Do We Need the Corporate Self-Evaluative Privilege?

Law and Economics Working Papers Series Working Paper No. 00-26

August 2001

Jay P. Kesan* Birendra K. Mishra**

*Assistant Professor of Law, University of Illinois at Urbana-Champaign **Assistant Professor, Department of Accounting and Information Science,

University of Texas at Dallas

This paper can be downloaded without charge from the Social Science Research Network Electronic Paper Collection:

http://papers.ssrn.com/abstract=279300

DO WE NEED THE CORPORATE SELF-EVALUATIVE PRIVILEGE?

http://papers.ssrn.com/abstract=279300

DO WE NEED THE CORPORATE SELF-EVALUATIVE PRIVILEGE?1

Jay P. Kesan2 and Birendra K. Mishra3

1 The authors acknowledge the helpful comments provided by the faculty seminar participants at the Duke

University School of Law and the University of Illinois College of Law. We are also grateful to Richard

McAdams, Alan Meese, Richard Painter, and Tom Ulen for their helpful comments and suggestions to an

earlier draft of this paper. 2 Assistant Professor of Law, University of Illinois at Urbana-Champaign, College of Law. 3 Assistant Professor, Department of Accounting and Information Science, University of Texas at Dallas.

DO WE NEED THE CORPORATE SELF-EVALUATIVE PRIVILEGE?

ABSTRACT

This article critically examines the common justification for the corporate self-evaluative

privilege (SEP) that such privilege protection is essential in order to avoid chilling corporate self-

policing. We develop a formal game theoretic model to study the strategic interaction between a

regulator and a firm considering a self-audit. We show that the protection accorded by the self-

evaluative privilege removes the disincentive for self-auditing but does not create any positive

incentive for self-auditing. In contrast, a legal regime that grants regulatory access to a firm's

internal audit materials creates a positive incentive for firms to engage in self-policing and

results in a higher self-auditing rate compared to an inspection regime (i.e., no regulatory access,

thereby permitting inspections only). In addition, any disincentive to the firm to engage in self-

policing can be minimized by limiting the admissibility of audit materials in third-party legal

proceedings. Finally, mitigating possible penalties for firms engaging in good faith compliance

auditing, can further encourage self-policing. Thus, as an alternative to the corporate SEP, we

envision a combination of measures that maximizes the extent and probability of corporate self-

policing comprising: (a) permitting regulatory access to self-audits; (b) limiting the admissibility

of audit materials in third-party proceedings against the firm; and (c) providing mitigated

penalties for firms engaging in good faith self-policing. These measures capture the societal

benefits of increased corporate self-policing in terms of early detection and remedy of violations

while minimizing the fear of collateral liability arising from one's self-evaluation efforts.

2

I. INTRODUCTION

II. MODEL

A. Expected Costs for Scenario 1: Inspection Only Regime

B. Expected Costs for Scenario 2: Privilege Regime

C. Expected Costs for Scenario 3: Regulatory Access, No Admissibility of Audit

Materials in Third Party Proceedings and Mitigated Penalty

III. EQUILIBRIA

A. Scenario 1: Inspection Only Regime

B. Scenario 2: Privilege Regime

C. Scenario 3: Regulatory Access, No Admissibility of Audit Materials in Third

Party Proceedings and Mitigated Penalty

IV. IMPLICATIONS OF THE MODEL

A. Corollary 1–Comparing the self-auditing probability with and without regulatory

access to the firm’s self-audits

B. Corollary 2–Comparing the privilege asserted and the privilege waived cases

C. Corollary 3–Comparing an independent penalty regime with a mitigated penalty

regime

V. SENSITIVITY ANALYSIS

VI. CONCLUSION

3

I. INTRODUCTION

The corporate self-evaluative privilege4 (SEP) has been a mainstay in the law for several

decades. Almost thirty years ago, courts recognized the self-evaluative privilege in Bredice v.

Doctors Hospital,5 a medical malpractice case widely regarded as the first case recognizing such

a privilege. The Bredice court reasoned that privilege protection was essential in order for firms

to engage in “candid and conscientious evaluation” since “[c]onstructive professional criticism

cannot occur in an atmosphere of apprehension...”6 The court also noted that there was

overwhelming public interest in preserving the confidentiality of such evaluations. Since then,

courts have recognized the corporate self-evaluative privilege in several areas of the law, such as

securities litigation, discrimination law, and environmental law. Over twenty states have passed

laws recognizing such a privilege to protect the confidentiality of communications relating to

voluntary internal self-audits conducted by firms.7 While the specific scope of protection

accorded by the privilege varies greatly among the states, it generally protects self-audit

4 The self-evaluative privilege is also referred to as the privilege of self-critical analysis. See, for

example, David P. Leonard, Codifying a Privilege for Self-Critical Analysis, 25 Harv J on Legis 113

(1988); Note, The Privilege of Self-Critical Analysis, 96 Harv L Rev 1083, 1083 (1983). 5 50 F.R.D. 249 (D DC 1970), aff’d without opinion, 479 F2d 920 (DC Cir 1973). 6 Bredice, 50 FRD at 250. 7 See, for example, John-Mark Stensvaag, The Fine Print of State Environmental Audit Privileges, 16

UCLA J of Envt L & Policy 69, 79 (1997-98); Lisa Koven, Comment, The Environmental Self-Audit

Evidentiary Privilege, 45 UCLA L Rev 1167, 1181-82 n 97 (1998); D. Marsh Prause, Environmental

Auditing: Stuck Between A Progressively Softer Rock and a Hard Place, 17 E Min L Found § 6.04. 4

materials from discovery and renders them inadmissible in any civil, criminal, or administrative

action. States such as Texas and Idaho grant absolute immunity from administrative, civil, and

criminal penalties as long as violations discovered by an internal audit are disclosed and

remedied. Many states permit privilege protection subject to the following exceptions: waiver of

privilege by the firm; assertion of privilege for fraudulent purpose; and loss of privilege if the

firm does not achieve compliance within a reasonable period of time after disclosure of the

violation.8

The U.S. Department of Justice (DOJ) and numerous civic groups wish to preserve their

access to corporate internal audit materials and are against the recognition of a corporate self-

evaluative privilege. As a senior DOJ official has noted, these privileges “shield illegal

misconduct, interfere with law enforcement, conceal information vital to public health and

safety, create an atmosphere of distrust between regulators and regulated entities, and conflict

with public policies of openness and corporate accountability.”9

The issue of whether regulatory bodies should have access to internal self-audits and the

self-evaluative privilege’s role in encouraging corporate self-evaluation is also controversial in

the academic literature. On one hand, it is urged that the public has a right to know about

8 See Eric W. Orts & Paula C. Murray, Environmental Disclosure and Evidentiary Privilege, 1997 U Ill L

Rev 1, 22-24. 9 Attorneys Debate Merits of Audit Bill, Interim EPA Policy on Voluntary Disclosure, 26 Env’t Rep

(BNA) 690, 690 (Aug 11, 1995) (quoting Assistant Attorney General for the Environmental and Natural

Resources Division of the Justice Department Lois Schiffer). 5

corporate wrongdoing; therefore, the SEP, to the extent that it encourages corporate secrecy,

should not be tolerated.10 On the other hand, there is concern that without the protection

accorded by the SEP, companies will not engage in any internal auditing for fear of generating a

litigation roadmap for potential plaintiffs. Commentators urge that this disincentive to

establishing effective compliance programs must be removed by providing adequate protection

for confidential audit materials.11

This article develops a formal game theoretic model of the strategic interaction between a

regulator12 and a firm contemplating an internal self-audit. The goal is to study the affect of:

(a) the existence of the self-evaluative privilege; (b) the regulator’s ability to access the firm’s

internal self-audits on the likelihood and extent of corporate self-auditing in a strategic setting;

and (c) the influence of mitigated penalties on the firm’s decision to engage in self-policing. In

addition, we also investigate the impact of limiting the admissibility of audit materials in third

party proceedings against the firm on corporate self-policing.

Our key insights are the following: permitting regulatory access is superior to privilege

protection in terms of increasing the probability of corporate self-policing because the existence

10 See Michael Ray Harris, Promoting Corporate Self-Compliance: An Examination of the Debate Over

Legal Protection for Environmental Audits, 23 Ecology L Q 663, 706-07 (1996). 11 See, for example, Jennifer Arlen, The Potentially Perverse Effects of Corporate Criminal Liability, 23 J

Legal Stud 833, 833-37 (1994); Jennifer Arlen & Reinier Kraakman, Controlling Corporate Misconduct:

An Analysis of Corporate Liability Regimes, 72 NYU L Rev 687, 743-44 (1997).

6

of the privilege merely removes the disincentive to engage in self-policing but does not, by itself,

create any positive incentive for self-policing. Regulatory access creates a positive incentive for

self-policing and increases the probability that a firm will engage in compliance auditing when

compared to a legal regime that does not permit access to audit materials (i.e., an inspection

regime). Furthermore, limiting the admissibility of audit materials in third-party legal

proceedings minimizes the firm’s disincentive to engage in self-policing. Finally, mitigated

penalties for firms engaging in good faith compliance auditing can further encourage self-

policing. To maximize the extent and probability of corporate self-policing, we propose

permitting regulatory access to self-audits; limiting the admissibility of audit materials in third-

party proceedings against the firm; and providing mitigated penalties for firms engaging in good

faith self-policing. Our proposal captures the societal benefits of increased corporate self-

policing (brought about by regulatory access and mitigated penalties) in terms of early detection

and remedy of violations, while minimizing the fear of potential collateral liability due to

increased compliance auditing (by limiting the admissibility of audit materials in third party legal

proceedings).

