For every general counsel or public company audit committee member, much of the response to allegations of corporate wrongdoing is familiar: preserve evidence, consider whether to retain outside counsel, inform necessary constituencies inside the company, and scope out the investigation. One disclosure that might be required is to the company’s outside auditor, and this disclosure may lead to a frequently overlooked consideration of the internal investigation: What does the outside auditor need to accept the results of the investigation? In many cases, the inquiries of the outside auditor may appear to constitute unnecessary second-guessing and a revisiting of issues and work, including expensive and time-consuming electronic discovery, that already were deemed resolved.
From the perspective of the outside auditor, however, the depth of some of its inquiries is essential, and, unless satisfied, the auditor will not sign off on the company’s financials. Consequently, the company—ordinarily through its outside counsel—must anticipate and address the auditor’s concerns from the outset and understand how to successfully push back on the auditor’s requests.
Understanding the Auditor’s Obligation: GAAS and Section 10A
Auditors’ obligations with respect to possible illegal acts are dictated by both Generally Accepted Auditing Standards (GAAS) and Section 10A of the Securities Exchange Act of 1934 (Section 10A), 15 U.S.C. § 78j–1, which was enacted in 1995 as part of the Private Securities Litigation Reform Act. Where an auditor becomes aware that an illegal act has or may have occurred at a client, Section 10A requires the auditor to determine the likelihood that an illegal act has in fact occurred, and assess the potential impact of the act on the client’s financial statements. Section 10A’s application is expansive. It defines “illegal act” broadly as “an act or omission that violates any law, or any rule or regulation having the force of law.” Section 10A’s requirements also are triggered regardless of the materiality of the possible illegal act. Section 10A imposes reporting requirements on the auditor—specifically, to inform management of the possible illegal act and to ensure that the audit committee and/or board of directors are “adequately informed” of it. These reporting requirements are triggered unless the act is “clearly inconsequential.”
To assess the impact of a possible illegal act, the auditor must consider both the quantitative and qualitative materiality of the act under the Auditing Standard 2405 Illegal Acts by Clients ¶¶ 12–16, 19–20 (AS 2405) and the SEC Staff Accounting Bulletin No. 99—Materiality. The auditor must evaluate the impact of the illegal act on certain amounts presented in the financial statements, such as loss contingencies, and consider the adequacy of disclosures related to the illegal act. Apart from financial statement impact, the auditor must determine whether the illegal act impacts the audit itself by impairing the reliability of representations made by management. This requirement is critical in investigations where the members of management making representations to the auditor are in any way implicated in the possible illegal act. For this reason, auditors usually expect that outside counsel, and not members of the company’s office of the general counsel, will conduct the investigation because in-house counsel may have pre-existing relationships with members of management under investigation, or knowledge of the facts at issue, that could call their objectivity into question. Similarly, auditors routinely inquire of outside counsel the extent and nature of prior engagements to assess whether outside counsel is sufficiently independent.
The auditor’s ability to fulfill these obligations ultimately impacts its ability to issue an unqualified opinion. If the auditor concludes that it has not received sufficient evidence to evaluate the materiality of an illegal act’s impact on the financial statements, the auditor can disclaim an opinion on the financial statements. In certain circumstances, such a disclaimer could result in the auditor’s withdrawal from the engagement.
In addition to assessing the impact of an illegal act on the financial statements and audit under AS 2405, Section 10A also requires the auditor to assess management’s response to the illegal act. If the auditor concludes that appropriate remedial action has not been taken to address an illegal act materially impacting the financial statements, and the auditor issues a nonstandard opinion or withdraws as a result thereof, the auditor must report those conclusions to the client’s board of directors. The client’s board of directors then has one business day to report the auditor’s findings to the SEC.
In sum, the auditor ultimately has four obligations with respect to possible illegal acts:
- determine whether an illegal act occurred;
- understand the quantitative and qualitative impact of the illegal act on the client’s financial statements and on the audit itself;
- determine whether management has taken sufficient remedial action to address the illegal act; and
- make required reporting to the client’s management, board of directors, and audit committee.
The procedures performed by the auditor in response to the detection of a possible illegal act should be geared toward fulfilling these obligations.
Understanding the Lawyer’s Obligation: Privilege in Internal Investigations
Given the auditor’s obligations under GAAS and Section 10A, it is unquestionably in the auditor’s best interest to seek as much information as possible when conducting procedures in response to a potential illegal act. It is axiomatic that the more information and evidence the auditor has, the more informed the auditor believes its ultimate conclusions will be. However, the auditor’s interest in information is at odds with counsel’s obligations to protect the client from overreaching inquiries and to preserve the attorney-client privilege.
Both the attorney-client privilege and work-product doctrine apply in the context of internal investigations. The attorney-client privilege, which protects confidential communications between attorney and client for the purpose of securing legal advice, undoubtedly applies to internal investigations. Upjohn Co. v. United States, 449 U.S. 383, 389, 396–97 (1981). Under Upjohn, this privilege protects disclosure of communications, not disclosure of the facts underlying them. It is also subject to waiver, and external auditors are not privileged parties under federal law. See, e.g., Couch v. United States, 409 U.S. 322, 335–36 (1973). Disclosure of attorney-client privileged communications to auditors constitutes a subject matter privilege waiver. See e.g., Chevron Corp. v. Pennzoil Co., 974 F.2d 1156, 1162 (9th Cir. 1992); In re John Doe Corp., 675 F.2d 482, 488–89 (2d Cir. 1982). Essential to this analysis is whom the attorney represents. In virtually all cases, counsel should inform witnesses that the client is the company, board of directors, or the board committee, not the witness, and that no privilege attaches to the information the witness provides. Accordingly, the focus of counsel’s concerns relating to privilege will be on communications with the client—the company, board, or board committee—and counsel’s mental impressions, as opposed to the factual information witnesses provide.
