Conducting an effective internal investigation

Since the 2008 financial crisis, successive UK governments have introduced various measures to combat economic crime. Directors have been faced with increased compliance, regulation and corporate governance obligations. When faced with allegations of misconduct, whether from outside or within, many choose to conduct an internal investigation. Not only do internal investigations shine a light on whether existing policies and procedures are fit for purpose, and allow directors to identify the scale of the issue, but a successful internal investigation will stand directors in good stead in the event of a regulatory probe.

If the corporate crime bill—currently in the Commons—passes, it will introduce a “failure to prevent” offence, similar to that in the Bribery Act 2010 and the Criminal Finances Act 2017. This means that the presence of reasonable fraud prevention procedures will be a significant mitigating factor to accusations of fraud.

Access our full Director's Guide to Internal Investigations

Could your firm stand up to an internal investigation? 

Now is the time for directors to stress test their company’s compliance regime, to consider how it would stand up to an internal investigation. Implementing a protocol for handling any internal investigation now and rolling out ongoing training for the board and senior management would also be wise.

Companies are, of course, all different, with some sectors—such as financial services—more highly regulated than others. In a multinational, directors will need to consider the obligations of overlapping regulatory regimes. With these nuances in mind, we consider the broad questions directors should ask themselves when preparing for an internal investigation:

Does the company have an effective stance on inappropriate behaviour?

Inappropriate behaviour takes a number of forms, such as bullying, coercion, discrimination, aggression and abusive behaviour, and sexual harassment. Directors need to ensure that they have a comprehensive disciplinary procedure in place, which clearly sets out the process to be followed after an allegation of misconduct. Managers should receive regular and thorough training on how to deal with any allegations of inappropriate behaviour quickly and effectively, and should be aware of best practice to promote an inclusive workplace for all employees.

Would the whistleblowing policies provide the correct level of protection to a whistleblower?

Incentives to report wrongdoing and the protection of rights in the Public Interest Disclosure Act 1998 mean that a whistleblower’s identity should be protected as far as possible. Any dismissal of an employee due to making a “protected disclosure” is automatically unfair. A whistleblowing claim is a common trigger for an internal investigation, so directors should make sure that an effective whistleblowing policy is in place that will alert management to the occurrence of any behaviour that falls under the whistleblowing definition, such as the committing of a criminal offence, a risk to health and safety, or risk or actual damage to the environment. That way, the issue can be dealt with as soon as possible, with the least reputational risk.

Are the company’s ‘use of IT’ policies comprehensive enough in the light of hybrid working?

With employees now using the company’s technology both in the workplace and at home, the boundaries between technology use for work and leisure have become increasingly blurred. Directors need to ensure that clear boundaries are set over the proper use of company equipment and technology, through “acceptable use policies” (AUPs). The policies should ensure that employees understand their responsibilities and rights and outline the company’s expectations of their use of technology in the workplace. A regular education programme keeping employees up to date on identifying the latest cyber threats provides another layer of protection.

In terms of an internal investigation, there are limits to the information the company can access; for example, intercepting a public network such as Gmail or accessing an employee’s private phone without consent are criminal offences.

Are the privacy/data protection policies up to date, and tailored to each region?

Privacy/data protection policies explain how a company deals with the personal information it collects from employees or customers, outlining what is being collected and why. These policies should be supplemented with appropriate software systems and effective data security controls. Managers and employees should be offered training on effective data protection measures.

What resources are available to conduct an internal investigation properly?

Any investigating team will be drawn from a mix of professionals, led by a senior project manager. It will probably include management, the internal audit committee, in-house legal or compliance department, HR and IT personnel, or comprise external advisers—either for a particular issue or to run the entire investigation. Much depends on the severity and scale of the allegations. Although it may be tempting to keep the investigation within the confines of the company, external advisers bring experience, expertise and independence and add credibility to the findings. They have had regular dealings with the regulators and prosecutors and can often advise across jurisdictions.

Is the company’s directors’ and officers’ liability insurance sufficient?

There are big variations in the types of policies available, so when considering the impact of an internal investigation, directors should take time to review the provisions of their existing D&O insurance policies.

To discover more about best practice on this issue you can access our Director’s Guide to Internal Investigations here.