Prove that your corporation is trustworthy in the eyes of employees, customers, business partners, regulators, and the public
Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process, by Charles Cresson Wood
- Does the Duties Audit™ process always generate a standard type of Professional Opinion? Yes, there are only four types of possible Professional Opinions: “fully compliant,” “close to compliant,” “not compliant,” and “unable to determine compliance.” This standardization of the results produced enables the Duties Audit process to be readily incorporated into contracts using the notion of “incorporation by reference,” and also to be incorporated into other business processes since the Duties Audit process is a fully scripted “black box.” This standardization also enables valid comparisons across different years, and across different firms, regardless of the Lawyer Auditors who performed the work.
- Are there multiple quality controls built into the Duties Audit process? Yes, those organizations using the process do not need to develop their own quality controls, but they are welcome to add additional quality controls if business needs so dictate. Among the rigorous quality controls already in the Duties Audit process is the optional use of an independent attorney, called a Lawyer Validator, to confirm that the Lawyer Auditor performed the Duties Audit process in a manner that was both in accordance with the instructions in this book, and also consistent with state attorney ethics codes. There are many other quality controls, such as the use of a Lawyer Supervisor to oversee the work of a Lawyer Auditor, and specific standards for the Lawyer Auditor’s preparation of working papers.
- Does the auditee firm need to develop its own project management approach so as to be able to conduct a Duties Audit? The book includes an extensively explained suggested project management approach that a Project Manager can employ. That suggested project management approach tightly dovetails with the required steps that the Lawyer Auditor must perform. Auditee firms are at liberty to use their own project management approach, but to expediently perform a Duties Audit, to make sure that all protections over the information examined (such as attorney-client privilege) are maintained, and to assure that Project Managers working on Duties Audits in future years can best use the working papers produced, the suggested project management approach is strongly recommended.
- Are Lawyer Auditors screened for independence before they begin a Duties Audit project? Yes, there are 14 rigorous tests that all prospective Lawyer Auditors must pass before they begin a Duties Audit project. These screens go well beyond the traditional conflicts screening that all attorneys must perform prior to taking on a new client. These screens include: (a) neither the Lawyer Auditor, nor his/her law firm, has performed any other project for the auditee firm in the prior five years (aside from Duties Audits), (b) the Lawyer Auditor will not be reviewing his/her own prior work, nor will the Lawyer Auditor be reviewing the work of others within his/her law firm, (c) the Lawyer Auditor has no existing business relationship with the auditee firm such as a referral arrangement, (d) the Lawyer Auditor has no material financial investment in the auditee firm, (e) the Lawyer Auditor has no relatives or close friends in the auditee firm’s Director & Officer group, (f) the Lawyer Auditor has no financial incentives to provide a certain Professional Opinion, and (g) the Lawyer Auditor has no actual or apparent material conflicts of interest. These Duties Audit screens are considerably more rigorous than the independence screens which are used for independent financial auditors.
- What if our firm is not yet ready for a Duties Audit? Can we still use the extensive checklists, legal citations, case summaries, suggested controls, and other materials found in the book for a compliance review? Yes, there are multiple stages of sophistication with the use of the material in this book. Firms that are not yet ready for a Duties Audit can use the material as a reference, to perform an internal audit or an internal compliance review. The next stage is performing an internal-use-only Duties Audit and using the results to improve the security and privacy at the firm. The stage after that is performing a Duties Audit, but confidentially sharing the results with selected business partners. The most-sophisticated stage involves performing a Duties Audit and sharing the results with the public, to obtain marketing benefits, public relations benefits, and strategic advantage. The book includes a process where the generation of “fully compliant” Professional Opinions every year, like clockwork, reliably, and predictably, is not only possible but quite reasonable, and it is this latter process which allows auditee firms to share the results publicly with confidence.
- Is the product made in the USA, and are the services your firm provides sourced out of the USA? Yes, the book was researched and developed in the USA (100% US content), it is printed in the USA, and it is shipped from a location within the USA. The Duties Audit process deals only with US law (federal statutes, ratified treaties, state statutes, common law, etc.), and is intended only to be used by US corporations that are incorporated in any US state, district, territory, or jurisdiction. Only those attorneys who are currently licensed to practice in one of those same areas are permitted to perform Duties Audits, and only those types of attorneys are in our network of Lawyer Auditors. While the Duties Audit process can be performed by any attorney licensed by a US jurisdiction, the attorneys on our staff are all based in the US, and therefore are all subject to US state ethics codes, laws, and regulations. At no point in the performance of a Duties Audit project, which is performed using the attorneys in our network, are the legal services of non-US attorneys employed, is work performed at non-US locations, or is auditee firm confidential information stored in offshore information systems.