Previous justifications for maintaining privilege protection do not consider the full scope of

the strategic interaction between a regulator and a firm. In analytic terms, the argument is based

on decision theoretic reasoning and does not simultaneously take into account the strategies and

12 In our model, it does not matter whether the regulator is a government agency or an industry

consortium or other self-regulating entity. 7

reactions of both the firm and the regulator. By formally modeling the expected costs under the

different strategies employed by the firm and the regulator, and then deriving the equilibrium

conditions, we demonstrate the importance of regulatory access in increasing the probability of

self-policing by the firm, i.e., creating a positive incentive to engage in self-policing. What

seems to be counterintuitive at first glance can be understood by examining the strategies

employed by the firm and regulator simultaneously and analyzing them interdependently. When

confronted with a regulatory regime where access to self-audits is unavailable (i.e., akin to an

absolute privilege regime), the regulator can only independently inspect and audit the company’s

activities even though accessing would have been a more efficient tool. Knowing that audit

access is not available to the regulator, the firm engages in self-policing at a lower level. When

the regulatory regime is modified to include access, the regulator uses access as a substitute for

inspection only when it is more efficient to do so. This creates the positive incentive for the firm

to switch to good faith self-policing in order to capture the benefits of early detection and remedy

of violations to minimize the regulatory fines and penalties that may otherwise be imposed by

the regulator. Our analysis clearly demonstrates that a firm’s knowledge that the regulator can

access its internal audit records increases the probability that the firm will engage in self-

policing. Thus, we cannot readily assume that regulatory access to self-audits will chill

corporate self-evaluation and remediation. Instead of privilege protection, alternative legal

regimes can be designed that remove the fear of self-incrimination, while creating positive

incentives for firms to engage in self-policing.

8

II. MODEL

We model the strategies employed by a firm and a regulator as a single period, two player,

compliance game. We consider three scenarios in this game. First, we analyze a baseline

scenario – an inspection only regime (i.e., no possibility of regulatory access to internal audits

and equivalent to according absolute privilege protection to the firm). Second, we consider a

privilege setting in which privilege protection may be asserted or waived by the firm in response

to a regulator’s action seeking access to internal audits. Third, we examine a scenario, which we

show to be optimal, in which regulatory access is allowed, the admissibility of audit materials in

third party proceedings against the firm is not permitted and mitigated penalties are imposed on

firms engaging in good faith self-policing.

Figure 1 shows the time line of events in the game for the privilege scenario.13 To start with

the firm is stochastically in compliance or out of compliance with governing regulations with a

probability, , typical for the industry to which the firm belongs.β 14 The firm may or may not

13 The time line for other scenarios are similar and we note the differences when describing the specific

scenario. 14 This representation is quite standard in the economics and management science literature. is the

steady state rate at which the firm goes out of compliance (i.e., the rate in the industry that the firm

belongs to) is a function of several factors including the regulatory regime (including the penalty), the

technology requirements, and compliance training for employees. Since any shift or adjustment in

industry non-compliance rates evolve over a long period of time, and our focus is on regulatory access to

β

9

Firm

is in

co

mpl

ianc

e or

not

st

ocha

stic

ally

Firm

ch

oose

s to

self-

audi

t or

not

Reg

ulat

or

choo

ses t

o ac

cess

firm

’s

audi

ts o

r no

t

Firm

ch

oose

s to

asse

rt p

rivi

lege

pr

otec

tion

or

wai

ve

priv

ilege

pr

otec

tion

Reg

ulat

or

choo

ses t

o in

spec

t fir

m

or n

ot

Payo

ffs

real

ized

Figu

re 1

: T

ime

line

of e

vent

s in

the

gam

e. N

ote

that

step

s 2

and

3 in

the

time

line

of e

vent

s do

not o

ccur

in S

cena

rio

1 –

an

insp

ectio

n on

ly r

egim

e (i.e., a

kin

to a

bsol

ute

priv

ilege

) bec

ause

ther

e is

no

poss

ibili

ty o

f reg

ulat

ory

acce

ss to

aud

it m

ater

ials

.

choose to conduct a compliance audit. We assume that if an audit is conducted, the firm will

detect non-compliance and will remedy any violations. It is also implicitly assumed that the

direct costs (i.e., regulatory penalties) and the indirect costs (e.g., bad publicity) of not correcting

violations exceeds the firm’s cost of correcting violations.

As shown in Figure 1, the regulator may choose to access the firm’s audit records, proceed

directly to conduct his own inspection, or do nothing (i.e., neither access nor inspect). If the

regulator attempts to access the audit records, the firm may choose to assert privilege in order to

fight regulatory access or waive privilege and permit access. In this model, a firm chooses to

assert privilege if it believes that its costs of fighting regulatory access (e.g., litigation-related

costs) are less than the potential liability arising from having its audit reports made available to

the public. In the opposite situation, a firm may choose to waive privilege if it believes the

potential liability from its audit reports is less than the costs associated with asserting privilege.

Regardless of whether the regulator is able to access the firm’s audit reports, he may or may not

choose to conduct his own independent inspection. Finally, the payoffs of the firm and regulator

are realized.

Table I provides a summary of notations of the parameters and strategies used in this paper.

self-audits which can be adjusted rather quickly, we keep this rate fixed in our model to study the affect of

our variables of interest. This is in the spirit of controlling for confounding factors to see the effect of

other variables in an experiment (the ceteris paribus argument).

10

As shown in the list of parameters in Table I, the model assumes that there is a cost, , to the

firm of conducting an audit and a cost, C , to comply when non-compliance is detected and

remedied. If the firm is non-compliant but does not conduct an audit, the costs of complying

increase as additional damage is accrued ( ). The regulator’s cost of inspection is C .

The access costs to the regulator depend upon whether the firm chooses to fight access by

asserting privilege, , or instead permits access by waiving privilege, . There are two types

of penalties in the model. In one case, the regulator may choose to impose a penalty independent

of whether the firm or the regulator detected the non-compliance, V . Alternatively, the

regulator may choose to impose a reduced penalty, V , if the firm discovered and remedied the

non-compliance.

Cf

0

D Cf > 0 r

K p Kw

0

a

In each of the three scenarios the firm and the regulator minimize their total expected costs.

The firm’s expected total costs, include audit costs, costs associated with waiving or asserting

privilege, and the costs of non-compliance (costs of bringing to compliance and associated

fines/penalties). The regulator’s expected total costs include inspection costs, privilege-

dependent access costs, and the cost due to undetected damage when the firm is non-compliant.

Before discussing the detailed expected costs for each scenario, we state two results in Lemma 1

and Lemma 2 that we use to simplify our analysis.

Lemma 1: When the firm has conducted a compliance audit, and the regulator accesses the

firm’s audit report, the regulator does not inspect, i.e., (All proof s are given in the 1 0.ρ =

11

Appendix).

By accessing the firm’s audit report, the regulator knows that the firm either has committed

no violations or has already detected and corrected any non-compliance.15 Because the firm is in

compliance at the time the regulator accesses the audit materials, any additional inspection effort

by the regulator is unnecessary and inefficient. Hence, the regulator does not inspect. When the

regulator accesses the firm’s compliance audit report, his subsequent action may include an

independent inspection, if the firm has not already conducted a compliance audit.

Lemma 2: If the firm has not conducted an audit and the regulator attempts to access the audit

reports, the firm will not assert the self-evaluative privilege, i.e., π = 3 0.

When the firm has not conducted an internal audit, it has no fear that its audit materials may

be a source of potential liability. In these circumstances, the firm will not assert the self-

evaluative privilege since the costs of asserting and maintaining privilege protection are greater

than the third-party liability costs (which, in this case, is non-existent since no audit was

conducted), when privilege is waived.

Next, we describe the details of the total expected cost for the firm and the regulator for

each of the three different scenarios.

15 Assuming that the regulator can only imperfectly determine (with some probability) whether the firm

has engaged in proper self-auditing does not qualitatively change any of our insights. Thus, this is not a

critical assumption in our model. 12

A. Expected Costs for Scenario 1: Inspection Only Regime (i.e., no regulatory access)

In this scenario, the regulator cannot access the firm’s compliance self-audit materials and

thus cannot determine if the firm has audited. Therefore, this particular setting can be modeled

as a simultaneous game. The firm can conduct a compliance audit or not, and the regulator can

inspect or not (but is unable to access any existing audits in the firm’s possession). In other

words, this inspection only scenario corresponds to the situation in which there is absolute

privilege protection and regulatory access to internal audits is denied. Let α and γ denote the

probability of audit by the firm and inspection by the regulator, respectively.

The expected cost to the regulator is:

ER ( )( )1 1r rC Dγ γ α= + − − β

o

o

)

) ,fD

The regulator’s expected cost is composed of two elements: the expected cost of inspection

and the expected undetected damages due to non-compliance . ( ) ,rCγ ( ) ( )( )1 1 rDγ α β− −

The expected cost to the firm is given by:

EF ( ) ( ) ( )1f o o fC C V D Vα β βγ α βγ= + + + − +

Rearranging the above, we get,

EF { } ( ){ } { }1 .f o fC C D Vα αβ α βγ βγ= + + − +

The firm’s expected cost is composed of three elements: expected audit cost expected

cost of complying and the expected penalty

( ,fCα

( )( 1oCαβ α βγ+ − ( ).oVβγ

13

B. Expected Costs for Scenario 2: Privilege Regime

The expected cost to the regulator for its three different strategies are:

Access: 1|ER s =

( ) ( )( ) ( ) ( )( ) ( )( ) ( ) ( )

1 1 2 2 3

2 2

1 1 1 1 1 1

1 1 1w p w p w

r r

K K K K K

C D

αβ π αβπ α β π α β π α π α π

α ρ α β ρ

− + + − − + − + − − + −

+ − + − −31 pK

rC

3|

The terms with denote the access cost to the regulator when the firm waives its privilege.

The terms with denote the access cost to the regulator when the firm asserts privilege. The

term with C denotes the expected cost of inspection when the regulator accesses and finds that

the firm has not conducted self-audit and chooses to inspect. The last term denotes the expected

undetected damage as assessed by the regulator when using this strategy.

Kw

Kp

r

No access, inspection: 2|ER s =

( ) ( )( ) ( )1 1 1 1r r r rC C C Cα β αβ α β α β− + + − − + − =

No access, no inspection: 3|ER s =

( )( ) ( ) ( )( )( ) ( ) ( )1 0 0 1 1 0 1 1r rD Dα β αβ α β β α β α− + + − − + − = −

The total expected cost for the regulator is given by:

( )1 1 2 2 1 2| | 1ER ER s ER s ER sδ δ δ δ= + + − −

Recalling that π = from lemma 2 we get 3 0

14

( ) ( )( ) ( )( ) ( ) ( ) ( )

( ) ( )

1 1 1 1 1 2 1 2

1 1 2 1 2 2

1 2

1 1 1

1 1 1 1

1 1

w p w

w r r r

r

ER K K K K

K C D C

D

δ αβ π δ αβπ δ α β π δ α β π

δ α δ α ρ δ α β ρ δ

δ δ β α

= − + + − − + −

+ − + − + − − +

+ − − −

1 p

1 t

C

2

(1)

The expected cost to the firm for its two different strategies are:

Auditing:

( ) ( ) ( )( )

1

0 1 0 2 0 1 1 1 1 1 2

1 2

|1 1

1f t l

l

EF aC C V V C C C

C

β βδ βδ βδ π βδ π β δ π

β δ π

= + + + + − + + − −

+ −

The costs for this strategy includes the audit and compliance cost . The terms with V

are the expected penalty cost, the terms with C are the expected third party liability cost and the

terms with C are the expected litigation costs to assert privilege.

