Audit Committees are facing increased demands from many quarters in 2015, which expand their responsibilities, expose themto greater regulatory scrutiny and potential liabilities, and provide the basis for proxy and shareholder activists to oppose the re-election of Audit Committee members to the board of directors of the company.

This Legal Update focuses on three issues that should be considered by Audit Committees of public companies in 2015: (i) Internal Investigation Privilege and Confidentiality, (ii) Expanding PCAOB-Mandated Rules for Audit Committees, and (iii) Continued ISS Corporate Governance Scrutiny of Audit CommitteeMembers. This Update follows our early 2015 Legal Update in which we addressed Tax, Whistleblower, and Revenue Recognition issues for Audit Committees1 and our Fourth Quarter 2014 Legal Update in which we addressed Auditor Independence, Cybersecurity, and FCPA/Bribery issues for Audit Committees.2

These Audit Committee considerations are important even for companies that may not consider themselves subject to "public companytype" corporate governance requirements: for example, US private companies considering an initial public offering (IPO) or foreign private issuers considering accessing the US capital markets and having their securities listed on an exchange.

Internal Investigation Privilege and Confidentiality.

Audit Committees are often responsible for directing or overseeing a wide variety of internal corporate investigations as part of their oversight of company financial statements, whistleblowers compliance, and corporate risk. While pursuing these investigations, the Audit Committee needs to be mindful of risks to the company of disclosures of the internal investigation to company outsiders, because otherwise the work product created during the course of a company's internal investigation is not necessarily protected from disclosure to third-parties, including the government, private litigants, or the public at large. Regulators or litigants may seek the results of, or documents created during the course of, an internal investigation if there have been public statements with respect to the investigation. These concerns are magnified in today's technological environment where companies are highly scrutinized and information is always accessible and rapidly spread.

Assuming the company seeks to maintain the confidentiality of investigative material, Audit Committee members and others conducting internal investigations should take precautions to limit the possibility that confidential material is disseminated to outsiders. Several recent cases have provided clarity regarding the scope of attorney-client privilege in internal investigations and approaches for protecting the confidentiality of information created by the corporate investigations.3

A company may undertake an internal investigation for any number of reasons, and in some cases the organization may want the results to be shared with outside parties.More often, however, companies prefer to shield the investigative material and results from access by third parties. An investigation conducted by legal counsel is more likely to be protected by the attorney-client privilege than an investigation conducted by non-legal employees. Furthermore, if the matter involves anticipated litigation, having a lawyer lead the investigation may also implicate attorney work product protections that could shield confidences from disclosures in later ligitation. In-house general counsel may be well-suited for this task, though, in many situations, strong consideration should be given to hiring outside counsel to lead the inquiry, which increases the appearance of the investigation's independence.4

Overall responsibility for the investigation should be delegated to counsel, rather than simply involving attorneys in the investigation. In one case, the Southern District of New York denied a party's claims of privilege because, among other things, the audit was commissioned jointly by counsel and by management.5 It is perfectly fine to utilize nonlegal personnel—from within or outside the organization—so long as they are retained by or work at the direction of counsel with whomthe primary authority for the investigation is maintained.

Of course, the fact that an attorney is leading the investigation does not necessarily mean that the investigative materials will be protected from disclosure. It must be clear that the investigation was undertaken mainly to obtain legal advice (in order for the attorney-client privilege to apply), or in anticipation of litigation (in order for the work product doctrine to apply). This is true even if the investigation was conducted for more than one purpose, as long the predominant purpose was to obtain legal advice or to prepare for litigation. In establishing an internal investigation and its contours, Audit Committees, and their advisors, should be careful to document the reason for undertaking the investigation consistent with these proper objectives.

