Conducting corporate
internal investigations
Michael Missal, Ed Fishman*, Brian Ochs and Rebecca Kline Dubill
Received (in revised form): 17th July, 2007
*Kirkpatrick & Lockhart Preston Gates Ellis LLP, 1601 K Street NW, Washington, DC 20006, USA;
Tel: +1202 778 9000; Fax: +1202 778 9100; E-mail: ed.fishman@klgates.com
Michael Missal is the global leader of the firm’s
Policy and Regulatory Practice. He regularly represents public companies, financial institutions,
officers and directors, and other entities in connection with internal investigations, securities litigation
and enforcement, and related regulatory and litigation matters. He served as Lead Counsel to the
Examiner in the WorldCom bankruptcy proceeding
and as Lead Counsel to the Independent Review
Panel for the CBS News investigation of the 60
Minutes segment on President Bush’s Texas Air
National Guard Service. Prior to joining the firm, he
served as Senior Counsel in the Division of Enforcement of the US Securities and Exchange Commission (SEC).
Ed Fishman represents private and public sector
clients in various regulated industries with respect
to government and internal corporate investigations, corporate transactions and related regulatory
matters. He frequently represents US and multinational clients in the financial, project development
and technology industries with respect to anticorruption, accounting and related internal control
and corporate governance matters.
Brian Ochs concentrates his practice in securities
enforcement matters, broker–dealer regulation and
internal investigations. He frequently advises banks,
broker–dealers and other financial institutions and
their officers and directors in connection with SEC
investigations, litigation and other enforcement
matters. Prior to joining the firm, he spent ten years
on the staff of the Enforcement Division of the SEC,
where he served as Assistant Director from 1998
to 2003.
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
Rebecca Kline Dubill specialises her practice
on internal investigations, securities enforcement and related arbitration and litigation matters.
She has extensive experience in conducting and
coordinating complex internal investigations in a
number of substantive areas. She also represents
broker–dealers, investment companies, investment
advisers, corporate officers and directors, and other
individuals before the SEC, the US Department of
Justice (DOJ), the New York Stock Exchange and
the NASD.
ABSTRACT
KEYWORDS: US corporate internal investigations, best practices, Sarbanes–Oxley
Internal investigations of possible illegal or improper
conduct by corporations have become an increasingly
important exercise of good corporate governance in the
United States. In the wake of the major corporate scandals
involving Enron and WorldCom, the US Congress
enacted tougher corporate accountability standards through
the Sarbanes–Oxley Act of 2002 (‘Sarbanes–Oxley’).1
The financial statement certification and increased Board
of Director responsibilities set forth in Sarbanes–Oxley
have contributed to the rising importance of corporate
internal investigations. In addition, US regulators at the
federal, state and local levels have fostered an emerging
culture of corporate compliance by giving credit to companies that take voluntary steps to investigate, disclose and
halt any illegal or improper conduct. This paper describes
various best practices that have emerged in the US for
conducting corporate internal investigations, particularly
Vol. 4, 4, 297–308
International Journal of Disclosure and Governance
www.palgrave-journals.com/jdg
297
Conducting corporate internal investigations
those involving high-profile matters that are of paramount
importance to the financial status, risk exposure or
reputation of the company sponsoring the investigation.2
International Journal of Disclosure and Governance (2007)
4, 297–308. doi:10.1057/palgrave.jdg.2050065
WHEN SHOULD AN INTERNAL
INVESTIGATION BE CONDUCTED?
An internal investigation may be initiated for
a variety of reasons, but is typically conducted
when there have been allegations or credible
suspicions of wrongdoing, misconduct, or
ethical lapses by a company or its employees.3
These allegations can come to the attention of
the company through whistleblowers, the
results of internal or external audit reviews, or
as a result of financial problems. An internal
investigation also may be warranted when there
have been allegations of wrongdoing by a
competitor company or within an entire
industry. These allegations against third parties
often are brought to the company’s attention
through media reports, private litigation or the
actions of government regulators.
The decision to conduct an internal investigation should be carefully considered, as there
are significant potential risks as well as benefits,
and the decision to initiate an investigation is
very difficult to reverse. An internal investigation may be costly and disruptive to a company’s ongoing operations, depending on how the
investigation is carried out and the scope of
the conduct at issue. An internal investigation
may expose the company and its officers,
directors and employees to criminal or civil
liability by setting forth a ‘roadmap’ for government regulators or private plaintiffs that
reveals the identity of potential wrongdoers,
describes significant evidentiary material and
provides an outline of potential causes of action.
An internal investigation also may uncover
misconduct beyond the scope of the initial
allegations.
These potential drawbacks of an internal
investigation, however, will often be more than
offset by its potential benefits. A key benefit is
298
the role that an internal investigation can play
in limiting potential exposure to criminal or
civil liability as a result of corporate wrongdoing. A prompt and thorough internal investigation might forestall or limit the scope of a
separate government investigation by allowing
the regulator to assess the relevant evidence
gathered and legal conclusions drawn by the
internal investigators while conserving its own
limited resources. Also, the disclosure of the
results of an internal investigation to regulators
may focus any external investigation on particular individuals responsible for the misconduct
and may avoid or defer criminal prosecution
against the company itself for the acts of its
agents. Many US regulatory agencies such as
the Department of Justice (‘DOJ’) and the
Securities and Exchange Commission (‘SEC’)
have formal policies that take cooperation into
account when deciding whether and the extent
to which civil or criminal penalties should be
imposed against a corporate entity in a particular circumstance.
A company may be eligible for significant
cooperation credit if it undertakes a credible
internal investigation, makes a prompt and
voluntary disclosure of the results of that investigation to the relevant regulators and takes
steps to discipline individual wrongdoers and
improve corporate oversight controls. In
contrast, the failure of a company to investigate
despite ‘red flags’ suggesting improper conduct
could subject that company to greater potential
penalties if regulators conclude, based on the
results of their own investigations, that misconduct occurred and was not disclosed or remedied in a timely manner.
Another important function of an internal
investigation is to provide the company with
the facts it needs to make informed decisions
about the consequences of potential misconduct. For example, an internal investigation can
help identify corporate personnel who should
be terminated for violating the law or otherwise disciplined for violating the company’s
policies and procedures. In addition, an internal
investigation often will identify internal controls,
International Journal of Disclosure and Governance Vol. 4, 4, 297–308
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
Missal, Fishman, Ochs and Dubill
financial reporting practices and other internal
procedures that should be strengthened and
improved. An internal investigation also can
provide the information necessary to determine whether settlement of government
charges or private litigation is advisable.
An internal investigation also may be
compelled by mandatory reporting requirements. For example, Sarbanes–Oxley requires
CEOs and CFOs of public companies to certify
that the company’s public filings fairly represent, in all material aspects, the company’s
financial position and results of operations. A
CEO or CFO may be unwilling or unable to
make such a certification, or a company’s independent auditors may be unwilling to proceed
with their review of the company’s financial
statements, until the completion of an internal
investigation into possible accounting or financial disclosure irregularities. Moreover, selfregulatory organisations (‘SROs’) such as the
National Association of Securities Dealers
(NASD)4 or the New York Stock Exchange
often require that members report breaches of
applicable law or SRO rules. A company may
need to conduct an internal investigation and
gain a more complete understanding of the
facts in order to make an effective disclosure.
WHO CONDUCTS THE INTERNAL
INVESTIGATION?
An internal corporate investigation is most
frequently conducted by a company’s in-house
counsel, by its internal audit department, or by
regular or independent outside counsel. A
company’s in-house counsel or internal audit
department will be more familiar with the
company’s business, the company’s document
retention policies and the company’s employees.
Moreover, management and the relevant
employees may feel more comfortable with
having insiders investigate potential wrongdoing and the overall costs of the investigation
most likely will be lower. Therefore, many
routine corporate enquiries into employment
law matters, the sufficiency of certain internal
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
controls and other matters are conducted by
in-house counsel or internal audit. There are,
however, compelling reasons to retain outside
counsel in certain circumstances, perhaps especially in high-profile investigations where
objectivity is a prominent concern.
