Upload
independent
View
0
Download
0
Embed Size (px)
Citation preview
Law and Economics Working Papers Series Working Paper No. 00-26
August 2001
Jay P. Kesan* Birendra K. Mishra**
*Assistant Professor of Law, University of Illinois at Urbana-Champaign **Assistant Professor, Department of Accounting and Information Science,
University of Texas at Dallas
This paper can be downloaded without charge from the Social Science Research Network Electronic Paper Collection:
http://papers.ssrn.com/abstract=279300
DO WE NEED THE CORPORATE SELF-EVALUATIVE PRIVILEGE?
DO WE NEED THE CORPORATE SELF-EVALUATIVE PRIVILEGE?1
Jay P. Kesan2 and Birendra K. Mishra3
1 The authors acknowledge the helpful comments provided by the faculty seminar participants at the Duke
University School of Law and the University of Illinois College of Law. We are also grateful to Richard
McAdams, Alan Meese, Richard Painter, and Tom Ulen for their helpful comments and suggestions to an
earlier draft of this paper. 2 Assistant Professor of Law, University of Illinois at Urbana-Champaign, College of Law. 3 Assistant Professor, Department of Accounting and Information Science, University of Texas at Dallas.
DO WE NEED THE CORPORATE SELF-EVALUATIVE PRIVILEGE?
ABSTRACT
This article critically examines the common justification for the corporate self-evaluative
privilege (SEP) that such privilege protection is essential in order to avoid chilling corporate self-
policing. We develop a formal game theoretic model to study the strategic interaction between a
regulator and a firm considering a self-audit. We show that the protection accorded by the self-
evaluative privilege removes the disincentive for self-auditing but does not create any positive
incentive for self-auditing. In contrast, a legal regime that grants regulatory access to a firm's
internal audit materials creates a positive incentive for firms to engage in self-policing and
results in a higher self-auditing rate compared to an inspection regime (i.e., no regulatory access,
thereby permitting inspections only). In addition, any disincentive to the firm to engage in self-
policing can be minimized by limiting the admissibility of audit materials in third-party legal
proceedings. Finally, mitigating possible penalties for firms engaging in good faith compliance
auditing, can further encourage self-policing. Thus, as an alternative to the corporate SEP, we
envision a combination of measures that maximizes the extent and probability of corporate self-
policing comprising: (a) permitting regulatory access to self-audits; (b) limiting the admissibility
of audit materials in third-party proceedings against the firm; and (c) providing mitigated
penalties for firms engaging in good faith self-policing. These measures capture the societal
benefits of increased corporate self-policing in terms of early detection and remedy of violations
while minimizing the fear of collateral liability arising from one's self-evaluation efforts.
2
I. INTRODUCTION
II. MODEL
A. Expected Costs for Scenario 1: Inspection Only Regime
B. Expected Costs for Scenario 2: Privilege Regime
C. Expected Costs for Scenario 3: Regulatory Access, No Admissibility of Audit
Materials in Third Party Proceedings and Mitigated Penalty
III. EQUILIBRIA
A. Scenario 1: Inspection Only Regime
B. Scenario 2: Privilege Regime
C. Scenario 3: Regulatory Access, No Admissibility of Audit Materials in Third
Party Proceedings and Mitigated Penalty
IV. IMPLICATIONS OF THE MODEL
A. Corollary 1–Comparing the self-auditing probability with and without regulatory
access to the firm’s self-audits
B. Corollary 2–Comparing the privilege asserted and the privilege waived cases
C. Corollary 3–Comparing an independent penalty regime with a mitigated penalty
regime
V. SENSITIVITY ANALYSIS
VI. CONCLUSION
3
I. INTRODUCTION
The corporate self-evaluative privilege4 (SEP) has been a mainstay in the law for several
decades. Almost thirty years ago, courts recognized the self-evaluative privilege in Bredice v.
Doctors Hospital,5 a medical malpractice case widely regarded as the first case recognizing such
a privilege. The Bredice court reasoned that privilege protection was essential in order for firms
to engage in “candid and conscientious evaluation” since “[c]onstructive professional criticism
cannot occur in an atmosphere of apprehension...”6 The court also noted that there was
overwhelming public interest in preserving the confidentiality of such evaluations. Since then,
courts have recognized the corporate self-evaluative privilege in several areas of the law, such as
securities litigation, discrimination law, and environmental law. Over twenty states have passed
laws recognizing such a privilege to protect the confidentiality of communications relating to
voluntary internal self-audits conducted by firms.7 While the specific scope of protection
accorded by the privilege varies greatly among the states, it generally protects self-audit
4 The self-evaluative privilege is also referred to as the privilege of self-critical analysis. See, for
example, David P. Leonard, Codifying a Privilege for Self-Critical Analysis, 25 Harv J on Legis 113
(1988); Note, The Privilege of Self-Critical Analysis, 96 Harv L Rev 1083, 1083 (1983). 5 50 F.R.D. 249 (D DC 1970), aff’d without opinion, 479 F2d 920 (DC Cir 1973). 6 Bredice, 50 FRD at 250. 7 See, for example, John-Mark Stensvaag, The Fine Print of State Environmental Audit Privileges, 16
UCLA J of Envt L & Policy 69, 79 (1997-98); Lisa Koven, Comment, The Environmental Self-Audit
Evidentiary Privilege, 45 UCLA L Rev 1167, 1181-82 n 97 (1998); D. Marsh Prause, Environmental
Auditing: Stuck Between A Progressively Softer Rock and a Hard Place, 17 E Min L Found § 6.04. 4
materials from discovery and renders them inadmissible in any civil, criminal, or administrative
action. States such as Texas and Idaho grant absolute immunity from administrative, civil, and
criminal penalties as long as violations discovered by an internal audit are disclosed and
remedied. Many states permit privilege protection subject to the following exceptions: waiver of
privilege by the firm; assertion of privilege for fraudulent purpose; and loss of privilege if the
firm does not achieve compliance within a reasonable period of time after disclosure of the
violation.8
The U.S. Department of Justice (DOJ) and numerous civic groups wish to preserve their
access to corporate internal audit materials and are against the recognition of a corporate self-
evaluative privilege. As a senior DOJ official has noted, these privileges “shield illegal
misconduct, interfere with law enforcement, conceal information vital to public health and
safety, create an atmosphere of distrust between regulators and regulated entities, and conflict
with public policies of openness and corporate accountability.”9
The issue of whether regulatory bodies should have access to internal self-audits and the
self-evaluative privilege’s role in encouraging corporate self-evaluation is also controversial in
the academic literature. On one hand, it is urged that the public has a right to know about
8 See Eric W. Orts & Paula C. Murray, Environmental Disclosure and Evidentiary Privilege, 1997 U Ill L
Rev 1, 22-24. 9 Attorneys Debate Merits of Audit Bill, Interim EPA Policy on Voluntary Disclosure, 26 Env’t Rep
(BNA) 690, 690 (Aug 11, 1995) (quoting Assistant Attorney General for the Environmental and Natural
Resources Division of the Justice Department Lois Schiffer). 5
corporate wrongdoing; therefore, the SEP, to the extent that it encourages corporate secrecy,
should not be tolerated.10 On the other hand, there is concern that without the protection
accorded by the SEP, companies will not engage in any internal auditing for fear of generating a
litigation roadmap for potential plaintiffs. Commentators urge that this disincentive to
establishing effective compliance programs must be removed by providing adequate protection
for confidential audit materials.11
This article develops a formal game theoretic model of the strategic interaction between a
regulator12 and a firm contemplating an internal self-audit. The goal is to study the affect of:
(a) the existence of the self-evaluative privilege; (b) the regulator’s ability to access the firm’s
internal self-audits on the likelihood and extent of corporate self-auditing in a strategic setting;
and (c) the influence of mitigated penalties on the firm’s decision to engage in self-policing. In
addition, we also investigate the impact of limiting the admissibility of audit materials in third
party proceedings against the firm on corporate self-policing.
Our key insights are the following: permitting regulatory access is superior to privilege
protection in terms of increasing the probability of corporate self-policing because the existence
10 See Michael Ray Harris, Promoting Corporate Self-Compliance: An Examination of the Debate Over
Legal Protection for Environmental Audits, 23 Ecology L Q 663, 706-07 (1996). 11 See, for example, Jennifer Arlen, The Potentially Perverse Effects of Corporate Criminal Liability, 23 J
Legal Stud 833, 833-37 (1994); Jennifer Arlen & Reinier Kraakman, Controlling Corporate Misconduct:
An Analysis of Corporate Liability Regimes, 72 NYU L Rev 687, 743-44 (1997).
6
of the privilege merely removes the disincentive to engage in self-policing but does not, by itself,
create any positive incentive for self-policing. Regulatory access creates a positive incentive for
self-policing and increases the probability that a firm will engage in compliance auditing when
compared to a legal regime that does not permit access to audit materials (i.e., an inspection
regime). Furthermore, limiting the admissibility of audit materials in third-party legal
proceedings minimizes the firm’s disincentive to engage in self-policing. Finally, mitigated
penalties for firms engaging in good faith compliance auditing can further encourage self-
policing. To maximize the extent and probability of corporate self-policing, we propose
permitting regulatory access to self-audits; limiting the admissibility of audit materials in third-
party proceedings against the firm; and providing mitigated penalties for firms engaging in good
faith self-policing. Our proposal captures the societal benefits of increased corporate self-
policing (brought about by regulatory access and mitigated penalties) in terms of early detection
and remedy of violations, while minimizing the fear of potential collateral liability due to
increased compliance auditing (by limiting the admissibility of audit materials in third party legal
proceedings).
Previous justifications for maintaining privilege protection do not consider the full scope of
the strategic interaction between a regulator and a firm. In analytic terms, the argument is based
on decision theoretic reasoning and does not simultaneously take into account the strategies and
12 In our model, it does not matter whether the regulator is a government agency or an industry
consortium or other self-regulating entity. 7
reactions of both the firm and the regulator. By formally modeling the expected costs under the
different strategies employed by the firm and the regulator, and then deriving the equilibrium
conditions, we demonstrate the importance of regulatory access in increasing the probability of
self-policing by the firm, i.e., creating a positive incentive to engage in self-policing. What
seems to be counterintuitive at first glance can be understood by examining the strategies
employed by the firm and regulator simultaneously and analyzing them interdependently. When
confronted with a regulatory regime where access to self-audits is unavailable (i.e., akin to an
absolute privilege regime), the regulator can only independently inspect and audit the company’s
activities even though accessing would have been a more efficient tool. Knowing that audit
access is not available to the regulator, the firm engages in self-policing at a lower level. When
the regulatory regime is modified to include access, the regulator uses access as a substitute for
inspection only when it is more efficient to do so. This creates the positive incentive for the firm
to switch to good faith self-policing in order to capture the benefits of early detection and remedy
of violations to minimize the regulatory fines and penalties that may otherwise be imposed by
the regulator. Our analysis clearly demonstrates that a firm’s knowledge that the regulator can
access its internal audit records increases the probability that the firm will engage in self-
policing. Thus, we cannot readily assume that regulatory access to self-audits will chill
corporate self-evaluation and remediation. Instead of privilege protection, alternative legal
regimes can be designed that remove the fear of self-incrimination, while creating positive
incentives for firms to engage in self-policing.
