and Good Governance
Policies for Universities, Government Entities,
and Nonprofit Organizations
By Tim V. Eaton and Michael D. Akers
JUNE 2007 -
The Sarbanes-Oxley Act of 2002 (SOX) has forever changed corporate
governance for publicly held corporations. Recent data suggest that
the costs of compliance with the provisions of SOX can be very significant.
Because these mandated requirements apply almost exclusively to
publicly held corporations, some companies have cited the high costs
of SOX compliance as a rationale for going private. After all, SOX
was developed in response to high-profile corporate scandals that
included Enron, WorldCom, and Tyco, and was not designed to address
problems in other sectors. Unfortunately, problems in corporate
governance are not unique to public corporations.
in the Government and Nonprofit Sectors
exist in the government and nonprofit sectors just as they do
in the corporate sector. Recent alleged problems at the World
Bank (reported in U.S. News and World Report) include
kickbacks, payoffs, bribery, embezzlement (a midlevel manager
took over $2 million), and collusive bidding.
to EthicsPoint, a leading provider of technology-based governance,
risk, and compliance services, more than 20 separate states’
attorneys general have launched 30 investigations into nonprofits
all over the United States. In 2002, the United Way scandal (where
a director took funds through questionable payments and other
executives charged the organization for personal expenses) came
to the public’s attention. Its aftermath has had a dramatic
impact on fundraising. The Washington Post reported that
the United Way’s fall fundraising drive had dropped from
a high of $90 million in 2001 to $19 million in 2004. Other
notable nonprofit organizations such as the American Red Cross
and the Nature Conservancy have also had to deal with scandals
and the resulting negative impacts. The Red Cross had funds stolen
and additional bonuses taken because of poor internal controls.
The Nature Conservancy encountered problems when the organization
engaged in inappropriate business and real estate transactions
with its trustees.
are not immune from scandals. Scandals such as that involving
presidential spending at American University often relate to the
misuse of athletic, research, or university funds. As part of
the termination decision, American University’s board of
trustees asked its former president to reimburse the institution
$125,000 for personal expenses as well as authorize the audit
committee to disclose $398,000 in unreported taxable income. Because
of the increasing prevalence and publicizing of these incidents,
many government and nonprofit entities are not only more aware
of SOX, but have already begun the process of implementing certain
provisions of SOX within their organizations.
to a 2004 Grant Thornton study, nearly half of nonprofits have
made corporate governance policy changes in the wake of SOX. The
study highlights the following statement from Grant Thornton’s
Larry Ladd: “Many not-for-profits believed that Sarbanes-Oxley
was a passing fad or bubble. Today, however, awareness of the
act and actions based on the provisions of Sarbanes-Oxley are
on the rise. Board members and regulators are now pressing for
costs of implementing the provisions of SOX are unquestionably
high, certain provisions do have significant benefits. These beneficial
components can be selectively applied by noncorporate entities
to provide good organizational governance and reduce the potential
for fraudulent activity. Additionally, all organizations should
consider that failure to respond appropriately today could lead
to potential disaster in the future. The consequences may include
not only the loss of funds but also the high-profile negative
publicity that can severely damage an organization’s reputation.
component of SOX that is particularly applicable to noncorporate
organizations is whistleblowing, the act of reporting wrongdoing
to another party. At the time of the Grant Thornton study, only
29% of nonprofits had a whistleblower policy in place. Organizations
of all kinds should better understand what whistleblowing is,
what the components of a whistleblowing policy are, and where
to turn for more information.
can be defined in a number of ways. In its simplest form, whistleblowing
involves the act of reporting wrongdoing within an organization
to internal or external parties. Internal whistleblowing entails
reporting the information to a source within the organization.