The US Court of Appeals for the District of Columbia recently went a step further in broadening the privilege attached to attorneyclient communications. The court felt that trying to find the primary purpose for a communication could be an inherently impossible task, so the court articulated the following test to apply the attorney-client privilege: "was obtaining or providing legal advice a primary purpose of the communication, meaning one of the significant purposes of the communication?"6 Importantly, the court clarified that an employee's communication with counsel during an internal investigation will not lose its privileged status so long as one of the significant purposes of the investigation is to obtain or provide legal advice. This is true even if the company had other reasons for conducting the investigation as well; for example, if the investigation was mandated by statute or regulation.7 Although it does not necessarily reflect the law on this point in other jurisdictions, this decision serves to emphasize that Audit Committee members or others authorizing an internal investigation should document the reasons for the investigation. A clear record that at least one significant purpose of the investigation was to obtain or provide legal advice, or was conducted by counsel in anticipation of litigation,8 could serve to protect the investigative communications and materials from disclosure.

For corporations, the attorney-client privilege belongs to the company, and, while employees generally do not have the power to waive the privilege, officers and directors may have such capability. Dissemination of otherwise privileged information to those who do not need to know the information risks a finding that a waiver of the privilege has occurred. In terms of the work product doctrine, disclosure to any third party does not alone effect a waiver. Rather, courts generally find a waiver of the work product privilege only when disclosure "substantially increases the opportunity for potential adversaries to obtain the information."9

Care should therefore be taken not to sabotage the protections afforded by the privilege through, for instance, a company press release or an officer's off-the-cuff remark to investors. For example, an announcement that an internal investigation is being conducted to restore confidence in the company's financial statements may suggest that the audit was undertaken exclusively for business reasons, rather than for obtaining legal advice or for litigation purposes. Such an announcement may have the unintended effect of undermining the attorney-client and work product protections. Therefore, any public statements by management should be scrutinized prior to disclosure to ensure they do not provide a basis for challenging the privilege and waive the privilege through their content.

Another word of caution. Sometimes Audit Committees face a difficult choice when they are asked to disclose the investigative material from counsel's inquiry to outside auditors, who often are the ones to request an investigation. Companies should be aware of the risks involved with such a strategy, including that a waiver of attorney-client privilege may occur. In one case, for example, a court found that a waiver occurred where the Audit Committee and an outside law firm it retained to assist with the investigation had voluntarily disclosed allegedly confidential information. Among other things, the court noted that the outside auditing firm, Ernst & Young, regularly attended meetings with the law firm where sensitive aspects of the investigation were discussed at length.10 Similarly, the Southern District of New York has found that a company's Audit Committee waived the attorney-client privilege when it chose to disclose to an auditor the substantive and detailed results of an outside law firm's investigation.11

Audit Committees and their retained counsel must give thought to how, if at all, investigative information can be disclosed to outside auditors without waiving the privilege. The challenge is that auditors may request information in performing their audit or review of the company's financial statements and may refuse to complete their work if they are not given sufficient information to make them comfortable. At the very least, if the company decides to disclose privileged material to its auditors, it should consider entering into a confidentiality agreement, which will at least decrease the possibility that a waiver of attorney work-product will be found.12 In addition, in any communications with an auditor, it is important to remember that Section 303 of the Sarbanes- Oxley Act of 2002 makes it illegal to, among other things, mislead any independent public or certified accountant engaged in the performance of an audit of the financial statements of an issuer for the purpose of rendering such financial statements materially misleading. While a decision to not disclose information to auditors may be made to protect certain privileges, it is important to remember that a court could be asked to review such a decision and whether it had the effect of rendering any financial statements materially misleading

Similarly, companies are sometimes asked, or affirmatively choose, to disclose to regulatory and enforcement agencies their audit reports, investigative findings, and underlying communications. Audit Committees seeking to keep such material confidential, however, should resist such requests on privilege and work product grounds (where applicable). A clear record that the audit was undertaken for the purpose of obtaining legal advice, or in anticipation of litigation, will bolster those claims, as would appropriately labeling attorneyclient communications and those made in anticipation of litigation.Moreover, companies should refrain from affirmatively using the audit report as a sword in subsequent litigation, which has been found to constitute a waiver.13 Finally, should the corporation decide to make other productions to the requesting agency, the company should state in its discovery responses its intention to preserve privileges and that any disclosure of privileged material is unintentional.