The work-product doctrine protects materials prepared by an attorney in anticipation of litigation under Fed. R. Civ. P. 26(b)(3). The work-product privilege generally is understood to apply in the internal investigation context, although case law addressing this question is not uniform. See e.g., In re Grand Jury Investigation, 599 F.2d 1224, 1229 (3d Cir. 1979). Unlike the attorney-client privilege, most courts have held that work-product privilege is not waived by disclosure to auditors. See e.g., United States v. Deloitte, 610 F.3d 129, 139 (D.C. Cir. 2010); Merrill Lynch & Co, Inc. v. Allegheny Energy, Inc., 229 F.R.D. 441, 445–49 (S.D.N.Y. 2004). However, disclosure should be avoided whenever possible because some courts have held that disclosure of work product to an auditor waives work-product privilege. See e.g., United States v. Hatfield, No. 06-CR-0550 (JS), 2010 WL 183522, at *3 (E.D.N.Y. Jan. 8, 2010).
Mutual Understanding and Informed Communication
On their face, the obligations of attorneys and auditors appear incompatible. Auditors require sufficient information to satisfy their obligations under GAAS and Section 10A, whereas counsel must satisfy their own obligation to preserve privilege. The key to striking the appropriate balance between these competing interests is informed communication. To achieve informed communication, each party must consider the legal obligations driving the other, and the parties must communicate early and often. This section provides some practical tips for maintaining informed communication throughout the various stages of an investigation.
Planning and Scope
Counsel should involve the client’s auditor from the beginning of the investigation. Consulting with the auditor at the outset sets the tone for the relationship between the parties throughout the investigation. The initial meeting should cover the scope of the investigation, including all planned procedures. When designing those procedures, counsel should consider the auditor’s obligations—namely, to understand the nature and potential impact of the illegal act. This is particularly the case with electronic data review and evidence preservation. Counsel should anticipate that the company’s outside auditors will apply rigorous review to whether and how electronic data is captured and processed, and which search terms are applied against that data. Audit firms, particularly large ones, often have their own forensic groups that are well versed in document preservation, collection, and review. It is not uncommon for the outside auditors to suggest additional procedures or search terms. On the other hand, mindful of the limited nature of the auditor’s review, counsel reasonably can resist expanding the scope of data and document review where the auditor’s suggestions are overbroad.
Engaging with the auditor at the planning stage also has the practical benefit of achieving consensus among the parties before any real work begins. This consensus diminishes the possibility that the attorney will have to perform additional, unplanned procedures later in the investigation.
Executing Planned Procedures
Virtually every investigation will involve document review and witness interviews. To be comfortable with counsel’s document review, the auditor must understand the completeness of the data reviewed and the effectiveness of the review procedures performed. Counsel should be prepared to discuss the technical details of the review with the auditor; auditors frequently test the rates at which search terms generate “hits.” Auditors also occasionally sample documents deemed to be nonresponsive to test the thoroughness of the review. Accordingly, counsel should anticipate these procedures by installing robust quality control over the document review both in order to improve the accuracy of the review and to add to its defensibility when dealing with the auditors.
Counsel should also bear the auditor’s obligations in mind when planning witness interviews. Specifically, counsel should consider the auditor’s need to assess the continued reliability of management assertions when determining which witnesses to interview and what questions to ask during an interview. After the interviews occur, auditors routinely request summaries of key interviews (not including counsel’s mental impressions or other privileged aspects of the interviews) and inquire about the questions asked and responses provided. Depending upon the nature of the investigation, counsel might consider whether to consult with the auditor prior to a witness interview to review whether the auditor (or more likely the auditor’s national office or office of the general counsel) is looking for responses to specific questions. Doing so may avoid duplicative work, such as reinterviewing witnesses to cover additional topics.
Communicating Results
The conclusion of the investigation presents the greatest risk to counsel in terms of waiver of privilege. Auditors frequently request complete access to written reports prepared by counsel, but regularly will accept less than the complete report presented to the client. As a result, counsel should take care in drafting the report (if one is drafted at all), particularly with respect to whether to state conclusions or recommendations in the text of any report, and should consider alternative methods to communicate the substance of the report, including through tailored presentations. Regardless of how the facts learned through the investigation are presented, counsel should expect to engage with the auditor with follow-up to that presentation. Here, in particular, the scope of the auditor’s review is critical. Although the auditor’s curiosity may, at times, seem limitless, the scope of information it actually needs to satisfy its obligations is narrow. This, therefore, is an area where the company readily can explore what information the auditor truly needs to satisfy its inquiry.
In sum, the tension between an investigating attorney and auditor can be alleviated through regular, informed communication throughout an investigation. Understanding the legal obligations of the other party is essential to achieve this result. Accordingly, attorneys conducting internal investigations should consider the obligations of the auditor when planning and executing investigation procedures. At the same time, attorneys should remember that the auditor’s obligations are not boundless, and should use their understanding of the limits of the auditor’s obligations to push back on auditor requests where necessary. Attorneys also should ensure that the auditor understands and considers counsel’s obligation to preserve privilege when requesting information or communications from counsel. Although the interests of auditors and attorneys in an internal investigation may never perfectly align, informed communication can help point them in a similar direction.
