Australia: Handling Internal Investigations

This is an Insight article, written by a selected partner as part of GIR's co-published content.

It goes without saying that wrongful conduct in a corporate setting can have drastic and irreparable legal, commercial and reputational consequences for the individuals and entities involved. Internal investigations, which can be carried out quickly and tailored to address specific company concerns, can be particularly well suited to identifying, minimising and remediating such fallout. This is particularly relevant in the current corporate climate in Australia, which has seen an increased level of scrutiny over corporate governance and operational issues. More than ever, there is an expectation that board members and senior managers understand what is happening in their company and take responsibility for the actions of employees and third parties who carry out business on behalf of the company. In this climate, internal investigations are becoming more prevalent and this trend will only continue.

What makes an efficient and effective investigation can vary dramatically depending on the subject matter of the investigation, and the individuals and entities involved. This article provides a brief overview of the key considerations that will allow a company to craft and manage an effective Australian internal investigation, and achieve a prompt and robust outcome.

Launching an investigation

There are countless reasons for commencing an internal investigation. A company may itself have identified potential wrongdoing. Third parties may have alleged inappropriate conduct. Regulators may have made informal enquiries or launched a formal investigation, either of the company itself or of another industry participant, that has knock-on consequences for the company. In some cases, regulators may have required an organisation to undertake an internal investigation (see, for example, section 53 of the Independent Commission Against Corruption Act 1988 (NSW)), or there may be other circumstances creating impetus to investigate (for example, licence requirements or positive reporting obligations in particular industries).

Entities may commence investigations to determine whether notification is required under the mandatory data breach notification laws introduced into the Privacy Act 1988 (Cth) by the passing of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), which took effect on 22 February 2018, in the event the entity suspects but is not certain that a serious and eligible data breach has occurred. Entities are required under the data breach notification scheme to undertake 'reasonable and expeditious assessment' to determine whether there are 'reasonable grounds' to consider that an eligible data breach has occurred. This assessment must be made within 30 days of the entity becoming aware of the relevant circumstances. Entities may also avoid the new notification requirements if they take remedial action before any serious harm is caused by any eligible data breaches.

In the near future, entities may also commence investigations in relation to proposed Commonwealth and state modern slavery laws, which will require large commercial organisations to report on the steps they have taken to ensure that their goods and services are not a product of supply chains in which modern slavery is taking place. The New South Wales legislation passed Parliament on 21 June 2018 and is expected to come into force later in 2018.

In some circumstances, urgent action is necessary. This includes where there is an actual or anticipated destruction of documents (discussed below), or where relevant personnel are about to depart from the organisation. Immediate action is also required where any unreasonable delay in launching the investigation could be seen as acquiescence or tacit approval of the impugned conduct by the company.

While those considerations may dictate the timing of immediate steps in an investigation, other factors, such as the need to efficiently carry on business and the availability of resources, will also influence an investigation's progress. Insufficient information and resources can result in a haphazard investigation process and a less than credible – or even unreliable – investigation report.

Identifying who will conduct the investigation

Once the company has decided to commence an internal investigation, it will need to appoint someone to take responsibility for coordinating and conducting the investigation. Often, this will be a member of the company's legal team. However, there may be cases where it is more appropriate for members of the board to have oversight of the conduct of the investigation – for example, where the conduct of senior management is impugned.

Likewise, if the scale of the investigation involves numerous persons across various offices and a large quantity of factually or technically dense material, the company may need to allocate additional and specific resources to the investigation. For example, if the subject matter of the investigation is a serious and systemic issue, or potentially involves misconduct on the part of senior personnel, it may be advisable for external advisers to conduct the investigation. This often adds an additional layer of impartiality, objectivity and forensic scrutiny, and can assist in navigating difficulties created by internal reporting lines or interpersonal relationships between company personnel.

The members of the investigations team should have an appropriate combination of skills, training and experience to support a well-rounded and thorough investigation. If the investigation involves topics where specialised expertise would be beneficial (such as concerns about securities or antitrust violations), that should be taken into account in forming the team. Failure to appoint appropriate persons could compromise the investigation process and outcome. For similar reasons, close colleagues or peers of persons who are 'at risk' in the investigation should not be appointed to the investigations team.

