The latest Audit Committee Brief from Deloitte covers Internal Investigations: 10 Ways to Prepare in Advance. Now apart from the obvious correction (there's only one way to prepare and that's in advance), I have some serious issues with the guidance.
We should first recognize that Deloitte offers fraud investigation services, so it has a perspective and interest that differs from mine — which comes from decades of performing, managing, or providing oversight of investigations as the head of internal audit and an employee of the organization.
The piece starts with some interesting information, analyzing the whistleblower tips received by the U.S. SEC in August and September 2011 (presumably the latest data available).
- 334 tips were received, 32 from outside the U.S. (China and U.K.).
- 54 related to market manipulation, 52 related to 'offering fraud', 51 to corporate disclosures and financial statements, 25 to insider trading, etc.
Deloitte moves on to talk about being prepared, and I fully endorse that recommendation.
Their first step is "preparing investigative protocols." Now while much of their advice is fine, they miss the most important point (IMHO): it is rare that the audit committee will be the first to receive an allegation or tip. It will go either to a whistleblower line or an employee. Even when tips go to a whistleblower line run by an independent third party, that third party is directed by an employee and most tips are routed to an employee for action. In my experience, that is almost always the head of internal audit. It could be the chief compliance officer if the organization has one. Either way, it is not the audit committee that assesses the tip and decides how it will be handled.
I believe that the audit committee has to delegate the handling of tips to a single, senior and respected individual (not to a committee). As I said, this is normally the head of internal audit (and I will assume that in my comments below). This is the most important part of any "investigative protocol."
Another part of the "protocol" is recognizing that as few people as possible should be aware of the allegation and investigation. The CEO and CFO, despite their protestations, do not have a need to know about an investigation unless the amount is massive or there is reason to believe a senior official is involved. They can wait until the investigation has been concluded!
Tips and allegations have to be assessed to determine whether there is sufficient information, whether the activity would be a violation of the company's codes and policies if true, the type of allegation (e.g., financial statement fraud, complaints about product quality, discrimination in hiring, or unsafe working conditions — remember that the vast majority of tips received on hotlines relate to personnel policies), and its severity.
Not every allegation can and should be investigated. Sometimes the activity being alleged is not a violation of company policy (I received one where the complaint was that the employee had refused to date the husband of a customer!). Sometimes, the allegation is vague and without additional information little can be done.
The audit committee should agree with the head of internal audit when and how the committee (usually the chair rather than the full committee) should be involved. My recommendation is that the audit committee is alerted if a senior official is potentially involved (and "senior official" will have to be defined); when the potential loss is greater than a defined value; when the issue could indicate a significant (defined) breakdown in internal controls; or otherwise at the discretion of the head of internal audit.
The audit committee should not be involved in the minutiae, such as ensuring the admissibility of evidence. They should be able to leave that to the head of internal audit.
I am wary about using attorneys, however skilled they say they are in performing investigations. I monitored the investigation of a senior official by outside counsel (hired by the audit committee, recommended by general counsel) and all I can say is that it was at best appalling and at worst atrociously negligent. But I am also wary about using former police detectives without in some fashion keeping in check their inbred view of employees as "suspects." Great damage can be done to an employee's reputation if care is not taken in how that individual is treated and how information is shared on the status of the investigation.
I am also wary about using an external audit firm. I have seen too many times (at two major corporations) lasting damage from a heavy-handed investigation that left in its wake not only a few fired managers but many dispirited employees — most of whom soon left.
I favor the use of experienced and certified fraud examiners.
The advice on responding promptly and prudently is sound, as is the distinction between an investigation and an internal audit. Not every internal auditor is trained and sufficiently experienced to conduct an investigation (although they are usually better than attorneys, in my experience).
The rest of the Deloitte advice is fine, although missing a couple of key points:
- How will the results of the investigation be reported and to whom? I don't think there is a need to bother the audit committee with every investigation.
- Who will determine what action to take once the investigation has been completed?
This last question is very important. Not only do decisions have to be made about potential disciplinary actions, but also about any corrections to internal control, etc.
I welcome your views and comments. I am sure I have missed some points — and expect feedback from the legal community!