9 minutes reading

Corporate Internal Investigations: A Beginner’s Guide (part 1)

When the 2020 Norton Rose Fulbright Litigation Trends Survey asked corporate legal staff what types of legal disputes were of most concern to their companies, investigations and regulatory inquiries earned the second-highest spot, with 24 percent. Respondents cited numerous causes for their concern, including potential criminal or civil liability and damage to their companies’ reputation. The pandemic didn’t help matters any, as 31 percent of companies reported that COVID-19 had fueled an increase in disputes. It’s not just the pandemic that’s to blame for an increase in internal investigations, though: the Securities and Exchange Commission (SEC) reported at the close of fiscal year 2020 that it had awarded a record 39 whistleblower awards that year totaling about $175 million.

This article will provide you with the basics about corporate internal investigations and some key best practices so you can be prepared for almost anything that may be headed your way. We begin with an overview of what an internal investigation is and when it may be warranted. We’ll also discuss the benefits and risks associated with internal investigations. In our next article, we’ll outline the five critical stages of any workplace investigation so you can tailor your next investigation to its unique circumstances. 

Here's what's in: 

Corporate internal investigation basics
When and why are investigations justified?
The benefits of an effective internal investigation
The risks associated with doing—or not doing—an internal investigation
Weighing the costs and benefits of internal investigations 


Let's dive right in! 

Corporate internal investigation basics 

An internal investigation is just what it sounds like: a fact-finding mission conducted within a company in response to a complaint or allegation of misconduct. This type of investigation seeks to determine whether an employee or officer of the company violated any laws, regulations, or policies or caused harm to the company or to its employees, shareholders, or customers. If the investigation reveals that some wrongdoing occurred, it will likely also lead to some form of corrective action. 

Let’s break those components down a little. 

A corporate internal investigation begins with some kind of claim about someone within the company doing something wrong. The allegation that launches an investigation may involve practically anything, including: 

  • embezzlement, insider trading, “cooking the books,” or other financial fraud;
  • violations of laws, for example bribing foreign officials in violation of the Foreign Corrupt Practices Act (FCPA) or dumping toxic waste in violation of the Resource Conservation and Recovery Act;
  • employment discrimination, whether in violation of Title VII, the Americans With Disabilities Act, or other laws and regulations;
  • violations of regulations established by government agencies, such as the SEC;
  • theft of company property;
  • fraud involving any business dealings;
  • employee misconduct such as sexual harassment; or
  • any other violations of company policies or standard operating procedures. 

Similarly, there are a multitude of ways that a company may hear about an allegation. The best situation is generally when the company receives the complaint early, through an employee hotline or direct report to a supervisor. Allegations of wrongdoing may also be surfaced through an initial regulatory inquiry, a shareholder demand letter, or a notice from an internal or external auditor of irregularities in their review of records. In the worst case, the company may receive a subpoena from the Department of Justice (DOJ) about a whistleblower report or a litigation notice about an impending lawsuit. 

Best practice: Stay ahead of potential problems by making it easy for concerned parties to submit claims or tips anonymously and without fear of repercussions. Yes, you’ll probably face some false accusations, but it’s better to have a finger on the pulse of your organization’s internal woes than to have your head in the sand and miss something important. 

Once the company receives a complaint, it must decide whether that claim has any merit and, if so, what it should do in response. Those are the goals of an internal investigation: to get to the bottom of an accusation, find the cause of any misbehavior, and promptly correct it so that it cannot reoccur. 

Best practice: Think of an investigation as a mini-litigation matter that’s handled informally in house. Investigations have a lot in common with full-fledged cases, as you still have to:

  • define the complaint (who allegedly did what to whom, and when and where did those events occur?);
  • scope the matter and determine what evidence will be helpful;
  • review documents and interview witnesses;
  • relate your discovered facts to the law, policy, or regulation in question; and
  • render a decision, complete with executing a “sentence” in the form of consequences.

And while investigations aren’t bound by a courtroom’s rules of civil procedure or evidence, the more seriously you treat them, the better you’ll be prepared if the issue escalates down the road. 


Norton survey 2021

Source: Norton Rose Fulbright Litigation Trends Survey

When and why are internal investigations justified? 

Internal investigations can have incredibly diverse subject matter and can range from low-level grievances to company-ending criminal misbehavior. Because allegations vary widely in their scope, seriousness, and potential repercussions, their responses must also be flexible and adaptable. There is no single right way to handle every complaint and no single way to conduct an investigation. 

While some financial violations and recordkeeping disparities must be reported and investigated upon discovery, the response to an allegation is most often discretionary. Therefore, the first decision a company must make upon hearing a complaint is whether to investigate further. To make that decision, the corporate legal department should consider the following: 

  • How serious is the allegation? Is it a violation of federal or state law or just a variance from company policy?
  • Who is involved? Is the alleged perpetrator a rank-and-file employee, a supervisor, or a high-level C-suite officer or board member?
  • How grave is the danger or harm that the alleged misconduct causes?
  • If the allegation is founded and it becomes public, what is the extent of the company’s exposure?
  • Is the allegation about a one-time occurrence or an ongoing situation? If it’s a one-time situation, is it something that is likely to recur if not corrected?
  • Is the allegation likely to result in a government investigation? Is the allegation something that must be reported to a regulatory official?
  • Will the allegation, if true, lead to civil or criminal liability for the company or its officers? Can the company avoid or lessen any penalties or receive credit for promptly investigating and reporting the conduct? 