Setting the remit of the investigation

The scope of the internal investigation must be set carefully and clearly, with its sole focus on responding to the particular identified problem. It can be useful to prepare written terms of reference, which identify those matters that fall within the subject matter of the internal investigation and – equally critically – those that fall outside. If the investigation has been prompted by regulatory attention, the intended interaction between the internal investigation and any existing or anticipated regulatory process should be taken into account.

The proper constitution of the investigations team, along with the drafting of suitable terms of reference, not only ensures the integrity of the investigation and the information gathered by it, but also plays an important part in determining issues of privilege (discussed below). These initial decisions should not be made on a 'set and forget' basis. As investigations invariably evolve over time, it is vital to reassess the scope of the investigation at frequent and regular intervals, and make any necessary changes.

Whistleblower protections

Changes to Australia's whistleblower regime may impact how a company commences and carries out an internal investigation. The Treasury Law Amendment (Enhancing Whistleblower Protections) Bill 2017 (Cth) was introduced by the Commonwealth government on 7 December 2017 and is, at the time of writing, before the Senate. Relevantly, the amendments introduced by the Bill (if passed) will require public companies and large proprietary companies to have a whistleblower policy in place that explains, among other things, how the company will ensure the fair treatment of employees who are mentioned in any protected disclosures made in accordance with the proposed legislation. A related consideration is for companies to have in place systems and processes to make sure that internal investigations based on whistleblower disclosures proceed in a manner congruent with the enhanced protections – for example, protecting the identity of anonymous whistleblowers (if the Bill is passed, it will be a civil penalty contravention to disclose an anonymous whistleblower's identity).

Communicating the existence of the investigation

The next step is for the company to communicate information internally regarding the investigation. It is often appropriate to issue a document preservation notice, drafted in a neutral and objective way, to all relevant personnel and, in some cases, to all staff, on a confidential basis. Specific document collation requests to relevant individuals may also be needed, as well as guidance on what may and may not be discussed between company staff, or third parties, concerning the investigation.

As a general rule, it is not advisable to disclose the details of the investigation in such communications, or the circumstances that have led to the investigation. This is for many reasons, but particularly because those communications may not be privileged, and may therefore be the subject of disclosure to third parties in the future. The enhanced whistleblower protections discussed above may also impact how such communications are framed.

Conducting the investigation

There are no general specifications in Australia as to how an internal investigation should be carried out, including in relation to procedural matters such as independent representation for company employees interviewed in the course of an investigation. The company should consider and address these issues prior to gathering evidence in the investigation. Best practice suggests companies take into account principles of natural justice, as well as anticipated interactions with regulators about the subject matter of the investigation, in deciding how to proceed. Some Australian regulators have issued guidance notes as a reference point for those considering or undertaking an internal investigation (see, for example, 'Fact Finder: A guide to conducting internal investigations', NSW Independent Commission Against Corruption, March 2012).


An important first step in internal investigations in Australia – like many other jurisdictions – is the appropriate collation, compilation and retention of relevant documents. Document preservation must include both hard copy and electronic documents to ensure all original documents are quarantined in their original form. It may be appropriate to take a forensic image of all relevant electronic data to ensure the integrity of information (including metadata) is maintained throughout the course of the investigation. The company should take urgent steps to preserve documents that could otherwise be destroyed by innocent means (for example, scheduled record management) or malicious means.

Some of the issues a company may need to confront in document collation include how to treat private documents an employee has stored in or on company property. This includes private information or communications stored on the company's computers or mobile phones, or on the company's premises (such as at the employee's desk or workstation). In many circumstances, the company's ability to access and review such private documents will depend on the specific terms of the employment contract, or any applicable codes of conduct or terms of use, and particularly whether consent has been previously provided by employees for employer access to such material.

The company will also need to consider the impact of the Privacy Act 1988 (Cth), which regulates the company's handling of personal information about individuals. There are also differing laws across various state and territory jurisdictions about the ability to use surveillance or recording devices to obtain information without the consent of the person under surveillance. As privacy and surveillance considerations can arise in various ways throughout an internal investigation, the investigations team should ensure it has addressed the relevant legal requirements when embarking on data collection.


