Opinion
Opinion By: Jack Conway, Attorney General; Amye L. Bensenhaver, Assistant Attorney General
Open Records Decision
This matter having been presented to the Attorney General in an open records appeal, and the Attorney General being sufficiently advised, we find that the Lexington-Fayette Urban County Government did not violate the Open Records Act in partially denying Lexington Herald-Leader reporter Linda Blackford's April 29, 2010, seven part request for records that included "all fraud or risk assessment reports" returned to LFUCG's external auditor, Mountjoy & Bressler, LLP, by LFUCG employees from 2006 to 2010. Although LFUCG provided barely sufficient support for its position by briefly referencing "industry standards," it is apparent that the 2008 questionnaire retained by Mountjoy was Mountjoy's work paper within the express meaning of KRS 325.420(3) and 200 KAR 1:300 Section 7, as well as Government Auditing Standard (GAGAS) 2.12, incorporated into 200 KAR 1:300 at Section 12. We concur with LFUCG in its view that the 2008 questionnaire was not a public record, notwithstanding the fact that it owed its existence to the contractual agreement between Mountjoy and LFUCG, because it was the "property of the licensee" (Mountjoy). KRS 325.420(3). Notwithstanding the fact that Mountjoy provided LFUCG's Director of Internal Audit with a copy of the 2009 questionnaire "to satisfy the requirements of [LFUCG's] Statement on Auditing Standards," that questionnaire, although its nonpublic character was altered after it was "owned, used, and possessed" by LFUCG, was nevertheless subject to the same statutory and regulatory restrictions on access as its 2008 equivalent, all of which were incorporated into the Open Records Act by KRS 61.878(1)(l), 1 as well as KRS 61.878(1)(i) and (j).
By letter dated May 14, 2010, 2 LFUCG notified the Herald-Leader that LFUCG was not the custodian of the reports, or questionnaires, to which Ms. Blackford's request referred. The disputed records' custodian was, instead, Mountjoy & Bressler, and "industry standard" required the firm to accord the records confidential treatment. Alternatively, LFUCG argued, the returned questionnaires constituted preliminary records, within the meaning of KRS 61.878(1)(i) and (j), insofar as they were "work papers gathered by the auditor for completion in the audit report. " On June 4, 2010, the Herald-Leader initiated this appeal, asserting that the questionnaires are "nothing more or less than a report of internal fraud made by an employee" and that existing authority mandates that "complaints which initially spawn an investigation may not be excluded from inspection because the public has a right to know what complaints have been made and the final action taken . . . ." Citing OAG 91-160.
In correspondence directed to this office following submission of the Herald-Leader's appeal, Terry Sellars, an attorney retained by LFUCG "to give independent legal advice regarding whether [LFUCG] may allow third parties to inspect a Fraud Risk Assessment Questionnaire prepared by a LFUCG management employee," elaborated on the advice he provided to his client. By way of background, he explained:
Mountjoy & Bressler, LLP, was LFUCG's external auditor of its financial statements in 2008 and 2009. In the audit agreement, LFUCG agreed to cooperate in the audit by "making all financial records and related information available" to Mountjoy & Bressler and, more particularly, agreed that its management employees would inform Mountjoy & Bressler of "all known or suspected fraud or illegal acts affecting the government . . ." The agreement also provided that all 'audit documentation for this engagement is the property of Mountjoy & Bressler, LLP and constitutes confidential information. '
Mountjoy & Bressler sent LFUCG management employees an email on June 15, 2009 stating as part of its 'audit procedures' it was required to make inquiries of Government personnel regarding risks of fraud in the Government. The email attached a Fraud Risk Assessment form, a 'brief questionnaire which is designed to gather and document information regarding the nature and likelihood of fraudulent activities in the Government.' The email assured employees that 'responses will be confidential and only used as part of our audit analysis.' (Footnotes omitted.)
