A Roadmap for Audit Committees in Meeting the Challenges Posed by Enhanced Regulatory Scrutiny Under the Dodd-Frank Act

by Manatt, Phelps & Phillips, LLP

Audit committees must aid management in navigating an increasingly complex regulatory framework. Two recent developments arising from the passage and implementation of the Dodd-Frank Act[1] have led to further challenges for audit committees and increased the importance of their oversight role.

First, Dodd-Frank created new monetary incentives for whistleblowers and increased the breadth and scope of anti-retaliation protections for whistleblowers. Second, Dodd-Frank gave the SEC authority to initiate enforcement actions against entities and individuals that “recklessly provide substantial assistance in violation of the securities laws.” As a result, public companies and their officers and directors may be liable for securities violations of which they were unaware if the government can establish that they failed to maintain proper internal controls or to create a culture of regulatory compliance. This newsletter discusses the new regulations and their ramifications for public companies and also suggests a set of best practices for audit committees going forward.

Enhanced Whistleblower Provisions and Protections
In May 2011 the SEC adopted final rules to implement the whistleblower bounty program mandated by Section 922 of the Dodd-Frank Act.[2] Since the new measures went into effect in August 2011, the number and quality of tips the SEC has received have reportedly increased.[3] The new rules provide monetary awards for whistleblowers who voluntarily provide the SEC with original information that leads to a successful enforcement action yielding more than $1 million in sanctions. The bounty applies both to public companies and to nonpublic subsidiaries whose financials are consolidated into the parent. The amount of the award is ultimately at the Commission’s discretion, but will range anywhere from 10 to 30 percent of the total monetary sanctions collected in successful Commission and related actions.[4]

The final rules encourage, but do not mandate, that employees utilize internal compliance and reporting systems before reporting to the SEC.[5] Given the increase in monetary awards, there is a risk that whistleblowers may bypass internal reporting systems and report directly to the SEC. As a result, audit committees should ensure that management creates a protected, anonymous system (when allowed under the country’s laws where the employee and alleged malfeasor are located) for employee complaints and that it communicates to employees that reports will be taken seriously. It should be recognized, however, that such efforts may be less successful when a whistleblower has already retained outside counsel.

Dodd-Frank also enhanced anti-retaliation protections for whistleblowers. The Act prohibits the SEC from disclosing information that could reveal a whistleblower’s identity. Internal complaints constitute protected activity provided the whistleblower had a reasonable belief that the information provided related to possible securities law violations. Aggrieved employees can bring claims up to a maximum of ten years from the last retaliatory act (versus 180 days under Sarbanes-Oxley).[6] Whistleblowers who have been retaliated against can also earn double the potential damage recovery under Dodd-Frank than was previously available under Sarbanes-Oxley.[7]

SEC Enforcement Actions for “Recklessly Providing Substantial Assistance”
Perhaps Dodd-Frank’s greatest impact on the responsibilities of audit committees arose from its expansion of scienter requirements. Sections 929M-O of the Dodd-Frank Act lowered the standard for “aiding and abetting” violations of the securities laws from “knowingly providing substantial assistance” to “knowingly or recklessly providing substantial assistance” and expanded the Commission’s authority to bring aiding and abetting actions beyond the Securities and Exchange Act of 1934 to the Securities Act of 1933, the Investment Company Act and the Investment Advisers Act. Prior to Dodd-Frank the SEC had to prove that an individual had actual or constructive knowledge of the securities violation. Now the SEC need prove only that the individual acted recklessly.[8] Recklessness has been defined by the courts as “highly unreasonable [conduct], involving not merely simple, or even inexcusable negligence, but an extreme departure from the standards of ordinary care, and which presents a danger of misleading buyers or sellers that is either known to the defendant or is so obvious that the actor must have been aware of it.”[9] This should make it easier for the Commission to bring aiding and abetting actions in the future. These changes might be particularly significant for audit committees, given their responsibility for assessing risk management and compliance.

At present there is no private right of action for aiding and abetting another in violation of the securities laws; however, that may change, as Section 929Z(a) of the Dodd-Frank Act provided that the “Comptroller General of the United States shall conduct a study on the impact of authorizing a private right of action against any person who aids or abets another person in violation of the securities laws.”

In light of this new standard, audit committees of public companies should ensure that procedures and systems are in place to guard against reckless securities violations. Here are some recommendations:


Recommended Best Practices for Audit Committees


  • Ensure members’ independence, lack of conflicts, and financial expertise.
  • Perform rigorous self and peer evaluations.

Monitoring the Effectiveness of Internal Controls/Internal Audit Process

  • Ensure that the company has a robust internal audit function.
  • Critically challenge reports from management about the company’s processes and internal controls.
  • Discuss the evaluation of and response to any control deficiencies with auditors and management.

Oversight of Financial Reporting/Accounting

  • Ensure the accuracy of the company’s financial statements.
  • Discuss with management and auditors the timing and nature of disclosures.
  • Look for any inconsistencies in the company’s financials to determine when restatements may be warranted.

