Beyond Sarbanes-Oxley: Three Emerging Trends in Corporate Compliance
by Howard T. Anderson

Criminal trials, SEC actions, shareholder lawsuits, and investigations by New York’s attorney general all help concentrate the mind on once esoteric corporate compliance issues and the consequences of being on the wrong side of them. To stay on the right side of these issues, business leaders and their advisers need to do more than simply comply with the letter of post-Enron reform mandates such as Sarbanes-Oxley; they also must understand the spirit of these reforms and the long-term trends of which they are a part. This article will present an overview of three broad trends that have influenced today’s corporate compliance standards and will continue to do so: the emerging duty to investigate, the emerging duty to be transparent, and the emerging duty to be independent. Taken together, these trends represent a sea change from the way corporate compliance issues were approached a generation ago.

The emerging duties cannot be traced to a single dominant source; there is no counterpart to the roles played by Brown v. Board of Education or the Sherman Antitrust Act in other areas of the law. There are instead diverse sources that include: federal and state statutes, regulations, and administrative rulings; court decisions at various levels of the federal and state systems; the policies of prosecutorial and regulatory agencies; and the rules of industry self-policing organizations. Change has not proceeded at an even pace, as periods of intense reform pressure have alternated with backsliding. Nevertheless, the trends have moved steadily forward, each step creating a logic that leads inexorably, if not always quickly, to other steps that finally coalesce into legal and regulatory standards. The emerging duties likely will expand into new areas and, where they have already gained a foothold, become more institutionalized. Consequently, businesses should be prepared not only to respond to current mandates like Sarbanes-Oxley, but to position themselves ahead of the curve with respect to the dominant trends in corporate compliance.

The Emerging Duty to Investigate

How well an organization monitors itself and reacts to evidence of misconduct within its ranks is the ultimate test of its commitment to legal, regulatory, and ethical standards. To pass this test, a company must obtain accurate information on an ongoing basis—sometimes in the face of attempts to conceal it. Not surprisingly, some of the most important developments in corporate compliance have centered around how companies monitor themselves to uncover and disseminate material information.

Auditing, accounting, and other financial controls, which have been the focus of recent government actions such as Sarbanes-Oxley and numerous media accounts, are important components of a company’s monitoring system. The major focus of this article, however, will be the process used to investigate and resolve issues once auditors or others have identified them. This investigative process, which includes documenting and reporting information as well as gathering it, lies at the heart of any compliance program, yet the still evolving standards applicable to internal investigations often are poorly understood.

As described below, the duty to investigate has evolved in conjunction with two parallel trends that have reinforced each other: the development and expansion of affirmative duties to seek out information, and the erosion of protections for the uninformed.

The development and expansion of affirmative duties to seek out information

For generations corporate managers and directors have been under a fiduciary duty to exercise due care in the operation and oversight of their companies. Implicit in this duty is the need for corporate fiduciaries to inform themselves about matters that could materially affect the company. As a 1930 manual on corporate law explained the duty of care, directors must “take the usual methods to inform themselves of the true condition of the affairs of the company.”¹ However, the “usual methods” have changed dramatically since 1930. Some of this change can be seen in the contrast between the Delaware Supreme Court’s 1963 view of a director’s duty to acquire information in Graham v. Allis- Chalmers Manufacturing Co.² and the Delaware Chancery Court’s 1996 treatment of the same issue in In re Caremark International Derivative Litigation.³

In Graham, shareholders sued corporate directors after company employees pled guilty to violating federal antitrust laws. Unable to prove that the directors had actual knowledge of the antitrust violations, the plaintiffs argued that they had a duty to detect and prevent such violations. The Delaware Supreme Court rejected this argument, stating that “absent cause for suspicion there is no duty upon the directors to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists.”⁴

In 1996 the Delaware Chancery Court revisited this issue in Caremark, a case arising from circumstances similar to those present in Graham: a shareholder derivative suit against directors in the wake of the company’s guilty plea to a criminal charge. By then, many companies had installed various kinds of compliance programs that might have struck the Graham court as precisely the kinds of “corporate system[s] of espionage to ferret out wrongdoing” the court had ruled were not required to fulfill the duty of care. Among the incentives to establish such programs were the 1991 Federal Organizational Sentencing Guidelines, which offered a carrot-and-stick approach that combined significant criminal fines with incentives to promote voluntary compliance.⁵ Citing these guidelines—and deftly reinterpreting the Graham decision—the Delaware Chancellor in Caremark found that “a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system” exists, and that it is “adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations.”⁶

