Risky business managing breach reports to ASIC by auditors

What you need to know

• Auditors have obligations to report to ASIC suspected significant contraventions by a company, registered scheme or disclosing entity of the Corporations Act 2001 (Cth) (Corporations Act) and the National Consumer Credit Protection Act 2009 (Cth) (National Credit Act). Failure by an auditor to do so is an offence attracting penalties including fines and/or imprisonment, or suspension or cancellation of their registration.
• Auditors are not required to forewarn companies of their reporting to ASIC of suspected significant contraventions. This can have a number of implications for the company's subsequent interactions with ASIC, should ASIC choose to investigate.
• Auditors may seek access to a wide variety of company books, in order to inform their decision about whether to make a report. There are particular considerations around treatment of privileged documents in this context.

What you need to do

• Agreeing an appropriate confidentiality regime for the sharing of privileged information with an auditor can provide both a mechanism for preserving privilege, and a means of furnishing auditors with necessary information.

What are auditors required to report to ASIC?

Auditors have an obligation to notify ASIC about matters that they have reasonable grounds to suspect amount to a significant contravention of the Corporations Act. Auditors must also notify ASIC of matters that are suspected contraventions not classified as 'significant', if they believe those matters would not be adequately dealt with by commenting on them in the auditor’s usual report for the company, or by bringing them to the attention of the directors of the relevant entity.¹ Separate reporting regimes apply under the Corporations Act and National Credit Act for auditors carrying out audits of entities that are financial services²  or credit licensees.³

An auditor failing to comply with these reporting obligations commits an offence and can be subject to criminal penalties including fines and/or imprisonment.⁴ ASIC can also seek to suspend or cancel their registration if it considers that an auditor has failed to adequately carry out their duties to report suspected misconduct.⁵

Risks for companies: significance and surprise

There can be significant regulatory and reputational risks for a company arising from an auditor's report to ASIC of suspected contraventions of the Corporations Act or National Credit Act. These risks are heightened where the report concerns what the Corporations Act describes as "significant circumstances".

Whether or not a suspected contravention is "significant" in this context is a matter for the auditor's judgment. Factors relevant to that judgment include the potential impact of the suspected contravention on the company's overall financial position; whether the suspected contraventions are pervasive, systemic, or continuing; the seniority of the persons involved; and any history of past non-compliance.

Importantly, auditors are not required to forewarn the company of a proposed significant circumstances report to ASIC. That means the company may have no immediate insight into any ensuing ASIC investigation into the reported matter, limiting its ability to conduct any internal investigation in advance of, or in parallel with, an ASIC investigation. In turn, that may limit or delay the company's ability to take relevant action internally to address the circumstances in question, either ahead of an ASIC investigation, or in demonstration to ASIC of remediation efforts (assuming the auditor's assessment is accepted).

That position is to be contrasted with a situation where an auditor makes a report concerning "other" (that is to say, not significant) circumstances which may give rise to a breach of the Corporations Act. Auditors making a report of other circumstances must first bring those circumstances to the attention of the company, either in the auditor's report, or by direct notification to the directors.

Mitigating the risk of an adverse auditor's report to ASIC

Self-reporting to ASIC

An auditor will likely only be able to form a view that there has been a suspected significant contravention having regard to material supplied to them by the company. That being the case, it should be that (at least theoretically) the company itself has access to information enabling it to conduct an internal investigation, obtain relevant advice, and determine whether or not to self-report potential breaches of statutory obligations to ASIC, before their auditor does so. (We don't address in this update, the positive breach reporting obligations of holders of financial services licences, which are subject to a specific regime under Part 7.6 of the Corporations Act.)

There are of course advantages and disadvantages associated with self-reporting; a company may be concerned not to make a report that is incomplete, and so may wish to investigate further before taking this step. However, a self-report can be an important first step in building a constructive relationship with ASIC and, if supported by demonstrated and effective remediation of the issue, may prompt ASIC to re-think taking enforcement action or, if enforcement action is taken, may be relevant to what penalty ASIC will seek.

By contrast, a report of significant circumstances to ASIC by an auditor that is not preceded or accompanied by a self-report from the company may contribute to ASIC forming a view that the company either has inadequate internal systems and processes to detect and address issues such as those notified to it by the auditor, or else is not being timely, full and frank in its dealings with ASIC. Such a perception can be difficult to displace, and may potentially lead to a more protracted investigation, and harsher regulatory outcomes, than if a timely self-report had been made.