External whistleblowing occurs when the whistleblower takes the
information outside the organization, such as to the media or
regulators. Establishment of a clear and specific definition of
whistleblowing itself should be a fundamental component of every
have garnered attention recently due to the worldwide media exposure
of recent accounting scandals. In 2002, Time magazine
named whistleblowers Cynthia Cooper of WorldCom, Sherron Watkins
of Enron, and Coleen Rowley of the FBI as its “Persons of
the Year.” While the first two individuals are well known
and involve financial scandals, Rowley’s whistleblowing
was a noncorporate case but with very serious ramifications involving
lapses in the intelligence community in the weeks prior to the
September 11, 2001, terrorist attacks.
of whistleblowing go back well over a century. In fact, whistleblowing
initially arose not in connection with corporate malfeasance,
but in the federal government’s False Claims Act.
The False Claims Act’s influence. The False
Claims Act was established to offer incentives to individuals
who reported companies or individuals defrauding the government.
It was introduced by Abraham Lincoln in 1863 to target sales of
fake gunpowder to the Union during the Civil War. In 1986, the
False Claims Act was brought back and Congress added antiretaliation
protections. The Act also specifies that the whistleblower can
share in up to 30% of the proceeds of the lawsuit. According to
the Taxpayers Against Fraud (TAF) False Claims Act Legal Center
this Act has resulted in more than $17 billion dollars of recoveries
for the U.S. government since 1986. Major nonprofits that have
paid large settlements in recent years include major universities
and government entities (see www.taf.org/top100fca.htm
for a comprehensive list of the largest claims). Financial rewards
to whistleblowers can, however, create an incentive to report
bogus false claims. The Act imposes monetary penalties on bogus
and 1994: The Whistleblower Protection Act. Under
the Whistleblower Protection Act, passed in 1989 and amended in
1994, federal employees are protected from workplace retaliation
when disclosing waste and fraud. The purpose of the Act and subsequent
amendments was to strengthen the protections available to federal
employees. Congress has considered reforms that would overhaul
the act and enhance protections for federal employees who expose
fraudulent activity, waste, and threats to public safety. Such
legislation was debated last year, and in 2007, the House of Representatives
approved the Whistleblower Protection Enhancement Act, which overhauls
federal whistleblower law.
SOX requirements. In addition to the changing attitude
toward whistleblowing, changes in laws and rights related to whistleblowing
have followed. SOX provides an example of how publicly traded
companies have been required to reshape their businesses and their
attitudes toward workplace crime. Sections 806, 301, and 1107
of SOX provide additional guidance for whistleblowing.
extends protection to employees of publicly traded companies who
report fraud to any federal regulatory or law enforcement agency,
any member or committee of Congress, or any person with supervisory
authority over the employee. This regulation states that whistleblowers
who provide information or assist in an investigation of violations
of any federal law relating to fraud against shareholders or any
SEC rule or regulation are protected from any form of retaliation
by any officer, employee, contractor, subcontractor, or agent
of the company. Employees who are retaliated against will be “entitled
to all relief necessary to make the employee whole” (SOX
section 806), including compensatory damages of back pay, reinstatement
of proper position, and compensation for litigation costs, expert
witness fees, and attorney fees.
requires audit committees to take a role in whistleblowing and
reducing corporate fraud. Section 301, amending the Securities
Exchange Act of 1934, compels audit committees to develop reporting
mechanisms for the recording, tracking, and acting on information
provided by employees anonymously and confidentially. By mandating
policies and protection for reporting wrongdoing, the SOX standards
go beyond merely encouraging companies to be more responsive to
In SOX section
1107, the reach of whistleblowing policies extends beyond public
corporations. This section extends protection to any person who
reports to a law enforcement officer information related to a
violation of a federal law. These whistleblowers are protected
from any retaliation by the offender. A violator may be fined
and imprisoned for up to 10 years.
