Investigations come in all shapes and sizes, and they occur irrespective of the quality of a company’s compliance program or internal controls. In this feature, I will examine investigations from the assumed point of view that the whistleblower
is a company employee or third party alleging a potential violation of company policy through an established internal whistleblower process.
There is no one-size-fits-all approach when responding to a whistleblower. A typical company may receive allegations varying in severity from petty human-resource-related issues (“Someone is eating my lunch out of the employee refrigerator”)
to bribery and corruption concerns. The nature and scope of the investigative response depends on the nature of the alleged offense, the role of the alleged wrongdoers, and the involvement of regulatory stakeholders.
Regardless of scope, however, best practice requires the following:
- Having a process in place to guide the company response
- Evaluating the allegations
- Responding to the allegations
- Remediation based on the investigation findings
Process in Place
Part of having a plan to respond to whistleblower complaints is having an efficient way for employees and third parties to anonymously report allegations of misconduct.1 A company must then have a process for evaluating and investigating allegations:
- Effectiveness of the reporting mechanism – Does your company have an anonymous reporting mechanism? Is the reporting mechanism publicized to employees and third parties? Has it been used? Does your company test employees’ and third parties’
awareness of the reporting mechanism? Are employees and third parties comfortable using it?
- Properly scoping investigations by qualified personnel – How does your company determine which allegations merit further investigation? What steps are taken to ensure investigations are independent, objective, and properly conducted and documented?
How does the company determine who should conduct an investigation, and who within the organization is tasked with making that determination?
- Investigation response – Does your company apply timing metrics to ensure responsiveness? Does it have a process for monitoring the outcome of investigations and ensuring accountability for the response to specific findings and recommendations?
- Resources and tracking of results – Does your company sufficiently fund its reporting and investigative mechanisms? How does it collect, track, analyze, and use information from its reporting mechanisms? Does it periodically analyze reports
or investigative findings for patterns of misconduct or other red flags for compliance weakness?
- Data collection and preservation capabilities – Does your company have appropriate capabilities around preserving and collecting data? Does it take into consideration jurisdictional data protection and privacy laws?
These are just a few of the salient questions to consider when evaluating your company’s preparedness for responding to whistleblower complaints. Note that these evaluation questions do not imply that your company needs a scripted playbook
dictating, “If this happens, then do that.” No two allegations are identical; there must be flexibility in any process. An effective process establishes the infrastructure to ensure that all credible allegations are identified and responded
to. It ensures that companies do not lose the opportunity to learn from and correct the failures that initially gave rise to the allegations.
Companies frequently designate one individual to monitor and initially evaluate allegations for seriousness and credibility. This might be a chief compliance officer or general counsel. In fact, depending on the allegation, it would not be unusual for
more than one person or department to be consulted regarding specific allegations. Regardless of who performs the initial investigative evaluations, it is usually good practice to have the function centrally managed.
Independence and objectivity are always key concerns. Allegations against senior management will require additional vigilance regarding objectivity and independence among those charged with evaluating and investigating the allegation. For instance, it would be unwise if someone
implicated in an allegation is part of the decision process. Independence and objectivity considerations may necessitate the involvement of the audit committee or an independent special committee formed to address a specific allegation.
In analyzing the credibility and seriousness of a whistleblower allegation, management must objectively review and initially respond to the allegations. Oftentimes, weighing the credibility and/or seriousness of an allegation requires making decisions
when all or most of the facts remain unknown. It also requires a continual reevaluation as additional facts and circumstances come to light.
The initial evaluation is a critical step requiring good judgment. If the initial assessment of an allegation’s seriousness is overstated, then the response may be too heavy-handed, resulting in excess costs and time to complete an investigation.
Conversely, an initial understatement of an allegation’s seriousness can result in an insufficient response that also could create excessive costs and inefficiencies. Many factors impact a company’s initial assessment of allegations, including:
- Who within the organization are allegations directed against?
- How many people within the organization may be involved?
- Could there be a serious impact to the company’s current or prior financial reporting?
- Might senior management’s credibility or the company’s reputation be significantly impacted?
- What is the likelihood of government regulator involvement?
- Are the allegations reasonable, detailed, and consistent with known facts about the business?
Conclusive answers may not be straightforward. For example, it may seem intuitive that allegations against a C-suite executive are more serious than allegations against a former employee in the purchasing department. Certainly, senior executives are positioned
to engage in a greater degree of malfeasance than a former low-level employee, but what if that former low-level employee who has been dismissed is replaced with someone who continues the nefarious practices of the past?
Below, we look at two examples to illustrate how evaluations might proceed.
Allegation 1 – The company receives an anonymous tip that the chief marketing officer has entered into a confidential side arrangement with extended payment terms with a major customer. It is alleged that the CFO is aware of this
Allegation 2 – The company receives a tip from a midlevel company financial analyst that management has entered into a transaction to purchase a company for an amount far exceeding its worth because the CEO has an undisclosed investment
in the acquired entity.