In addition to waiver issues, companies should be aware that certain exceptions exist that pierce the attorney-client privilege. For instance, in Wal-Mart,14 the Supreme Court of Delaware for the first time recognized the "fiduciary exception" to the attorney-client privilege. This exception, derived fromthe case Garner v. Wolfinbarger,15 allows a corporation's shareholders to invade the attorney-client privilege in order to prove fiduciary breaches upon a showing of good cause.16 In Wal-Mart, the plaintiff sought information—including attorney-client communications—regarding the handling of an investigation into allegations of bribery by a Wal-Mart subsidiary, whether a cover-up took place, and what details where shared with the Wal-Mart board.17 After reviewing the "panoply of factors" that the Court of Chancery considered in its Garner analysis, the Delaware Supreme Court affirmed the trial court's conclusion that good cause existed to compel the production of otherwise-privileged documents pursuant to the fiduciary exception.18

This case serves as a reminder that the sanctity of attorney-client communications is not absolute, and that lawyers, including outside counsel, must be wary of what they reduce to writing in communications with their clients, and vice versa. One note of encouragement is that the fiduciary exception does not apply to the work product doctrine.19 Whenever applicable, therefore, attorney-client communications made in anticipation of litigation should be clearly identified as work product, providing extra protection from disclosure. Such labels also protect against inadvertent waiver.

Expanding PCAOB Mandated Roles For Audit Committees

The scope of oversight responsibilities for Audit Committees was effectively expanded in late 2014 through additional standards imposed upon auditors by the Public Company Accounting Oversight Board (PCAOB). With the recent approval by the Securities and Exchange Commission (SEC) of PCAOB Auditing Standard No. 18, Related Parties (AS 18) and Auditing Standard No. 16, Communications with Audit Committees, and associated amendments to other auditing standards, auditors will be required to heighten their attention in three areas: (i) related-party transactions of the company; (ii) significant unusual transactions of the company; and (iii) financial relationships and transactions with executive officers of the company, including executive compensation arrangements.

In the regulatory view, these transactions and relationships pose an increased risk of material misstatement in financials due to fraud, conflict of interest or error, harking back to the complex corporate transactions underscoring the frauds of Enron,Worldcom, Tyco and other corporate scandals of decades past. Auditors are being directed to consider the links between these three areas: to "connect the dots" and, in particular, scrutinize the business purpose (or lack thereof) and context of relationships and transactions falling within the standard. To assist these corporate risk judgments, AS 18 requires the auditor to make inquiries of the Audit Committee or its chairperson about the Audit Committee's understanding of these transactions and whether the Audit Committee has concerns about these transactions. In practical effect, Audit Committees will likely be expected to become familiar with the terms, structure and business purposes of these transactions in order to be able to effectively anticipate and respond to these auditor inquiries as to corporate risks that may arise from these transactions.


Related-party transactions, in the view of PCAOB, can involve difficult measurement and recognition issues; they provide opportunities for management to act in their own (as opposed to company's) interests and, in the extreme, to engage in fraud and conceal misappropriation of assets. In evaluating related-party transactions, the company should appreciate that, for AS 18, the definition of "related-party transaction" comes fromthe accounting literature (Financial Accounting Standards Board Accounting Standards Topic 850) and therefore includes significant intercompany related-party transactions as well as transactions with directors, officers and external affiliates disclosable in the proxy statement under SEC rules (Item 404 of SEC Regulation S-K). Put differently, this view of related-party transactions reaches affiliate intercompany transactions (including with "off balance sheet" or joint venture affiliates) that might not otherwise be monitored, reported and publicly disclosable as an affiliate transaction. AS 18 requires the auditor to:

  • Perform specific procedures to understand related-party relationships and transactions, including the nature, terms and business purpose (or lack thereof). These procedures include inquiring of the Audit Committee or its chairperson as to the Audit Committee's understanding of these related-party matters and whether any member of the Audit Committee has any concerns (including the business purposes) about them. To evaluate the Audit Committee's understanding of these transactions, the outside auditor is likely to ask about the Audit Committee's understanding of the review and approval process for related-party transactions, the business purpose and background, and of how pricing and other terms may be viewed as arms-length.
  • Evaluate whether the company has properly identified its related parties and company relationships and transactions with them. If any such transactions were not properly identified, the auditor will make inquiry of the Audit Committee or its chairperson as to any such transaction that was not properly identified and the reasons for any shortcoming.
  • Communicate to the Audit Committee the auditor's evaluation of the company's identification of, accounting for, and disclosure of its relationships and transactions with related parties.