Cf + β 0 0

t

l

Not auditing:

( ) ( )2

2 1 2

|

f o f o

EF a

D V D Vβ ρ δ δ= + + +

When the firm does not audit the expected costs are the expected cost of compliance and penalty

imposed on the firm by regulator when she discovers the non-compliance.

Thus, the total expected cost to the firm is given by:

( )1| 1 |EF EF a EF aα α= + −

15

( ) ( ) ( )( ) ( ) ( )

( ) ( )( )

2 1 2 1 1 1 1

1 2 1 2

1 2 2 1 2

1 1

1 1 1

1

f o f t

t l

o

EF C C D C C

C C

V

α αβ α β ρ δ δ αβδ π αβδ π

α β δ π α β δ π

β α δ δ α ρ δ δ

= + + − + + − +

+ − − + −

+ + + − +

l

(2)

B-1. Expected Costs for Scenario 2–Case (I): When Privilege Is Asserted by the Firm

In this case, the firm’s expected litigation costs for asserting privilege are less than the

expected third party liability if privilege is vitiated ( i.e., C ). Hence, the firm asserts

privilege protection whenever the regulator tries to access the self-audits, and the firm has

audited, i.e., . Note that the firm does not assert privilege if it has not conducted

voluntary audits as the expected third party liability is zero in this case. Substituting π π

in equations (1) and (2), the expected costs to the regulator and the firm are:

Cl < t

r

r

2

f)

π π1 2 1= =

1 2 1= =

ER K K CD C D

p w

r r

( ) ( ) ( )( )( ) ( )( )π π δ α δ α δ α ρ

δ α ρ β δ δ δ α β1 2 1 1 1

1 2 2 1 2

1 1 11 1 1 1= = = + − + −

+ − − + + − − − (3)

EF C C DC V

f

l

( ) ( ) ([ ( ) ( )( )]

π π α αβ α β ρ δ δ

δ α α δ δ α ρ δ δ β1 2 0 2 1 2

1 1 2 2 1 2 0

1 11

= = = + + − +

+ + + + − + (4)

B-2. Expected Costs for Scenario 2–Case (II): When Privilege Is Waived by the Firm

In this case, the firm’s expected litigation costs for asserting privilege are greater than the

expected third party liability if privilege protection is vitiated (i.e., ). Hence, the firm

waives privilege and π π . Substituting π π in equations (1) and (2), the expected

costs to the regulator and the firm are:

lC C> t

)1

1 2 0= = 1 2 0= =

( ) ( ) ( ) ( ) (1 1 2 2 1 2 1 21 1 1 1w r r r rER K C C D Dδ δ α ρ δ δ α β ρ δ δ β α= + − + + − − + − − − (5)

16

( ) ( )( ) ( )( )

2 1 2 1

1 2 2 1 2

1

1f o f

o

EF C C D C

V

α αβ α β ρ δ δ αδ


= + + − + +

+ + + − +

t (6)

C. Expected Costs for Scenario 3: Regulatory Access, No Admissibility of Audits Materials in

Third-Party Proceedings and Mitigated Penalty

In this scenario, the firm never asserts privilege since the fear of third party liability from

audit materials is eliminated and regulatory access to audit materials is always permitted. In

addition, the penalty for non-compliance is reduced based on good-faith self-policing efforts by

the firm. Here, the firm faces the penalty, V , if the firm is out of compliance and the regulator

finds non-compliance by independent inspection. However, if the firm has conducted a

compliance audit and corrected the problem, then the alternate penalty, V is assessed, where

Because the penalty is assessed on the firm, the conditional penalty structure does not

affect the regulator’s expected costs. Hence the regulator’s expected cost is given by equation

(5). However, the firm’s expected cost changes, depending on whether the firm has conducted a

compliance audit. The firm’s expected costs for auditing ( and not auditing ( are:

o

,a

.aV V< o

2 a

)+

)

)1a )2a

EF and 1 1| f o aa C C V Vβ βδ βδ= + + +

EF ( ) (2 2 1 2| f o f oa D V D Vβ ρ δ δ = + +

The (unconditional) expected cost to the firm is given by:

( ) ( ) (1 2 2 1 21f o a a f o f oEF C C V V D V D Vα β βδ βδ α β ρ δ δ + + + + − + + + = (7)

17

The first term in equation (7) is the expected cost when the firm conducts a compliance audit and

may incur the mitigated penalty, V The second term is the expected cost when the firm does

not conduct a compliance audit and the penalty, V , may be incurred.

.a

o

III. EQUILIBRIA

A. Scenario 1: Inspection Only Regime

This scenario corresponds to a regulatory regime that provides regulators no access to a

firm's audit materials under any circumstances. In other words, the regulator may either choose

to conduct inspections or do nothing.

The following proposition characterizes three possible Nash equilibria for this inspection

only setting in which no regulatory access to the firm’s compliance audit is permitted (see Figure

2).

Proposition 1: Where the regulator has no access to the firm’s compliance audit report, the

following Nash equilibria exist:

(I) High inspection cost.16

If C then γ α That is, the firm does not audit, and the regulator does not inspect. r rβ> D

0.= =

(II) Low inspection cost, high audit cost.

16 While for expositional purposes we use the descriptors high and low, they are relative. High inspection

cost is relative to regulator's estimate of expected harm from non-compliance. This caveat applies all

through our analysis. 18

rD

β

Firm

’s

Aud

it C

ost,

f

C

III II

I (

)f

oD

Cβ

−

Reg

ulat

or’s

In

spec

tion

Cos

t,

rC

Equ

ilibr

ium

reg

ions

for

scen

ario

1 c

orre

spon

ding

to a

n

insp

ectio

n on

ly r

egim

e w

ith n

o re

gula

tory

acc

ess (

i.e.,

akin

to w

hen

abso

lute

pri

vile

ge is

acc

orde

d to

the

firm

).

Figu

re 2

:

If C and C D then γ = and α = That is, the firm does not audit, and

the regulator always inspects.

D o

β .rβ

)

r r< β ( ) ,f f Cβ> − 1 0.

(III) Low inspection cost, low audit cost.

If C D then γ β and α That is, the firm

mixes between auditing and no-auditing, and the regulator mixes between no-inspection and

inspection.

( ), ,r r f f oC D Cβ β< < − = +( ) /C C Df f0 1 /rC D= −

(a) Equilibrium I (high inspection cost regime): The first equilibrium corresponds to the

situation when violations accumulate. This outcome occurs when the regulator’s inspection cost

exceeds the expected damage from non-compliance as assessed by the regulator

As a result, the regulator does not inspect. Since the regulator does not

inspect, the firm has no incentive to conduct an internal audit. Thus, neither the firm nor the

regulator conducts an investigation. This situation occurs when the expected fallout from non-

compliance is quite small or the firm has a low probability of causing damage from non-

compliance relative to the regulator’s inspection costs.

( . ., . β>r ri e C D

(b) Equilibrium II (low inspection cost, high audit cost): This equilibrium corresponds to a

situation where there is a comparatively large amount of damage from non-compliance. In this

equilibrium, the regulator always inspects, and the firm does not audit because its audit and

compliance procedures are inefficient and expensive compared to the expected costs the

regulator will impose when she detects the firm’s violations (i.e., ). In this C D Cf f− − >β( )0 0

19

situation, the regulator has efficient inspection procedures and technological support, and the

firm has relatively high cost of compliance auditing compared to additional expected damages

that will accrue due to non compliance.

(c) Equilibrium III (low inspection cost, low audit cost, no access allowed (e.g., near absolute

privilege protection)): This is a mixed equilibrium in which the regulator mixes his strategies

between inspecting and not inspecting. The regulator cannot access the firm’s audit records

since access is not allowed, as is the case when the applicable law provides strong immunity or

near absolute privilege protection. In response to the regulator’s strategy, the firm also mixes

between auditing and not auditing. Here, no pure strategy equilibrium is possible because if the

regulator always inspects the firm will always audit, but if the firm always audits, the regulator

will prefer not to inspect. But if the regulator does not inspect then the firm will prefer not to

audit. Thus, there is no pure strategy equilibrium.

B. Scenario 2: Privilege Regime

This scenario corresponds to a regulatory regime in which a firm may choose to assert

privilege protection to protect audit materials if certain, specified conditions are satisfied (e.g.,

prompt detection and remediation of violations, absence of fraudulent conduct, and the like).

However, under this regime, privilege protection can be vitiated if the regulator makes a showing

that one of these specified conditions has been violated by the firm.

For the scenario where the regulator attempts to access the firm’s internal audit records, and

the firm asserts or waives the self-evaluative privilege, there are eight equilibria that correspond

20

to the strategies employed by the firm and the regulator. These equilibria span the complete

parameter space (see Figures 3 and 4 for all the equilibrium regions for this scenario).

Proposition 2: Where the regulator attempts to access the firm’s internal audit records and the

firm has qualified privilege, the following eight Bayesian equilibria exist:

CASE (I)–Privilege Asserted by the Firm: C , that is third party liability is greater than

legal cost of asserting privilege. Thus, the firm asserts privilege.

Ct > l

=

r/

(I) High inspection cost.

If C D . That is, the firm does not audit, and the regulator

does not access or inspect.

1 2 3, then 0 and 1r rβ δ δ α δ> = = =


If and C then δ δ and are equilibrium

strategies. That is, the firm does not audit, and the regulator does not access the audit reports,

but he always inspects.