Both examples allege serious impropriety by senior company management. However, during an initial evaluation, one allegation was determined to be more credible than the other.
Evaluating Allegation 1 – Because of the alleged involvement of senior management, board-level oversight is employed. It was determined that the allegation is credible and serious enough on its face to move ahead with an investigation
because of the following:
- Side arrangements with customers could trigger a revenue recognition impact which, in turn, could necessitate a restatement.
- We know that revenue recognition has been a critical audit and business concern for the company and its independent auditors, lending additional credibility to the allegations.
- The allegations imply that senior executives at the company may have serious credibility issues, potentially affecting the company’s audit opinion.
- The CFO provides important representations that the independent auditors rely on.
- An allegation against the CFO, if proven, could cause the auditors to reject those representations, resulting in enhanced auditor and regulatory scrutiny.
Evaluating Allegation 2 – The second allegation initially appears deeply troubling. Allegations implicating the top executive of a company always require special care. As a result, independent counsel was brought in to assist. In this
case, there was access to the whistleblower (who was not anonymous), and it was found that the allegations were not credible.
- An interview of the whistleblower presented additional information and perspective.
- The whistleblower appeared to have made a good-faith complaint.
- The whistleblower had previously raised the allegations with the transaction team in charge of the acquisition. The team had previously attempted to address the whistleblower’s concerns and explain the valuations and the fact that the CEO’s
investment was fully disclosed to all parties.
- The whistleblower was found to have misunderstood the nature of the transaction and the transaction team did not adequately address the concerns.
- Substantial documentation did support the acquisition and its valuation.
- The allegations appeared to be based on a misunderstanding by the whistleblower.
When a company concludes that an allegation is credible, it should take immediate steps to preserve relevant data and launch an investigation. This may involve placing legal holds on all potentially relevant information as well as securing electronic
devices to preserve data. In fact, even if uncertain regarding the initial determination of credibility and seriousness, consideration should be given to preserving the relevant data as soon as feasible.
If a credibility and seriousness determination remains uncertain, additional investigation work should continue until the company can make a definitive and supportable conclusion. Once an allegation is deemed credible and serious, the company must respond.
Responding to an Allegation
With any investigation, best practice requires a clear strategic vision, starting with an understanding of the allegations themselves as well as their source. Whatever the purposes of the investigation, they must be clearly articulated at the outset and
the required deliverables specified. These will define the overall strategy. Once the strategy is known, the detailed tactics and actions can be carefully planned.
Thoroughness is an important strategic consideration at the investigation’s outset. Even worse than a disruptive and expensive investigation is having to conduct an investigation twice. Therefore, it is critical to ensure that the investigation
is thorough enough to inspire confidence that the entirety of the problem has been addressed and that other potential problems have been considered. For example, could there be other potential frauds in the business unit or could a similar problem
have occurred in another territory? If an individual is implicated, what other areas of the business has that individual “touched”? Investigations should always consider the broader business operations and risks.
Beyond the allegations, other challenges may influence planning and response. Multiple overseas jurisdictions and their diverse laws and cultures, a high degree of regulatory oversight, and public interest contribute to the importance of maintaining focus
on the investigative objectives.
For example, you may know that the company needs to assure regulators or independent auditors (or both) that a sufficiently thorough and rigorous investigation has been completed, lessons have been learned, appropriate remedial actions have been and are being
taken, and the organization has truly changed. But you may also need to convince investors that the organization’s controls and risk management that initially gave rise to the allegations are adequate, particularly moving forward. You may find
that different stakeholders have conflicting points of view. This, in turn, impacts strategy. For example, privilege considerations may complicate agreement between stakeholders on the form of reporting.
A report form and frequency should be tailored to the relevant audience, ensuring that their needs are addressed. Whatever the format, supporting records must be identified throughout the investigation. For example, current practice in the United States
before agencies such as the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) typically calls for investigative findings to be reported in privileged PowerPoint formats supported by relevant emails, key hard copy documents,
and other analyses.
Investigation structure – Investigations are not necessarily linear. Some elements may run in parallel, and the magnitude of effort behind each element will be dependent on the investigation’s overall scope. For example, data
collection and fieldwork are often carried out simultaneously. An organization also likely needs to replan and refocus the investigation along the way as various findings are made. A company should also consider what internal or external expertise
is required to assist with the investigation. For example, forensic accountants or e-discovery professionals may be needed to assist with remote data collections, analysis, and technical accounting assistance. Special language requirements may be
needed too. Regardless of complexity, it may be helpful to think of all investigations as being divided up into five basic elements:
- Planning, scoping, and orientation – Gather initial information for the inquiry and conduct initial data-gathering interviews so you can plan for resource, logistical, and technical requirements and prepare an initial work plan and scope for
the investigation. Logistical planning should consider privilege and communication protocols and investigative team composition. As with any investigation, the scope of work will likely evolve as facts and evidence are discovered, and the investigating
team must be prepared to adjust the scope of work accordingly on a real-time basis. Liaison and coordination with any interested regulators may also need to be planned. For example, real-time interim reporting and touching base is a
practice preferred by the DOJ and SEC in Foreign Corrupt Practices Act investigations. Independent auditors shadowing the investigation will also expect to be regularly informed of findings and progress.
