Thad McBride (tmcbride@bassberry.com) is Partner at Bass, Berry & Sims PLC in Washington DC. Kate Garfinkel (catherine.garfinkel@alcoa.com) is Vice President and Chief Ethics & Compliance Officer at Alcoa Corporation in Pittsburgh, Pennsylvania.
Every day, the news brings a fresh report of allegations or even admissions of wrongdoing: high-profile individuals accused of sexual harassment, high-profile companies settling allegations of corruption, high-profile officials implicated in political skullduggery. According to one source,[1] “…heightened awareness of sexual harassment in the workplace, triggered by the daily publicity of harassment accusations…has resulted in a surge of client calls to plaintiff attorneys who litigate such claims.” Corporations are no doubt receiving more hotline calls.
Now more than ever, it is essential that companies have policies that address harassment, bribery, quality, trade, antitrust, environment, and a host of other compliance topics. World-class companies have these policies. But the question for compliance professionals is how effective these policies are when, not if, allegations are made. A strong internal investigation process can make the difference between identifying and addressing a problem early on or letting it fester into an issue that becomes a legal liability and reputational crisis. Now is a good time to consider whether your internal review process is up to snuff.
An effective compliance program prevents, detects, and addresses violations of law and/or company policy. Internal compliance investigations and reviews, when conducted in a confidential and professional manner, ensure that a company can adequately address compliance issues. This article lays out a number of best practices for conducting internal compliance reviews. While every review is different, there are certain steps and procedures to follow to ensure the review is effective.
Benefits of internal reviews
In addition to civil claims that may arise from the types of claims mentioned above, the U.S. and other governments are pursuing corporate misconduct with increasing frequency and success. It is now routine to see news articles trumpeting penalties in the millions and sometimes even billions of dollars,[2] including against many well-known companies.[3]
Enforcement is also aggressively targeting individual wrongdoers. As evidenced by publication of the so-called Yates Memo, which was issued by then-Deputy Attorney General Sally Yates in September 2015, the U.S. government has maintained its focus on prosecuting individuals in the context of corporate crimes. Certainly in the case of sexual harassment, it is highly likely that individuals will be punished and face significant penalties, including possible jail time.
Under the Federal Sentencing Guidelines issued by the U.S. Sentencing Commission, an independent agency of the Judicial Branch, criminal penalties against a corporate offender can be reduced significantly if the offender maintains an effective compliance policy that is reasonably designed to prevent and detect criminal conduct. The Sentencing Commission recognizes that a program that both prevents and detects potential violations is a key part of establishing and maintaining a culture of compliance within an organization.
Internal reviews have additional benefits to companies that seek to follow good governance principles. Knowing the full extent of a potential violation is the first step to preventing it from continuing or happening again. A thoughtful internal review will uncover the relevant facts necessary to enable senior management, and the board, to make fully informed decisions. Detailed written reports provide evidence that a company identified and responded in good faith to allegations and can serve to protect individuals in management from claims of conspiracy.
Ultimately, a well-structured and well-executed internal review process promotes a culture of ethical conduct and compliance with the law and works toward these goals. If employees know where to turn with concerns, and have confidence that their concerns will be addressed respectfully and with integrity, they will be more likely to seek guidance through the company’s compliance program when the need arises.
Conducting the internal review
A successful internal review begins with a thoughtfully designed and documented process. Take the time to think through—and document in a concise, clearly worded procedure document—who is responsible for what and when in the internal review process. Tailor your process to the company and industry, taking into consideration the possible sources of data for review and how that data is stored. Train the individuals who will be responsible, and keep track of who has received training.
Inception
Reports of potential wrongdoing can come to a Compliance department from many sources—a whistleblower hotline being the most obvious. Companies may also identify specific individuals or departments as part of a “help chain” for employees to turn to with questions or concerns. Supervisors, compliance liaisons, the Legal or Compliance department, in no particular order, can serve as a resource for employees when potential issues are made apparent.
Regardless of the manner in which a potential issue arises, it is important to have an effective, consistent intake process. Individuals and groups who form part of the company’s help chain should be trained on how to receive, document, and act on concerns that are raised.
Investigation plan
Not all complaints can or should be investigated. For example, it would probably be a waste of compliance resources to try to investigate a general allegation of corruption in China, absent some identifying details. The basis on which a determination to investigate will be made and the level of risk the allegation involves should all be documented as part of the internal review process.
When a determination is made that an internal review will be conducted, it is important to first develop an investigation plan that is scaled to the scope of the potential issue. The plan should set forth timelines for tasks but also recognize that, as the review proceeds and more information becomes available, the timeline (and scope and specific investigative steps and other elements of the review) may need to change. The plan will also establish the roles of members of the investigative team so that, from the outset, all involved understand their responsibilities and are in a position to work together effectively.
The review should be risk-based and realistic, and thus the plan and overall review must reflect budget, resource, and time considerations. Often, the company’s internal subject-matter experts will be in the best position to conduct the review. If the subject of the review is one that could have a material impact on the company, it is worthwhile to consider outside counsel or outside advisors. Some of the benefits of using external resources can be increased objectivity and independence, avoidance of actual or perceived conflicts of interest, ability to leverage knowledge and experience from prior investigations and other reviews, familiarity with the expectations of enforcement authorities, and deference to findings from management and the board—and the government if it becomes involved. Involving outside counsel can also better protect the attorney-client privilege.
