Almost all organisations are familiar with financial audits – formal processes against defined accounting standards which are carried out by an external audit or accounting firm, reported on by them to the board, members and stakeholders of the organisation, and recorded in a formal set of report and accounts.
Many larger organisations will also carry out internal audit processes, which look not just at defined financial issues, but also at a broader range of operational issues, or at specific areas of the systems around financial organisation in more detail. Internal audit might, for example, look at payroll, accounts payable, financial controls or processes.Typically, though, there is no formal structure for a legal audit defined by any of the audit bodies. Although internal audit may from time to time look at legal, it is likely only to look at specific processes such as management organisation and process.
You may also have come across the auditing of legal functions through the Law Society’s Lexcel processes, or through the ISO 9001 quality standard, both of which can apply to legal teams and to the way they work. We will look at those in more detail later, but for our purposes, we will define a legal audit as a formal, structured review of the legal situation of the organisation.
It should look at the legal issues and risks impacting the organisation, both now and in the future, and at the way in which the organisation deals with those issues and risks – processes, documentation, reporting and outcomes.
Why consider a legal audit?
A legal audit is a powerful tool which allows you to establish a baseline for your legal position and response.
It gives you a clear understanding of your real legal situation and a formal record of what your organisation knows. It can identify risks which have otherwise not been clearly understood, or which have been masked through other controls.
It can also ensure that your organisation own the assets it thinks it owns – and indeed provide an opportunity to exploit assets which had been forgotten. Most importantly, it can remove the element of surprise about legal exposure and legal issues which have not been identified by the organisation’s day-to-day work.
It can be a real source of power and influence for the in-house legal team, who can advise from a position of strength, and can establish a sound argument for new resourcing based on the need identified by the audit.
What should be audited?
The aim of a legal audit will generally be to achieve a full health check of your legal position. Unlike a financial audit, there is no defined standard against which to audit. It is therefore for you to define the audit for your organisation in consultation with your chosen auditors.
To some extent, what is audited will depend on the nature, type and scale of your operations, but it can also include a deep dive into a particular area which is of concern. It should also be used to highlight where legal issues become real business risks to the organisation – and perhaps even threaten its survival.
Areas of audit might include:
- Organisational structure
The constitutional documentation of the organisation and its subsidiaries; whether they reflect current good practice; whether reporting, the appointment of directors and secretaries (if used) are up-to-date; whether there are any issues of concern on the public register. - Ownership documentation of organisational property and assets – is it in order?
Are there gaps or risks? Does the organisation have a system in place to track expiry and renewal dates, for example for leases? - Contractual arrangements
These will differ for various types of organisation – more complex and detailed for a contractor than for an organisation which simply provides services, for example – but should include sale and purchase documentation, key contracts, documentation and agreements. - Litigation and disputes
Both present, possible, and (if any) past, whether they impact current arrangements in any way. - Intellectual property
Trademarks, patents and other intellectual property rights and licenses. - Formal operating
Agreements, joint ventures and shareholder agreements for associated organisations. - Human resources
Policies and procedures, including employee contracts, handbooks and any trade union agreements - Risk transfer
Arrangements such as limitation of liability, insurance and third-party risk transfer agreements.
Equally, of course, if this is your first legal audit, inevitably the potential scope of the audit is much greater than if you are carrying out a regular review.
Audit and compliance
Most organisations are subject to some form of regulatory compliance; many ‘regulated’ industries such as finance and banking are subject to complex and detailed regulatory requirements, and may well have a large formal compliance function internally.
Even without that, many organisations will be subject to compliance not only with general laws and regulations but with those applicable to competition and anti-trust, health and safety, modern slavery and many other areas for which a compliance programme may be in place. Is the compliance programme up-to-date? Is it enforced?
Your legal audit might also look at the extent to which your organisation’s training programmes are current, and where training or compliance is said to be mandatory, the extent to which they are actually carried out, and actually recorded.
Many organisations have so-called mandatory training which in practice is anything but, and if an issue arises the organisation is likely to be at greater risk by having the policy but failing to enforce it. A legal audit provides an ideal opportunity to look at the range of key legal and compliance risks and establish a baseline from which to develop an action plan covering both areas.
Auditing policies, systems and structures
You may also find it helpful for your legal audit not just to examine the legal issues you may face, but the way your organisation handles them. These might include, for example:
- What is your policy on accepting different levels of risk? What approvals are needed, for example, for accepting unlimited risk or giving a parent company guarantee or bond? How do you record details of bonds and guarantees you have given?
- How do you deal with possibly contentious issues, such as non-disclosure and non-compete agreements? Who has the authority to issue and agree to them?
- What delegation of authority arrangements are in place across the organisation?
- What controls are in place for legal risk?
- How do you ensure that lawyers are not put under inappropriate pressure from clients within the organisation?
