The Sarbanes-Oxley Act of 2002 requires an anonymous and easy-to-use complaint procedure. Implementing an electronic complaint procedure may make it easier to file complaints; however, anonymous usage remains a challenge. Intranet web forms are the easiest to use; Internet-accessible forms are better at protecting anonymity. E-mail is an excellent alternative if used correctly. However, remailer usability is generally poor. Therefore, knowing about the tradeoffs between ease-of-use and anonymity is essential for selecting an appropriate system.
The adoption of Sarbanes-Oxley in the wake of the Enron1 accounting scandal has brought about a wave of tight financial regulations for companies that publicly offer their securities in the US or have securities listed on a US stock exchange. Some provisions of the Sarbanes-Oxley Act apply directly, while many require the US Securities and Exchange Commission (SEC) to adopt implementing rules and regulations.
A central element of the Sarbanes-Oxley Act is the legal protection it affords corporate whistleblowers. The protections provided are scattered throughout the Act and, although they are modeled on traditional whistleblower laws,2 they are not limited to remedies for wrongfully discharged employees. In addition to legal provisions aimed at protecting a whistleblower’s employment relationship, the Sarbanes-Oxley Act establishes several other layers of protections. A key element of the regulatory framework is the requirement for companies with a stock exchange listing in the US and companies whose securities are otherwise listed on a US-regulated market, such as the NASDAQ stock market, to create internal and independent audit committees. As part of the requirement to establish an audit committee, publicly traded corporations are required to establish procedures for employees to file internal whistleblower complaints regarding financial and accounting matters and procedures designed to protect the confidentiality of employees who file allegations with the audit committee.3
This article outlines the requirements for a Sarbanes-Oxley Act-compliant audit committee complaints procedure and provides some suggestions for how such a procedure might be implemented.
Audit Committee Complaints Procedures
Though the legal framework established by Sarbanes-Oxley is relatively clear, there remain a number of practical questions as to how exactly a complaints procedure must be structured to be compliant. Moreover, the implementation of such a system raises a number of technical questions.
The Legal Framework
Pursuant to Rule 10A-3 under the US Securities Exchange Act of 1934, US stock exchanges are required to adopt (and have adopted) rules that require the audit committees of listed companies to establish procedures for:
- The receipt, retention and treatment of complaints received by the company regarding accounting, internal accounting controls or auditing matters
- The confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters
Accordingly, companies face a choice. They may either adopt two separate sets of complaints procedures—one that permits anyone (whether employed by the company or not) to submit complaints regarding a company’s “accounting, internal accounting controls or auditing matters” and one that permits employees of the company to submit confidential and anonymous complaints regarding “questionable accounting or auditing matters.” Alternatively, they may establish a uniform complaints procedure covering both internal and external complaints. Though the required internal complaints procedure has a slightly narrower scope in that it does not cover internal accounting controls and extends only to those accounting and auditing matters that are “questionable,” and though it requires measures to secure anonymity and confidentiality, many companies find it easier to establish a single complaints procedure.
Rule 10A-3 does not provide any further guidance as to how a Sarbanes-Oxley Act-compliant complaints procedure should be structured. The release by which the SEC has adopted the rule makes it clear that no specific procedures are mandated. Instead, each audit committee should develop procedures that work best with the company’s specific circumstances.
While the audit committee may hire dedicated staff to establish a complaints procedure, this is not a requirement, and the audit committee may also outsource the function to an external IT firm. In either case, the company is obligated to reimburse the audit committee for any necessary or appropriate expenses it may incur in connection with establishing the procedure.
A related question is whether the audit committee may rely on company support in establishing a Sarbanes-Oxley-compliant complaints procedure. The SEC has not declared whether, and to what extent, the audit committee may rely on administrative support from management (such as through the office of the corporate secretary, general counsel or internal auditor). However, the SEC staff has informally stated that the use of management resources should be permissible as long as the confidentiality and anonymity of the submission and employee can be assured.
The key requirement, therefore, is to ensure that company employees are in a position to submit complaints to the audit committee, either directly or through a company office (e.g., the general counsel of the company) in a way that ensures their anonymity. At the same time, the procedure must not be so burdensome on employees that it discourages them from submitting complaints.
The dual requirements of confidentiality and ease of making complaints to the company’s audit committee pose significant practical obstacles. For example, a letterbox next to the in-house cafeteria, while undoubtedly convenient for employees, will hardly satisfy the required confidentiality standard. In contrast, a postbox to which employees address anonymous letters may create an undue burden. Similar considerations would apply to an e-mail address to which employees could send e-mails from a special-purpose e-mail account with their private Internet service provider (ISP). Therefore, the question has arisen whether companies could satisfy the Sarbanes-Oxley Act standard for a confidential and anonymous complaints system by setting up an electronic submission form on their intranet.
Before identifying the various options available to protect anonymity, it is necessary to define often-used terms such as anonymity and pseudonymity:
Anonymity ensures that others cannot determine your true identity. An anonymous person effectively does not have an identity. A pseudonym…is an alternative (fictitious or assumed) identity for a person…Pseudonyms and aliases will usually not prevent the true identity of a person from being determined, although it may be difficult and may require law enforcement to enable it. Anonymity on the other hand should ensure that the true identity of a person is never found out.4
Various technical solutions can be used to address the aforementioned requirements. There are four possible ways to implement a complaints procedure, though not all of them achieve the goal of anonymity:
- Intranet web forms
- Internet web forms
- E-mail address
- Anonymous remailer
Intranet Web Form
Providing intranet-based web applications is a common way of interacting with employees in large companies. Self-service applications are generally favored by management to reduce the need for administrative staff to process standard workflows, such as reimbursement of travel expenses. Similar applications can also be created to allow anonymous feedback and complaints. These systems can be implemented relatively easily; employees are usually familiar with the interface, and the procedure is not too burdensome.
The obvious drawback of this approach is that it lacks anonymity. Although users may not be required to reveal their identity on the complaint form, intranets are usually closely monitored for performance and security reasons, so log files record which user was logged on to which computer at what time. By correlating the connection logs of the server hosting the complaint application with the time recorded for a complaint filing, the user can be identified.
Internet Web Form
Instead of providing an intranet application for internal complaints, a similar application can be made accessible from the Internet. The obvious advantage is that both employees and external parties may use it. Moreover, employees may file their complaints from Internet cafés and other locations not under the company's control. To avoid the identity disclosure issues associated with intranet forms, it is advisable to allow only company-external IP addresses to access the complaint application. This makes it considerably harder to determine the true identity of whistleblowers, even though the process is a little more burdensome for users.
Clearly, this open access has its drawbacks. One of them is the danger of spamming. Attackers may misuse the reporting form to flood the company with fake complaints, thereby causing considerable cost. In addition, valid complaints might be lost among thousands of invalid ones created by automated attacks. A simple way of preventing automated submissions is to require users to confirm their submission by typing in a code that is displayed as a graphic (i.e., a CAPTCHA).5 However, this may pose an inappropriate burden on visually impaired users: screen readers and Braille displays cannot render the image, which prevents those users from submitting the form.
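The external-only access rule recommended above, as an added illustration that is not code from the article: a small Python check that refuses the complaint form to addresses inside the company's own ranges and fails closed on anything it cannot parse. The address ranges are constructed, and a deployment behind a reverse proxy must feed in the client address the proxy reports, not the socket peer.

```python
import ipaddress

# Constructed example of the company's own address ranges (assumption, not from the article).
COMPANY_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # internal RFC 1918 space
    ipaddress.ip_network("192.0.2.0/24"),      # public range of the company's outbound proxies
    ipaddress.ip_network("2001:db8:1::/48"),   # the company's IPv6 allocation
]


def is_company_address(client_ip: str, networks=COMPANY_NETWORKS) -> bool:
    """True if the connecting address is company-controlled.

    Unparseable input counts as company-internal so that the form fails
    closed instead of serving a request it cannot classify."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True
    # IPv4 clients arriving on an IPv6 socket appear as ::ffff:a.b.c.d;
    # unwrap them so the IPv4 ranges above still match.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks)


def gate_complaint_request(client_ip: str) -> tuple:
    """(HTTP status, message) the complaint form should answer with.

    Behind a reverse proxy, client_ip must be the address the proxy reports
    for the client (from a header only that proxy can set), not the socket peer."""
    if is_company_address(client_ip):
        return 403, ("To protect your anonymity, the complaint form cannot be used from "
                     "the company network. Please submit it from an external connection.")
    return 200, "OK"
```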
Figure 1—Automatic Reply to a Remailed E-mail
This message is being sent to you automatically in response to an e-mail that you sent to .
Most likely, you tried to reply to an e-mail that has been sent through this service. If you did not send an e-mail to , please ignore this message.
The Melon Traffickers' Remailer is a free service that allows individuals, including crime victims, domestic violence victims, persons in recovery, and others, such as those living under oppressive regimes, to communicate confidentially in a manner that ensures their privacy under even the most adverse conditions.
To block individuals using this remailer from sending e-mail to your address in the future, please send a message to containing the line destination-block email@example.com anywhere in the body text of the e-mail. You can simply forward this entire e-mail to using your e-mail program for your current e-mail address to be permanently blocked from users of the Melon Traffickers' Remailer.
For more information about the Melon Traffickers' Remailer Administrator's strict anti-abuse policy, please send a blank e-mail to
-- The Melon Traffickers' Remailer Administrator
E-mail Address
The simplest way to establish a complaints procedure is to create an e-mail address for complaints. However, this approach has obvious drawbacks. First and foremost, users must send their complaints from web-based freemail accounts such as Hotmail, using an address that protects their anonymity. In addition, they must not accidentally use their normal e-mail program with their company e-mail address to send the complaint. If the complaints procedure is described on a web page, the complaint e-mail address might be coded as a clickable hyperlink (such as mailto:firstname.lastname@example.org). Clicking on the link opens the default e-mail program and thus misleads users into revealing their identity.
Correctly used, a simple e-mail address provides a fairly anonymous complaints procedure. However, due to typical user errors that would reveal the user’s identity, an e-mail address and a description of correct use will not suffice.
Whenever computer scientists see the words “anonymity” and “e-mail” in one sentence, they think of Chaum mixes and anonymous remailers. Anonymizers based on Chaum mixes6 or on Dingledine, Mathewson and Syverson’s Tor system7, 8 can be used to obfuscate traces at ISPs and web servers. Chaum’s system implements anonymity so that eavesdroppers do not know who is communicating with whom at what time. Tor is an improvement of the original Onion Routing system. It routes each request, wrapped in several layers of encryption, via several nodes to make traffic analysis impossible. At the client side, however, privacy expectations can still be violated by locally installed software such as keystroke loggers.
While Mixmaster remailers offer the best protection of anonymity, they are rarely used. Therefore, users are not familiar with the concept, and it might be considered too burdensome to use it. An alternative is to use a web-based interface such as the Riot Anonymous Remailer.9
When using an anonymous remailer, the complaint department must publish an e-mail address to which complaints can be addressed. To avoid people accidentally revealing their identities by sending e-mails to this account, the account can be set up to accept, for instance, only e-mails from the Riot Anonymous Remailer. This can be done by keeping the incoming e-mail in a hold queue and automatically replying to it. If it has been sent through a remailer, an automated answer such as the one in figure 1 will be returned. Once such an answer has been received, the e-mail is delivered to the complaint department’s inbox.
The issue with this approach is that not all remailers are configured to provide such an answer. Therefore, if no answer is received within 24 hours, the e-mail may or may not have been sent via a remailer. There seems to be no way of determining this. If it were possible to establish reliably that the e-mail was not sent via a remailer, the procedure would be to discard it and send a notification that it had been discarded to the original sender—who is now assumed to use a valid e-mail address.
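The hold-queue procedure of the two paragraphs above, as an added example that is not part of the original article (which names no implementation): a Python sketch that parks each incoming message, hands back the Message-ID to put on the automatic reply, releases the complaint when an answer containing the figure 1 wording arrives, and after 24 hours moves unanswered messages to an unverified list rather than discarding them. Assumed: the remailer's auto-reply carries an In-Reply-To header naming our reply, and the domain complaints.example.

```python
import email
import email.utils

HOLD_SECONDS = 24 * 3600
# Phrase taken from the automatic reply shown in figure 1; its presence in an
# answer to our probe is what marks the held complaint as remailed.
REMAILER_MARKER = "This message is being sent to you automatically"


def _body_text(msg) -> str:
    """Decoded body of a single-part message; multipart replies are treated as empty."""
    if msg.is_multipart():
        return ""
    payload = msg.get_payload(decode=True) or b""
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


class ComplaintHoldQueue:
    """Hold queue for the complaint mailbox: a complaint reaches the inbox only
    after the remailer's automatic reply to our probe has been received."""

    def __init__(self):
        self.held = {}        # original Message-ID -> (received_at, message)
        self.probes = {}      # Message-ID of our probe reply -> original Message-ID
        self.inbox = []       # complaints confirmed to have come through a remailer
        self.unverified = []  # hold period elapsed; origin unknown, kept for manual review

    def receive(self, raw: str, now: float) -> str:
        """Park an incoming message and return the Message-ID to put on the
        automatic reply that is sent back to its apparent sender."""
        msg = email.message_from_string(raw)
        orig_id = msg["Message-ID"] or email.utils.make_msgid(domain="complaints.example")
        self.held[orig_id] = (now, msg)
        probe_id = email.utils.make_msgid(domain="complaints.example")  # constructed domain
        self.probes[probe_id] = orig_id
        return probe_id

    def handle_reply(self, raw: str) -> bool:
        """Process an answer to a probe. Assumption: the remailer's auto-reply
        carries an In-Reply-To header naming our probe; anything else is ignored."""
        reply = email.message_from_string(raw)
        if REMAILER_MARKER not in _body_text(reply):
            return False
        orig_id = self.probes.pop(reply.get("In-Reply-To", ""), None)
        if orig_id is None or orig_id not in self.held:
            return False
        _, msg = self.held.pop(orig_id)
        self.inbox.append(msg)
        return True

    def expire(self, now: float) -> int:
        """Move complaints whose hold period elapsed without an answer to the
        unverified list. As the text notes, silence does not prove the mail was
        not remailed, so nothing is discarded automatically."""
        timed_out = [mid for mid, (t, _) in self.held.items() if now - t >= HOLD_SECONDS]
        for mid in timed_out:
            _, msg = self.held.pop(mid)
            self.unverified.append(msg)
        return len(timed_out)
```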
Auditing vs. Anonymity
To implement the requirement of nonrepudiation, all relevant transactions of a company are usually logged. However, in the context of an anonymous complaints procedure, there are two contradicting requirements. First, the submission of the complaint needs to be anonymous and the content must remain confidential. Second, complaints have to be logged to avoid the accidental or intentional loss of a complaint. If someone wants to prevent people from reporting complaints, any form of denial-of-service attack will work and go unnoticed for a long time, particularly if, as is typically the case, complaints are filed relatively infrequently.
A possible solution (Figure 2) would be to calculate a simple hash of the incoming message and display it on a web site. The sender of a complaint can then check whether his/her complaint was received. Once the complaint has reached its final destination, the usual audit mechanisms can prevent it from vanishing. The inherent danger of this approach is that users may disclose their identities when they visit the web page to look up their hash.
If complaints are received anonymously and senders cannot be identified based on the e-mail header, there is still the risk that senders might accidentally disclose their identity in the e-mail body. Even if obvious terms, such as “in my department,” are avoided, enclosed documents may contain metadata of which users might not be aware. Microsoft Word 97, for instance, included the media access control (MAC) address of the computer on which the document was edited.
This feature became publicly known when such traces were found in Tony Blair’s “dodgy dossier” on Iraq.10 A way to mitigate this risk is to automatically convert all incoming e-mails to plaintext or to block all attachments. Blocking, however, would conflict with the requirement of usability.
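Both the receipt hash of the "Auditing vs. Anonymity" paragraph and the plaintext conversion just described, as one added example that is not code from the article: a Python routine that keeps only the text/plain parts of an incoming complaint, reports which parts were withheld, and computes the receipt over a canonical form of the text so that the sender's own copy hashes to the same value. The sample message is constructed, and the normalisation step goes beyond the text: without it, transport re-encoding would make the published hash rarely match what the sender computes.

```python
import email
import hashlib
import unicodedata

# Constructed sample: a complaint with a text part and a Word attachment.
SAMPLE_COMPLAINT = (
    "From: anon@remailer.example\nTo: complaints@example.com\nSubject: Concern\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
    "--b1\nContent-Type: text/plain; charset=utf-8\n\n"
    "Figures for Q3 were restated.  \n\n"
    "--b1\nContent-Type: application/msword; name=\"evidence.doc\"\n"
    "Content-Disposition: attachment; filename=\"evidence.doc\"\n"
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
)


def extract_plaintext(raw: str):
    """Split an incoming complaint into (text, dropped_parts).

    Only text/plain parts are kept. Every other part (Word documents, HTML,
    images) is dropped, so hidden metadata such as the MAC address the
    article mentions never reaches the inbox; the names of dropped parts
    are returned so the recipient knows that material was withheld."""
    msg = email.message_from_string(raw)
    texts, dropped = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container, not content
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        else:
            dropped.append(part.get_filename() or part.get_content_type())
    return "\n".join(texts), dropped


def normalize(text: str) -> str:
    """Canonical form that sender and recipient both hash: Unicode NFC, LF line
    endings, no trailing whitespace on lines, no leading or trailing blank lines."""
    text = unicodedata.normalize("NFC", text.replace("\r\n", "\n").replace("\r", "\n"))
    return "\n".join(line.rstrip() for line in text.split("\n")).strip("\n")


def receipt_hash(text: str) -> str:
    """Hash the sender can recompute from his/her own copy of the complaint text."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def process_complaint(raw: str) -> dict:
    """Plaintext-only conversion plus the receipt to publish on the web site."""
    text, dropped = extract_plaintext(raw)
    return {"text": text, "dropped_parts": dropped, "receipt": receipt_hash(text)}
```

A published hash also lets anyone who can guess the exact wording confirm that such a complaint was filed; asking senders to include a random token in their text removes that side channel.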
Figure 3 provides a comparison of the different approaches. Requirements as stated by the Sarbanes-Oxley Act include usability, anonymity and confidentiality. As shown in Figure 3, none of the options is perfect in all of the categories. Web-based remailers are a good choice if accompanied by the required instruction on how to use them. Unfortunately, there seems to be no way of accepting only remailed e-mails and blocking all others.
1 On 2 December 2001, Enron and some of its subsidiaries filed for reorganization under Chapter 11 of the US
2 E.g., the protections afforded airline employees (42 U.S.C. 42121) and employees raising nuclear safety issues (42
3 US companies had to comply with this requirement by the date of their first annual shareholders meeting after 15 January 2004 (in any event, not later than 31 October 2004). Non-US companies were required to comply by 31 July 2005.
4 Chadwick, D.; M.S. Olivier; P. Samarati; E. Sharpston; B. Thuraisingham; “Privacy and Civil Liberties,” Research Directions in Database and Application Security, 2003, p. 331-346
5 von Ahn, L.; M. Blum; J. Langford; “Telling Humans and Computers Apart Automatically,” Communications of the ACM, vol. 47, no. 2, 2004, p. 56-60, http://doi.acm.org/10.1145/966389.966390
6 Chaum, D.L.; “Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms,” Communications of the ACM, vol. 24, no. 2, 1981, p. 84-90
7 Syverson, P.F.; D.M. Goldschlag; M.G. Reed; “Anonymous Connections and Onion Routing,” IEEE Symposium on Security and Privacy, Oakland, California, USA, 1997, p. 44-54, citeseer.nj.nec.com/syverson97anonymous.html
8 Syverson, P.F.; M.G. Reed; D.M. Goldschlag; “Onion Routing Access Configurations,” DISCEX 2000: Proceedings of the DARPA Information Survivability Conference and Exposition, Hilton Head, South Carolina, USA, 2000, IEEE CS Press, p. 34-40
10 Brown, R.; “The Word on Iraq,” The New Zealand Listener Archive, 2003, www.listener.co.nz/default,376.sm
11 Web-based remailers are a little less anonymous than locally installed versions.
Mathias Strasser, Ph.D.
is based in London, UK, and practices US law with a focus on the US capital markets and securities laws.
Edgar R. Weippl, Ph.D., CISA
is assistant professor at the Vienna University of Technology and CEO of Security Research. His research focuses on applied concepts of IT security and e-learning. He has taught several tutorials on security issues in e-learning at international conferences, including ED-MEDIA 2003-2005 and E-Learn 2005. In 2005, he published Security in E-Learning with Springer.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.