The plan may include several steps but, at a minimum, should account for preserving, collecting, and reviewing relevant documents and data; conducting interviews; and reporting and responding to results.
Preserving and collecting data
A thorough review is impossible without relevant data. Even before collecting data, it is critical to have a plan in place to ensure that data is preserved.
As soon as possible after becoming aware of a potential compliance issue, the Compliance department should assess the risks posed by the potential issue. For higher risk matters, such as ones involving litigation or a government investigation, preservation instructions should be circulated to personnel who may have relevant data. The instructions, often in the form of an email notification, should be tailored appropriately to cover all potentially problematic conduct. In some cases, the notice and instructions may need to be long and formal; in other cases, a short and informal set of instructions will suffice. The instructions should reflect the level of sophistication of the recipients and err on the side of broad distribution, while recognizing that additional topics can later be added to the notice and/or it can be disseminated to other recipients as the review proceeds.
Generally speaking, in order to better protect the attorney-client privilege, the general counsel or another member of the Legal department should distribute the notice. In cases in which the Legal department may be implicated in alleged misconduct, the preservation notice can be circulated by outside counsel.
Regardless of who distributes the notice, it must explain clearly what recipients are required to preserve and not delete. The notice should also state that recipients are required to acknowledge receipt of the notice and their agreement to comply with it. If acknowledgment is not received promptly, follow-up communications should be sent. These initial steps are vital to ensure that personnel are indeed preserving relevant data and that, if they do not do so, it is clear that they are acting against the company’s instruction.
Collecting data
Before starting to gather data, it is important to consider what data to collect and when to collect it. Collecting data can involve significant cost and disruption to the business, factors which must be weighed against the risk of missing an important piece of information. In some cases there may be only a limited amount of potentially relevant data to review—at least initially—in which case, it may make sense to review all of the data.
Where data may fall under a protected class (e.g., the attorney-client or work product privilege), attorneys should manage the data review. The attorney-client privilege protects from disclosure communications made between an attorney and client in confidence for the purpose of seeking, obtaining, or providing legal advice. The work product privilege protects documents and other tangible things prepared in the anticipation of litigation or enforcement action by or for another party or its representative.
To be clear, underlying facts are generally discoverable. Take for example a situation in which a lawyer provides legal analysis, advice, or strategy to respond to a specific request or instruction from a client. The underlying facts the lawyer analyzes likely are not protected from disclosure; the lawyer’s analysis of the law with respect to those facts, and strategic advice about how to proceed in light of the facts, likely would be protected.
The role of outside service providers is also worth considering in supporting the data-collection effort. For example, in a financial fraud or other compliance review involving monetary/financial issues, a forensic accountant’s expertise can be invaluable in collecting and reviewing accounting records and assessing internal controls.
The types, sources, and amounts of data potentially available for review continue to grow. There can be relevant data in shared network drives/folders, computer hard drives, individuals’ phones or other personal devices, thumb drives, physical file cabinets, offsite storage, and elsewhere. While rare, it is possible that data in all of these locations and all of these forms may need to be reviewed.
Even when there are many sources of data, it is often the case that the principal or only data needed will be company email. The investigative team should work with the company’s IT support team to understand how emails can be retrieved and what type of internal search capabilities the IT team has at its disposal. As needed, outside e-discovery vendors can be engaged to assist with collecting and processing data for review.
Although email and other electronically stored data may be most relevant, unique hard copy documents may also exist and be pertinent to the review. This may be especially true in jurisdictions in the developing world, where technological capabilities are less advanced and hard copies of documents, ledgers, and other records are often the norm. It is good practice to ask interviewees about relevant hard copy documents, which otherwise may not be identified during the data-gathering exercise, and potentially collect any such relevant documents in conjunction with the interview.
Foreign privacy laws are another important consideration when collecting data from non-US personnel or locations. Personal data cannot always be transferred outside a country without an individual’s consent, and data privacy laws may dictate the location of document processing and review. In an increasing number of countries, strict limitations are placed on what data can be collected from individuals, even when the data is stored on company-owned devices. It is therefore essential to consult with local counsel on applicable data privacy restrictions.
Reviewing data
Once data is collected, it has to be reviewed. Depending on risk, the volume of documents collected, time and cost constraints, and the facts of the review, multiple levels of review may be warranted. For example, internal personnel may conduct an initial review of the documents, followed by a second set of internal or external reviewers. The second-tier review is good practice to identify key data that may be inadvertently (or even intentionally) overlooked by the first-level reviewer. In any level of review, it will likely be possible and appropriate to use date, keyword, and other search filters to narrow the amount of data that has to be reviewed.
Sometimes the volume of data is too large, or the importance of independent review is paramount, in which case outside assistance is warranted. Outside counsel can assist, and may be able to engage (relatively) reasonably priced contract attorneys. Outside counsel experienced in data reviews can also provide access to technology that isolates potentially relevant data from large amounts of information without the need for significant human involvement and its associated costs.
Ultimately, the purpose of document review is to aid the reviewer in understanding the facts in a nuanced way and to prepare for interviews. Therefore, it is important that the person who will conduct interviews is part of the review process.