8
II. MODEL
We model the strategies employed by a firm and a regulator as a single period, two player,
compliance game. We consider three scenarios in this game. First, we analyze a baseline
scenario – an inspection only regime (i.e., no possibility of regulatory access to internal audits
and equivalent to according absolute privilege protection to the firm). Second, we consider a
privilege setting in which privilege protection may be asserted or waived by the firm in response
to a regulator’s action seeking access to internal audits. Third, we examine a scenario, which we
show to be optimal, in which regulatory access is allowed, the admissibility of audit materials in
third party proceedings against the firm is not permitted and mitigated penalties are imposed on
firms engaging in good faith self-policing.
Figure 1 shows the time line of events in the game for the privilege scenario.13 To start with
the firm is stochastically in compliance or out of compliance with governing regulations with a
probability, , typical for the industry to which the firm belongs.β 14 The firm may or may not
13 The time line for other scenarios are similar and we note the differences when describing the specific
scenario. 14 This representation is quite standard in the economics and management science literature. is the
steady state rate at which the firm goes out of compliance (i.e., the rate in the industry that the firm
belongs to) is a function of several factors including the regulatory regime (including the penalty), the
technology requirements, and compliance training for employees. Since any shift or adjustment in
industry non-compliance rates evolve over a long period of time, and our focus is on regulatory access to
β
9
Firm
is in
co
mpl
ianc
e or
not
st
ocha
stic
ally
Firm
ch
oose
s to
self-
audi
t or
not
Reg
ulat
or
choo
ses t
o ac
cess
firm
’s
audi
ts o
r no
t
Firm
ch
oose
s to
asse
rt p
rivi
lege
pr
otec
tion
or
wai
ve
priv
ilege
pr
otec
tion
Reg
ulat
or
choo
ses t
o in
spec
t fir
m
or n
ot
Payo
ffs
real
ized
Figu
re 1
: T
ime
line
of e
vent
s in
the
gam
e. N
ote
that
step
s 2
and
3 in
the
time
line
of e
vent
s do
not o
ccur
in S
cena
rio
1 –
an
insp
ectio
n on
ly r
egim
e (i.e., a
kin
to a
bsol
ute
priv
ilege
) bec
ause
ther
e is
no
poss
ibili
ty o
f reg
ulat
ory
acce
ss to
aud
it m
ater
ials
.
choose to conduct a compliance audit. We assume that if an audit is conducted, the firm will
detect non-compliance and will remedy any violations. It is also implicitly assumed that the
direct costs (i.e., regulatory penalties) and the indirect costs (e.g., bad publicity) of not correcting
violations exceeds the firm’s cost of correcting violations.
As shown in Figure 1, the regulator may choose to access the firm’s audit records, proceed
directly to conduct his own inspection, or do nothing (i.e., neither access nor inspect). If the
regulator attempts to access the audit records, the firm may choose to assert privilege in order to
fight regulatory access or waive privilege and permit access. In this model, a firm chooses to
assert privilege if it believes that its costs of fighting regulatory access (e.g., litigation-related
costs) are less than the potential liability arising from having its audit reports made available to
the public. In the opposite situation, a firm may choose to waive privilege if it believes the
potential liability from its audit reports is less than the costs associated with asserting privilege.
Regardless of whether the regulator is able to access the firm’s audit reports, he may or may not
choose to conduct his own independent inspection. Finally, the payoffs of the firm and regulator
are realized.
Table I provides a summary of notations of the parameters and strategies used in this paper.
self-audits which can be adjusted rather quickly, we keep this rate fixed in our model to study the affect of
our variables of interest. This is in the spirit of controlling for confounding factors to see the effect of
other variables in an experiment (the ceteris paribus argument).
10
As shown in the list of parameters in Table I, the model assumes that there is a cost, , to the
firm of conducting an audit and a cost, C , to comply when non-compliance is detected and
remedied. If the firm is non-compliant but does not conduct an audit, the costs of complying
increase as additional damage is accrued ( ). The regulator’s cost of inspection is C .
The access costs to the regulator depend upon whether the firm chooses to fight access by
asserting privilege, , or instead permits access by waiving privilege, . There are two types
of penalties in the model. In one case, the regulator may choose to impose a penalty independent
of whether the firm or the regulator detected the non-compliance, V . Alternatively, the
regulator may choose to impose a reduced penalty, V , if the firm discovered and remedied the
non-compliance.
Cf
0
D Cf > 0 r
K p Kw
0
a
In each of the three scenarios the firm and the regulator minimize their total expected costs.
The firm’s expected total costs, include audit costs, costs associated with waiving or asserting
privilege, and the costs of non-compliance (costs of bringing to compliance and associated
fines/penalties). The regulator’s expected total costs include inspection costs, privilege-
dependent access costs, and the cost due to undetected damage when the firm is non-compliant.
Before discussing the detailed expected costs for each scenario, we state two results in Lemma 1
and Lemma 2 that we use to simplify our analysis.
Lemma 1: When the firm has conducted a compliance audit, and the regulator accesses the
firm’s audit report, the regulator does not inspect, i.e., (All proof s are given in the 1 0.ρ =
11
Appendix).
By accessing the firm’s audit report, the regulator knows that the firm either has committed
no violations or has already detected and corrected any non-compliance.15 Because the firm is in
compliance at the time the regulator accesses the audit materials, any additional inspection effort
by the regulator is unnecessary and inefficient. Hence, the regulator does not inspect. When the
regulator accesses the firm’s compliance audit report, his subsequent action may include an
independent inspection, if the firm has not already conducted a compliance audit.
Lemma 2: If the firm has not conducted an audit and the regulator attempts to access the audit
reports, the firm will not assert the self-evaluative privilege, i.e., π = 3 0.
When the firm has not conducted an internal audit, it has no fear that its audit materials may
be a source of potential liability. In these circumstances, the firm will not assert the self-
evaluative privilege since the costs of asserting and maintaining privilege protection are greater
than the third-party liability costs (which, in this case, is non-existent since no audit was
conducted), when privilege is waived.
Next, we describe the details of the total expected cost for the firm and the regulator for
each of the three different scenarios.
15 Assuming that the regulator can only imperfectly determine (with some probability) whether the firm
has engaged in proper self-auditing does not qualitatively change any of our insights. Thus, this is not a
critical assumption in our model. 12
A. Expected Costs for Scenario 1: Inspection Only Regime (i.e., no regulatory access)
In this scenario, the regulator cannot access the firm’s compliance self-audit materials and
thus cannot determine if the firm has audited. Therefore, this particular setting can be modeled
as a simultaneous game. The firm can conduct a compliance audit or not, and the regulator can
inspect or not (but is unable to access any existing audits in the firm’s possession). In other
words, this inspection only scenario corresponds to the situation in which there is absolute
privilege protection and regulatory access to internal audits is denied. Let α and γ denote the
probability of audit by the firm and inspection by the regulator, respectively.
The expected cost to the regulator is:
ER ( )( )1 1r rC Dγ γ α= + − − β
o
o
)
) ,fD
The regulator’s expected cost is composed of two elements: the expected cost of inspection
and the expected undetected damages due to non-compliance . ( ) ,rCγ ( ) ( )( )1 1 rDγ α β− −
The expected cost to the firm is given by:
EF ( ) ( ) ( )1f o o fC C V D Vα β βγ α βγ= + + + − +
Rearranging the above, we get,
EF { } ( ){ } { }1 .f o fC C D Vα αβ α βγ βγ= + + − +
The firm’s expected cost is composed of three elements: expected audit cost expected
cost of complying and the expected penalty
( ,fCα
( )( 1oCαβ α βγ+ − ( ).oVβγ
13
B. Expected Costs for Scenario 2: Privilege Regime
The expected cost to the regulator for its three different strategies are:
Access: 1|ER s =
( ) ( )( ) ( ) ( )( ) ( )( ) ( ) ( )
1 1 2 2 3
2 2
1 1 1 1 1 1
1 1 1w p w p w
r r
K K K K K
C D
αβ π αβπ α β π α β π α π α π
α ρ α β ρ
− + + − − + − + − − + −
+ − + − −31 pK
rC
3|
The terms with denote the access cost to the regulator when the firm waives its privilege.
The terms with denote the access cost to the regulator when the firm asserts privilege. The
term with C denotes the expected cost of inspection when the regulator accesses and finds that
the firm has not conducted self-audit and chooses to inspect. The last term denotes the expected
undetected damage as assessed by the regulator when using this strategy.
Kw
Kp
r
No access, inspection: 2|ER s =
( ) ( )( ) ( )1 1 1 1r r r rC C C Cα β αβ α β α β− + + − − + − =
No access, no inspection: 3|ER s =
( )( ) ( ) ( )( )( ) ( ) ( )1 0 0 1 1 0 1 1r rD Dα β αβ α β β α β α− + + − − + − = −
The total expected cost for the regulator is given by:
( )1 1 2 2 1 2| | 1ER ER s ER s ER sδ δ δ δ= + + − −
Recalling that π = from lemma 2 we get 3 0
14
( ) ( )( ) ( )( ) ( ) ( ) ( )
( ) ( )
1 1 1 1 1 2 1 2
1 1 2 1 2 2
1 2
1 1 1
1 1 1 1
1 1
w p w
w r r r
r
ER K K K K
K C D C
D
δ αβ π δ αβπ δ α β π δ α β π
δ α δ α ρ δ α β ρ δ
δ δ β α
= − + + − − + −
+ − + − + − − +
+ − − −
1 p
1 t
C
2
(1)
The expected cost to the firm for its two different strategies are:
Auditing:
( ) ( ) ( )( )
1
0 1 0 2 0 1 1 1 1 1 2
1 2
|1 1
1f t l
l
EF aC C V V C C C
C
β βδ βδ βδ π βδ π β δ π
β δ π
= + + + + − + + − −
+ −
The costs for this strategy includes the audit and compliance cost . The terms with V
are the expected penalty cost, the terms with C are the expected third party liability cost and the
terms with C are the expected litigation costs to assert privilege.