- Data collection and processing – The detailed data collection of both hard copy and electronic records provides a robust and informed platform for field work. This is an important step in any investigation, and it must be well-planned and documented.
Jurisdictional data privacy issues must be addressed, and data must be put in a form that permits searching and review.
- Field work – Using the knowledge gained from the first two elements as well as the investigator’s expert judgment and experience, a detailed inquiry will review the relevant events and issues under investigation and draw preliminary conclusions.
Often, more detailed interviews will have to be conducted and more data will have to be analyzed.
- Follow-up and verification – Confirm the field work findings with robust evidence, including documentary evidence wherever possible.
- Reporting – Report on each area of investigation for the appropriate stakeholders, such as the audit committee, board, auditors, or relevant regulators.
Special data considerations – During an investigation, it is easy to obtain an overwhelming volume of data, both paper and electronic. As with all successful investigations, data collection requires proper planning and preparation.
Narrowly scoped investigations may require limited data collection; larger, multijurisdictional investigations could involve very complex data collection efforts. A focus on key risk areas enables efficient investigations, but this must be balanced
against a need to preserve evidence. Understand where relevant data is located, the types of systems used, and how data is backed up and for how long. Knowledge of what data is held by whom and where it is located can be vital. Data from networked
computers can often be captured remotely (i.e., the investigator does not necessarily need to have physical access to a specific computer).
An early and critical step is data preservation. Ensure that paper documents are not shredded and electronic data is not deleted or written over. A subset of preserved data can be copied or captured, and a smaller subset analyzed. This includes not only
paper documents, electronic files, and email, but also transactional data from accounting and other enterprise resource planning systems, such as SAP, and personal devices. It is crucial to gain an understanding and receive reliable and local legal
advice regarding data protection and data privacy regulations for all relevant jurisdictions.
It is important that specialized equipment is used by trained professionals when seizing electronic data. This will ensure the data is correctly captured and evidentially sound. The collection of data should follow a consistent and, as necessary, forensically
sound methodology that is properly documented to ensure it is an auditable process that can withstand scrutiny.
Despite the volume, it is often best to secure as much electronic data as possible and then examine the data intelligently and in a focused manner. It is also sensible to consider securing other sources of electronic data, such as full-system backup tapes
and off-site data warehouse contents, for data preservation purposes. A full-system backup will capture a snapshot in time of the electronic information, such that if any generated reports and files are corrupted, the original information can be restored
from the backup file. This is true whether or not the team ultimately reviews this data source. The locking down and securing of such data is often a critical element in determining the thoroughness of the investigative effort. For example, failure
to turn off automatic 60-day tape rotation and the overwriting of tapes can inadvertently destroy important evidence and create undeserved credibility challenges with regulators. As with all aspects of an investigation, data capture can be disruptive
to ongoing operational activity. Planning will help minimize any impact on the organization’s day-to-day business operations.
An investigation should not be viewed as the end of the matter. Gaining maximum value from an investigation requires an organization to consider lessons learned, what remedial actions have been and must yet be taken, and what preventative strategies can be
applied. Remediation likely requires consideration of disciplinary measures, additional training, and enhancements to existing controls. Remediation will feed into the organization’s risk management framework, policy and guideline framework,
and auditing strategy. It will also be important in setting the appropriate tone at the top and defining corporate culture. For example, if an individual or individuals are implicated in a matter, the company’s remediation response must communicate
an important message regarding the company’s corporate culture and tone at the top. Remediation also serves as an important deterrent against future misconduct.
Remediation is often considered something that happens at an investigation’s conclusion. Sometimes, though, remediation may be required as soon as an investigation begins, even before the final results are known. For example, allegations around
improper payments may require, at least on a temporary basis, that the payment review function be carried out by someone independent of the individual normally designated to perform that function.
Finally, do not forget the whistleblower. Whether or not an allegation is ultimately investigated, best practice requires keeping the whistleblower informed of progress and final conclusions. The whistleblower must understand that the company takes allegations
seriously. Companies should encourage whistleblowers to submit their complaints internally with the company. The alternative is that complaints get reported directly to regulators without the company having a chance to address them first. Too often,
whistleblowers are ostracized when, in fact, they should be rewarded.
1 See U.S. Department of Justice guidance, Evaluation of Corporate Compliance Programs, as updated in June 2020.
Steven G. Blum, CPA, CFE, is a principal with Control Risks Group in Washington, D.C., and a member of the
Pennsylvania CPA Journal Editorial Board. He can be reached at firstname.lastname@example.org.