I continue my blog post series on the Holder Report (Report) to the Board of Directors of Uber Technology, Inc. (Uber) where the Board asked Holder’s law firm, Covington & Burling LLP (Covington), to evaluate three issues: (1) Uber’s workplace environment as it related to the allegations of discrimination, harassment, and retaliation; (2) whether the company’s policies and practices were sufficient to prevent and properly address discrimination, harassment, and retaliation in the workplace; and (3) what steps the company could take to ensure that its commitment to a diverse and inclusive workplace was reflected not only in the company’s policies but made real in the experiences of each of Uber’s employees.

As usual, once I start considering a subject I get carried away in writing about it so what I thought would be a two-part series has morphed into something longer. Where it will end, I am not sure. Yesterday, I considered the corporate governance suggestions, Board Ethics committee proposal and the recommendations to tie some portion of executive compensation to ethics and compliance. Today, I want to look at the internal controls aspect of the Report.

According to the International Federation of Accountants, “Proper risk management and internal control help organizations understand the risks they are exposed to, put controls in place to counter threats, and effectively pursue their objectives. They are therefore an important aspect of an organization’s governance, management, and operations.” Internal controls not only help companies recognize the risk they face but also work to protect against that risk. The Report listed several different areas of risk at Uber where internal controls could help in both areas.

At the Board

The Report noted the Uber Board “should take steps to enhance the size, role, and independence of the Audit Committee,” believing the Audit Committee could be enhanced through expansion to include more independent directors and a clear articulation of the oversight role that the Audit Committee is intended to play. One of the key “potential roles that the Audit Committee could play is to have a direct reporting line from Uber’s Compliance organization, an appointed ombudsman, and/or Uber’s internal auditor.” Most interestingly, the reason for “this structure would be to ensure that the person(s) playing those roles will have the ability to bring significant compliance or harassment issues to the attention of the Audit Committee without having to go through management or the CEO.” It ended with the notation that the Audit Committee should be empowered to oversee the final resolution, including commissioning a full investigation, if warranted.

This paragraph is fairly remarkable when you consider this final recommendation, basically that employees must be protected from senior management, up to and including the Chief Executive Officer (CEO). It also specifies reporting lines from compliance and internal audit up to the Board. While you might not recognize reporting lines as an internal control, such are clearly contemplated in the COSO 2013 Internal Control Framework Update. Under the first objective, Control Environment; Principle 3 – Structures, reporting lines, authority and responsibility, a company must consider all of the structures throughout an organization and then move to define the appropriate roles of compliance responsibility. This Principle also requires establishment of the appropriate authority within the compliance function. Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

Policies and Procedures

As dull and mundane as policies and procedures may seem, in reality, they form the backbone of a culture of compliance. The Report makes clear “Uber should take steps to enhance its internal controls with respect to policy compliance.” Given yesterday’s notation of illegal drug use and excessive alcohol consumption during working hours, it is probably no surprise that the company had similar problems during company-sponsored travel. The Report stated, “In particular, Uber should review its policies and procedures with respect to travel and expense reimbursements and enhance such policies to ensure that items that are inconsistent with Uber policies and procedures are not reimbursable and not reimbursed, and that proper controls are put in place to ensure compliance.” Rather amazingly, the level of control detail went down “into the weeds” to expense reimbursement, stating “these procedures should require that Uber personnel at every level of the organization submit receipts as a condition to receiving reimbursement.” One might reasonably wonder how any auditor would approve reimbursement of business expenses where receipts were not provided.

Finally, the Report recommended training, stating “Uber should provide training to senior management and other employees regarding these new policies and procedures.” Training and communications more generally are always listed as a component in any best practices compliance program. Yet here it is listed as an internal control. The effect is not only to put employees on notice of the enhancements but also to set the standard which must be followed.

HR Internal Controls

One thing the past year of Foreign Corrupt Practices Act (FCPA) enforcement actions has taught the compliance profession is the need for internal controls around the Human Resources (HR) function. The JPMorgan Chase and Qualcomm FCPA enforcement actions were replete with non-existent HR internal controls, failures of HR internal controls and override of HR internal controls by non-HR executives. While the Report did have some recommendations around hiring controls, it focused on keeping track of the employment agreements the company had with its employees, stating “All settlement and separation agreements with employees should be logged and tracked to ensure proper record-keeping, compliance with the agreements, and consistency in terms.”

The Report was even more damning around the company’s HR function in its core function of preventing discrimination and harassment. It was clear from the blog post by Susan Fowler back in February, which led to the retention of Covington, that the Uber HR function acted as a department to protect those alleged to have engaged in discrimination and harassment. So the Report posited better tracking not only of complaints but also of personnel records and employee data. One can only imagine what type of slipshod HR function existed at Uber where the company must be told to keep better track of personnel records. The Report had the following (almost chilling) recommendation that “Uber should also emphasize the importance of record-keeping to all Human Resources staff, and impose consequences for failure to adhere to record-keeping requirements.”

How bad was the environment for discrimination and harassment? This section of the Report gives a hint when it noted HR internal controls should “easily identify whether prior complaints have been lodged to ensure that appropriate action is taken with respect to repeat offenders. Likewise, organizations or managers give rise to multiple complaints such that intervention with the manager is needed.”

The lack of and failure around internal controls at Uber tells quite a sordid tale. Yet the Report makes clear the importance of internal controls in turning things around for the company. For the compliance practitioner, the Report is a useful way to consider the internal control regime in your company and how it can work to operationalize compliance in your business.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017