• Risk and Reward: Avoiding Pitfalls When Conducting Compliance Audits
  • March 8, 2005 | Authors: Stephen G. Schrey; Jeffrey M. Tanenbaum; Tamara M. Rudolph
  • Law Firm: Nixon Peabody LLP - San Francisco Office
  • I. Overview: Survival of the "Most Compliant"?

    Considering the thousands of laws and regulations that apply to every business, the importance of engaging in voluntary, preventive self-analytical compliance audits cannot be overstated. Such audits are one of the most valuable compliance tools available to every organization. Without conducting such reviews, it is often difficult, if not impossible, to determine whether the organization has all required policies and procedures in place -- and whether these policies and procedures are being followed in actual practice. And, drawing on lessons learned from the cautionary tales arising out of tarnished or fallen corporate giants such as Enron, WorldCom, Tyco, and Arthur Andersen, it is much more common today for companies to engage in proactive audits of compliance policies and practices to minimize exposure to both criminal and civil liability when those practices may be suspected of falling below standards set by state and/or federal law. This is especially true for new and more onerous laws imposed upon the business community with which management may not be fully familiar.

    As just one example, in the past, employers sometimes engaged in "self-audits" of employment practices to ensure that those practices comply with applicable law. Conducting such audits is now far more important to help minimize exposure to liability under California 's new "bounty hunter" law, which allows employees to sue employers for civil penalties arising from just about any California Labor Code violation, no matter how obscure, which is not cited by a governmental agency.1 The importance of conducting compliance audits to protect an organization's interests cannot be overstated since the aphorism that "knowledge is power" has never been truer in managing corporate regulatory compliance than today. However, there are also significant risks inherent in conducting such audits. This article discusses some of the common pitfalls encountered when conducting internal audits, and offers suggestions as to how to best utilize and conduct voluntary compliance audits so as to maximize the benefits and minimize the risks.

    II. The Risks Inherent In Conducting Voluntary Compliance Audits

    Any organization can, of course, face liability as a result of having noncompliant policies and procedures -- or for the actions of its agents in failing to follow legal requirements. Thus, every organization must stay abreast of both its stated policies and its employees' actual practices. Conducting an internal audit helps to accomplish those goals because the auditing entity gathers information within the organization and then advises the appropriate decision-makers of deficiencies noted and potential liability. Though the audit is an invaluable tool aimed at reducing a company's liability, even an organization possessing the most altruistic intentions may find itself in a precarious position should a court later order discovery of audit reports. This may occur for one of two reasons. First, the report may not qualify for protection under the attorney-client privilege, work product doctrine, or the elusive "self-critical analysis" privilege. Second, even if a court finds the audit report qualifies for protection, that protection can be lost by waiver.

    A. Audit Reports and the Attorney-Client Privilege and Work Product Doctrine

    The attorney-client privilege under California law protects confidential communications between an attorney and a client when obtaining legal advice.2 The privilege applies to attorney communications in the corporate context if the communication is for the purpose of securing legal advice for the corporation, relates to matters within the scope of the employees duties, and the corporation treats the communication as confidential.3 However, this privilege does not always protect routine compliance audits.4

    It is also important to note that this privilege does not apply to facts underlying a communication or where communications are used mainly as a management tool.5 Because audit reports assess a corporation's operation, the privilege may not extend to the facts contained in the report. Similarly, where audits are used as a management tool to aid in operation of the corporation, the audit may not be privileged where it is not related to legal advice.

    Likewise, the work product doctrine does not always shield an audit report from discovery. In federal jurisdictions, the doctrine only applies to work prepared "in anticipation of litigation," and this phrase is usually interpreted narrowly.6 Because compliance audits are often performed to shield a corporation from litigation as a preventive measure, they are not always prepared in "anticipation" of litigation. In California, the work product doctrine is broader and absolute, i.e., regardless of an adversary's needs, the doctrine protects "any writing that reflects an attorney's impressions, conclusions, opinions, or legal research or theories" to facilitate an attorney's ability to investigate and prepare cases for trial.7 Even under a broader work product doctrine, however, internal audits may not be protected.8 In any event, as with the attorney-client privilege, even if the work product doctrine applies, it often may not protect the underlying facts from discovery.9

    B. The Limited Availability of the "Self-Critical Analysis" Privilege

    In some jurisdictions, an audit may be afforded confidentiality under a "self-critical analysis" privilege. The privilege protects subjective materials that analyze an entity's policies and practices.10 The common-sense policy consideration behind such protection is that an organization should be encouraged to candidly assess its own practices in order to remedy any deficiencies in compliance with state and federal law.

