Whistleblowing and Good Governance
Policies for Universities, Government Entities, and Nonprofit Organizations

By Tim V. Eaton and Michael D. Akers

JUNE 2007 - The Sarbanes-Oxley Act of 2002 (SOX) has forever changed corporate governance for publicly held corporations. Recent data suggest that the costs of compliance with the provisions of SOX can be very significant. Because these mandated requirements apply almost exclusively to publicly held corporations, some companies have cited the high costs of SOX compliance as a rationale for going private. After all, SOX was developed in response to high-profile corporate scandals that included Enron, WorldCom, and Tyco, and was not designed to address problems in other sectors. Unfortunately, problems in corporate governance are not unique to public corporations.

Problems in the Government and Nonprofit Sectors

Problems exist in the government and nonprofit sectors just as they do in the corporate sector. Recent alleged problems at the World Bank (reported in U.S. News and World Report) include kickbacks, payoffs, bribery, embezzlement (a midlevel manager took over $2 million), and collusive bidding.

According to EthicsPoint, a leading provider of technology-based governance, risk, and compliance services, more than 20 separate states’ attorneys general have launched 30 investigations into nonprofits all over the United States. In 2002, the United Way scandal (where a director took funds through questionable payments and other executives charged the organization for personal expenses) came to the public’s attention. Its aftermath has had a dramatic impact on fundraising. The Washington Post reported that the United Way’s fall fundraising drive had dropped from a high of $90 million in 2001 to $19 million in 2004. Other notable nonprofit organizations such as the American Red Cross and the Nature Conservancy have also had to deal with scandals and the resulting negative impacts. The Red Cross had funds stolen and additional bonuses taken because of poor internal controls. The Nature Conservancy encountered problems when the organization engaged in inappropriate business and real estate transactions with its trustees.

Even universities are not immune from scandals. Scandals such as that involving presidential spending at American University often relate to the misuse of athletic, research, or university funds. As part of the termination decision, American University’s board of trustees asked its former president to reimburse the institution $125,000 for personal expenses as well as authorize the audit committee to disclose $398,000 in unreported taxable income. Because of the increasing prevalence and publicizing of these incidents, many government and nonprofit entities are not only more aware of SOX, but have already begun the process of implementing certain provisions of SOX within their organizations.

According to a 2004 Grant Thornton study, nearly half of nonprofits have made corporate governance policy changes in the wake of SOX. The study highlights the following statement from Grant Thornton’s Larry Ladd: “Many not-for-profits believed that Sarbanes-Oxley was a passing fad or bubble. Today, however, awareness of the act and actions based on the provisions of Sarbanes-Oxley are on the rise. Board members and regulators are now pressing for reform.”

While the costs of implementing the provisions of SOX are unquestionably high, certain provisions do have significant benefits. These beneficial components can be selectively applied by noncorporate entities to provide good organizational governance and reduce the potential for fraudulent activity. Additionally, all organizations should consider that failure to respond appropriately today could lead to potential disaster in the future. The consequences may include not only the loss of funds but also the high-profile negative publicity that can severely damage an organization’s reputation.

One specific component of SOX that is particularly applicable to noncorporate organizations is whistleblowing, the act of reporting wrongdoing to another party. At the time of the Grant Thornton study, only 29% of nonprofits had a whistleblower policy in place. Organizations of all kinds should better understand what whistleblowing is, what the components of a whistleblowing policy are, and where to turn for more information.

What Is Whistleblowing?

Whistleblowing can be defined in a number of ways. In its simplest form, whistleblowing involves the act of reporting wrongdoing within an organization to internal or external parties. Internal whistleblowing entails reporting the information to a source within the organization. External whistleblowing occurs when the whistleblower takes the information outside the organization, such as to the media or regulators. Establishment of a clear and specific definition of whistleblowing itself should be a fundamental component of every whistleblower policy.

