Moving Forward after an Investigation

In summary

Practical suggestions for ensuring a strong control environment post-investigation and best practices that companies should consider to position themselves well to detect and investigate future fraudulent or non-compliant behaviour. We also highlight how companies need to take into consideration the unique challenges the covid-19 pandemic presents.

Discussion points

• Organisations that fail to align business strategies and operating decisions to desired ethics and values are at potential risk of extraordinary financial and reputational costs
• Covid-19 continues to present challenges to operating in the current business environment, requiring careful consideration of the impact on a company’s compliance culture and how companies action remedial procedures
• Following an investigation, companies must develop a thorough remediation plan aimed at fixing the root cause of the issue
• Recent international public scandals demonstrate the need for companies to continue to evaluate the effectiveness of their reporting and investigations channels, especially in the aftermath of an investigation
• Ongoing monitoring mechanisms are key to ensuring that any deficiency is promptly escalated and remediated, including the use of data analytics to ensure a quick and consistent focus on the highest areas of risk

Referenced in this article

• Operation Car Wash (Petrobras)
• Glencore, Vitol, Trafigura bribery scandals
• US Department of Justice, Criminal Division

Introduction

As anyone who has led a company through an investigation can attest, conducting a thorough investigation can be expensive, time-consuming and difficult while maintaining normal business operations. In the worst cases, investigations can be devastating to a company’s reputation and long-term financial viability. No matter the scale of an investigation, companies are often left wondering why misconduct occurred and how it could be prevented in the future. When companies handle remediation appropriately, not all that comes out of an investigation has to be negative. We have seen many instances where companies successfully leverage the lessons learned from the investigation and reinforce the importance of building a sustainable culture of ethics and compliance during the remediation process, resulting in a stronger and more resilient organisation.

Moving forward requires organisations to think strategically and demonstrate thoughtfulness, patience and persistence in properly closing out the investigation and developing clear, pragmatic remediation plans for addressing the factors that allowed the misconduct to occur. Following an investigation, it is important to ensure continuing review and enhancement of internal controls, especially those that related to the historical conduct in question. Forward-thinking companies can also use the investigation as an opportunity to assess broader areas of compliance that affect the organisation by demonstrating a compliance-minded tone at the top and in the middle, and a robust risk assessment process to owners and shareholders. The Department of Justice (DOJ) increasingly places emphasis and weight on effective remediation, noting it as a key hallmark of a best-in-class compliance programme.^[1]

In this article, we discuss factors that companies should consider as an investigation draws to a close and practical suggestions for designing effective remediation plans and a strong control environment. We suggest best practices for companies to ensure they are well-positioned to detect and investigate future fraudulent or non-compliant behaviour. We also highlight how companies need to consider the unique challenges that the covid-19 pandemic continues to present, as challenging market conditions and disruptions to the business environment necessitate a nuanced approach to strengthening a company’s compliance environment.

The processes and best practices we describe are applicable to companies that are looking to move forward following a myriad of situations, from employee theft, money laundering and fraud allegations to environmental, regulatory or improper accounting concerns. For the purposes of this article, we provide examples and cultural considerations specific to companies based or operating in the Americas and have chosen to highlight examples primarily focused on bribery and corruption given the current relevance of these issues. Headline-worthy scandals in countries within Latin America continue to sweep newspapers, including the results of Operation Car Wash, which uncovered major oil trading companies for the alleged use of bribes to obtain better terms on contracts with Petrobras.^[3] These examples of misconduct demonstrate the need for companies to continue to evaluate whether their compliance programmes are designed to effectively prevent, detect and deter fraudulent behaviour, especially in the aftermath of an investigation.

Closing an investigation

We have too often seen companies rush to move on from an investigation without taking steps to properly close out the investigation. It is important that pertinent information be identified, captured and communicated in a form and time frame that enables employees to carry out their responsibilities to establish, enhance and monitor controls and rebuild a more efficient, effective and compliance-minded organisation. We discuss below the key topics that companies should consider as an investigation approaches completion.