C Dr r< β ( )ρ2 1= D Cf f> −β( )0 α1 3 0= = = δ 3 1=

(III) Low inspection cost, low audit cost, high access cost. If , ,

and then

C Ct l> C Dr r< β ( )ρ2 1=

C D Cf f< −β( )0 K C K D C Dp r r r> + −( )∆ β β α β , δ ,

andδ are equilibrium strategies. That is, the firm mixes between

auditing and not-auditing, and the regulator mixes between [no-access, no-inspection] and [no-

access, inspection].

= −1 C Dr r 1 = 0

δ β2 = +(C C βD δ3 21= −0 ) /f f

(IV) Low inspection cost, low audit cost, low access cost.

21

rD

β

Firm

’s

Aud

it C

ost,

f

C

III

II

III

IV

I

()

fo

lD

CC

β−

−

()

fo

DC

β−

Reg

ulat

or’s

In

spec

tion

Cos

t,

rC

priv

ilege

pro

tect

ion

is a

sser

ted

by th

e fir

m.

Figu

re 3

: E

quili

briu

m r

egio

ns fo

r sc

enar

io 2

-cas

e (I

) whe

n

f

C

Reg

ulat

or’s

In

spec

tion

Cos

t,

rC

fo

II

III

IV

I

III

()

fo

DC

β−

()

tD

Cβ

−−C

Firm

’s

Aud

it C

ost,

e fir

m.

rD

β ur

e 4:

whe

n pr

ivile

ge p

rote

ctio

n is

wai

ved

by th

Fig

Equ

ilibr

ium

reg

ions

for

scen

ario

2-c

ase

(II)

If C , , and then Ct l> C Dr r< β ( )ρ2 1= C D C Cf f< − −β( )0 l r/K C K D C Dp r r r< + −( )∆ β β

α β+K K∆

1= π 3 =

= −1

π π1 2=

−D Cp r( )

0

r 1 0= +( ) / (C Cf f, δ β , δ , δ and

and are equilibrium strategies. That is, the firm mixes between [audit|assert]

and [no-audit|waive], and the regulator mixes between [access; no-inspection | audit, inspection

| no-audit] and [no-access, no-inspection].

β −D )Cl 2 0= δ3 11= −

CASE (II)–Privilege Waived by the Firm: , that is third party liability cost is less than

legal cost of asserting privilege. Hence, the firm waives privilege in this case.

C Ct < l

=

r


If C D . That is, the firm does not audit, and the regulator

does not access or inspect.

1 2 3, then 0 and 1r rβ δ δ α δ> = = =


If and C then δ δ and are equilibrium

strategies. That is, the firm does not audit, and the regulator does not access the audit reports,

but he always inspects.

C Dr r< β ( )ρ2 1= D Cf f> −β( )0 α1 3 0= = = 2 1δ =

(III) Low inspection cost, low audit cost, high access cost. If C C , ,

and then

t l< C Dr r< β ( )ρ2 1=

C D Cf f< −β( )0 ( ) /w r r rK C D C Dβ β> − α β , ,

andδ are equilibrium strategies. That is, the firm mixes between

auditing and no-auditing, and the regulator mixes between [no-access, no-inspection] and [no-

access, inspection].

= −1 C Dr r δ1 0=

δ β2 = +(C C βD δ3 21= −0 ) /f f

22


If C , , C D and then Ct l< C Dr r< β ( )ρ2 1= 0( )f f Cβ< − − tC r( ) /w r r rK C D C Dβ β< −

1 (w rK Dα β −

3 0π =

)rC 1 == −

1 2π π= =

, ρ , ρ , δ β , δ , δ δ and

are equilibrium strategies. That is, the firm mixes between [audit|waive] and

[no-audit|waive], and the regulator mixes between [access; no-inspection | audit, inspection | no-

audit] and [no-access, no-inspection].

0 2 1= C C= +1 0( ) /( )f f tD Cβ − 2 0= 3 11= −

Although the first two equilibria in Case (I) and Case (II) are qualitatively similar, they are

supported by different out-of-equilibrium beliefs, as noted in the Appendix.

(a) Equilibrium I (high inspection cost regime): Similar to equilibrium I in proposition 1.

(b) Equilibrium II (low inspection cost, high audit cost): Similar to equilibrium II in proposition

1.

(c) Equilibrium III (low inspection cost, low audit cost, high access cost): Similar to equilibrium

III in proposition 1.

Note that equilibrium III exists on both sides of equilibrium IV in both Case (I) and Case

(II). Equilibrium III occurs when the cost of access is relatively high compared to independent

inspection in which case the regulator may choose to conduct his own inspections. This is more

likely to occur in the case of strong privilege protection as it increases regulatory access costs.

(d) Equilibrium IV (low inspection cost, low audit cost, low access cost, low third party liability

cost): Like equilibrium III in scenario 1, this is a mixed equilibrium. The regulator mixes

23

between accessing the firm’s audit records and doing nothing (i.e., neither accessing nor

inspecting).17 Responding to the regulator’s strategy, the firm also mixes between auditing and

not auditing. The extent of this equilibrium, (i.e., the vertical parameter span of equilibrium IV)

is reduced by litigation-related costs accrued by the firm of asserting privilege when it asserts

privilege (Figure 3). On the other hand, if the firm waives privilege protection, this region is

again reduced by potential third party related liabilities if the audit records are made generally

available to the public. This reduction in the extent of equilibrium IV corresponds to the

disincentive to the firm to engage in potentially self-incriminating compliance auditing. We

focus on this region more below.

If the regulator’s penalty structure is independent of whether the firm has conducted a

compliance audit (i.e., no mitigation for good-faith self-auditing), then the penalty itself does not

directly affect the strategies employed by the firm or the regulator, as is obvious from the

equilibria noted above. This is because the penalty is pervasive whether the firm finds the non-

compliance by self-audit or the regulator finds the non-compliance through access or

independent inspection. Thus, the usefulness of a penalty as a deterrent mechanism is non-

existent.

17 Note that the regulator never accesses the firm’s audit records all the time. When the regulator always

accesses, the firm never audits thus making access worth less for the regulator. If the firm never audits,

the regulator would want to always conduct independent inspections. But if the regulator always

conducts inspections, the firm would like to always audit, and in response, the regulator would always

like to access. Thus, there is no pure strategy equilibrium when the regulator always access. 24

C. Scenario 3: Regulatory Access, No Admissibility of Audits Materials in Third-Party

Proceedings and Mitigated Penalty

This scenario corresponds to a hypothetical legal regime, that we believe is optimal to

maximize the extent and likelihood of corporate self-policing.

The following proposition characterizes perfect Bayesian equilibria for this setting with

regulatory access (i.e., no privilege protection), no third party liability and a penalty conditional

on the efforts of the firm (see Figure 5).

Proposition 3: In this scenario with regulatory access (i.e., no privilege protection or privilege

protection waived), no third party liability and a conditional penalty structure, the following four

perfect Bayesian equilibria exist:


If C then δ δ and δ = The firm does not audit, and the regulator does

not access or inspect.

,r Dβ> r

r )

)

1 2 0α= = = 3 1.

(II) Low Inspection cost, high audit cost.

If C and C D then δ δ and δ = The firm does

not audit, and the regulator does not access but always inspects.

,r Dβ< ( ,f f o o aC V Vβ > − + − 1 3 0α= = = 2 1.

(III) Low inspection cost, low audit cost, high access cost.

If C D and (, ,r r f f o o aC D C V Vβ β < < − + − K C D C Dw r r r> −( )β β

3 20, 1δ δ= − 1 /rC= −

r

.r

then

and α The firm mixes ( ) ( )2 1/ ,f o o a fD C V V Dδ β β δ= + − + = Dβ

25

f

C

Reg

ulat

or’s

In

spec

tion

Cos

t,

rC

II

III

IV

I

III

()

fo

oD

CV

Vβ

−+

−a

()

fo

DC

β−

Firm

’s

Aud

it C

ost,

rD

β

Figu

re 5

: E

quili

briu

m r

egio

ns fo

r sc

enar

io 3

, the

opt

imal

reg

ime

char

acte

rize

d by

regu

lato

ry a

cces

s, no

thir

d pa

rty

liabi

lity

and

miti

gate

d pe

nalti

es.

between auditing and no-auditing, and the regulator mixes between [no-access, no-inspect] and

[no-access, inspect].


If C then and ,r Dβ< r 1δ( ) ( )1 2 1 2 30, 1, / , 0, 1f o o a fC C V V Dρ ρ δ β β δ δ= = = + − + = = −

α β= − −1 K D Cw r( r ) The firm mixes between auditing and no-auditing, and the regulator

mixes between [access; no inspect | audit, inspect | no audit] and [no-access, no-inspect].

(a) Equilibrium I (high inspection cost regime): The first equilibrium here is similar to

equilibrium (I) seen in all three previous propositions. In this case, neither the regulator nor the

firm conducts an investigation. Hence, a change in the penalty structure has no effect on this

equilibrium.

(b) Equilibrium II (low inspection cost, high audit cost): The strategies of the firm and the

regulator are also similar in the second equilibrium for all four propositions; however, the set of

parameter values for which this equilibrium occurs differs due to the mitigated penalty.

(c) Equilibrium III (low inspection cost, low audit cost, high access cost): This equilibrium is

similar to equilibrium III in proposition 2, Case (II).

(d) Equilibrium IV (low inspection cost, low audit cost, low access cost, no privilege protection

and no third party liability): This equilibrium is very similar to equilibrium IV in proposition 2,

Case (II), the privilege waived case -- except that the vertical span of this equilibrium is

increased since third party liability costs and litigation cost related to privilege protection are

26

eliminated by limiting the admissibility of audit materials in third party proceedings against the

firm.

The third and fourth equilibria are both mixed-strategy equilibria just as in the privilege

scenario in proposition 2 with the firm’s probability of compliance auditing being similar in both

scenarios. We provide a more detailed comparison of these scenarios in the next section.

