For years, regulated entities have believed that having a well-documented history of self-audits would be beneficial if they were ever to get into a dispute with the government. In particular, many companies have implemented self-audit policies in hopes of taking advantage of the Environmental Protection Agency’s (EPA) Audit Policy. See Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations, 60 Fed. Reg. 66,706 (Dec. 22, 1995), amended at 65 Fed. Reg. 19,618, 19,625 (Apr. 11, 2000). For nearly two decades, the Audit Policy has encouraged industry to engage in “systematic, documented, periodic, and objective” environmental audits. The policy was intended to incentivize self-policing because, in exchange for disclosing violations discovered during routine audits, companies can be rewarded with significantly reduced penalties, including elimination of gravity-based penalties and an agreement by EPA to not recommend criminal charges.
There is good reason for regulated entities to reconsider their positive views of environmental audits and, in particular, EPA’s Audit Policy. The Audit Policy is based on the premise that a company is better off rushing (in twenty-one days, as required by the Policy) to disclose a violation. A quick disclosure was supposed to be better than the risk of having EPA discover the violation later and impose bigger penalties. The theoretical premise of the EPA Audit Policy does not work as well in an era of reduced federal spending on environmental enforcement. The Audit Policy was adopted in an era of healthy federal budgets. In the 1990s, EPA had significantly more resources than it does today to conduct “boots on the ground” inspections. According to data available on EPA’s website, the agency’s budget has been slashed by 23 percent since 2010. Its workforce has been reduced by approximately 1,300 employees during the same time frame. No relief is in sight, as President Obama’s fiscal 2015 budget requests a 3.8 percent cut in EPA’s current funding levels.
Recent budget and staff hits have directly impacted EPA’s enforcement efforts. EPA’s Fiscal Year 2014–18 Strategic Plan calls for 79,000 inspections and evaluations of regulated entities, whereas its 2011–15 Strategic Plan called for 105,000—a 25 percent decrease. The agency’s 2014–18 Strategic Plan also states the agency intends to file 28 percent fewer civil and administrative enforcement actions compared to the goals set forth in its 2011–15 Plan. Cynthia Giles, head of EPA’s Office of Enforcement and Compliance Assurance (OECA), has attempted to put a positive spin on the agency’s declining enforcement efforts by promoting EPA’s “Next Generation Compliance” or “Next Gen” initiative. In an article outlining the initiative, Giles acknowledges EPA’s limited capabilities to uncover violations, stating “a small number of federal and state enforcers cannot effectively police millions of regulated facilities.” See Cynthia Giles, Next Generation Compliance, The Environmental Forum, Sept./Oct. 2013, at 24–25. The Next Gen initiative promotes advanced pollution monitoring technologies, electronic reporting, and increased public access to data submitted by regulated entities. Giles’s article and other information published by the agency make clear that EPA is moving away from traditional methods of law enforcement in favor of promoting technology and transparency.
While increased use of technology and public disclosure sound good in theory, it remains to be seen how Next Gen will be implemented in practice. The initiative is still in its infancy. Many of the goals cited in Giles’s article are aspirational and may take many years to implement. Over time, EPA may be able to use technology and data sharing to transform how it compels compliance. In the short term, however, the reality is that EPA has fewer resources to investigate and prosecute violations.
EPA’s changing enforcement strategy (and declining budgets) may bring an end to the Audit Policy. In 2012, OECA considered prohibiting EPA regional offices from acting on disclosures made pursuant to the Audit Policy without first obtaining OECA’s approval. OECA also proposed reducing its Audit Policy “work to a minimal national presence” because “the benefit from those disclosures is estimated to be significantly less than from traditional enforcement, and the disclosures have generally not focused on the highest priority areas.” OECA eventually backtracked on this proposal. In its final fiscal year 2013 National Program Manager Guidance, OECA did not require regional offices to obtain advance approval before acting on Audit Policy disclosures. See OECA, FY 2013 National Program Manager Guidance at 15 (April 30, 2012). However, OECA also made clear that it was reconsidering the merits of the Audit Policy, stating the agency “is considering several options” for changing the policy, “including a modified Audit Policy program that is self-reporting.” Id. While it is not clear what a “modified” and “self-reporting” Audit Policy would entail, it is clear that EPA is considering significant changes to its audit program.
The questionable status of EPA’s Audit Policy and declining enforcement resources give rise to several questions: How should companies evaluate their own compliance, given the changing enforcement environment? If EPA has fewer resources to discover a violation through traditional enforcement methods, and if EPA does not have the budget to review disclosures, why risk turning over the results of an audit? Should companies continue on a “business as usual” approach and conduct routine audits on the assumption they will be able to use EPA’s Audit Policy to their advantage in the future?