The benefits of an effective internal investigation 

We’ve already alluded to some of the benefits of a good internal investigation, such as preventing the reoccurrence of problem behavior and avoiding criminal or civil liability. Promptly and effectively investigating misconduct, and acting on discovered information to correct problems, can also help maintain the company’s reputation and avoid scandal or bad publicity. 

Problems that are swept under the rug rarely resolve themselves; it’s generally better to proactively deal with those situations instead of passively hoping that they’ll go away. For example, if a company learns that a supervisor has been harassing a younger report based on their gender, national origin, or skin color, it’s better to learn about that conduct early so that the company has the opportunity to act. That may include changing policies and procedures, enhancing training, or disciplining any involved personnel. 

Best practice: Try to make your responses or consequences proportional to the type of violation alleged. If someone is breaking a state or federal law while working for your company, that almost certainly demands a substantial response. If someone is bending a policy—especially a policy that’s commonly disregarded—it’s rarely a good idea to overreact. Instead, it might be time to change the policy or at least to educate employees about why it’s important. 

Learning about misconduct through an effective employee investigation is also preferable to hearing about that same misconduct from a government agency or a private litigant. Knowing in advance that such a claim might be coming gives the company time to prepare a defense or, if appropriate, seek a settlement. The business may also be able to obtain credit for its cooperation with government agencies, which may decrease the civil damages leveraged against the company or obviate its criminal liability. Finally, a company that takes internal investigations seriously can uphold its reputation as an ethical company that seeks to do right by its employees, shareholders, and customers. 


eDiscovery 101 - blog

The risks associated with doing—or not doing—an internal investigation 

Corporate internal investigations can be risky whether you do them or not. Let’s look first at the risks of doing an investigation, as the risks of not doing them are, in most cases, simply the converse of the benefits we just touched on. 

Costing money, time, and other resources 

First and foremost, corporate internal investigations cost money and take up valuable time. In some cases, the cost of reviewing documents for internal investigations can rival the costs of eDiscovery and litigation. Poorly scoped investigations also tend to drag on for an extended, and seemingly endless, period of time. This makes it even more likely that the investigation will be damaging to employee morale and lead to suspicion, disengagement, and a reduced willingness of employees to report problems or cooperate with questioning. 

Best practice: Time is of the essence with most complaints, so you can’t afford to “wait and see” what happens next or decide that you’ll figure out an approach when you need to and not a moment sooner. For accounting and other financial services organizations, you may learn of a claim just before a filing deadline, which puts you in the position of either not timely disclosing it or missing the deadline while you decide whether you’re obligated to disclose. For other organizations, it may be only a matter of time before rumors of the problem leak out on social media, in the news, or to a regulator or law enforcement body. Planning in advance how you will respond saves you precious time when trouble strikes. 

Maintaining attorney-client privilege throughout an investigation 

It is surprisingly easy to waive the company’s attorney-client privilege inadvertently during the course of an employee investigation. For example, sharing information—by discussing the facts with witnesses, auditors, or regulatory authorities—can waive the privilege. 

Best practice: You may at some point choose to intentionally waive the attorney-client privilege, perhaps by providing information to a regulatory authority, but be sure to obtain the consent of your organization’s board or leadership before you do. 

Companies often find that they haven’t waived the attorney-client privilege simply because it never existed in the first place. If the company undertakes an investigation for what is determined to be a “business purpose,” such as minimizing liability, mitigating financial losses, or completing routine compliance functions, rather than for the purpose of obtaining legal advice, there is no privilege cloaking the investigation. This is why—as we’ll explain further in part two—it’s often better to have outside counsel manage investigations instead of the in-house legal department. 

Complying with data privacy laws during an investigation 

If your organization has global offices or stores data in other locations, be on the lookout for local data protection laws and regulations. You may need to navigate cross-border data transfer issues or take extra steps to ensure you don’t violate data privacy laws that give additional protections to employees in other jurisdictions. 

The risk of skipping or skimping on an investigation 

While there are risks associated with doing an investigation, the risks of not doing one—or doing a rushed, incomplete investigation—are usually more substantial. Without an investigation, the company won’t find out what really happened, which leaves open the possibility of it happening again. Or the company might only learn the truth of the matter when it gets hammered in a court case. The company and its officers may find themselves criminally or civilly liable for misconduct; at best, they won’t get cooperation credit from regulatory authorities and may face enhanced scrutiny in their future dealings. The DOJ or another government agency might decide that the company was complicit in a criminal scheme because it turned a blind eye to the misconduct. Once that happens, public scandal and financial ruin may be close behind. 

As just one damaging example, Clover Health Investments recently stated that it had received a letter from the SEC advising it of an investigation into allegations that the company “misled investors about its business and failed to tell them about an active Department of Justice investigation into its practices.” Since news of the investigation broke, “shares of Clover Health [fell] 2 percent Friday after plunging 12 percent Thursday.” This clearly demonstrates how ignoring misconduct can spiral out of control with grievous consequences. 


Weighing the costs and benefits of internal investigations 

Internal investigations run the gamut from minor complaints about an employee’s shoddy compliance with internal policies all the way to bombshells about C-suite officers intentionally breaking federal laws (and bankrupting the company in the process). Some allegations are barely worth checking on, while others merit a full-fledged external review. Therefore, the essential first step in any inquiry is weighing the costs inherent in an investigation with the risks that the investigation—or the lack of one—will impose.