not by his firm or the client then by his own actions as a whistleblower. And if such honesty generates a monetary award, it is well deserved. The accounting profession has a critical gatekeeper responsibility. The accountant who honors the profession by reporting illegal activity is fulfilling a trust owed, not to the firm or the client, but to shareholders and the investing public, as the United States Supreme Court has made clear:

"By certifying the public reports that collectively depict a corporation's financial status, the independent auditor assumes a public responsibility transcending any employment relationship with the client. The independent public accountant performing this special function owes ultimate allegiance to the corporation's creditors and stockholders, as well as to investing public. This "public watchdog" function demands that the accountant maintain total independence from the client at all times and requires complete fidelity to the public trust."⁹

Footnotes

1. Curiously, the analogous whistleblower rules of the CFTC (Commodities Futures Trading Commission) contain no prohibition on auditor whistleblowing. Thus auditors of companies regulated by the CFTC (such as those in the commodities and derivatives markets) may directly report original information to the CFTC and qualify to receive an award.

2. The full text of the Final Rule is available by Googling 17 C.F.R. Sec. 21F-1. The SEC's blockbuster Interpretative Release explaining the Rule is found at 76 Federal Register 34300 (June 13, 2011).

3. Rule 21F-4(b)(4)(v)(A)-(C). These exceptions also apply to engagements in which the auditor is performing internal audit services on an outsourced basis or doing a forensic audit to investigate accounting fraud or similar problems, thus potentially allowing whistleblower awards for information obtained in the course of such work.

4. Recommended reading—the speech given by the Chief Accountant of the SEC's Enforcement Division Howard Scheck to an AICPA conference in December 2011. Mr. Scheck sets out in some detail the factors his office considers in assessing a Section 10A violation. Any auditor considering a whistleblower claim against his firm, not to mention audit firm compliance officers, should read this address, available on the SEC website.

5. Letter to SEC Secretary Elizabeth Murphy from Cynthia Fornelli, Executive Director, Center for Audit Quality, December 23, 2010.

6. AU 317.23 indicates that an auditor's duty of confidentiality may not apply "if the matter affects his opinion on the financial statements." Working with an attorney, it may also be possible to arrange with the SEC that the auditor give testimony under subpoena, which can also release him from the duty of confidentiality. Id.

7. A 2009 Audit Analytics study reported that the big four accounting firms had paid out almost $6 billion in settlements over the preceding decade.

8. Hamlet, Act 1, Scene 4

9. United States v. Arthur Young and Co., 465 U.S. 805, 818 (1984).

Daniel J. Hurson is former Assistant Chief Litigation Counsel at the SEC. He practices securities enforcement and white collar defense law in his own firm in Washington D.C and also represents SEC Whistleblowers. His email is dan@hursonlaw.com. His website is http://www.hursonlaw.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.