The type of alleged improper conduct that
may compel an independent internal investigation often will be dependent on a variety of
factors including the structure of the company,
the regulatory framework applicable to its business, the company’s history of prior offences,
the severity and scope of the allegations of
misconduct, and the attitude of management
and the Board of Directors. In general, however,
an internal investigation by an outside firm may
be appropriate when the misconduct involves
corporate officers or directors, potentially
violates applicable laws, relates to accounting
or other financial irregularities, or might lead
to regulatory investigations and enforcement
action.
At a minimum, the retention of an outside
law firm rather than an in-house investigator
makes an investigation more likely to be
perceived as objective and independent, particularly if the outside law firm does not normally
do extensive work for the company. In highprofile matters, an outside law firm experienced
with such internal investigations probably
has the necessary resources to complete an
investigation quickly and may be in a better
position to ensure the integrity and effectiveness of the investigation (as perceived by
regulators or other third parties). Outside
counsel also may have more expertise in the
techniques of conducting internal investigations and in the relevant substantive areas of
law. An outside firm should retain specialised
experts as needed, such as accountants or
forensic investigators.
WHO CONTROLS THE INTERNAL
INVESTIGATION?
At the outset of an internal investigation,
the identity of the client on whose behalf the
Vol. 4, 4, 297–308
International Journal of Disclosure and Governance
299
Conducting corporate internal investigations
investigation is being conducted and the scope
of the investigation should be made clear.
Depending on the circumstances, internal
investigations may be controlled by a company’s
management, Board of Directors, a standing
committee of the Board (such as the Audit
Committee) or a specially created committee
of the Board dedicated to overseeing the investigation. Counsel may have to work through
different lines of supervision and authority for
the investigation, depending on who is implicated in the potential misconduct and who is
viewed as the client. If there are any suggestions
that particular members of senior management
or the Board of Directors were engaged in
wrongdoing, those parties should not have any
influence in or control over the investigation.
In situations where outside counsel is engaged
to conduct an independent internal investigation, it is often helpful when the company
appoints an employee as a ‘facilitator’ to
help outside counsel identify likely sources for
relevant documents, arrange interviews and
facilitate counsel’s access to witnesses and documentation. This facilitator should be someone
who has not been implicated in the wrongdoing.
Investigating counsel and the client also
should agree upfront on the initial scope of the
investigation, which can then be re-evaluated
as necessary. The scope should be broad enough
to include lines of potentially relevant enquiry
that may not be obviously related to the
suspected misconduct. Time and resource limitations may, however, require a more narrow
scope. If the company is under pressure to issue
financial statements by a specific deadline, or if
the company is on the verge of bankruptcy and
has resource constraints or limited access to
former employees, a full internal investigation
of all potential misconduct may not be possible.5
After an initial determination about the scope
of the investigation is made, an engagement
letter should be prepared by the outside investigative team that specifies the identity of the
client and delineates the likely scope of the
investigation.
300
HOW SHOULD AN INTERNAL
INVESTIGATION BE ORGANISED AND
INITIATED?
Careful attention should be given to putting
together the appropriate team of lawyers
and any necessary experts. Since the primary
objective of an internal investigation is to
ascertain facts, not advocate a position, the
investigators should be capable of being
objective and balanced. Former prosecutors
who are experienced in gathering facts and
conducting interviews often are useful members
of the investigating team. Productive lines
of enquiry likely will emerge if time is taken
at the start of an independent investigation
to learn the structure and operation of the
relevant business, with the help of accounting
or other experts if necessary. A leader of the
investigative team should be designated to
coordinate and supervise the activities of the
investigators, interface with and provide status
updates to the client and any interested regulators, and serve as the primary editor of any
written or oral report on the results of the
investigation.
A work plan should be prepared and
revised as necessary so that the investigative
team clearly understands its objectives and
responsibilities, including keeping disruption of
the ongoing business to a minimum. Team
members should frequently communicate
with each other so that everyone is aware of
developing issues and facts as documents are
reviewed and interviews conducted. They also
should be sensitive to maintaining the confidentiality of the investigation, as premature
leaks of information within the company or to
the media will make it harder to get candid
responses from interviewees and may threaten
the integrity of the process. Finally, investigating counsel and the client should give
some thought at the outset as to whether a
final report on the results of the investigation
will be in oral or written form, so that the
appropriate information is documented in
appropriate detail during the course of the
investigation.
International Journal of Disclosure and Governance Vol. 4, 4, 297–308
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
Missal, Fishman, Ochs and Dubill
HOW SHOULD THE INTERNAL
INVESTIGATION BE CONDUCTED?
Documents
The documentary record can be one of the
most important sources of information in an
internal investigation. Documents are crucial to
piecing together a coherent narrative, especially
where witness recollections may not be fresh
or may be biased. A system for collecting,
organising and reviewing both hard copy and
electronic documents should be established
from the beginning of the investigation. In
independent investigations, this process can be
facilitated with the assistance of an in-house
lawyer or paralegal familiar with the company’s
document management systems. The use of
customised document management technology
(scanning and cataloguing tools), which
enhances the ability of the investigative team
to search, organise and retrieve needed items
from the vast amount of data that is likely to
be collected, also can be extremely helpful.
At the outset of an investigation, a notice of
investigation should be distributed to any
employees who may have relevant information.
The notice should provide sufficient details to
communicate the scope of the investigation,
but not indicate the direction of the investigation or otherwise jeopardise the integrity or
confidentiality of the enquiry. Employees
should be told that the investigation is confidential and that they should not discuss the
investigation or the underlying issues with
anyone except counsel that they may elect to
hire to defend their personal interests. The
notice of internal investigation should be
accompanied by a document preservation
notice that instructs employees not to alter,
discard, destroy or conceal potentially relevant
evidence. The usefulness of an internal investigation may be seriously impaired by the failure
to identify and secure relevant documents, so
any document preservation notice should err
on the side of being over-inclusive.
To preserve and secure relevant electronic
documents and communications, a company’s
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
routine data destruction and deletion policies
should be stopped. Documents should be
retained on the network and restored if deleted.
Hard drives and laptops of relevant employees
— along with personal computers and personal
digital assistants (‘PDAs’) if necessary — should
be collected and imaged promptly. In certain
situations, it may be prudent to secure the
offices and hard copy files of relevant employees.
Particular care should be taken to preserve
e-mails, as they reflect the contemporary and
unfiltered state of mind of the sender and can
therefore be an invaluable source of evidence.
Relevant employees should be given a comprehensive list of requested documents, including
drafts, notes and off-site documents (including
any documents that may have been taken home).
Counsel also may consider obtaining a signed
certification from employees that they have
provided all responsive documents and data.
Once collected, documents should be
reviewed for relevance and privilege. Privileged
documents should be segregated immediately
and accessible only to counsel and its agents to
prevent inadvertent waiver of the attorney–
client or work product privilege. Preferably, a
preliminary list of potential interviewees can
be drawn up during the initial document
review phase so that a separate set of relevant
documents can be assembled in preparation for
each interview. Documents also may be sorted
into sets by subject matter. ‘Hot documents’ of
particular importance to the investigation
should be circulated to relevant personnel on
the investigation team and copies kept in a
separate set. The document review team generally will be responsible for assembling and
maintaining a detailed chronology of the events
under investigation, cross-referenced with
relevant documents and other source material
(such as interview notes) and continuously
updated to facilitate the preparation of the final
oral or written report.