The contrast between the 1963 and 1996 Delaware cases is but one example of the trend toward requiring corporate decision-makers to take more aggressive and effective steps to ensure that they have sufficient information—if not always to prevent misconduct, then to respond appropriately when it occurs. Among the earliest harbingers of the trend toward requiring corporate self-examination were the affirmative action plans that began to be implemented in response to the Civil Rights Act of 1964 and other equal employment opportunity laws and administrative standards. Later developments in employment discrimination law illustrate how the emerging duty to investigate has evolved from disparate sources. By the 1980’s, for example, the Civil Rights Act of 1964 had spawned an area of compliance that few sponsors of that statute could have envisioned: namely, the body of law that has grown up around sexual harassment. Supreme Court decisions have made it all but mandatory for companies confronted with evidence of such harassment to conduct immediate investigations. Companies that promptly investigate and take appropriate corrective action can avoid or minimize liability, even when harassment has occurred.⁷ As discussed in the next section, however, it may be impossible to maintain privileges in connection with these investigations.

The erosion of protections for uninformed corporate fiduciaries

The prevailing standards of yesteryear often encouraged a “what you don’t know can’t hurt you” culture. These standards began to change in the 1980’s;⁸ they have changed dramatically since then and are continuing to do so. The essence of the change has been to reduce incentives to remain ignorant and to erode protections for directors, managers, and other corporate fiduciaries who remain uninformed about misconduct in their organizations.

Potential liability of corporate directors. As the Caremark decision illustrates, standards for evaluating prudent business judgments are changing in the direction of requiring directors, in particular, to take affirmative steps to ensure that they receive early warning of waste, mismanagement, and wrongdoing. The standards for evaluating director oversight of corporations also may be changing in response to Sarbanes-Oxley and other recent legislative and regulatory actions. As a former Chief Justice of the Delaware Supreme Court has observed:

[I]t is arguable . . . that [board conduct] may be measured not only by the evolving expectations of directors in the context of Delaware common law fiduciary duty, but also it may well be measured against the backdrop of relevant Sarbanes-Oxley SEC rules and the SRO [Self-Regulatory Organization] requirements even though there may be no express private right of litigation in the federal legislation.⁹

Changes in accounting standards. Accounting and auditing functions are at the center of the changes imposed by Sarbanes-Oxley and other post-Enron regulatory measures. As a result of these changes, it will be more difficult to rely on traditionally defined “generally accepted accounting principles” as a defense. Businesses and their internal and external auditors will have to demonstrate a more probing, critical approach to the financial information they receive from an organization’s managers if they are to be seen as credible in a changed environment. The rise of “forensic accounting” services—those that merge accounting and investigative techniques to detect fraud and other misconduct—is in line with this trend.

Privileges and burdens of proof. The attorney client relationship and privileges associated with it are still available and are in no danger of disappearing. Companies that elect to challenge government enforcement actions are still entitled to the protections afforded by the adversary system of justice, such as burdens of proof. In an increasing number of situations, however, businesses are finding it unwise to invoke privileges and are asking attorneys to play the role of neutral investigator instead of advocate. A company can still have its day in court and make the government prove its case, but foregoing the adversarial route often is a smarter strategy.

Penalties for willful ignorance. A line of cases beginning with United States v. Bank of New England¹⁰ has made it more difficult for corporations to ignore misconduct by establishing the principle that the “flagrant indifference” or “willful blindness” of employees can, under some circumstances, satisfy the intent requirement in a criminal case. “Know your customer” rules in banking and recent anti-terrorism measures are likely to expand this trend.

Whistleblower protection laws. Discouraging employees from reporting wrongdoing and retaliating against those who do have helped unethical business leaders keep themselves and outsiders in blissful ignorance. The anti-retaliation provisions of Section 806 of Sarbanes-Oxley offer but one example of statutory protections for whistleblowers that now make it more risky for companies to maintain “shoot the messenger” cultures that stifle the flow of information about misconduct in the organization.

The Emerging Duty to Be Transparent

Increasingly a company not only has to investigate itself, but also must demonstrate to outsiders that it has done so adequately and has taken appropriate corrective action based upon the investigation’s findings. The logic behind this trend is straightforward: to the extent a company seeks a legal, regulatory, or public relations benefit from having policed itself, it should be willing to satisfy courts, government agencies, and other interested outsiders that its self examination was genuine.