    Unfortunately, the self-critical analysis privilege has met with only limited acceptance. Various state and federal courts have been reluctant to extend common law privileges absent legislative approval.11 And, of course, California does not recognize the "self-critical analysis" privilege. In Cloud v. Superior Court, the Court of Appeal declined to recognize a common law self-critical analysis privilege, finding that it was powerless to adopt such a privilege absent legislative codification in the Evidence Code.12

    C. Waiver of Protection May Occur Through Voluntary Cooperation With Government Agencies

    Even where an organization takes proper steps to protect an audit report under the attorneyclient privilege or work product doctrine (and/or where the self-critical analysis privilege provides protection), that protection can be unintentionally, or sometimes intentionally, waived.13 For example, a corporation that becomes the target of a government investigation might commence an internal audit to aid in responding to that investigation. The same investigation will often trigger civil litigation by the corporation's shareholders. The corporation is then confronted by the horns of a dilemma: whether to fully cooperate with the government investigation by releasing its internal audit reports, or maintain the confidentiality of such reports and risk being accused of hiding evidence of wrongdoing or of simply "not cooperating" with the government investigation. A corporation's level of cooperation with the government may well affect its chances of avoiding or minimizing criminal liability. However, should the corporation cooperate by submitting its audit reports, the confidentiality of those reports may well be deemed waived for purposes of the civil litigation, thereby worsening the exposure to civil liability.

    In McKesson HBOC, Inc. v. Superior Court, a California Court of Appeal held that a corporation waived its right to attorney-client privilege and work product protection after submitting audit reports to the SEC, despite a confidentiality agreement between the corporation and the government.14 There, both the U.S. Attorneys' Office and the SEC began investigating McKesson after the corporation discovered accounting irregularities that forced it to write off a substantial amount of revenue resulting in a severe drop in stock price. McKesson retained an outside law firm to conduct an internal investigation that consisted of employee interviews and corresponding memoranda as well as written reports. McKesson negotiated a confidentiality agreement with both agencies under which the company would submit its reports provided that the agencies kept the reports confidential, unless, significantly, the agencies determined that disclosure was required by federal law or for submission to the grand jury for criminal proceedings. McKesson later also argued that it also believed it had a "common interest" with the Government in obtaining information related to the accounting irregularities.

    The SEC thereafter notified McKesson that it had terminated its investigation without recommending any enforcement action against it. Not unexpectedly, however, several shareholder class actions resulted from the stock price drop. Plaintiffs in those actions moved to compel McKesson to produce the audit reports it submitted to the government agencies. The trial court ordered production on the basis that the attorney-client privilege and work product protection had been waived by disclosing the reports to third parties. The Court of Appeal affirmed, finding that McKesson voluntarily disclosed the reports to a third party. The court rejected McKesson's argument that it shared a "common interest" with the Government because the Government had no interest in maintaining confidentiality independent of the agreements.

    Notably, the SEC submitted an amicus curiae brief on McKesson's behalf that requested the court to weigh public policy interests and allow protection to encourage targets of government investigations to cooperate with government agencies. Other amici, such as the Securities Industry Association, urged the court to adopt the "selective waiver" theory that would allow a corporation to disclose a privileged communication to the Government while maintaining protection against other parties. The Court of Appeal acknowledged the importance of cooperation with government investigating agencies, but ultimately determined that absent statutory authority, it was powerless to adopt a "selective waiver" theory.

