Back in the summer of 2005, I joined the team that audits PwC the Firm, itself. I was thrilled. Although I was giving up being on my own and spending most of my time on Mexico and South America, I was joining what I thought at the time was a world-class firm, I had been told I was on the partner track, and I was going to be privileged to see the firm from the inside out. For someone like me, interested in how the business side of the firms work, it was going to be a dream job.
Unfortunately, as I have mentioned before, what we were able to do during my tenure was much less than I had expected, partially due to the fact that the team was fairly new in its latest incarnation and so had not yet gotten itself organized the way a world class internal audit function at one of our clients would have been set up. The other challenge was the firm itself, its management structure, management style and the expectations of the senior partners for this team. My expectations and the reality of what we were going to be able to do and how we were going to have to do it were way out of synch.
Post-Enron, the audit firms are all very litigation conscious. Although they may publicly tout openness, transparency and accountability, as if they were a public company like their clients, they instead wallow in secrecy, revert to pettiness and hide behind their lawyers more often than not, especially when addressing their own internal failings.
Many of their clients are also hugely litigation conscious. That extreme aversion to potential litigation is having an impact on the development of their internal audit functions. Many public companies still have not clearly and strongly defined the position of the internal audit function in the organizational hierarchy and the realistic range of responsibilities and involvement of this function in issues such as investigations, risk management, litigation, C-level executive compensation and external financial reporting. Many companies now have Chief Risk Officers, Chief Compliance Officers, newly empowered General Counsels, and Chief Financial Officers that still see the head of Internal Audit as a second or third class citizen, reporting “administratively” to the CFO, with direct access in name only to the Audit Committee. Many Audit Committee Chairs still can’t be bothered to meet with the Chief Audit Executive separately and more often than absolutely necessary.
As such, activities such as an Enterprise Risk Assessment, with the purpose either directly or via risk self-assessment questionnaires, of documenting the organization’s risks and vulnerabilities across all aspects of the business, are being conducted under the auspices of the Law Department.
The reason is privilege.
At PwC, I ran into this and was flummoxed. I was planning an audit of a particularly interesting firm activity and the management team for the activity was resistant to spend time or answer more questions. They had already undergone an extensive interview process conducted by members of the firm’s Risk Management team earlier in the year. The process had been conducted at the behest and under the direction of the firm’s Law Department.
Based on my own independent research, I surmised that the review was conducted in this way to maintain attorney-client privilege over the results and disclosures made by the management teams across the firm. The theory would be that such a firm is always under the threat of litigation so this activity and its results were obtained under the threat of one lawsuit or another, considered work-product and, therefore, privileged.
I never found out the official theory, because I was told to live without this report. I had to duplicate the interview effort, a process which was both time consuming and frustrating for all involved.
I was reminded of this legal strategy, one I felt was a bit of a stretch at the time, when I saw the New York Times article today about the growing conflict between external auditors and their clients with regard to confidential information generated often as the result of internal investigations or impending litigation.
…Companies are increasingly concerned that (external) auditors could be required to turn over confidential records to outsiders, exposing corporations and executives to lawsuits from shareholders or whistle-blowers and unwanted scrutiny by regulators.
…the post-Enron standards also force companies to do more to prevent fraud, by examining confidential areas like pending litigation, internal investigations, tax reserves and tax shelters, stock option plans and exposure to environmental liabilities.
To comply, corporate lawyers have been generating large amounts of confidential documents on issues that could affect a company’s bottom line. Those company lawyers want to keep the information from becoming ammunition in lawsuits — but not at the risk of withholding it and losing an auditor’s seal of approval, a red flag to shareholders and regulators.
“The number of internal investigations conducted in response to whistle-blower allegations and other matters has increased substantially in recent years,” said Thomas Riesenberg, Ernst & Young’s general counsel. And with that, he said, has come a greater need for requesting materials in an audit that could be considered confidential.
Well-established rules that are a bedrock of the American legal system protect the confidentiality of communications between lawyers and clients, a concept known as attorney-client privilege. The rules also protect from disclosure a lawyer’s written impressions, conclusions, opinions and research, known as work-product privilege.
The trend of auditors looking further behind the corporate curtain is a major shift from the “don’t ask, don’t tell” mentality of the years before Enron, when they typically signed off on financial statements without asking to see confidential documents…
Lawyers typically say that such legal opinions are confidential. Legal rules dictate that if confidential documents are shown to any outside party, including to auditors, they are no longer confidential and are thus fair game in proceedings like lawsuits.
This is just another good reason why your external auditor should not be involved in any special investigations as an investigator rather than a monitor or an entity that gets a copy of the final report. In addition to the fact that then they know everything in detail from the beginning, they may have also been part of the original problematic behavior or condoned it.
There are so many other reasons that the standard audit report and internal control report prepared by a public accounting firm is now essentially worthless. If auditors are also now considered outside the circle of privilege, then what they are told, if anything, about confidential company activities will be worth even less.