Q&A #153 – Are nonprofits required to have a whistleblower policy?
Question: I recently started as Executive Director of a nonprofit organization and noticed that the organization does not have a whistleblower policy. It was my understanding that the Sarbanes-Oxley Act requires nonprofits to have a whistleblower policy, but several Board members have questioned whether this law applies to nonprofits. Does the Sarbanes-Oxley Act require nonprofits to have a whistleblower policy?
Answer: Section 1107 of the Sarbanes-Oxley Act prohibits all persons, including nonprofit organizations, from knowingly retaliating against certain whistleblowers. There is no specific requirement under federal law to have a whistleblower policy, but having one is a strongly recommended best practice to prevent violations of this law and to demonstrate the organization’s commitment to transparency and accountability.
The applicability of the Sarbanes-Oxley Act of 2002 to nonprofit organizations is an often-misunderstood topic. The Act (P.L. 107-204), was passed in response to the corporate fraud scandals that occurred in the early 2000s (e.g., Enron and WorldCom) and included widespread corporate governance and financial reforms aimed mainly at publicly traded for-profit companies.
However, there are two main aspects of the Act that do apply to nonprofits: (1) restrictions on destroying, falsifying, or otherwise modifying records to obstruct a federal proceeding or investigation; and (2) restrictions on retaliating against certain whistleblowers.
Specifically, Section 1107 of the Sarbanes-Oxley Act, codified at 18 U.S.C. § 1513(e), provides that:
“Whoever knowingly, with the intent to retaliate, takes any action harmful to any person, including interference with the lawful employment or livelihood of any person, for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any Federal offense, shall be fined under this title or imprisoned not more than 10 years, or both.”
The term “law enforcement officer” generally includes any federal government employee, advisor, or consultant who is authorized to “engage in or supervise the prevention, detection, investigation, or prosecution of an offense.” See 18 U.S.C. § 1515(a)(4). This can include Internal Revenue Service audits, EEOC or Department of Labor investigations, and other federal agency proceedings.
Thus, the Act does not specifically require adoption of a whistleblower policy to prevent the criminal violations referenced in the statute, but having whistleblower policy is a strongly recommended best practice for a few important reasons.
First, having a clearly articulated and consistently followed whistleblower policy will help to establish and sustain an organizational culture that encourages identifying and resolving problems rather than ignoring them. This will not only weigh heavily in the organization’s favor if allegations of retaliation do arise, it will also help to prevent the types of scandals that could result in long-lasting damage to the organization’s reputation and sustainability.
Second, many external auditors strongly urge organizations to have a whistleblower policy, so not having one can impact the financial statement audit process and lead to possible findings in the auditor’s management letter.
Further, the Form 990 (in Part VI, Section B) specifically asks whether the organization has a written whistleblower policy. Answering “no” to this question can reflect poorly on the organization and result in a lower rating by charity watchdog sites, as demonstrated in this explanation of how Charity Navigator computes its Accountability & Finance score.
And many states have laws that require or strongly encourage whistleblower policies applicable to an organization’s employees.
Planning Tip – When drafting or revising your organization’s whistleblower policy, give careful thought to the person(s) designated to receive whistleblower complaints. These persons bear a heavy responsibility to convey the complaint to the Board of Directors or the appropriate committee, and designating the wrong person can potentially inhibit legitimate complaints and investigations. Possible choices could include the Board Chair, CEO, COO and/or a third-party whistleblower hotline service, but this decision will depend on the organization’s size, governance structure, complexity, and other specific circumstances.
For these reasons, it is essential to have a thoughtfully drafted whistleblower policy that applies to the organization’s Board and committee members, management, staff, volunteers, and others who may be in a position to see and report violations of the law, even if a whistleblower policy is not strictly required by federal law.
If you have a question you would like to submit to SE4N, send it to us using the contact form and we will consider answering it in a future post. Please do not send confidential information.
You might also be interested in:
Q&A #59 – What policies are recommended for a newly formed nonprofit?
Q&A #88 – Does theft or fraud need to be reported on the Form 990?