Supreme Court decision. In May 2006, the Supreme
Court ruled in Garcetti v. Ceballos that whistleblowers
who make statements while performing their jobs may not be constitutionally
protected. Richard Ceballos, a supervising deputy attorney, was
asked by defense counsel to review a case where defense counsel
claimed the affidavit used by the police to obtain a search warrant
was inaccurate. Ceballos concluded upon his review that there
were significant misrepresentations in the affidavit, and he communicated
his findings in a memo to his supervisors, the petitioners, and
the trial court. Ceballos later claimed that the petitioners retaliated
against him for his memo. Reversing the ruling of the Ninth Circuit
Court of Appeals, the Supreme Court found that the memo was not
protected because Ceballos wrote it while performing his employment
duties. Congress has approved
legislation (the Senate approved an amendment to the 2007 National
Defense Authorization Act and the House approved the Whistleblower
Protection Enhancement Act) that addresses the possible ramifications
of this decision. A complete description of this case can be found
Implement a Whistleblower Policy?
including universities, governmental entities, and nonprofits,
should consider implementing whistleblowing provisions. Consider
these important facts from the Association of Certified Fraud
Examiners’ 2006 “Report to the Nation on Occupational
Fraud and Abus”:
than $600 billion in annual losses is attributed to fraud.
reporting mechanisms are the antifraud measure with the greatest
impact on reducing losses: Companies with anonymous reporting
mechanisms reported median losses of $100,000, while those without
reported median losses of $200,000.
from employees, customers, and vendors and anonymous tips account
- 34% of
the detection of all fraudulent activity;
- 34% of
the detection of fraudulent activity for not-for-profit organizations;
of the detection of fraudulent activity for government agencies;
- 48% of
the detection of owner/executive fraud schemes.
on internal controls was recommended to the corporate community
in the late 1970s, but it took the large scandals (such as Enron)
for the SOX legislation to impose such reporting. Recent legislation
in California (California’s Nonprofit Integrity Act of 2004)
and proposed legislation in other states suggest that nonprofit
organizations should consider “best practice” governance
policies and mechanisms similar to the provisions of SOX, as doing
so may prepare them for future legislative requirements.
indicate that many nonprofit organizations would be categorized
as small businesses. Most small businesses struggle with an appropriate
level of segregation of duties, making a whistleblower policy
a good mitigating control. A whistleblower policy and effective
enforcement has the potential not only to significantly reduce
fraudulent activity but also to send a signal to both internal
and external constituencies that the organization exercises good
corporate governance. Just as corporations must answer to shareholders,
universities, government entities, and nonprofit organizations
must answer to the public regarding the stewardship of resources.
agree with the commentary in The CPA Journal (Mary-Jo
Kranacher, “Whistleblowing: The Devil in the Details,”
July 2006) that whistleblowing can significantly affect a whistleblower’s
life and livelihood. The authors believe that the potentially
huge personal impact whistleblowing can have on individual whistleblowers
means there is an even greater need for organizations to develop
clear whistleblower policies.
organizations associated with universities, government entities,
or nonprofit organizations have recognized certain mechanisms
as a best practice and recommend that their constituents implement
whistleblower polices. The following are a few examples.
Association of College and University Business Officers. NACUBO
provided whistleblowing guidelines in its Advisory Report 2003-3,
“The Sarbanes-Oxley Act of 2002: Recommendations for Higher
Education.” Although SOX is not required for colleges and
universities, NACUBO’s recommendations are based on SOX
section 301. NACUBO Advisory Report 2003-3 states:
recommends that institutions publicize the complaint mechanism
and have it periodically reviewed by the audit committee. Institutions
could incorporate the complaint mechanism within existing human
resource communication policies. Colleges and universities should
also consider establishing hot lines, anonymous voicemail, and
anonymous e-mail or secure suggestion drop boxes to facilitate
the complaint process. Regardless of the specific mechanisms
selected, there should be a process for communicating with employees,
receiving information, and addressing identified concerns.
and Independent Sector. BoardSource (formerly the
National Center for Nonprofit Boards) and Independent Sector (a
leadership foundation for charities, foundations, and corporate
giving programs) published a joint report, “The Sarbanes-Oxley
Act and Implications for Nonprofit Organizations.” It overviews
the SOX provisions and makes several recommendations to nonprofits,
such as the following:
must develop, adopt, and disclose a formal process to deal with
complaints and prevent retaliation. Nonprofit leaders must take
any employee and volunteer complaints seriously, investigate
the situation, and fix any problems or justify why corrections
are not necessary.