Cf + β 0 0
t
l
Not auditing:
( ) ( )2
2 1 2
|
f o f o
EF a
D V D Vβ ρ δ δ= + + +
When the firm does not audit the expected costs are the expected cost of compliance and penalty
imposed on the firm by regulator when she discovers the non-compliance.
Thus, the total expected cost to the firm is given by:
( )1| 1 |EF EF a EF aα α= + −
15
( ) ( ) ( )( ) ( ) ( )
( ) ( )( )
2 1 2 1 1 1 1
1 2 1 2
1 2 2 1 2
1 1
1 1 1
1
f o f t
t l
o
EF C C D C C
C C
V
α αβ α β ρ δ δ αβδ π αβδ π
α β δ π α β δ π
β α δ δ α ρ δ δ
= + + − + + − +
+ − − + −
+ + + − +
l
(2)
B-1. Expected Costs for Scenario 2–Case (I): When Privilege Is Asserted by the Firm
In this case, the firm’s expected litigation costs for asserting privilege are less than the
expected third party liability if privilege is vitiated ( i.e., C ). Hence, the firm asserts
privilege protection whenever the regulator tries to access the self-audits, and the firm has
audited, i.e., . Note that the firm does not assert privilege if it has not conducted
voluntary audits as the expected third party liability is zero in this case. Substituting π π
in equations (1) and (2), the expected costs to the regulator and the firm are:
Cl < t
r
r
2
f)
π π1 2 1= =
1 2 1= =
ER K K CD C D
p w
r r
( ) ( ) ( )( )( ) ( )( )π π δ α δ α δ α ρ
δ α ρ β δ δ δ α β1 2 1 1 1
1 2 2 1 2
1 1 11 1 1 1= = = + − + −
+ − − + + − − − (3)
EF C C DC V
f
l
( ) ( ) ([ ( ) ( )( )]
π π α αβ α β ρ δ δ
δ α α δ δ α ρ δ δ β1 2 0 2 1 2
1 1 2 2 1 2 0
1 11
= = = + + − +
+ + + + − + (4)
B-2. Expected Costs for Scenario 2–Case (II): When Privilege Is Waived by the Firm
In this case, the firm’s expected litigation costs for asserting privilege are greater than the
expected third party liability if privilege protection is vitiated (i.e., ). Hence, the firm
waives privilege and π π . Substituting π π in equations (1) and (2), the expected
costs to the regulator and the firm are:
lC C> t
)1
1 2 0= = 1 2 0= =
( ) ( ) ( ) ( ) (1 1 2 2 1 2 1 21 1 1 1w r r r rER K C C D Dδ δ α ρ δ δ α β ρ δ δ β α= + − + + − − + − − − (5)
16
( ) ( )( ) ( )( )
2 1 2 1
1 2 2 1 2
1
1f o f
o
EF C C D C
V
α αβ α β ρ δ δ αδ
β α δ δ α ρ δ δ
= + + − + +
+ + + − +
t (6)
C. Expected Costs for Scenario 3: Regulatory Access, No Admissibility of Audits Materials in
Third-Party Proceedings and Mitigated Penalty
In this scenario, the firm never asserts privilege since the fear of third party liability from
audit materials is eliminated and regulatory access to audit materials is always permitted. In
addition, the penalty for non-compliance is reduced based on good-faith self-policing efforts by
the firm. Here, the firm faces the penalty, V , if the firm is out of compliance and the regulator
finds non-compliance by independent inspection. However, if the firm has conducted a
compliance audit and corrected the problem, then the alternate penalty, V is assessed, where
Because the penalty is assessed on the firm, the conditional penalty structure does not
affect the regulator’s expected costs. Hence the regulator’s expected cost is given by equation
(5). However, the firm’s expected cost changes, depending on whether the firm has conducted a
compliance audit. The firm’s expected costs for auditing ( and not auditing ( are:
o
,a
.aV V< o
2 a
)+
)
)1a )2a
EF and 1 1| f o aa C C V Vβ βδ βδ= + + +
EF ( ) (2 2 1 2| f o f oa D V D Vβ ρ δ δ = + +
The (unconditional) expected cost to the firm is given by:
( ) ( ) (1 2 2 1 21f o a a f o f oEF C C V V D V D Vα β βδ βδ α β ρ δ δ + + + + − + + + = (7)
17
The first term in equation (7) is the expected cost when the firm conducts a compliance audit and
may incur the mitigated penalty, V The second term is the expected cost when the firm does
not conduct a compliance audit and the penalty, V , may be incurred.
.a
o
III. EQUILIBRIA
A. Scenario 1: Inspection Only Regime
This scenario corresponds to a regulatory regime that provides regulators no access to a
firm's audit materials under any circumstances. In other words, the regulator may either choose
to conduct inspections or do nothing.
The following proposition characterizes three possible Nash equilibria for this inspection
only setting in which no regulatory access to the firm’s compliance audit is permitted (see Figure
2).
Proposition 1: Where the regulator has no access to the firm’s compliance audit report, the
following Nash equilibria exist:
(I) High inspection cost.16
If C then γ α That is, the firm does not audit, and the regulator does not inspect. r rβ> D
0.= =
(II) Low inspection cost, high audit cost.
16 While for expositional purposes we use the descriptors high and low, they are relative. High inspection
cost is relative to regulator's estimate of expected harm from non-compliance. This caveat applies all
through our analysis. 18
rD
β
Firm
’s
Aud
it C
ost,
f
C
III II
I (
)f
oD
Cβ
−
Reg
ulat
or’s
In
spec
tion
Cos
t,
rC
Equ
ilibr
ium
reg
ions
for
scen
ario
1 c
orre
spon
ding
to a
n
insp
ectio
n on
ly r
egim
e w
ith n
o re
gula
tory
acc
ess (
i.e.,
akin
to w
hen
abso
lute
pri
vile
ge is
acc
orde
d to
the
firm
).
Figu
re 2
:
If C and C D then γ = and α = That is, the firm does not audit, and
the regulator always inspects.
D o
β .rβ
)
r r< β ( ) ,f f Cβ> − 1 0.
(III) Low inspection cost, low audit cost.
If C D then γ β and α That is, the firm
mixes between auditing and no-auditing, and the regulator mixes between no-inspection and
inspection.
( ), ,r r f f oC D Cβ β< < − = +( ) /C C Df f0 1 /rC D= −
(a) Equilibrium I (high inspection cost regime): The first equilibrium corresponds to the
situation when violations accumulate. This outcome occurs when the regulator’s inspection cost
exceeds the expected damage from non-compliance as assessed by the regulator
As a result, the regulator does not inspect. Since the regulator does not
inspect, the firm has no incentive to conduct an internal audit. Thus, neither the firm nor the
regulator conducts an investigation. This situation occurs when the expected fallout from non-
compliance is quite small or the firm has a low probability of causing damage from non-
compliance relative to the regulator’s inspection costs.
( . ., . β>r ri e C D
(b) Equilibrium II (low inspection cost, high audit cost): This equilibrium corresponds to a
situation where there is a comparatively large amount of damage from non-compliance. In this
equilibrium, the regulator always inspects, and the firm does not audit because its audit and
compliance procedures are inefficient and expensive compared to the expected costs the
regulator will impose when she detects the firm’s violations (i.e., ). In this C D Cf f− − >β( )0 0
19
situation, the regulator has efficient inspection procedures and technological support, and the
firm has relatively high cost of compliance auditing compared to additional expected damages
that will accrue due to non compliance.
(c) Equilibrium III (low inspection cost, low audit cost, no access allowed (e.g., near absolute
privilege protection)): This is a mixed equilibrium in which the regulator mixes his strategies
between inspecting and not inspecting. The regulator cannot access the firm’s audit records
since access is not allowed, as is the case when the applicable law provides strong immunity or
near absolute privilege protection. In response to the regulator’s strategy, the firm also mixes
between auditing and not auditing. Here, no pure strategy equilibrium is possible because if the
regulator always inspects the firm will always audit, but if the firm always audits, the regulator
will prefer not to inspect. But if the regulator does not inspect then the firm will prefer not to
audit. Thus, there is no pure strategy equilibrium.
B. Scenario 2: Privilege Regime
This scenario corresponds to a regulatory regime in which a firm may choose to assert
privilege protection to protect audit materials if certain, specified conditions are satisfied (e.g.,
prompt detection and remediation of violations, absence of fraudulent conduct, and the like).
However, under this regime, privilege protection can be vitiated if the regulator makes a showing
that one of these specified conditions has been violated by the firm.
For the scenario where the regulator attempts to access the firm’s internal audit records, and
the firm asserts or waives the self-evaluative privilege, there are eight equilibria that correspond
20
to the strategies employed by the firm and the regulator. These equilibria span the complete
parameter space (see Figures 3 and 4 for all the equilibrium regions for this scenario).
Proposition 2: Where the regulator attempts to access the firm’s internal audit records and the
firm has qualified privilege, the following eight Bayesian equilibria exist:
CASE (I)–Privilege Asserted by the Firm: C , that is third party liability is greater than
legal cost of asserting privilege. Thus, the firm asserts privilege.
Ct > l
=
r/
(I) High inspection cost.
If C D . That is, the firm does not audit, and the regulator
does not access or inspect.
1 2 3, then 0 and 1r rβ δ δ α δ> = = =
(II) Low inspection cost, high audit cost.
If and C then δ δ and are equilibrium
strategies. That is, the firm does not audit, and the regulator does not access the audit reports,
but he always inspects.
C Dr r< β ( )ρ2 1= D Cf f> −β( )0 α1 3 0= = = δ 3 1=
(III) Low inspection cost, low audit cost, high access cost. If , ,
and then
C Ct l> C Dr r< β ( )ρ2 1=
C D Cf f< −β( )0 K C K D C Dp r r r> + −( )∆ β β α β , δ ,
andδ are equilibrium strategies. That is, the firm mixes between
auditing and not-auditing, and the regulator mixes between [no-access, no-inspection] and [no-
access, inspection].
= −1 C Dr r 1 = 0
δ β2 = +(C C βD δ3 21= −0 ) /f f
(IV) Low inspection cost, low audit cost, low access cost.