IV. IMPLICATIONS OF THE MODEL

When the regulator can only conduct her own inspections (i.e., there is no possibility of

regulatory access), equilibria I through III exist (see proposition 1). By comparing the firm’s

auditing probability in equilibrium III in scenario 1 (regulatory inspection only regime with no

access to the firm’s audits) and equilibrium IV (regulatory access regime in scenarios 2-3), we

can compare the influence of privilege protection versus regulatory access to audit materials on

the firm’s self-auditing behavior. Note that regulatory access does not affect strategies in

equilibria I or II or the parameter values for which they are realized. Second, by comparing the

height of equilibrium IV in proposition 2—Case (I) and Case (II), with equilibrium IV in

scenario 3, we can examine the effect of limiting the admissibility of audit materials in third

party proceedings against the firm on the extent of self-policing conducted by the firm. Third, by

comparing the width of equilibrium IV between Case (I) and Case (II) in proposition 2, we can

determine the impact of asserting privilege and the consequent higher access cost to the regulator

on the extent of self-policing conducted by the firm.

27

A. Corollary 1–Comparing the self-auditing probability with and without regulatory

access to the firm’s self-audits: The probability of corporate self-auditing in equilibrium (IV)

in Scenario 2 (privilege regime)–both cases (I)&(II) is strictly greater than the probability of

self-auditing in equilibrium III in Scenario 1 (inspection regime, no access permitted).

As shown in the proof of corollary 1 in the Appendix, the firm’s auditing probability is

strictly higher in equilibrium (IV) in Scenario 2 – both cases (I)&(II) than in equilibrium III in

Scenario 1. When there is no possibility of regulatory access, the firm modifies its auditing

strategy according to an incentive structure that permits inspection only. When the possibility of

regulatory access is introduced, the firm modifies its auditing strategy to respond to this new

incentive structure by increasing its self-auditing rate. This result may seem counterintuitive

when considered in light of the common argument that a firm is likely to audit more if access is

denied, since the fear of third-party liability or self-incrimination is eliminated. This argument

presumes that the firm’s audit strategy (auditing more or less) would be independent of the

regulatory regime (either permitting or denying access to audits). However, the regulator would

make changes to her own strategy based on the firm’s new incentives and firm would respond to

that. By conducting an equilibrium analysis, it is possible to consider the responses of both the

firm and the regulator simultaneously. When confronted with a regulatory regime where access

to self-audits is unavailable, the regulator switches to inspection regime or conducts no audit at

all depending on its assessment of expected damages due to non-compliance. This creates little

problem when access is costly so that regulator would prefer to use inspection only (equilibrium-

28

III in proposition 2 in both cases). When the regulatory regime is modified to include access, the

regulator uses access as a substitute for inspection only when it is more efficient to do so

(equilibrium-IV in proposition 2 in both cases). This creates the positive incentive for the firm to

switch to good faith self-policing in order to capture the benefits of early detection and remedy

of violations to minimize the regulatory fines and penalties that may otherwise be imposed by

the regulator and which is more costly for the firm. The importance of regulatory access in

increasing the firm’s auditing probability is demonstrated by the equilibrium analysis presented

here, which shows that the firm’s auditing rate is strictly higher when regulatory access is

permitted. In contrast, denying regulatory access through privilege protection merely reduces the

disincentive for firms to engage in self-auditing but does not create a positive incentive to

undertake self-auditing.

B. Corollary 2–Comparing the privilege asserted and the privilege waived cases: The

extent of the access equilibrium when privilege is asserted (Case-I equilibrium IV in proposition

2) is smaller than the access equilibrium when privilege is waived (Case-II equilibrium IV in

proposition 2).

In equilibrium III and equilibrium IV, the firm conducts self-audits. Self-auditing occurs

when the audit cost and the cost of complying associated with the audit is less than the non-

compliance costs resulting from not self-auditing. Although equilibria III and IV are self-audit

regions, the auditing rate is higher in equilibrium IV (access equilibrium) compared to

equilibrium III (inspection equilibrium).

29

Since the focus of this analysis is on maximizing both the extent and rate of self-auditing, it

is desirable to maximize the range of parameters over which equilibrium IV occurs. In

equilibrium III, the regulator employs an inspecting strategy (or does nothing) since the cost of

accessing the firm’s audit records are high (e.g., litigation costs associated with trying to obtain

access are high). As these access costs are reduced below the cost of inspection, the regulator

changes strategy and pursues an accessing strategy. In equilibrium IV, the regulator employs a

mixed strategy [access; no-inspection | audit, inspection | no-audit] and [no-access, no-

inspection] to keep the firm from adopting a pure no-auditing strategy. In addition, in

equilibrium IV, the firm adopts a mixed strategy [audit|waive] and [no-audit|waive] in the case

the firm waives privilege, and [audit|assert] and [no-audit|assert] in the case the firm asserts

privilege to keep the regulator from adopting a pure strategy of accessing. Since the access cost

to the regulator is relatively lower in the privilege waived scenario compared to the privilege

asserted scenario, the access strategy is more efficient than independent inspection for the

regulator over a wider range of inspection costs in the privilege waived scenario compared to the

privilege asserted scenario. Thus, the width of equilibrium IV in the privilege waived case is

larger than the privilege asserted case.

Next, let us now consider scenario 3 in which audit records and materials are rendered

inadmissible in third-party legal proceedings,18 and regulatory access to self-audits is permitted

18 If audit reports are made available only to the regulator, then it may be necessary to structure

meaningful oversight to ensure that the regulator is diligently performing his duties. There may be a 30

without the possibility of privilege protection. This is the optimal legal regime since the

disincentives for self-policing are minimized but positive incentives for self-policing are

preserved. In this scenario, the firm does not face a disincentive to engage in self-policing due to

third-party liability costs (i.e., the reduction in the height of equilibrium IV due to and in

Figures 3 and 4 (scenario 2 -- Cases (I) & (II)) are eliminated in Figure 5), since audit materials

are inadmissible in third-party proceedings.

Cl Ct

In addition, the access costs to the regulator are reduced since he does not have to incur

litigation costs (we assume that the access cost in this scenario is same as the privilege waived

case in scenario 2) to obtain access to audit materials (compare the width of equilibrium IV in

Figure 5 with Figure 3). As a result, the parameter span of equilibrium IV is expanded both

vertically and horizontally. Recall from the discussion presented above that the firm’s auditing

probability is higher in equilibrium IV. It follows that expanding the range of parameters for

which equilibrium IV (compare the height and width of equilibrium IV in Figures 5 with that of

Figures 3 and 4) exists, promotes early detection and remediation of violations. Here, it is

important to note that limiting the admissibility of audit materials and eliminating privilege

protection, reduces the cost of access incurred by the regulator. All these effects work in tandem

to increase the parameter span of the self-auditing equilibrium region with the higher auditing

concern of regulatory capture with both the firm and the regulator entering into a jointly maximizing

relationship. The regulator’s incentives would have to be tailored to minimize the possibility of capture

31

probability (equilibrium IV in Figure 5).

C. Corollary 3–Comparing an independent penalty regime with a mitigated penalty

regime: (I) As the extent of mitigation in penalty, (i.e., the difference between V0 and Va ) is

increased, the set of parameter values that supports equilibria in which the firm includes self-

auditing in its strategy (i.e., equilibrium III in Scenario 1 and equilibria III and IV for both cases

in Scenario 2) becomes larger.

(II) The probability of regulatory inspection in equilibrium III and regulatory access in

equilibrium IV decreases as the magnitude of the difference between V0 and Va increases.

If the penalty for non-compliance is reduced when the firm engages in good-faith self-

policing, the extent of the firm’s self-auditing can be increased since the firm now finds it more

beneficial to include self-auditing in their strategy. With respect to Figures 3 and 4, the firm

engages in self-auditing in equilibria III and IV. With a mitigated penalty conditioned upon

corporate self-policing, the vertical parameter span for equilibria III and IV is increased (see

Figure 5), thereby increasing the self-policing region. This result is consistent with Arlen and

Kraakman's proposal that the amount of mitigation in the penalty may be used to offset the

additional liability to the firm from engaging in increased self-policing.19 Stated differently,

increasing the extent of self-policing by the firm should not correspondingly increase the firm’s

by the firm. Note, however, that the admissibility of audit evidence against specific agents of the firm for

individual wrongdoing may still be permitted. 19 See Arlen & Kraakman, supra note 10 at 746.

32

liability for non-compliance.

Within equilibrium III, the probability of regulatory inspection decreases as the difference

between V and V is increased. In addition, in the access equilibrium (equilibrium IV), the

probability of access by the regulator decreases as the difference between V and V is increased.

This is advantageous to the regulator, as the regulator can ensure that the firm does self-auditing

and, at the same time, he can decrease his own costly access and inspection efforts.

0 a

0 a

When regulatory access to audit reports is made available only to a regulator, that raises the

probability of regulatory capture. Concerns about regulatory capture make restrictions on third-

party access less appealing. However, by structuring meaningful oversight of regulators and

fashioning other incentives for regulators to minimize the possibility of regulatory capture, we

can try to ensure that a regulator is diligently performing her duties, even without third-party

access to audits. It is important to note that our proposal does not limit third-party civil

enforcement actions against firms and does not advocate switching to a pure regulatory

oversight. It only requires that internal audit reports be kept out of the hands of potential

plaintiffs. As a result, the collateral consequences for third-party civil enforcement actions may

be limited. Moreover, the admissibility of audit evidence against specific agents of a firm for

individual wrongdoing is permitted.

In sum, by formally modeling the strategic interaction between a firm and a regulator, we

identify prescriptive measures that provide maximum incentives for firms to engage in self-

policing. Consistent with Arlen and Kraakman’s study of corporate liability regimes, we find

33

that privilege protection, while minimizing the disincentive to undertake self-auditing by

removing the fear of liability, is overbroad and does not by itself create a positive incentive for

corporate self-auditing.20 As an alternative to privilege protection, in order to maximize the

extent and probability of corporate self-policing, we recommend the following measures: (a)

applicable regulatory regimes should grant regulators access to corporate self-audits and move

away from privilege protection; (b) the admissibility of self-audit evidence in third-party legal

proceedings should be eliminated; and (c) mitigated penalties should be imposed on firms

engaging in good-faith self-policing.

V. SENSITIVITY ANALYSIS

In this section, we discuss the sensitivity of strategies employed by the firm and the

regulator to different parameters in the model. For example, it provides us with insight as to

what kind of equilibriums regions and self auditing probability one might observe in two

different industries where one of these parameters may vary systematically. Similarly, it also

provides insight to the type of change one might expect when the value of a parameter (such as

the imposed penalty) increases or decreases. Table II provides an overall summary of the results

of our sensitivity analysis.

