Balancing the interests between attorney-client privilege and the auditor's need to know

Companies often face the tricky task of producing privileged and confidential information to their independent auditors for audit purposes. 

This article first examines a company's dilemma regarding whether to disclose any privileged information to its independent auditors. Next, it provides an overview of the existing law, which addresses when the attorney-client privilege and work product protection could be waived when documents are voluntarily disclosed to an independent auditor for the audit. Finally, we'll examine how to successfully manage the conflict between an auditor's need to know and a company's need to protect privileged and confidential information. 

A company's dilemma: To disclose or not to disclose?

Corporations hire independent auditors to perform financial audits and comply with the applicable SEC requirements, shareholder demands, banking regulations and other obligations. In the course of such audits, independent auditors review and test the corporation's financial statements, detailed books and records, and internal controls. Auditors may also request to review certain privileged information that the corporation prepared for any ongoing or anticipated litigation, including internal investigation reports, attorney memoranda evaluating possible liabilities, tax position papers, and other materials. 

Auditors may request privileged materials for several reasons — for example, to verify financial disclosures; to investigate potential "illegal acts" by a company under Section 10A of the Securities Exchange Act of 1934; or to avoid liability under the recent SEC-approved Public Company Accounting Oversight Board's Rule 3502, regarding negligence in the conduct of an audit. Auditors are not required, however, to conduct a legal assessment as to a corporation's compliance or noncompliance with law. 

Companies may comply with the auditor's request for privileged information. The potential downside to such compliance is that a third party may argue that the documents are no longer privileged because they were disclosed to a third party — the company's independent auditor. The privilege protecting such documents could be waived and such materials may become discoverable by third parties, including government agencies and a corporation's litigation adversaries. Conversely, companies may choose to decline to disclose the privileged information to their auditors. With access to less information, a company runs the risk that the auditor could be unable or unwilling to opine on the company's financial statements. 

In June 2023, PCAOB proposed a new audit standard — Noncompliance with Laws and Regulations — that would require auditors to identify and respond to NOCLAR instances, including whether a company is complying with all the laws and regulations or committing any fraud (see PCAOB Release No. 2023-003). While the rule is pending approval, if enacted, the rule may cause auditors to seek access to more privileged material to meet this obligation. 

In a surge of comments on the PCAOB's proposal, companies said the new rule could mean more correspondence with lawyers would have to be shared with auditors, with the result that it loses its legal privilege and could become evidence in litigation (see Stephen Foley's article "Attorney-client privilege at center of clash over new US auditing rules," in the Financial Times). According to one controller, company personnel may be more hesitant to disclose legal violations to their counsel if they fear that the communication will not be privileged. Defending the proposals, PCAOB chair Erica Williams said the companies' noncompliance with laws and regulations, including fraud, can have devastating consequences for investors. Regardless of whether the PCAOB ultimately adopts such requirements, companies have ways to satisfy auditor demands that best protect the applicable privileges.

Applicable law: Privileges and work product doctrines

The attorney-client privilege is designed to protect communications between clients and their attorneys. Depending on the circumstances, the protection can be waived when documents or communications are voluntarily disclosed to an independent auditor for audit purposes. In a 2019 case In re Keurig Green Mountain Single-Serve Coffee Antitrust Litig, PwC was acting as an independent auditor and received information so that it could audit Keurig's financial statements. The court held that disclosure to PwC, as a third party, vitiated the attorney-client privilege.

Unlike the attorney-client privilege, a voluntary disclosure of work product to an independent auditor does not automatically waive work product protection (see New York Times Co. v. United States Dep't of Just., 939 F.3d 479, 496 (2d Cir. 2019). To assert attorney work product protection, the corporation must show that the materials disclosed to its auditor were prepared for an ongoing or anticipated litigation. 