21
rD
β
Firm
’s
Aud
it C
ost,
f
C
III
II
III
IV
I
()
fo
lD
CC
β−
−
()
fo
DC
β−
Reg
ulat
or’s
In
spec
tion
Cos
t,
rC
priv
ilege
pro
tect
ion
is a
sser
ted
by th
e fir
m.
Figu
re 3
: E
quili
briu
m r
egio
ns fo
r sc
enar
io 2
-cas
e (I
) whe
n
f
C
Reg
ulat
or’s
In
spec
tion
Cos
t,
rC
fo
II
III
IV
I
III
()
fo
DC
β−
()
tD
Cβ
−−C
Firm
’s
Aud
it C
ost,
e fir
m.
rD
β ur
e 4:
whe
n pr
ivile
ge p
rote
ctio
n is
wai
ved
by th
Fig
Equ
ilibr
ium
reg
ions
for
scen
ario
2-c
ase
(II)
If C , , and then Ct l> C Dr r< β ( )ρ2 1= C D C Cf f< − −β( )0 l r/K C K D C Dp r r r< + −( )∆ β β
α β+K K∆
1= π 3 =
= −1
π π1 2=
−D Cp r( )
0
r 1 0= +( ) / (C Cf f, δ β , δ , δ and
and are equilibrium strategies. That is, the firm mixes between [audit|assert]
and [no-audit|waive], and the regulator mixes between [access; no-inspection | audit, inspection
| no-audit] and [no-access, no-inspection].
β −D )Cl 2 0= δ3 11= −
CASE (II)–Privilege Waived by the Firm: , that is third party liability cost is less than
legal cost of asserting privilege. Hence, the firm waives privilege in this case.
C Ct < l
=
r
(I) High inspection cost.
If C D . That is, the firm does not audit, and the regulator
does not access or inspect.
1 2 3, then 0 and 1r rβ δ δ α δ> = = =
(II) Low inspection cost, high audit cost.
If and C then δ δ and are equilibrium
strategies. That is, the firm does not audit, and the regulator does not access the audit reports,
but he always inspects.
C Dr r< β ( )ρ2 1= D Cf f> −β( )0 α1 3 0= = = 2 1δ =
(III) Low inspection cost, low audit cost, high access cost. If C C , ,
and then
t l< C Dr r< β ( )ρ2 1=
C D Cf f< −β( )0 ( ) /w r r rK C D C Dβ β> − α β , ,
andδ are equilibrium strategies. That is, the firm mixes between
auditing and no-auditing, and the regulator mixes between [no-access, no-inspection] and [no-
access, inspection].
= −1 C Dr r δ1 0=
δ β2 = +(C C βD δ3 21= −0 ) /f f
22
(IV) Low inspection cost, low audit cost, low access cost.
If C , , C D and then Ct l< C Dr r< β ( )ρ2 1= 0( )f f Cβ< − − tC r( ) /w r r rK C D C Dβ β< −
1 (w rK Dα β −
3 0π =
)rC 1 == −
1 2π π= =
, ρ , ρ , δ β , δ , δ δ and
are equilibrium strategies. That is, the firm mixes between [audit|waive] and
[no-audit|waive], and the regulator mixes between [access; no-inspection | audit, inspection | no-
audit] and [no-access, no-inspection].
0 2 1= C C= +1 0( ) /( )f f tD Cβ − 2 0= 3 11= −
Although the first two equilibria in Case (I) and Case (II) are qualitatively similar, they are
supported by different out-of-equilibrium beliefs, as noted in the Appendix.
(a) Equilibrium I (high inspection cost regime): Similar to equilibrium I in proposition 1.
(b) Equilibrium II (low inspection cost, high audit cost): Similar to equilibrium II in proposition
1.
(c) Equilibrium III (low inspection cost, low audit cost, high access cost): Similar to equilibrium
III in proposition 1.
Note that equilibrium III exists on both sides of equilibrium IV in both Case (I) and Case
(II). Equilibrium III occurs when the cost of access is relatively high compared to independent
inspection in which case the regulator may choose to conduct his own inspections. This is more
likely to occur in the case of strong privilege protection as it increases regulatory access costs.
(d) Equilibrium IV (low inspection cost, low audit cost, low access cost, low third party liability
cost): Like equilibrium III in scenario 1, this is a mixed equilibrium. The regulator mixes
23
between accessing the firm’s audit records and doing nothing (i.e., neither accessing nor
inspecting).17 Responding to the regulator’s strategy, the firm also mixes between auditing and
not auditing. The extent of this equilibrium, (i.e., the vertical parameter span of equilibrium IV)
is reduced by litigation-related costs accrued by the firm of asserting privilege when it asserts
privilege (Figure 3). On the other hand, if the firm waives privilege protection, this region is
again reduced by potential third party related liabilities if the audit records are made generally
available to the public. This reduction in the extent of equilibrium IV corresponds to the
disincentive to the firm to engage in potentially self-incriminating compliance auditing. We
focus on this region more below.
If the regulator’s penalty structure is independent of whether the firm has conducted a
compliance audit (i.e., no mitigation for good-faith self-auditing), then the penalty itself does not
directly affect the strategies employed by the firm or the regulator, as is obvious from the
equilibria noted above. This is because the penalty is pervasive whether the firm finds the non-
compliance by self-audit or the regulator finds the non-compliance through access or
independent inspection. Thus, the usefulness of a penalty as a deterrent mechanism is non-
existent.
17 Note that the regulator never accesses the firm’s audit records all the time. When the regulator always
accesses, the firm never audits thus making access worth less for the regulator. If the firm never audits,
the regulator would want to always conduct independent inspections. But if the regulator always
conducts inspections, the firm would like to always audit, and in response, the regulator would always
like to access. Thus, there is no pure strategy equilibrium when the regulator always access. 24
C. Scenario 3: Regulatory Access, No Admissibility of Audits Materials in Third-Party
Proceedings and Mitigated Penalty
This scenario corresponds to a hypothetical legal regime, that we believe is optimal to
maximize the extent and likelihood of corporate self-policing.
The following proposition characterizes perfect Bayesian equilibria for this setting with
regulatory access (i.e., no privilege protection), no third party liability and a penalty conditional
on the efforts of the firm (see Figure 5).
Proposition 3: In this scenario with regulatory access (i.e., no privilege protection or privilege
protection waived), no third party liability and a conditional penalty structure, the following four
perfect Bayesian equilibria exist:
(I) High inspection cost.
If C then δ δ and δ = The firm does not audit, and the regulator does
not access or inspect.
,r Dβ> r
r )
)
1 2 0α= = = 3 1.
(II) Low Inspection cost, high audit cost.
If C and C D then δ δ and δ = The firm does
not audit, and the regulator does not access but always inspects.
,r Dβ< ( ,f f o o aC V Vβ > − + − 1 3 0α= = = 2 1.
(III) Low inspection cost, low audit cost, high access cost.
If C D and (, ,r r f f o o aC D C V Vβ β < < − + − K C D C Dw r r r> −( )β β
3 20, 1δ δ= − 1 /rC= −
r
.r
then
and α The firm mixes ( ) ( )2 1/ ,f o o a fD C V V Dδ β β δ= + − + = Dβ
25
f
C
Reg
ulat
or’s
In
spec
tion
Cos
t,
rC
II
III
IV
I
III
()
fo
oD
CV
Vβ
−+
−a
()
fo
DC
β−
Firm
’s
Aud
it C
ost,
rD
β
Figu
re 5
: E
quili
briu
m r
egio
ns fo
r sc
enar
io 3
, the
opt
imal
reg
ime
char
acte
rize
d by
regu
lato
ry a
cces
s, no
thir
d pa
rty
liabi
lity
and
miti
gate
d pe
nalti
es.
between auditing and no-auditing, and the regulator mixes between [no-access, no-inspect] and
[no-access, inspect].
(IV) Low inspection cost, low audit cost, low access cost.
If C then and ,r Dβ< r 1δ( ) ( )1 2 1 2 30, 1, / , 0, 1f o o a fC C V V Dρ ρ δ β β δ δ= = = + − + = = −
α β= − −1 K D Cw r( r ) The firm mixes between auditing and no-auditing, and the regulator
mixes between [access; no inspect | audit, inspect | no audit] and [no-access, no-inspect].
(a) Equilibrium I (high inspection cost regime): The first equilibrium here is similar to
equilibrium (I) seen in all three previous propositions. In this case, neither the regulator nor the
firm conducts an investigation. Hence, a change in the penalty structure has no effect on this
equilibrium.
(b) Equilibrium II (low inspection cost, high audit cost): The strategies of the firm and the
regulator are also similar in the second equilibrium for all four propositions; however, the set of
parameter values for which this equilibrium occurs differs due to the mitigated penalty.
(c) Equilibrium III (low inspection cost, low audit cost, high access cost): This equilibrium is
similar to equilibrium III in proposition 2, Case (II).
(d) Equilibrium IV (low inspection cost, low audit cost, low access cost, no privilege protection
and no third party liability): This equilibrium is very similar to equilibrium IV in proposition 2,
Case (II), the privilege waived case -- except that the vertical span of this equilibrium is
increased since third party liability costs and litigation cost related to privilege protection are
26
eliminated by limiting the admissibility of audit materials in third party proceedings against the
firm.
The third and fourth equilibria are both mixed-strategy equilibria just as in the privilege
scenario in proposition 2 with the firm’s probability of compliance auditing being similar in both
scenarios. We provide a more detailed comparison of these scenarios in the next section.
IV. IMPLICATIONS OF THE MODEL
When the regulator can only conduct her own inspections (i.e., there is no possibility of
regulatory access), equilibria I through III exist (see proposition 1). By comparing the firm’s
auditing probability in equilibrium III in scenario 1 (regulatory inspection only regime with no
access to the firm’s audits) and equilibrium IV (regulatory access regime in scenarios 2-3), we
can compare the influence of privilege protection versus regulatory access to audit materials on
the firm’s self-auditing behavior. Note that regulatory access does not affect strategies in
equilibria I or II or the parameter values for which they are realized. Second, by comparing the
height of equilibrium IV in proposition 2—Case (I) and Case (II), with equilibrium IV in
scenario 3, we can examine the effect of limiting the admissibility of audit materials in third
party proceedings against the firm on the extent of self-policing conducted by the firm. Third, by
comparing the width of equilibrium IV between Case (I) and Case (II) in proposition 2, we can
determine the impact of asserting privilege and the consequent higher access cost to the regulator
on the extent of self-policing conducted by the firm.
