When investigations of wrongdoing are mismanaged, the effects can be long-lasting. An example came to light in July, when the U.S. Department of Justice (DOJ) inspector general released a report on the Federal Bureau of Investigation's handling of sexual abuse allegations by a former USA Gymnastics physician. The report highlighted errors such as failing to act promptly, mistakes in handling and documenting evidence, and gaps in notifying external parties.
Internal audit functions should be alert to when and how they can participate in internal investigations. In addition to direct involvement in investigations, auditors can provide assurance and advice on their organization's investigatory process.
Cases of investigations that have gone awry have led to claims of discrimination, retaliation, or situations where the misconduct continued while waiting on action. Delayed responses can be a missed opportunity to gather the correct data or assemble the best team. Conversely, acting too hastily can result in less thorough work, premature conclusions, and assembling the wrong team.
Investigations can introduce or magnify risks in areas such as compliance, third-party management, data security, privacy, and insurance claims. Ramifications of improper investigations can lead to reputational damage, litigation, regulator involvement, operational disruptions, low employee morale, and financial losses. While there are many risks, there also are valuable opportunities, including refinement of policies, procedures, behaviors, and practices.
All organizations face challenges in a dynamic regulatory environment. There are numerous rules, laws, international standards, and guidance that address compliance matters and internal investigations. Additionally, an International Organization for Standardization working group is developing an internal investigations standard.
The variety of laws and regulations, coupled with the availability and relevance of guidelines, makes the compliance landscape complex. Requirements may apply based on the organization's operational or jurisdictional locations, among other facts and circumstances. Entities must understand that inappropriately managed investigations can result in legal and regulatory violations due to:
- Issues about where, when, and how interviews take place, along with the type of questions being asked.
- Inappropriate or unauthorized recordings.
- Inadequate management of personal, confidential, or sensitive data.
- Inconsistencies in how similar investigations were handled in the past.
Auditors on the Case
Historically, statistics from the Association of Certified Fraud Examiners' Report to the Nations show that internal audit is a top source for tips that lead to detection of occupational fraud. When an allegation is made, auditors must fully understand and follow appropriate internal and external communication and escalation protocols.
Internal audit can be involved in a variety of capacities:
- Main investigator. The board or management may request internal audit to perform investigations over certain matters. These responsibilities already may be included in the approved charter for some audit functions. For others, the decision is made on a case-by-case basis.
- Investigation team member. Internal audit may be requested to provide specific support to another function or a third party that is conducting the investigation. The type of involvement can range from facilitating or conducting interviews to performing data analytics and documenting facts.
- Witness. In some cases, auditors may be called to serve as a witness based on their observations in the case. As always, audit should remain factual and objective.
While internal audit should be prepared to support any of these roles, audit leadership should not blindly jump into the execution or ownership of internal investigations. It is imperative that auditors have the right knowledge, skills, training, and experience. Auditors also must understand when and how coordination needs to take place with other functions and external parties. Otherwise, their participation could unintentionally taint the outcome and be detrimental.
Internal audit's involvement in investigations is not always as a participant. It also can provide a variety of assurance services.
Internal Reporting. Internal audit can provide assurance on the accuracy and completeness of internal reporting. This may include validation of metrics such as the number of allegations received and reported to the governing body, percentage of substantiated cases, trends on allegation types and disciplinary actions, and average cost or duration per investigation.
Internal and External Compliance. Auditors can validate that the complaint-handling process is managed and executed appropriately. They should determine whether the process follows internal policies and procedures as well as whether it complies with applicable rules, laws, and regulations.
Lessons Learned. Auditors can give assurance about prompt and adequate fixes to particular or systemic issues, including revisions to processes, policies, and training materials.
Confidentiality. Internal audit can review procedures regarding the management of hotline activity. Practitioners should pay close attention to the privacy and confidentiality of whistleblowers and those being accused.
In addition to assurance, internal audit can provide advice to the organization to improve its investigation processes.
Triage Procedures. Auditors can assess triage procedures for received allegations, along with intake steps and factors in the preliminary assessment phase. Examples include prioritization, reaction speed, scoping, assignment of resources, and how the organization determines when not to investigate.
Case-management System. Internal audit can provide advice during the implementation of a case-management system or on the effective use of the system's capabilities. Auditors can advise on access controls, task automation opportunities, feasibility of enhanced reporting, interfaces with other platforms, and records-retention safeguards.
Controls. Auditors can advise on anti-fraud controls and other "anti-misconduct" controls in areas such as harassment, discrimination, safety, and retaliation.
Training, Promotion, and Awareness. Auditors can help facilitate training sessions to raise employees' and third parties' awareness of reporting mechanisms. In addition, internal audit can advise on the visualization of data tracked in a case-management system or obtained through e-discovery techniques, chain of custody controls, and the use of cross-functional data and information.
Communication, Cooperation, and Collaboration
Investigations present risks, and internal audit can protect value by providing services around the investigatory process. Auditors must be aware of the risks and trained to participate and contribute. Equally important, there may be cases where value can be protected by not participating in investigations at all. Regardless of the strategy, audit should align its activities with the board and management, and ensure communication, cooperation, and collaboration among all roles.