Audit Thyself

By: Alex Gertsburg, Esq.

Most companies don’t have an in-house attorney.  If they did, do you know what those corporate attorneys would do most of the time?  As a former in-house General Counsel, I can tell you it all fell into two buckets:  proactive and reactive.  You wanted it to be a lot more of the former and a lot less of the latter.  More planning for disasters and avoiding them means less time, less energy, less stress and less money spent reacting to them.  Government agencies, plaintiffs and plaintiffs’ lawyers start investigations when a disgruntled employee or customer, or a curious investigator, files a complaint, and all of them mean one thing with certainty – legal fees.  It seems obvious because it is obvious.

The way to be proactive is to conduct a good old-fashioned internal audit.  You have to take it seriously and you have to pretend to be someone else.  It’s tough, it’s time-consuming, but it’s worth it. 

And here’s the thing:  you don’t need to have an in-house GC in your office to do that for you.  In fact, you really don’t even need an outside attorney to do that for you, though relying on one will be much more helpful, for reasons I’ll mention in a minute.  Like a lot of things in my world (now as outside general counsel to other businesses), if you study up and plan well enough, it works like this:  doing an audit with a good lawyer is better than doing one with a bad lawyer; doing one with a lawyer is usually better than doing one without; but doing one without a lawyer can still be better than not doing one at all, and not doing one is what most companies do — or don’t do.  Most companies don’t audit themselves.  That keeps their lawyers much busier later on, when they’re reacting and responding to subpoenas, lawsuits and investigations.

Here’s how you do it:

Step 1: Create a written plan.  I use a Gantt chart.  I love Gantt charts.  If you don’t know what a Gantt chart is, go google Gantt charts.  Every good project needs one.  It’s a chart that shows you a visual, calendar-style depiction of who’s doing what and when.  (Another little nugget you pick up in-house, along with how to read financial statements and how to use Excel for things other than shopping lists.)  Business people have outpaced lawyers in this area for years.

Your plan or Gantt chart will specify all the tasks in your audit, name the person responsible for each task, and state how long each task will run, from a start date to an end date.  Go ahead, google it and you’ll see what it looks like.  In fact, google some combination of “internal audit gantt chart” and you’ll see what other folks have done.

Step 2: Identify the universe of legal exposure areas that your company is likely to have.  One way of thinking about this is picturing your company as a leaky bucket and trying to figure out what’s likely to cause those leaks.  Another image I like to use is something Tony Robbins uses.  It’s a car or bike wheel divided into pie pieces radiating outwards from the center, with each piece extending out from the center only as far as the company is compliant in that area.  When one pie piece is shorter than the others (because, for example, hiring practices are 60% compliant while most of the other areas are 90% compliant), your car or bike is going to have a bumpy ride.

Usually, the exposure areas (or pie pieces) fall into these categories:  employment, tax, corporate, contracts, government regulation, real estate and information technology / security.  You want your wheel to be relatively smooth and well-rounded, your bucket devoid of major leaks.

Step 3: Next, get specific.  Drill down in those leaky areas to the ones specific to your business.  Here, talking to a lawyer helps.

Let’s do an aside here.  Here are a couple of reasons why talking to an attorney at this stage is helpful.  The first is issue-spotting.  For example, on the employment piece of your bucket / wheel, your business lawyer will ask you if you have independent contractors.  If you do, one of the drill-down areas will be proper classification of contractors and employees.  Another issue your business lawyer will spot is proper exemption classification.  A misclassification of a true employee as a disguised contractor, or of a non-exempt employee as an exempt employee, is a major leak, a major bump in the wheel that is your business.  Don’t get that wrong.  But it’s hard to spot those issues if you’re not a lawyer.  So that’s one reason why it helps to talk to one.

Another really good reason to have an attorney run your audit is that she’s more likely to be objective.  Business owners are like parents of small children, or writers of crappy novels.  They think their creations are better, or smarter, or more interesting than they actually are.  I can’t tell you how many times I’ve had to wake clients up from the sweet slumber of blissful ignorance, simply because they had fallen madly in love with the exceptional analytical skills they’d gleaned from that one semester of business law at Cleveland State (no offense to Cleveland State).

One of the best reasons to have a lawyer conduct your audit, though, is the attorney-client privilege.  With few exceptions, you can protect your compliance audit and all the nasty cobwebs it uncovers with a confidentiality that may be far stronger than any non-disclosure agreement you’ve signed with your employees, assuming you’ve signed one (something a good audit would uncover and a good lawyer would issue-spot).  Lawyers don’t need such agreements.  Confidentiality is an ethical obligation for us and we can lose our ticket if we don’t comply with it.  If your lawyer is guiding your audit, and stamping your plan and your findings with a “performed at the direction of counsel” label, and you don’t waive the privilege by (for example) posting it online or sharing it with your girlfriend, your audit should be protected from later subpoenas.

But I digress…

We’re drilling down.  

If your lawyer is involved, he’s creating more specific compliance areas based on the type of business you run and the facts and circumstances inside your business.  If you’re a manufacturer, one specific area within the government regulation pie may be OSHA compliance or environmental compliance.  If you’re a retailer, one specific area under government compliance may be FTC (Federal Trade Commission) or CSPA (Consumer Sales Practices Act) compliance.