27
A. Corollary 1–Comparing the self-auditing probability with and without regulatory
access to the firm’s self-audits: The probability of corporate self-auditing in equilibrium (IV)
in Scenario 2 (privilege regime)–both cases (I)&(II) is strictly greater than the probability of
self-auditing in equilibrium III in Scenario 1 (inspection regime, no access permitted).
As shown in the proof of corollary 1 in the Appendix, the firm’s auditing probability is
strictly higher in equilibrium (IV) in Scenario 2 – both cases (I)&(II) than in equilibrium III in
Scenario 1. When there is no possibility of regulatory access, the firm modifies its auditing
strategy according to an incentive structure that permits inspection only. When the possibility of
regulatory access is introduced, the firm modifies its auditing strategy to respond to this new
incentive structure by increasing its self-auditing rate. This result may seem counterintuitive
when considered in light of the common argument that a firm is likely to audit more if access is
denied, since the fear of third-party liability or self-incrimination is eliminated. This argument
presumes that the firm’s audit strategy (auditing more or less) would be independent of the
regulatory regime (either permitting or denying access to audits). However, the regulator would
make changes to her own strategy based on the firm’s new incentives and firm would respond to
that. By conducting an equilibrium analysis, it is possible to consider the responses of both the
firm and the regulator simultaneously. When confronted with a regulatory regime where access
to self-audits is unavailable, the regulator switches to inspection regime or conducts no audit at
all depending on its assessment of expected damages due to non-compliance. This creates little
problem when access is costly so that regulator would prefer to use inspection only (equilibrium-
28
III in proposition 2 in both cases). When the regulatory regime is modified to include access, the
regulator uses access as a substitute for inspection only when it is more efficient to do so
(equilibrium-IV in proposition 2 in both cases). This creates the positive incentive for the firm to
switch to good faith self-policing in order to capture the benefits of early detection and remedy
of violations to minimize the regulatory fines and penalties that may otherwise be imposed by
the regulator and which is more costly for the firm. The importance of regulatory access in
increasing the firm’s auditing probability is demonstrated by the equilibrium analysis presented
here, which shows that the firm’s auditing rate is strictly higher when regulatory access is
permitted. In contrast, denying regulatory access through privilege protection merely reduces the
disincentive for firms to engage in self-auditing but does not create a positive incentive to
undertake self-auditing.
B. Corollary 2–Comparing the privilege asserted and the privilege waived cases: The
extent of the access equilibrium when privilege is asserted (Case-I equilibrium IV in proposition
2) is smaller than the access equilibrium when privilege is waived (Case-II equilibrium IV in
proposition 2).
In equilibrium III and equilibrium IV, the firm conducts self-audits. Self-auditing occurs
when the audit cost and the cost of complying associated with the audit is less than the non-
compliance costs resulting from not self-auditing. Although equilibria III and IV are self-audit
regions, the auditing rate is higher in equilibrium IV (access equilibrium) compared to
equilibrium III (inspection equilibrium).
29
Since the focus of this analysis is on maximizing both the extent and rate of self-auditing, it
is desirable to maximize the range of parameters over which equilibrium IV occurs. In
equilibrium III, the regulator employs an inspecting strategy (or does nothing) since the cost of
accessing the firm’s audit records are high (e.g., litigation costs associated with trying to obtain
access are high). As these access costs are reduced below the cost of inspection, the regulator
changes strategy and pursues an accessing strategy. In equilibrium IV, the regulator employs a
mixed strategy [access; no-inspection | audit, inspection | no-audit] and [no-access, no-
inspection] to keep the firm from adopting a pure no-auditing strategy. In addition, in
equilibrium IV, the firm adopts a mixed strategy [audit|waive] and [no-audit|waive] in the case
the firm waives privilege, and [audit|assert] and [no-audit|assert] in the case the firm asserts
privilege to keep the regulator from adopting a pure strategy of accessing. Since the access cost
to the regulator is relatively lower in the privilege waived scenario compared to the privilege
asserted scenario, the access strategy is more efficient than independent inspection for the
regulator over a wider range of inspection costs in the privilege waived scenario compared to the
privilege asserted scenario. Thus, the width of equilibrium IV in the privilege waived case is
larger than the privilege asserted case.
Next, let us now consider scenario 3 in which audit records and materials are rendered
inadmissible in third-party legal proceedings,18 and regulatory access to self-audits is permitted
18 If audit reports are made available only to the regulator, then it may be necessary to structure
meaningful oversight to ensure that the regulator is diligently performing his duties. There may be a 30
without the possibility of privilege protection. This is the optimal legal regime since the
disincentives for self-policing are minimized but positive incentives for self-policing are
preserved. In this scenario, the firm does not face a disincentive to engage in self-policing due to
third-party liability costs (i.e., the reduction in the height of equilibrium IV due to and in
Figures 3 and 4 (scenario 2 -- Cases (I) & (II)) are eliminated in Figure 5), since audit materials
are inadmissible in third-party proceedings.
Cl Ct
In addition, the access costs to the regulator are reduced since he does not have to incur
litigation costs (we assume that the access cost in this scenario is same as the privilege waived
case in scenario 2) to obtain access to audit materials (compare the width of equilibrium IV in
Figure 5 with Figure 3). As a result, the parameter span of equilibrium IV is expanded both
vertically and horizontally. Recall from the discussion presented above that the firm’s auditing
probability is higher in equilibrium IV. It follows that expanding the range of parameters for
which equilibrium IV (compare the height and width of equilibrium IV in Figures 5 with that of
Figures 3 and 4) exists, promotes early detection and remediation of violations. Here, it is
important to note that limiting the admissibility of audit materials and eliminating privilege
protection, reduces the cost of access incurred by the regulator. All these effects work in tandem
to increase the parameter span of the self-auditing equilibrium region with the higher auditing
concern of regulatory capture with both the firm and the regulator entering into a jointly maximizing
relationship. The regulator’s incentives would have to be tailored to minimize the possibility of capture
31
probability (equilibrium IV in Figure 5).
C. Corollary 3–Comparing an independent penalty regime with a mitigated penalty
regime: (I) As the extent of mitigation in penalty, (i.e., the difference between V0 and Va ) is
increased, the set of parameter values that supports equilibria in which the firm includes self-
auditing in its strategy (i.e., equilibrium III in Scenario 1 and equilibria III and IV for both cases
in Scenario 2) becomes larger.
(II) The probability of regulatory inspection in equilibrium III and regulatory access in
equilibrium IV decreases as the magnitude of the difference between V0 and Va increases.
If the penalty for non-compliance is reduced when the firm engages in good-faith self-
policing, the extent of the firm’s self-auditing can be increased since the firm now finds it more
beneficial to include self-auditing in their strategy. With respect to Figures 3 and 4, the firm
engages in self-auditing in equilibria III and IV. With a mitigated penalty conditioned upon
corporate self-policing, the vertical parameter span for equilibria III and IV is increased (see
Figure 5), thereby increasing the self-policing region. This result is consistent with Arlen and
Kraakman's proposal that the amount of mitigation in the penalty may be used to offset the
additional liability to the firm from engaging in increased self-policing.19 Stated differently,
increasing the extent of self-policing by the firm should not correspondingly increase the firm’s
by the firm. Note, however, that the admissibility of audit evidence against specific agents of the firm for
individual wrongdoing may still be permitted. 19 See Arlen & Kraakman, supra note 10 at 746.
32
liability for non-compliance.
Within equilibrium III, the probability of regulatory inspection decreases as the difference
between V and V is increased. In addition, in the access equilibrium (equilibrium IV), the
probability of access by the regulator decreases as the difference between V and V is increased.
This is advantageous to the regulator, as the regulator can ensure that the firm does self-auditing
and, at the same time, he can decrease his own costly access and inspection efforts.
0 a
0 a
When regulatory access to audit reports is made available only to a regulator, that raises the
probability of regulatory capture. Concerns about regulatory capture make restrictions on third-
party access less appealing. However, by structuring meaningful oversight of regulators and
fashioning other incentives for regulators to minimize the possibility of regulatory capture, we
can try to ensure that a regulator is diligently performing her duties, even without third-party
access to audits. It is important to note that our proposal does not limit third-party civil
enforcement actions against firms and does not advocate switching to a pure regulatory
oversight. It only requires that internal audit reports be kept out of the hands of potential
plaintiffs. As a result, the collateral consequences for third-party civil enforcement actions may
be limited. Moreover, the admissibility of audit evidence against specific agents of a firm for
individual wrongdoing is permitted.
In sum, by formally modeling the strategic interaction between a firm and a regulator, we
identify prescriptive measures that provide maximum incentives for firms to engage in self-
policing. Consistent with Arlen and Kraakman’s study of corporate liability regimes, we find
33
that privilege protection, while minimizing the disincentive to undertake self-auditing by
removing the fear of liability, is overbroad and does not by itself create a positive incentive for
corporate self-auditing.20 As an alternative to privilege protection, in order to maximize the
extent and probability of corporate self-policing, we recommend the following measures: (a)
applicable regulatory regimes should grant regulators access to corporate self-audits and move
away from privilege protection; (b) the admissibility of self-audit evidence in third-party legal
proceedings should be eliminated; and (c) mitigated penalties should be imposed on firms
engaging in good-faith self-policing.
V. SENSITIVITY ANALYSIS
In this section, we discuss the sensitivity of strategies employed by the firm and the
regulator to different parameters in the model. For example, it provides us with insight as to
what kind of equilibriums regions and self auditing probability one might observe in two
different industries where one of these parameters may vary systematically. Similarly, it also
provides insight to the type of change one might expect when the value of a parameter (such as
the imposed penalty) increases or decreases. Table II provides an overall summary of the results
of our sensitivity analysis.
34
20 See Arlen & Kraakman, supra note 10 at 744.
Effect of Change in : β
Scenario 1: An increase in increases the region covered by equilibrium III (the self audit
region) expands to both top and right in Figure 2 thereby decreasing the likelihood of both
equilibriums I and II. In equilibrium III, the probability of self-audit increases and the
probability of inspection by the regulator decreases.
β
Scenario 2–Case (I) & Case (II) and Scenario 3:
Equilibrium III and IV (the self-audit region Figures 3-5) expands thereby effectively decreasing
the likelihood of non self-audit regions (Equilibrium I & II).