Another key aspect of any investigation is interviewing relevant individuals. It is vitally important that the investigations team properly identifies the relevant individuals, and arranges for them to be interviewed separately, in an appropriate order, and with clear objectives. A core bundle of documents should be produced for each interviewee to be taken through during the course of the interview. It is generally not desirable to provide the interviewees with advance copies of the documents, and they should not be permitted to retain copies of any such documents. The interviewees should also be instructed not to discuss their evidence with anyone else. This is to maintain confidentiality, avoid a potential waiver of privilege and also avoid potential contamination of evidence.

When conducting interviews, the company's legal representatives should clearly inform the interviewee that they represent the interests of the company, and while the content of the interview is confidential and privileged, the company reserves the right to waive that confidentiality or privilege in the future.

In appropriate circumstances, interviewees should not only be allowed but encouraged to obtain independent legal representation for the purposes of the interview. In some cases, the company – or an insurer – may be obliged to indemnify the interviewee for the costs of such representation.

During the interview process, the interviewer should be focused on assessing the interviewee's recollection, as opposed to his or her recreation, of relevant events. Interviewers should always be alive to the potential for interviewees to give incorrect accounts, and should be prepared to challenge and test the evidence given by the interviewee there and then without the need to adjourn the interview, which may allow the interviewee an opportunity to tailor his or her evidence.

In Australia, written records of the interview created by internal or external lawyers for the purpose of advising the company will usually be privileged. This is not the case for notes taken by the interviewee, or any 'support person' brought into the interview by the interviewee. The only exception is where notes are created by the interviewee's appointed legal representative, who has attended the interview for the purpose of advising the interviewee. Those notes will ordinarily be privileged in the hands of the interviewee, but not the company.

The investigations team should also consider whether it is useful to record the interview, or obtain a signed written statement from the interviewee reflecting the evidence given during the interview. In the event the interview was recorded, the team should also consider whether to request that the interviewee sign a transcript of the interview, verifying its accuracy. The assessment of how to record the interview may be influenced by views about the prospect of future regulatory or litigious activity. Unlike some other jurisdictions, it is not yet commonplace for Australian regulators to request access to written statements or notes of witness interviews produced in the course of internal investigations; any such requests are typically met with claims of privilege. The more typical course is for Australian regulators to exercise their compulsory powers to conduct their own interview processes. However, companies should bear in mind the possibility of such requests, particularly if the subject matter of the investigation involves multi-jurisdictional issues, where regulators in other jurisdictions may have different practices and different rules as to the availability of privilege claims may apply.

The company may also need to confront issues that arise when individuals refuse to participate in an interview or other aspects of the investigation, which can trigger the need for disciplinary action. The company must also consider whether certain employees who are the subject of (or are at risk in) the investigation need to be suspended, or, where serious wrongdoing is clearly identified, dismissed (which can then affect the willingness of those individuals to cooperate with the investigation). All of these issues should be assessed with an awareness of the company's relevant employment obligations.

Reporting on the investigation

The investigations team should keep relevant internal stakeholders informed of the progress of the investigation. Once the investigation has concluded, they will also need to report its findings. A key issue that often arises in this context is identifying the relevant stakeholders who need to be informed, and at what stages. Generally, dissemination of information relating to the investigation should be on a 'need to know' basis. That is because doing otherwise may jeopardise a company's ability to claim or retain privilege over those reports. Reporting should also take into account the subject matter of the investigation and the personnel potentially implicated. For example, if senior management is potentially involved, it will be necessary to devise reporting arrangements that avoid communication to those persons, and guard against their accessing any relevant documents or reports created.

Depending on the company in question, there may be some requirement or obligation to disclose aspects of the investigation to regulatory bodies or authorities. This is particularly so if the investigation intersects with an actual or anticipated regulatory investigation, and especially if the company wishes to self-report certain conduct in an effort to obtain immunity from or leniency in respect of potential penalties. In some industries, licence conditions can also create positive reporting obligations where potential contraventions are identified (for example, in the financial services industry).

If the company is a publicly listed entity, disclosure of certain aspects of the investigation may be required in order to comply with the company's continuous disclosure obligations under the Australian Securities Exchange Listing Rules. The company may also need to disclose certain circumstances to their insurer in order to obtain coverage in respect of future claims against the company.

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) also imposes certain transaction and compliance reporting obligations on reporting entities, which can be triggered if certain circumstances are identified in the course of an internal investigation. Reporting entities must also take care not to 'tip off' persons in relation to these matters at any time, including during or following an investigation, as it is an offence to do so.