How can a legal audit be conducted?
There can be a temptation to carry out the legal audit internally – either using the team responsible for the relevant issue, or perhaps by some form of peer review, using colleagues from another legal team. These can be attractive options in terms of ensuring you have particular specialist knowledge of the issues.
Equally, though, you can introduce new risks – you and your teams may well not have the time to carry out the audit properly given all the pressures of your own work, and you may introduce your own unconscious bias to issues and apply an organisational lens rather than one orientated to the full range of external and sector risks.
For all these reasons, it can be well worthwhile to consider bringing in an external resource to carry out the audit. This could be a law firm – or a combination of law firms – to address your particular issues. It could, at least in theory, be one of the major audit firms – ideally one independent from either your own external or internal audit teams. It could be a specialist compliance auditor.
Equally, you may want to separate the purely legal issues from the organisational ones, and have a specialist legal sector organisational consultant look at your structures, systems and processes with the advantage of the output of the audit of the legal issues.
Whichever option, or combination of options, you choose, you should be clear on the scope and output of the audit. You will want to:
- define the areas to be audited, and how;
- agree on a timetable and process, and to ensure that the documentation, and the people, the auditors need to discuss are available for the audit, probably using some form of portal for the documentation; and
- have least one formal kick-off meeting to ensure that the organisation and auditors understand what is needed, and you will also find it helpful to appoint an organisational sponsor – possibly the general counsel or deputy – to be seen to have overall oversight of the process.
It is easy for colleagues to feel that a review of this nature does not have the appropriate priority, and you may well want to communicate with the team about the process, its advantages and outcomes.
It is very helpful to identify and agree the timescale and format of the outcomes in advance. You will bear in mind that the audit report is unlikely to be privileged, so if the auditor is reviewing areas of dispute and litigation you will want to agree on what can be reported, and how, in a way that will not prejudice the organisation.
You will also want to ensure that the organisation gets the most benefit from the work. It’s clear this is not simply a case of receiving a report indicating issues, risks and areas of improvement, but also areas of good practice and, crucially, a post-audit action plan.
Post-audit action plan
The real benefit of a legal audit is the preparation and delivery of a detailed post-audit action plan, and its agreement with the legal team and (if necessary) colleagues in the broader organisation as part of the audit work. If issues are identified, how will you resolve them? If documentation needs to be changed, what is the plan for reviewing and revising it? If processes and structures need to change, who needs to be involved in agreeing them?
Bear in mind that in the same way that law pervades almost every element of an organisation, it is more than likely that the actions identified as a result of a legal audit will be significant and will go across the organisation. This is not a matter for concern that they have not been addressed in the past; rather it is a matter of value that they can now be addressed.
If, as may be the case, there are a number of recommendations, you will want to ensure that they are prioritised so it can be seen what is urgent, what is important, and what can be dealt with over a longer period.
Ideally, you will want to ensure that you agree the recommendations and the post-audit action plan with the auditors, so that the legal team is seen to own the audit, the outcomes and the recommendations.
Integrating a legal audit with internal and external audit work
Some of the areas included in a legal audit may well overlap with those of the organisation’s internal and external auditors. You may well find that the best course of action is to advise those auditors of the plan to carry out a legal audit, to discuss any overlap, and to agree to share the outcome and action plan of the legal audit with them.
How can you prepare for future audits?
In essence, a legal audit is a formal, structured look at the legal issues, risks, processes and outcomes of the organisation. When you have completed the audit, you may well want to put in place formalised processes to help prepare for future audits, and benefit from this one – for example to document procedures around risk transfer, liability, documentation management and storage, intellectual property and compliance.
You may also find it worthwhile to consider adopting a formal legal quality control process to ensure that you keep those processes and procedures up-to-date and in place, perhaps by using either the Law Society’s Lexcel process or the ISO 9001 process for quality assurance, both of which are used by some in-house teams for this process.
Is it worth it?
Many legal teams will come at the question of a legal audit with some trepidation, not least because the level of legal work which they are dealing with may well be overwhelming. Many teams find it difficult to do anything except trying to cope with the day-to-day work at hand, let alone to accept new responsibilities.
The advantage of a legal audit, though, is that it gives the opportunity to allow someone else to take a dispassionate, informed, look inside, which can be immensely valuable. It can allow you to talk about legal risk, controls and resourcing with the organisation from a position of strength. It can identify opportunities to integrate yourselves with the organisation, to build stronger internal relationships, and showcase the value of your internal specialisms.
In short, it should be well worth the modest investment, and could well be used as a platform for the transformation of the way the legal team works, and to enhance the team’s standing and reputation in the organisation.
Further reading:
Lexcel: The Law Society Accreditation Lexcel | The Law Society
ISO: ISO - ISO 9000 family — Quality management