Mr. Sellars indicated that a management employee returned the questionnaire to Mountjoy in 2008, reporting possible fraud. Mountjoy investigated "and found no evidence that LFUCG's financial statements were materially misstated due to fraud." The same employee reported the same possible fraud during the 2009 audit, and Mountjoy "consulted with LFUCG's management . . . 'solely as a precautionary matter to satisfy the requirements of their Statement on Auditing Standards.'" LFUCG's Director of Internal Audit reviewed the questionnaire, conducted a "preliminary review," and notified the employee that LFUCG "agreed with Mountjoy's . . . opinion that there was no credible evidence that a fraudulent act has occurred . . . ." Mr. Sellars identified the record in dispute as "a copy of the [questionnaire] retained by [LFUCG's] Office of Internal Audit . . . ." He did not indicate whether LFUCG maintained copies of the 2008 and 2009 questionnaires or the 2009 questionnaire only or provide an explanation of "industry standard" or legal authorities supporting it.
In an opinion issued shortly after the Open Records Law was enacted, the Attorney General determined that the Auditor of Public Accounts could withhold his work papers under authority of KRS 61.878(1)(i) and (j), formerly codified as KRS 61.878(1)(g) and (h). OAG 78-816. Then as now, those exceptions authorized nondisclosure of:
Preliminary drafts, notes, correspondence with private individuals other than correspondence which is intended to give notice of final action of a public agency.
Preliminary recommendations, and preliminary memoranda in which opinions are expressed or policies formulated or recommended.
At page 1 of OAG 78-816, we distinguished between the completed audit report and work papers generated by an auditor or his staff, observing:
[W]hen the complete [audit] report is made, such work papers would be exempted from the right of public inspection under KRS 61.878(1)[(i) and (j)], relating to preliminary drafts, notes, recommendations, memoranda, etc. Such preliminary drafts, notes, etc., are simply part of the tools which a public officer or employee uses in carrying out his statutory functions. See OAG 78-626. The public has a right to inspect a complete public action, namely, the completed report. The work papers are merely the informal and trial and error approach to the problem in the inchoate period leading up to the formulation of the completed report. Thus, there are logical and compelling reasons for their exclusion as expressed in KRS 61.878. During the work period temporary conclusions written down and involving possible bad conduct of officers or employees might, at the later formulation of the complete report, prove to be erroneous or inaccurate.
Accord, OAG 79-470 (Auditor of Public Accounts properly withheld working papers generated in a review of overpayments to Jefferson County Public Schools' bus drivers). We recognized one exception to the general rule of nondisclosure of auditor work papers in OAG 78-816. That exception was for "documents obtained [from] outside of [an auditor's] office which were public records when [the auditor] got them." The confidentiality of the state auditor's work papers is therefore well established and is reflected in administrative regulation at 45 KAR 1:060 Section 1 defining "confidential information" as "originals, copies, and recordings of all work papers, documents, notes, and other written or unwritten information related to the official business of the Office of the Auditor of Public Accounts." 3
OAG 78-816 was directed to the Auditor of Public Accounts. In subsequent opinions/decisions the Attorney General extended the analysis in OAG 78-816 to external auditors. 95-ORD-156 (City of Louisville properly denied request for interview transcripts, tapes, and completed interview questionnaires generated by Coopers & Lybrand in their audit of the city's Revenue Commission); 98-ORD-17 (Jefferson County Sheriff properly denied request for supporting documentation used in the preparation of audits performed on his office). This appeal presents our first opportunity to critically analyze the public's right of access to the work papers of an external auditor. Chapter 325 of the Kentucky Revised Statutes governs the practice of accountancy in the Commonwealth of Kentucky, establishing a State Board of Accountancy to grant, revoke, suspend, or refuse to renew or issue licenses and to proceed against licensees suspected of violating provisions of that Chapter. KRS 325.420 and 325.440 speak directly to ownership of records and confidentiality of information obtained in the practice of accounting. KRS 325.420 provides:
(1) Upon request and reasonable notice, the licensee shall furnish to his client or former client any accounting or other records belonging to the client that were provided to the licensee by or on behalf of the client.
(2) Upon request, reasonable notice, and payment for services previously provided, a licensee shall furnish to his client or former client a copy of a tax return, report, or other document, any of which was previously issued to or for the client or a copy of the licensee's working papers if the working papers include records that would ordinarily constitute part of the client's records and are not otherwise available to the client. These working papers shall include, but are not limited to, adjusting, closing, combining, or consolidating journal entries and information normally contained in books of original entry and general ledgers.
