Building and maintaining a robust internal investigation function
This is an Insight article, written by a selected partner as part of GIR's co-published content.
Are you prepared for the investigative storm?
Investigations start unexpectedly, with a path as unpredictable as a tornado. While no one knows when or where a tornado may strike, survival requires significant preparation that starts well in advance of the first storm warning. Communities emphasise preparing the right infrastructure and executing the same drill every time a serious storm strikes. It is the same with investigations. The company can best navigate the storm by preparing an investigative process in advance, monitoring preparedness through growth and changes, taking steps to adjust the process when issues arise, and executing to plan when an investigation occurs.
A clearly defined and well-refined investigative process – one that evaluates and responds to potential fraud and misconduct, identifies those responsible and remediates internal control lapses identified – lies at the heart of any successful compliance programme. It is the key difference between simply implementing a system of internal controls and maintaining those controls in a quality way – both are required of US public companies, and both are key to preventing potential losses, no matter the company’s size.
Regulators are entering this space aggressively. The United States Department of Justice (DOJ) has hired a compliance expert with significant investigative experience. And the DOJ recently issued compliance guidance in connection with its Foreign Corrupt Practices Act pilot programme. That guidance clarifies that compliance departments must be sufficiently independent and robust to deal with the risks inherent in their companies. Further, those departments must be staffed with individuals whose compensation is in line with their peers. Each company must also audit its compliance processes periodically to confirm that they meet the company’s risks. The FCPA pilot programme guidance dovetails with other guidance, such as the ‘Yates Memo,’ which makes perfectly clear that corporate investigations must have the wherewithal to identify wrongdoers and hold them to account. For all these reasons, companies are undertaking efforts to design, implement, enhance and maintain their internal investigation protocols as part of broader compliance initiatives.
This article is intended to provide insight into some of the key considerations when undertaking efforts to build an effective internal investigation programme or to enhance an existing one. Key considerations include:
- developing a plan that facilitates the organisation’s preparedness and response;
- implementing a data collection and analysis protocol that is consistent with the organisation’s needs;
- mining data to meet the investigation’s needs;
- appreciating how forensic accounting can aid an investigation; and
- understanding ‘build versus buy’ as it relates to both the investigative programme as a whole and the specific resource needs of individual investigations.
Prepare for the storm before it strikes
The chance for a storm is always lurking on the horizon. When it comes to corporate fraud and misconduct, it is not a question of if it will happen, but when and how significant the storm will be when it strikes. A fraud and misconduct response protocol is the foundation on which efficient and effective investigations are built. The right people need to take the right actions at the right time. Some of the key components of effective preparation include:
- creating a plan to accommodate the unique challenges of each place the company operates around the world;
- identifying the best incident-response team, including necessary functions from across the company;
- defining the roles of the incident-response team and its individual members and functions;
- developing protocols for escalation of incidents based on the severity of the allegations;
- identifying and updating document-retention policies that are consistent with each country’s data privacy laws;
- standardising evidence-collection protocols, with due adjustments required by the law of each relevant jurisdiction; and
- outlining regulatory-response procedures for response and notification to the appropriate authorities, where appropriate or required.
The responsibility for the design and management of a plan varies by organisation. Internally, the following stakeholders often play a critical role:
- general counsel (legal function);
- chief audit executive (internal audit function);
- chief compliance officer (compliance function); and
- chief talent officer (human resources).
Beyond those internal functions, a wise company will benchmark its plan directly with other companies in the same industry by leveraging the knowledge of its external counsel and forensic accountants, both while designing the plan and during periodic evaluations.
A prepared company will also build out its IT infrastructure long before trouble occurs. An appropriately designed and implemented plan includes the identification, consideration and update (as necessary) of current document-retention policies. A plan that includes the requirement to identify and consider document retention policies before an incident helps keep key information secure and available should it be needed in the future.
Other key qualities of successfully implemented plans include:
- the plan is tailored in size and complexity to meet the needs and risk profile of the organisation;
- the plan includes protocols for the appropriate escalation of attention and resources if and when a situation evolves from an allegation to an investigation; and
- possibly most importantly, the plan calls for remediation, including the identification and enhancement of weak or failed internal controls, and the organisation acts upon the recommended remediation.
Recognise the storm
Many major multinationals face a constant stream of allegations, from mundane quibbles relating to differences between staff and management to major allegations about corruption or improprieties in the company’s books and records. Determining at the outset the difference between a minor passing shower and a major squall can be extraordinarily challenging. Something that initially appears small may well be the start of a serious issue. For instance, a dispute between a company and a purchaser about whether an item is properly returnable can lead to the discovery of side agreements about the terms of sale. And so, it could be that what appeared to be a commercial dispute is really an early indicator of ‘channel stuffing’ and a serious revenue recognition issue. Conversely, not every allegation is a major one, and compliance personnel must learn to reserve judgement until the facts are determined. Regardless, the process for working through the allegations is critical.
A truly prepared company must train its employees to recognise and report potential issues and to implement the infrastructure required to allow employees to safely report allegations without fear of reprisal. In turn, a company must evaluate and respond to each allegation appropriately and consistently. Without a culture that encourages reporting wrongdoing and timely and visibly addressing it, a company will lack a primary source of information about major internal issues. Failing to adhere to a consistent approach will discourage internal reporting and transparency.
The sources of allegations and reports of misbehaviour are diverse, and each source poses its own challenges. As suppliers and other third parties are often in the best position to identify problematic activity, a company would be wise to set up systems to provide these external third parties with a method to report problematic behaviour by company personnel. Internally, individuals may report alleged misconduct (whistleblower reports), or normal company processes (including risk assessments, compliance audits, internal audit reports, management reviews and exit interviews) can return red flags that require further review. In each instance, compliance personnel must be trained to recognise red flags for what they are, and to route issues to appropriate decision-makers, which can include internal or external legal counsel, the audit committee and designated members of management. A consistent approach to capturing and responding to trigger events helps to prevent critical issues from slipping through the cracks while also creating a system to track resolution and remediation.
React quickly and appropriately
The best internal investigations follow a pattern. Each allegation requires the company to:
- Determine an appropriate scope for the response based on the trigger event, responding to two basic questions:
  - Is a formal investigation needed?
  - What internal function should perform the investigation?
- Determine the roles of the investigation team specific to the matter, including clearly identifying the investigative team leader.
- Identify and preserve financial and non-financial evidence in a comprehensive and timely manner.
- Determine stakeholder communication protocols, which include agreeing on a time frame for who needs to know what, when and how often.
- Document the results of the investigation, bearing in mind the possible future uses of all information gathered.
- Ensure that the investigation’s scope allows the company to gauge the significance of the problem by, among other things, evaluating historical information for related or similar incidents to determine whether a larger issue requires remediation.
- Seek guidance on whether external reporting is necessary.
Although planning an investigation, as discussed above, can take considerable time, certain things must happen immediately. Once an allegation of fraud or misconduct surfaces, time is of the essence, and the first 48 to 72 hours are often the most critical. During this initial window, appropriate internal communication and efforts to identify and preserve (though not necessarily collect) relevant data and information should take place. Failure to do so risks the loss of evidence – both intentional and unintentional. Investigative teams must think immediately and broadly about the right types of data to preserve.
From general ledger accounting systems to network security and social media, data has become the backbone of corporations. Organisations regularly generate, collect, manipulate and interpret electronically stored information (ESI) from multiple sources across the enterprise and external to the organisation. Whenever the company is involved in an investigation, it is critical to identify and understand the complex data sets generated by disparate systems that reside inside and outside the company. As an example, once an incident becomes known, corporate management should immediately consider the organisation’s backup-tape rotation schedule and email dumpster/recoverable items folder settings so critical information is not lost. The key is to effectively and efficiently leverage technology and subject-matter professionals to gain relevant and useful insight from the available ESI.
ESI sources relevant to an investigation can include, among others:
- emails and electronic data on personal computers, central servers and backup tapes;
- hard-copy files;
- smartphones and tablets;
- log files;
- accounting systems;
- expense reports and supporting backup documentation;
- industry-specific business applications; and
- public and private social networking.
The process of identifying, preserving, collecting and hosting ESI to facilitate the analysis of the data during an investigation is commonly referred to as data mining. This process, when done correctly, can help the investigative team remain agile despite potentially restrictive technical and legal conditions.
The eye of the storm or just a lull — using data to get the full picture
When a company lacks a plan, the identification and collection of relevant ESI using a forensically sound preservation and collection protocol can be delayed, or worse, overlooked in the investigation. This is often the case when a business unit decides to conduct its own investigation before sharing information through the established reporting mechanisms. It is imperative to collect ESI from computing platforms, storage devices, mobile hardware and other sources with evidentiary integrity that is suitable for investigation, litigation or regulatory response.
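One concrete element of a forensically sound collection protocol is a preservation manifest: a record, made at collection time, of every collected item with its size, timestamp and cryptographic hash, so that the data set can later be shown to be the same one that was collected. The script below is an added illustration of that idea, not code from the article or its authors; the matter identifier, collector name and sample files are constructed placeholders.

```python
"""Preservation manifest with integrity hashes for collected ESI.

Added example, not code from the article or its authors. The matter_id,
collector name and sample files are constructed placeholders.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large mailbox exports need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, collector: str, matter_id: str) -> dict:
    """Record every collected file with its size, modification time and SHA-256.

    The manifest is produced at collection time and kept apart from the data
    set, so later changes to either can be detected.
    """
    files = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        stat = path.stat()
        files.append({
            "relative_path": path.relative_to(root).as_posix(),
            "size_bytes": stat.st_size,
            "modified_utc": datetime.fromtimestamp(stat.st_mtime, tz=timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        })
    manifest = {
        "matter_id": matter_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }
    # Hash of the manifest body itself, so an edited manifest is also detectable.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(root: Path, manifest: dict) -> list:
    """Re-hash the collection and return (problem, path) pairs; an empty list means intact."""
    problems = []
    for entry in manifest["files"]:
        path = root / entry["relative_path"]
        if not path.is_file():
            problems.append(("missing", entry["relative_path"]))
        elif sha256_file(path) != entry["sha256"]:
            problems.append(("modified", entry["relative_path"]))
    known = {entry["relative_path"] for entry in manifest["files"]}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in known:
            problems.append(("unexpected", rel))
    return problems


def demo() -> tuple:
    """Constructed collection in a temporary directory.

    Returns (problems on the untouched set, problems after one file is altered
    and one is added). The first list should be empty; the second lists both.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mail").mkdir()
        (root / "mail" / "cfo_mailbox_export.pst").write_bytes(b"constructed mailbox export")
        (root / "ledger_export.csv").write_text("je_id,amount\n1,100.00\n")
        manifest = build_manifest(root, collector="collector placeholder",
                                  matter_id="MATTER-PLACEHOLDER")
        clean = verify_manifest(root, manifest)
        # Simulate what verification must catch: an edited file and a file added later.
        (root / "ledger_export.csv").write_text("je_id,amount\n1,999.00\n")
        (root / "notes.txt").write_text("added after collection")
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    untouched, after_changes = demo()
    print("untouched:", untouched)
    print("after changes:", after_changes)
```

In practice the manifest would be signed or stored on write-once media and the collector's identity, the source system and the collection tool recorded alongside it; the hashing and re-verification shown here are the part that lets the team later demonstrate that nothing in the collected set was altered, lost or added after the fact.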
Data mining is not limited to the common types of information we have outlined here. Many investigations will need to collect and assess information associated with individuals and entities that are believed to be directly or indirectly related to the matter under investigation. The investigative team starts with data available internally – the due diligence files for third parties, employment files for individuals and other related information. When additional entities or individuals are identified, previously unknown to the company, the integrity diligence investigative process typically involves the following:
- public domain searches, including adverse media inquiries and social media reviews;
- review of public records databases, such as criminal and civil litigation, property (real estate, cars, aircraft), liens, bankruptcies and regulatory infractions;
- comprehensive review of available sanction, embargo and watch lists, and other compliance databases to identify parties suspected of wrongdoing, politically exposed persons and state-owned entities;
- local language research using jurisdiction-specific resources;
- analysis of ownership structure to uncover beneficial owners and identify potential conflicts of interest;
- other real asset searches;
- identification of links to government officials or entities, including contracts awarded and potentially vulnerable relationships with other entities; and
- site visits to the subject entity’s headquarters or other operations.
Prepare for the next storm
The job isn’t over when the investigation closes. On the contrary, the company must assess the causes and significance of the incident, and remediation is critical for the overall health of the company. An effective plan has protocols for the organisation to determine not only how the improper activity occurred, but also the steps that need to be taken company-wide to prevent a similar situation from happening again. Taken in complete isolation, every incident is a one-off occurrence. But that view is almost always too narrow. Reviews of internal audit results company-wide or other investigation results often demonstrate patterns of activity – similar management failures or failures at the same points of control. If appropriate remediation efforts to improve relevant internal controls are taken in a vacuum for only the subsidiary or function at issue, the same problems can, and often will, happen again there or elsewhere. A good after-action report will include:
- documentation of a clear understanding of what went wrong (and what went right, since something caused the issue to surface);
- identification of weak or failed internal controls and business processes and appropriate remediation steps to propose;
- actions to address the deficiencies, so the appropriate functions are committed to follow through on the remediation steps;
- consideration of disciplinary actions against those who intentionally violated internal controls and those who failed to recognise an issue at its inception;
- revision of current controls and/or implementation of new controls that will help detect and prevent recurrence;
- thorough documentation of what was done in the remediation process, in case the company is ever called to account for what it did in response to the incident or allegation; and
- a plan to periodically reassess the remediation plan’s effectiveness.
Don’t go it alone
Improper activities are almost uniformly aimed at generating additional revenue or allocating money where it doesn’t belong (including employee pockets), and those activities always leave a trail – but the company must know how to spot it. In this regard, a forensic accounting review is a key investigative step. Focusing on the procedures, policies and transactions related to the allegation, a forensic accounting review typically samples and tests particular transactions to identify payments made inappropriately, without support, or in contravention of company policy. Typical areas reviewed include the operation and evaluation of vendors, accounts, contracts, individuals, payments, journal entries or other transactions. The specific procedures performed vary depending on the nature of the investigation, as fraud plays out in different ways in the company’s financial records and beyond.
When testing transactions, the business purpose is critically examined. Does the transaction hold up to scrutiny? Testing goes beyond the basic question of approvals into the underlying activity related to the transaction. Is the correct account debited and credited? Are the dates appropriate? Is the description appropriate? The techniques generally used to answer these questions include interviewing people familiar with the transaction and the related processes and controls. Documents such as contracts, invoices, cash vouchers, shipping documents and other supporting documents are reviewed, often in their original form, to identify potentially fabricated support.
Throughout the investigation, the larger investigative team must appropriately share information among the team’s members to allow for a complete view of the issues encountered. The best conclusions and observations are formed from this comprehensive view, marrying evidence derived from various sources, such as emails, interviews, integrity diligence, accounting records, etc. Only after comparing and contrasting the various sources can the investigative team state conclusively whether the issue is substantiated based on the procedures performed.
The decision about whether to leverage internal resources, external subject-matter professionals, or a combination of the two is relevant to each of the topics discussed above. This consideration is revisited based upon the specific circumstances of an investigation, including the magnitude of the issue, number and level of employees involved, patterns of behaviour, etc. While every circumstance is different, the following considerations often factor into the company’s decision to involve external resources:
- Targets of the investigation: investigations involving sensitive targets, such as members of executive management or distributors, may need an independent third party so that the process is not inappropriately influenced or otherwise tainted.
- Potential for criminal or regulatory violations: if governmental or regulatory action is anticipated, it may be advisable to retain the services of an external third party. Reasons for doing so include maintaining the independence of the investigative team, in fact and in appearance, to increase the likelihood that the governmental or regulatory body will rely on the work performed by the investigative team, or reducing the amount of additional (and often repetitive and potentially more disruptive) work done by the government or regulator. Outside advisers can also help prepare a turnkey case that can be turned over to law enforcement to pursue action on individuals or third parties where the company has identified wrongdoing.
- Financial exposure: depending upon the potential financial, economic or reputational risk associated with the matter under investigation, the use of external resources may be advisable.
- Knowledge and experience: if the matter under investigation is particularly complex, external resources may need to be considered in light of factors such as widespread patterns of activity, the location of the improper activity relative to the company’s subject-matter experts, the knowledge of investigative nuances required and the experience of the employees available internally. Internal involvement is always critical for the investigative team to understand the specifics of the business, internal policies at play, accounting system nuances and other institutional knowledge that the investigative team requires.
- Technology requirements: the maturity of the technology available to the internal investigative team or the team’s ability to effectively use technology for a particular investigation may impact the decision on whether to leverage an external resource. External resources can facilitate access to a technology not otherwise available or to a resource needed to manipulate an available technology in a way not previously undertaken by the organisation.
- Resource availability and time constraints: often, due to internal resource availability or time constraints, an organisation needs additional ‘arms and legs’ to efficiently accomplish the work that is needed.
Every investigation is like a snowflake
While we have attempted to derive particular lessons or best practices to be applied in most investigations, every investigation is different. Just as no two storms behave the same way, there is no one-size-fits-all approach to the design, implementation and maintenance of an internal investigative capability. Needs, capabilities and requirements will evolve over time and should be reassessed as the landscape changes. Smaller organisations, as well as larger ones in the early stages of development, will likely find themselves outsourcing many activities associated with their investigative needs. But as those charged with managing and implementing the investigative function gain knowledge, training and experience, companies will find themselves more confident in their ability to effectively execute their responsibilities with internal tools and resources, supplemented with external resources as appropriate.