In the face of these uncertainties, some have argued that regulated entities should continue to rely on EPA’s Audit Policy. The EPA’s Audit Policy, however, only provides an incentive for disclosure if there is a real risk that EPA would discover the violation on its own. Moreover, EPA’s Audit Policy contains a major limitation that is a disincentive to self-policing, namely, the lack of privilege protection. Evaluations conducted pursuant to the EPA Audit Policy are, by definition, “systematic” and “periodic.” Such routine audits would not be protected by the attorney-client or work product privileges, as they are conducted pursuant to a routine practice and not for purposes of preparing for litigation. Moreover, EPA has made clear that audit results disclosed to the agency could become public documents. In adopting the Audit Policy, EPA specifically rejected proposals that it treat audits disclosed pursuant to the policy as privileged.
Given EPA’s current limited enforcement budget and the uncertain future of the Audit Policy, it may be time for regulated entities to take an alternative approach to audit work. When faced with questions concerning environmental compliance, companies may find it more beneficial to engage in one-time-only “internal investigations,” rather than routine environmental “audits.” A company may be able to accomplish the same goals with an internal investigation that it could with a routine audit—with the added benefit of having a much better chance that the internal investigation will be protected from public disclosure.
While an internal investigation and routine audit may both provide the company with the benefit of assessing a compliance issue, there is a fundamental difference between the two exercises. To gain privilege protection, the internal investigation must be conducted in anticipation of litigation and for the purposes of assisting an attorney with that litigation. For example, in Hickman v. Taylor the United States Supreme Court held that an attorney’s interview summaries concerning a boating accident should be protected because the documents were “essential to the proper preparation of a client’s case.” 329 U.S. 495, 510–11 (1947). The Hickman decision, which established the work product doctrine, provides a good frame of reference for modern responses to potential environmental violations. If the company might have an interest in keeping its self-evaluation confidential, it should design its response as an investigation for purposes of preparing for litigation—not as a routine audit.
The precise format of an internal investigation will, of course, depend on the nature of the environmental concern at issue. The following is a nonexhaustive list of best practices that can improve the chances of an internal investigation remaining privileged:
(1) Identify the litigation risk before beginning the investigation, and tailor the investigation to address that risk. The broader the review, the more likely a court may determine it served a general business purpose and is not privileged.
(2) Counsel (whether inside or outside) should manage the investigation. Business divisions of the company should be involved in the investigation only if necessary to support counsel. A company may want to delegate management of the investigation work to outside counsel, as opposed to using its in-house attorneys. Involvement of outside counsel may improve the chances of the review being considered privileged.
(3) To the extent outside consultants or experts will be involved in the investigation, they should be hired by counsel’s office and report to counsel. Any contract or agreement counsel enters into with the outside consultant should identify that the purpose of the engagement is for the consultant to advise counsel on a litigation risk.
(4) Documentation regarding the investigation should be carefully controlled and shared only on a “need to know” basis. For example, broad dissemination of the written results of the investigation throughout the company may cause a court to conclude the analysis was conducted primarily for business (i.e., nonlegal) reasons and is therefore not privileged.
There are two important limitations that any company should consider before engaging in an internal investigation. First, there is no way to guarantee that the results of an internal investigation will remain privileged. For example, the work product doctrine contains an exception that allows disclosure of otherwise privileged information if a party can show “extraordinary circumstances” warrant disclosure of the information. Moreover, internal investigations of environmental violations will often overlap with regulatory requirements that impose burdens on companies to investigate and disclose violations. To keep information privileged, a company will have to carefully distinguish between what it must disclose pursuant to regulatory requirements and what it may legitimately keep confidential under privilege doctrines.
Second, there are good reasons to engage in routine environmental audits notwithstanding changing EPA enforcement priorities. Such systematic reviews can, for example, improve efficiency, identify risks before incidents occur, and be easier to manage than one-time-only internal investigations. In the criminal context, federal sentencing guidelines effectively require corporations to implement compliance controls such as regular audits. Also, routine audits typically will be less expensive than internal investigations, especially if the investigation is managed by outside counsel. No regulated entity should eliminate routine audits entirely, even if EPA withdraws its Audit Policy.
However, environmental attorneys would also be wise to consider whether some issues would be better evaluated through a unique investigation managed by counsel, as opposed to a routine audit. When faced with a clear compliance problem that creates a litigation risk, the company may be better off conducting an internal investigation and forgoing its routine audit process—including any purported advantages it might gain from EPA’s Audit Policy. Given EPA’s diminished enforcement budget, the uncertain future of EPA’s Audit Policy, and the importance of keeping some information privileged, the value of routine audits may have lost some of its luster.