Risks in Internal Audits of Compliance Policies

In this edition of his Employment Issues column, Philip Berkowitz writes that if you are internal counsel or a human resources executive, your compliance department may want to review not only policies, but also backup data.

By Philip Berkowitz | July 7, 2021

Human resources and legal departments increasingly face reviews or audits by internal compliance or internal audit departments, which seek to assure that policies and programs are consistent with the myriad laws with which the organization must comply, including employment, whistleblower, and anti-bribery and corruption.

If you are internal counsel or a human resources executive, your compliance department may want to review not only policies, but also backup data. For example, in the case of an internal anti-discrimination and harassment policy, or a public and employee-facing whistleblower policy, your colleagues may ask to review any logs of complaints and investigation files, which may contain the names of whistleblowers, allegations of unethical or illegal conduct, and legal conclusions.

Compliance or internal audit may seek to understand the status of each internal complaint: what was the allegation, how was it handled, what was the conclusion; did the company retain outside counsel or any investigators; whom did the company retain; what did the investigation conclude; was there a violation of law; what was the nature of the resultant discipline, if any; and what information was shared with the complaining party.

The individuals carrying out the review may or may not be attorneys; they may or may not be familiar with the legal standards for establishing whether the underlying conduct was lawful, whether or not unlawful retaliation occurred, and they may not be familiar with the legal standards in carrying out these analyses.

Details regarding an investigation, of course, may contain damaging evidence of wrongdoing on the part of the company or an employee. The investigation may have revealed shortcomings in the company’s internal compliance procedures.

Some investigations may involve confidential topics, such as government-mandated remedial actions not known outside of the legal department.

As internal counsel, you may be concerned that these investigations, which were carried out at the direction of the legal department, are privileged, and that revealing the requested information could result in a waiver of the privilege. In the event of a waiver, the material may become available to government agencies, shareholders, plaintiff ’s counsel and disgruntled former or current employees, who may seek to use it in litigation against the company or its management.

A request to provide details regarding the investigations could result in revealing the identities of whistleblowers, while your policies require that the company keep that information confidential to the greatest degree possible.

The requesting department’s expectation that you will come to a conclusion as to whether the company violated the law may reflect a misunderstanding of the investigation process, and could trigger an obligation on the part of the employer to make an external disclosure to a third-party regulator or government entity.

You may also be concerned that an audit report may fail to take account of the fact that an employer’s position on a particular matter may differ in litigation or if the matter is the focus of a regulatory investigation. Further, an audit report that finds weaknesses in the employer’s compliance programs, or that differs with the legal department’s conclusion in an investigation, could be damaging evidence in a lawsuit surrounding the matter.

Of course, the importance and legitimacy of such internal reviews is beyond question. The federal Sentencing Guidelines provide in part that “[d]ue diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law … minimally require … [that the organization] take reasonable steps … to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct.” U.S.S.G. §8B2.1(b)(5)(A).

Banks, in particular, need to have in place “an internal audit function with sufficient authority, stature, independence, resources and access to the board of directors. Independent, competent and qualified internal auditors are vital to sound corporate governance.” Basil Committee on Banking Supervision.

Nevertheless, these reviews can unintentionally create not only internal disruption—they may also unintentionally increase the risk of legal liability.

Three Lines of Defense Model

Internal audits are often the product or result of the “Three Lines of Defense” (3LOD) model issued by the Institute of Internal Auditors (IIA). The 3LOD model is designed to provide a framework for corporate governance.

The “first line” of defense is made up of business leaders who establish and maintain appropriate structures and processes for the management of operations and risk, and ensures compliance with legal, regulatory, and ethical expectations.

Legal, Compliance, and Human Resources fall into the “second line.” They provide expertise, support, and monitoring related to the management of risk, including developing, implementing, and improving risk management practices in compliance with laws, regulations, and acceptable ethical behavior.

The “third line” function is carried out by Internal Audit (IA), which maintains primary accountability to the governing body and independence from management responsibilities.

Some commentators fear that the heightened regulatory environment, along with strengthening of these lines of defense, have cause confusion and overreaction. As a result, “compliance functions are undertaking increased regulatory monitoring reviews, which include regulatory controls testing . … This has left IA functions undertaking risk-based assurance reviews over the same risk areas as the second line, increasingly with a very similar assurance skill set, leading to a duplication of assurance activities between the 3LOD.”“Modernizing the three lines of defense model: An internal audit perspective (https://www2.deloitte.com/us/en/pages/advisory/articles/modernizing-the-...).”

This has resulted in “several negative side effects for more mature 3LOD models. The first line can have audit fatigue due to duplicative testing from both second and third lines, resulting in less time to focus on the business at hand. There are also cases where the over-fitting or over-strengthening of the second line has resulted in issues because the first line stops performing activities, believing they have responsibility of the second line. In times of crisis, many organizations fall into the trap of overreaction, whereby additional activities are added to the portfolio for the second and third lines.”

Protecting Privileged Information

Privilege law surrounding intra-company disclosures is unsettled. If disclosures are made outside the attorney-client relationship or under a common interest agreement, a waiver may occur. Overly broad disclosure within the corporation can trigger a waiver if the individual to whom disclosure was made did not have a “need to know” the contents of otherwise privileged information. See Scholtisek v. Eldre, 441 F. Supp.2d 459 (W.D.N.Y. 2006) (“need to know” turns on “(1) the role in the corporation of the employee or agent who receives the communication; and (2) the nature of the communication, that is, whether it necessarily incorporates legal advice”).

What does all this mean for internal counsel, or the human resources department, whose whistleblower policies are being scrutinized by compliance or IA, in an environment that may not take account of the attorney-client privilege?

Legal, compliance, and audit should work together to implement best practices for a working relationship that will best preserve the privilege and protect the company. They should put in place a process whereby counsel, whether internal or external (depending on possible conflicts or other factors), provides legal oversight of audits of sensitive issues, such as investigations into claims with potential legal implications or regarding the implementation of legally mandated compliance measures.

In formulating its case and making disclosures to third parties, counsel should, as best it can, rely on non-privileged factual information.

Certainly, if fraud, corruption, or another material legal violation is suspected, legal counsel should be brought into the process of carrying out any internal review or audit of processes. It may be helpful to spend some time identifying in advance the risk factors implicated in certain types of investigations, and when to involve counsel.

Of course, when carrying out an internal investigation which could result in litigation, internal or external counsel should be sure to provide Upjohn warnings to witnesses, document that the investigation is being carried out in anticipation of litigation, and ensure that interview memoranda include attorney impressions, rather than simply a verbatim recitation of witness statements. This will help assure that the memoranda are protected from disclosure by the attorney-client privilege and work product doctrine.

Philip M. Berkowitz is a shareholder of Littler Mendelson and co-chair of the firm’s U.S. international employment law and financial services practices.


Read the full article here:


Reprinted with permission from the July 7, 2021 edition of the New York Law Journal©

2021 ALM Media Properties, LLC. All rights reserved.

Further duplication without permission is prohibited. ALMReprints.com – 877-257-3382 – reprints@alm.com