The International Organization for Standardization (ISO) has recently published Technical Specification (TS) 37008, which provides guidelines for internal investigations.[1] The document includes a step-by-step investigative process that outlines addressing an allegation, assembling an investigative team, developing scope, and conducting the actual investigation. Several of the steps are similar to the U.S. Department of Justice’s hallmarks of an effective compliance program as to remedial actions and continuous monitoring that incorporates the results of an investigation.[2]
Although we do not want to restate all the ISO guidelines, the following are several items you should consider when conducting investigations.
The investigative process
Principles of an investigation
There are several general principles that should be followed as part of the investigative process. For example, the investigation should be impartial and should not be influenced by internal or external factors other than what evidence is obtained that either confirms or refutes the allegation.
Case study: A construction company in the U.S. desperately wanted to keep its Mexican operation running smoothly. However, allegations from a whistleblower pointed to the local general manager paying bribes to avoid taxes, siphoning funds from headquarters to pay for his other businesses, and providing headquarters with a second set of books to show a much higher profit margin. The corporate executives decided they could “live with” a certain dollar amount of “shrinkage” (in the millions of dollars), discontinued the investigation, and terminated the whistleblower. Unfortunately, regulators later identified the tax irregularities. The company not only had to pay fines, but the news media was also alerted to the situation.
This illustrates that no matter how effective the investigation, if the results are not handled appropriately, the company’s reputation can still be negatively affected, employees may be too scared to come forward the next time, and enforcement actions can be taken against the company because it retaliated against the whistleblower and allowed bribery and corruption to continue.
Other important principles are that investigations should be conducted with fairness and good judgment by experienced and well-trained professionals with integrity and objectivity and who remain independent of any conflict of interest.
Goals of an investigation
Depending on the investigation, the goals can and should include confirming or refuting allegations by establishing facts. Some entities may not want to spend the time, resources, and money to properly investigate. Others believe they need to investigate to safeguard their reputation; determine financial losses, if any; “strengthen the organization’s compliance and ethics culture”; mitigate the liability of management; and ensure the prevention of illicit activity in the future.[3]
Assessment of the allegation
Determining the seriousness of the allegation is critical for allocating the proper resources and sending a message to all stakeholders that the organization will address all complaints with the level of resources required. The investigative resource managing this process should have the experience to objectively assess whether the allegation can be handled internally or if external resources are required. ISO/TS 37008 guidance warns, “Not having the capabilities to conduct internal investigations and/or failing to conduct internal investigations can have adverse effects on an organization such as compromising the effectiveness of the compliance management system, failing to protect its reputation, and failing to detect and counter wrongdoing.”[4]
Scoping and planning
The scope may be limited to finding facts of a specific matter; however, organizations need to know the regulatory and legal implications of potential wrongdoing. The guidance suggests that corporate entities should develop investigation procedures and policies and, importantly, follow them. Written policies assist an organization in conducting investigations consistently and objectively as opposed to relying on management’s opinion on whether to escalate allegations. What if an allegation that is detailed with examples points to executive management involvement? Without written investigative procedures, this allegation may be conveniently overlooked or only tacitly investigated.
The guidance also touches on gathering evidence and putting a legal hold on information to safeguard it from intentional or accidental destruction. ISO/TS 37008 specifically mentions that investigators should reach out to the whistleblower(s) to obtain additional details. Even if a whistleblower wants to remain anonymous, companies should continue communicating with and gathering information from the whistleblower. That will shorten the investigation time and help quickly determine if the allegations can be confirmed or refuted.
Case study: The legal counsel of a multinational global manufacturer conducted an investigation in Southeast Asia based on an online whistleblower allegation. The whistleblower requested to remain anonymous due to working in the same location with the alleged perpetrators. The legal counsel astutely continued to have an online dialogue with the whistleblower while simultaneously safeguarding the whistleblower’s identity. The third-party hotline facilitated back-and-forth communication between the whistleblower and the internal counsel. The whistleblower provided invoices, purchase orders, vendor names, and other relevant information for the company to continue to investigate.
Interviews
Despite what you see in media and on television, interviewing witnesses requires years of experience and cannot be conducted with a “heavy hand.” If an investigator says, “We will squeeze the interviewee until they break,” this is a huge red flag. Respect and consideration for anyone interviewed (including suspected wrongdoers) are critical to the investigation’s success.
The guidance also emphasizes that the organization should support the investigative process and protect the witnesses and investigators from retaliation. The typical scenario that can wreak havoc on an investigation is heavy-handed interviews by individuals who believe it is appropriate to demonstrate their authority over the interviewee. This can happen with internal auditors who have limited interviewing experience and with investigators who are insecure in their interviewing techniques and attempt to use legal or company policies to push the subject to provide information. Although there may be legal or policy requirements for subjects to cooperate in an investigation, if investigators resort to strong-arming subjects, the goal of the interview will typically not be accomplished. That goal is to collect as much accurate information as possible to confirm or refute an allegation, not to intimidate or force an admission.
Case study: In an investigation into a bribery allegation in South America, the investigative team used local resources who, unfortunately, were only experienced in auditing. When given the opportunity to talk with individuals who had information related to the allegation, the audit partner used intimidation and raised his voice on multiple occasions. As a result, at every question, even routine process questions, the interviewees made it a point to be unhelpful and misleading, even though these interviewees were strictly witnesses! All the interviews had to be redone, this time developing rapport to undo the interviewees’ hostile attitude and successfully obtain the necessary information.
Report and communication
The results of an investigation should be provided in writing and communicated to select stakeholders. The report should include the facts found, detail the violations of policies or regulatory statutes, note internal gaps identified that led to the wrongdoing, and suggest modifications of procedures to prevent a recurrence.