Compliance audits and financial audits are different animals calling for different skill sets. Level 2 Legal’s Leigh Vickery explains why your organization might not want to choose a Big Four firm.
Compliance is a top concern in the business world and an area of increasing concern for corporate board members, executives and legal departments. While privacy is certainly not the only compliance issue facing enterprises today, intense media coverage of the EU’s General Data Protection Regulation (GDPR), which became enforceable in May 2018, and the California Consumer Privacy Act (CCPA), which took effect in January 2020, has created a new sense of urgency. Concerns around privacy violations on Zoom and other videoconferencing platforms during COVID-19 and massive data breaches at major brands have only heightened the anxiety.
As more states make plans to update their own privacy regulations, compliance officers and internal stakeholders are rightfully concerned about the potential legal, financial and reputational risks of mismanaging data containing personal information. Many recognize this may not be a problem they can solve on their own and are wisely seeking outside expertise. Meanwhile, the Big Four accounting firms are offering enterprise legal services to corporate law departments and, in effect, have become direct competitors to alternative legal service providers (ALSPs) and law firms. In the Big Four’s view, the surging demand for compliance audits looks to be another promising opportunity in the legal services domain, both in the U.S. and abroad.
Whether it is a good idea for organizations whose core expertise is in financial audits to cross over into privacy or other compliance audits will vary by country, but it is a question that should give us pause everywhere. While it’s certainly true that some legal services – the most prominent example of which is probably e-discovery – now lend themselves to outsourcing to a broad range of service and technology providers, including the world’s largest accounting firms, we should recognize from the start that a compliance audit in today’s increasingly complex and dynamic regulatory environment is not a commodity – not even close. It is also something quite distinct from a financial audit, the service for which the Big Four are best known.
How Compliance Audits Are Different
The term “compliance” applies to a broad range of diverse corporate behaviors and practices in areas like finance, IT, data security, antitrust, privacy, human resources, marketing and much more. We should also note that compliance frameworks vary considerably across industries. Credit card and payments companies must be especially concerned with PCI DSS compliance, U.S. federal agencies with FISMA, health care organizations with HIPAA, broker-dealers with FINRA rules and so on.
Compliance challenges are not all the same. The skill sets required to perform an effective audit that provides the client with strategic guidance and practical, lasting remedies differ widely from project to project. Even more to the point, each individual organization has a unique configuration of technologies and internal workflows, as well as a unique organizational structure and workplace culture – not to mention its own budget constraints and tolerance for risk – so compliance challenges and solutions necessarily look very different from one organization to the next.
A financial audit is an objective and independent analysis intended to ensure an organization’s financial statements present a “true and fair” picture of its financial performance and position at a specific point in time. A compliance audit is typically much broader and far less well-defined. A compliance team must be able to examine and interpret the client’s data, wherever and however it is stored, and turn what it finds into meaningful conclusions about the organization’s actual practices. But the team must also be able to integrate data and technological expertise with a high level of legal expertise. That’s because compliance audits often lead to internal investigations, which may in turn lead to full-blown legal matters.
When a compliance auditor finds an issue that has legal implications, the client may need to act quickly and decisively to mitigate risk and limit potential damage. There can be a significant cost for not getting it right the first time. If an audit is going to serve both the immediate and long-term interests of the client, it makes sense for the compliance auditor to assume the role of a strategic partner that understands legal processes and technologies, has a firm grasp of the legal issues that may arise from a detected problem and can quickly devise and adapt legal workflows that enable an organization to respond to compliance requests appropriately.
How the Compliance Challenge Is Comparable to e-Discovery
The Big Four aspire to be full-service and highly scalable “integrators” of legal advice, legal processes and technology, and legal staffing to fill demand for niche or project-oriented skills. In theory, they can round up resources at a scale that no other organizations can match, including state-of-the-art technologies. They envision a process of accumulating interdisciplinary talent, advanced tools and process expertise to streamline the legal supply chain. But it’s not at all clear that the inherent complexities, unpredictability and client-specific nuances of compliance challenges are a good fit with the linear logic of a supply chain approach.
There are also conflict-of-interest landmines that must be navigated. Financial accounting firms are obliged to put the public interest first when they perform an audit or attestation, and they are not allowed to ignore or conceal information that may reflect negatively on a client. Organizations that offer legal services, on the other hand, are obligated to attend primarily to their client’s interest. Maintaining the integrity of these two distinct functions across thousands of client relationships on a global scale is likely to be a persistent challenge for the world’s largest accounting firms.
Furthermore, it remains to be seen whether the comparatively high cost of compliance audits by large accounting firms is sustainable in a highly competitive marketplace.
The comparison to e-discovery is instructive. Compliance practice is nowhere near the stage of maturity that e-discovery has reached after decades of intensive technology development, process improvements, best-practices guidance from industry associations and landmark legal decisions governing the use of electronically stored information as evidence. We do not have a one-size-fits-all template – something comparable to the Electronic Discovery Reference Model (EDRM), for example – that can guide organizations through a sequential, step-by-step, best-practices approach to solving compliance problems. There is not yet a standard playbook for compliance. That is partly because it is a nascent discipline that we’re only beginning to get a handle on, partly because of the rapid emergence of complex regulatory structures like GDPR and CCPA, and also because compliance projects are simply much more diverse and require a broader range of skill sets than e-discovery projects.
It’s clear that a combination of mature technology and managed review teams can be an efficient and often cost-effective way for specialized vendors to take over non-core tasks from law departments. And, in some cases, it may make sense for the legal function to outsource this kind of work on a project-by-project basis to a provider their company already relies on and trusts for financial audits, just as they might turn over routine, labor-intensive contract review to a qualified services provider that has successfully managed such projects before.
But it makes little sense to regard compliance as another service that can be fulfilled by deploying junior-level associates and ad hoc teams of IT and legal professionals who may never have worked together before and may have little, if any, experience in actual litigation or in compliance projects. This is likely to be the case at very large professional services organizations, where compliance is a new offering conceived as an ancillary service to complement core functions like accounting, auditing, consulting and corporate finance.
There is No Universal Compliance Playbook – Yet
Until we have a compliance playbook, or a series of playbooks corresponding to different industries and different regulatory frameworks, a Big Four firm may not actually be the safest or most strategic choice for compliance audits. What we need instead are legal services organizations for which compliance guidance is a core function. Such organizations do not claim to have a template for compliance; instead, they begin by taking the time to ask lots of questions of lots of stakeholders and data custodians across multiple business units. They know they must work hard to understand how each client is unique – how its data is structured, how its employees interact with that data, its information governance plan, the details of its technology infrastructure, the industries it operates in and the culture of the company – before proposing solutions. There must be deep data and technology expertise, real legal practice area expertise, seasoned and compliance-specific project management expertise, and exceptional collaboration across a team that, ideally, has years of experience working together on diverse projects.
As we emerge from the COVID-19 crisis, we can expect heightened regulatory scrutiny and subsequent litigation around privacy and liability as governments test the limits of practices like required social distancing, location-based epidemiological tracking and conflicts between the imperatives of disclosure for public health purposes on one hand and protection of individual privacy on the other. The compliance landscape presented by such scenarios is likely to make the challenges of GDPR look like a walk in the park. There is no playbook. Who will you trust to guide you through it?