Interviews
Interviews are typically the greatest source of
information in an internal investigation, so they
Vol. 4, 4, 297–308
International Journal of Disclosure and Governance
301
Conducting corporate internal investigations
should be carefully planned for and conducted
as promptly as possible. Interviews can provide
useful context, flesh out the meaning of documents, direct investigators to important issues
or additional sources of evidence, and generally
help investigators evaluate facts and assess
credibility. Generally, an interview should be
conducted as quickly as possible to get an
unvarnished recollection and ‘lock in’ a witness’s
story — perhaps even before a significant
number of documents have been reviewed. If
counsel will, however, have only one opportunity to interview someone (eg, a senior officer),
it might be best to conduct such an interview
at a more advanced stage of the investigation
after more information has been gathered. In
many cases, it will be necessary to interview
people more than once: first, to gain a general
understanding of the events at issue, then again
later to gain more specific and targeted information and to show the witnesses relevant
documents that may contradict their recollections. It is often beneficial to interview lowerlevel employees first before speaking with more
senior officials to gain a better understanding
of events and relevant personnel.
Interviews should be conducted by at
least two lawyers whenever possible, allowing
one lawyer to concentrate on the questions
and any relevant documents while the other
lawyer takes down written notes. Typically, it is
better not to record interviews so that any
privileges can be protected and so that the
witness is less intimidated. Having at least two
investigating lawyers present can facilitate recollection of what a witness said on a particular
subject. Also, an employee should be given the
option to have a lawyer present at an interview.6 This accommodation should not significantly delay an interview, and the lawyer
present should be encouraged not to interfere
with the questioning. Allowing the interviewee’s lawyer to ask questions at the end of the
interview might facilitate these goals and also
might help the investigation’s fact-finding
mission by adding important information to
the record.
302
At the beginning of every interview, counsel
should provide what is commonly known as
the ‘Upjohn warning’.7 At a minimum, these
warnings state that counsel has been retained
to conduct an investigation, that the information obtained during the interview is privileged, that counsel does not represent the
witness and that the decision whether or not
to waive the attorney–client privilege rests
solely with the entity that retained counsel to
investigate. If the interviewee is a current
employee, additional warnings may be appropriate, such as notice that there is a related
government investigation, that the company is
cooperating fully with that investigation, that
the company may turn over a written summary
of the interview to the government or that the
company intends to waive the attorney–client
privilege applicable to the matters discussed
during the interview. Failure to make such
disclosures could cause the witness to challenge
the propriety of the interview and perhaps the
sufficiency of the investigation itself.
Generally, in-person interviews (and to a
lesser extent phone interviews) are preferable
to written questionnaires, as they enable fuller
communication and provide a better means of
preserving any claim of attorney–client privilege. Also, counsel may find it useful to begin
an in-person interview by asking relatively
open-ended questions without direct use of
documents in order to ascertain what the
witness is able to remember independently.
After obtaining the witness’s independent
collection, counsel could then show the interviewee relevant documents to refresh memory
and assess credibility during the rest of the
interview.
PRESERVING ATTORNEY–CLIENT
PRIVILEGE AND WORK PRODUCT
PROTECTION
Preserving the attorney–client privilege and
work product protection is crucial for maintaining maximum control over the results of
an investigation. Failure to maintain these
International Journal of Disclosure and Governance Vol. 4, 4, 297–308
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
Missal, Fishman, Ochs and Dubill
privileges could leave some of the company’s
most sensitive information in the hands of
regulators, private plaintiffs, or competitors.
Ultimately, a company may choose to waive
applicable privileges and disclose the results
of an investigation to regulators or the public.
The company and its counsel should, however,
ensure that disclosure remains an option and
not a forced circumstance.
Communications between a corporate
employee and investigating counsel are only
protected by the attorney–client privilege in
the following circumstances: (1) where the
communication is made for the purpose of
securing legal advice; (2) where the employee
is communicating at the direction of his corporate superior; (3) where the superior is making
the request so that the corporation can secure
legal advice; (4) where the subject matter of
the communication is within the scope of the
employee’s corporate duties and (5) where the
communication is not disseminated beyond
those persons who, because of the corporate
structure, need to know its contents. Therefore,
to preserve the attorney–client privilege, it
should be stated early and often (such as in the
engagement letter and in written summaries of
interviews) that the investigation is being
conducted at the client’s request and is undertaken for the purpose of providing legal
advice. Also, management should directly
instruct employees to cooperate with the investigation and any written summaries of interviews prepared by counsel should specify that
the information was provided at the request
of the company and in furtherance of the
investigation.
The work product protection extends to
materials prepared by or on behalf of counsel
in anticipation of litigation. There are two
different types of work product that can be
developed during an internal investigation:
(1) factual work product, which includes any
evidence gathered by the investigative team and
(2) opinion work product, which includes the
mental impressions of counsel. Factual work
product may be discoverable by third parties
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
upon a showing of ‘substantial need’ for the
information. Opinion work product enjoys
virtually absolute protection from compelled
disclosure. The investigative team can maximise
work product protection by integrating
legal analysis (such as mental impressions or
legal theories rather than simply facts) into
their written summaries of interviews. All
attorney–client privileged and work product
documents created or collected by the
investigative team should be clearly labelled
‘confidential’ and should note which specific
protection applies.
One of the biggest hurdles in maintaining
work product protection is the ‘anticipation of
litigation’ requirement. Although the test for
whether a communication was created in anticipation of litigation varies by jurisdiction, in
general, there must be an identifiable prospect
of litigation or regulatory investigation. The
work product generated during an internal
investigation is more likely to be ‘in anticipation of litigation’ if the investigation was taken
in response to the existence or threat of regulatory action or private litigation.
As a general rule, disclosure to third parties
acts as a waiver of privileged communications.
Waiver may, however, be avoided if the information is shared under a ‘joint defence’ arrangement with third parties as part of an ‘ongoing
joint effort to set up a common defense
strategy’.8 As a general rule, courts have found
such joint defence arrangements sufficient to
maintain the privilege where the parties have
some common interests, so long as those interests are not so divergent that the parties are
effectively adversaries. Disclosure of privileged
communications (such as the final report of an
internal investigation or the underlying materials used to prepare the report) to the government may be made subject to a confidentiality
or nonwaiver agreement that specifies disclosure is made without waiving any applicable
privileges with respect to third parties. Some
courts have held that the production of information to the government pursuant to such
an agreement does not effectuate a waiver of
Vol. 4, 4, 297–308
International Journal of Disclosure and Governance
303
Conducting corporate internal investigations
attorney–client privilege or work product
protection.
WHAT HAPPENS AT THE END OF THE
INVESTIGATION?
Choosing a report format
At some point during an internal investigation,
the client must make the sometimes difficult
decision of whether to receive a written and/or
oral report of the results of the investigation.
This decision may not need to be made until
late in the process, once most of the relevant
facts are gathered and initial conclusions have
been drawn. Nevertheless, the entire investigation should be conducted with an eye towards
preparing some type of final report.
An advantage of a written report is that it
provides the client with all of the key facts and
legal conclusions in one document. A written
report also provides tangible evidence that the
client has sanctioned a thorough and complete
examination of the issue being investigated. For
this reason, written reports are frequently
provided to regulators as part of a voluntary
disclosure to demonstrate cooperation, presented
during litigation to refute charges of wrongdoing, or offered as the basis of a stipulation
for settlement purposes.
There are also reasons, however, not to
produce a written report. A written report may
contain findings or information that is potentially embarrassing or damaging to the company
if disclosed or leaked to the public. Maintaining
the confidentiality of a written report also can
be difficult and may provide a ‘roadmap’ for
regulators to use against the company. Furthermore, it may galvanise civil litigants who would
otherwise not be aware of the issues under
investigation or the client’s exposure to certain
legal theories.
For these reasons, a client in a high-profile
investigation may consider possible alternatives
to a written report, such as a limited written
report focussed solely on the process of the
investigation and an oral summary report to a
304
limited audience of the Board and/or senior
management. A limited written report might
include only a summary of key findings, an
overview of the investigative process or an
executive summary without supporting details.
An oral report to a limited audience avoids
potential misinterpretation or abuse, while
providing the client with the necessary results
of the investigation. If the existence of an
internal investigation is, however, known to the
public or to regulators, a company’s decision
not to produce a written report may expose it
to accusations that it is trying to conceal the
results.This perception might be more damaging
than public disclosure of the findings through
a written report, particularly in a high-profile
matter.
