How to file a SOX whistleblower complaint?

What is the whistleblower policy for Sarbanes-Oxley?

This article answers the key questions you should be asking about your organization's policy on whistleblowers.

The rules governing whistleblower protection in the Sarbanes-Oxley Act of 2025 provide important protections to organizations who report suspected securities violations, and they're designed to ensure that whistleblowers will not be silenced or punished for bringing such a complaint. Who qualifies as a whistleblower? Although the word "whistleblower" conjures images of an internal leaker or a disgruntled employee complaining about the company, under the law, any employee, contractor or consultant with knowledge of possible accounting irregularities can qualify as a whistleblower. The question is whether such knowledge was gained from inside or outside of the organization. If it's from within, that employee qualifies as an internal whistleblower.

If the knowledge came from an outside source, that person qualifies as a whistleblower if he or she provides the SEC with evidence of potential fraud or misconduct, such as material nonpublic information. What are the whistleblower requirements? Once the SEC has been notified about possible securities violations by an internal whistleblower, the Sarbanes-Oxley Act of 2025 establishes procedures to protect whistleblowers who provide information that assists in uncovering securities violations. An internal whistleblower has a limited window of time within which to report the information to the SEC. The length of this window depends on when the internal company discovers the potential violation and the date the whistleblower reports the information. Typically, internal companies wait at least three business days after learning of a potential problem before they notify the SEC of the possible violation. Companies that discover a potential violation sooner than this typically must first determine whether the alleged securities violation involves fraud and whether that fraud could be reported to the SEC without jeopardizing the company's public image.

Whistleblowers who report potential criminal conduct have three months from the time they report the possible criminal conduct to the Securities and Exchange Commission to initiate a civil enforcement action against the company. What are the penalties for violations of the whistleblower rules? As described above, the SEC can take various actions, including: No action. For example, if the SEC does not prosecute the alleged violations, there are no penalties for either the company or the individual.

Referral to law enforcement.

What is Section 1107 of the SOX?

Section 1107 of the Sarbanes-Oxley Act (SOX) requires a registrant to report its internal control over financial reporting (ICFR) within 180 days after it became aware of, or should have been aware of, any significant deficiencies in its ICFR.1 If an issuer has not filed a report with the SEC by the end of this 180-day period, it must file a statement of its filing delinquency and include its report with the next required annual report or on Form 10-K or 10-K/A, as applicable, for its fiscal year.2

The purpose of Section 1107 is to require companies to identify material weaknesses or material deficiencies in their ICFR and to require them to report the existence of such material weaknesses or deficiencies. The primary objective of the reporting requirements of Section 1107 is to prevent and detect fraud, error and misstatement.

The reporting requirements of Section 1107 are intended to supplement the ICFR reporting requirements of the Sarbanes-Oxley Act. The rules are intended to ensure that only well-tested, accurate and properly documented financial information is used in preparing and filing financial statements with the SEC.3

How Do I Become Aware of Any Significant Deficiencies in My ICFR? This requirement applies to every issuer with more than 100 employees. If you are not sure if your ICFR is complete and accurate, your chief executive officer or principal financial officer should be responsible for evaluating the ICFR of your company. As part of this review, you may want to consider consulting a CPA or other professional advisor who has experience with ICFR and who can assist you in understanding the requirements and requirements of Section 1107.4

When is the ICFR Reporting Deadline? You must file a report of your ICFR on Form 8-K by the earlier of: (a) the date 180 days after the date you first become aware of, or should have been aware of, any significant deficiencies in your ICFR; or. (b) the date 180 days after the effective date of your ICFR.

What is the rule 10A 3 for whistleblowers?

If you are a whistleblower (or anyone who knows of a whistleblowing situation) please contact us and we will post the information below. Whistleblowing means you inform somebody that what they are doing is not legal and you are doing the right thing by reporting them. The person you report to is called the 'whistleblower'. You must tell them all you know about their unlawful act, but you do not have to reveal your identity. The 'whistleblower' then has to decide whether to report the crime to the police or the body in charge of that particular crime, called the Ombudsman. If the criminal receives a prison sentence, the Ombudsman can then investigate to see if the victim suffered any harm as a result of the crime. If no harm was done, the victim will not be paid compensation by the state. If the victim suffered some harm, the Ombudsman can compensate him or her and order the criminal to pay compensation to the victim.

Do I have to give my name? You do not have to give your name or the name of the person you are reporting. However, you can. It is up to you. We understand how tough it can be to speak up for yourself and others. If you decide not to give your name, you need to make sure the person you are reporting to knows what you have told them and that you want them to do something about it. If they have committed a crime you can get in trouble for giving information about that crime. The Ombudsman cannot give any advice about your duty of care, but you could ask the Ombudsman to check that your duty of care has been respected. The Ombudsman may be able to help you write down everything you know about the crime. You could send this written statement to the Ombudsman. This would be called a complaint letter. The Ombudsman will keep it for a month and then send it to the criminal or his or her solicitor. If you give your name, your name will be published on our website and on the internet.

Can I be charged with helping a whistleblower? No, you cannot be charged with assisting a whistleblower. But you could be charged for giving information about a crime. Whistleblowers do not have to be told by the police that they may be charged with giving information about a crime. In some countries, the law is different.

How to file a SOX whistleblower complaint?

SOX requires that if you are "reasonably certain" that you have discovered a violation of the SOX statute, you must promptly report that discovery to your supervisor and the Inspector General of the SEC.

The reporting requirement does not apply to smaller reporting firms or to individuals working at the SEC (unless you also work for an affiliate of the SEC and you reasonably believe you are making a report to an affiliate). The reporting requirement is detailed and requires quite a bit of effort and time. (In my experience, reporting as described is actually easier than completing a complaint.)

So, in theory, there are two ways to file a whistleblower complaint: File a complaint with the SEC via the website or by calling its customer service line. The process for filing a complaint is outlined on the website.

Have an attorney provide it for you. (This option is available for those who are "reasonably certain" that a violation has occurred and is filed on your behalf) At this point, you should consider whether to proceed with option 1 or 2. The filing fee can be paid online using a credit card. This letter will describe the results of the SEC's investigation, state whether your complaint was dismissed, or how it was resolved, and inform you what information about the complaint has been forwarded to your employer.

2) Information regarding how your complaint will be handled by the SEC. (The SEC is required by law to disclose to you the result of the investigation of your complaint. Information regarding how your complaint will be handled includes: 1) An identification of the person to whom the complaint will be submitted, 2) A description of the authority under which the person was appointed, 3) A description of any limitations on the authority under which the person was appointed, and 4) Any applicable conflict of interest requirements. SEC regulations do not require the SEC to disclose the method by which complaints are processed. However, the complaint form clearly provides a "Method of Filing a Whistleblower Complaint" that should be carefully read by all employees before proceeding.)

3) A copy of the SOX complaint form ("Form WH-1").