In sexual harassment cases, for example, the availability of a corporate defense based on prompt investigations and corrective action eventually gave rise to the issue of whether attorney-client and other privileges could be asserted with respect to the investigation. In Payton v. New Jersey Turnpike Authority,¹¹ a landmark 1997 case, the New Jersey Supreme Court reaffirmed an employer’s duty to investigate and remediate sexual harassment allegations, and ruled that attorney-client and attorney work product privileges do not apply to investigations undertaken to fulfill this legal duty; nor can those privileges be invoked in litigation when the company seeks to use the investigation and remedial action flowing from it as a defense. While Payton was decided in the context of a sexual harassment case, its logic can be applied to other situations in which a company seeks to assert its self-policing efforts to avoid or reduce liability.¹² In a New York securities case, for example, a federal court disallowed a work product claim and ordered production of an internal investigative report because the company had publicly announced a non-litigation reason for the investigation.¹³

The Federal Organizational Sentencing Guidelines follow logic similar to Payton’s and have helped accelerate the trend toward transparency as well as the other two compliance trends discussed in this article. The guidelines reinforce the emerging duty to investigate by rewarding companies that implement effective compliance programs and penalizing those that ignore noncompliance; they encourage transparency by providing incentives to waive attorney-client and other privileges; and in their totality the guidelines reward companies that exercise independent judgment from that of managers and directors who may have engaged in wrongdoing, thereby reinforcing the duty to be independent.¹⁴

It is far better, of course, to avoid the sentencing stage altogether. The best way to do that is to convince the prosecutor not to indict the corporation. Transparency, including the waiver of privileges, will be essential if the company is to make a persuasive case to prosecutors that the organization should not be charged. One sign of this was a 2003 memorandum from the U.S. Deputy Attorney General to United States Attorneys around the country concerning principles to be followed in deciding whether to charge corporations. A factor in this decision was “the corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents, including, if necessary, the waiver of corporate attorney-client and work product protection.”¹⁵

The Emerging Duty to Be Independent

The third emerging duty is logically related to the first two. Corporate fiduciaries who take steps to satisfy the duty to inform themselves, and who are required by emerging transparency standards to reveal to skeptical outsiders the means by which they did so, will increasingly find themselves evaluated on the basis of how independent and objective they were. A corporate investigation that is thorough and transparent, for example, can still fail the test of independence if scrutiny by outsiders reveals it to have been an exercise in advocacy rather than objective fact-finding.

The emerging duty of independence is far better defined in some areas than in others. Sarbanes-Oxley and regulatory actions taken pursuant to it provide both a mandate for independence and detailed guidance of what it means in some contexts, such as board composition.¹⁶ While there also is an implicit mandate for independence in internal investigations (the audit committees of listed companies must have sufficient authority and funding to conduct independent investigations, for example, and the role of special counsel to such committees is becoming a specialty¹⁷ ), there is little statutory or regulatory guidance concerning what independence means in the investigative context. Based upon the logic of standards that do exist, however, it is possible to identify the major components of independence as applied to internal investigations. These can be grouped into two categories: “relational” and “process” independence.¹⁸

Relational independence

The relational test of independence asks whether the investigating individual or firm has a relationship with the subject matter of the investigation, the company being investigated, or key individuals involved in the investigation. An obvious failure of relational independence occurred in the Enron matter when the CEO asked his regular outside law firm to investigate alleged wrongful transactions in which the law firm itself had participated. Another obvious case is presented when the investigator has a prior relationship, whether social or professional, with a key individual involved in the investigation. If allegations implicate top management, for example, it will not do to have the CEO’s college fraternity brother investigate them.¹⁹

A more difficult issue, especially for law firms that offer “independent” investigative services, is whether performing other legal work for a company, even if it is unrelated to the subject of the investigation, is consistent with a claim of independence. In most cases, the answer is no. Recognizing this inconsistency, a recent report by the Conference Board’s Commission on Public Trust and Private Enterprise concluded:

Special counsel retained to conduct independent investigations with likelihood to implicate company executives should report directly to the board or an appropriate committee and should not be an individual or firm that the company regularly uses as outside counsel or that derives a material amount of revenues from the firm. (Emphasis added.)²⁰

Process independence

Even investigators with no relationship to the subject matter, company, or individual targets can conduct an inquiry in a way that leaves room to question their independence. Thus, the methods used to conduct the investigation and report its findings must satisfy interested outside parties, such as government agencies and company shareholders, that the investigation was thorough and objective, and that its results are reliable.