Essential elements of a report
Whether a final report is delivered to the client
in written or oral form, it generally should
contain the following elements: (1) background
and mandate, (2) executive summary, (3) review
of the investigative process, (4) findings, (5)
conclusions and (6) recommendations. Counsel
should begin assembling an outline of the
report early in the investigation and keep track
of citations to source material for the easy
retrieval of information.
The background and mandate section sets
out counsel’s understanding of all the facts
leading up to the decision to undertake an
investigation. A crucial part of this section is an
explicit identification of the client and a
description of counsel’s mandate in undertaking the investigation (the exact scope of the
investigation and what limitations, if any, were
placed on counsel by the client or external
factors such as the unavailability of key
witnesses). It generally should be followed by
an executive summary section, which describes
the basic findings and conclusions for readers
with various perspectives.
The review section summarises the steps that
counsel took to conduct the investigation: the
number of lawyers and experts involved, the
process used to identify, collect and review
International Journal of Disclosure and Governance Vol. 4, 4, 297–308
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
Missal, Fishman, Ochs and Dubill
relevant documents, the identity of people
interviewed and the overall time taken to
complete the investigation. It also should
describe documents that were unavailable or
witnesses who declined to cooperate or were
otherwise unavailable.This section might include
a narrative assessment of whether counsel
believes it had adequate cooperation from
the client and others to conduct a thorough
and objective investigation.
The findings section should contain a narrative description of the relevant facts, organised
according to the nature of the matter being
investigated (eg, chronologically, or by issue,
transaction, or business group). Because the
findings serve as the basis for the later legal
conclusions and recommendations set forth in
the report, it is crucial for the credibility and
effectiveness of the report as a whole that
counsel be able to identify the authority for
every factual finding in this section. If the
evidence from different witnesses or documents
on a particular point is contradictory, that fact
should be dispassionately noted in the report.
If counsel was unable to verify information or
had any reason to question the accuracy or
authenticity of certain evidence, this also should
be noted and explained.
The conclusion section should provide an
assessment of the potential legal vulnerabilities of
the company and its agents based on the facts
collected during the investigation. It should
therefore lay out the applicable legal standards
and analyse the potential consequences under
those laws of the facts set forth in the findings
section. The particular structure of this section
will be dictated by the purpose of the investigation. Counsel may want to include a wellreasoned discussion of potential legal theories
that it considered but found lacking support.This
can provide the client with a framework for
analysing potential culpability should more information come to light. Alternatively, this section
could persuade relevant authorities that charges
against the company are not warranted.
The recommendations section should
contain a description of actions that counsel
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
believes the company either should or is
legally compelled to take, such as personnel
actions, structural reforms, improved internal
control processes, additional scrutiny of certain
areas, or legal actions against individual
wrongdoers or third parties. Counsel should
be aware that making such recommendations
may expose the company to the scrutiny or
criticism of regulators or others should it
choose not to follow the recommended course
of action.
A final, written report should typically not
be reviewed by anyone in the company before
it is finalised, in order to preserve its integrity
and independence. In some situations (particularly if the issues involved are highly technical),
it may be helpful to allow someone within the
company who has the technical background,
but who is not implicated by the internal investigation to review and comment on a nearfinished draft of the relevant facts to ensure
accuracy.
Disclosure of results
After the investigation is complete and a report
has been made in oral or written form to the
client, the company must decide whether to
disclose the report or the findings of the investigation to regulators or to the general public.
The client should carefully consider whether
the company is legally required to make this
type of disclosure. Such disclosure may be
mandatory in the following situations: (1)
settlement agreements may require disclosure;
(2) some companies are subject to specific
regulations that require disclosure to regulators9; and (3) filings under the Securities Act
of 193310 and the Securities Exchange Act of
193411 must include any material information
needed to make the company’s statements not
misleading. Although only portions or a
description of the key findings from a final
report may be disclosed, the company should
be aware of the danger of selective disclosure.
A company that has conducted a high-profile
internal investigation may have reasons to
consider disclosure to government regulators
Vol. 4, 4, 297–308
International Journal of Disclosure and Governance
305
Conducting corporate internal investigations
or the public even in the absence of any legal
mandate. Voluntary disclosure to the public
often allows the company to control the timing,
content and manner of the public release of
information, enabling it to refute any inaccurate information that may have already been
disseminated. Also, a frank self-appraisal may
resonate positively with investors and the public,
especially where the wrongdoing was of a less
serious nature or was restricted to a limited
number of individuals. Even where underlying
conduct is more egregious or systemic, public
release of the investigative report may provide
a measure of finality that might be preferable
to ongoing piecemeal revelations that constantly
raise new doubts.
Short of full public disclosure, there may be
benefits to making a full and voluntary disclosure to regulatory officials. Such disclosure may
forestall regulatory or criminal action by fairly
presenting the facts and making arguments that
may either dissuade authorities from taking
action or persuade them to be more lenient in
settlement discussions. Government authorities
have increasingly encouraged the voluntary
disclosure of misconduct. For example, the
DOJ’s McNulty Memorandum12 states that
one consideration for prosecutors in assessing
whether a corporation’s cooperation with
government investigators is sufficient to prevent
an indictment is ‘the corporation’s timely and
voluntary disclosure of wrongdoing’. The SEC
has similar guidelines for making voluntary
disclosures.
These potential advantages, however, can be
overstated. A company should seriously consider
the potential risks of disclosure. Both DOJ and
the SEC can be exacting in their assessment of
what is cooperation and will frequently make
additional demands beyond the disclosure of
investigative results (such as requests for additional documents, interviews or an expanded
enquiry into other subjects). Moreover, it is not
clear that meaningful credit is always given for
cooperation. By making a voluntary disclosure
to the authorities, a company may sacrifice
more than it has gained by leaving itself without
306
further leverage against the demands of the
government regulators. Also, by choosing to
publicly disclose the findings, the company may
generate pressure to take disciplinary action
against any wrongdoers or to abandon certain
practices, thereby losing the flexibility to make
such decisions without outside influence.
Another significant drawback to voluntary
disclosure is that, while exceptions exist in
some jurisdictions, as a general rule disclosure
to the government of the report of an internal
investigation will serve as a waiver of the
attorney–client privilege, exposing the report
to discovery in parallel civil proceedings.13
The potential loss of the attorney–client
privilege is a key consideration in deciding
whether to disclose an investigative report
or the results of an internal investigation to
third parties. Courts have resisted attempts
to maintain the confidentiality of investigative
reports once they have been disclosed to
the government.14 There are, however, some
measures that can limit the potential waiver
of any applicable privileges. A company may
want to request a subpoena before disclosing a
report to a regulator, as some courts have held
that disclosure made to the government
pursuant to a subpoena may not act as a
blanket waiver because it was compelled.15 A
company also may try to obtain a signed confidentiality agreement from the government
before turning over the report, as some courts
have held that such agreements protect the
work product privilege, if not the attorney–
client privilege, and therefore may help avoid
disclosure of the underlying documentary
record and source material from the investigation.16 In addition, a company should be attentive to how it uses the report of an internal
investigation, as some courts have found that
‘offensive’ use, such as basing a defence on an
exculpatory report, is incompatible with an
assertion that the report is privileged.17 A
company may have a better chance of preserving
privilege if it bases its defence on the underlying facts developed in the report rather than
the report itself.
International Journal of Disclosure and Governance Vol. 4, 4, 297–308
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
Missal, Fishman, Ochs and Dubill
Disciplining employees
If actual or potential employee wrongdoing
comes to light during an internal investigation,
a company faces the decision of how and
whether to discipline the employees involved.
The company should consider several competing
factors, such as the effect on other employees,
the effect on ongoing operations, the effect on
the continuing investigation and the effect on
the company’s relations with regulators. Degrees
of discipline can range from a written reprimand to termination.