34

20 See Arlen & Kraakman, supra note 10 at 744.

Effect of Change in : β

Scenario 1: An increase in increases the region covered by equilibrium III (the self audit

region) expands to both top and right in Figure 2 thereby decreasing the likelihood of both

equilibriums I and II. In equilibrium III, the probability of self-audit increases and the

probability of inspection by the regulator decreases.

β

Scenario 2–Case (I) & Case (II) and Scenario 3:

Equilibrium III and IV (the self-audit region Figures 3-5) expands thereby effectively decreasing

the likelihood of non self-audit regions (Equilibrium I & II).

In Equilibrium III: α increases, δ decreases and δ increases 2 3

In Equilibrium IV: α increases, δ decreases and δ increases 1 3

For example, if we are dealing with an industry in which many firms are out of compliance (high

), then permitting regulatory access to self-audits increases the probability that the firms will

self-audit. This is because in such a non-compliant industry, these firms have more to gain by

increasing the frequency of their self-audits. At the same time, as the self-auditing probability

increases, the regulator finds it more efficient to access the firm’s self-audits instead of

conducting her own inspections, and as a result, the probability of regulator inspections

decreases.

β

35

Effect of Change in C : r

Scenario 1: An increase in increases the region covered by equilibrium I (no self audit and

no inspection region) expand to the left in Figure 2, there by decreasing the likelihood of both

equilibriums II and III. In equilibrium III, the probability of self-audit decreases, but the

probability of inspection by the regulator remains unchanged.

rC


Equilibrium I (no self audit and no inspection region) expand to the left thereby decreasing the

likelihood of Equilibrium II-IV.

In Equilibrium III: α decreases, δ unchanged and δ unchanged 2 3

In Equilibrium IV: α decreases, δ unchanged and δ unchanged 1 3

Effect of Change in C : f

Scenario 1: An increase in increases the region covered by equilibrium II (no self audit and

inspection region) expands to the bottom in Figure 2, there by decreasing the likelihood of

equilibrium III. In equilibrium III, the probability of inspection by the regulator increases but the

probability of self-audit by the firm remains unchanged.

fC


Equilibrium II (no self audit and inspection region) expands to the bottom thereby decreasing the

likelihood of Equilibrium III and IV.

Equilibrium III: α unchanged, δ increases and δ decreases. 2 3

36

Equilibrium IV: α unchanged, increases and δ decreases. 1δ 3

The effect of change in is similar to C as shown above. 0C f

Effect of Change in : fD

Scenario 1: An increase in increases the region covered by equilibrium III (self audit and

inspection region) expands to the top in Figure 2, there by decreasing the likelihood of

equilibrium II. In equilibrium III the probability of inspection by the regulator decreases but the

probability of self-audit by the firm remains unchanged.

fD


Equilibrium III and IV (self audit region) expands to the top thereby decreasing the likelihood of

Equilibrium II.

Equilibrium III: α unchanged, δ decreases and δ increases. 2 3

Equilibrium IV: α unchanged, decreases and δ increases. 1δ 3

Effect of Change in : rD

Scenario 1: An increase in increases the region covered by equilibrium II and III expands to

the right in Figure 2, there by decreasing the likelihood of equilibrium I. In equilibrium III the

probability of self-audit by the firm increases but the probability of inspection by the regulator is

unchanged.

rD

37


Equilibrium II, III and IV (self audit and inspection region) expands to the top thereby

decreasing the likelihood of Equilibrium I.

Equilibrium III: α increases, δ and δ are unchanged. 2 3

Equilibrium IV: α increases, δ and δ are unchanged. 1 3

Effect of Change in and : pK wK

An increase in and affects only the self-audit probability in equilibrium IV in both cases

of scenario 2 and scenario 3. The self-audit probability decreases in all these cases. Thus, an

increase in access cost is detrimental to self policing.

pK wK

VI. CONCLUSION

This article reexamines the common justification for the corporate self-evaluative privilege

(SEP) that privilege protection is necessary in order to avoid creating a disincentive for firms to

engage in self-evaluation. Courts and commentators have repeatedly urged that if a firm knows a

regulator can access its internal audit records, it will correspondingly not engage in diligent

compliance monitoring. Our analysis demonstrates that self-evaluative privilege removes the

disincentive for self-auditing but does not create any positive incentive for self-auditing. In

contrast, a legal regime that grants regulatory access to internal audit materials creates a positive

incentive for firms to engage in self-policing and results in a higher auditing rate than an

inspection only regime, without regulatory access. Increased corporate self-evaluation achieved 38

through a higher self-auditing rate then enables us to capture the societal benefits of early

detection and remedy of violations. Under our analysis, as an alternative to the corporate SEP,

we propose a multi-pronged legal regime that enhances the probability and extent of corporate

self-policing and embraces measures that create positive incentives for firms to engage in self-

auditing, such as: (a) permitting regulatory access to audit materials, and (b) providing mitigated

penalties for firms engaging in self-evaluation. As part of such a legal regime, an additional

measure that limits the admissibility of audit materials in third-party proceedings reduces the

disincentive for firms to engage in self-auditing. Instead of blanket privilege protection, we

propose optimally-designed legal regimes that minimize the disincentive to engage in self-

policing while creating and maintaining positive incentives to undertake corporate self-auditing.

39

TABLE I: SUMMARY OF NOTATION

Parameters:

β = Probability that the firm is out of compliance.

fC = Firm’s audit cost.

oC = Firm’s cost of complying if firm audits.

fD = Firm’s cost of complying if firm does not audit.

tC = Firm’s liability to third parties from audit reports when privilege is waived.

lC = Firm’s cost (e.g., litigation costs) for asserting privilege.

oV = Firm’s penalty if detected out of compliance by regulator.

aV = Mitigated penalty for good faith self-audit by firm in scenario 3.

rC = Regulator’s inspection cost.

wK = Regulator’s assessing cost when the self-evaluative privilege is waived.

pK = Regulator’s assessing cost when the self-evaluative privilege is asserted.

rD = Regulator’s assessment of damage cost.

40

Strategy Elements:

α = Firm’s probability of auditing.

1π = Firm’s probability of asserting the self-evaluative privilege when the firm audits, finds non-

compliance and fixes it, and regulator assesses the audit reports.

2π = Firm’s probability of asserting privilege when the firm audits, finds it is compliant, and the

regulator assesses the audit reports.

3π = Firm’s probability of asserting the self-evaluative privilege when the firm does not audit

and regulator assesses the audit reports.

1δ = Regulator’s probability of accessing.

2δ = Regulator’s probability of not accessing and inspecting.

3δ = Regulator’s probability of not accessing and not inspecting.

1ρ = Given regulatory access, regulator’s probability of inspecting if the firm has audited.

2ρ = Given regulatory access, regulator’s probability of inspecting if the firm has not audited.

γ = Regulator’s probability of inspecting given that accessing is unavailable.

41

TABLE II: SUMMARY OF SENSITIVITY ANALYSIS Change

On→ Of ↓

Self-auditing

probability (α )

Probability of regulatory

access (δ ) 1

Probability of

inspection and no access (δ ) 2

Probability of no

access & no

inspections (δ ) 3

Probability of inspections

when there is no access

(γ )

Penalty, V 0 = = = = = Probability that the firm is not compliant, β

↑

↓

↓

↑

↑

Regulator’s audit cost, rC

↓

=

=

=

=

Firm’s audit cost, C f

=

↑

↑

↓

↑

Firm’s cost of complying, if it audits, 0C

=

↑

↑

↓

↑

Regulator’s assessment of the damage due to the firm’s non-compliance,

rD

↑

=

=

=

=

Firm’s cost of complying if it does not audit,

fD

=

↓

↓

↑

↓

Regulator’s cost of accessing the firm’s audits when privilege is waived, pK

↓

=

=

=

NA

Regulator’s cost of accessing the firm’s audits when privilege is asserted, wK

↓

=

=

=

NA

Legend: increase (↑); decrease (↓); unaffected (=); not applicable (NA)

42

APPENDIX

A. PROOF OF LEMMA 1:

If the regulator accesses and the firm has conducted a compliance audit, the expected cost to the

regulator from inspecting ( and not inspecting ( are: 1ρ =1) 0)1ρ =

1

1

| ( 1) and| ( 0) 0

rER CER

ρρ

= == =

If the firm has conducted a self-audit, it finds and corrects any non-compliance. Hence, an

additional inspection by the regulator simply incurs additional cost, C with no corresponding

benefit. Therefore, the accessing regulator’s dominant strategy is to not inspect if the firm has

conducted a good-faith audit.

,r

B. PROOF OF LEMMA 2:

The expected cost to the firm in the three scenarios when the firm asserts the self-evaluative

privilege are as follows:

olt VCCEF ++−= 111 )1()( πππ (A1)

(Firm audits, finds non-compliance and fixes it, and regulator accesses the audit report.)

lt CCEF 222 )1()( πππ +−= (A2)

(Firm audits, finds it is compliant, and regulator accesses the audit report.)

3 3 2 3 2( ) [ ( )] (1 ) [ ( )l f o fEF C D V D Vπ π βρ π βρ= + + + − + ]o (A3)

(Firm does not audit and regulator accesses the audit report.)

The first order conditions for cost minimization are:

1

1l

EF C Cπ

∂= −

∂ t (A4)

2l

EF C Cπ

∂= −

∂ t (A5)

3l

EF Cπ

∂=

∂ (A6)

If then lC C> t 1 0EF π∂ ∂ > and 2 0EF π >∂ ∂ implying If C then 1 2 0.π π= = l C< t

1EF π∂ ∂ 0< and 2 0EF π <∂ ∂ implying Since 1 2 1.π π= = 3EF π 0lC= >∂ ∂ , we always

have . Note that these three equilibria span the parameter space excluding the razor edge

equilibria.

3 0π =

C. PROOF OF PROPOSITION 1:

In an inspection only regime, there is no regulatory access, and we have an unconditional

penalty. Therefore, the game can be modeled as a simultaneous play, and we derive the Nash

equilibria of the game as follows:

The expected cost to the regulator and firm are:

(A7) (1 )(1 )rER C Dγ γ α= + − − rβ

0f (A8) 0 (1 )fEF C C D Vα αβ α βγ βγ= + + − +

The first-order conditions for expected cost minimization are:

(1 )rER C α βγ

∂= − −

∂ rD (A9)

0fEF C C Dβ βγα

∂= + −

∂ f (A10)

2

1. Equilibrium (I):

Assume . Then C Dr > β r ER γ∂∂ > 0 for any , and is a dominant strategy for the

regulator. Given ,

[0,1]α ∈ 0γ =

0=γ 0,>EF α∂ ∂

0=

implying that the firm’s best response is .