Regulatory compliance considerations

In consultation with counsel, companies should carefully evaluate applicable regulatory requirements. Companies are often subject to multiple jurisdictions and regulations, which can complicate this process. For example, jurisdictions and regulatory bodies have varied and nuanced requirements concerning self-disclosure of identified misconduct; self-disclosing to one regulator, therefore, could necessitate further disclosure to additional regulators in certain situations. Although a full analysis of the requirements is beyond the scope of this article, we raise this as an example of a regulatory requirement that companies should consider during an investigation.

Disciplinary actions

A standardised approach to enforcing disciplinary actions when concluding an investigation illustrates to employees that the company takes misconduct seriously and also is relevant to preventing a liability that could result from discriminatory applications of penalties. DOJ guidance indicates that disciplinary actions should be ‘commensurate with the violations’ and that ‘swift consequences’ should follow instances of unethical conduct.^[4] Additionally, disciplinary actions should be applied consistently across global locations and in accordance with applicable regulations. It further serves as a positive reinforcement to the company’s tone at the top, when the policy is applied evenly and fairly regardless of the person’s position within the organisation. Given the myriad changes in how business is conducted since the start of the pandemic, companies should evaluate whether the outcome of an investigation requires additional compliance communication to, and training for, all employees reiterating the culture of compliance, a concept that may not be uppermost in the mind when employees are working remotely with limited management and executive leadership interaction.

Investigation reporting

Many factors, such as regulatory or other disclosure obligations, pending or anticipated litigation, whistleblower involvement, privilege concerns and budgets, will affect the decision about the type and level of detail in any investigation report that is ultimately prepared.

The internal or external investigators involved in the investigation have a front-line view of the process failures, misconduct and compliance weaknesses that allowed the alleged misconduct to occur. We strongly encourage companies to ensure that the investigators provide a debrief during the reporting phase – whether through a formal written investigation report, a separate stand-alone deliverable or an oral readout – that includes the investigators’ assessment of any control deficiencies, gaps in the control environment and opportunities to improve processes in line with best practices that came to light during the course of the investigation. This feedback will be essential in developing a remediation plan to help the company ensure a robust control environment moving forward.

Planning for remediation

During and following an investigation, a company should develop a remediation plan that seeks to address the conditions that allowed the misconduct to occur. The remediation plan should, at a minimum, incorporate the investigator’s observations and suggested recommendations regarding specific control deficiencies. It should also take into consideration the impact of covid-19 on the organisation’s ability to develop and execute an effective remediation plan (e.g., the continued impact of a working-from-home environment and the need for interim remedial procedures owing to the limitations imposed by covid-19). Given the still-evolving ‘new normal’ under which companies are operating, we strongly encourage taking remediation a step further and using it as an opportunity to refresh or conduct an assessment of the broader culture, control and compliance environment. In its updated guidance, the DOJ has indicated that prosecutors should consider whether companies have measured their culture of compliance and the steps they have taken as a result of that assessment.^[5] These culture assessments, which could include surveys or working groups that engage employees at all levels, can be particularly insightful in the current environment as the covid-19 pandemic has affected the attitudes of employees and the overall culture of many companies. These steps will help illuminate other aspects of the compliance programme that may not be effectively preventing, detecting and deterring misconduct.

Successfully executing a remediation plan

A poorly designed remediation plan will hinder a company’s efforts to move forward. If well designed, the remediation plan will clearly articulate specific actions the company needs to take to address the identified issues. The plan should be pragmatic and risk-based, anticipating associated costs of the control and potential resourcing constraints. Remediation plans should identify milestones with due dates and responsible owners for each action item wherever possible to encourage accountability. The plan should consider check-in points when the process owners and operators can discuss with the compliance function best practices, controls that are working and areas that need adjustment. Controls that are too complicated, or that fail to factor the significant changes within the business landscape, are often circumvented or ignored.