A company also may consider disciplining
an employee for refusing to cooperate with the
internal investigation. An internal investigator
generally has no ability to subpoena witnesses,
and therefore an employee can merely decline
to cooperate with the investigators unless the
employer can exercise some reasonable form of
leverage. Terminating an employee who refuses
to cooperate should not be done reflexively,
as there can be serious consequences for
the company under employment laws. On the
other hand, if a company is perceived as encouraging the intransigence of its employees by a
failure to discipline, it may negatively affect the
company’s public reputation or credit for cooperating with a regulator.Therefore, the company
should document its efforts to encourage
employee cooperation with the internal investigation.
Remedial action
If misconduct comes to light during an internal
investigation, taking immediate action to halt
such misconduct and disciplining wrongdoers
signals to regulators, the investment community
and the public that the company is taking its
obligations seriously, operating in good faith
and willing to take difficult actions if necessary
to remediate any improper behaviour. The
drawback to swift action is that disciplining an
employee may make that employee less
amenable to further cooperation with the
investigation, and, if terminated, the company
may lose all access to the employee for purposes
of the investigation. Also, disciplinary action
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
taken in the midst of an investigation (particularly in high-profile investigations where
members of senior management may be terminated or forced to resign) may alert regulators
or potential third-party litigants to possible
wrongdoing. Finally, acting too hastily may
expose the company to liability if facts later
emerge that mitigate or excuse the conduct of
the person disciplined. Therefore, it is often
advisable to wait until the investigation is well
under way, and to give the relevant person an
opportunity to respond, if possible, before
taking action such as termination (unless it is
abundantly clear that the individual engaged in
wrongdoing or violated important company
policies).
CONCLUSION
The foregoing discussion highlights various
best practices that have emerged in conducting
US corporate internal investigations. Many
of these practices are driven by the legal
regimes and doctrines — such as Sarbanes–
Oxley, the DOJ/SEC emphasis on voluntary
cooperation and the protections of the
attorney–client and work product evidentiary
privileges — that prompt and shape the development of internal investigations. Although
there is no specific statutory law that dictates
the required parameters of an internal investigation, the failure to follow best practices
(as they continue to evolve and emerge) will
threaten the integrity, independence and effectiveness of any internal review conducted by a
US corporation.
ACKNOWLEDGMENTS
We are grateful to Christine Goepp Towberman,
a summer associate with the firm, for her
valuable contributions to the preparation of this
paper. The authors also are indebted to all of
the members of the firm’s internal investigations and securities enforcement practice groups
for their experience, insight and other contributions to the development of these best practices for conducting corporate investigations.
Vol. 4, 4, 297–308
International Journal of Disclosure and Governance
307
Conducting corporate internal investigations
NOTES
1 Pub. L. No. 107-204, 116 Stat. 745 (2002).
2 The use of internal investigations in the US is
not limited to corporations. Many nonprofit
organisations, trade associations and even
governmental entities conduct internal investigations. Moreover, the practice of conducting
internal investigations is not limited to the US.
Although this paper discusses only US corporate internal investigations, many of the principles discussed herein have wider applicability.
3 A corporation generally is liable for the acts
of its corporate officers, employees or other
agents acting within the scope of their
employment and intending in part to benefit
the corporation.
4 Upon completion of NASD’s pending merger
with NYSE Regulation, the new SRO will
be called the Securities Industry Regulatory
Authority (‘SIRA’).
5 In such cases, it is critically important for the
investigative team to identify those issues not
examined, which may warrant further enquiry
by regulators or others with subpoena power.
6 It is not unusual for a company to pay for
an employee’s lawyer, depending on the past
practice of the company, the seniority of the
employee, the employee’s rights to a defence
paid by the company under the employment
agreement and the types of allegations being
investigated.
7 The name comes from the US Supreme Court
decision in Upjohn Co. v United States, 449 US
383 (1981) (holding that the attorney–client
privilege between a company and investigating
counsel extends to communications between
investigating counsel and the company’s
employees).
8 In re Grand Jury Subpoena, A Nameless Lawyer,
274 F.3d 563, 572 (1st Cir. 2001).
9 For example, companies that do business
with the US federal government are required
to disclose information giving ‘reasonable
grounds’ to believe that illegal kickbacks
may have been paid in connection with
308
10
11
12
13
14
15
16
17
International Journal of Disclosure and Governance Vol. 4, 4, 297–308
government contracts. Similarly, regulators
of federally insured banks require disclosure
when a bank believes it has been defrauded.
Securities Act of 1933, 15 USC § 77(a).
Securities Exchange Act of 1934, 15 USC § 17a.
The McNulty Memorandum (issued by the
then Deputy Attorney General Paul McNulty
in 2006) and its predecessor the Thompson
Memorandum (issued by the then Deputy
Attorney General Larry Thompson in 2001)
are internal DOJ memoranda that set forth
the agency’s policy on the enforcement of the
criminal laws against corporations and other
business organisations.
A recent federal district court decision,
however, held that the disclosure of a final
investigative report did not waive the opinion
work product privilege applicable to drafts of
the report, attorney interview notes, and legal
memoranda produced in connection with the
preparation of the final report. See In re Vioxx
Products Liability Litigation, 2007 WL 854251
(E.D. La. 2007).
Courts have consistently rejected the argument that an independent report should
remain protected from discovery on the basis
of a finding that there was only a ‘selective’ or
‘limited’ waiver of the attorney–client privilege when disclosed to the government. See,
for example, In re Qwest Communications International, Inc., 450 F.3d 1179, 1201 (10th Cir.
2006); but see Diversified Industries v Meredith,
572 F.2d 596 (8th Cir. 1977) (holding that
plaintiff company’s disclosure of investigatory
materials to the SEC pursuant to a subpoena
did not constitute a blanket waiver of the
attorney–client privilege).
See Diversified Industries v Meredith, 572 F.2d
596 (8th Cir. 1977).
See, for example, In re Royal Ahold N.V.
Securities & ERISA Litigation, 230 F.R.D. 433
(D. Md. 2005).
See, for example, Granite Partners, L.P. v Bear,
Sterns & Co., 184 F.R.D. 49, 55 (S.D.N.Y.
1999).
© 2007 Palgrave Macmillan Ltd. 1741-3591 $30.00
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.
The Audit Committee As Sleuth:
Conducting an Internal Investigation
By Peter L. Rossiter and Jay Williams
The audit committee often takes the lead in commissioning, overseeing and taking action based upon the results
of an independent investigation.
I
n the post–Sarbanes-Oxley world, where corporate criminal and regulatory investigations have
become much more common, audit committees
are increasingly presented with issues that require
them to consider whether they should commence
an “internal investigation” in order to get to the
bottom of an issue, perhaps using lawyers and
other experts independent of management. This
article explains some of the forces that are driving
this phenomenon, which affects both public and
private financial institutions. It also offers some
practical advice about how to structure, conduct
and complete investigations of this kind.
Forces Affecting
Public Companies
Whistle-Blower Policies
Section 301 of the Sarbanes-Oxley Act of 2002
(“SOA”) requires a publicly held company’s
audit committee to establish procedures for the
receipt, retention and treatment of complaints
relating to accounting, internal accounting controls or auditing matters. The procedures must,
among other things, allow for the confidential,
anonymous submission by employees of concerns
about questionable accounting or auditing matters. Companies have taken varying approaches to
these requirements, sometimes adopting policies
that are part of a larger program that deals with
compliance issues broader than just financial and
FEBRUARY–MARCH 2006
accounting matters and sometimes adopting narrower policies that respond specifically to these
requirements. Whatever the approach, whistleblower programs raise the same issue: what to do
with a complaint that comes in. Ignoring a credible
complaint is not a practical option.
Audit Committee Charters
Public companies listed on the New York Stock
Exchange (NYSE) or Nasdaq are also required to
adopt charters for their audit committees. The listing standards of the NYSE and Nasdaq prescribe
the contents of the charter. They require the audit
committee to take on a broad set of tasks and responsibilities for financial accounting, auditing and
compliance matters and give it access to both internal
and external resources to carry out those tasks and
responsibilities. Some of these requirements—such
as the audit committee’s responsibility for a whistle-blower program and its authority to engage
independent counsel—are required by SOA; others
reflect NYSE- or Nasdaq-imposed standards for
corporate governance. Taken together, they virtually
assure audit committee involvement in any serious
allegation of wrongdoing, particularly if it could affect the financial statements in a material way.