Whistleblowers have garnered attention recently due to the worldwide media exposure of recent accounting scandals. In 2002, Time magazine named whistleblowers Cynthia Cooper of WorldCom, Sherron Watkins of Enron, and Coleen Rowley of the FBI as its “Persons of the Year.” While the first two individuals are well known and involve financial scandals, Rowley’s whistleblowing was a noncorporate case but with very serious ramifications involving lapses in the intelligence community in the weeks prior to the September 11, 2001, terrorist attacks.

Legislative History

The origins of whistleblowing go back well over a century. In fact, whistleblowing initially arose not in connection with corporate malfeasance, but in the federal government’s False Claims Act.

1863: The False Claims Act’s influence. The False Claims Act was established to offer incentives to individuals who reported companies or individuals defrauding the government. It was introduced by Abraham Lincoln in 1863 to target sales of fake gunpowder to the Union during the Civil War. In 1986, the False Claims Act was brought back and Congress added antiretaliation protections. The Act also specifies that the whistleblower can share in up to 30% of the proceeds of the lawsuit. According to the Taxpayers Against Fraud (TAF) False Claims Act Legal Center, this Act has resulted in more than $17 billion of recoveries for the U.S. government since 1986. Major nonprofits that have paid large settlements in recent years include major universities and government entities (see for a comprehensive list of the largest claims). Financial rewards to whistleblowers can, however, create an incentive to report bogus false claims. The Act imposes monetary penalties on bogus whistleblowers.

1989 and 1994: The Whistleblower Protection Act. Under the Whistleblower Protection Act, passed in 1989 and amended in 1994, federal employees are protected from workplace retaliation when disclosing waste and fraud. The purpose of the Act and subsequent amendments was to strengthen the protections available to federal employees. Congress has considered reforms that would overhaul the act and enhance protections for federal employees who expose fraudulent activity, waste, and threats to public safety. Such legislation was debated last year, and in 2007, the House of Representatives approved the Whistleblower Protection Enhancement Act, which overhauls federal whistleblower law.

2002: SOX requirements. In addition to the changing attitude toward whistleblowing, changes in laws and rights related to whistleblowing have followed. SOX provides an example of how publicly traded companies have been required to reshape their businesses and their attitudes toward workplace crime. Sections 806, 301, and 1107 of SOX provide additional guidance for whistleblowing.

Section 806 extends protection to employees of publicly traded companies who report fraud to any federal regulatory or law enforcement agency, any member or committee of Congress, or any person with supervisory authority over the employee. This regulation states that whistleblowers who provide information or assist in an investigation of violations of any federal law relating to fraud against shareholders or any SEC rule or regulation are protected from any form of retaliation by any officer, employee, contractor, subcontractor, or agent of the company. Employees who are retaliated against will be “entitled to all relief necessary to make the employee whole” (SOX section 806), including compensatory damages of back pay, reinstatement of proper position, and compensation for litigation costs, expert witness fees, and attorney fees.

SOX also requires audit committees to take a role in whistleblowing and reducing corporate fraud. Section 301, amending the Securities Exchange Act of 1934, compels audit committees to develop reporting mechanisms for the recording, tracking, and acting on information provided by employees anonymously and confidentially. By mandating policies and protection for reporting wrongdoing, the SOX standards go beyond merely encouraging companies to be more responsive to employee whistleblowers.

In SOX section 1107, the reach of whistleblowing policies extends beyond public corporations. This section extends protection to any person who reports to a law enforcement officer information related to a violation of a federal law. These whistleblowers are protected from any retaliation by the offender. A violator may be fined and imprisoned for up to 10 years.

