Internal Disclosures from Compliance Audits – What Could Go Wrong?

Compliance or internal audit departments frequently carry out audits intended to assure that business partners in an organization, such as human resources or legal departments, have in place policies and procedures that are effective for maintaining corporate compliance and consistent with the myriad laws with which the organization must comply, including employment, whistleblower, and anti-bribery and corruption.  These reviews are often not confined to policies but may also seek review of actual compliance events and sensitive contemporaneous records.  For example, in the case of an internal anti-discrimination and harassment policy, or a public and employee-facing whistleblower policy, the compliance department (“Compliance”) may wish to review logs of previous complaints and investigation files.  These records may contain the names of whistleblowers, allegations of unethical or illegal conduct, and legal conclusions. 

To assess effectiveness, Compliance or Internal Audit departments may want to understand the status of each internal complaint:  what was the allegation, how was it handled, what was the conclusion; did the company retain outside counsel or any investigators; whom did the company retain; what did the investigation conclude; was there a violation of law; did the company impose discipline, and if so, what was it and against whom; and what information was shared with the complaining party? 

Of course, internal reviews of this nature are usually quite essential and legitimate. They are forward-thinking and intended to improve the company’s overall compliance efforts. However, it is important for Compliance and Internal Audit to recognize that in-house counsel, human resources, and other departments may have legitimate concerns that an internal audit may result in inappropriate disclosure of confidential business or personal information, and, critically, an unintentional waiver of the attorney-client privilege or attorney work product. 

For instance, details regarding an investigation may contain damaging evidence of wrongdoing on the part of the company or an employee.  The underlying investigation may have revealed shortcomings in the company's internal compliance procedures.

Plaintiffs’ counsel often set their sights on discovering the fruits of internal investigations.  This evidence may include the underlying interview notes and other raw materials created when carrying out the investigation, in the hope that they can bolster their claims, either by demonstrating that the employer’s investigation was inadequate or by using damaging evidence the investigation may have uncovered.

Considering these risks, Compliance, Internal Audit, and the departments whose activities they review should have in place guidelines to avoid disclosure of privileged information and to limit, to the maximum degree possible, the disclosure of sensitive and confidential information.

Internal investigations carried out by Human Resources or Legal in response to employee or anonymous whistleblower complaints often involve confidential topics, such as government-mandated remedial actions not known outside of the legal department.  The investigations may involve sensitive allegations of sexual harassment, in which the alleged victim has requested that their identity remain confidential.  Investigation findings are likely to be highly sensitive, whether or not they bear out the victim’s claims.  And the investigations, if carried out at the direction of the legal department, may have been structured to be protected by the attorney-client privilege and/or work product doctrine. 

In the event of a waiver of the attorney-client privilege, the material may become available to government agencies, shareholders, plaintiff’s counsel and disgruntled former or current employees, who may seek to use the information in litigation against the company or its management.  Further, a request to provide details regarding the investigations could result in disclosure of the identities of whistleblowers, while guidelines of regulators may demand that such information be kept confidential to the maximum degree possible. 

Again, the importance and legitimacy of internal reviews carried out by Compliance and Internal Audit is beyond question.  The federal Sentencing Guidelines provide in part that “[d]ue diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law . . . minimally require . . . [that the organization] take reasonable steps . . . to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct.”1

Nevertheless, these reviews can unintentionally create internal disruption, and they may also increase the risk of legal challenge and possibly liability. 

Three Lines of Defense Model

Internal audits are often the product or result of the “Three Lines of Defense” (3LOD) model issued by the Institute of Internal Auditors.  The 3LOD model is designed to provide a framework for corporate governance.2

Some commentators fear that the heightened regulatory environment, along with the strengthening of these lines of defense, has caused confusion and overreaction.  As a result, “compliance functions are undertaking increased regulatory monitoring reviews, which include regulatory controls testing. …  This has left [Internal Audit] functions undertaking risk-based assurance reviews over the same risk areas as the second line, increasingly with a very similar assurance skill set, leading to a duplication of assurance activities between the 3LOD.”3

This has caused:

. . . several negative side effects for more mature 3LOD models. The first line can have audit fatigue due to duplicative testing from both second and third lines, resulting in less time to focus on the business at hand. There are also cases where the over-fitting or over-strengthening of the second line has resulted in issues because the first line stops performing activities, believing they have responsibility of the second line. In times of crisis, many organizations fall into the trap of overreaction, whereby additional activities are added to the portfolio for the second and third lines.4

Protecting Privileged Information

In-house counsel, human resources, and other departments whose policies and practices are scrutinized by Compliance or Internal Audit have legitimate concerns about maintaining the confidentiality of their activities.

