Artful science - Internal compliance investigations

When and why companies conduct internal investigations

Compliance investigations may include a series of internal investigations on corruption and kickbacks, financial fraud, collusion, conflicts of interest, and so on. Reasons for conducting an investigation may be to help the company understand the origin of rumours or allegations or to verify evidence which may have emerged inside or outside the company. The goals are to establish whether the company is at risk of violating any laws, to terminate relationships with negative elements inside or outside the organisation, to set an example or to avoid further monetary losses or reputational damage.

Any investigation may involve of a variety of support work, such as forensic accounting, interviewing, e-discovery, gathering and reviewing evidence and legal support.

The following three real cases showcase how compliance investigations take place.

At a glance – real cases of internal investigations for global companies

Case 1 – Kickbacks

A junior engineer in a multinational company anonymously reported that six of the company’s project managers (PMs) in China were accepting kickbacks from contractors in exchange for rewarding them with projects, despite their substandard quality. The Red Flag Group was appointed to investigate these allegations, and sent in an investigation team, consisting of forensic accountants, IT experts and engineering specialists. The following on-site and in-country approaches were part of the investigation:

  • Gathering of evidence from the whistleblower
  • Meetings with the senior management to:
    • finalise the list of employees to investigate and interview
    • investigate the company’s policies and procedures
  • Remote e-discovery of the employees’ laptops and forensic analysis of images from the laptops
  • Analysis of data retrieved
  • Securing of evidence of PMs signing off substandard work
  • Detailed background checks on the contracting companies and their management
  • Further background checks on the PMs’ lifestyle, family relationships with the contractors, properties owned, etc.
  • Interviews with the suspects.

During our investigation, adequate evidence that four of the alleged PMs were involved in the plot was secured. Amongst this key evidence were forensic images showing that one contractor had been providing the PMs with prostitute services as a form of bribe. We also secured a copy of a fax indicating that a large amount had been transferred into the bank account of one of the PMs. In addition, we found that one of the PMs had gone to the same school as the owner of one of the contracting firms. The said PM was found to be driving a car worth US$50,000, despite earning a salary of only US$2,000 a month. This information provided ample support during the interview with the suspects and led to confessions by two of the PMs. Two of the contracting firms were immediately terminated.

Case 2 – Conflict of interest

Anonymous letters were received by the executive management of the European headquarters of a luxury brand. These letters contained claims that key managers in one of the luxury brand’s country offices were receiving bribes from mall owners to convince the company to open stores in certain malls in Philippines. The Red Flag Group was requested to look into the background of the said individuals and their connections with the mall owners.

During the course of the investigation, which lasted for over 18 months, digital information was obtained from the individuals’ hard drives, tens of thousands of emails were scrutinised, the backgrounds of many individual entities were screened, property transactions were analysed, reputational intelligence was obtained and associated companies were looked into.

The investigation uncovered who had been the middlemen between the landlords and the two key managers, how close the individuals had been, that they each owned several expensive apartments, that they had bought properties in the same neighbourhood at the same time, that they had sold and purchased properties to and from each other in different countries, and that related entities had been used to transfer money cross-border. As a result of the investigation two of the company’s key staff were forced to leave the company.

Case 3 – FCPA violation

A pharmaceutical company based in Latin America had a team in Brazil responsible for finance, sales and product distribution. Through tax reviews, the finance director at the company’s headquarters had become aware of an outstanding obligation to the Brazilian tax authority. The finance controller of the Brazilian team’s explanation was that by paying some fees to the tax official the company could defer the tax payment. However, when the finance director asked further whether this practice was potentially in violation of local laws, the financial controller refused to answer and resigned soon afterwards.

The incident cast doubt on the company’s financial integrity. Given the potential huge fines for this sort of behaviour, The Red Flag Group were asked to lead an investigation into possible breaches of the FCPA. We performed a financial analysis of the company’s books and records and searched multiple computer hard-drives to secure documentary evidence. It was eventually found that the team in Brazil’s “fees” were actually bribes to the tax official to avoid fines for late payments. The chief financial officer of the company eventually admitted that he had been aware of the bribes.

Due to the complexity of investigations, the fact that in-depth and in-country expertise is required, and the importance for supporting evidence to have been gathered in a rightful way if it is to be upheld in court, many firms choose to hire external compliance professionals to conduct compliance investigations in a professional and ethical way. The expense of such investigations is more than offset by the potential of enormous collateral damage being done by investigations which have not been carried out properly.

Conducting internal investigations is crucial for the success of any anti-corruption compliance programme, and illegal or non-compliant practices can undermine any organisation, no matter their size or age. Managing a compliance investigation is a key attribute and skill of any compliance officer.

10 tips for conducting internal compliance investigations

1. Build an investigations protocol and policy

Setting up an enterprise-wide consistent investigations protocol and policy should be a key aspect of any compliance officer. Building the protocol and policy needs considerable time – often six months or more. The protocol should include working out the overall approach of an investigation, the roles and responsibilities of the parties, identifying scopes and budgets, and also getting buy-in from key functional and business partners and educating managers of the process.

