With the latest Sarbanes-Oxley whistleblower provision expanding, it seems like firms of every size and type will have to prepare themselves. This could mean huge costs and compliance burdens. What steps can firms take to minimize these costs and burdens while remaining compliant with SOX?
The Sarbanes-Oxley Act (SOX), passed in 2002, protects shareholders and the general public from accounting errors and fraudulent practices within the enterprise, and provides protection for employees of publicly traded companies who bring misdoing to light. Specifically, the law prohibits public companies from terminating or retaliating against employees who provide information or assist in an investigation conducted by a federal agency, member of Congress or the company's internal regulators. If an employee feels that he or she qualifies for whistleblower protection and has been the subject of retaliatory action, he or she may file a complaint with the Occupational Safety and Health Administration (OSHA).
For the past 12 years, this whistleblower protection has applied only to companies that were regulated by SOX. For the most part, this means publicly traded companies. Private firms are not usually subject to SOX so the whistleblower provisions did not apply. On March 4, 2014, the United States Supreme Court issued a decision in the case of Lawson vs. FMR LLC. In this ruling, the Court found that the whistleblower provisions of SOX extend to private firms that are working under contract for public firms regulated by SOX.
What does this mean for private firms? Probably not much. Unless a firm is in the habit of retaliating against whistleblowers, there won't be a significant regulatory burden from this decision. Every firm that is directly or indirectly subject to the SOX whistleblower provision should consult with its HR department to ensure supervisors receive adequate training on the protections afforded to whistleblowers. In addition, supervisors should be briefed on their responsibilities to protect whistleblowers after any regulatory incidents occur. This doesn't need to be a costly training program. For example, someone from Human Resources might create a 10-minute "road show" and bring it around to managers' meetings.