In Equilibrium III: α increases, δ decreases and δ increases 2 3
In Equilibrium IV: α increases, δ decreases and δ increases 1 3
For example, if we are dealing with an industry in which many firms are out of compliance (high
), then permitting regulatory access to self-audits increases the probability that the firms will
self-audit. This is because in such a non-compliant industry, these firms have more to gain by
increasing the frequency of their self-audits. At the same time, as the self-auditing probability
increases, the regulator finds it more efficient to access the firm’s self-audits instead of
conducting her own inspections, and as a result, the probability of regulator inspections
decreases.
β
35
Effect of Change in C : r
Scenario 1: An increase in increases the region covered by equilibrium I (no self audit and
no inspection region) expand to the left in Figure 2, there by decreasing the likelihood of both
equilibriums II and III. In equilibrium III, the probability of self-audit decreases, but the
probability of inspection by the regulator remains unchanged.
rC
Scenario 2–Case (I) & Case (II) and Scenario 3:
Equilibrium I (no self audit and no inspection region) expand to the left thereby decreasing the
likelihood of Equilibrium II-IV.
In Equilibrium III: α decreases, δ unchanged and δ unchanged 2 3
In Equilibrium IV: α decreases, δ unchanged and δ unchanged 1 3
Effect of Change in C : f
Scenario 1: An increase in increases the region covered by equilibrium II (no self audit and
inspection region) expands to the bottom in Figure 2, there by decreasing the likelihood of
equilibrium III. In equilibrium III, the probability of inspection by the regulator increases but the
probability of self-audit by the firm remains unchanged.
fC
Scenario 2–Case (I) & Case (II) and Scenario 3:
Equilibrium II (no self audit and inspection region) expands to the bottom thereby decreasing the
likelihood of Equilibrium III and IV.
Equilibrium III: α unchanged, δ increases and δ decreases. 2 3
36
Equilibrium IV: α unchanged, increases and δ decreases. 1δ 3
The effect of change in is similar to C as shown above. 0C f
Effect of Change in : fD
Scenario 1: An increase in increases the region covered by equilibrium III (self audit and
inspection region) expands to the top in Figure 2, there by decreasing the likelihood of
equilibrium II. In equilibrium III the probability of inspection by the regulator decreases but the
probability of self-audit by the firm remains unchanged.
fD
Scenario 2–Case (I) & Case (II) and Scenario 3:
Equilibrium III and IV (self audit region) expands to the top thereby decreasing the likelihood of
Equilibrium II.
Equilibrium III: α unchanged, δ decreases and δ increases. 2 3
Equilibrium IV: α unchanged, decreases and δ increases. 1δ 3
Effect of Change in : rD
Scenario 1: An increase in increases the region covered by equilibrium II and III expands to
the right in Figure 2, there by decreasing the likelihood of equilibrium I. In equilibrium III the
probability of self-audit by the firm increases but the probability of inspection by the regulator is
unchanged.
rD
37
Scenario 2–Case (I) & Case (II) and Scenario 3:
Equilibrium II, III and IV (self audit and inspection region) expands to the top thereby
decreasing the likelihood of Equilibrium I.
Equilibrium III: α increases, δ and δ are unchanged. 2 3
Equilibrium IV: α increases, δ and δ are unchanged. 1 3
Effect of Change in and : pK wK
An increase in and affects only the self-audit probability in equilibrium IV in both cases
of scenario 2 and scenario 3. The self-audit probability decreases in all these cases. Thus, an
increase in access cost is detrimental to self policing.
pK wK
VI. CONCLUSION
This article reexamines the common justification for the corporate self-evaluative privilege
(SEP) that privilege protection is necessary in order to avoid creating a disincentive for firms to
engage in self-evaluation. Courts and commentators have repeatedly urged that if a firm knows a
regulator can access its internal audit records, it will correspondingly not engage in diligent
compliance monitoring. Our analysis demonstrates that self-evaluative privilege removes the
disincentive for self-auditing but does not create any positive incentive for self-auditing. In
contrast, a legal regime that grants regulatory access to internal audit materials creates a positive
incentive for firms to engage in self-policing and results in a higher auditing rate than an
inspection only regime, without regulatory access. Increased corporate self-evaluation achieved 38
through a higher self-auditing rate then enables us to capture the societal benefits of early
detection and remedy of violations. Under our analysis, as an alternative to the corporate SEP,
we propose a multi-pronged legal regime that enhances the probability and extent of corporate
self-policing and embraces measures that create positive incentives for firms to engage in self-
auditing, such as: (a) permitting regulatory access to audit materials, and (b) providing mitigated
penalties for firms engaging in self-evaluation. As part of such a legal regime, an additional
measure that limits the admissibility of audit materials in third-party proceedings reduces the
disincentive for firms to engage in self-auditing. Instead of blanket privilege protection, we
propose optimally-designed legal regimes that minimize the disincentive to engage in self-
policing while creating and maintaining positive incentives to undertake corporate self-auditing.
39
TABLE I: SUMMARY OF NOTATION
Parameters:
β = Probability that the firm is out of compliance.
fC = Firm’s audit cost.
oC = Firm’s cost of complying if firm audits.
fD = Firm’s cost of complying if firm does not audit.
tC = Firm’s liability to third parties from audit reports when privilege is waived.
lC = Firm’s cost (e.g., litigation costs) for asserting privilege.
oV = Firm’s penalty if detected out of compliance by regulator.
aV = Mitigated penalty for good faith self-audit by firm in scenario 3.
rC = Regulator’s inspection cost.
wK = Regulator’s assessing cost when the self-evaluative privilege is waived.
pK = Regulator’s assessing cost when the self-evaluative privilege is asserted.
rD = Regulator’s assessment of damage cost.
40
Strategy Elements:
α = Firm’s probability of auditing.
1π = Firm’s probability of asserting the self-evaluative privilege when the firm audits, finds non-
compliance and fixes it, and regulator assesses the audit reports.
2π = Firm’s probability of asserting privilege when the firm audits, finds it is compliant, and the
regulator assesses the audit reports.
3π = Firm’s probability of asserting the self-evaluative privilege when the firm does not audit
and regulator assesses the audit reports.
1δ = Regulator’s probability of accessing.
2δ = Regulator’s probability of not accessing and inspecting.
3δ = Regulator’s probability of not accessing and not inspecting.
1ρ = Given regulatory access, regulator’s probability of inspecting if the firm has audited.
2ρ = Given regulatory access, regulator’s probability of inspecting if the firm has not audited.
γ = Regulator’s probability of inspecting given that accessing is unavailable.
41
TABLE II: SUMMARY OF SENSITIVITY ANALYSIS Change
On→ Of ↓
Self-auditing
probability (α )
Probability of regulatory
access (δ ) 1
Probability of
inspection and no access (δ ) 2
Probability of no
access & no
inspections (δ ) 3
Probability of inspections
when there is no access
(γ )
Penalty, V 0 = = = = = Probability that the firm is not compliant, β
↑
↓
↓
↑
↑
Regulator’s audit cost, rC
↓
=
=
=
=
Firm’s audit cost, C f
=
↑
↑
↓
↑
Firm’s cost of complying, if it audits, 0C
=
↑
↑
↓
↑
Regulator’s assessment of the damage due to the firm’s non-compliance,
rD
↑
=
=
=
=
Firm’s cost of complying if it does not audit,
fD
=
↓
↓
↑
↓
Regulator’s cost of accessing the firm’s audits when privilege is waived, pK
↓
=
=
=
NA
Regulator’s cost of accessing the firm’s audits when privilege is asserted, wK
↓
=
=
=
NA
Legend: increase (↑); decrease (↓); unaffected (=); not applicable (NA)
42
APPENDIX
A. PROOF OF LEMMA 1:
If the regulator accesses and the firm has conducted a compliance audit, the expected cost to the
regulator from inspecting ( and not inspecting ( are: 1ρ =1) 0)1ρ =
1
1
| ( 1) and| ( 0) 0
rER CER
ρρ
= == =
If the firm has conducted a self-audit, it finds and corrects any non-compliance. Hence, an
additional inspection by the regulator simply incurs additional cost, C with no corresponding
benefit. Therefore, the accessing regulator’s dominant strategy is to not inspect if the firm has
conducted a good-faith audit.
,r
B. PROOF OF LEMMA 2:
The expected cost to the firm in the three scenarios when the firm asserts the self-evaluative
privilege are as follows:
olt VCCEF ++−= 111 )1()( πππ (A1)
(Firm audits, finds non-compliance and fixes it, and regulator accesses the audit report.)
lt CCEF 222 )1()( πππ +−= (A2)
(Firm audits, finds it is compliant, and regulator accesses the audit report.)
3 3 2 3 2( ) [ ( )] (1 ) [ ( )l f o fEF C D V D Vπ π βρ π βρ= + + + − + ]o (A3)
(Firm does not audit and regulator accesses the audit report.)
The first order conditions for cost minimization are:
1
1l
EF C Cπ
∂= −
∂ t (A4)
2l
EF C Cπ
∂= −
∂ t (A5)
3l
EF Cπ
∂=
∂ (A6)
If then lC C> t 1 0EF π∂ ∂ > and 2 0EF π >∂ ∂ implying If C then 1 2 0.π π= = l C< t
1EF π∂ ∂ 0< and 2 0EF π <∂ ∂ implying Since 1 2 1.π π= = 3EF π 0lC= >∂ ∂ , we always
have . Note that these three equilibria span the parameter space excluding the razor edge
equilibria.
3 0π =
C. PROOF OF PROPOSITION 1:
In an inspection only regime, there is no regulatory access, and we have an unconditional
penalty. Therefore, the game can be modeled as a simultaneous play, and we derive the Nash
equilibria of the game as follows:
The expected cost to the regulator and firm are:
(A7) (1 )(1 )rER C Dγ γ α= + − − rβ
0f (A8) 0 (1 )fEF C C D Vα αβ α βγ βγ= + + − +
The first-order conditions for expected cost minimization are:
(1 )rER C α βγ
∂= − −
∂ rD (A9)
0fEF C C Dβ βγα
∂= + −
∂ f (A10)
2
1. Equilibrium (I):
Assume . Then C Dr > β r ER γ∂∂ > 0 for any , and is a dominant strategy for the
regulator. Given ,
[0,1]α ∈ 0γ =
0=γ 0,>EF α∂ ∂
0=
implying that the firm’s best response is .
Therefore, and represent equilibrium strategies.