2006: Supreme Court decision. In May 2006, the Supreme Court ruled in Garcetti v. Ceballos that whistleblowers who make statements while performing their jobs may not be constitutionally protected. Richard Ceballos, a supervising deputy attorney, was asked by defense counsel to review a case where defense counsel claimed the affidavit used by the police to obtain a search warrant was inaccurate. Ceballos concluded upon his review that there were significant misrepresentations in the affidavit, and he communicated his findings in a memo to his supervisors, the petitioners, and the trial court. Ceballos later claimed that the petitioners retaliated against him for his memo. Reversing the ruling of the Ninth Circuit Court of Appeals, the Supreme Court found that the memo was not protected because Ceballos wrote it while performing his employment duties. Congress has approved legislation (the Senate approved an amendment to the 2007 National Defense Authorization Act and the House approved the Whistleblower Protection Enhancement Act) that addresses the possible ramifications of this decision.

Why Implement a Whistleblower Policy?

All organizations, including universities, governmental entities, and nonprofits, should consider implementing whistleblowing provisions. Consider these important facts from the Association of Certified Fraud Examiners’ 2006 “Report to the Nation on Occupational Fraud and Abuse”:

  • More than $600 billion in annual losses is attributed to fraud.
  • Anonymous reporting mechanisms are the antifraud measure with the greatest impact on reducing losses: Companies with anonymous reporting mechanisms reported median losses of $100,000, while those without reported median losses of $200,000.
  • Tips from employees, customers, and vendors and anonymous tips account for:
      • 34% of the detection of all fraudulent activity;
      • 34% of the detection of fraudulent activity for not-for-profit organizations;
      • 39.7% of the detection of fraudulent activity for government agencies; and
      • 48% of the detection of owner/executive fraud schemes.

Reporting on internal controls was recommended to the corporate community in the late 1970s, but it took the large scandals (such as Enron) for the SOX legislation to impose such reporting. Recent legislation in California (California’s Nonprofit Integrity Act of 2004) and proposed legislation in other states suggest that nonprofit organizations should consider “best practice” governance policies and mechanisms similar to the provisions of SOX, as doing so may prepare them for future legislative requirements.

IRS data indicate that many nonprofit organizations would be categorized as small businesses. Most small businesses struggle with an appropriate level of segregation of duties, making a whistleblower policy a good mitigating control. A whistleblower policy and effective enforcement have the potential not only to significantly reduce fraudulent activity but also to send a signal to both internal and external constituencies that the organization exercises good corporate governance. Just as corporations must answer to shareholders, universities, government entities, and nonprofit organizations must answer to the public regarding the stewardship of resources.

The authors agree with the commentary in The CPA Journal (Mary-Jo Kranacher, “Whistleblowing: The Devil in the Details,” July 2006) that whistleblowing can significantly affect a whistleblower’s life and livelihood. The authors believe that the potentially huge personal impact whistleblowing can have on individual whistleblowers means there is an even greater need for organizations to develop clear whistleblower policies.

Best Practices

Many professional organizations associated with universities, government entities, or nonprofit organizations have recognized certain mechanisms as a best practice and recommend that their constituents implement whistleblower policies. The following are a few examples.

National Association of College and University Business Officers. NACUBO provided whistleblowing guidelines in its Advisory Report 2003-3, “The Sarbanes-Oxley Act of 2002: Recommendations for Higher Education.” Although SOX is not required for colleges and universities, NACUBO’s recommendations are based on SOX section 301. NACUBO Advisory Report 2003-3 states:

NACUBO recommends that institutions publicize the complaint mechanism and have it periodically reviewed by the audit committee. Institutions could incorporate the complaint mechanism within existing human resource communication policies. Colleges and universities should also consider establishing hot lines, anonymous voicemail, and anonymous e-mail or secure suggestion drop boxes to facilitate the complaint process. Regardless of the specific mechanisms selected, there should be a process for communicating with employees, receiving information, and addressing identified concerns.

