7 Best Practices for Corporate Internal Investigations


Photo courtesy of West Midlands Police on Flickr

Photo courtesy of West Midlands Police on Flickr

Rob Swystun, Pristine Advisers

While the Department of Justice eschews hand holding for companies that conduct their own internal investigations, it does have some best practices guidelines for them to follow.

Eugene Illovsky, a partner with Morrison Foerster, gave an overview of these best practices guidelines in an article on Mondaq.

Illovsky gathered information from speeches made by Criminal Division head Assistant Attorney General Leslie Caldwell to determine what the DOJ considers to be a quality internal investigation by a company.

According to Illovsky, Caldwell said the DOJ uses the Principles of Federal Prosecution of Business Organizations (nicknamed the Filip factors) to decide whether to charge a company. That decision is based partly on “the existence and effectiveness of the corporation’s pre-existing compliance program.

What the DOJ is looking for is whether a company has established corporate governance mechanisms that can effectively detect and prevent misconduct.

Illovsky has identified two key messages that Caldwell has repeatedly delivered about internal investigations by companies:

  1. companies that over-investigate do so at their own cost and peril; and
  2. companies’ internal investigations must identify and deliver evidence against individual wrongdoers.

The quality of the company’s investigation will determine how effectively the company is deemed to have cooperated with the government in delivering that evidence

Best Practices

Here, then, are seven ways a company can ensure it conducts robust internal investigations.

  1. Make internal investigations part of the company’s compliance program.

A company will get credit from the DOJ, Illovsky says, if its compliance program is effective. The DOJ considers a compliance program to be effective if it has procedures designed to:

  • uncover wrongdoing in the company and
  • expose individuals responsible for criminal behavior.

Those procedures are the tools the company uses in its investigation.

  1. Tailor and Target investigations.

The DOJ places a premium on targeted investigations that are designed to:

  • root out relevant facts,
  • identify and interview the knowledgeable actors and
  • capture and preserve relevant documents and other evidence that explains the pervasiveness of the misconduct.
  1. Allocate a reasonable amount of resources to investigations.

You may think this means spending big money and taking a lot of time to perform investigations, but Caldwell says the DOJ has seen “needlessly costly and overbroad investigations.”

It is neither necessary nor productive for a company to employ its internal investigators to look “under every rock and pebble,” she says.

Or, if you prefer marine metaphors, Caldwell has also said companies will not garner extra credit with the DOJ if they “aimlessly boil the ocean.” (Although they will get enough seafood to cater the company Christmas party.)

Excessive investigations will only cost companies a lot in fees and delay the government’s investigation and a resolution to the company’s internal crisis.

  1. Communicate and cooperate.

Companies that cooperate with the government will get additional help to appropriately target investigations. The DOJ will clearly state to a cooperating company its areas of interest and where possible share information to help focus the company’s internal investigation.

Caldwell says she encourages open dialogue between a company’s counsel and DOJ prosecutors about the progress of an internal investigation and this dialogue comes easily to companies committed to demonstrating cooperation.

  1. Develop your investigative procedures now.

Although every situation is unique, a company’s pre-existing compliance program must have procedures designed to uncover wrongdoing, Illovsky says. General investigative procedures that can be used in all situations can be developed before a crisis hits and incorporated into the compliance program.

If a crisis does pop up, a company will be able to run its investigation smoother by having these procedures in place.

  1. Have a compliance program investigations playbook.

Gather these general procedures into an investigative playbook that company counsel can reference at any given time. The procedures should be developed after discussions with what Illovsky calls pertinent corporate constituencies and outside counsel or advisors.

Start by asking what would happen in a hypothetical investigation:

  • How would it be staffed?
  • Who would be the points of contact and authority?
  • What evidence collection issues might arise unique to how the company operates?

The playbook should also include the following information for critical IT personnel and vendors:

  • the latest data map (an inventory of the company’s electronic and other data sources),
  • HR policies and employment/collective bargaining agreements,
  • templates,
  • company policies regarding whistleblower complaints, and
  • any other information key personnel may need for an investigation.
  1. Prepare to manage the project.

The company’s point of contact, which can either be an investigating board committee or in-house lawyer, should use project management techniques with the investigators, Illovsky says.

They should:

  • scope the project (reassess as needed);
  • map out team responsibilities;
  • use timelines and budgets; and
  • schedule regular dialogue with DOJ to keep the investigation tailored and avoid the risks of either under investigating or over investigating.

Companies should treat an internal investigation as part of their compliance program, Illovsky concludes, and not something they must undertake as a result of having a compliance program. An ineffective investigation risks preventing the company from getting full credit from the DOJ for its efforts.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s