Where criminal conduct is suspected or identified, although there is usually no positive obligation to do so, the company may decide to engage with relevant law enforcement agencies, such as the police. Where aspects of an investigation may become public, the company may also wish to engage public relations personnel to assist in managing media coverage and potential reputational impact.

To the extent that criminal conduct is suspected or identified, companies may be incentivised in the near future to proactively self-report internal misconduct in return for reduced penalties, with legislation to introduce a deferred prosecution agreement (DPA) scheme in Australia before Parliament at the time of writing. The intention of the DPA scheme is to encourage self-reporting of misconduct by corporations, to assist in addressing some challenges inherent in detecting and investigating serious corporate crime, and to offer corporations the opportunity to reduce the time, cost and uncertainty connected with drawn-out investigations and prosecutions.

If passed, the Australian DPA scheme, proposed in the Crimes Legislation Amendment (Combatting Corporate Crime) Bill 2017 (Cth), will allow the Commonwealth Director of Public Prosecutions to invite a company that is alleged to have engaged in serious corporate crime to negotiate an agreement to comply with a range of specified conditions. In considering whether to offer a DPA, the Director of Public Prosecutions will take into account whether the company has self-reported the suspected misconduct and the extent to which the company has demonstrated a willingness to cooperate with the law enforcement agency. Conditions of the DPA will require a company to admit to agreed facts detailing their misconduct, pay a financial penalty to the government and disgorge profits and other benefits obtained through the misconduct. If the company fulfils its obligations under the DPA, it will not subsequently be prosecuted in relation to the offences identified in the DPA.

Mandatory data breach notification laws came into effect in February 2018 via recent amendments to the Privacy Act 1988 (Cth). They require the relevant entity to notify the Office of the Australian Information Commissioner and any affected individuals where there are reasonable grounds to believe a serious, eligible data breach has occurred. The Privacy Commissioner has encouraged relevant entities to begin undertaking audits and developing breach response plans in anticipation.

While it is one thing to identify who should be provided with information relating to the investigation, it is another to identify what should be reported. In some circumstances, it might be appropriate merely to identify that an investigation has been undertaken and has concluded. In other circumstances, it may be appropriate to identify the results of the investigation, or the recommendations or findings made in relation to certain matters.

At all stages, the company should also consider whether communications will be protected by privilege and, if so, how to best protect that privilege.

Privilege – a critical factor

Privilege is a key consideration through the course of an internal investigation. An internal investigation where relevant communications are protected by privilege can greatly assist an investigations team to obtain full and frank disclosure, and enable the company to thoroughly assess the situation with a fuller understanding of the facts than might otherwise occur.

There is a healthy respect for privilege in Australia, including in respect of documents created for the purpose of internal investigations. However, this does not mean any claim for privilege over such documents will be blindly accepted. Regulators and other litigants can and often do vigorously challenge privilege claims.

In Australia, legal professional privilege applies to communications that are prepared for the dominant purpose of:

  • obtaining or providing legal advice; or
  • obtaining or providing legal services (including representation) in actual or anticipated litigation.

The test of whether a communication was prepared for the dominant purpose of either of the above limbs requires consideration of the ruling, prevailing or most influential purpose of the communication. The starting point is generally to ask what the intended use of the communication is. Where a communication has mixed purposes, only one of which is a privileged purpose, it is unlikely to be protected by privilege. It is critical to consider the communications to be made and any documents created in the course of an internal investigation against that test.

Where legal advice is given by an in-house lawyer during the course of or in response to an internal investigation, legal professional privilege may still attach to that advice, provided the in-house lawyer was a qualified lawyer acting in the capacity of an independent professional adviser. Independence is crucial. In order to promote such independence, in-house lawyers should maintain their practising certificates, maintain secure files that are separate from the remainder of the organisation, and ensure their legal and non-legal work functions are separated as much as possible.