Significant unusual transactions, in the view of PCAOB, can create complex accounting and financial statement accounting issues that increase the risk of material misstatements, or, in the extreme, can result in the company engaging in fraudulent financial reporting, especially with close–to-period-end transactions that pose difficult "substance-over-form" and business purpose type questions. "Significant unusual transactions" for this purpose are defined as transactions that are outside the normal course of business for the company or that otherwise appear to be unusual due to their timing, size or nature. As with related-party transactions, these transactions would likely reach company transactions with "off-balance sheet" and joint venture affiliates. With regard to these transactions, AS 18 requires the auditor to:

  • Perform specific procedures to identify significant unusual transactions, and to understand and evaluate the business purpose and other key elements of such transactions. These procedures include reading the underlying documentation relating to the transaction and evaluating whether the terms and other information about the transaction are consistent with explanations of management about the business purpose of the transaction; determining whether the transaction has been authorized and approved in accordance with the company's established policies and procedures; and evaluating the financial capability of the other parties to the transaction with respect to significant uncollected balances, guarantees, and other obligations.
  • Communicate to the Audit Committee the auditor's understanding of the business purpose of these significant unusual transactions. In practical effect, the Audit Committee will likely be expected to become familiar with the terms, structures, and purposes of these transactions in order to be able to effectively anticipate and respond to these auditor inquiries.


In the view of the PCAOB, a company's financial relationships and transactions with its executive officers (e.g., through compensation) can create incentives and pressure for executive officer to cause the company to engage in conduct in order to meet financial targets, especially short-term targets, which can result in risks of material misstatements to a company's financial statements. In examining these executive officer relationships, the auditor will be required to follow procedures designed to help uncover incentives or pressures for the company to achieve a particular financial position or operating result by virtue of executive officer compensation and incentives. Specifically, the auditor must perform procedures to understand the company's financial relationships and transactions with its executive officers, given the influence these officers have on the company's financial results. AS 18 provides that these additional procedures by the auditor should include:

  • Review of the employment and compensation contracts between the company and its executive officers.
  • Review of the company's proxy statement and other relevant filings with the SEC and other regulatory agencies that relate to the company's financial relationships and transactions with its executive officers, including expense reimbursement.
  • Consideration of whether to inquire of the chairperson of the Compensation Committee and any compensation consultants engaged by either the Compensation Committee or the company regarding the structuring of the company's compensation for executive officers.

In view of AS 18, and its likely impact on auditor expectations of informed discussion with Audit Committees, the Audit Committee might both update its Audit Committee charter to encompass the reviews contemplated by AS 18, while also evaluating the company's monitoring and reporting to the Audit Committee of relatedparty transactions and significant unusual transactions for AS 18 purposes. With regard to the company's related person transaction policy, considerations might be given to the continuing appropriateness of any blanket carve-outs from pre-approval requirements.

Also, in view of AS 18, it is likely that the auditor's responsibility to inquire into the business purpose and basic terms of relatedparty transactions and significant unusual transactions will result in Audit Committees being conversant about these transactions in order to provide effective assurances to the auditors. Complex transactions with off-balance sheet, joint venture or similar financial or funding structures that impact the reporting of revenues, earning and debts of the company might become a particular focus, considering the underlying, initial concerns of AS 18. It is unclear, again, how an Audit Committee will be expected to provide such assurance, although discussing these transactions in advance with management, in detail, perhaps after receiving written summaries and analyses of them, may become an evolving expectation of Audit Committees.