Companies should also ensure that the steps in a remediation plan actually mitigate the identified deficiency. Far too often, companies create ‘band-aid’ solutions when developing remediation plans owing to a lack of understanding of the root cause of an issue or in an effort to demonstrate that a control or process has been implemented to address the deficiency. The DOJ describes the ability ‘to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes’ as a ‘hallmark of a compliance programme that is working effectively in practice’.^[6] Defining effective remediation steps requires thorough analyses of and reflection on the root cause of an issue and consideration of whether control gaps or cultural issues are pervasive across multiple processes or business units. The coronavirus pandemic has created its own complexities and companies have had to transform how they conduct their day-to-day operations. We continue to observe that many companies have not had the opportunity to conduct effective root cause analysis or risk assessments (or have not made these a priority) to identify the vulnerabilities that may have led to the investigation or may lead to future investigations.

We will use a brief case study to illustrate how fictitious company ZYX Inc (ZYX), a medical equipment manufacturer, should approach remediation following an investigation into the bribery of a government official through a charitable donation made to a non-profit organisation (NPO). ZYX was awarded a contract to furnish several public hospitals in Colombia with hospital beds during the peak of the covid-19 pandemic. During the contract negotiation, ZYX was requested and agreed to make a charitable donation to an NPO for the purposes of funding the construction of a temporary covid-19 treatment facility in a rural area. Winning the contract was lucrative to ZYX’s business and it saw the donation as a way to build goodwill in a country where it had previously conducted limited business. In an effort to secure the contract, ZYX expedited payment to the NPO and did not perform any due diligence to evaluate the legitimacy of the NPO or the project for which it was making a charitable donation. ZYX also did not conduct any screening for conflicts of interest or politically exposed personnel (PEP), which would have identified that the NPO was controlled by the government official who requested the donation. Further, ZYX did not have a formal process to perform continuing monitoring of the use of the donation funds towards the construction of the treatment facility, which subsequently was never built.

Though certainly not an exhaustive list, the following remediation steps are intended to provide examples of actions the company could take to ensure proper due diligence and continuing monitoring of charitable donations and interactions with PEPs. These steps take into account the DOJ’s 2020 update, in which it specified that prosecutors should assess whether a company’s risk management practices have taken into account certain risks that are likely to emerge in the company’s line of business, such as charitable donations.^[7]

Remediation steps

• Review the procedural documentation and controls regarding making charitable donations to ensure thorough due diligence is performed and potential relationships with government officials are identified. We have seen many cases of the directors of a charitable organisation being directly related to a government official. The government official may not be listed directly in the NPO; however, given the familial relationship, they are often used to facilitate bribes. Therefore, to the extent possible, due diligence should be performed to understand complete relationships. Additionally, implement a process requiring compliance, legal and some level of executive leadership review and approval of all donations.
• Perform thorough know-your-customer and vendor due diligence, including inventorying and risk-ranking all vendors who may interact with the government agencies or are controlled by PEPs. Transactions with these entities should then be subject to additional review or scrutiny. This should be performed not only in response to the investigation but also periodically thereafter.
• Using a risk-based approach, perform continuing anti-bribery and corruption monitoring on vendors with whom the company will continue business relationships. The due diligence should, at a minimum, include the following elements: understanding ownership structure; identifying government affiliation and ownership by PEPs; cross referencing against a list of entities subject to international economic sanctions or other available lists of high-risk entities; and reviewing litigation profiles and adverse media about the entity and its primary stakeholders.
• Formalise the record retention process for the due diligence performed on all donation transactions.
• Review anti-corruption compliance policies and update them as appropriate to ensure clear and consistent messaging.
• Provide anti-bribery and corruption training that includes a robust description of the risks relating to charitable and political donations, state-owned entities and a more comprehensive definition of PEPs.
• Best practice would be for companies to take ownership of such a construction project, and make payments directly to the vendors involved in the construction to ensure completion of the project. All vendors would also have to follow the company’s standard on-boarding and due diligence policies.