0α =
0γ = α
2. Equilibrium (II):
Assume and . Then r rC β< D )0(f fC D Cβ> − 0,EF α∂ ∂ > implying that the firm’s dominant
strategy is . Given and , 0α = 0α = <r rC Dβ ER γ∂ ∂ < 0, implying that the regulator’s best
response is . Therefore, and represent equilibrium strategies. 1γ = 1γ = α 0=
3. Equilibrium (III):
Assume and . Given r rC β< D )0(f fC D Cβ< − 1 rC Dα = − rβ , the regulator’s best response
is obtained by solving equation (A10). This gives 0( )f fC C Dγ β β= + , where by
. Similarly given
1γ <
0( fC D C− )f β< 0( fC Cγ β= + ) fDβ , the firm’s best response is obtained by
solving equation (A9): 1 r rC Dα β= − , where by . Therefore, 0α > rC β< rD
1= − r rC Dα β and 0 ) fDβ( fC Cγ β= + represent equilibrium strategies.
D. PROOF OF PROPOSITION 2:
CASE (I): , that is, the third party liability cost is greater than legal cost of asserting
privilege.
C Ct > l
1 p
From (5) and (9), the expected cost to the regulator and firm are
(A11)
( ) ( )( ) ( )( ) ( ) ( ) ( )
( ) ( )
1 1 1 1 1 2 1 2
1 1 2 1 2 2
1 2
1 1 1
1 1 1 1
1 1
w p w
w r r r
r
ER K K K K
K C D C
D
δ αβ π δ αβπ δ α β π δ α β π
δ α δ α ρ δ α β ρ δ
δ δ β α
= − + + − − + −
+ − + − + − − +
+ − − −
3
( ) ( ) ( )( ) ( ) ( )
( ) ( )( )
2 1 2 1 1 1 1
1 2 1 2
1 2 2 1 2
1 1
1 1 1
1
f o f t
t l
o
EF C C D C C
C C
V
α αβ α β ρ δ δ αβδ π αβδ π
α β δ π α β δ π
β α δ δ α ρ δ δ
= + + − + + − +
+ − − + −
+ + + − +
l
t
r
r
2
f)
(A12)
In this case the firm’s expected litigation costs for asserting privilege are less than the expected
third party liability costs ( ). Hence, the firm asserts privilege and .
Substituting in equation (A11) and (A12) the expected cost to the regulator and the
firm are:
C Cl < π π1 2 1= =
π π1 2 1= =
ER K K CD C D
p w
r r
( ) ( ) ( )( )( ) ( )( )π π δ α δ α δ α ρ
δ α ρ β δ δ δ α β1 2 1 1 1
1 2 2 1 2
1 1 11 1 1 1= = = + − + −
+ − − + + − − − (A13)
EF C C DC V
f
l
( ) ( ) ([ ( ) ( )( )]
π π α αβ α β ρ δ δ
δ α α δ δ α ρ δ δ β1 2 0 2 1 2
1 1 2 2 1 2 0
1 11
= = = + + − +
+ + + + − + (A14)
1. Equilibrium (I):
Assume that . Define . Using this in equation (A13) and
(A14), the simplified expected costs to the regulator and firm are:
C Dr r> β (ρ2 0= )
r
2 01
∆K K Kp w= −( )
ER K K D C Dp w r r= + − + − + + − − −δ α δ α δ α β δ δ δ α β1 1 1 2 1 21 1 1 1( ) ( ) ( )( ) (A15)
EF C C D C Vf f l= + + − + + + + −α αβ α βδ δ α α δ δ α δ β0 2 1 1 21( ) [ ( ) ( ) ] (A16)
The first-order conditions for cost minimization for the regulator and firm are:
∂∂
= + − = +ER K K Kp w wδ
α α α1
1( ) ∆K (A17)
∂∂
= − −ER Crδ
α β2
1( ) Dr (A18)
∂∂
= + − + +EF C C D Cf f lα
β βδ δ α βδ0 2 1 1V0 (A19)
4
Since , and , the right hand side of (A17) and (A18) is always
positive implying . Using , (A19) reduces to:
K Kw + >α∆ 0 C Dr r> β
δ δ1 2 0= =
0 1≤ ≤α
δ δ1 2= 0=
∂∂
= + >EF C Cfα
β 0 0 , indicating in equilibrium. α = 0
Thus, if , the equilibrium strategies are: , and . This is based
on the out-of-equilibrium beliefs (Lemma 1), , and
C Dr > β r α = 0
ρ2
δ δ1 2 0= =
0= π π1 2=
δ 3 1=
π 3ρ1 0= 1= 0= .
2. Equilibrium (II):
Assume that and . Using in equation (A13) and
(A14), the simplified expected cost to the regulator and firm are:
C Dr r< β ( )ρ2 1= C D Cf f> −β( 0 )
r
0
( )ρ2 1=
ER K K C C Dp w r r= + − + − + + − − −δ α δ α δ α δ δ δ α β1 1 1 2 1 21 1 1 1( ) ( ) ( )( ) (A20)
EF C C D C Vf f l= + + − + + + +α αβ α δ δ β δ α δ δ β0 1 2 1 1 21( )( ) ( ) (A21)
The first-order conditions for cost minimization for the regulator and firm are:
∂∂
= + − + − − −ER K K Cp w rδ
α α α α1
1 1 1( ) ( ) ( ) Drβ (A22)
∂∂
= − −ER Crδ
α β2
1( ) Dr (A23)
∂∂
= + − + +EF C C Dfα
β δ δ β δ0 1 2 1( ) Cf l (A24)
Since , and we have C C Df f+ >β β0 ( )δ δ1 2 1+ ≤ ∂ ∂ >EF α 0 implying . α = 0
Substituting in (A13), we get α = 0 ∂ ∂ = − <ER C Dr rδ β2 0 because C Dr r< β
by assumption. This means . Hence, for C and , δ 2 1= Dr r< β C D Cf f> −β( )0
δ 2 1= , , and are equilibrium strategies. This is based on the out-of-
equilibrium beliefs (Lemma 1), , and
δ1 0= δ 3 0=
ρ1
α = 0
0= ρ2 1= π π1 2 1= = π 3 0= .
5
3. Equilibrium (III):
Assume that , and . Since
, the expected payoff to the regulator and firm are same as (A20) and (A21). Therefore,
(A22), (A23) and (A24) give the first-order conditions. Suppose the firm’s strategy is
C Dr r< β ( )ρ2 1= C D Cf f< −β( )0 K C K D C Dp r r r> + −( )∆ β r/ β
ρ2 1=
α = −1 C Dr
K Cp r ∆
β r
r) / β
. Substituting this in the regulator’s first order condition (A22) and using the fact
that , we have K D C Dr r> + −( β ∂ ∂ >ER δ1 0
f
, implying . Substituting
in (A24), we get , which is less than one. This means (A23) equals zero.
So, solving for from (A23) gives
δ1 0= δ1 0=
δ β2 = +(C Cf
α
β0 ) / D
α βC Dr r= −1 .
Thus, α β= −1 C Dr r
0.
, , and are equilibrium strategies.
This is based on the out-of-equilibrium beliefs (Lemma 1), , and
δ1 0= δ β2 0= +( ) /C C Df f
ρ1 0=
β δ 2δ 3 1= −
ρ2 1= π π1 2 1= =
π 3 =
4. Equilibrium (IV):
Assume that , and . Since
, the expected payoff to the regulator and firm are same as (A20) and (A21). Therefore,
(A22), (A23) and (A24) give the first-order conditions. Suppose the firm’s strategy is
C Dr r< β ( )ρ2 1= C D Cf f< − −β( )0 Cl r/ βK C K D C Dp r r r< + −( )∆ β
ρ2 1=
α β= − + −1 K K D Cp r(∆
K C K D Cp r r r< + −(∆ β
r )
r) / β
. Substituting this in (A23) and using the fact that
, we have D ∂ ∂ >ER δ 2 0
− )Cf l
, implying . Substituting this in
(A24), we get , which is less than one. This means we can solve
(A22) as an equality to get
δ 2 0=
δ β1 0= +( )C Cf β/ ( D
α = −1 K Kp ∆ β+ −D Cr( )r . Thus, α β+ −K K D Cp r( )∆
1 2 1= 3 0π =
= −1
1 π π=
r ,
, , , , , and are
equilibrium strategies.
δ β β1 0= + −( ) / (C C D Cf f )l δ 2 0= δ δ3 11= − ρ1 = 0 ρ2 =
6
CASE (II): , that is third party liability cost is less than legal cost of asserting privilege.C Ct < l
t
)1 α
t
In this case, the firm’s expected litigation costs for asserting privilege are less than the expected
third party liability ( ). Hence, the firm waives privilege protection and .
Substituting in equation (A11) and (A12), the expected cost to the regulator and the
firm are:
lC C>
0=
1 2 0π π= =
1 2π π=
( ) ( ) ( ) ( ) (1 1 2 2 1 2 1 21 1 1 1w r r r rER K C C D Dδ δ α ρ δ δ α β ρ δ δ β= + − + + − − + − − − (A25)
( ) ( )( ) ( )( )
2 1 2 1
1 2 2 1 2
1
1f o f
o
EF C C D C
V
α αβ α β ρ δ δ αδ
β α δ δ α ρ δ δ
= + + − + +
+ + + − + (A26)
1. Equilibrium (I):
Assume that . Using this in equation (A25) and (A26), the simplified expected
cost to the regulator and firm are:
C Dr r> β (ρ2 0= )
)α
)2
( ) (1 2 21 1w r rER K C Dδ δ δ β= + + − − (A27)
( ) (2 1 11f o f t oEF C C D C Vα αβ α βδ αδ β αδ δ= + + − + + + (A28)
The first-order conditions for cost minimization for the firm and regulator are:
1w
ER Kδ
∂=
∂ (A29)
( )2
1rER C α βδ
∂= − −
∂ rD and (A30)
2 1f o f t oEF C C D C Vβ βδ δ βα
∂= + − + +
∂ 1δ (A31)
Since , and , the right hand side of (A29) and (A30) is always
positive, implying . Using , (A31) reduces to:
0wK > C Dr r> β
δ δ=
0 1≤ ≤α
0=1 2 δ δ1 2 0= =
7
∂∂
= + >EF C Cfα
β 0 0 , indicating in equilibrium. α = 0
Thus, if the equilibrium strategies are: C Dr > β r
α = 0
ρ2
, and . This is based on the out-of-equilibrium beliefs (Lemma
1), and .