    By obtaining confidentiality agreements with the U.S. Attorneys' Office and the SEC, McKesson may have expected a different result based on suggestions from other courts that a confidentiality agreement with the Government may protect documents from discovery in civil litigation. For example, in In re Steinhardt Partners, L.P., the Second Circuit found work product protection had been waived by disclosure of a memorandum to the SEC but suggested the result may have been different if there had been a confidentiality agreement or a common interest with the government.15 And in Westinghouse Electric Corp. v. Republic of the Philippines, although the Third Circuit found a waiver where a party disclosed documents to the SEC and the Department of Justice, it hinted that confidentiality may have been preserved had the Government and the corporation not been adversaries and the corporation had a reasonable expectation that the Government would have kept the documents confidential.16

    While the McKesson decision may be technically correct in relying on the rules affecting privilege waiver, the California Supreme Court has denied review and thus an opportunity to clarify these rules in this context. California corporations must decide whether to risk added exposure to civil liability by waiving protection to internal audit reports, or perhaps risk criminal liability by refusing to cooperate with a government agency that may assume the corporation is concealing evidence of wrongdoing.

    III. Taking Steps To Preserve the Confidentiality of Audit Reports

    Despite these risks, we return to the fundamental premise that voluntary self-analytical audits are a critically important compliance tool. Thus it behooves any organization to utilize them, but to do so in a way that encourages free and open discussion of problems and solutions, while at the same time minimizing the possibility that the good intentions behind an audit report will be misused against the organization. There are several options available. Clearly, utilizing outside counsel to conduct and prepare audit reports is very important. Consideration should also be given to creating a bifurcated report separating factual findings from legal opinion and analysis of those findings. Lastly, special attention should be paid to language and tone within the report.

    A. Retaining Outside Counsel to Prepare Audits

    Retaining outside counsel to conduct an audit rather than utilizing in-house counsel or non-legal consultants makes it more likely that a court will determine that the corporation's purpose behind creating the report was to specifically secure legal advice. Audits performed by in-house counsel or consultants add a risk that the report will be viewed by a court as a management report prepared in the ordinary course of business, and thus would not qualify for protection.17

    B. Bifurcated Audit Reports

    By creating a bifurcated report that separates factual findings from legal opinion and analysis based on those findings, an organization may be able to ensure confidentiality of at least a large portion of the audit. The report can be separated, for example, into an "eyes only" portion for attorney-client submission to a limited audience that includes upper-level management, and a more general fact-based portion that details what the auditors found in objective terms for submission to a broader audience. By limiting the audience of the attorney-client portion, a court will be more willing to find that confidentiality has not been waived.18 Even if a court orders discovery of the factual findings, it will be reluctant to require an attorney to produce a bifurcated portion of the report containing thoughts, opinions, analysis, and advice related to the factual findings, as such matters are the most guarded form of communication protected by the attorney-client privilege and work product doctrine.

    C. Pay Special Attention to Content and Tone

    An attorney should always prepare an audit report with an eye toward disclosure, i.e., written as though it may be a trial exhibit some day. For example, if the findings of the internal audit are favorable, a well-crafted audit report may become powerful evidence. Where full disclosure is the best defense, the report can be great evidence of the corporation's prompt attention and sincerest intentions. If the findings are less than favorable, a well-crafted report may help display a corporation's desire to immediately rectify deficiencies.

    IV. Conclusion

    Despite the risks of misuse, self-analytical voluntary compliance audits are an invaluable tool. However, steps can be taken to both maximize the benefits and minimize the risks. And under any circumstances, a corporation that finds itself the target of a government investigation will still have to decide whether or not it should cooperate with the investigation or maintain confidentiality where applicable. Given the current state of California law, neither option is appealing where the risk involves either civil or criminal penalties. Nevertheless, the internal audit may still help to minimize exposure to liability.

    1Cal. Lab. Code § 2698 et seq.

    2Cal. Evid. Code § 954

    3Upjohn Co. v. United States,449 U.S. 383, 394-95 (1981); S. Cal. Gas Co. v. Pub. Util. Comm'n, 50 Cal. 3d 31, 38 n.7 (1990) (following federal Upjohn analysis)

    4FTC v. TRW, Inc., 628 F.2d 207, 211-12 (D.C. Cir. 1980) (holding party failed to meet burden of proving attorney-client privilege applied to independent compilation report performed by outside company); but United States v. Cote, 456 F.2d 142, 144 (8th Cir. 1972) (holding that privilege applied to audit prepared by accountant to assist attorney in advising client about whether or not to amend tax return); United States v. Kovel, 296 F.2d 918, 922- 23 (2d Cir. 1961) (holding that attorney-client privilege attached to accountant's report compiled at attorney's request)

