Investigating the Insider

By Michael J. Missal and Andrew H. Feller

When to Investigate

Whether to conduct an internal investigation should be considered carefully. Once the decision is made, it is difficult to reverse. An investigation that is halted before it is completed can lead to claims of a cover-up or failure to ascertain the facts.

Internal investigations typically should be conducted when there have been credible allegations or suspicions of significant wrongdoing, misconduct, or ethical lapses. There are many factors that are important in determining whether an internal investigation should be conducted, including the magnitude of the alleged harm to the company (separate criteria apply regarding investigations of prohibited employee behaviors, such as harassment), the existence of any governmental inquiry, the extent of publicity that the matter has received, the number of employees involved, the duration of the alleged wrongdoing, the prior disciplinary history of the company, the culture of the company, and the aggressiveness of the company’s board of directors. Internal investigations may also be appropriate where there have not been specific allegations against a company but where there have been allegations of misconduct within the industry or against a competitor. 

A good example of an industrywide development that could lead a company to conduct an internal investigation was the widespread backdating of stock-option grants in early 2007, a practice which can lead to the misstatement of a company’s financial accounts. After the publication of an academic study showing that the practice had been widespread before being made impractical by a rule change, hundreds of companies began internal reviews of their historical options-granting practices in anticipation of widespread investigations by the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ).

In other cases, the circumstances leading to an internal investigation are specific to the individual company. In some instances, a whistleblower from inside or outside the company may bring an issue to the management’s attention, which will lead the board to conduct an investigation as an exercise of its duty of care.

Alternatively, the company’s own internal audit or internal security functions may detect practices that are illegal or violate the company’s guidelines. In such circumstances, companies should conduct an internal investigation to mitigate the company’s potential liability and to determine what changes to institute to prevent future problems.

Certain government agencies, including the SEC, have stated explicitly that they will consider a company’s efforts to conduct an investigation when deciding whether to charge that company with wrongdoing. DOJ guidelines for charging corporate entities with criminal conduct—as revised in 2007 through the McNulty memo—urged prosecutors to consider whether the company shared the results of any internal investigation with the government.

Who Should Lead

Who should lead an internal investigation of major crimes depends on the situation. If the matter looks contained—if, for example, it concerns impropriety within one department or division—and if it is not linked to senior management, security can usually handle the situation alone regardless of whether the security department reports to the CEO.

By contrast, if the case involves allegations against executives or issues that could have a major impact on the company’s reputation, value, or viability, an outside firm might be a better solution, because the results of these types of internal investigations must be beyond reproach. One way to achieve credibility is to ensure that the probes were conducted by a truly independent third party. This entity should be an outside law firm or investigative team that has not done extensive work for the company. Companies may face skepticism as to the credibility of their efforts to examine themselves or root out wrongdoing if the outside agency that conducts the investigation is considered too closely tied to the company.

Among the more extreme examples of this was when Ken Lay hired Enron’s main outside counsel, Vinson & Elkins (V&E), to conduct an investigation into the allegations contained in a whistleblower letter. Many of the transactions that V&E reviewed as part of its investigations had been undertaken in the first place only with the assistance of V&E. Therefore, V&E was in the position of reviewing its own work. The court-appointed examiner who reviewed Enron’s collapse in bankruptcy was harshly critical of this dual role.

Another consideration is that the third party has no role in any governmental investigation that is already underway. In one prominent case, the City of San Diego hired outside counsel to conduct an internal investigation into possible improprieties relating to the city’s municipal bond sales and transactions with its pension fund. After the firm that was conducting the investigation also began defending the city in a related SEC investigation, the city’s auditors publicly questioned whether that firm could complete its internal investigation in an objective and independent manner. Ultimately, another firm was hired to conduct a separate investigation relating to the same conduct, at great cost to the city. 

Obviously, if there have been any allegations that the CEO, general counsel, or any member of the board has engaged in wrongdoing, those people should not have any involvement in, or influence over, the investigation. Alternative structures, including board committees, can be used in these circumstances.

For instance, one measure implemented as part of the Sarbanes-Oxley Act requires that corporations establish audit committees with responsibility for developing procedures to receive, retain, and investigate complaints of financial fraud involving auditing, accounting, or internal-control issues. The law empowers those audit committees to hire their own counsel to conduct such an investigation.

The audit committee, the security director, or the person within the company who is in charge of hiring and receiving reports from the third party should designate an employee to act as a liaison and facilitator who can help the third party identify sources for relevant documents. That person should assist in arranging interviews and performing other administrative tasks. This facilitator may or may not be a member of the security department but should not otherwise participate in the investigation or be privy to the findings.



The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.