Therefore, and represent equilibrium strategies.

0α =

0γ = α

2. Equilibrium (II):

Assume and . Then r rC β< D )0(f fC D Cβ> − 0,EF α∂ ∂ > implying that the firm’s dominant

strategy is . Given and , 0α = 0α = <r rC Dβ ER γ∂ ∂ < 0, implying that the regulator’s best

response is . Therefore, and represent equilibrium strategies. 1γ = 1γ = α 0=

3. Equilibrium (III):

Assume and . Given r rC β< D )0(f fC D Cβ< − 1 rC Dα = − rβ , the regulator’s best response

is obtained by solving equation (A10). This gives 0( )f fC C Dγ β β= + , where by

. Similarly given

1γ <

0( fC D C− )f β< 0( fC Cγ β= + ) fDβ , the firm’s best response is obtained by

solving equation (A9): 1 r rC Dα β= − , where by . Therefore, 0α > rC β< rD

1= − r rC Dα β and 0 ) fDβ( fC Cγ β= + represent equilibrium strategies.

D. PROOF OF PROPOSITION 2:

CASE (I): , that is, the third party liability cost is greater than legal cost of asserting

privilege.

C Ct > l

1 p

From (5) and (9), the expected cost to the regulator and firm are

(A11)

( ) ( )( ) ( )( ) ( ) ( ) ( )

( ) ( )

1 1 1 1 1 2 1 2

1 1 2 1 2 2

1 2

1 1 1

1 1 1 1

1 1

w p w

w r r r

r

ER K K K K

K C D C

D

δ αβ π δ αβπ δ α β π δ α β π

δ α δ α ρ δ α β ρ δ

δ δ β α

= − + + − − + −

+ − + − + − − +

+ − − −

3

( ) ( ) ( )( ) ( ) ( )

( ) ( )( )

2 1 2 1 1 1 1

1 2 1 2

1 2 2 1 2

1 1

1 1 1

1

f o f t

t l

o

EF C C D C C

C C

V

α αβ α β ρ δ δ αβδ π αβδ π

α β δ π α β δ π


= + + − + + − +

+ − − + −

+ + + − +

l

t

r

r

2

f)

(A12)

In this case the firm’s expected litigation costs for asserting privilege are less than the expected

third party liability costs ( ). Hence, the firm asserts privilege and .

Substituting in equation (A11) and (A12) the expected cost to the regulator and the

firm are:

C Cl < π π1 2 1= =

π π1 2 1= =

ER K K CD C D

p w

r r

( ) ( ) ( )( )( ) ( )( )π π δ α δ α δ α ρ

δ α ρ β δ δ δ α β1 2 1 1 1

1 2 2 1 2

1 1 11 1 1 1= = = + − + −

+ − − + + − − − (A13)

EF C C DC V

f

l

( ) ( ) ([ ( ) ( )( )]

π π α αβ α β ρ δ δ

δ α α δ δ α ρ δ δ β1 2 0 2 1 2

1 1 2 2 1 2 0

1 11

= = = + + − +

+ + + + − + (A14)

1. Equilibrium (I):

Assume that . Define . Using this in equation (A13) and

(A14), the simplified expected costs to the regulator and firm are:

C Dr r> β (ρ2 0= )

r

2 01

∆K K Kp w= −( )

ER K K D C Dp w r r= + − + − + + − − −δ α δ α δ α β δ δ δ α β1 1 1 2 1 21 1 1 1( ) ( ) ( )( ) (A15)

EF C C D C Vf f l= + + − + + + + −α αβ α βδ δ α α δ δ α δ β0 2 1 1 21( ) [ ( ) ( ) ] (A16)

The first-order conditions for cost minimization for the regulator and firm are:

∂∂

= + − = +ER K K Kp w wδ

α α α1

1( ) ∆K (A17)

∂∂

= − −ER Crδ

α β2

1( ) Dr (A18)

∂∂

= + − + +EF C C D Cf f lα

β βδ δ α βδ0 2 1 1V0 (A19)

4

Since , and , the right hand side of (A17) and (A18) is always

positive implying . Using , (A19) reduces to:

K Kw + >α∆ 0 C Dr r> β

δ δ1 2 0= =

0 1≤ ≤α

δ δ1 2= 0=

∂∂

= + >EF C Cfα

β 0 0 , indicating in equilibrium. α = 0

Thus, if , the equilibrium strategies are: , and . This is based

on the out-of-equilibrium beliefs (Lemma 1), , and

C Dr > β r α = 0

ρ2

δ δ1 2 0= =

0= π π1 2=

δ 3 1=

π 3ρ1 0= 1= 0= .


Assume that and . Using in equation (A13) and

(A14), the simplified expected cost to the regulator and firm are:

C Dr r< β ( )ρ2 1= C D Cf f> −β( 0 )

r

0

( )ρ2 1=

ER K K C C Dp w r r= + − + − + + − − −δ α δ α δ α δ δ δ α β1 1 1 2 1 21 1 1 1( ) ( ) ( )( ) (A20)

EF C C D C Vf f l= + + − + + + +α αβ α δ δ β δ α δ δ β0 1 2 1 1 21( )( ) ( ) (A21)


∂∂

= + − + − − −ER K K Cp w rδ

α α α α1

1 1 1( ) ( ) ( ) Drβ (A22)

∂∂

= − −ER Crδ

α β2

1( ) Dr (A23)

∂∂

= + − + +EF C C Dfα

β δ δ β δ0 1 2 1( ) Cf l (A24)

Since , and we have C C Df f+ >β β0 ( )δ δ1 2 1+ ≤ ∂ ∂ >EF α 0 implying . α = 0

Substituting in (A13), we get α = 0 ∂ ∂ = − <ER C Dr rδ β2 0 because C Dr r< β

by assumption. This means . Hence, for C and , δ 2 1= Dr r< β C D Cf f> −β( )0

δ 2 1= , , and are equilibrium strategies. This is based on the out-of-

equilibrium beliefs (Lemma 1), , and

δ1 0= δ 3 0=

ρ1

α = 0

0= ρ2 1= π π1 2 1= = π 3 0= .

5


Assume that , and . Since

, the expected payoff to the regulator and firm are same as (A20) and (A21). Therefore,

(A22), (A23) and (A24) give the first-order conditions. Suppose the firm’s strategy is

C Dr r< β ( )ρ2 1= C D Cf f< −β( )0 K C K D C Dp r r r> + −( )∆ β r/ β

ρ2 1=

α = −1 C Dr

K Cp r ∆

β r

r) / β

. Substituting this in the regulator’s first order condition (A22) and using the fact

that , we have K D C Dr r> + −( β ∂ ∂ >ER δ1 0

f

, implying . Substituting

in (A24), we get , which is less than one. This means (A23) equals zero.

So, solving for from (A23) gives

δ1 0= δ1 0=

δ β2 = +(C Cf

α

β0 ) / D

α βC Dr r= −1 .

Thus, α β= −1 C Dr r

0.

, , and are equilibrium strategies.

This is based on the out-of-equilibrium beliefs (Lemma 1), , and

δ1 0= δ β2 0= +( ) /C C Df f

ρ1 0=

β δ 2δ 3 1= −

ρ2 1= π π1 2 1= =

π 3 =

4. Equilibrium (IV):




C Dr r< β ( )ρ2 1= C D Cf f< − −β( )0 Cl r/ βK C K D C Dp r r r< + −( )∆ β

ρ2 1=

α β= − + −1 K K D Cp r(∆

K C K D Cp r r r< + −(∆ β

r )

r) / β

. Substituting this in (A23) and using the fact that

, we have D ∂ ∂ >ER δ 2 0

− )Cf l

, implying . Substituting this in

(A24), we get , which is less than one. This means we can solve

(A22) as an equality to get

δ 2 0=

δ β1 0= +( )C Cf β/ ( D

α = −1 K Kp ∆ β+ −D Cr( )r . Thus, α β+ −K K D Cp r( )∆

1 2 1= 3 0π =

= −1

1 π π=

r ,

, , , , , and are

equilibrium strategies.

δ β β1 0= + −( ) / (C C D Cf f )l δ 2 0= δ δ3 11= − ρ1 = 0 ρ2 =

6

CASE (II): , that is third party liability cost is less than legal cost of asserting privilege.C Ct < l

t

)1 α

t

In this case, the firm’s expected litigation costs for asserting privilege are less than the expected

third party liability ( ). Hence, the firm waives privilege protection and .

Substituting in equation (A11) and (A12), the expected cost to the regulator and the

firm are:

lC C>

0=

1 2 0π π= =

1 2π π=

( ) ( ) ( ) ( ) (1 1 2 2 1 2 1 21 1 1 1w r r r rER K C C D Dδ δ α ρ δ δ α β ρ δ δ β= + − + + − − + − − − (A25)

( ) ( )( ) ( )( )

2 1 2 1

1 2 2 1 2

1

1f o f

o

EF C C D C

V

α αβ α β ρ δ δ αδ


= + + − + +

+ + + − + (A26)

1. Equilibrium (I):

Assume that . Using this in equation (A25) and (A26), the simplified expected

cost to the regulator and firm are:

C Dr r> β (ρ2 0= )

)α

)2

( ) (1 2 21 1w r rER K C Dδ δ δ β= + + − − (A27)

( ) (2 1 11f o f t oEF C C D C Vα αβ α βδ αδ β αδ δ= + + − + + + (A28)

The first-order conditions for cost minimization for the firm and regulator are:

1w

ER Kδ

∂=

∂ (A29)

( )2

1rER C α βδ

∂= − −

∂ rD and (A30)

2 1f o f t oEF C C D C Vβ βδ δ βα

∂= + − + +

∂ 1δ (A31)


positive, implying . Using , (A31) reduces to:

0wK > C Dr r> β

δ δ=

0 1≤ ≤α

0=1 2 δ δ1 2 0= =

7

∂∂

= + >EF C Cfα


Thus, if the equilibrium strategies are: C Dr > β r

α = 0

ρ2

, and . This is based on the out-of-equilibrium beliefs (Lemma

1), and .

