Internal investigations are becoming an increasingly important risk management tool. Whilst normally a fact finding exercise, they also play a vital part in a company's compliance with regulatory obligations. Internal investigations are a good way of establishing potential risks to the company, whether they are reputation or legal, and can expose potential criminal, civil or regulatory liability. We discuss what you should consider when undertaking an internal investigation.

Why initiate an internal investigation?

Internal investigations can be initiated for many reasons. They may be a result of an internal audit, company compliance procedure or as a result of whistleblowing within the company. If it is the latter, the company must consider their duties and obligations as an employer towards the whistle-blower and any other employees who may be involved. In this context it may also be necessary to consider foreign law depending on where the employees work and are employed.

Defining the scope

It is imperative at the outset of any internal investigation that you determine its scope and purpose. This will ensure the investigation is focused and yields results. The scope and purpose should be defined in a "Terms of Reference" document, which should be agreed at the outset and followed.

Who should conduct the investigation?

From the outset, the company must identify who will take responsibility for leading the investigation. This will normally be in conjunction with the company's HR, legal and compliance departments, internal audit, and board of directors.

The company must also decide whether to instruct outside counsel to conduct the investigation. This is certainly a good idea where there are any suspicions or concerns about management knowledge of, or involvement in, the issue to be investigated.

Investigative work is by its nature intrusive, but the investigation should be objective and independent, and it must be borne in mind that it might, at a later date, be necessary to demonstrate the impartiality and legitimacy of the investigation to a regulator or prosecutor.

The issue of privilege

The issue of privilege is key when deciding who should conduct the investigation, as it can assist in controlling the evidence from external scrutiny. There are two types of legal professional privilege: legal advice privilege and litigation privilege. Generally legal advice privilege is more relevant during internal investigations.

Legal advice privilege can be claimed over communications between a lawyer and their client created for the purpose of giving or receiving legal advice, or documents evidencing the content of those communications. This type of privilege has its limitations as, for example, interview notes of a meeting with a witness may not attract privilege even if taken by lawyer since they are not communications between a lawyer and his client. However if the notes were in the form of a communication addressed to the client and gave the lawyer's impression of the witness, they may then fall within the definition of legal advice privilege.

Litigation privilege is much wider since it covers all documents obtained throughout the litigation process. However this only applies where actual litigation is contemplated.

Knowledge of the investigation

Knowledge of the investigation should be limited and as a general rule be on a "need-toknow" basis only.

This is important not only in terms of preserving evidence but also when it comes to interviewing witnesses, whose recollection may be influenced if they discuss the issue with other people once the investigation has begun.

The importance of gathering evidence

It is normally recommended to notify relevant employees of the need to preserve all documents, both in hard and electronic form. However there is also a need to prevent deliberate destruction which can be a real risk where employees may be implicated in some form of wrong-doing.

It is also prudent to understand as soon as possible where evidence is held. This could include central servers, desktops, laptops and smartphones. Where information is held electronically, it is recommended to involve an IT professional in the extraction of the data so that it is preserved with its meta-data intact.

Data protection must be considered when gathering and storing personal data of employees, as this is governed by the Data Protection Act 1998. It is imperative that this is stored securely to minimise any risk of data leaks. Where data is held overseas, careful consideration needs to be given to local law distinctions.

Potential consequences of an internal investigation

The outcome of an internal investigation will vary case by case and unfortunately may have commercial and reputational consequences for the company. Actions you may need to consider include: 

  • Disciplinary action. This should be done in conjunction with the HR department, as they will be best placed to advise on the firm's policies and disciplinary procedure
  • Self-reporting to the authorities or regulators
  • Alerting your banks/financiers to any wrongdoing that may have been discovered. In many finance transactions companies are required to enter into prescriptive and pervasive covenants, in particular regarding legality, anti-bribery and money laundering. These should be examined carefully

Preventing reoccurrence

Depending on the outcome of the investigation, it will often be prudent for a company to consider what steps can be taken to prevent reoccurrence. Measures include:

  • Reissuing the compliance handbook 
  • Delivering training on compliance issues to employees
  • Reviewing reporting lines and accountability

It is also important that these remedial and preventative measures are monitored and reviewed on a regular basis.

Internal Investigations: How To Protect Your Business

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.