ComplianceRisk Management

Drawing Legal Lines: Internal Audit and Attorney-Client Privilege

By January 26, 2022No Comments

Insights on when and how internal auditors involve lawyers to protect information in an audit report.

Most members of NeuGroup for Internal Audit Executives either don’t have a formal process to secure attorney-client privilege (ACP) for their audit reports or are working to formalize one. That takeaway emerged at a recent group session where other members shared how the process works at their companies. But first, some context:

  • According to the law firm Gibson Dunn, “Generally speaking, internal audit reports and work papers are not protected by privilege. Attorney-client privilege does not attach if the audit is not directed by counsel.
    • “Work product protection does not apply if the audit was conducted in the ordinary course of business rather than ‘in anticipation of litigation.’ Internal audit reports may be subject to discovery.”
  • The meeting highlighted that internal audit (IA) and legal teams are not always on the same page, or approach issues differently. “Legal doesn’t want anything documented, internal audit wants everything documented,” one member said.

Coordination with legal. Several members walk through their audit plans with legal to provide a heads-up where an ACP issue may arise. One member said his team has been doing more audits designated as having ACP over the past few years. He said:

  • “We have a process that determines this designation. It is a procedure that was developed in conjunction with legal. At a high level, it details the steps to follow if an audit is going to be conducted under privilege from the beginning, or if during the course of audit work the team comes across a potential legal issue.
    • “Final determination on whether the work will be classified as privileged is from the legal department.”
  • Another member says if IA is auditing “in areas where we have some history of litigation, we will involve legal from the planning stage and may put it under privilege/attorney work product at their direction.
    • “[Audits] where we are asked by legal to look at a certain issue, are generally privileged from the start. Occasionally, issues arise during the audit and we ask legal if they want to put material under privilege from that point.”
  • One member said that any material that is designated ACP should be clearly marked as such. “Denote every email, work paper and report—usually with something like ‘Attorney-Client Privileged/Attorney work Product’ to assist in the event of discovery,” he suggests.

Documentation and distribution. One member said work papers and a copy of the final report with privileged information are retained in the IA system and access is restricted to individuals who have been deputized by legal for the project. “We keep a record of who in audit has been deputized,” he said.

  • In terms of distribution, members report limiting it to small groups. One said his report format “is under the direction of the attorneys and not necessarily our standard audit report template. Report issuance and distribution is handled by legal instead of by audit; audit does provide a suggested distribution list.”
  • Another member said IA limits distribution to those who need to know and excludes external auditors and the broader audit team. “Most of our work here is done under attorney work product doctrine, which allows us to have internal team discussions and emails without involving the attorney in every email, but I’ve found this differs by company,” he said.

Words to the wise. One member suggested that IA be careful about “what goes in your audit committee (AC) deck, since external audit has visibility to it, and this can break privilege; maybe use separate AC meetings or executive sessions to brief the committee on privileged issues.” IA also has legal “come into my team meeting and do a periodic briefing of ACP sensitivities and protocol,” he added.

  • Related to this is education, one member said. Be sure that everyone in the organization knows what is privileged and what isn’t. “Lots of information goes out and it could be breaking the ACP process.”
  • And just because someone cc’s an attorney in an email chain doesn’t mean the email is protected by ACP, one member noted.
Justin Jones

Author Justin Jones

More posts by Justin Jones