δ δ1 2 0= =
0=
δ 3 1=
3 0π =
ρ1 0=
1 2π π= =
2. Equilibrium (II):
Assume that and . Using in equation (A25) and
(A26), the simplified expected cost to the regulator and firm are:
C Dr r< β ( )ρ2 1= C D Cf f> −β( 0 )
)1 α
)
( )ρ2 1=
( ) ( ) (1 1 2 1 21 1w r r rER K C C Dδ δ α δ δ δ β= + − + + − − − (A32)
( ) ( ) (1 2 1 1 21f o f t oEF C C D C Vα αβ α β δ δ αδ β δ δ= + + − + + + + (A33)
The first-order conditions for cost minimization for the regulator and firm are:
1
(1 ) (1 )w rER K Cα αδ
∂= + − − −
∂ rDβ (A34)
∂∂
= − −ER Crδ
α β2
1( ) Dr (A35)
∂∂
= + − + +EF C C Dfα
β δ δ β δ0 1 2 1( ) Cf l (A36)
Since and , we have C C Df f+ >β β0 ( )δ δ1 2 1+ ≤ ∂ ∂ >EF α 0 , implying . α = 0
Substituting in (A13), we get α = 0 ∂ ∂ = − <ER C Dr rδ β2 0 because , C Dr r< β
by assumption. This means . Hence, for C and , δ 2 1= Dr r< β C D Cf f> −β( )0
δ 2 1= , , and are equilibrium strategies. This is based on the out-of-
equilibrium beliefs (Lemma 1), and .
δ1 0= δ 3 0=
ρ1
α = 0
0= ρ2 1= 1 2 3 0π π π= = =
8
3. Equilibrium (III):
Assume that , and . Since ,
the expected payoff to the regulator and firm are same as (A32) and (A33). Therefore, (A34),
(A35) and (A36) give the first-order conditions. Suppose the firm’s strategy is
C Dr r< β ( )ρ2 1= C D Cf f< −β( )0 ( ) /w r r rK C D C Dβ> − rβ ρ2 1=
α = −1 C Dr
(w r rK C Dβ> −
β r
rβ
. Substituting this in the regulator’s first order condition (A34) and using the fact
, we have ) /rC D ∂ ∂ >ER δ1 0 , implying . Substituting in (A36)
we get , which is less than one. This means (A35) equals zero. So solving
for from (A35) gives
δ1 0= δ1 0=
δ β2 = +(C Cf
α
β f0 ) / D
α C Dr β r= −1 . Thus, α β= −1 C Dr r δ1, ,
and are equilibrium strategies. This is based on the out-of-equilibrium beliefs
(Lemma 1), and
0= δ β2 0= +( )C C β/ Df f
ρ1 0=δ δ3 21= −
ρ2 1= 1 2 3 0.π= = =π π
4. Equilibrium (IV):
Assume that , and . Since
, the expected payoff to the regulator and firm are same as (A32) and (A33). Therefore,
(A34), (A35) and (A36) give the first-order conditions. Suppose the firm’s strategy is
C Dr r< β ( )ρ2 1= 0( )f fC D Cβ< − − tC rβ( ) /w r r rK C D C Dβ< −
ρ2 1=
1 (w rK D Cα β= − −
(w r r rK C D Cβ< −
)r
rβ
. Substituting this in (A35) and using the fact that
, we have ) / D ∂ ∂ >ER δ 2 0
)f tC
, implying . Substituting this in (A36),
we get , which is less than one. This means we can solve (A34) as
an equality to get
δ 2 0=
1 0( )fC Cδ β= + /( Dβ −
1 (w rK D )rCβ −α = − . Thus, 1 (w rK Dα β
1 2 π= =
)r ρ1 0=C= − −
δ 3 0π π =
, , ,
, , and are equilibrium strategies.
ρ2 1=
1 0( ) /(f fC C Dδ β β= + )tC− δ 2 0= δ 3 11= −
E. PROOF OF PROPOSITION 3:
9
In this case the firm is protected from third party liability for the information accessed by the
regulator (privilege is waived) and the penalty is reduced for good faith self-policing efforts, i.e.,
if the firm audits and fixes any non-compliance, the firm is penalized an amount which is less
than the unconditional penalty, V 0.a V<
( ) ( ) ( ) ( ) (1 1 2 2 1 2 1 21 1 1 1w r r r rER K C C D Dδ δ α ρ δ δ α β ρ δ δ β= + − + + − − + − − − )1 α
0( )
(A37)
1 2 2 1 0 2[ ] (1 ) ( )f o a a f fEF C C V V D V D Vα β βδ βδ α β ρ δ δ = + + + + − + + + (A38)
1. Equilibrium (I):
Assume that . Using this in equation (A37) and (A38), the simplified expected
cost to the regulator and firm are:
C Dr r> β (ρ2 0= )
)α
0( )
( ) (1 2 21 1w r rER K C Dδ δ δ β= + + − − (A39)
1 2 2 1 0 2[ ] (1 ) ( )f o a a f fEF C C V V D V D Vα β βδ βδ α β ρ δ δ = + + + + − + + + (A40)
The first-order conditions for cost minimization for the firm and regulator are:
1w
ER Kδ
∂=
∂ (A41)
( )2
1rER C α βδ
∂= − −
∂ rD and (A42)
1 2 2( ) (f o a oEF C C V V Dβ β δ δ βδα
∂= + + + − +
∂)f (A43)
Since , and , the right hand side of (A41) and (A42) is always
positive, implying . Using , (A43) reduces to:
0wK > C Dr r> β
δ δ=
0 1≤ ≤α
0=1 2 δ δ1 2 0= =
∂∂
= + >EF C Cfα
β 0 0 , indicating in equilibrium. α = 0
Thus, if , the equilibrium strategies are: C Dr > β r
10
α = 0
ρ2
, and . This is based on the out-of-equilibrium beliefs (Lemma 1)
and .
δ δ1 2 0= =
0=
δ 3 1= ρ1 0=
2. Equilibrium (II)-(IV):
Assume that . Using this in equation (A37) and (A38), the simplified expected
cost to the regulator and firm are:
r rC Dβ< 2(ρ = 1)
)1 α
0( )
( ) ( ) (1 1 2 1 21 1w r r rER K C C Dδ δ α δ δ δ β= + − + + − − − (A44)
1 2 1 0 2[ ] (1 ) ( )f o a a f fEF C C V V D V D Vα β βδ βδ α β δ δ = + + + + − + + + (A45)
The first-order conditions for cost minimization for the firm and regulator are:
1
(1 ) (1 )w rER K Cα αδ
∂= + − − −
∂ rDβ (A46)
∂∂
= − −ER Crδ
α β2
1( ) Dr (A47)
0 1 2 0( )(fEF C C V V Dβ β δ δα
∂= + − + − +
∂)a f
D
r
(A48)
Note that the conditions (A46), (A47) and (A48) are identical to conditions (A34), (A35) and
(A36) in Proposition 3, if we substitute for and C Using this identity
we know that the equilibria for the modified game when C are:
*fD 0( )a fV V D− +
<
0.t =
Dr rβ
(II) If C andC D , then , , and are equilibrium
strategies. This is based on the out-of-equilibrium beliefs (Lemma 1) and .
r r< β *0( )f f Cβ> − δ 2 1= δ1 0= δ 3 0=
ρ1 0=
α = 0
ρ2 1=
(III) If C D , and , then r r< β *0( )f fC D Cβ< − ( ) /w r r rK C D C Dβ β> − α β= −1 C Dr r , ,
and are equilibrium strategies. This is based on the out-of-
equilibrium beliefs and .
δ1 0=
*0 ) /f fDβ δ 3 1= −
ρ1 0= ρ2 =
2 (C Cδ β= + δ 2
1
11
(IV) If , and , then C Dr r< β *0( )f fC D Cβ< − ( ) /w r r rK C D C Dβ β< − r 1 (w rK D Cα β= − − )r
δ1
f
,
, , , and are equilibrium strategies. ρ1 0= ρ2 1= 1 0( )C Cδ β= + /(f fDβ )tC− δ 2 0= δ 3 1= −
To convert these equilibria to the ones stated in Proposition 3, substitute for . 0( )aV V D− + *fD
F. PROOF OF COROLLARY 1:
If ( )w, + < - , and K < .r r r
r r f o f tr
C D CC D C C D C
Dβ
β β ββ
−<
( )
Compare equilibrium (IV) in
both cases of Proposition 2 with equilibrium (III) in Proposition 1. Each of this equilibrium will
occur given the conditions noted above. The probability of an audit by the firm is
wK1r rD Cβ
= −−
α in equilibrium (IV) in Case I. In the inspection only equilibrium,
equilibrium (III), the probability of a self-audit by the firm is 1 r
r
CD
αβ
= − .
( )wKThus, if 1 1 r
r r r
CD C Dβ β
− > −−
, the probability that the firm will conduct a compliance
audit is greater when regulatory access is granted. This is same as
KD C
CD
w
r r
r
r( )β β−< . Or, alternatively K C D C
Dwr r r
r
<−(β
β) , is which is true as an assumed
condition for equilibrium (IV) in Case I to occur. Similarly, it can be shown that the probability
of self-auditing for Case II in equilibrium (IV) is greater compared to the self-auditing
probability in the no access situation.
G. PROOF OF COROLLARY 2:
12
Consider equilibrium (IV) in both privilege asserted (Case(I)) and privilege waived (Case(II))
cases. From Proposition 2--Case I and Proposition 2--Case II, values of C for which we get
access equilibria are defined by and in
the privilege asserted and privilege waived cases respectively. Substituting and
rearranging terms, the condition for the privilege asserted case is equivalent to
r
(w rK CK C K D C Dp r r r< + −( )∆ β β r/ r) /r rD C Dβ β< −
∆K K Kp= −( )w
K C D C Dw r r r r< − −( )β β 1
rC
C D Kr r p−( )β . From the continuity of C , we know that the range
of values of for which
r
K C D C Dw r r r r< −( )β β is strictly larger than the range of values for
which K Cw r D Cr< −( ) D C D Kr r r r p− −( )β β β1 .
H. PROOF OF COROLLARY 3:
Assume Then as V increases, the set of parameters for which
> 0 holds becomes smaller. That is, the parameter space for
which equilibrium II (in which the firm never self-audits) occurs is reduced and the parameter
space for which equilibria III and IV occur (i.e., the equilibria in which the firm self-audits with
positive probability), becomes larger.
.rC Dβ<
0 +fD V− −
r 0 aV−
tC+ ( )af oC C Vβ −
The proof for the decrease in the probability of inspections by the regulator in equilibrium III
and the probability of regulatory access in equilibrium IV is straightforward from a comparison
of the regulator’s and firm’s strategies in the respective equilibria for the setting with a
unconditional penalty in Proposition 2 and a mitigated penalty in Proposition 3.
13