my previous post, I discussed some potential challenges that can strain relationships between CAEs and their organizations' general counsels. In it, I included five principles that I believe can help guide those relationships.
Two of those — mutual respect and the recognition that each party can agree to disagree when warranted — frame an important aspect of the relationship that sometimes leads to friction between internal audit and legal: If and when should general counsel influence how audit findings are reported?
The IIA recognizes the importance and complexity of the relationship between internal audit and the general counsel's organization in its professional guidance. Practice Advisory 2400-1 from the International Professional Practices Framework (IPPF), encourages internal auditors to consult legal counsel in matters involving legal issues. It notes there are important distinctions and nuances in the legal system that can "protect information and work performed for, or communicated to, an engaged attorney."
This concept, known commonly as attorney-client privilege, applies in some cases to the work internal audit does. Some courts recognize a privilege of critical self-analysis, such as audit work products, but those protections can be narrowly construed depending on the circumstances and the legal jurisdiction.
The Practice Advisory closes with an important distinction:
Documents prepared and delivered to the attorney before the attorney-client relationship is established are not generally protected by the attorney-client privilege.
This limitation might lead some to consider placing all internal audit work under the purview of legal to provide a level of protection. But that in itself can create problems. First, there is the issue of maintaining internal audit independence when the overseer is focused primarily on the organization's reputational and legal risks. Additionally the courts may view such an arrangement as an abuse of the attorney-client privilege. After all, if everything is privileged, then nothing is.
There are better options, as long as both parties realize they have different, yet complementary roles to play in mitigating risks, and both are trying to best protect the organization from negative outcomes.
As I noted before, disagreements between internal audit and the general counsel about what should be reported, and how, should be taken to the audit committee of the board. If disagreement continues, most audit committee charters (especially since the passage of laws such as the U.S. Sarbanes-Oxley Act of 2002) provide for the audit committee to engage its own outside counsel, if it deems it warranted.
But before things ever get to that level, there are steps CAEs can take to avoid creating legal conflicts that do not compromise the independence and integrity of the internal audit function.
Here it is important to point out a significant aspect of legal liability that CAEs should consider when reporting their findings.
Violations of laws obviously expose an organization to potential loss, but a greater liability exists when the organization has knowledge of the problem and fails to act promptly to correct it. This can expose the organization to additional claims of negligence.
This is why general counsel typically discourages internal audit from using conclusive or absolute language in reports, such as describing a practice as "a violation of regulations." The debate here is not whether internal audit should report suspected violations, but rather whether internal audit is in the position to opine on the legality of those suspected violations.
There also is danger in not making it clear when legal violations are suspected. Often, detailed records support internal audit work, and not all audit reports can be succinct. If conclusive or absolute language is tucked away deep in rather long or complicated reports (or even in an index or appendix to that report), the company may still be found liable, even if company officials didn't note that observation, or it wasn't explicitly brought to their attention.
To be clear, this does not mean internal audit should ever shrink from its conclusions because of pressure from general counsel to change its findings. This is just an example of how a cooperative relationship between internal audit and legal can benefit both areas. A good general counsel can strengthen the internal audit function by helping it understand the legal ramifications of how conclusions are articulated without compromising its independence or objectivity.
Just as internal audit wants each business unit in the organization to recognize its role and value, the CAE should recognize the value that the general counsel's office provides. Internal audit's integrity and mission won't be compromised if the legal staff suggests precise language that minimizes legal and reputational risks, does not change the meaning or intent of what is being reported, and provides better transparency to support good governance.
I know this kind of discussion might make some internal audit practitioners uncomfortable. There are many in the profession who find the concept of allowing general counsel to consult on the wording in an internal audit report anathema to everything upon which the function stands.
But I ask them to consider that just as an internal audit function will bring in a guest auditor or third-party provider to supplement skills that are not on staff, so should it look to general counsel as an extra resource in its toolkit.
As I noted in my previous blog post, the internal audit–general counsel relationship must be guided by five principles: mutual trust, respect for respective roles, continuous communications, collaboration, and recognizing each other's right to disagree.
These principles should help guide us to a pragmatic approach. It's important for auditors to respect that general counsel is trying to protect the organization from legal and reputational risks, and when conflicts occur, we must filter them using our best professional judgment while reserving the right to report what we see in an unfiltered manner.