    5Upjohn, 449 U.S. at 395; Cote, 456 F.2d at 144-45 (finding that submission of amended tax return waived privilege as to details underlying tax information and work papers used in preparing data)

    6Fed. R. Civ. P. 26(b)(3); United States v. Adlman, 134 F.3d 1194, 1202 (2d Cir. 1998); In re Grand Jury Investigation, 599 F.2d 1224, 1229 (3d Cir. 1979)

    7Cal. Civ. Proc. Code § 2018; Rodriguez v. McDonnell Douglas Corp., 87 Cal. App. 3d 626, 647-48 (1978) (finding that portion of notes containing attorney's comments were absolutely protected from disclosure)

    8Cloud v. Superior Court, 50 Cal. App. 4th 1552 1559-60 (1996) (finding that analysis of affirmative action plan did not qualify for work product protection because it was created with the expectation that it would be revealed to federal authorities)

    9Hickman v. Taylor, 329 U.S. 495, 511 (1947) (the doctrine will not protect "relevant and nonprivileged facts hidden in an attorney's file...")

    10EEOC v. General Tel. Co., 885 F.2d 575, 578-79 (9th Cir. 1989) (holding trial court committed prejudicial error by admitting evidence of employer's equal opportunity when contrary evidence was exempted from discovery); New York Stock Exch. v. Sloan, 22 Fed. R. Serv. 2d (Callaghan) 500, 504 (S.D.N.Y. 1976) (holding employee evaluations prepared by corporate auditor were privileged); Banks v. Lockheed-Georgia Co., 53 F.R.D. 283, 284-85 (N.D. Ga. 1971) (holding employer's evaluation of equal employment opportunities was not discoverable because it was a "candid" self-analysis)

    11See In re Burlington N., Inc., 679 F.2d 762, 767 (8th Cir. 1982) (refusing to apply selfcritical analysis privilege to employer's affirmative action plan); FTC v. TRW, Inc., 628 F.2d 207, 211-12 (D.C. Cir. 1980) (holding self-critical analysis privilege did not apply to documents subpoenaed by government agency); Reynolds Metals Co. v. Rumsfeld, 564 F.2d 663, 667 (4th Cir. 1977), cert. denied, 435 U.S. 995 (1978) (rejecting privilege because reports "not prepared solely for internal use")

    1250 Cal. App. 4th 1552, 1559 (1996)

    13United States v. Cote, 456 F.2d 142, 144-45 (finding that submission of amended tax return waived attorney-client privilege for reports used in preparing tax return)

    14115 Cal. App. 4th 1229 (2004), review denied, 2004 Cal. LEXIS 4902 (June 9, 2004)

    159 F.3d 230, 236 (2d Cir. 1993)

    16951 F.2d 1414, 1431 (3d Cir. 1991)

    17Georgia-Pacific Corp. v. GAF Roofing Mfg. Corp., 1996 U.S. Dist. LEXIS 671, *10 (S.D.N.Y. 1996) ("It is a general rule that 'courts will not recognize the privilege when the attorney is acting...as a business advisor.'"); United States Postal Serv. v. Phelps Dodge Ref. Corp., 852 F. Supp. 156, 160 (E.D.N.Y. 1994) (holding that communication is not privileged if it is made to an in-house attorney who is acting as a business advisor); Western Trails, Inc. v. Camp Coast to Coast, 139 F.R.D. 4, 13 (D.D.C. 1991) ("Assuming that these memoranda were maintained in confidence and were not waived by disclosure, the memoranda do not enjoy protection under the attorney-client privilege or the work product doctrine because they communicate business advice provided in the ordinary course...of business.")

    18Westinghouse Electric Corp. v. Republic of the Philippines, 951 F.2d 1414, 1426 n.7 (3d Cir. 1991) (noting that "[w]hen a party discloses a portion of otherwise privileged materials while withholding the rest, the privilege is waived only as to those communications actually disclosed, unless a partial waiver would be unfair to the party's adversary.")