
Working with the General Counsel

December 6, 2021

Last month, Richard Chambers shared his experience and the challenges he had working with the General Counsel in “Internal Audit’s Relationship With the General Counsel Can Be Complicated.”

Richard’s experience and mine are very different, even though between us we have more than 40 years as internal audit leaders. His was with US government agencies while mine was with for-profit global corporations.

As a CAE, I worked with a number of General Counsels (GC) and they were all different: different personalities, different approaches to their work, and different attitudes towards risk management and internal audit.

I worked with them in several ways:

  • Collaborating on the development of ethics and related policies. In some cases, I wrote the first draft which was then completed by the GC. At one company, we co-chaired the (management) Ethics Council.
  • Engaging them (sometimes reluctantly) on investigations by my team. One attorney shied away from them, while at another company the GC tried (without great success) to tell me how to do my job. Performing investigations “at the direction of counsel” to protect related documents, etc. is important. But that doesn’t mean they tell me how to investigate.
  • Discussing ‘difficult’ issues where, if we are not careful, reporting could create a legal risk for the organization. This is an area that Richard focused on, and I will come back to it.
  • Understanding which were the more significant risks to the organization. One GC refused to share his assessment of the risks, saying that would create potential legal liability and competitive risk should his assessment be discovered. As CAE and later as CRO, I also reviewed what would be disclosed as “risk factors” in the filings with the SEC.
  • Auditing the GC and his team!

Richard says this:

During the course of an audit, one of my audit teams discovered a potential legal violation in the use of government funds for a construction project. Responsible management officials were adamant that they had done everything correctly, and they even obtained a legal opinion prior to construction. Nevertheless, I promptly reported the audit finding to the CEO, who was alarmed at the potential consequences.

My first reaction is that the determination of whether there has been a “potential legal violation” is not something that the auditor is qualified to opine on. As every GC has told me, that is a legal opinion and we are not lawyers.

I disagree with Richard’s approach. I would have sat down with the GC, agreed on the facts, and sought his assessment. If he said it was not a violation, I would accept it 99% of the time. In the highly unlikely event that I was certain he or she was incorrect, I would put our relationship at high risk and ask him to obtain the opinion of outside counsel. I recall one situation related to SOX, where I had more experience than the GC, where I asked him how sure he was in his opinion. He replied that he was not 100% sure and volunteered to ask outside counsel (who agreed with me).

Richard also says this:

Too often, CAEs express frustration with general counsels who, they believe, are more concerned about reputational and legal risks than in affording internal audit the opportunity to fully articulate results of its work.

To be sure, reputational and legal risks are important. However, general counsels too often prefer to eliminate those risks altogether in internal audit reports — in effect, silencing internal audit from sharing critical information with the board or audit committee.

Again, I disagree with Richard. We cannot put the organization at risk just because we want to be forthright in our written audit report.

As a reminder, there is no requirement in the IIA Standards to write a formal audit report. The Standards require us to “communicate the results” of our work.

I have been in several situations where it would have been imprudent (at best) or even irresponsible (at worst) to detail everything in the written report.

Instead, I only indicated in the report that there was an issue, using language agreed with the GC. I relied on discussions, led by the GC to preserve privilege, with top management and the audit committee of the board.

This is somewhat similar to the way that GCs write minutes of the board meetings: sufficient to indicate there was a discussion, but not enough detail to create a legal or other (such as reputational) issue if the minutes were disclosed.

Richard suggests these five principles for the relationship:

  • Mutual trust that each party is acting in the best interest of the organization.
  • Respect for the respective roles of each party and the prism through which each views risks.
  • Communication on a continuous basis to foster effective risk management, internal controls, and corporate governance.
  • Collaboration to ensure risks are effectively managed and internal controls are effectively designed and implemented throughout the organization.
  • Recognition of the right of each party to agree to disagree, when warranted.

These are all solid points, with which I agree.

I would add only that the relationship with the GC and his or her team is extremely valuable. The CAE in particular should invest heavily in creating a partnership.

I welcome your thoughts.

  1. David Beer
    December 6, 2021 at 10:30 AM

    Spot on Norman – there may well be legal risks and some of them unacceptable to accept, but assuming reputation is not involved, there are some occasions when GCs overstate the downside compared to the upside – if we agreed with every GC observation we might remain behind the pack – it is up to Executive to balance the pros and cons. GCs are the same as any other adviser – they advise; Executive decides.

    • Norman Marks
      December 6, 2021 at 10:33 AM

      Thank you, David. But surely that discussion can be oral rather than fighting over the wording of the audit report.

  2. John Fraser
    December 6, 2021 at 1:20 PM

    Norman, I am afraid I cannot agree with you. If the GC’s opinion is to be taken because he/she is a lawyer, then who would I be to question every other specialist (e.g. engineers, technology, project managers etc etc) in the company? If it is purely a legal interpretation e.g. based on case law, then I would agree, but there are many issues that someone with our experience can have a differing opinion on.

    • Norman Marks
      December 6, 2021 at 1:34 PM

      I agree if it’s other than a legal opinion, which is where I was focused.

  3. Richard Fowler
    December 7, 2021 at 7:07 AM

    Many attorneys will state that the law should be plain on its face – that a direct reading of the law or regulation should inform the reader (and not just the attorneys) of the requirements. Yes, there are nuances and exceptions that are addressed in case law, but the auditor can and should be aware of what the regulation or legislation requires and be able to audit against that. Then the discussion with GC can take place. I’ve faced similar issues as an auditor for a state agency and as an auditor for a company, and being able to discuss a legal issue with an attorney goes much smoother when both of us have a more equal footing.