The Audit Committee's role in reviewing executive officer compensation, incentives, reimbursements and other relationships, especially the interaction of the auditor and the Audit Committee with the Compensation Committee is unclear from AS 18. Also unclear is how auditors will apply the new auditing standards to executive compensation, and address or understand company risks presented by the executive compensation structures. However, in practical effect, it is likely that auditors will likely make inquiry of the Compensation Committee and Audit Committee as to the structure, incentives and risks associated with executive compensation, especially as the auditors will now have to report to Audit Committees about executive compensation arrangements as part of the auditors' required communications. The Audit Committee will likely need to consider the circumstances under which company relationships and/or transactions with executive officers have been permitted and whether such relationships and/or transactions are appropriate or necessary and in the best interests of the company or present risks to the company. Any report by compensation consultants or others that advise the Compensation Committee, especially as to the incentive structures of stock, option and bonus awards, will presumably also be provided to Audit Committees.

Continued ISS Corporate Governance Scrutiny of Audit Committee Members

Institutional Shareholder Services Inc. (ISS), in late 2014, updated its corporate governance benchmarking tool, QuickScore. One of the updated factors to consider is that QuickScore now includes a question regarding the number of financial experts (zero, one or two) serving on the Audit Committee. Quickscore is a scoring system, used by ISS, where every evaluated company is assigned a score from 1 to 10. This question regarding the number of financial experts on the Audit Committee is one question used in creating a score for the Audit & Risk Oversight category. Previously, ISS tracked this information but it was a "zero-weight" factor, meaning that it did not impact companies' scores. The number of Audit Committee financial experts becomes an express factor in ISS' evaluation of corporate governance risk and could ultimately impact ISS proxy recommendations and institutional investors determinations as to director votes.

In light of this change, if a company's board has designated only one financial expert on their Audit Committee, the board might consider designating a second, assuming there are additional Audit Committee members who meet the relevant criteria.

In considering additional "financial experts" for purposes of the securities laws, the board might review the qualifications of its members in confirming which of its members upon reflection might satisfy the relevant criteria. An Audit Committee "financial expert" is viewed as a person who has the following attributes: (i) an understanding of generally accepted accounting principles and financial statements; (ii) the ability to assess the general application of such principles in connection with the accounting for estimates, accruals and reserves; (iii) experience preparing, auditing, analyzing or evaluating financial statements that present a breadth and level of complexity of accounting issues that are generally comparable to the breadth and complexity of issues that can reasonably be expected to be raised by the company's financial statements, or experience actively supervising one or more persons engaged in such activities; (iv) an understanding of internal controls and procedures for financial reporting; and (v) an understanding of audit committee functions.

Contrary to general impression, an Audit Committee financial expert is not necessarily limited to former accounting firm executives or former chief financial or accounting officers of public companies. In its discretion, a board could assess a financial expert's qualifications fromthe perspectives of that person's experience with evaluating financial statements and understanding of Audit Committee functions and other relevant experience.

For this judgement, the key consideration is that a financial expert must have experience actually working directly and closely with financial statements in a way that provides familiarity with the contents of financial statements and the processes and controls behind them. This experience might encompass individuals with experience in banking, financial analysis, private equity, venture capital or principal investment activities. In addition, such experience might have been obtained from overseeing or assessing the performance of companies or public accountants with respect to the preparation, auditing or evaluation of financial statements (such as in the case of individuals who work for governmental agencies and self-regulatory and other private-sector organizations that provide oversight to the banking, insurance and securities industries and are involved on a regular basis with issues related to financial statements). Such experience is not limited to former accounting firm executives and public company chief financial officers. With the broadening responsibilities of Audit Committee members for oversight of company risks, including regulatory, compliance and enterprise risks, boards in their discretion might consider more broadly the pool of candidates for being an Audit Committee member and their application of criteria for determining who qualifies as Audit Committee financial experts.