Testing the newly implemented controls

All internal control systems require monitoring and it is especially important to plan for testing and monitoring of newly implemented or enhanced controls. The monitoring specifications should provide a clear plan to test controls, including the frequency of the testing and identifying the person who is responsible for carrying out the review. Relying on internal audit to perform testing at a later time during a ‘normal course’ audit is simply not enough, especially for a control that has already been found inadequate in preventing misconduct. The testing should be performed by a party independent from the control owner and should allow for assessment of ‘normal course’ behaviour wherever possible.

Continuing with the above ZYX Inc case study above, examples of remediation steps ZYX could perform to confirm effectiveness of controls include:

• reviewing recent charitable contributions to ensure that newly implemented screening policies and procedures are being adhered to, including that the appropriate due diligence has been performed and approvals obtained. Documentation retained for selected transactions should also be reviewed for completeness and adequacy; and
• analysing donation transactions with an associated project commitment to check that continuing review and monitoring procedures have been carried out to ensure that the monies donated are being used for their intended purpose.

Internal control testing should also take into account the current challenges presented as a result of the covid-19 pandemic. With employees working remotely, there is increased difficulty in retrieving the data or other information necessary to complete test work. Companies should ensure that they have appropriate and reliable communication mechanisms in place to facilitate the sharing of knowledge between the control owner and the party conducting the testing. When system data is needed to carry out testing, the independent reviewer should have an appropriate mode of access to the data without it being passed through too many intermediary parties (increasing the chance of intentional or unintentional manipulation) and set up protocols for supervising remote collections, to the extent they are necessary, observing data extracts and conducting remote validation for completeness and integrity.

Tracking remediation plans through resolution

Companies often fail to follow remediation actions through to closure, especially in the current environment when companies are constantly reinventing and transforming the way they conduct business. Since the start of the pandemic, we have observed a trend of companies deprioritising or delaying the remediation of identified control gaps to focus on business continuity. Although an emphasis on business continuity is critical, companies should not take the approach that the current business environment is only temporary and should ensure effective remediation of all identified vulnerabilities in a timely manner. If companies fail to conduct effective remediation of identified gaps, they significantly increase their risk of future investigations.

It is essential that companies ensure a strong protocol is in place to follow through on the implementation, and track monitoring, of recommended remedial measures (including those resulting from the investigation, internal audit and compliance reviews). Remedial measures, the status of their implementation and the process for testing the effectiveness of implementation should be recorded and tracked in a central repository, identifying a responsible party to track the status, and having a process in place to test the effectiveness of implementation before considering remediation to be ‘complete’.

There must also be consequences for a responsible party who fails to meet an assigned due date without a reasonable and plausible explanation. Management should be notified immediately if remedial measures have not been implemented within agreed time frames. It may also be necessary to notify the company’s compliance officer, the audit committee of the board of directors and the regulators if remedial measures have not been implemented in a timely manner.

Strengthening the organisation and moving forward

Organisations need to ensure that all areas of compliance operate in a holistic, integrated manner for a compliance programme to be truly effective. Three areas of a compliance programme that are important to consider evaluating following an investigation include the internal audit function, monitoring controls, and complaint reporting and investigation channels. These areas are important because detecting control weaknesses, identifying potential misconduct at the earliest instance and effectively investigating issues that may arise in the future are critical to maintaining adequate controls and an effective compliance programme. This point is further emphasised in the current economic environment, in which we are seeing organisations implement cost-saving measures, resulting in budget and headcount reductions within their primary lines of defence, including compliance and internal audit. Based on the authors’ experience, economic downturns typically increase an organisation’s exposure to fraud and misconduct and short-term cost savings eventually create gaps within the overall compliance programme that can result in costly and time-consuming investigations at a later stage. This trend of reducing budget and headcount is also contrary to the DOJ’s guidance, which emphasises adequate staffing, with resources equipped with appropriate skill sets, to ensure an effective compliance programme.^[8]

Assessing the internal audit function

The mandate of an internal audit is not necessarily to detect all instances of fraud – intentional subversion of controls can be very difficult, if not impossible, to detect – but following an investigation, it is important to consider whether an internal audit should have identified the misconduct. This assessment is especially critical if the misconduct was pervasive throughout the organisation, occurred for a very long time or the fraudulent behaviour exhibited a number of ‘red flags’ that followed predictable fraud patterns (e.g., large round-dollar payments to new vendors with vague descriptions).