δ δ1 2 0= =

0=

δ 3 1=

3 0π =

ρ1 0=

1 2π π= =


Assume that and . Using in equation (A25) and

(A26), the simplified expected cost to the regulator and firm are:

C Dr r< β ( )ρ2 1= C D Cf f> −β( 0 )

)1 α

)

( )ρ2 1=

( ) ( ) (1 1 2 1 21 1w r r rER K C C Dδ δ α δ δ δ β= + − + + − − − (A32)

( ) ( ) (1 2 1 1 21f o f t oEF C C D C Vα αβ α β δ δ αδ β δ δ= + + − + + + + (A33)


1

(1 ) (1 )w rER K Cα αδ

∂= + − − −

∂ rDβ (A34)

∂∂

= − −ER Crδ

α β2

1( ) Dr (A35)

∂∂

= + − + +EF C C Dfα

β δ δ β δ0 1 2 1( ) Cf l (A36)

Since and , we have C C Df f+ >β β0 ( )δ δ1 2 1+ ≤ ∂ ∂ >EF α 0 , implying . α = 0

Substituting in (A13), we get α = 0 ∂ ∂ = − <ER C Dr rδ β2 0 because , C Dr r< β

by assumption. This means . Hence, for C and , δ 2 1= Dr r< β C D Cf f> −β( )0

δ 2 1= , , and are equilibrium strategies. This is based on the out-of-

equilibrium beliefs (Lemma 1), and .

δ1 0= δ 3 0=

ρ1

α = 0

0= ρ2 1= 1 2 3 0π π π= = =

8


Assume that , and . Since ,

the expected payoff to the regulator and firm are same as (A32) and (A33). Therefore, (A34),

(A35) and (A36) give the first-order conditions. Suppose the firm’s strategy is

C Dr r< β ( )ρ2 1= C D Cf f< −β( )0 ( ) /w r r rK C D C Dβ> − rβ ρ2 1=

α = −1 C Dr

(w r rK C Dβ> −

β r

rβ

. Substituting this in the regulator’s first order condition (A34) and using the fact

, we have ) /rC D ∂ ∂ >ER δ1 0 , implying . Substituting in (A36)

we get , which is less than one. This means (A35) equals zero. So solving

for from (A35) gives

δ1 0= δ1 0=

δ β2 = +(C Cf

α

β f0 ) / D

α C Dr β r= −1 . Thus, α β= −1 C Dr r δ1, ,

and are equilibrium strategies. This is based on the out-of-equilibrium beliefs

(Lemma 1), and

0= δ β2 0= +( )C C β/ Df f

ρ1 0=δ δ3 21= −

ρ2 1= 1 2 3 0.π= = =π π

4. Equilibrium (IV):




C Dr r< β ( )ρ2 1= 0( )f fC D Cβ< − − tC rβ( ) /w r r rK C D C Dβ< −

ρ2 1=

1 (w rK D Cα β= − −

(w r r rK C D Cβ< −

)r

rβ

. Substituting this in (A35) and using the fact that

, we have ) / D ∂ ∂ >ER δ 2 0

)f tC

, implying . Substituting this in (A36),

we get , which is less than one. This means we can solve (A34) as

an equality to get

δ 2 0=

1 0( )fC Cδ β= + /( Dβ −

1 (w rK D )rCβ −α = − . Thus, 1 (w rK Dα β

1 2 π= =

)r ρ1 0=C= − −

δ 3 0π π =

, , ,

, , and are equilibrium strategies.

ρ2 1=

1 0( ) /(f fC C Dδ β β= + )tC− δ 2 0= δ 3 11= −

E. PROOF OF PROPOSITION 3:

9

In this case the firm is protected from third party liability for the information accessed by the

regulator (privilege is waived) and the penalty is reduced for good faith self-policing efforts, i.e.,

if the firm audits and fixes any non-compliance, the firm is penalized an amount which is less

than the unconditional penalty, V 0.a V<

( ) ( ) ( ) ( ) (1 1 2 2 1 2 1 21 1 1 1w r r r rER K C C D Dδ δ α ρ δ δ α β ρ δ δ β= + − + + − − + − − − )1 α

0( )

(A37)

1 2 2 1 0 2[ ] (1 ) ( )f o a a f fEF C C V V D V D Vα β βδ βδ α β ρ δ δ = + + + + − + + + (A38)

1. Equilibrium (I):



C Dr r> β (ρ2 0= )

)α

0( )

( ) (1 2 21 1w r rER K C Dδ δ δ β= + + − − (A39)

1 2 2 1 0 2[ ] (1 ) ( )f o a a f fEF C C V V D V D Vα β βδ βδ α β ρ δ δ = + + + + − + + + (A40)


1w

ER Kδ

∂=

∂ (A41)

( )2

1rER C α βδ

∂= − −

∂ rD and (A42)

1 2 2( ) (f o a oEF C C V V Dβ β δ δ βδα

∂= + + + − +

∂)f (A43)


positive, implying . Using , (A43) reduces to:

0wK > C Dr r> β

δ δ=

0 1≤ ≤α

0=1 2 δ δ1 2 0= =

∂∂

= + >EF C Cfα


Thus, if , the equilibrium strategies are: C Dr > β r

10

α = 0

ρ2

, and . This is based on the out-of-equilibrium beliefs (Lemma 1)

and .

δ δ1 2 0= =

0=

δ 3 1= ρ1 0=

2. Equilibrium (II)-(IV):



r rC Dβ< 2(ρ = 1)

)1 α

0( )

( ) ( ) (1 1 2 1 21 1w r r rER K C C Dδ δ α δ δ δ β= + − + + − − − (A44)

1 2 1 0 2[ ] (1 ) ( )f o a a f fEF C C V V D V D Vα β βδ βδ α β δ δ = + + + + − + + + (A45)


1

(1 ) (1 )w rER K Cα αδ

∂= + − − −

∂ rDβ (A46)

∂∂

= − −ER Crδ

α β2

1( ) Dr (A47)

0 1 2 0( )(fEF C C V V Dβ β δ δα

∂= + − + − +

∂)a f

D

r

(A48)

Note that the conditions (A46), (A47) and (A48) are identical to conditions (A34), (A35) and

(A36) in Proposition 3, if we substitute for and C Using this identity

we know that the equilibria for the modified game when C are:

*fD 0( )a fV V D− +

<

0.t =

Dr rβ

(II) If C andC D , then , , and are equilibrium

strategies. This is based on the out-of-equilibrium beliefs (Lemma 1) and .

r r< β *0( )f f Cβ> − δ 2 1= δ1 0= δ 3 0=

ρ1 0=

α = 0

ρ2 1=

(III) If C D , and , then r r< β *0( )f fC D Cβ< − ( ) /w r r rK C D C Dβ β> − α β= −1 C Dr r , ,

and are equilibrium strategies. This is based on the out-of-

equilibrium beliefs and .

δ1 0=

*0 ) /f fDβ δ 3 1= −

ρ1 0= ρ2 =

2 (C Cδ β= + δ 2

1

11

(IV) If , and , then C Dr r< β *0( )f fC D Cβ< − ( ) /w r r rK C D C Dβ β< − r 1 (w rK D Cα β= − − )r

δ1

f

,

, , , and are equilibrium strategies. ρ1 0= ρ2 1= 1 0( )C Cδ β= + /(f fDβ )tC− δ 2 0= δ 3 1= −

To convert these equilibria to the ones stated in Proposition 3, substitute for . 0( )aV V D− + *fD

F. PROOF OF COROLLARY 1:

If ( )w, + < - , and K < .r r r

r r f o f tr

C D CC D C C D C

Dβ

β β ββ

−<

( )

Compare equilibrium (IV) in

both cases of Proposition 2 with equilibrium (III) in Proposition 1. Each of this equilibrium will

occur given the conditions noted above. The probability of an audit by the firm is

wK1r rD Cβ

= −−

α in equilibrium (IV) in Case I. In the inspection only equilibrium,

equilibrium (III), the probability of a self-audit by the firm is 1 r

r

CD

αβ

= − .

( )wKThus, if 1 1 r

r r r

CD C Dβ β

− > −−

, the probability that the firm will conduct a compliance

audit is greater when regulatory access is granted. This is same as

KD C

CD

w

r r

r

r( )β β−< . Or, alternatively K C D C

Dwr r r

r

<−(β

β) , is which is true as an assumed

condition for equilibrium (IV) in Case I to occur. Similarly, it can be shown that the probability

of self-auditing for Case II in equilibrium (IV) is greater compared to the self-auditing

probability in the no access situation.

G. PROOF OF COROLLARY 2:

12

Consider equilibrium (IV) in both privilege asserted (Case(I)) and privilege waived (Case(II))

cases. From Proposition 2--Case I and Proposition 2--Case II, values of C for which we get

access equilibria are defined by and in

the privilege asserted and privilege waived cases respectively. Substituting and

rearranging terms, the condition for the privilege asserted case is equivalent to

r

(w rK CK C K D C Dp r r r< + −( )∆ β β r/ r) /r rD C Dβ β< −

∆K K Kp= −( )w

K C D C Dw r r r r< − −( )β β 1

rC

C D Kr r p−( )β . From the continuity of C , we know that the range

of values of for which

r

K C D C Dw r r r r< −( )β β is strictly larger than the range of values for

which K Cw r D Cr< −( ) D C D Kr r r r p− −( )β β β1 .

H. PROOF OF COROLLARY 3:

Assume Then as V increases, the set of parameters for which

> 0 holds becomes smaller. That is, the parameter space for

which equilibrium II (in which the firm never self-audits) occurs is reduced and the parameter

space for which equilibria III and IV occur (i.e., the equilibria in which the firm self-audits with

positive probability), becomes larger.

.rC Dβ<

0 +fD V− −

r 0 aV−

tC+ ( )af oC C Vβ −

The proof for the decrease in the probability of inspections by the regulator in equilibrium III

and the probability of regulatory access in equilibrium IV is straightforward from a comparison

of the regulator’s and firm’s strategies in the respective equilibria for the setting with a

unconditional penalty in Proposition 2 and a mitigated penalty in Proposition 3.

13

Documents

Do We Need the Corporate Self-Evaluative Privilege?