How to Audit Your Internal Investigation Program (Part II of III)
As an initial step, an audit of an internal investigation program requires a detailed understanding of the operation of a company’s internal investigation program.
In crafting the audit, the first step is to define the relevant universe of investigations. The audit scope will depend on the number of investigations to be review based on the number of investigations and the years to be reviewed. Assuming that your audit is limited to the prior two years, the number of investigations should be determined by category.
In most cases, the number of investigations will require review of a sample of investigations conducted by: (1) office/investigator (e.g. headquarters, region or local staff); (2) type (e.g. human resources, conflict of interest, theft, bribery); (3) geographic location. The audit scope should seek to ensure that a representative sample from as many locations and as many types are conducted so that meaningful findings can be made. If a sample from one location is small, such an audit may not be helpful since the review may be too small.
The audit scope should also ensure that a broad cross-section of investigation sources is examined, including hotline reports (identified and anonymous), walk-ins (e.g. human resources, compliance), government investigations or proactive requests.
Assuming that you have defined your audit scope to address all of the significant aspects of the internal investigation program, you will need to define the standard operating procedures or controls that need to be evaluated. Once these are defined, a review of an investigation file and documents will have to be conducted.
The audit review for each file should reflect evaluation of the following controls and factors (assuming a reasonable number of best practice SOPs).
For each case, the audit should collect basic information about each case selected under the scoping procedure/ These basic facts include: (1) Source of investigation; (2) Location of investigation (business unit and country/office); (3) investigation offense(s) (code and legal); (4) Privileged v. Non-Privileged; (5) Notification(s) (complainant, subject); (6) Assignment of investigation; (7) Lead investigator; (8) Absence of conflict of interest; (9) Date of investigation initiation; (10) Date of investigation closing; (11) Final action; and (12) No. of days opening to closing.
The basic audit review should include identification of the individuals involved, including the complainant and the individuals investigated (or subjects of investigation). The initial summary should include the issues investigated, the results of investigation (substantiated v. unsubstantiated), the disciplinary action (if any) and remediation steps.
After collecting the basic information for each of the audited cases, the review should focus on the conduct of the investigation itself. As a threshold matter, the audit should almost exclusively depend on a documented case file. To the extent items are not documented, this would be an important audit finding to record.
With regard to the specific investigation, and assuming these items are required under the standard operating procedures and based on templates available for use in each investigation, the following items should be reviewed: (1) Initial assessment; (2) Investigation plan, including proper scoping, evidence collection and review (documents and other sources), and witness interviews; (3) elements of offense(s) analysis; (4) Document hold and preservation steps; (5) Internal/external assistance; (6) Notifications/Contacts with complainant; (7) Subjects of investigation; (8) Proper confidentiality arrangements; (9) Document review; (10) Witness interviews (properly conducted, scoped and memorialized); (11) Documented Upjohn warnings.
Evaluation of these items may involve judgment calls as to proper scope, substance, document review. Some of the items are binary – yes or no – and good data points. While I recognize that the judgment calls may suggest a lack of objective analysis, such a review should not be used s a flyspecking review but more forgiving to make sure that there is an explanation for any decision and barring some major factor that was ignored, such discretion should be counted as a positive result.
A separate portion of the review should be focused on the review of the written investigative report for key elements of an investigation. If a documented report is not included in the file, that would be a clear deficiency.
As to the substance of the report, it should include: (1) Outline of allegations; (2) Investigative steps; (3) Chronology of events; (4) Factual analysis; (5) Review of documents and witness statements; (6) Specified credibility determinations; (7) Explanation of determinations.
The last step in the investigation audit should focus on the review of the investigation. Hopefully, the company has appointed an independent committee to review the investigations and impose consistent discipline. This review process should be documented as well, and therefore subject to review.
The independent committee review factors should include: (1) Approval, rejection or referral back for additional investigation (if the independent committee required further investigation and sent the investigation back to address identified deficiencies, this should be captured); (2) Analysis; (3) Reasons for discipline or resolution and explanation; (4) Consistency analysis and explanation; (5) Root cause analysis/contributing factors; (6) Communication of decision (complainant and subject/violator); (7) Days for review and resolution; (8) Remediation and confirmation of changes implemented.
The audit results for each of the investigation phases can be tracked, categorized and analyzed for trends and observations. Once conducted, the audit framework can be used (and modified, if needed) to develop trends over time and the ability to document improvements and modifications to a company’s ethics and compliance program.