Co-operating with auditors

Working constructively with auditors can significantly reduce the likelihood of a report of significant circumstances being made to ASIC (particularly without any advance notice to the company).

Auditors are required to notify the entity being audited of non-significant suspected statutory breaches, either in the audit report, or to the directors directly. Addressing potential breaches notified in this way promptly and completely can help to ensure that they do not take on the systemic or repetitive character which may see them rise to the level of significant breaches over subsequent audit periods.

If a company decides to address a potential breach notified to it by an auditor by way of an internal audit or investigation, questions can often arise as to what extent the work product of that internal audit or investigation should be shared with the company's external auditor. Where the audit or investigation is carried out by finance or accounting personnel – as distinct from lawyers, which gives rise to a different set of considerations discussed below – it would generally be in the company's interests to share that work with external auditors.

Sharing the work product of internal audits and reviews with external auditors will allow the auditors to more easily satisfy themselves that any prior notifications of potential non-significant statutory breaches have been appropriately addressed and remediated by the company, and also form the view that the company has given all information and assistance necessary for the proper conduct of the audit.

Open communication and regular dialogue with auditors generally may be repaid by the auditors in the form of an advanced warning to the company of an impending significant circumstances report to ASIC. This may permit, amongst other things, commencement of appropriate internal investigations; obtaining relevant legal advice; taking steps to remediate the issues identified; and/or the company self-reporting to ASIC ahead of, or at least at simultaneously with, the auditor's notification.

Preserving privilege

In some cases, the issue that is the subject of a potential auditor notification to ASIC is one that is already known to the company, and one that may have already been the subject of internal investigation by the company. A company may decide to share information about that matter with its auditor. This may be for any of the reasons considered above, or because the company believes that the auditor may form an incorrect view that the known issue is significant (or even an issue at all), without the benefit of that information.

The position is more complicated when the auditor seeks access to documents or information the subject of a claim of legal professional privilege by the company. While auditors have broad powers to request that books be made available to them for inspection,⁶ provided that is necessary for the proper conduct of the audit, that power does not extend to requiring the company to provide the auditor with privileged materials. Doing so without appropriate protections in place may result in the company losing the ability to maintain privilege over the materials.

If a company considers that sharing privileged documents with its auditors may be advantageous (for any of the reasons considered above), that can be facilitated by the company and auditors entering into a confidentiality agreement, detailing the specific limited purpose for sharing the documents, and how and with whom the privileged documents are to be shared. Such a document should be carefully drafted to ensure, for example, that the number of persons entitled to view the documents is not too large and is carefully controlled by the company, to ensure that the circumstances of confidentiality necessary for the preservation of privilege are not lost.

The case law illustrates the dangers of sharing privileged information with auditors without appropriate controls in place. Specifically, an auditor's letter to a solicitor requesting assistance for an audit of the solicitor's client, and the subsequent sharing of the solicitor's legal advice with the auditor, will not attract legal professional privilege if the dominant purpose of the communication is to provide information to the auditor to assist in the conduct of the audit, rather than for the dominant purpose of providing the client with legal services (even if there is a confidentiality agreement in place): 789TEN Pty Ltd v Westpac Banking Corporation [2005] NSWSC 123, upheld on appeal in Westpac Banking Corporation v 789TEN Pty Ltd [2005] NSWCA 321. In contrast, legal advice provided to a client, and shared with the client's auditor on a strictly confidential basis and only for the purposes of the audit, did not result in any general waiver of privilege in the advice: Re Northern Energy Corporation Ltd [2020] NSWSC 1073.

In any given scenario, there will be factors that are in favour of, and against, the sharing of privileged material. Each situation will turn on its own facts and circumstances, and will involve a weighing and balancing of often competing and difficult considerations. Any decision to disclose should be taken only after receiving legal advice.

^{Authors: Rani John, Partner; Peter Richard, Counsel, Phimister Dowell, Lawyer; and Michael Wu, Lawyer.} 

^Footnotes

^{1. Corporations Act 2001 (Cth) ss 311 and 601HG.}

^{2. Corporations Act 2001 (Cth) s 990K.}

^{3. National Consumer Credit Protection Act 2009 (Cth) s 104.}

^{4. ASIC Regulatory Guide 34, RG 34.42, RG 34.55 and RG 34.66.}

^{5. ASIC Regulatory Guide 34, RG 34.43, RG 34.67.}

^{6. Corporations Act 2001 (Cth) ss 312, 601HG(5).}