To demonstrate independence through the investigative process, it is necessary to use fair procedures, document the evidence thoroughly, and demonstrate the soundness of conclusions through a reasoned analysis. Even if these criteria are satisfied, however, the investigation will not appear independent to skeptical outsiders unless the details of it are shared with them. In this respect, the duty to be independent merges with the duty to be transparent which, as noted, often will require a company to waive the attorney-client and other applicable privileges. The practical need to do this makes independent investigations part of a distinct strategy that foregoes some of the protections afforded by the adversarial system of justice in order to achieve larger goals.²¹

Regardless of how open and transparent the company is in releasing its investigative report and supporting evidence, the results will not be accepted as independent and reliable if the investigators have not confronted and resolved the issues in a demonstrably thorough and objective manner. Interested outsiders will be especially alert for signs that, notwithstanding disclaimers to the contrary, the “independent” investigation and report was an exercise in advocacy and spin control rather than objective fact-finding. Recent controversy over an internal investigation conducted on behalf of CBS News into issues surrounding a September 2004 television report on President Bush’s National Guard service illustrates the kinds of questions that will be raised.

In many respects, the CBS News investigation appeared to satisfy both the relational and process tests of independence. Moreover, the report’s findings were highly critical of CBS News’s handling of the Bush National Guard story. Critics nevertheless charged that in key areas, the investigative report was unjustifiably favorable to CBS News. Most of the controversy centered on the investigating panel’s claim that it could not conclude that political bias had contributed to the journalistic deficiencies it found.²² These and other conclusions led some critics to charge that the investigators were not truly independent and objective.²³

Investigations that satisfy every reasonable test of independence, thoroughness, and objectivity can still come under attack—particularly from those whose interests are threatened by the investigation’s findings—and it is beyond the scope of this article to evaluate whether criticisms of the CBS News investigation have any merit. These criticisms do, however, illustrate a general rule: the credibility of an internal investigative finding is likely to be attacked in proportion to how favorable it is to the company that commissioned the investigation. Thus, if investigative results that are wholly or partly favorable to the company are to be accepted, great care must be taken to avoid leaving room for collateral attacks on the objectivity of the investigators. This means selecting investigators with no compromising relationships and ensuring that they follow a process that is transparent and reinforces confidence in their conclusions.

Conclusion

Sarbanes-Oxley and other post-Enron reforms are affecting the way corporate compliance issues are addressed and currently are receiving a great deal of attention. If past experience is any guide, this intense period of change and reform-awareness will be followed at some point by a period of relative inattention to these issues, allowing some organizations to backslide into practices that will set the stage for future corporate scandals. Organizations that position themselves correctly with respect to the major compliance trends outlined above, however, will be able to survive and prosper as these trends become more entrenched and are applied to more areas, and in the event a new round of scandals triggers additional enforcement and legislative activity.

Staying ahead of the curve with respect to these trends need not involve elaborate new programs, endlessly detailed rules, or burdensome paperwork. What it does require is clear thinking in the selection of a compliance strategy and adherence to the logic of that strategy when it is tested in the heat of a crisis.

Notes

1. Henry W. Ballantine, BALLANTINE’S MANUAL OF CORPORATION LAW AND PRACTICE § 114 at 359 (1930), quoted in Charles W. Elson and Christopher J. Gyves, “In Re Caremark: Good Intentions, Unintended Consequences,” 39 WAKE FOREST L. REV. No. 3 (Fall 2004), at 692 n.4.

2. 188 A.2d 125 (Del. 1963).

3. 698 A.2d 959 (Del. Ch. 1996). See Elson and Gyves, supra note 1, at 692-702.

4. 188 A.2d at 130.

5. See Jeffrey M. Kaplan, “Sentencing Guidelines 2.0: The Next Generation in Compliance Programs,” CORPORATE GOVERNANCE ADVISOR (Nov./Dec. 2004), at 10. As Kaplan points out, in the 1980’s the average federal criminal fine for an organization was approximately $10,000, while under the corporate sentencing guidelines fines have gone as high as $500 million.

6. 698 A.2d at 970.