If internal or external counsel carries out or directs the investigation, then the investigation may be protected by the attorney-client privilege under Upjohn Co. v. United States, 449 U.S. 383 (1981).  But to be privileged, the investigation must be carried out for the purpose of obtaining and providing legal advice. 

The privilege will not protect the investigation from discovery if no legal advice is sought or provided, or if the attorney is consulted merely for business advice. The privilege also can be lost if the confidential nature of the investigation is not conveyed to the participants; if the attorney is merely kept informed of the investigation rather than tasked with directing it or providing legal advice during the investigation; if obtaining legal advice is not the predominant purpose of the investigation; or if the privilege is affirmatively waived.5 

If disclosures are made outside the attorney-client relationship or under a common interest agreement, a waiver may occur.  Overly broad disclosure within the corporation also can trigger a waiver if the individual to whom disclosure was made did not have a “need to know” the contents of otherwise privileged information.6

Even if the attorney-client privilege does not shield the fruits of the investigation from disclosure, the attorney “work product” doctrine may, if the investigation was carried out in anticipation of litigation, whether by or for a party or its representative.  To be protected, the work should be conducted at the direction of counsel to assist counsel in planning or strategizing for potential litigation, such as possible legal defenses or affirmative claims.  However, the protection of the work product doctrine has its limits.  Even if a document is prepared in anticipation of litigation, the adverse party may be able to obtain the documents if the party shows “substantial need” for disclosure and an inability to obtain its equivalent by other means.7

What does all this mean for internal counsel, or the human resources department, where the company’s whistleblower and other compliance policies are being scrutinized by Compliance or Internal Audit, in an environment that may not take account of highly sensitive business or personal information or the attorney-client privilege?

At the end of the day, there may be no way to shield internal audits of corporate practices from discovery unless the review is being carried out by or at the direction of counsel while counsel is providing legal advice; to assist counsel in providing the corporate client with legal advice; or in anticipation of litigation.

As a result, before carrying out an internal compliance audit that necessarily will involve sensitive complaints or investigations, the company’s respective departments – Legal, Human Resources, Compliance, and Internal Audit – should work together to plan and implement best practices for a working relationship that will best preserve any needed confidentiality, any legal privileges, and protect the company overall.  This often will include putting in place a process whereby counsel, whether internal or external (depending on possible conflicts or other factors), provides legal oversight of and legal advice related to any such audit.

Certainly, if fraud, corruption, or another material legal violation is suspected to have occurred with respect to any corporate compliance measure, practice or process, legal counsel should be brought into the process before carrying out any internal review or audit of any such measure, practice, or process.    

Thus, privileged material generally must only be released to and accessible by individuals with a “need to know.” The company’s legal counsel can determine this by assessing the role in the corporation of the employee or agent who will receive the privileged communication, and whether that role requires their receipt of the protected information. Privileged investigation files and reports also must be held in confidence and maintained in a manner such that they are not accessible to individuals who have no legitimate right to their access or need to know.

Footnotes

1 U.S.S.G. § 8B2.1(b)(5)(A)

2 The “first line” of defense is made up of business leaders who establish and maintain appropriate structures and processes for the management of operations and risk, and ensures compliance with legal, regulatory, and ethical expectations.  Legal, Compliance, and Human Resources fall into the “second line.”  They provide expertise, support, and monitoring related to the management of risk, including developing, implementing, and improving risk management practices in compliance with laws, regulations, and acceptable ethical behavior.  The “third line” function is carried out by Internal Audit, which maintains primary accountability to the governing body and independence from management responsibilities. 

3 “Modernizing the three lines of defense model:  An internal audit perspective,”

4 Id.

5 See, e.g., United States v. ISS Marine Services, Inc., 905 F.Supp. 2d 121 (D.D.C. 2012).

6 See Scholtisek v. Eldre Corp., 441 F. Supp. 2d 459 (W.D.N.Y. 2006) (“need to know” turns on “(1) the role in the corporation of the employee or agent who receives the communication; and (2) the nature of the communication, that is, whether it necessarily incorporates legal advice”).

7 Fed.R.Civ.P. 26(b)(3).

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.