If your lawyer is not involved, you may be able to get close by googling (is that a real word now?) “Ohio employment compliance areas” or “[your state] safety compliance” or “[your industry] government regulations”.  Spend a lot of time on this and try to create a hierarchy of compliance areas as best as you can.

Step 4: Create a compliance checklist for each area.  Again, there’s a lawyer and a non-lawyer answer here.  Lawyers will pull checklists from Lexis or Westlaw or Practical Law or some other research database for each compliance area specific to your business from Step 3.  If you’re not a lawyer, you may still be able to buy access to one of these databases, or you can google that too.  Creating good checklists is really important.

Another aside:  whether you do or do not use a lawyer, don’t expect a perfect checklist or a perfect audit.  The goal is to plug big leaks:  the ones that draw the most attention from plaintiffs’ lawyers and government agencies, the ones that have the highest rates of investigation, the ones that have the highest exposure points, the ones that will cost you the most if you get them wrong.  Again, employee classification tends to be a big-ticket item.  Same with IT security and customer contracts.  If you’re in a regulated industry, agency activity among your peers tends to be well known and easy to research.  Your particular business will also have its own priorities.

I start with Pareto’s Principle:  what are the 20% of compliance issues that tend to be responsible for 80% of the exposure?  I then expand that to 30% or 40%, until I can account for 90%-95% of the exposure points in terms of liability and expense.  This is probably more art than science, but you’re unlikely to create a 100% compliant company without making the audit process more of a pain than it’s worth.

One way to do this is to prioritize your drill-down areas and your checklist items into high-, medium- and low-risk items, and note them as such on the checklist.  Later, when you create a report card, you’ll use weighted values to create a sliding scale of scores based on the risk level of each item.

Step 5: Create your team.  Choose them wisely, assign tasks and then meet with them to explain.  Employee communications should be on a need-to-know basis.  Let employees not involved in the audit go about their business and their lives without worrying about what an audit might mean.  When we do one for our clients, we do an introductory call or meeting with managers at various tiers of the company who will be involved in the audit.  Managing communications is important to avoid panic or anxiety.  We tell managers that this is intended to help the company keep more of its money and stay out of trouble, nothing more.  We tell them it’s not intended to embarrass or punish anyone, just to identify and fix legal issues.  They tend to be receptive to this message.

We also talk about confidentiality, candor and integrity of the process.  This is important and should be carefully scripted.

Step 6: Document requests and spot checking.

Here you (or your lawyer) will send a document request to the people in your company most likely to have relevant documents.  If you get any pushback, you’re probably on to something.  Review the documents closely against the checklist items specific to documents.  If you’re in a regulated industry, there are probably disclosure obligations or magic language about privacy or warranties or something similar.  They often need to match the regs verbatim.

Many of your document requests will involve spot checking.  Sometimes you’ll want to send someone trustworthy to file locations to pull their own documents.  For checklist items that don’t involve documents (for example, is there a proper eye washing station in your garage bay, if one is required; are fire extinguishers located where they’re supposed to be, etc.), you or your lawyer or your designee will physically go to the department to observe compliance or non-compliance.

Step 7: Conduct interviews.  This is necessary to learn about processes and practices that are difficult to read in a document or observe when spot checking.  I use the “funnel technique”, where you start with open-ended questions and then drill down to the compliance checklist items, veering off when you hear something worthy of a detour.  If you’re delegating to managers, coach them on how to conduct proper interviews.

Step 8: Make written findings.  At this point, you’re going to generate a report.  Ideally, your checklist was specific enough to tell you what was necessary to comply or not comply.  Your findings should reference those items.

Step 9: Create a report card.  Here, you’ll grade your compliance and non-compliance.  We use grades like my kids use.  People seem to like that.  It’s easy to administer, and gives businesses goals to strive for in the next go-round.  Remember that not all compliance areas are equal, and not all checklist items within those compliance areas are equal.  Having an employee handbook with strict anti-discrimination policies, and having the right labor law posters on the wall, may be more important than ensuring that your vacation policy has been properly communicated to that one remote employee you have in Alaska.

Step 10: Create a fix-it report.  Once you’ve identified your leaks, create a new checklist to plug them.  This is often a copy/paste job from your report card.  Start with the high-dollar / high-risk items and work your way down, flagging any show-stoppers (or as one of my friends calls them, door-closers).  Assign each fix to a particular manager and create a new Gantt chart that says who is doing what and when.

Step 11: Follow up.  You’re almost there.  Don’t waste all that effort.  You need to follow up on the fixes to make sure they’re getting done, and then you need to do a periodic follow-up on the entire audit to make sure no one’s slacking off and that your car is still running on a smooth wheel.  I recommend revisiting your audit at least every six months, at the very least on the high-dollar items.  You also want to revisit your checklists once a year to ensure that new regulations haven’t created new compliance areas or new individual checklist items.

So, okay, I know that seems like a lot.  If you’ve read this far, though, then you’re either my mother or a businessperson who’s interested in operating your business free of legal problems.  Take my word for it — or don’t, you know this already:  be proactive, be a boy scout, be prepared.  You know I’m right.

And now you know what in-house counsel do for their clients, and what former in-house counsel do for their clients when they start a law firm.

Learn more from The Gertsburg Law Firm