7. See Meritor Savings Bank v. Vinson, 477 U.S. 57, 72-73 (1986).

8. See Howard T. Anderson and Edwin H. Stier, “What You Don’t Know Can Hurt You: The Case for ‘Special Counsel’ Investigations,” CAL. MNGMT. REV., Vol. XXIX No. 3 (Spring 1987), at 77.

9. E. Norman Veasey, “Counseling Directors in the New Corporate Culture,” THE BUS. LAWYER, Vol. 59, No. 4 (Aug. 2004), at 1447, 1453.

10. 821 F.2d 844, 856 (1st Cir.) (upholding jury instruction that willfulness element of criminal charge is established by “flagrant organizational indifference”), cert. denied, 484 U.S. 943 (1987).

11. 148 N.J. 691 (1997).

12. See Edwin H. Stier and Howard T. Anderson, “The Legal Landscape After Payton: Investigating Sexual Harassment Complaints,” 148 N.J. LAW J. 364 (Apr. 28, 1997).

13. In Re Kidder Peabody Securities Litigation, 168 F.R.D. 459 (S.D.N.Y. 1996).

14. Recent amendments to the corporate sentencing guidelines have strengthened their impact in all these areas. See Kaplan, supra note 5, at 11-12. The recent Supreme Court decisions in United States v. Booker and United States v. Fanfan, 125 S. Ct. 738 (2005), which held that the federal sentencing guidelines are advisory and not mandatory, were decided in the context of individual sentences and did not specifically address the sentencing of organizations. Even assuming the holdings apply to the Organizational Guidelines, however, there is no reason to expect that the role of corporate compliance programs will be less influential when judges apply the guidelines in an advisory capacity. See Laura D. Richman, “Compliance and Ethics Programs Under the Federal Sentencing Guidelines After the Supreme Court Booker Decision,” in this issue of WALL STREET LAWYER.

15. “Principles of Federal Prosecution of Business Organizations,” Memorandum from Deputy Attorney General Larry Thompson to Heads of Department Components (Jan. 20, 2003), at 3, available at <www.usdoj.gov/dag/cftf/corporate_guidelines.htm>.

16. See Veasey, supra note 9, at 1457-1458.

17. See Edwin Stier and Jeff Kaplan, “What Makes an Investigation Independent?,” DIRECTORSHIP (Dec. 2003); Geoffrey C. Hazard, Jr. and Edmund B. Rock, “A New Player in the Boardroom: The Emergence of the Independent Directors’ Counsel,” THE BUS. LAWYER, Vol. 59, No. 4 (Aug. 2004), at 1389.

18. These are described in more detail in Howard T. Anderson and Edwin H. Stier, “Corporate Internal Investigations: Independence and Credibility,” BNA, PREVENTION OF CORPORATE LIABILITY, Vol. II, No. 7 (Aug. 18, 2003), at 85-88.

19. See, e.g., Allan Horwich, “Special Litigation Committees: Who the Members Are May Be More Important than What the Committee Does,” WALL STREET LAWYER (July 2003), at 23.

20. The Conference Board Commission on Public Trust and Private Enterprise, Findings and Recommendations (Sept. 17, 2002, and Jan. 9, 2003), at 33, available at <www.conference-board.org/pdf_free/758.pdf>.

21. These strategic choices are discussed in Howard T. Anderson and Edwin H. Stier, “Using Internal Investigations as an Alternative Strategy for Responding to a Crisis,” CORPORATE GOVERNANCE ADVISOR (Sept./Oct. 1997), at 1.

22. See Report of the Independent Review Panel on the September 9, 2004, 60 Minutes Wednesday segment “For the Record,” Concerning President Bush’s Texas Air National Guard Service (Jan. 5, 2005) at 28, 211-216, available at <www.image.cbsnews.com/htdocs/pdf/complete_report/CBS_Report.pdf>.

23. See, e.g., Howard Kurtz, “Critics Question No Bias Finding by CBS Panel,” WASH. POST, Jan. 12, 2005, at C1. Concerning the report’s finding that whether certain memoranda were forgeries could not be proved, one op-ed writer alleged that he had brought information to the attention of the investigators that would have conclusively established the forged character of at least one document, and had supplied supporting witnesses and documentation, but had been ignored. He attributed this omission to “an attorney’s protection of its client,” and ended by stating: “If you want the unambiguous truth look in the yellow pages for a good but inexpensive private investigator.” William Campenni, “Exposing CBS: Fatal Flaw in the Documents,” WASH. TIMES, Jan. 18, 2005, at A15.

About the Author