New Guidance on Best Practices for Internal Investigations

Many resources are available that outline best practices for internal corporate investigations. Following tested methods can be helpful in shaping defensible investigations that generate useful results. Misguided or mismanaged investigations can do more harm than good.

In many instances, suspected or reported wrongdoing can have serious consequences. A few examples of situations that may warrant internal investigations include:

  • workplace/HR issues
  • financial reporting and fraud
  • insider trading
  • bribery and FCPA violations
  • antitrust matters
  • product testing and certification
  • environmental compliance and events
  • safety incidents and OSHA matters

Independent investigations, when warranted, are often a key component of an integrated compliance management system to address these areas.

Key Considerations for an Internal Investigation

Internal investigations enable an organization to:

  • make informed decisions about whether potential violations of applicable laws, regulations, industry codes, internal policies, procedures, processes, corporate compliance, values, and ethics policies have occurred
  • identify the root cause(s) of such violations
  • determine if allegations of violations are substantiated or unsubstantiated
  • assess the occurrence and materiality of any financial loss to the entity
  • mitigate liability of the organization and/or its management, as appropriate
  • implement necessary mitigation measures to prevent future violations
  • strengthen the organization’s compliance and ethics culture
  • consider and manage external reporting to relevant legal and regulatory authorities or relevant interested commercial parties when necessary
  • make disciplinary decisions regarding the management and/or employees involved, and debar third parties involved in unethical conduct from further work with the organization

Civil actions, whistleblower reports, and external investigations by regulators can also lead organizations to conduct internal investigations to find out what triggered the actions and to help shape responsive strategies.

Key considerations include whether to conduct an investigation at all, defining its objectives and scope, determining whether the investigation is going to be independently or internally driven, determining how to maintain confidentiality and attorney-client privilege (to the extent possible), controlling relevant evidence (particularly electronically stored information), and deciding whether any anticipated report generated will be provided to government authorities.

In the end, there is no magic formula. Experienced counsel and investigators are crucial to providing an entity with appropriate legal guidance to protect its interests. Further, it is not uncommon for the credibility of the investigation to be critical to decision-making and persuading government authorities that the entity has acted responsibly in the face of the challenge. (See our previous blog post, “Cooperation with the Justice Department: The Rules are Changing.”) This can be shown by evidence that the investigators followed best practices, thoroughly and carefully pursued the facts, and developed advice on responsive actions dispassionately.

New ISO Standard for Internal Investigations

How Do You Demonstrate the Effectiveness of an Investigation?

A new means exists to establish credibility and compliance with best practices. On July 28, the International Organization for Standardization (ISO) issued ISO TS 37008, its standard on internal investigations. The development of the standard followed almost two years of work by leading experts worldwide.

ISO TS 37008 reflects internal investigation best practices to be used by any organization, large or small, in any country. The guidelines are adaptable to the organization’s size, industry segment, organizational structure, governance structure, and subject matter under investigation. Companies can take advantage of the objective criteria established by ISO TS 37008 to conduct their internal investigations and create or enhance related policies and procedures.

ISO TS 37008 is primarily based on five key principles and a developed process.

The Standard’s Key Principles

The five principles are:

  1. independence
  2. confidentiality
  3. competency
  4. objectivity and impartiality
  5. legality

Each principle must be observed in all phases and by all those involved in the investigation. According to such principles, internal investigations must be conducted independently and in an objective and impartial manner. Further, the activities must be carried out by competent and professional investigators, with attention to confidentiality and in accordance with the applicable laws.

Key Steps to be Taken

The ISO TS 37008 process defines the key steps of internal investigations, including:

  • appointing the investigation team, designing the reporting process, and defining individual roles
  • planning the scope of the investigation, considering the nature of the allegations, the available information, and the appropriate sequence of investigation activities
  • establishing safety and protection measures to be taken regarding the investigation team, witnesses, and the subjects and targets of the investigation
  • collecting and preserving evidence, including ESI, litigation hold, document review, and witness interviews
  • determining how interactions with internal and external stakeholders will be handled, including potential cooperation with regulators and other authorities, with an eye toward possible voluntary disclosure situations (see our previous blog post, “Cooperation with the Justice Department: The Rules are Changing”)
  • outlining the proceedings to close the investigation, including the form and preparation of the investigation’s report and implementing the recommendations, including remedial measures and disciplinary actions

Conclusion

The ISO standard reinforces the necessity of support from senior management and leadership during an internal investigation. The standard also provides guidance on thorny challenges that may arise in keeping management informed while still ensuring an independent and objective internal investigation. In addition, the standard addresses other common concerns such as confidentiality protection, anti-retaliation measures, and elements of a robust investigation policy or procedure.

This useful graphic summarizes the standard’s key elements:

[Figure: chart illustrating key elements of the ISO standard for internal investigations]

HeplerBroom’s attorneys have conducted numerous internal investigations across a wide range of industries on a variety of issues, so this new ISO/TS 37008:2023 standard is not a foreign language to us.

If you need an attorney who is conversant with the delicate issues that internal investigations can raise, please contact Glenn Davis in St. Louis or Thomas Wilson in Springfield.

  • Glenn E. Davis
    Partner

    Experience matters. For over 40 years, Glenn Davis’ unwavering commitment to clients has been the delivery of creative and efficient results in dynamic business disputes and cybersecurity challenges. His mission is to provide ...