In the UK, documents produced and communications made by in-house lawyers in the course of undertaking internal investigations are not necessarily protected by privilege. In the RBS Rights Issue Litigation [2016] EWHC 3161 (Ch), the English High Court considered that not all officers and employees of the company should be treated as a client for the purpose of legal professional privilege and that certain transcripts and notes from interviews conducted by the in-house lawyers gathered during an internal investigation therefore were not considered to be lawyer–client communications and were not protected by legal professional privilege. That position was reinforced in subsequent UK decisions, including Serious Fraud Office v Eurasian Natural Resources Corporation Ltd [2017] 1 WLR 4205 (from which an appeal is pending), R v Paul Jukes [2018] EWCA Crim 176, and R v Serious Fraud Office [2018] EWHC 856 (Admin). Australian courts have not taken this narrow approach as to who constitutes a client; however, they have taken differing approaches about whether lawyers' notes of interviews of witnesses are protected by privilege, depending on the particular circumstances.

Issues also frequently arise as to whether privilege attaches to documents prepared by third parties. Third-party service providers, such as information technology consultants or forensic accountants (among others) may need to be involved in the investigation process, including to provide specific advice in relation to narrow or discrete issues. In Australia, privilege can attach to documents prepared by these third parties, provided the document was created for the dominant purpose of obtaining legal advice or for use in actual or anticipated litigation. When engaging third parties, the engagement letter should clearly specify the limited purpose for which those third parties are engaged, their obligations to maintain confidentiality, and confirm that disclosure of any privileged documents to them will not constitute a waiver to the world at large.

In Australia, whether 'limited waiver' arrangements are effective to allow disclosure of privileged information to a regulator, while maintaining privilege against third parties, was examined in Cantor v Audi Australia Pty Ltd [2016] FCA 1391. There, the Federal Court of Australia considered whether legal advice disclosed to a German regulator in response to its requests for information from the company during the course of its investigations maintained privilege for the purpose of the Australian litigation. The Court held that privilege was maintained as against the applicants, because the document had been provided in circumstances of confidentiality such that any waiver of privilege was limited to the German regulator. That regulator had no authority to waive that privilege, except to the extent compelled by law, which had not been successfully forced upon the regulator. However, Australian courts are yet to authoritatively determine whether 'limited waiver' arrangements are effective to allow disclosure of privileged information to an Australian regulator, although at least one Australian regulator, ASIC, offers a pro forma agreement to facilitate disclosure of privileged information to it on a voluntary basis.

The UK decision Property Alliance Group Limited v The Royal Bank Of Scotland Plc [2015] EWHC 1557 (Ch) potentially offers some further guidance. There, the Court considered whether communication with regulatory bodies in the course of an investigation was capable of attracting privilege. It held that disclosure by individuals and entities to regulators will not necessarily result in a waiver of privilege if it occurs confidentially and for the limited purpose of the ongoing investigation. Such communications and disclosures are capable of retaining privilege on the basis they are subject to a limited waiver in respect of the relevant regulatory body only. However, importantly, the privilege may be lost if the party claiming privilege later seeks to rely on the findings of the regulatory body with which it communicated.

There are also many other ways in which privilege can be waived. As confidentiality is an essential precondition to the existence and maintenance of the privilege, waiver will often occur where the actions of a party are plainly inconsistent with the maintenance of that confidentiality. This can include where the substance of legal advice is disclosed in company announcements, where legal advice is referred to in correspondence in order to support a position (including in correspondence with regulators), or when the effect of legal advice is disclosed and recorded in minutes of board meetings.

Where an investigation deals with cross-border subject matter, the company should take into account the fact that rules regarding privilege can vary between jurisdictions, so that communications protected by privilege in Australia may not receive the same treatment elsewhere.

Concluding comments

Internal investigations are an important tool for identifying, minimising and remediating actual or alleged corporate wrongdoing. The way in which an internal investigation is conducted can also have significant benefits for preparing for and responding to any associated civil and criminal proceedings. Yet there is obviously no one-size-fits-all solution. The subject matter of each internal investigation, along with any regulatory involvement, will shape the many forensic decisions to be made during each investigation.

Having in place an appropriate regime for conducting internal investigations, taking into account the topics outlined in this article (as well as the effective conduct of internal investigations), is viewed positively by Australian courts and regulators as a sign of good corporate governance. Indeed, when used properly, the internal investigations process is not only a valuable part of a company's arsenal to respond to allegations of wrongful conduct, but a deterrent to future wrongful conduct, thereby yielding an even greater benefit to the company in the medium-to-long term.