Council of Nonprofit Associations. The NCNA, a network
of state and regional nonprofit organizations, developed a sample
whistleblower policy for use by small and mid-sized nonprofits.
The sample policy covers the following areas: responsibility for
reporting violations, preventing retaliation against whistleblowers,
methods for reporting violations, the compliance officer’s
duties, applicable areas of complaints and those responsible for
addressing them, the involvement of the audit committee in complaints
involving internal controls and auditing, the treatment of malicious
or false allegations, confidentiality, and procedures for acknowledging
a Whistleblower Policy
policy may be drafted and implemented by management, but it should
then be submitted to the audit committee or board of directors.
The foundation of any whistleblower policy is a clear and specific
definition of whistleblowing. Other key aspects of a whistleblower
policy include the following:
definition of individuals covered by the policy.
A whistleblower policy should cover individuals within the organization
as well as external parties who conduct business with the organization.
For example, for a university, those covered could include faculty,
staff, student employees, vendors, and customers.
provisions. Whistleblower policies should prevent
discrimination or retaliation against employees who report problems.
Policies should also include methods to encourage employees,
vendors, customers, and shareholders to report evidence of fraudulent
activities. In addition, a whistleblower policy should include
a disclaimer that anyone filing a claim must have reasonable
belief that an issue exists and act in good faith.
Protecting whistleblowers’ confidentiality is an important
part of any whistleblower policy. Confidentiality is of great
concern because the goal is to create an atmosphere where employees
will feel comfortable submitting their names with claims to
allow for further questioning and investigation. Allowing employees
to file anonymous claims may increase the possibility of claims
actually being reported; however, it may also increase the possibility
of false claims being filed. The policy should explain how the
claims will be investigated once received and whether the employee
should expect to receive any feedback.
A whistleblower policy needs to address the process employees
should follow in filing their claims. Organizations may require
whistleblowers to direct their claims to a certain person, such
as a compliance officer, or, alternatively, to follow a ladder
of reporting until they reach the top of management. The latter
helps ensure that the employee addresses the claim with a supervisor
before heading straight to the CEO or an external party. Specific
reporting mechanisms within the process could include telephone
or e-mail hotlines, websites, or suggestion boxes.
A whistleblower policy cannot be effective unless it is communicated
to employees, vendors, customers, and shareholders. Employees
can be informed through employee handbooks. Training could be
provided internally during the human resources orientation process
or by an outside party. Information can be posted throughout
the company and on intranet sites. Customer service representatives
can be trained to answer questions about the whistleblower policy.
of the whistleblower policy, the organization should develop implementation
and enforcement mechanisms that are consistent with the policy.
Although the first step—creating an environment where a
whistleblower will report problems that exist—is the crucial
one, to be fully effective a whistleblower policy must be consistently
implemented, claims investigated and evaluated, and proper enforcement
taken when necessary.
of this article is to increase awareness of the need for whistleblower
policies for universities, governmental entities, and nonprofit
organizations. Important components of these policies have been
introduced above, but organizations should do additional research
before adopting their final policies. Those wishing to develop
a whistleblower policy can consult the actual text of SOX, examine
the sample whistleblower policy from the National Council of Nonprofit
Associations (see www.ncna.org),
and look at actual policies developed by other organizations.
The Sidebars provide information to help begin the process.
here to view Sidebar 1.
here to view Sidebar 2.
V. Eaton, PhD, CPA, is an associate professor of accountancy
at Miami University, Oxford, Ohio.
Michael D. Akers, PhD, CPA, CMA, CFE, CIA, CBM,
is the Charles T. Horngren Professor of Accounting and chair of
the department of accounting at Marquette University, Milwaukee,