There are two categories of work product, each of which is afforded a different level of protection. First, there is "ordinary" work product, which includes facts and evidentiary documents prepared for an ongoing or anticipated litigation. Ordinary work product is generally subject to protections from discovery, but those protections can be overcome by the opposing party upon a showing of "substantial need" and "undue hardship." Second, there is "opinion" work product, which consists of work product that is narrowly confined to the attorney's legal analysis, mental impressions, conclusions, opinions or legal theories. Because opinion work product reflects the attorney's analysis of the client's legal position, courts typically afford it near-absolute protection from disclosure to third parties. Determining whether the work product is ordinary or opinion involves a fact-intensive inquiry. 

There is a split among the courts regarding waiver of work product doctrine for materials shared with auditors. Under the majority view, auditors are not considered "adversaries" and any disclosure of work product to them does not waive protection. In other words, a corporation's disclosure of privileged information to its independent auditor does not waive work product protection, because an auditor's role — including scrutiny and investigation of a corporation's records and bookkeeping practices — does not constitute an adversarial relationship. In a 2010 case, United States v. Deloitte LLP, 610 F.3d 129 (D.C. Cir. 2010), the court held that Dow had not waived work product protection over documents it had provided to Deloitte, its independent auditor. Id. at 140–41. The key analysis was whether "Deloitte could be Dow's adversary in the sort of litigation the [withheld] [d]ocuments address" and not "whether Deloitte could be Dow's adversary in any conceivable future litigation…." Under the minority view, however, independent auditors can be considered inherently adversarial to the companies they audit, so the work product protection could be waived by disclosing privileged materials to them. 

In the event that an opinion work product is disclosed to an auditor, courts are not likely to deem it a waiver and will protect the opinion work product from disclosure to third parties. The same level of protection may not apply to ordinary work product shared with auditors, although the majority rule still would likely provide some protection from disclosure to third parties. 

Managing the conflict: Planning, balancing and taking charge

As in any conflict situation, the means to a successful resolution is understanding the needs of all interested parties and narrowing the areas of dispute to the core issues. The key to achieving this includes planning ahead, balancing the needs of the interested parties and taking charge of the situation. 

First, consider negotiating a strong confidentiality and non-waiver agreement in an audit engagement letter from the outset. Before a company receives a request for production of any privileged materials by its auditor, the objectives of the auditor's engagements and responsibilities should be clearly defined. Any engagement letters, work plans and other documents should memorialize the scope of the auditor's confidentiality requirements. The corporation and auditor should have a mutual understanding that any information sent to the auditor would remain confidential and any disclosure to the auditor is not intended to waive any applicable privileges. 

Second, balancing the auditor's need to know with the attorney's need to protect is crucial. Blanket demands by auditors for all information possessed by counsel are intrusive and unnecessary. Equally unhelpful is the counsel who refuses to understand that the client's interests are best served by working with the auditors to help them discharge their audit responsibilities. It is essential that the auditor and the counsel communicate in detail and plan an approach that allows the auditor to gather the maximum amount of information independent of counsel, thereby lessening the burden and reliance on privileged communications and protected materials. This may involve the auditor's review of historical information and third-party documents that are not privileged. The auditor should also confer with the audit team and company counsel, and find ways of mitigating the audit's need for privileged materials. 

At the same time, company counsel should carefully examine the materials to be disclosed to the independent auditor to reduce the risk of any waiver. Although the corporation should provide all the necessary materials required by the auditor, it should do so only after conducting a thorough review of documents to ascertain whether they are truly responsive to the auditor's requests and whether there are nonprivileged materials that would suffice. Even though the majority rule protects work product, a company should limit disclosure to materials that are necessary for the auditors to complete their audit. 

To the extent possible, attorneys should limit the amount of written work product that is shared. Where feasible, the corporation should consider oral briefings that focus on nonprivileged facts. A telephonic or in-person conversation responding to the auditor's specific questions might limit the amount of written work product that needs to be disclosed. It is important to note that counsel should exercise caution even when presenting work product orally, as an auditor's notes from an oral presentation might be subject to discovery. 

If litigation arises and the auditor is subpoenaed, company counsel should closely work with the auditors and review any materials that may contain privilege or work product before they are produced. Being proactive and working cooperatively with the auditors will mitigate and avoid unnecessary disclosures.