In considering the identification of a financial expert on an Audit Committee, it's important to recognize that the SEC20 has stated that the it did not believe that the mere designation of the Audit Committee financial expert would impose a higher degree of individual responsibility, obligation or liability on that person. The SEC, in establishing the disclosure rules requiring financial expert disclosure, clarified that:

  • A person who is determined to be an Audit Committee financial expert, and is so identified, will not be deemed an "expert" for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act of 1933, as amended;
  • The designation or identification of a person as an Audit Committee financial expert pursuant to the new disclosure item does not impose on such person any duties, obligations or liabilities that are greater than the duties, obligations and liabilities imposed on such person as a member of the Audit Committee and board of directors in the absence of such designation or identification; and
  • The designation or identification of a person as an Audit Committee financial expert does not affect the duties, obligations or liability of any other member of the Audit Committee or board of directors.21

1 "Three Things US Audit Committee Members Should Consider in 2015," available at

2 Three Things US Audit Committee Members Should Consider Now," available at

3 For a more in-depth discussion on these and other topics relating to internal investigations, see MAYER BROWN LLP, SECURITIES INVESTIGATIONS - INTERNAL, CIVIL AND CRIMINAL (Steven Wolowitz et al. eds., 2nd ed. 2014).

4 In the recent case Wal-Mart Stores, Inc. v. Indiana Elec. Workers Pension Trust Fund IBEW, 95 A.3d 1264, 1268, 1279 (Del. 2014), Delaware's highest court took notice of multiple deficiencies in the way the corporation conducted its internal investigation. Though the parent company's general counsel hired outside lawyers and together produced reports on the investigation, senior management dismissed those reports and transferred control of the investigation to "one of its earliest targets," the general counsel of a subsidiary company. These factors had led the Court of Chancery to conclude that there was "a colourable basis that part of the wrongdoing was in the way the investigation itself was conducted." This dicta highlights the need for those conducting the investigation to remain and appear impartial.

5 Cruz v. Coach Stores, Inc., 196 F.R.D. 8, 231-32 (S.D.N.Y. 2000).

6 In re Kellogg Brown & Root, Inc., 756 F.3d 754, 760 (D.C. Cir. 2014) (emphasis in original).

7 Id.

8 Cf. In re Veeco Instruments, Inc. Sec. Litig., 05-MD-01695 (CM)(GAY), 2007 U.S. Dist. LEXIS 169, *15 (S.D.N.Y. Mar. 9, 2007) ("[A] document created for two purposes - a business purpose as well as a litigation purpose - is protected under the work product doctrine as long as the document would not have been prepared in substantially similar form if not for the prospect of litigation.") (citing United States v. Adlman, 134 F.3d 1194, 1195 (2d Cir. 1998)).

9 Merrill Lynch & Co. v. Allegheny Energy, Inc., 9 F.R.D. 441, 445-46 (S.D.N.Y. 2004) (internal citations and quotation marks omitted).

10 S.E.C. v. Microtune, Inc., 258 F.R.D. 310, 317 (N.D. Tex. 2009).

11 In re Subpoena Duces Tecum Served on Willkie Farr & Gallagher, No. M8-85 (JSM), 1997 WL 118369, at *3 (S.D.N.Y. Mar. 14, 1997).

12 See, e.g., In re Steinhardt Partners, L.P., 9 F.3d 230, 236 (2d Cir. 1993) (declining to find waiver of work product where the disclosing party entered into an explicit agreement that the SEC will maintain the confidentiality of the disclosed materials).

13 See In re Leslie Fay Cos. Sec. Litig., 161 F.R.D. 274, 283 (S.D.N.Y. 1995) (citing In re Steinhardt Partners, L.P., 9 F.3d 230, 235 (2d Cir. 1993)).

14 95 A.3d 1264 (Del. 2014).

15 430 F.2d 1093 (5th Cir. 1970).

16 Id. at 1103-04.

17 See 95 A.3d at 1278.

18 Id. at 1279, 1280.

19 Id. at 1280.

20 SEC Release Nos. 33-8177; 34-47235 (Disclaimer Rules Requested by Section 406 and 407 of the Sarbanes Oxley Act of 2002) (January 24, 2003)

21 SEC Release Nos. 33-8177; 34-47235 (Disclaimer Rules Requested by Section 406 and 407 of the Sarbanes Oxley Act of 2002) (January 24, 2003)

Learn more about our Corporate & Securities practice.

Visit us at

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2015. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.