Oversight of External Auditor

  • Ensure the qualifications and independence of the company’s outside auditor.
  • Consult with the outside auditor to ensure appropriate testing.
  • Review company financials with the outside auditor to understand them in detail. 

Oversight of Regulatory/Legal Compliance

  • Ensure the company’s compliance with legal and regulatory requirements in the U.S. and abroad.
  • Emphasize the importance of an appropriate “tone at the top” regarding compliance.
  • Consider splitting the legal and compliance functions and, under any circumstances, ensure that the Chief Compliance Officer reports directly to the Board or the Audit Committee.
  • Review business codes of conduct. 
  • Review incentives for reporting.
  • Keep appropriately translated compliance materials up to date and accessible to all employees.
  • Ensure employees receive frequent training on compliance with applicable laws, including the FCPA.

Ensure Reporting and Investigation of Allegations of Misconduct

  • With Chief Compliance Officer, develop policies and procedures for confidential reporting of allegations of misconduct through a well-publicized “hotline.”
  • Ensure that allegations reach senior leadership in a timely fashion.
  • Regularly review management’s response to allegations. 
  • Triage allegations so that those requiring more time are handled first. A company has 120 days before an employee can report to the SEC without losing his or her “first in line” status as a whistleblower.
  • Conduct thorough investigations in response to allegations, but not at the expense of implementing timely remedial action to correct any problems. 
  • Use outside counsel if the allegations involve senior management.
  • Use outside counsel to preserve and collect documents and conduct employee interviews.
  • Allow outside counsel to determine what other third parties (e.g., investigators, forensic accountants, e-discovery vendors) should be retained.
  • Protect the company’s privilege when interacting with the SEC or law enforcement agencies (courts do not always honor limited waiver agreements entered into with the government). Carefully define the scope of communication to the Commission and guard against unauthorized disclosures of privileged information or attorney work product.

Oversight of Risk Management

  • Educate senior officers and country managers as to potential whistleblower signs (e.g., criticism regarding third-party relationships, requests for closed files, questions regarding company procedures as well as applicable foreign laws).
  • Foster information sharing among risk management personnel, and ensure that this information is regularly presented to the Audit Committee.
  • Ensure segment reporting when appropriate, and require a closer look at any region that has a significant shift in sales volume.
  • Encourage management to perform due diligence in advance of hiring third parties. Particularly for those operating abroad, ask for representations regarding third parties’ compliance/internal control procedures, provide third parties with summaries of applicable company policies, and train third parties in key compliance areas.
  • Ensure that a thorough due diligence assessment, including anticorruption, is conducted before any foreign acquisition.
  • Review and revise, if necessary, the policies of newly acquired companies (particularly those from countries that are low on the Transparency International Corruption Perceptions Index).[10]

Remember, “an ounce of prevention is worth a pound of cure.” Furthermore, even if these measures are not completely successful in preventing violations, the Department of Justice’s Principles of Federal Prosecution of Business Organizations gives significant weight to robust compliance programs in determining whether a prosecution is appropriate.[11] In addition, even when the DOJ decides that prosecution is appropriate, the U.S. Sentencing Guidelines provide for a reduction in penalties if the company had in place an “effective compliance and ethics program” that was well-publicized, monitored by the company’s Board and contained anti-retaliation provisions for whistleblowers.[12]

1. Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111–203 (2010), was enacted on July 21, 2010 in order to address oversight and supervision of financial institutions and to enhance corporate governance and whistleblower provisions.

2. See SEC Final Rules, 17 C.F.R. §§ 240.21F-1—240.21F-17 (2011), publicly available at http://www.sec.gov/rules/final/2011/34-64545.pdf.

3. See Speech by Sean McKessy, Chief, Office of the Whistleblower (Aug. 11, 2011), publicly available at http://www.sec.gov/news/speech/2011/spch081111sxm.htm.

4. See SEC Final Rule, 17 C.F.R. § 240.21F-5 (2011).

5. For example, see SEC Final Rule, 17 C.F.R. § 240.21F-6(a)(4) (2011), listing participation in internal compliance programs as one factor the Commission may consider in increasing the amount of the whistleblower's award.

6. See Kramer v. Trans-Lux Corp., 3:11CV1424 SRU, 2012 WL 4444820 (D. Conn. Sept. 25, 2012).

7. See 15 U.S.C. § 78u-6(h)(1)(C) (2010).

8. See 15 U.S.C. § 78t(e) (2010).

9. Hollinger v. Titan Capital Corp., 914 F.2d 1564, 1569 (9th Cir. 1990), quoting Franke v. Midwestern Oklahoma Dev. Auth., 428 F. Supp. 719, 725 (W.D. Okla. 1976).

10. The Corruption Perceptions Index for 2012 is publicly available at http://www.transparency.org/cpi2012/results.

11. See United States Attorney's Manual, 9-28.800.

12. See U.S.S.G. § 8C2.5(f)(1).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising
