Going Public in 2024? Don’t Forget Your SOX Whistleblowing Obligation

In the US, all companies planning an initial public offering (IPO) and those with securities outstanding must comply with the whistleblowing requirements of the Sarbanes-Oxley Act (SOX). What do they need to know? 

Over time, misconduct, inappropriate behavior, and illegal practices can become widespread and normalized within a company. Speaking out against wrongdoing in the workplace can be risky – for the whistleblower, colleagues, and the reputation of the business – but a number of federal statutes prohibit US employers in the private sector from retaliating against whistleblowers.  

These include the Sarbanes-Oxley Act of 2002, or ‘SOX’, which also applies to companies preparing for an IPO. To ensure compliance with SOX, these businesses must have a whistleblowing system in place before they list.

SOX and Whistleblowers’ Legal Rights 

SOX is federal legislation that established new and enhanced standards for public company boards, as well as management and public accounting firms. SOX requires companies to adopt a business ethics code of conduct, and create an internal procedure for employees to report fraud or ethical concerns or violations – a whistleblowing program. 

The law applies to all US domestic public companies, as well as non-public companies with publicly traded debt securities. Some sections of SOX apply to companies that do business with publicly traded companies, even if they aren’t publicly traded themselves. Subsidiaries of covered public companies can also be held liable for retaliating against a whistleblower under certain circumstances. 

Among other provisions, Sarbanes-Oxley provides protection for whistleblowers who work for covered companies when they disclose information that they reasonably believe shows a violation of federal securities law, SEC rules, or any federal law related to fraud against shareholders. 

Under SOX, retaliation by an employer against a whistleblower who made a report to a law enforcement agency concerning the commission of any federal offense can incur criminal penalties, including a fine or ten years’ imprisonment (or both). 

SOX contains two different provisions concerning corporate whistleblowers, which companies seeking an IPO need to be aware of:

  1. Whistleblower procedures that audit committees must establish pursuant to Exchange Act Rule 10A-3 (mandated by Sarbanes-Oxley Section 301) 
  2. Whistleblower protections provided by Title 18 of the U.S. Code (mandated by Sarbanes-Oxley Section 806)


Audit Committee Whistleblower Procedures 

Rule 10A-3 of the Exchange Act directs NYSE, Nasdaq and other national securities exchanges or associations to require a listed company’s audit committee to establish formal procedures for addressing complaints relating to accounting and auditing matters. Listed companies must have these whistleblower procedures in place. Specifically, audit committees must establish procedures for: 

  • External complaints: Receiving, retaining, and treating complaints that the company receives (from any source) regarding accounting, internal accounting controls or auditing issues.
  • Internal complaints: Providing a means (for example, through a toll-free number) for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. 

Whistleblower Protections Under Section 806 of SOX

Sarbanes-Oxley not only requires that companies have whistleblower procedures in place, but also provides substantial protections to employee whistleblowers who report certain company misconduct. The Sarbanes-Oxley whistleblower protections are set forth in Section 806 of the Act. Section 806, which is currently in effect, applies to any employee who either: 

  • Files, testifies, participates in or otherwise assists in any proceeding relating to an alleged violation of the mail, wire, bank or securities laws; or 
  • Provides information or assists in an investigation regarding any conduct that the employee “reasonably believes” constitutes a violation of the mail, wire, bank or securities laws.

Employers can further the goals of Section 806 and at the same time mitigate the long-term risks of securities violations by making their employees feel that they can safely express their concerns about possible company wrongdoing without fear of retribution. Employers can do this by: 

  • Establishing an independent and reliable system for receiving and investigating employee assertions of misconduct, which incorporates, or supplements, the audit committee’s mandated whistleblower procedures described above. 
  • Reminding employees that the company takes compliance with federal securities laws and company policy seriously. 
  • Reassuring employees that the company will make reasonable efforts to ensure that it thoroughly addresses and explores employee concerns and that it will not retaliate against employees based on their assistance or involvement in any subsequent company investigation. 

For a whistleblowing report to be protected under Section 806 of SOX, the employee must have provided information regarding any action or inaction that the employee reasonably believes is a violation of a covered law to a federal regulatory body or law enforcement agency, member of Congress or committee of Congress, or a supervisor or person authorized by the employer to investigate, discover, or terminate misconduct.

Incident and Policy Management Technology: The Key to SOX Compliance 

Organizations must have the right procedures and protocols in place that make it easy for employees to raise complaints and ensure that each case is dealt with appropriately. Organizations must also report any wrongdoing to the regulators, with clear mitigation and remediation policies in place. By doing so, whistleblowing can be used to the organization’s advantage, bringing to light issues of serious misconduct, and allowing them to be addressed early on, before they lead to large fines and serious reputational damage. 

Partnering with a provider of comprehensive incident and policy management software solutions allows firms to implement consistent whistleblowing protocols and policies, including a robust hotline and case management process. This will enable the intake and collection of employee concerns, and allow each incident to be managed, investigated, and resolved fairly and efficiently.  

Effective incident and policy management compliance software enables the firm to move from passive to proactive employee case management, thereby mitigating employee compliance risk, enhancing performance, and strengthening its position for future growth.

By enabling anonymous whistleblowing and simplified reporting with full privacy for all employees, Star’s automated Incident and Policy Management (IPM) solution simplifies compliance with SOX. For more information on how to modernize your whistleblower program in 2024 or meet Sarbanes-Oxley Act requirements, attend our live webinar, Considering an IPO in 2024? Whistleblowing Solutions Now Required.