Peter L. Rossiter and Jay Williams are Partners in the law firm Schiff Hardin
LLP. Mr. Rossiter is Co-Head of the Public Companies Group and a member of
the Financial Institutions Group. Contact him at prossiter@schiffhardin.com.
Mr. Williams is a member of Schiff Hardin’s Litigation Group focusing on whitecollar defense and compliance matters and often investigates or litigates matters
involving financial institutions. Contact him at jwilliams@schiffhardin.com.
BANK ACCOUNTING & FINANCE
3
Conducting an Internal Investigation
Private Companies
Are Also Affected
FDICIA Requirements
The Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) and the FDIC regulations
and guidelines under it (12 CFR §363) require financial institutions with more than $500 million in assets
to have an audit committee with at least a majority
of independent directors, whether the institution
is publicly or privately held. The official guidance
to these regulations lists, as appropriate duties for
an audit committee, a host of matters relating to
financial statements and internal controls, as well
as review of the institution’s compliance with laws
and regulations. For large institutions (assets over
$3 billion), the audit committee is also required to be
able to retain counsel “at its discretion without prior
permission of the institution’s board of directors.”
Fiduciary Duties
The members of the audit committee of both public
and privately held financial institutions have fiduciary duties to the institution and its owners. These
duties include the duty to exercise care in performing their oversight function. When confronted with
specific allegations of wrongdoing, that duty can
very quickly become a duty to commission an investigation that will get to the bottom of the allegations.
The failure to perform this duty in a timely and appropriate manner may lead to potential liability on
the part of audit committee members themselves.
Constituencies Can
Demand an Investigation
Auditors
The Private Securities Litigation Reform Act of 1995
added Section 10A to the Securities Exchange Act of
1934. Section 10A imposes a variety of requirements
in connection with audits. When an auditor detects or
otherwise becomes aware of information indicating
4
BANK ACCOUNTING & FINANCE
that an illegal act may have occurred, the auditor has
an obligation to take action. First, the auditor must
determine whether it is likely that an illegal act has, in
fact, occurred. If it has, the auditor must then determine
the effect of the act on the financial statements of the
company and make sure that the audit committee or the
board (in the absence of an audit committee) is informed
of the illegal acts, unless they are clearly inconsequential.
If the audit committee or the board does not respond
appropriately, the auditor may in certain circumstances
have an obligation to report the matter directly to the
Securities and Exchange Commission (SEC) if the company fails to do so. As a result of these requirements,
companies can safely assume that auditors will require
an investigation of allegations of any serious wrongdoing that may affect the financial statements.
Regulators
The banking regulators, will, of course, be very interested in any alleged wrongdoing that affects the
wide range of matters within their mandate, from
the institution’s financial statements to its credit,
risk management and internal control policies and
functions. Because of the wide range of materials to
which regulators have access, they are quite likely
to become aware of any such allegations, whether
in a formal review of “whistle-blower” compliance,
in other reviews or in periodic conversations with
management and compliance personnel. For serious
matters, it is quite likely that they will want to see a
credible internal investigation of the complaints.
For publicly held companies, the SEC acts as the regulator of financial and other disclosures. The SEC does
not have the examination authority of the banking
regulators except in certain areas, such as with respect
to broker-dealer and investment advisor affiliates. But
it will quickly become aware of any allegations that
call for disclosure in the institution’s financial statements or filings under the Securities Exchange Act of
1934. If any of these reveal or suggest wrongdoing, the
institution may be greatly advantaged in discussions
with the SEC if it has conducted and can share with
the SEC the results of a credible internal investigation.
Because the SEC frequently encourages corporations
to disclose the results of their own internal investigations, a well-conducted investigation can make a
significant difference in resolving SEC investigations
favorably and expeditiously.
FEBRUARY–MARCH 2006
Conducting an Internal Investigation
Prosecutors
Sometimes allegations involve potential criminal conduct. The institution’s response to such allegations can
be a critical determinant of whether, if the allegations
prove true, it will ultimately be prosecuted. Law enforcement officials give substantial weight to whether the
institution maintains an effective compliance program in
general and whether it responded effectively and appropriately to the specific allegations in deciding whether to
bring charges against the institution and what charges to
bring. For the U.S. Department of Justice, for example,
the 2003 “Thompson Memorandum” lays out these considerations quite clearly. A prompt, thorough internal
investigation can be a significant factor in influencing a
prosecutor either not to bring criminal charges against
the institution at all or to bring charges of a less serious
nature than would otherwise have been the case.
Civil Litigation
If the conduct alleged has harmed the company and affected its stock price, it is quite likely that civil litigation
will ensue. Although it may not be possible to protect
the company in direct litigation, a demonstration that
the institution has an effective compliance program and
responded effectively to these allegations of wrongdoing can help insulate directors from personal liability. In
addition, in some circumstances involving “derivative”
litigation—lawsuits brought by stockholders on behalf
of the company—the board has the ability to form a
special litigation committee, investigate the allegations
and, assuming the results of the investigation justify
this conclusion, obtain dismissal of the litigation on the
basis that it is not in the best interests of the company
to pursue it. The intricacies of these maneuvers are
beyond the scope of this article, but in many situations
they lead a company to conclude that an independent
investigation, monitored by the audit committee or a
special litigation committee, is important.
Conducting the
Investigation
Once the audit committee concludes that an investigation is prudent, for one or more of the reasons noted
above, it confronts a host of practical issues. Who should
conduct the investigation? What role should manageFEBRUARY–MARCH 2006
ment play in it? How can the scope of the investigation
be defined? What steps can (or cannot) be taken to
secure the cooperation of key employees? How can the
results of the investigation be protected from disclosure
to hostile third parties, who may seek to sue the company? These are key questions, the answers to which
will determine the usefulness of the investigation and
maximize the potential for it having a positive—or the
least negative—effect on the company.
Who Investigates
In some circumstances, allegations of wrongdoing can
be adequately investigated by “inside” personnel—employees of the institution, such as internal auditors or
members of an inside legal department. The nature of
the allegations and the potential materiality of the allegations should wrongdoing be found can be key factors
in determining whether this is possible. Often, however, the potential problem and the scope of the work
required are significant enough that it makes sense to
turn to outside experts. In addition, if the allegations
potentially implicate senior officers of the institution,
conflicts of interest are often present. Moreover, many
allegations of wrongdoing include an implicit or explicit
charge that management oversight has been lax, which
can compound the potential conflicts of interest.
For these reasons, the need to conduct a credible
internal investigation often requires the use of professionals outside the company. Because most such
investigations involve some issues of law and the audit
committee normally wishes to maximize its chances
for preserving the confidentiality of the results of the
investigation through invoking the attorney-client
privilege, the outside investigator is often an outside
law firm. In order to give the investigation maximum
credibility, the institution normally turns to a firm that
is not management’s usual outside counsel.
Management’s Role
Management can support the investigation, although
care must be taken to insulate from this function anyone
whose conduct is called into question by the allegations
(and who may have, or require, their own separate legal
representation). Indeed, it will probably be impossible
for outside counsel to investigate allegations adequately
without the full cooperation of some members of
management. At the same time, management must be
BANK ACCOUNTING & FINANCE
5
Conducting an Internal Investigation
careful not to drive the investigation. That function is
best performed by the audit committee.
One important concrete step that management
should take promptly, however, is to designate a
point person to work with the outside counsel conducting the investigation to assure the integrity of
all data and other evidence that will be important
to the investigation. The destruction or alteration of
any such data or evidence can compound what may
already be a bad problem. That can happen because
employees deliberately set out to undermine the
investigation or merely because employees in good
faith misunderstand the situation and think they are
helping the institution. It is very important to prevent this from happening by taking effective action at
the outset of any investigation. The necessary action
may include giving a clear warning to all involved
personnel as well as physically segregating paper
records and making and safeguarding a copy of all
relevant emails and other computer records.
