General counsels wield lots of power inside a corporation. They are the ones who translate legal mandates that influence how a corporation internalizes its compliance duties, and they have a huge range of daily tasks.

Yet despite the prominence of the GC, little is known about the operations of the legal function. Internal auditors do have an opportunity here to examine and improve the efficiency of in-house counsel and its management of external counsel.

Moreover, given the heightened enforcement environment, performing an audit of the legal department has become critical for addressing areas of regulatory compliance, financial reporting, and operational efficiency. However you might view the goals of corporate regulation—whether to increase shareholder value, protect third parties, or rein in corporate power more broadly—the GC, in framing the corporation’s response, affects how much these goals will be realized. The objectives of auditing the legal department may vary, but there are several key questions the internal auditor should consider:

  • What are the goals and objectives of the legal department? Are they congruent with those of the organization?
  • What is the legal function’s role in governance oversight (including managing risk and compliance)? Does that interface effectively with other control functions like compliance, risk, and internal audit?
  • Can the efficiency and effectiveness of the legal processes be improved?

Resources are available to assist the auditor in reviewing the legal function. A book from the Institute of Internal Auditors Research Foundation, Legal Services: Auditing the Process, provides a basic foundation for how an internal audit team can perform the audit. Organizations such as the Association of Corporate Counsel routinely survey their members to determine what issues are pressing for a shared agenda for action.

Managing risk and compliance

It’s rare that the legal function can be considered a risk unto itself. But the legal function can expose the company to various hazards. The failure to help the company mitigate risk exposures, or the mishandling of litigation, can create significant liability. So one item you want to pinpoint is the capacity of the legal department to manage activities it believes pose a significant legal risk to the company.

Auditors should be familiar with control criteria involving the legal department under the COSO framework. For example, to test the implementation and effectiveness of the control environment, auditors can compile a list of significant instances of misconduct that occurred in recent years, and then review board or committee minutes and reports to determine whether directors and executive management were apprised of such misconduct in a timely manner. Auditors can also review the minutes to see whether the board or committee followed up on allegations of a breach in internal controls, such as ordering special investigations, hiring outside advisers, requesting follow-up reports, and so forth.

One example of where legal and audit teams can cooperate is in financial statement disclosures. Does (or should) the company have a special litigation committee to approve high-cost legal services or pending litigation containing high-risk exposure? Are the compliance and legal teams involved in the disclosure committee? Among disclosure matters are contingent liabilities to legal counsel, addressed in Financial Accounting Standard No. 5. Lack of adequate disclosure can create an overall misstatement of material facts in the financial statements, even when the related accounting transactions may be conforming.

If the chief compliance officer reports to the general counsel (and your GC then reports to the CFO), consider whether your company has controls that support effective compliance and legal processes, such as:

  • Alternative reporting mechanisms that provide the CCO direct reporting to another member of senior management;
  • Procedures to have someone other than the GC authorize the CCO to conduct compliance investigations, including the right to hire outside counsel;
  • Requiring periodic direct reports from the CCO to the board, balanced by the GC’s consultation, so that both may report to and advise the board, consistent with their responsibilities.

The auditor should examine compliance and legal counsel collaboration as an important component of the overall internal control structure. A system of internal controls with strong compliance, risk, and internal audit activities can militate against inefficient and ineffective legal counsel.

Controls to trim legal costs

The general counsel also faces financial responsibilities such as monitoring budgets and reporting on expenses, so another focus of internal audits should be evaluating controls that can reduce legal costs and improve the department’s efficiency. The auditor can conduct a preliminary walk-through of legal operations to get a feel for how legal services are requested and processed. Problems can result when requests for services are informal, without clear parameters. The internal auditor should assess the inventory of legal services performed for the organization. Questions to consider when evaluating legal processes include:

  • Does the legal department review agreements and contracts, and advise management on the implications of new contracts and relationships?
  • Does the legal function stay abreast of regulatory risks and emerging requirements?
  • Does the legal department have processes and procedures for case handling, quality assurance, and documentation?

Analyses of legal operations may involve detailed testing on case files and interviews about case file content. Use analytics, including comparative benchmarking, to see how the legal function compares with others from an efficiency standpoint. Metrics relevant for the GC have become more readily available and the auditor can seek studies, such as those conducted by organizations like General Counsel Metrics Corp., for data. Some interesting fundamental metrics for the legal department provided by legal consultant Rees Morrison include:

  • A legal department’s internal expenditures are typically about 40 percent of total legal spending. The other 60 percent goes to law firms and other external service providers;
  • Of the external spending, roughly half is litigation related;
  • U.S. legal departments have three to seven lawyers per billion dollars of revenue, depending on the industry; and
  • To have one lawyer for every non-lawyer in a department is a typical ratio.

Looking at core metrics for comparison can assist in gauging whether the legal department is significantly out of line in a particular area. A GC should consider developing measures of individual lawyer productivity to assist in evaluating individual performance. Not only can suggestions be made to enhance productivity, but often the methods used to evaluate productivity can be improved.

Outside counsel

A complete legal review should also examine the use of outside counsel, to ensure that high standards of quality and cost control are maintained. Having practiced in a law firm, I know too well the drudgery of tracking billable time in six-minute increments.

Of course, there are concerns that the billable hour is a metric prone to abuse. Those in the legal profession know some of the stories, such as that of the legendary associate at a Wall Street firm, described by James Stewart in The Partners, who flew to California from New York, worked on the plane, and, by virtue of the change in time zones, billed 27 hours in one day.

An internal auditor can assist the legal department in reviewing and monitoring legal invoices. First consider some basic controls, such as billing software that can check for arithmetic errors, duplicates, and possible abuses. Billing guidelines are another key control. The guidelines should provide clear instructions for how attorneys should operate and bill when providing services. Other controls include the practice of bidding out legal services, and periodically rotating the use of law firms to ensure efficient and effective representation.

The auditor should start substantive testing by running a variety of analytics. Examples include trending legal expenses from month to month and year to year. Again, to enhance the data analysis, auditors can measure analytical results against comparable organizations within the same industry. Auditors should be alert to spikes and dips in the data set as a beginning point for further testing. Another test is to determine whether the rate charged for legal services corresponds to the contract for legal services. Trending hours billed over time, sorted by attorney and by service type, can identify aberrations.

Improving legal services

The internal auditor must always remember that an audit report on legal counsel can potentially be a source of legal liability for the business. Information gathered and reported should emphasize descriptive data and limit evaluative observations—particularly conjecture and opinion. Audit reports that are descriptive and fact-based are less likely to supply litigants and investigators anything more than they would obtain through standard discovery and information requests.

The audit of the legal department can lead to meaningful change within the organization. Internal auditors can make meaningful recommendations regarding the quality of legal work performed. The operational review of legal services can lead to recommendations that result in a reduction in costs. A skillful audit team has the opportunity to provide valuable insight into ways to improve current legal processes.