A well-designed, robust risk assessment should feed into audit planning by highlighting key risk areas (e.g., geographical area, business unit, industry-specific risks). Internal audit should consider these risks when building the annual audit plan for the company. Internal audit teams often build audit procedures that focus on assessing controls (as expected) but miss the mark in designing procedures to pick up specific risks (e.g., bribery and corruption). We have seen a rapidly changing business landscape throughout the covid-19 pandemic and, therefore, it is important that companies ensure that their audit plans take into account emerging risks and potential control gaps. As a best practice, the authors have seen companies re-evaluate their audit plan and design specific audits to cover controls that may be affected by remote working arrangements. Companies should also ensure that internal auditing is adequately staffed with team members who have the requisite experience and skill set to perform assessments of specific risks and that all team members receive continued training. Internal auditing also needs to have visible support from the highest levels of leadership to be effective. Limited access to key employees, data and documentation severely restricts the ability to conduct meaningful and thorough assessments. There should also be access to all the information needed to assess control adequacy and remediation efforts, and business units should respond swiftly to requests and directives. When business leaders are dismissive towards an internal audit, business units can feel empowered to ignore audit findings and suggested remediation recommendations.

In the ZYX Inc example, the company should consider whether the internal audit identified any related issues previously (e.g., insufficient due diligence, lack of continuing monitoring) and recommended remedial measures similar to those outlined above. If so, then ZYX’s leadership may have a problematic attitude towards internal audit or the organisation may be deficient in following through with remediating audit findings. If the internal audit had not identified similar issues, however, ZYX should assess whether the annual audit programme provides adequate geographical, business unit, product and key risk coverage, whether the auditors are adequately skilled and trained to assess risks and whether audit procedures are adequately designed to detect the type of control weaknesses identified.

Data analytics for ongoing monitoring

According to the DOJ, organisations need to ‘ensure that the organisation’s compliance and ethics programme is followed, including monitoring and auditing to detect criminal conduct’ and ‘evaluate periodically the effectiveness of the organisation’s’ programme.^[9] Monitoring entails testing the effectiveness of key controls, including assessing whether the controls are functioning as intended and employees are adhering to procedural requirements. The continuing nature of monitoring allows for earlier detection of misconduct (rather than waiting for internal or external auditors to perform testing on a prescribed time frame). In line with the guidelines presented above, organisations should have clear mechanisms in place to ensure identified deficiencies are adequately and promptly remediated. The risk assessment process should focus the compliance department on the most critical areas to be prioritised for monitoring. Monitoring procedures are often identical to common audit procedures and may entail reviewing transaction details and related documentation for discrepancies, duplication, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, or other potential internal control failures.

The best continuous monitoring programmes leverage data analytics and allow the monitoring team to quickly and consistently focus on the highest areas of risk, extracting the potential risk areas from the noise within the large volumes of available data. Data analytics facilitate the review of broad data sets that may not be feasible through manual review. Metrics stemming from data analytics can flag key risk areas such as high-risk payments, fluctuations in payments and unexpected payment patterns, suspicious large round-dollar payment amounts or payments to unusual vendors and accounts. Data analytics facilitate comparative analysis, simple visualisation of key data and can be used to inform risk-based sample selection for transaction-based testing by highlighting transactions that follow certain patterns (e.g., a high, round-dollar payment recorded for a new vendor in the general ledger account). Companies can also develop ways to visualise data through dashboards and sophisticated visualisation tools that will allow management to quickly delve into large volumes of data to explore trends more deeply (e.g., for spikes of activity in a specific region).