Scope
The scope of the investigation will depend heavily
on the nature of the allegations and the circumstances of the institution, so all judgments about
scope are inherently situational. Many allegations
could provoke a potentially limitless investigation,
however, so it is important to define the limits of
the investigation at the outset. Those limits may, of
course, change in response to information developed
in the investigation, but the initial effort at scope
definition is well worth it.
The typical investigation will include a review of
all documentary evidence, including electronic documents. In today’s business world, where e-mail has
become an important (if not the primary) means of
day-to-day communication, defining the e-mail search
is a crucial step in assuring that the investigation will
be thorough and credible. Most investigations will also
involve at least some interviews of key personnel and
often more wide-ranging interviews, perhaps even of
outsiders or third parties. There may even be a need for
some forensic assistance using one of the many firms
that specialize in this type of investigation. Finally, if
the issues are principally accounting or auditing issues,
there will be a need to engage an outside consultant
with accounting expertise. In most situations it will
be important to use a firm other than the institution’s
6
BANK ACCOUNTING & FINANCE
regular auditors, in order to bolster the credibility of the
investigation, avoid compromising the independence
of the auditors and avoid raising issues with respect to
the magnitude of the auditor’s nonaudit services.
In all these scope definition matters, the audit committee will rely on the advice of counsel and other
experts. It certainly can take input from management, but the audit committee should remain the
driver in defining the scope and method of investigation. It must also monitor the investigation as it
proceeds, reaching judgments and tuning the scope
and process as it is conducted. If the audit committee simply launches the investigation and then lets
it drift forward, it is likely to drift for a very long
time and reach no good destination. Moreover, a
well-structured and well-defined investigation will
help contain costs, which can be substantial.
Securing Cooperation
To conduct an effective investigation, outside counsel will need the cooperation of some and perhaps
many employees of the institution. It is critical to
get this cooperation but, at the same time, counsel
must be careful to make sure that all employees interviewed understand that the investigation is being
conducted by the audit committee, through counsel
who works for the company and not for the employees. The warnings that applicable ethical rules
require counsel to give can be quite chilling. The risk,
of course, is that if the key people will not cooperate,
the only practical alternative may be an investigation
by law enforcement officials, who have the force of
law behind them to compel cooperation.
Privilege
Many investigations involve a risk that the information developed will, if accessible to private plaintiffs
and their attorneys, lead to either derivative or direct
litigation against the company or its officers and
directors. Many investigations seek to maximize the
extent to which the results can be shielded by the attorney-client privilege or work-product doctrine. To
do that, the audit committee retains outside counsel
as the investigator, who in turn retains the various
other experts and consultants needed (rather than
having them retained directly by the committee) (Exhibit 1). All documents generated by, or at the request
FEBRUARY–MARCH 2006
Conducting an Internal Investigation
of, counsel are marked as subject to the privilege
and safeguarded. The results of the investigation are
structured to separate, to the extent possible, the facts
discovered from the legal conclusions of counsel. In
certain instances, depending upon the circumstances,
counsel may deliberately decide not to reduce the
findings—either interim or final—to writing.
There are practical constraints on the audit
committee’s ability to shield the results of the investigation through use of the attorney-client privilege
or work-product doctrine, including the demands of
the various constituencies that have a stake, either
immediately or down the road, in the investigation.
The audit committee may hear and receive a complete report of the results of the investigation without
jeopardizing any applicable privilege. In order to
satisfy their Section 10A responsibilities, however,
the auditors may require full access to the report. At
that point, a company is between a rock and a hard
place—it either hands over the report, which may
well involve waiving the attorney-client (or workproduct) privilege or risks either a scope limitation
on the audit or even the resignation of its auditors.
Disclosure of the report to bank regulators can also
waive the privilege. In some situations, the regulators
will be sensitive to this concern and will work with the
company to find alternative ways in which to satisfy
their regulatory mandate without creating incremental risk for the company. “Nonwaiver” agreements are
sometimes used as a way to try to provide disclosure
without waiving the privilege, though they are not
always upheld by courts when tested.
If the results of the investigation become the focus of
law enforcement officials, including the enforcement
division of the SEC, the dynamic is quite different. They
may simply require access to the report regardless of
the consequences for the attorney-client privilege. If
they do not get access, they may either conduct their
own investigation or simply bring charges. They
may also seek a broad waiver of the attorney-client
privilege as a condition of giving the institution credit
for cooperating—credit that can be important both in
charging decisions and, should there be a criminal
prosecution and conviction, in sentencing. These decisions can often be difficult, since an institution might
be required (or at least requested) to turn over the
report of its privileged investigation before knowing
with any degree of precision or certainty what good,
if any, doing so will have on the eventual outcome.
FEBRUARY–MARCH 2006
Reporting the Results
Format
The nature of the report of the results of an internal
investigation will necessarily vary with the nature
of the matter being investigated and with the conclusions and decisions reached at earlier stages of
the investigation with respect to the matters discussed above. Proper planning at the initial states
is critical, recognizing, of course, that adjustments
may need to be made along the way. The report
can range from something very comprehensive to
something very simple.
For example, in some circumstances it may be
appropriate to generate a formally bound report, reviewing the issues, the investigative work done and
the legal and factual conclusions reached, together
with recommendations reached by outside counsel.
In other circumstances, the report may be as simple
as an oral report to the audit committee, covering
all aspects of the investigation, and conversations
with other constituencies—auditors, regulators,
law enforcement officials—to describe the factual
conclusions reached. The full-blown formal report
will most likely be used where there is no desire or
practical possibility of keeping the investigation
or its results confidential under the attorney-client privilege; the stripped-down oral version will
maximize the chances of preserving privilege. As
Exhibit 1
Protecting the Privilege
Financial
Institution
Audit Committee
Data analysis
experts
E-discovery
experts
Outside
Counsel
Private
investigators
Banking/ regulatory
experts
Forensic
experts
Accounting
experts
BANK ACCOUNTING & FINANCE
7
Conducting an Internal Investigation
discussed above, however, the demands of the various constituencies interested in the investigation
may well push the format in one direction or another. The important point is to plan from the outset
with a full understanding of the potential uses of
the report and to keep those potential uses in mind
throughout the process of investigation.
Follow-up
The investigation is, of course, not an end in itself.
The audit committee’s first responsibility, after
receiving the results in whatever format, will be to
assure itself that the work done was thorough and
the conclusions are credible. It is very important for
the audit committee to assure that the matter was
fully investigated and the report is truly complete—
nothing is worse than an investigation that proceeds
by the “drip method,” where conclusions come in
one at a time over a prolonged period in response
to sequential questions from the audit committee
or—worse—from the other constituencies such as
auditors, regulators or law enforcement officials.
Once the audit committee is satisfied in this respect, it must then determine what to do in response
to the investigation. In this deliberation, as opposed
to during the investigation itself, it may well be possible for the audit committee to work in collaboration
with management. If there are no findings of management wrongdoing, or if the wrongdoers can be
clearly identified and isolated, the audit committee
will be able to consult with management about follow-up steps. These range from deciding with whom
the results of the investigation will be shared (and
how they will be shared) to deciding what changes
in the institution’s structure or processes should be
made in light of the results of the investigation. This
last point, which is, in effect, an extension of the
investigation, is especially important. If the investigation revealed clear problems, it is essential that
the institution address those problems and make
the necessary changes as promptly as possible. In
some cases, even where the authorities have not
yet become involved, the investigation may present
the institution with the often difficult question of
whether there is a requirement (or practical benefits)
to “self-report” violations of law or other misconduct
revealed by the internal investigation.
8
BANK ACCOUNTING & FINANCE
If the investigation began with, or at any step involved, a whistle-blower, there are two additional,
important concluding steps in any internal investigation. First, it will be important to report to the
whistle-blower the results of the investigation and
any action taken. There will be circumstances in
which giving the full report, or a full description of
the action taken, will not be possible, especially in
situations that involve confidential personnel matters
or where there is a practical prospect of retaining the
attorney-client privilege. Nonetheless, letting the employee know that action has been taken will minimize
misinterpretation, help prevent rumors and support
organizational morale. Such a report may also be required by the organization’s whistle-blower policy.