BoardSource and Independent Sector. BoardSource (formerly the National Center for Nonprofit Boards) and Independent Sector (a leadership foundation for charities, foundations, and corporate giving programs) published a joint report, “The Sarbanes-Oxley Act and Implications for Nonprofit Organizations.” It overviews the SOX provisions and makes several recommendations to nonprofits, such as the following:

Nonprofits must develop, adopt, and disclose a formal process to deal with complaints and prevent retaliation. Nonprofit leaders must take any employee and volunteer complaints seriously, investigate the situation, and fix any problems or justify why corrections are not necessary.

National Council of Nonprofit Associations. The NCNA, a network of state and regional nonprofit organizations, developed a sample whistleblower policy for use by small and mid-sized nonprofits. The sample policy covers the following areas: responsibility for reporting violations, preventing retaliation against whistleblowers, methods for reporting violations, the compliance officer’s duties, applicable areas of complaints and those responsible for addressing them, the involvement of the audit committee in complaints involving internal controls and auditing, the treatment of malicious or false allegations, confidentiality, and procedures for acknowledging reported violations.

Developing a Whistleblower Policy

A whistleblower policy may be drafted and implemented by management, but it should then be submitted to the audit committee or board of directors. The foundation of any whistleblower policy is a clear and specific definition of whistleblowing. Other key aspects of a whistleblower policy include the following:

  • Clear definition of individuals covered by the policy. A whistleblower policy should cover individuals within the organization as well as external parties who conduct business with the organization. For example, for a university, those covered could include faculty, staff, student employees, vendors, and customers.
  • Nonretaliation provisions. Whistleblower policies should prevent discrimination or retaliation against employees who report problems. Policies should also include methods to encourage employees, vendors, customers, and shareholders to report evidence of fraudulent activities. In addition, a whistleblower policy should include a disclaimer that anyone filing a claim must have reasonable belief that an issue exists and act in good faith.
  • Confidentiality. Protecting whistleblowers’ confidentiality is an important part of any whistleblower policy. Confidentiality is of great concern because the goal is to create an atmosphere where employees will feel comfortable submitting their names with claims to allow for further questioning and investigation. Allowing employees to file anonymous claims may increase the possibility of claims actually being reported; however, it may also increase the possibility of false claims being filed. The policy should explain how the claims will be investigated once received and whether the employee should expect to receive any feedback.
  • Process. A whistleblower policy needs to address the process employees should follow in filing their claims. Organizations may require whistleblowers to direct their claims to a certain person, such as a compliance officer, or, alternatively, to follow a ladder of reporting until they reach the top of management. The latter helps ensure that the employee addresses the claim with a supervisor before heading straight to the CEO or an external party. Specific reporting mechanisms within the process could include telephone or e-mail hotlines, websites, or suggestion boxes.
  • Communication. A whistleblower policy cannot be effective unless it is communicated to employees, vendors, customers, and shareholders. Employees can be informed through employee handbooks. Training could be provided internally during the human resources orientation process or by an outside party. Information can be posted throughout the company and on intranet sites. Customer service representatives can be trained to answer questions about the whistleblower policy.

Upon completion of the whistleblower policy, the organization should develop implementation and enforcement mechanisms that are consistent with the policy. Although the first step—creating an environment where a whistleblower will report problems that exist—is the crucial one, to be fully effective a whistleblower policy must be consistently implemented, claims investigated and evaluated, and proper enforcement taken when necessary.

Additional Resources

The purpose of this article is to increase awareness of the need for whistleblower policies for universities, governmental entities, and nonprofit organizations. Important components of these policies have been introduced above, but organizations should do additional research before adopting their final policies. Those wishing to develop a whistleblower policy can consult the actual text of SOX, examine the sample whistleblower policy from the National Council of Nonprofit Associations, and look at actual policies developed by other organizations. The Sidebars provide information to help begin the process.

Tim V. Eaton, PhD, CPA, is an associate professor of accountancy at Miami University, Oxford, Ohio.
Michael D. Akers, PhD, CPA, CMA, CFE, CIA, CBM, is the Charles T. Horngren Professor of Accounting and chair of the department of accounting at Marquette University, Milwaukee, Wisc.