2. Plan, then plan some more

When faced with a compliance issue raised through an audit, a whistleblower hotline or reported directly to the compliance officer, there is a natural tendency to jump in and start working on the investigation. It is important at this initial stage to pause and build a plan for the investigation. A clear and concise investigations plan should have a start, middle and an end, and should contain:

  • a summary of the allegation, where it came from, and all essential facts
  • a review of the effect of the allegation if it comes true: the business effect, the costs and the budget required for the investigation
  • the expected scope of any investigation, including what is in scope and what is (initially) out of scope
  • who needs to be informed at the outset, including legal (both corporate and local legal), finance, corporate securities lawyers, outside counsel (both corporate and local counsel), IT group, etc.
  • the people likely to be interviewed, where they are located and their reporting lines
  • an overview of where essential documents and files will be located and how best to access them
  • who should be on the investigations team
  • who needs to be updated on the investigation as it proceeds and at its completion.

A clear and concise plan is essential to structure an investigation. While it might be a living and breathing document that is constantly updated, it supports a structured investigation that is defensible.

3. Always consider local laws

In every investigation that crosses country or regional borders it is vital to understand any local laws that may be applicable. It is advisable to consult local legal counsel with the relevant local knowledge. Some questions you may need to consider include:

  • Are there any local laws that do not allow for an investigation to be conducted without notifying the government?
  • Are there any restrictions on conducting the investigation (for example, bans on using surveillance, video tapes or recordings of interviews)?
  • Can the company investigators access the personal files of an employee held on a company laptop?
  • Can the company investigators access the mobile-phone records of the employee, including their text-message history or browser history on a mobile device (whether or not that mobile device is company-supplied or employee-supplied but used for business)?
  • Can the company conduct an interview of an employee without giving the employee the benefit of appearing with counsel?
  • Can the records obtained from any review of computers be sent to other countries or made available for advisors outside the country in which it has been collected?
  • If the investigation reveals criminal conduct, is there a requirement or an obligation to notify relevant law enforcement?

4. Evidence is no longer limited to documents and email

The days of email usage for today’s generation is over; most people have worked out by now that company email is scanned and accessed and never deleted. It is rare these days to find much evidence in company email, as most employees who might want to do something illegal while at work will use their web-enabled mobile device and private email address. That being the case, evidence collection should include all possible sources, such as emails and computer records, personal files, telephone records, expense accounts, appointment calendars, video-surveillance records, access-card logs and so on. It is also important to consider social media and how the employee may have communicated through this medium.

5. People should be trained on conducting investigations and how to participate in them as a manager or leader

Training is a vital part of an investigation protocol – not only for the investigators but also for the business leaders whose groups are being investigated. Training on how to handle allegations is essential for those receiving them, and for the investigators to ensure the investigations are conducted thoroughly, fairly and objectively. It is also important that management and the leadership team understand that a proper investigation takes time, and they should allow the investigation team to get on with it rather than hindering them by asking endless questions about when it will be finished. This training, aligned with the reporting part of the protocol, should go a long way towards addressing these issues.

6. Privilege can be obstacle

Legal professional privilege may be claimed over certain legal documents that arise from the investigation. In most countries the ability of in-house counsel to assert privilege is weak, and many companies fall over themselves to assert privilege at the risk of conducting a proper investigation that identifies and fixes inherent issues in the business. While it may be appropriate to consider privilege in serious investigations, it is often impractical to do so across the board.

7. Report out from the investigations protocol

Throughout the investigation and once it is completed, the results will need to be sent to various stakeholders. Having some structure around this will save you endless amounts of time. It is common that everyone involved will want to know the outcome of the investigation, and if you don’t have some structure around the reporting it can overwhelm you.

8. Close out the investigation

Too many companies are in a rush to complete the investigation and save the future costs of using external counsel or due diligence/investigations firms. They focus on the issue in front of them, resolve the employee issues, terminate the staff, and get things back to normal as quickly as possible. Companies often do not spend enough time following up the investigation and identifying the weaknesses in internal controls that led to it in the first place. Learning from the investigation is key.

9. Announce the investigation and the outcome

While it is acknowledged that publishing the results of an investigation is not possible at all times, it is often a great learning and communication experience to use the example of how it came to light and the results as a deterrent to others who might contemplate such behaviour. Many companies simply bury the issues and are afraid of making an investigation public in fear of copycats, or of a regulator stepping in to review the case. Using the investigation as a learning example is an essential part of compliance.

10. Investigations should be conducted by specialised investigators

In most cases internal compliance investigations are conducted by local HR, commercial lawyers or corporate security professionals who lack the basic knowledge and practical experience of conducting investigations. This can result in undermined investigations and evidence tampering. Compliance investigations should be conducted by people who:

  • have knowledge in corporate ethics and compliance and understand the seriousness of allegations and their full impacts
  • have extensive accounting knowledge and can review accounting transactions completely and accurately and detect irregular transactions
  • know how to gather, preserve and review both digital and non-digital evidence while maintaining chain of custody
  • have extensive experience in interviewing so subjects can be interviewed in a non-hostile environment after all evidence has been reviewed
  • possess a legal mindset – they don’t necessarily need to be a lawyer, but they should be able to detect a legal issue and know when to ask for legal advice.
Previous Article
Selling compliance up the chain: how to use compliance as an effective sales tool
Selling compliance up the chain: how to use compliance as an effective sales tool

If your business is a retailer or perhaps a maker of food or beverages, it is highly unlikely that a consum...

Next Article
Supply chain and compliance in the agricultural sector
Supply chain and compliance in the agricultural sector

Considering the economic weight and strategic role played by the agricultural sector there is a strong case...

×

Subscribe to The Red Flag Group Insights

First Name
Last Name
Job Title
Company
!
Thanks for subscribing
Error - something went wrong!