E-Discovery and Legal Process Outsourcing: ESIM Process Design and Choices between Outsourcing vs. Insourcing
December 21, 2009 by Bierce & Kenerson, P.C.
State and federal rules of civil procedure and emerging common law of the discovery process impose significant costs on businesses that are engaged in litigation. Pre-trial “discovery” serves to narrow the issues in dispute by forcing the disclosure of records, including electronically stored information (“ESI”) for judicial economy, to narrow the scope of disputed issues for adjudication (such as through motions for partial summary judgment, admissions and prior inconsistent statements), and to speed the actual trial process. E-discovery has become a daily challenge for the General Counsel, the CIO, the COO and the Risk Management Department. They face a choice of policies, procedures and technologies for insourcing (such as by using forensic software and employed staff) or outsourcing for electronic records discovery management. This article explores some of the differences between insourcing and outsourcing in terms of ESI records management, legal requirements for protection and production of electronic records, project management in forensic record examination, litigation readiness, knowledge management, risk management, ethics and legal compliance.
I. E-DISCOVERY AS A SUB-PROCESS OF RECORDS MANAGEMENT.
Record and Information Management (“RIM”) Policies and ESI Management (“ESIM”). The demands of e-discovery highlight the challenges of developing and managing effective governance policies and procedures for information of all kinds, including ESI, and the challenge of adopting and updating an ESI management (“ESIM”) plan for “business as usual.” The International Standards Organization has developed a records management standard (ISO 15489-1, at www.iso.org). ARMA International (www.arma.org) has identified eight standards for records and information management (“RIM”), namely, accountability, integrity, protection, policy compliance, retrievability/availability, retention, disposition and transparency.
Memory-storage devices have proliferated, challenging the company’s records custodian. In addition to computers, there are cell phones, cameras (stand-alone or in cell phones), scanners, facsimile machines, USB “key” drives, backup hard drives and other storage devices. All pose a challenge for a fully compliant response to an e-discovery request.
Legal Requirements for Protection and Production of E-Records. Federal and state rules of civil procedure have evolved to include electronic records. See F.R.Civ. P. 26(b), 34 and 45 (subpoenas) and F. R. Evid. 901(a) (authenticity). State procedural rules have been adopted to implement the Uniform Rules Relating to Discovery of Electronically Stored Information issued by the National Conference of Commissioners on Uniform State Laws. [Copy available at http://www.law.upenn.edu/bll/archives/ulc/udoera/2007_final.htm]. Basic common law, statutory and civil procedure rules in e-discovery start with similar requirements:
- Protection: preservation of ESI through a “litigation hold” to prevent inadvertent loss when a third party demand has been made, or it has become reasonably foreseeable that such a demand will be made, and ensuring that the in-house attorney’s instruction is actually implemented (for example, avoiding the inadvertent over-writing of storage and backup tapes).
- Accountability: identifying the scope and “proportionality” of the e-discovery requirements in relation to the overall scope of the dispute.
- Cost allocation: allocating costs that are reasonable to the producing party and costs that are unreasonable to the requesting party.
- Cost management: using search terms and other cost-effective automated search technologies to get the reasonable or “agreed” coverage for the initial triage, fulfilling the approach that information technology can solve the problem of searching massive records databases using search technologies. See, e.g., Zubulake v. UBS Warburg, LLC, 2004 WL 1620866 (SDNY July 20, 2004, Judge Scheindlin) and other rulings in the same case, at 217 F.R.D. 309 (SDNY 2003), 216 F.R.D. 280 (SDNY 2003) and 2003 WL 22410619 (SDNY Oct. 22, 2003).
- Integrity (authenticity and identification of the e-record): identifying appropriate methods and procedures for ESI production, including the appropriate level and nature of legal supervision of forensic inspections, to ensure authentication under F.R.Evid. 901(b) by using circumstantial information such as the file access permissions, file ownership, dates when the file was created and when it was modified, other metadata and hash values for the record when copied to a forensic computer for analysis.
- Accessibility under the rules of evidence: identifying and managing risks of loss of evidentiary privileges by the mere use of electronic e-discovery tools and procedures.
- Accountability for Non-Compliance: identifying the sanctions for culpable conduct, mainly, “spoliation” (intentional or negligent destruction of evidence) or negligent collection done by the record custodian rather than by an automated process, such as:
  - judicial issuance of an instruction to the jury that the jury may validly draw a “negative inference” (or “adverse inference”) from the fact that the offending party could not produce the normally available documents in support of its legal arguments, resulting in a conclusion that, if the “lost” or “destroyed” records had been introduced into evidence, they would have supported a negative conclusion as to disputed factual matters; and
  - judicial sanctions including an order to pay the reasonable expenses, including attorney’s fees, caused by the violation of discovery rules, where, for example, the adverse party incurred expenses to overcome the inability to access the “lost” or “destroyed” (spoliated) records.
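The metadata-and-hash approach described in the Integrity item above, as an added example that is not part of the original article: a Python sketch that records permissions, ownership and timestamps before a file is read, copies it to an evidence folder, and checks the copy against a SHA-256 hash. The function names, manifest fields and the sample file are assumptions made for illustration.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large records do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _iso(timestamp):
    """Render a POSIX timestamp as an ISO 8601 string in UTC."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat()


def capture_metadata(path):
    """Record circumstantial details BEFORE the content is read,
    because reading can update the access time on some filesystems."""
    st = os.stat(path)
    return {
        "path": os.path.abspath(path),
        "size_bytes": st.st_size,
        "permissions": stat.filemode(st.st_mode),
        "owner_uid": st.st_uid,
        "owner_gid": st.st_gid,
        "modified_utc": _iso(st.st_mtime),
        # On Linux st_ctime is the inode change time, not the creation time.
        "changed_utc": _iso(st.st_ctime),
        "accessed_utc": _iso(st.st_atime),
    }


def collect(source_path, evidence_dir, collected_by):
    """Copy one record into evidence_dir and return its manifest entry."""
    metadata = capture_metadata(source_path)
    source_hash = sha256_file(source_path)
    os.makedirs(evidence_dir, exist_ok=True)
    copy_path = os.path.join(evidence_dir, os.path.basename(source_path))
    if os.path.exists(copy_path):
        # Never overwrite something already collected.
        raise FileExistsError(copy_path)
    shutil.copy2(source_path, copy_path)  # copy2 keeps the modification time
    if sha256_file(copy_path) != source_hash:
        raise IOError("copy does not match source: " + source_path)
    return {
        "source": metadata,
        "copy_path": copy_path,
        "sha256": source_hash,
        "collected_by": collected_by,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify(entry):
    """Re-hash the evidence copy and compare it with the manifest value."""
    return sha256_file(entry["copy_path"]) == entry["sha256"]


if __name__ == "__main__":
    # Constructed sample record; not taken from any real matter.
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "memo.txt")
    with open(sample, "wb") as fh:
        fh.write(b"Constructed sample record for the hold.\n")

    entry = collect(sample, os.path.join(workdir, "evidence"), "examiner-01")
    print(json.dumps(entry, indent=2))
    print("copy intact:", verify(entry))

    # Any later change to the evidence copy is detected on re-verification.
    with open(entry["copy_path"], "ab") as fh:
        fh.write(b"altered")
    print("copy intact after alteration:", verify(entry))
```

The manifest entry is what would be retained alongside the copy; a later `verify` call against it shows whether the evidence copy still matches what was collected.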
Project Management in Forensic Record Examination. Within a holistic approach to ESIM, e-discovery tools and techniques can be identified along the continuum of “cradle-to-grave” (or more appropriately, “cradle to judge and jury”) progress. As a sub-process of electronic records management, an e-discovery process model can be used to identify the particular role or function of third-party software, in-house resources and an outsourcer’s resources. By looking holistically at the end-to-end chain of processes leading to satisfactory e-discovery compliance, under such a paradigm, the end-result, production and presentation of ESI, can be managed by effectively adopting either a total control at the “information management” level (when records are initially created and stored). The following is our own view of electronic discovery records management (“EDRM”) as a subset of an enterprise-wide holistic ESIM resource management paradigm for governance, risk management and compliance in e-discovery:
Litigation-Readiness: Converting “Business as Usual” IT into Information Management Operations for E-discovery. Information technology plays a strategic role in the enterprise’s ability to comply with e-discovery mandates. The enterprise’s legal department should team up with the IT department, the records management department and the line-of-business management to participate in the design – or re-design – of the enterprise’s information management operations and records management. E-discovery compliance features are now available through software that can troll the enterprise’s entire ESI and search for information according to a myriad of legal and business terms and technical parameters. In conjunction with the CIO and the records management department, the legal department can:
- Gap Analysis: Conduct a “gap analysis” to identify which features are missing from those that are recommended or required under the applicable rules of civil procedure and common law, particularly those policies and procedures that involve data collection, classification, accessibility, storage, retention and destruction.
- Strategic Access Plan: Develop a strategic access plan for the full life-cycle of “business as usual” and custody and control, including audit, of the company’s information and litigation-relevant information.
- Process Design using an ESIM Paradigm: Apply the e-discovery records management sub-process of the enterprise’s holistic ESIM model to identify and segregate functions that will be performed by in-house or captive resources and those for outside legal counsel and outsourcing service providers.
- Cross-Border Considerations: Integrate multinational and cross-border legal mandates into the design of the information technology and information management systems, at an early stage in the e-discovery process, to avoid breaches of foreign data protection and privacy laws when complying with U.S. judicial rules of procedure.
- Integration of Internal and External Resources: Develop policies and procedures for use of outside litigation support services providers and an array of personnel and technology resources both domestically and internationally to fulfill e-discovery compliance mandates, without adversely impacting the ongoing business operations.
Litigation-readiness must be added to the selection criteria for new IT initiatives such as “cloud computing” (here, the “software as a service” model, not the “variable IT computing-power as a service” model), internal and external social networks, Twitter and internal and external collaboration platforms such as wikis, e-rooms and Google Wave.
Knowledge-Management Readiness: Managing and Protecting Corporate Knowledge. “Knowledge management” refers to policies, procedures and technology that enable an enterprise to capture, organize, identify, re-use and protect the confidentiality of its trade secrets. Knowledge management (“KM”) procedures must also enable the enterprise to distinguish among sources of confidential information that may be trade secrets, copyrights or patents of third parties (including “freeware” and “open source” software) as well. Accordingly, CIOs must adopt KM planning strategies that, in conjunction with legal and compliance departments, also serve regulatory and legal requirements. The IT infrastructure needs to identify all such trade secrets during the e-discovery process so that, if disclosable, they are subject to non-disclosure and non-use under appropriate protective orders.
II. RISK MANAGEMENT
Risk of Spoliation by Employees and Contractors. According to one e-discovery service provider, a large majority of all corporate litigation is employment-related. If employees have access to change ESI, disgruntled or negligent employees pose a major risk of spoliation. Employees can unknowingly or intentionally destroy ESI evidence. Such actions can range from concealment (through downloading pirated software that deletes files on the employee’s web surfing history) to sabotage (actually deleting documents).
As a result, the legal department and the CIO need to develop IT-enabled solutions to prevent such acts. This article does not address this particular issue, but it highlights the need for appropriate design of the overall information management architecture as a preventive measure.
Risk Management. From the risk-management perspective, a proper defensive strategy will require an alliance between the company’s Legal Department, its Risk Management department and its IT department.
- IT Role. The IT department needs to work with the Legal Department to ensure a proper chain of custody and proofs of authenticity.
- Insurance. The Risk Management Department needs to help design and review the e-discovery process. Sanctions for spoliation have implications for coverages for directors and officers, employment practices, errors and omissions and general liability. The records manager needs to understand how the company’s Records Management (destruction) Policy meets e-discovery requirements.
- Legal Department. The in-house Legal Department must not only manage the e-discovery process. It must design and manage effective records management policies, educate all employees about the e-discovery process and its role in management of risks, knowledge and records.
III. BUSINESS MODELS: INSOURCING, CAPTIVES AND OUTSOURCING
Business Models for Insourcing. Before comparing outsourcing and insourcing, it is helpful to consider the different business models in which an internal e-discovery operation can be financed. These models can be summarized:
- Infrastructure Investment in a Complete e-discovery Toolkit. At the “high end,” the enterprise can make a capital investment in the essential tools of a fully “in-sourced” e-discovery operation. Such an investment will have significant payback for enterprises having a high volume of litigation with predictable volumes of e-discovery demands. Such enterprises will need to invest in all the people, process and technology necessary for the operation. If the operation is highly automated, it can be effectively managed onshore. If it requires substantial human review, part of the operation may be handled in offshore locations with remote access, security controls and other measures to prevent loss of confidentiality, competitive advantage and effectiveness. This leads to consideration of a captive e-discovery service delivery center. In this case, outsourcing can be a viable solution for that portion of the e-discovery process that requires supervised human review and analysis.
- Pay-Per-Use Pricing. Where litigation is more volatile in terms of volume and timing, a “pay-per-use” pricing for insourced use of third-party technologies can prove cost-effective. This pricing model provides some benefits to enterprises that have very few litigations, but a large volume of ESI for assembly, analysis, protection and disclosure.
- Consumption-Based Pricing. Consumption-based pricing reflects the volume of ESI being sorted and analyzed. This pricing model provides benefits for enterprises that want to allocate litigation costs to individual lines of business or affiliated companies, as a charge-back accounting principle that effectively rewards litigation-free business managers for staying away from the judicial system.
Relative Advantages of Insourcing.
- Industries Affected by Persistent Litigation. Several software tools exist that allow in-house counsel and the CIO to conduct the full forensic discovery using staff employees. Internalization of the discovery process makes economic sense where the company is constantly involved in litigation. Such companies typically include insurance companies, banks, consumer products manufacturers, and can include food service chains and franchisees. Other companies that are subject to class action claims for torts or securities law violations can fall into this category as well, impacting virtually any publicly traded company that has a volatile stock price.
- Control of Records Management; Cost Management. Software and IT services companies argue that insourcing can significantly reduce the costs of e-discovery. They argue that, by taking control of the forensic search, collection, analysis and processing of a company’s electronic records, companies have more flexibility and control over the manner in which these critical discovery processes are conducted. This control can translate into cost savings by enabling a closer supervision on-site by the internal lawyers. Cost savings must be compared to comparable external services. Cost savings that might arise from an easier ability to make small changes in the search criteria, for example, may result in a loss of the hard-wired “e-discovery plan” that serves as the basis of justifying to the court that the discovery disclosures comply with civil procedure to locate and disclose all relevant records.
- Protection of Trade Secrets and Intellectual Property. Insourcing, or using captives, can provide a significant level of additional protection for knowledge management, trade secrets and intellectual capital. Such protection comes at the cost of maintaining internally controlled resources. Outsourcers will claim that their security levels are higher than those in many global enterprises. Outsourcers offer personal non-disclosure covenants by individual employees. But there is always a risk, whether through insourcing or outsourcing, that the personnel having access to trade secrets, for example, might abuse their positions of trust through tipping a securities investor, selling the ideas to a competitor of the enterprise or other tortious conduct. Even a non-disclosure agreement does not constitute a valid non-competition covenant, and even non-competition covenants are unenforceable as a matter of public policy unless strictly limited in time, territory and scope, and (in California and some other jurisdictions) they may require additional payments of consideration. In short, neither insourcing nor outsourcing appears to have a clear advantage in this field, except that e-discovery managers who are employed by the enterprise might offer an advantage by having ongoing knowledge of what is (and is not) a trade secret for faster, better, “cheaper” claims to a protective order.
- Effectiveness of Coordination and Collection of ESI. The use of skilled internal people who know the company’s operations may be able to provide better collection and coordination of ESI. However, “professional” e-discovery service providers may have the advantage in skills at the beginning as the company’s internal personnel become familiar with the processes and technology of e-discovery. Hence, insourcing might follow outsourcing until the processes can be internalized.
- Reduction of Risks of Noncompliance with e-discovery Rules. Well-trained, well-supported internal personnel might be able to reduce risks of non-compliance in the typical e-discovery process.
Relative Advantages of Outsourcing e-discovery. Outsourcing of e-discovery processes may be costly, but it may be the best solution for several reasons. This requires an analysis of the relative merits. This “gating analysis” should include appropriate considerations of staffing, quality, ethical risks and speed.
- Staffing. One of the key benefits of outsourcing, and one of the key parameters in selecting the right outsourcing service provider, is the service provider’s staff. The best outsourcers have developed a methodology for human capital management in the specialized field of e-discovery and related disciplines. The outsourcer designs a service delivery platform, recruits, trains and tests its staff in generic functions (including project management, information technology and security) and then offers this staff for custom-training on the litigating company’s particular process and e-discovery requirements. Using a business company to provide litigation support can run afoul of ethics and disciplinary rules applicable to the litigating company’s (or its law firm’s) lawyers. The Law Society rule in England will be changed if and when a pending draft law is modified to permit competent non-lawyers to perform tasks that might be considered the practice of law. Under applicable ethics opinions of the American Bar Association and various city and state bar associations, the in-house lawyer or outside law firm cannot escape certain core ethical duties:
- to supervise the work of the outside service provider;
- to avoid assisting in the unauthorized practice of law (“UPL”);
- to ensure the protection of client confidences;
- to avoid waiving any rule permitting a claim of legal privilege (and to rectify innocent or mistaken disclosures, see e.g., Fed. R. Evid. 502);
- to avoid conflicts of interest;
- to protect against data loss, theft or other act or omission that might constitute sanctionable spoliation;
- to comply with the rules of court relating to e-discovery and management of ESI at all stages.
- Vendor selection involves finding the right fit for the particular litigating company’s legal, regulatory, compliance, privacy, legal ethics and security requirements.
- Service Level Metrics and Quality Considerations. Few internal employees want to live by performance metrics. Outsourcers live by “guaranteeing” service metrics and other quality parameters.
Offshoring Issues. In considering an offshore captive or an offshore LPO outsourcing, the company’s lawyers must evaluate special cross-border legal issues.
- Export Controls. By transferring any U.S. data abroad, the company may require a license from one or more branches of the U.S. government. While commercial information may be subject to a general export license that does not require any notification, filing or administration, some information (such as software or design information that may have dual civilian and military uses) may require a specific license. Similar issues arise where the company’s ESI includes trade secrets, pending patent applications and other information that is subject to a required export license.
- Data Protection. Data protection rules under HIPAA and other legislation may apply to the data being processed. Foreign LPO service providers must ensure compliance.
- Privacy. Privacy rights arise from many legal sources and different jurisdictions. Depending on the source of any personally identifiable information (“PII”), any transfer of company records to a foreign LPO service provider may violate applicable rules. This issue suggests a proactive approach in the design and implementation of the company’s overall information management systems.
- Third-Party Consent. The information in a company’s database may include information that is licensed under restrictive disclosure conditions or where a third-party’s consent is required by an applicable law. Third-party consent may be required.
- Client Consent. The information in a company’s database may also require the client’s consent.
- Political Risk. Foreign service providers come with a suite of political risks that could impair service quality, timeliness of service, confidentiality and other custody and control issues for the ESI and the foreign nationals accessing such ESI.
IV. PROJECT MANAGEMENT
Most effective e-discovery procedures will require effective integration of internal and external resources. The design, planning, implementation, performance, intermediate re-balancing and supervision of all resources remain, of course, in the hands of the company, and, in particular, in-house attorneys. The Legal Department (which is ultimately responsible) may wish to consult with “outsourcing lawyers,” not merely with litigation counsel, on achieving a flexible, cost-effective, efficient design, vendor selection and supervision, review of compliance with ethics rules and project management.
Evaluation Process. Companies evaluating an LPO solution for e-discovery (or any other LPO) should therefore carefully explore all relevant implications, design the program for compliance and quality of service, and address special issues involving any cross-border data flows and other commercial requirements, judicial rules, and legal and ethical requirements.
Project Management Roles. Each LPO project requires thoughtful and careful attention to ensuring that all responsibilities of the different parties are aligned with their roles. Within the outsourcing model, there is room for designing and allocating roles and responsibilities to give in-house attorneys control of the process so that they can manage the ethical responsibilities. The introduction of the LPO service provider raises new questions whether the cost-controlling measures will impair (or improve) the quality of the outcome. External lawyers could also manage the service providers.
V. BUSINESS MODELS
- Business Models. Currently, most LPO e-discovery services are conducted under business models of insourcing (including contract attorneys), captives and outsourcing.
- New Models. Over time, companies and their legal counsel will become more familiar with the tools, alternatives and strategies for effective LPO, including identifying and assessing risks and evaluating a risk-benefit matrix. With greater maturity in capabilities, new business models for identifying and managing e-discovery processes, tools and personnel may evolve. The impact of cloud computing, platform-as-a-service, software-as-a-service, virtualization of both servers and client computing and mobile computing will challenge enterprises and their technology and legal service providers to integrate a holistic and global ESIM process to incorporate the EDRM subset as “business as usual.”
Code of Ethics for Auditors: Some Case Studies and Legal Principles in Auditing Standards
October 9, 2009 by Bierce & Kenerson, P.C.
Auditors have their own codes of ethics. Where there is no code of ethics, or where the code of ethics permits a degree of conflict of interest, the auditors tread at their own risk. The following case study underscores the traditional common law obligations of auditors as fiduciaries, even before the adoption of the Sarbanes-Oxley Act of 2002. This section covers some basic issues in auditing standards.
Case Study #1: Cap Gemini and Ernst & Young, Potential Self-Dealing
Responding to SEC criticism of ostensible conflicts of interest, some major accounting firms, such as KPMG and Arthur Andersen, have spun off their consulting arms as independently owned and managed entities. Ernst & Young LLP chose another route. The story of E&Y and its alliance with Cap Gemini leads from a regulatory no-action letter to a court case alleging breach of the accountant’s fiduciary duty. The tale leads to “lessons learned.”
Independence of Auditors: SEC No-Action Letter to Ernst & Young LLP on Alliance with Cap Gemini Ernst & Young LLC.
By no-action letter dated May 25, 2000, the SEC’s Chief Accountant advised Ernst & Young LLP that it would consider E&Y to maintain its independence even though Cap Gemini Ernst & Young were to provide IT services to E&Y audit clients. The no-action letter imposed a number of conditions that (1) limit at the outset and within five years end E&Y’s equity interest in Cap Gemini; (2) impose limitations on Cap Gemini’s use of the E&Y name; (3) require a strict separation of E&Y and Cap Gemini’s corporate governance; (4) forbid any revenue sharing between E&Y and Cap Gemini; (5) forbid any joint marketing agreements between E&Y and Cap Gemini; and (6) restrict any shared services between E&Y and Cap Gemini. Letter of Lynn E. Turner, Chief Accountant of SEC, to Kathryn A. Oberly, Esq., Ernst & Young, May 25, 2000. http://www.sec.gov/info/accountants/noaction/lteyltr.php
Litigation Alleging Breach of Accountant’s Fiduciary Duty; Liability for Systems Integrator’s Nonperformance.
Unfortunately, an SEC no-action letter is not a vaccine against client lawsuits. Accountants engaged in management consulting should pay careful attention to a ruling against Ernst & Young, LLP (“E&Y”) and its successor in interest (by sale of consulting business), Cap Gemini Ernst & Young, U.S. LLC (“CGEY”). This case is instructive to anyone in a licensed professional capacity engaged in ancillary or multidisciplinary consulting practice.
Pre-Trial Ruling.
In a pre-trial ruling in early January 2002 on a motion to dismiss, without deciding the final outcome, the court found that E&Y was potentially legally subject to claims of breach of fiduciary duty and punitive damages arising out of a failed software implementation by CGEY, a company in which apparently E&Y is a substantial owner. (There was no allegation or showing of a failure to exercise the skill and care of a reasonably diligent accountant, so the court noted that there were no claims of professional malpractice (whether relating to accounting or computer consulting).)
Alleged Misrepresentations by Accountants.
The alleged facts of the case, if true, would be particularly egregious. The following reports are provided according to the court’s pre-trial decision. Whether the allegations will be proven remains to be seen.
In June 2000, E&Y recommended to a client, a medical and nutritional company, to retain CGEY as the vendor to implement a commercial off-the-shelf software package that the client had selected, based on E&Y’s recommendation, for its short and long-term business needs. E&Y made a number of representations to the client to induce the client to hire CGEY, and the court concluded that, without those representations, the client would probably have selected another IT service provider. E&Y reportedly represented that (1) CGEY was competent, experienced and qualified to implement the system selected by E&Y, and (2) CGEY’s performance of services had already been “coordinated” with E&Y.
Existence of Fiduciary Duty.
A fiduciary relationship existed between the accounting firm and its client for several reasons. First, the client had developed a relationship of trusting the accounting firm’s judgment based on prior professional services. Second, the accounting firm offered to provide additional consulting services. Third, the medical and nutritional company was less sophisticated than the accounting firm in the “specialty” for which the accounting firm and the services firm were hired.
Potential Breach of Accountant’s Fiduciary Duty.
Thus, “[w]hen a fiduciary fails to disclose personal interests preliminary to contract, and/or represents the existence of a questionable competence and experience critical to the contract and procures a benefit such as that alleged to E&Y and the newly formed CGEY, the risk of liability for the negligent misrepresentations and a question of fraud is properly alleged.” Atkins Nutritionals, Inc. v. Ernst & Young, LLP, NYLJ, Jan. 10, 2002. Accordingly, a fiduciary relationship arose and could have been breached if proven at trial.
Case Study #2: KPMG Canada: Lack of Independence.
In June 2005, the Securities and Exchange Commission entered into a settlement, in an enforcement action, with KPMG LLP (KPMG Canada), a Canadian audit firm, and two of its partners, Gary Bentham, the audit engagement partner, and John Gordon, the concurring and SEC reviewing partner. The SEC asserted that KPMG Canada, Bentham and Gordon lacked independence when they audited the 1999 through 2002 financial statements of Southwestern Water Exploration Co. (Southwestern), a now-bankrupt Colorado corporation.
The SEC claimed that KPMG Canada provided bookkeeping services to Southwestern and then audited its own work. Specifically, after KPMG Canada prepared certain of Southwestern’s basic accounting records and financial statements, it issued purportedly independent audit reports on those financial statements. KPMG Canada’s audit reports were included in Southwestern’s annual reports that were filed with the Commission.
The SEC found that KPMG Canada, Bentham and Gordon engaged in “improper professional conduct” within the meaning of Rule 102(e) of the SEC’s Rules of Practice by virtue of their violations of the auditor independence requirements imposed by the Commission’s rules and guidance and by generally accepted auditing standards in the United States.
Some Rules of Ethics for Auditors
The Sarbanes-Oxley Act sets new standards of independence for auditors.
Public Companies.
Such standards created such friction between public companies and their auditors that decisional gridlock set in. On May 16, 2005, the Public Company Accounting Oversight Board (established under the Sarbanes-Oxley Act, to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports) issued a policy statement on its Auditing Standard No. 2. The PCAOB’s Policy Statement sought to ensure some level of reasonableness and flexibility in the conduct of audits. As it noted:
In particular, the staff questions and answers seek to correct the misimpression that certain provisions of Auditing Standard No. 2 need to be applied in a rigid manner that discourages auditors from exercising the judgment necessary to conduct an internal control audit in a manner that is both effective and cost-efficient. The Policy Statement expresses the Board’s view that, to properly plan and perform an effective audit under Auditing Standard No. 2, auditors should:
- integrate their audits of internal control with their audits of the client’s financial statements, so that evidence gathered and tests conducted in the context of either audit contribute to completion of both audits;
- exercise judgment to tailor their audit plans to the risks facing individual audit clients, instead of using standardized “checklists” that may not reflect an allocation of audit work weighted toward high-risk areas (and weighted against unnecessary audit focus in low-risk areas);
- use a top-down approach that begins with company-level controls, to identify for further testing only those accounts and processes that are, in fact, relevant to internal control over financial reporting, and use the risk assessment required by the standard to eliminate from further consideration those accounts that have only a remote likelihood of containing a material misstatement;
- take advantage of the significant flexibility that the standard allows to use the work of others; and
- engage in direct and timely communication with audit clients when those clients seek auditors’ views on accounting or internal control issues before those clients make their own decisions on such issues, implement internal control processes under consideration, or finalize financial reports.
Private Companies.
Where the audit client is a privately owned business (such as a private enterprise customer or a private service provider), auditor independence rules still apply. Reviewing Case Studies #1 and 2, the auditors could probably have avoided the claims of breached fiduciary duty if they had made suitable disclosures and had remedied, or caused their consulting affiliate to remedy, a failed software installation.
In that case, the auditors should:
- disclose their conflict of interest to the client and obtain waivers (similar to the waivers obtained from medical patients undergoing surgery);
- remedy the flaws in the selection of off-the-shelf software, the systems integrator, and the systems integrator’s lack of skills to cure the defects impeding software performance; and
- learn from similar client-relationship mistakes that had been subject to prior, unrelated litigation.
The court’s ruling is based on existing rules governing independence of auditors.