
Disclose Internal Audit Reports at Your Own Risk


Recently we wrote about how Fluor Hanford’s own internal audit reports were used against it, in order to support allegations that the company’s management was well aware that its “weak internal control systems” created opportunities for its employees to misuse purchase cards (and to receive supplier kick-backs). We asserted that—

  • Internal audit reports are important. Internal auditors should be of high quality and so should their reports. Internal audit reports that report bad facts should not be ignored; indeed, management should take quick and decisive action to address the findings.

  • Internal audit reports that point out lax internal controls, which management ignores, become really effective “smoking guns” that will be used against the organization in a court of law.

But we were reminded that there’s another aspect of internal audit reports that must be considered during litigation. Our readers understand that some internal audit and/or compliance reports are prepared under privilege for internal and/or external counsel. Disclosure of such reports can prove problematic.

Karen Manos, writing in the May 2011 edition of West’s Government Contract Costs, Pricing & Accounting Report, reported that—

A U.S. Magistrate Judge ruled from the bench that Oracle’s disclosure of a privileged report in response to a General Services Administration Inspector General subpoena resulted in a broad subject matter waiver of all communications related to the report. … Oracle provided the IG a copy of the report of its outside counsel’s compliance review [related to compliance with the GSA Price Reductions clause]. … The Judge [found that] 'Defendants attorney-client privilege is waived with respect to all communications between defendants and [outside law firm] relating in any way to the contract in issue and/or the review performed.' ...

Ms. Manos, a widely respected Government Contracts attorney with Gibson Dunn, cited the case as: U.S. ex rel Frascella v. Oracle Corp., No. 1:07 cv529 (E.D. VA Mar. 30, 2011), ECF No. 186. A client advisory from McKenna, Long & Aldridge can be found here. The MLA attorneys wrote, “… as the Oracle case demonstrates, clients and counsel must carefully consider the potential implications -- both good and bad -- of disclosing to the government any compliance-related information prepared by counsel.”

On a related note, Francine McKenna posted an article on her Forbes blog discussing the interplay between the Sarbanes-Oxley Act of 2002 (SOX), internal controls, and fraud. In that article, she reported a KPMG conclusion that, “Companies with weak or non-existent internal controls over financial reporting are more susceptible to fraud and they take longer to uncover.” She also noted a recent Financial Executives International (FEI) survey that, “the primary owner of Sarbanes-Oxley compliance initiatives in most organizations is still the internal audit function.” She quoted Richard Chambers (CEO of the Institute of Internal Auditors or IIA) as saying—

While nothing about that contravenes our professional standards, the best role for Internal Audit to play in Sarbanes-Oxley compliance initiatives is to provide overall assurance on the effectiveness of the organization’s documentation and testing of internal controls and Section 302 certification process, rather than to be down in the weeds doing the actual documentation and testing of controls instead of management.

To wrap this up, we want to emphasize the importance of performing internal audits and testing internal controls. That said, we think companies ought to distinguish between internal audits that test SOX-related controls over financial reporting, and internal compliance reviews that test the operational controls embedded in contractor “business systems”. We are skeptical that the knowledge and skill sets between the two are easily transferable.

And, as noted by Ms. Manos and by the MLA attorneys, there’s a third category of internal reviews—the extraordinary internal reviews performed under attorney-client privilege. Such reviews should only be provided to outsiders (including government personnel such as DCAA auditors or Agency Inspectors General) under very carefully considered circumstances, lest the door be opened for qui tam relators and opposing counsel to obtain a bounty of documents that would have otherwise been protected.

Ask yourself how your company addresses its internal audit function, and whether there is a separate group that evaluates your “business systems”. Are you investing enough into detecting wrong-doing or, like other contractors in the news, are you pretending there’s no risk to your company or its shareholders?

 