Complaint reporting and investigation channels

While organisations would, of course, prefer to not have misconduct, it is inevitable in a large, global organisation that an allegation requiring further investigation will arise. What is worse than an investigation initiated by an ethics hotline complaint? An investigation initiated by the government based on whistleblower complaints because the company did not take a complaint seriously or failed to conduct an effective investigation of an allegation. International public scandals have demonstrated the need for companies to continue to evaluate the effectiveness of their reporting and investigations channels, especially in the aftermath of an investigation. Petrobras, the company at the centre of Operation Car Wash, was reportedly revisiting its treatment of whistleblower complaints.^[10] It has been reported that Petrobras had received a whistleblower complaint regarding potential corruption in its oil trading business in 2012 but failed to stop the improper activity.^[11]

Companies should have an ethics hotline in place that allows any employee, vendor or other external party to make an anonymous complaint. The hotline should be available 24/7, reachable by multiple channels (including a local telephone number, online portal and email address) and must allow whistleblowers to submit a complaint in the local language. In the current environment, companies should ensure their hotlines are operating effectively and that there are protocols in place to ensure there is no lapse in coverage. However, simply setting up the hotline is not enough, companies must take appropriate steps to advertise the hotline and ensure that all relevant parties understand how to submit a complaint and feel comfortable submitting a complaint without fear of retaliation. Organisations must also reflect on the effect that culture has on an individual’s willingness to use the hotline. The level and type of messaging a company creates to advertise the hotline may need to be different to educate employees who may have preconceived notions or cultural expectations about whether it is appropriate to raise an allegation against one’s supervisor, or trusting whether the allegation, if raised, will actually be acted on without retaliation. Given the recent emphasis on corruption in Brazil and prevalence of ongoing investigations, we have used Brazil as an example on cultural considerations. It is well-recognised that the Brazilian culture ‘by and large, is not favourable to whistleblowing behaviour’.^[12] A lack of whistleblower protections and a hierarchical society in which the distribution of power is imbalanced contribute to a general fear of retaliation.

Additionally, organisations need to ensure that processes are in place to effectively, thoroughly and promptly investigate any allegations submitted to the hotline. The lack of a strong investigations process can undermine a company’s efforts to implement and advertise a hotline, as employees can adopt a ‘why bother’ attitude if they feel that allegations they raise will not be taken seriously or be investigated in a timely manner, or that the company would not take appropriate disciplinary action when warranted. Investigators should also possess the requisite skill sets to investigate the allegation at hand (e.g., forensic accounting skills are ideal for investigations into improper payments, whereas an allegation regarding sexual harassment will necessitate a human resources-oriented investigator).

A well-designed investigations process should complement other key compliance processes, including, for example, steps to ensure that any remedial actions required as a result of an investigation are carried through to completion, and appropriate disciplinary measures result from the investigation when warranted. Companies should also consider the nature, frequency and outcomes of their own investigations, as well as those of their peers, when evaluating the company’s tone at the top, performing risk assessments and preparing annual audit plans.

Conclusion

We recognise that establishing, maintaining or changing an overall culture of compliance requires a sustained effort. In the past year, covid-19 has brought about inconceivable changes to the business landscape, further reiterating that a one-time focus on ethics and values will not be enough to achieve a corporate culture that truly embraces ethical behaviour. Organisations that fail to align business strategies and operating decisions, including personnel decisions, to desired ethics and values are at potential risk of extraordinary financial and reputational costs. As such, the compliance function must have the stature and authority, support of senior leadership and necessary funding to successfully establish, implement and monitor an effective compliance programme. In conclusion, it is apparent there are several courses of action, factors, nuances and underlying currents that need to be navigated after any investigation. The recommendations in this article are offered as a compass on that journey. It is best to chart one’s course carefully to truly strengthen the organisation and allow it to surge ahead, especially during these uncertain times.

Notes