(3) Except as provided in subsection (1) of this section or pursuant to an agreement entered into between a licensee and his client, all statements, records, schedules, working papers, and memoranda prepared by a licensee to or in the course of providing services to a client shall be the property of the licensee.
(Emphasis added.) With respect to the confidentiality of these records, KRS 325.440 provides, in relevant part:
(1) A licensee shall not, without the consent of his client, disclose any confidential information pertaining to his client obtained in the course of performing professional services.
Pursuant to its authority to adopt "rules of professional conduct appropriate to establish and maintain a high standard of integrity and dignity in the profession of public accounting, " 4 the Board has promulgated 200 KAR 1:300 Section 7 and 8, affirmatively establishing a licensee's duty to "comply with the requirements of KRS 325.440 relating to the disclosure of confidential client information" and "KRS 325.420 relating to the ownership of accountant's working papers - client records." Additionally, the Board has incorporated by reference into its regulations, inter alia, the (Generally Accepted) Government Auditing Standards (GAGAS), "Yellow Book," issued by the General Accounting Office.
The first standard that appears in GAGAS, 1.01, recognizes that:
Auditing is essential to government accountability to the public. Audits and attestation engagements provide an independent, objective, nonpartisan assessment of the stewardship, performance, or cost of government policies, programs, or operations, depending upon the type and scope of the audit.
The standard that immediately follows declares:
The concept of accountability for use of public resources and government authority is key to our nation's governing processes. Government officials entrusted with public resources are responsible for carrying out public functions legally, effectively, efficiently, economically, ethically, and equitably. Government managers are responsible for providing reliable, useful, and timely information for accountability of government programs and their operations . . . Legislators, government officials, and the public need to know whether (1) government manages public resources and uses its authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; (3) government services are provided effectively, efficiently, economically, ethically, and equitably; and (4) government managers are held accountable for their use of public resources.
Significantly, "GAGAS incorporate the AICPA [American Institute of Certified Public Accountants] field work and reporting standards and the related Statements on Auditing Standards (SAS) 5 unless specifically excluded or modified by GAGAS."
As LFUCG's external financial auditor, Mountjoy was bound to conduct its work in accordance with ethical principles found at 2.05 of GAGAS that include both "the public interest" (2.06) and "proper use of government information, resources, and position" (2.12). The latter standard recognizes that:
In the government environment, the public's right to the transparency of government information has to be balanced with the proper use of that information. In addition, many government programs are subject to laws and regulations dealing with the disclosure of information. To accomplish this balance, exercising discretion in the use of information acquired in the course of auditors' duties is an important part in achieving this goal. Improperly disclosing any such information to third parties is not an acceptable practice.
GAGAS addresses, in considerable depth, the scope of an auditor's responsibility to detect fraud and illegal acts that have a material effect on financial statements and to determine whether "those charged with governance are adequately informed about fraud and illegal acts. " 5.15, et seq.
In October 2002, the Auditing Standards Board of the American Institute of Certified Public Accountants issued Statement on Auditing Standard No. 99: Consideration of Fraud in a Financial Statement Audit. SAS No. 99 was prompted by the Enron and other accounting scandals and became effective for audits of financial statements for periods beginning on or after December 15, 2002. It is aimed at identifying risks of material misstatements due to fraud by, among other things, requiring an auditor to gather information from management, internal audit personnel, and others within the audited entity. A key feature of this information gathering process, as we understand it, is the need to insure confidential reporting of fraud under conditions that preclude employee retaliation. It was under this standard, and these conditions, that Mountjoy circulated its Fraud Risk Assessment to LFUCG management employees in 2008 and 2009, assuring the recipients that their "responses will be confidential and only used as part of our audit analysis." 6
As noted, Mountjoy retained the only copy of the 2008 questionnaire but transmitted a copy to LFUCG's Department of Internal Audit "to satisfy the requirements of [LFUCG's] Statement on Auditing Standards." As a result, the 2009 questionnaire assumed the character of a public record, within the meaning of KRS 61.870(2), because it was "owned, used, and possessed" by a public agency. Notwithstanding this fact, the 2009 questionnaire retained its protected status as a work paper, not of Mountjoy, but of the Department of Internal Audit. As noted, the Department is an independent body within LFUCG that is subject to the referenced statutes, regulations, and audit standard as well the Institute of Internal Auditor's Code of Ethics and Standards adopted by the Internal Audit Board that supervises it per LFUCG Ordinance No. 63-2002. 7