A second, equally important concluding step
in investigations involving a whistle-blower is to
determine what, if any, steps need to be taken to
protect the whistle-blower. SOA contains provisions
protecting whistle-blowers against reprisals, and
there are many state statutes covering specific areas
that contain similar protections. This can be a tricky
undertaking. Even when the allegations of wrongdoing led to an investigation concluding that there was
in fact wrongdoing, and the wrongdoers have been
clearly identified and separated from the institution, there can be lingering resentment toward the
individual who “caused” the turmoil that ensued.
Many situations will not be even this clear-cut—the
whistle-blower’s hands may not be entirely clean,
or there may be no finding of wrongdoing, although
the whistle-blower in fact came forward with a goodfaith, justified suspicion. Real care must be taken at
this final stage of the investigation in order not to
compound the institution’s difficulties.
Business in a Fishbowl
Public companies and regulated financial institutions today must conduct their business in a
fishbowl. When allegations of wrongdoing surface,
it is often the audit committee that will need to take
the lead—by commissioning, overseeing and taking
action based upon the results of a thorough, independent investigation. Done right, these investigations
can help the audit committee minimize the harm
such allegations can cause, making sure that the
truth comes out in a credible way and the institution
deals with it in the right way.
FEBRUARY–MARCH 2006
legal briefs
Whistling to the Audit Committee:
How an Internal Investigation Begins
By ChristopherJ. Zinski
magine the following scenario. A company's whistleblower hotline records a
soft, muffled voice, but the message is
loud and clear: Three large lending transactions initiated last year were fraudulent,
and a bank insider was involved. AU three
borrowers are fictitious companies with
falsified financial statements. More
than $7 million is at risk.
The names of the borrowers are
too difficult to understand from the
phone log, however, the voice has
provided several crucial clues. All
three loans were made through one
of the banks San Diego offices, the
time period involved is February
through April, and a senior loan
officer is involved in the scam.
The callers final point is even more
chilling—other offices and more loans
could possibly be involved.
A transcript of the hotline message is
handed to the chair of the audit committee.
What should the audit committee do?
I
Options and Obligations
Section 301 of the Sarbanes-Oxley Act
mandates that audit committees of public
companies establish procedures for the
receipt, retention, and treatment of complaints received by the issuer regarding
accounting, internal accounting controls, or
auditing matters.
That process, in this example, has surfaced the complaint concerning an alleged
42
Community Banker
Augusr 2005
accounting irregularity to the right forum
within the organization—the audit committee. The challenge now facing the audit
committee is to determine how the anonymous complaint should be treated, and here
the law does not provide a script.
The audit committee could set up a
team composed of senior officers and other
employees to investigate the complaint.
For instance, it could appoint the head of
internal audit to lead an inquiry team,
which would include the company's chief
legal officer. But in this case, given the
materiality of the allegations and the claim
that bank insiders are involved, the audit
committee can't be sure that the officers and
employees leading the investigation are
independent.
Indeed the audit committee needs to
understand why the internal audit staff
missed the problem—if the allegations turn
out to be true. Moreover, a staff attorney
under the super\'ision of the chief legal
officer may have documented the suspect
lending transactions.
While some types of complaints reported
under the company's whistleblower policy
may lend themselves to internal reviews,
this fact pattern suggests that the audit committee should outsource the investigation to
independent professionals. Section 301 of
Sarbanes-Oxley grants audit committees the
authority to engage independent counsel or
other advisors, as it determines necessary to
carry out its duties.
Auditors and Regulators
The details in the scenario above would
trigger the duty of the company's directors
to make a reasonable inquiry concerning the
circumstances alleged in the whistleblower's
complaint. Other parties have an interest in
the inquiry as well.
The company's external auditors will
want a thorough investigation completed.
The complaint suggests that the company
may have recorded fictitious loans resulting
in the overstatement of balance-sheet
accounts and earnings. If the allegations
prove true, the company's prior, audited
consolidated financial statements may
require restatement.
Moreover, the auditors will want sufficient assurance that officers of the company
were not engaged in illegal acts, otherwise
the credibility of the company's internal
controls and financial statement integrity
are in doubt.
An independent, thorough investigation
will be necessary to satisfy the external
auditor and satisfy the auditors legal duties.
Bank regulators also will want to know
whether the allegations are true. The
whistleblower's complaint raises serious
questions about the bank's internal control
system, whether the bank's financial statements are accurately stated, and safety and
soundness issues.
The regulators have broad examination
powers, and if the company does not
thoroughly investigate the allegations in the
legal briefs |
complaint, the bank examiners may conduct
their own inspection.
The Securities and Fxchange Commission
also may be interested in the investigation,
particularly if it results in a restatement
of the company's prior-year financial statements or material charge-offs.
Taking swift action to investigate, disclosing the results to the appropriate
government agencies, and cooperating with
law enforcement will mitigate the risk that
the company could face government prosecution or other penalties or sanctions.
Internal and External Help
The internal investigation will be most
effective if the audit committee properly
organizes the inquiry at the beginning.
The first order of business is to retain
a qualified law firm that is independent
of the company. In addition to satisfying
the independence standard, the law firm
should assemble a team of its lawyers who
have expertise in banking, criminal, and
securities law, as well background and
experience in financial accounting and
internal audit.
Early in the process, the law firm should
prepare a comprehensive work plan, citing
the documents it plans to review and interviews it expects to convene. This plan
should be fully discussed with, and
approved by, the audit committee.
When the internal investigation ends,
there are several possible outcomes. The
company could receive a clean bill of
health from special investigative counsel, or
counsel could conclude that the facts raise
ambiguities over whether illegal acts did or
did not occur.
And, of course, the whistleblower
allegations could be proved true, and the
investigation could discover bad facts and
illegal activity.
Upon receiving counsel's conclusions.
however, there can be no doubt that the
audit committee must adopt a course of
action. Ambiguities may call for further
investigation. Bad facts require remedial
steps.
The company's problems will only be
compounded if the investigation recommends action that the audit committee,
board, or management doesn't take.
Once an investigation begins, the out-
come is unknown and the remedial action
necessary to correct a problem is unpredictable. But once the whistle is blown, the
audit committee needs to investigate and act
on the recommendations that follow. 1^
AU views expressed are solely those ofthe
author. Christopher f. Zinski is a partner
and financial institutions lawyer with
Schiff I lardin LLP. a Chicago law firm. He
chairs the firm's Financial Institutions
Group. He also is a CPA and Certified
Internal Auditor. Zinski can he reached
at czinski@schiffhardin.com.
hat
sets
With over 40 years of experience, The Todd
Organization is one of the leading providers and
administrators of Bank-Owned Life Insurance
(BOLI) in the nation. The Todd Organization
has access to and utilizes insurance products from
major insurance carriers including Northwestern
Mutual, one ofthe highest rated and most respected
insurance carriers in the industry.' This difference
not only sets us apart...it sets us ahead.
Recent guidance p r o v ^ ^ ^ ^ ^ p C Bulletin 2004-56 makes it more critical than ever fur
institutions to properly manage the risks of their BOLI program. For more information
on how The Todd Organization can help ensure the long term ^success of your BOLI
plan, please contact us at:
The Todd Organization
www.toddorg.com
Steve Toven
Director, Cummunity Bank Consulting
toven s(?toddorg.com
703-356-0584
faiB 703-356-0585
THE TODD ORGANIZATION
I Organization, the marfcsUng name lor Todd Consulting, I n c . i
Wl. provides ana administers executive t>enent plans
*Best possible insurance financial strer>stn ratings: A-r* -A.M. Best. AAA- FUeti
Northwestern Mutual i.ile Insurance Company
I ft Poof •». Aaa - Mijody s Investors Service.
August 2005
Community Banker
43
Purchase answer to see full
attachment