Considering Internal Whistleblower Systems When Evaluating External Risk

Whistleblowers can serve as an integral component for identifying and stopping securities fraud. According to PricewaterhouseCooper’s 2016 Global Economic Crime Survey, 33% of suspicious activity was identified by internal reporting from staff and an additional 10% of suspicious activity was identified by tip-offs or leads from a Financial Crime Intelligence Unit.

In 2010, the Dodd-Frank Act amended the Exchange Act, establishing Section 21F “Securities Whistleblower Incentives and Protection” and in 2012, the SEC formed the Office of the Whistleblower. Under the policy, the SEC can give monetary rewards to individuals who voluntarily provide original information leading to a successful SEC enforcement action that also results in monetary sanctions exceeding $1 million.

The amount of money rewarded and the volume of tips has increased since the policy’s inception, with the SEC awarding “more dollars in FY 2018 to meritorious whistleblowers who provided new and critical information than in all prior years combined.” Just recently, on June 3, 2019, the SEC awarded $3 million to individuals that exposed an alleged securities law violation.

With a potential monetary incentive for whistleblowers to report misconduct to the SEC – misconduct that could potentially lead to regulatory fines and litigation for the company – companies may have increased motivation to bolster their own internal whistleblowing programs.

Section 301 of SOX requires audit committees of issuers listed on U.S. exchanges to establish procedures for employee complaints regarding accounting, internal controls, or auditing matters. Additionally, procedures must be established for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters.

However, do all companies comply with Section 301? According to data by Audit Analytics, since 2008, 244 SEC registrants have identified a missing or inadequate whistleblower policy or ethics hotline as a material weakness in controls. There have been recent SEC Enforcement Actions related to a lack of effective controls and unremediated material weakness, suggesting that companies should take steps to remediate issues with their controls, including establishing a whistleblower policy if necessary.

A recent academic article, Evidence on the Use and Efficacy of Internal Whistleblowing Systems composed by Stephen R. Stubben [University of Utah] and Kyle T. Welch [George Washington University], has found that, despite the SOX requirement for U.S. public firms to establish an internal whistleblower system, there is substantial variation in how the systems are used. The researchers looked at differences among the types of individuals making reports, the amount of detail provided, management’s review of the reports, and the overall outcomes. A unique attribute studied by the researchers is how the use of internal whistleblower systems can affect the amount of incurred fines and litigation costs.

The paper looked at nearly two million whistleblower reports gathered from NAVEX Global for 1,000 public companies. The researchers analyzed the association between internal whistleblower report volume and outcomes involving government and lawsuits. The study found counterintuitive results: a higher internal whistleblower report volume is associated with fewer government fines, fewer material lawsuits, and lower legal settlement amounts.

The researchers propose that the overall number of reports seem to help managers gain insight into internal problems, thus allowing them an opportunity to rectify the problem before it escalates into a situation that would result in a government fine or material litigation. Therefore, having more internal reports is not necessarily an indication of more problems.

Other findings from the paper provide characteristics of companies that are most likely to have active use of their internal whistleblower reporting, including more profitable firms with a strong corporate governance and multiple geographic reporting segments.

Considering these findings, evaluating a firm’s internal whistleblower system may be an important point to consider when evaluating risk for future fines or litigation. While Section 301 only requires an internal reporting process for accounting or audit-related events, many companies use their internal whistleblower for a variety of issues, including human resources complaints and workplace safety concerns.

Importance of Internal Whistleblowing Systems

Recent events at MiMedx Group, Inc. [MDXG] bring awareness to the importance of internal reporting capabilities.

In November 2016, whistleblowers at MiMedx submitted a report to corporate officials regarding illegal “channel stuffing” revenue recognition practices. MiMedx denied the allegations and proceeded to sue the two employees. The whistleblowers subsequently filed a lawsuit against the Company after experiencing retaliation from management.

It was later determined, through an extensive internal investigation, that misconduct had indeed occurred at the Company and a restatement of financial statements was necessary to correct the errors. MiMedx is currently under investigation by both the SEC and the Department of Justice.

It is impossible to know at this time the costs that MiMedx has incurred in association with the lengthy internal investigation, lawsuits, and related legal costs or regulatory fines, as the Company has not filed a quarterly or annual report with the SEC since the period ended September 30, 2017. However, at that time, MiMedx disclosed “litigation costs tied to general and patent litigation were at $3.5 million for the quarter as compared to $1.2 million in the prior year”, suggesting a further increase in litigation costs could be disclosed when the Company files its reports.  

MiMedx is obviously an extreme example, but according to results from the paper, would the unethical behavior have been addressed before it escalated?  Findings from the paper suggest that a report of illegal revenue recognition practices is more likely to be reviewed than other types of reports, as accounting-related reports, reports of retaliation and reports that allege management involvement were found to be reviewed more frequently than other types of reports, such as human resource complaints.  

Under different circumstances, the whistleblowers at MiMedx could have used an internal reporting system that brought attention to the issue and misconduct, potentially mitigating some of the financial harm.

In conclusion, an important takeaway from the paper is that a high volume of internal feedback through whistleblower systems is not necessarily indicative of more problems. Instead, it indicates an effort by management to resolve issues prior to escalation. However, a formal whistleblower policy or hotline does not by itself provide assurance that the policy is effective for the early detection of issues within a company.  

Audit Analytics’s Litigation Database provides analysis and breakdown of all federal securities class action claims, SEC actions and material federal civil litigation.

Audit Analytics has become an integral part of the public company archival accounting research community. Cited in numerous scholarly papers, Audit Analytics is seen as one of the best resources for research and data. We are proud to contribute to the cutting-edge research that seeks to improve the quality of financial reporting.

For more information please contact us at or (508) 476-7007.