Clearly, the 2008 questionnaire is not now, nor was it ever, a public record as defined at KRS 61.870(2). Ownership of the 2008 questionnaire was and is vested in Mountjoy & Bressler under the referenced legal authorities. While there is a temptation to treat the 2009 questionnaire that became a public record when Mountjoy transmitted it to LFUCG's Department of Internal Audit as a "complaint that spawned an investigation ending in the decision to take no action," we believe this argument oversimplifies the question. Mountjoy's purpose in securing the information in the questionnaire was to identify risks of material misstatement in LFUCG's financial statements owing to fraud, not to conduct an investigation into allegations of fraud for the purpose of imposing disciplinary action or determining that no disciplinary action was warranted. Such an inquiry would have greatly exceeded the scope of its engagement. By the same token, the review conducted by LFUCG's Department of Internal Audit, with which the 2009 questionnaire was shared, was aimed at determining if there was credible evidence of a fraudulent act, not to initiate and pursue an investigation and take action thereupon. Its analysis of the questionnaire was substantially equivalent to the analysis conducted by Mountjoy. As such, it remained a work paper excluded from disclosure as a preliminary note or a memorandum in which opinions were expressed and not a complaint that spawned an investigation. Accord OAG 78-816; OAG 79-470; 95-ORD-156; 98-ORD-17.
While this office recognizes the strongly substantiated public interest supporting disclosure of records reflecting allegations of governmental fraud, and how those allegations are addressed, we find that with respect to the records in dispute, records obtained under an auditing standard that attempts to strike a balance between the importance of exposing fraud and promoting candor among employees capable of exposing fraud, the public's right to know must yield to the need for confidentiality. Our conclusion is not altered by the fact that LFUCG subsequently waivered from its original position that the questionnaires are exempt from inspection. We examine the propriety of the denial on the date the decision was made, not on the basis of subsequent events. 06-ORD-260. Consistent with the position set forth above, we affirm LFUCG's denial of the questionnaires containing allegations of fraud circulated by its external auditor, Mountjoy & Bressler, LLP, in 2008 and 2009.
A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceeding.
Thomas W. MillerTerry Sellars
Footnotes
Footnotes
1 KRS 61.878(1)(l) authorizes public agencies to withhold "[p]ublic records or information the disclosure of which is prohibited or restricted or otherwise made confidential by enactment of the General Assembly."
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
2 LFUCG originally responded on May 4, 2010, explaining that additional time was needed to gather the requested records. The Herald-Leader did not object to this delay.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
3 Enabling legislation for these regulations is found at KRS 43.075.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
4 KRS 325.240.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
5 We will examine in greater depth SAS No. 99, the standard that produced the records in dispute in this appeal, below.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
6 In its supplemental response, LFUCG indicated that in itsaudit agreement with Mountjoy:
LFUCG agreed generally to cooperate in the audit by "making all financial records and related information available" to Mountjoy & Bressler and, more particularly, agreed that its management employees would inform Mountjoy & Bressler of "all known or suspected fraud or illegal acts affecting the government . . ." The agreement also provided that all "audit documentation for this engagement is the property of Mountjoy & Bressler LLP and constitutes confidential information. "
With reference to its internal auditing practices, LFUCG explained:
Prior to 2002, LFUCG's internal auditors were supervised by the Urban County Council. Since 2002 they have been independent, in their internal audit function, of both the Council and the Mayor's Office and are supervised by LFUCG's Internal Audit Board, which was created in 2002 by Ordinance No. 63-2002. The Board has adopted a Charter which provides that the Office shall comply with the requirements of the Institute of Internal Auditors (IIA) Code of Ethics and Standards. The IIA Code of Ethics expressly provides that:
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
(Footnotes omitted.)
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
7 Certainly, it is more than a coincidence that the creation of an independent department within LFUCG to conduct internal audits, free from the influence of the Mayor or the Council, coincides with the issuance of SAS No. 99.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -