Cross-border overview: building a robust internal investigation function

This is an Insight article, written by a selected partner as part of GIR's co-published content.


An effective compliance programme must have an investigative process in place to respond to and evaluate potential fraud and misconduct and identify those responsible. Fraud, misconduct, waste and abuse can result in significant financial, economic and reputational costs to an organisation. For this reason, more and more companies are undertaking efforts to design, implement and enhance their internal investigation protocols as part of broader anti-fraud programme development.

An effective reporting mechanism must be in place to capture trigger events and so that each is responded to in an appropriate and consistent manner. There are many forms of trigger events, including whistleblower reports, red flags from other internal sources (such as risk assessment, internal audit reports, management reviews, exit interviews, etc) and red flags from outside sources (such as external auditors and legal or regulatory activity). A consistent approach to capturing and responding to trigger events helps to prevent critical issues from slipping through the cracks. Employees must be trained to identify and report suspected incidents via the reporting mechanisms in place.

This chapter is intended to provide insight into some of the key considerations when undertaking efforts to build an effective (or enhance an existing) internal investigation programme. Key considerations include:

  • having a plan that facilitates the organisation’s preparedness;
  • implementing a data collection and analysis protocol that is consistent with the needs of the organisation;
  • leveraging business intelligence capabilities to supplement the data analysed;
  • using forensic accounting; and
  • understanding ‘build versus buy’ as it relates to both the investigative programme as a whole and the specific resource needs of individual investigations.

Have a plan; be prepared

When it comes to corporate fraud and misconduct, it is not a question of if it will happen, but when. A fraud and misconduct response plan (plan) is the foundation on which efficient and effective investigations are built. The design and implementation of an appropriate plan help to create consistent responses by the right people taking the right actions at the right time. Additionally, the design, implementation and maintenance of the plan assist in proactively identifying a line of reporting and internal control weaknesses so that the organisation can take timely corrective action.

Some of the key components of an effective plan are outlined below.

Pre-incident planning

  • Create the plan and identify the incident response team.
  • Clearly define the roles of the incident response team and its individual members.
  • Develop protocols for escalation of incidents based on the severity of the allegations.
  • Identify and update document-retention policies.
  • Standardise evidence collection protocols.
  • Include regulatory response procedures for response and notification to the appropriate authorities.

Ongoing incident management

  • Determine an appropriate scope for the response based on the trigger event. Does it justify a formal investigation?
  • Determine the roles of the investigation team specific to the matter, including identifying the leader of the team.
  • Identify and preserve financial and non-financial evidence in a timely manner.
  • Determine stakeholder communication protocols, which include agreeing on a time frame for who needs to know what, when and how often.
  • Identify weak or failed internal controls and business processes.
  • Document the results of the investigation.
  • Consider the appropriateness of civil or legal remedies.
  • Communicate, communicate, communicate.

Post-incident remediation

  • Gain a clear understanding of what went wrong.
  • Take action to address the deficiencies.
  • Consider disciplinary actions against the perpetrators.
  • Develop and implement a plan to prevent reoccurrence.
  • Reassess the effectiveness of the remediation plan periodically.

Companies that have a plan often share certain qualities that are key to successful implementation, including:

  • The plan is tailored in size and complexity to meet the needs (eg, the risk profile) of the organisation.
  • The plan includes protocols for the appropriate escalation of attention and resources if and when a situation evolves from an allegation to an investigation.
  • Lastly, and possibly most importantly, the plan calls for (and the organisation acts upon) remediation steps to include the identification and enhancement of weak or failed internal controls.

An effective plan has protocols for the organisation to determine how the improper activity occurred, so that remediation steps can be undertaken to prevent it from happening again. All too often, companies take the position that the incident was a one-off occurrence. The reality is, many times, those companies are wrong. If appropriate remediation efforts to improve relevant internal controls are not taken in a timely manner, the same problems can, and often will, happen again.

The responsibility for the design and management of a plan varies by organisation and is often contingent on the knowledge, training and experience of those within an organisation. That being said, the following stakeholders often play a critical role in the design and management of the plan:

  • general counsel (legal function);
  • chief audit executive (internal audit function);
  • chief compliance officer (compliance function); and
  • chief talent officer (human resources).

Additionally, many organisations leverage their external counsel and forensic accountants during the design and periodic evaluation of their plan.

Once an allegation of fraud or misconduct comes to light, time is of the essence. The first 48–72 hours are often the most critical. During this initial window, appropriate internal communication, and efforts to identify and preserve (not necessarily collect) relevant data and information should take place. Failure to do so could result in the spoliation of evidence (both intentional and unintentional). As an example, once an incident becomes known, immediate consideration needs to be given to the organisation’s back-up tape rotation schedule and e-mail dumpster/recoverable items folder settings so that critical information is not lost. An appropriately designed and implemented plan includes the identification, consideration and update (as necessary) of current document-retention policies. A plan that includes the requirement to identify and consider document retention policies prior to an incident is much better suited to ensuring the needed information is secure and available should it be needed in the future.

Data identification, preservation and collection

From general ledger accounting systems to network security and social media, data has become the backbone of corporations. Organisations regularly generate, collect, manipulate and interpret electronically stored information (ESI) from multiple sources across the enterprise and external to the organisation. Whether you are involved in an investigation or trying to prevent one, you will need to be able to identify and understand complex data sets generated by disparate systems that reside inside and outside the company. The key is to effectively and efficiently leverage technology and subject-matter professionals to gain relevant and useful insight from the available ESI.

ESI relevant to an investigation can be found in many forms: e-mails, log files, accounting systems, industry-specific business applications, shipping records, and public and private social networking, to name just a few examples.

The process of identification, preservation, collection and hosting of ESI to facilitate the analysis of the data during an investigation is commonly referred to as data mining. The data mining process, when done correctly, can help the investigative team remain agile despite potentially restrictive technical and legal conditions.

When a company lacks a plan, the identification and collection of relevant ESI using a forensically sound preservation and collection protocol can be overlooked in the investigation. This is often the case when a business unit decides to conduct its own investigation prior to sharing the information through the established reporting mechanisms. It is imperative that ESI from computing platforms, storage devices, mobile hardware and other sources is collected with robust evidentiary integrity that is suitable for investigation, litigation or regulatory response.

Data analysis

Data analysis combines the use of statistical and qualitative analysis, in conjunction with explanatory and predictive models, to guide and identify issues and areas warranting further consideration, thereby focusing investigative efforts where they matter and optimising outcomes. The data are generally maintained in large-scale structured (eg, databases) and unstructured (eg, word processing documents and e-mails) data sets.

An effective data analytic process will help the investigative team answer the following types of questions:

  • Who is talking to whom?
  • What are they talking about?
  • What are the outliers?
  • Who is involved?
  • When did it start?
  • Over what period has it occurred?
  • What is the magnitude/exposure?
  • What was the root cause?

Owing to the costs and complexities associated with the internal development and deployment of a sophisticated data analytic programme, organisations tend to start small and grow their programmes and capabilities over time as their needs and experience warrant. In the early stages, commercially available off-the-shelf tools are often leveraged to perform traditional rules-based queries, analytics and keyword searching. Unfortunately, these traditional approaches tend to have a low detection rate and generate a significant number of false positives (ie, the identification of potential anomalous activity that is not actually responsive to the matter under investigation).

As capabilities and expertise grow, more sophisticated tools and techniques are often used to perform statistical analysis, as well as data visualisation, technology-assisted review and text mining. With the use of sophisticated tools and techniques comes an increase in detection rates for relevant anomalous activity and a significant reduction in false positives.

Integrity diligence

An integral component of most investigations is often the need to collect and assess information associated with individuals and entities that are believed to be directly or indirectly related to the matter under investigation. The integrity diligence investigative process typically involves the following:

  • public domain searches including adverse media inquiries and social media reviews;
  • review of public records databases, such as criminal and civil litigation, property (real estate, cars, aircraft), liens, bankruptcies and regulatory infractions;
  • comprehensive review of available sanction, embargo and watch lists and other compliance databases to identify parties suspected of wrongdoing, politically exposed persons and state-owned entities;
  • local language research utilising jurisdiction-specific resources;
  • analysis of ownership structure to uncover beneficial owners and identify potential conflicts of interest;
  • other real asset searches;
  • identification of links to government officials or entities, including contracts awarded and potentially vulnerable relationships with other entities; and
  • site visits to the subject entity’s headquarters or other operations.

Forensic accounting review

The forensic accounting review is a key investigative step as it can uncover how the conduct manifested itself in the accounting records. This process is based on an understanding of the allegation or issue in question and the related processes and policies at the business being investigated. A forensic accounting review would typically include the data analysis discussed above and use that information to help target specific investigation into the operations and testing of vendors, accounts, contracts, individuals, payments, journal entries or other transactions. The specific procedures performed would vary depending on the nature of the investigation, as financial statement fraud is different from a vendor fraud issue.

When testing transactions, the business purpose is critically examined. Do the facts of the transaction hold up to scrutiny? This is significantly more in-depth than a controls-based test would be, because many improper transactions have the necessary approval. The techniques involved generally include interviews of the people familiar with the transaction and the related processes and controls. Documents such as contracts, invoices, cash vouchers, shipping documents and other supporting documents are reviewed, often in their original form, to identify potentially fabricated support.

The key is to put the pieces of evidence together from the various sources, including e-mails, interviews, integrity diligence, accounting records, etc, so that the investigative team can state that based on the procedures performed, the issue is either substantiated or not.

Internal versus external resources

The decision about whether to leverage internal resources, external subject-matter professionals or a combination of the two is relevant to each of the topics discussed above. Additionally, this consideration is revisited based upon the specific circumstances of an investigation. The following is intended to provide some guidance around things an organisation may wish to consider when exploring the question of internal versus external resources:

  • Knowledge and experience: Depending upon the complexities of the matter under investigation, to include the specific issues to be investigated and the locations in which the inappropriate activity is suspected to have occurred, the requisite knowledge, training and experience may not be available internally, and therefore, external sources may need to be considered. Alternatively, internal involvement may be critical due to specific internal complexities.
  • Technology requirements: The level of sophistication of the technology tools available to the internal investigative team or their ability to effectively use them for a particular investigation may impact the decision on whether to leverage an external resource to facilitate access to a technology not otherwise available or access to a resource needed to manipulate an available technology in a way not previously undertaken by the organisation.
  • Targets of the investigation: Investigations involving sensitive targets, such as members of executive management or distributors, may require the use of an independent third party so that the investigative process is not inappropriately influenced or otherwise tainted.
  • Financial exposure: Depending upon the potential financial, economic or reputational risk associated with the matter under investigation, the use of external resources may be advisable.
  • Resource availability and time constraints: There are often situations where, due to internal resource availability or time constraints, there is a need for additional ‘arms and legs’ to efficiently accomplish the work that needs to be done.
  • Potential for criminal or regulatory violations: If governmental or regulatory action is anticipated, it may be advisable to retain the services of an external third party for reasons such as maintaining the independence of the investigative team, in fact and in appearance, to increase the likelihood that the governmental or regulatory body will rely on the work performed by the investigative team, reducing the amount of additional (and often repetitive and potentially more disruptive) work done by the government or regulator. Additionally, outside advisors can assist in preparing a turnkey case that can be turned over to law enforcement to pursue action on individuals or third parties where you have identified wrongdoing.

One size does not fit all

There is no one-size-fits-all approach to the design, implementation and maintenance of an internal investigative capability. Furthermore, needs, capabilities and requirements will evolve over time and should be reassessed as the landscape changes. Smaller organisations, as well as larger ones in the early stages of development, will likely find themselves outsourcing many of the activities associated with their investigative needs. But as knowledge, training and experience are gained by those charged with managing and implementing the investigative function, companies will find themselves more confident in their ability to effectively execute their responsibilities with internal tools and resources.
