Once a company becomes aware of an alleged or suspicious act, such as corruption or bribery, it must investigate the suspicious or alleged act. If the suspicious or alleged act is credible and true, the company must take the necessary steps to respond and remediate. In this article, we are going to discuss the steps involved in investigating an alleged act of bribery or corruption.
A trigger event is an occurrence or breach that causes another event to occur. In anti-corruption compliance programs, it is an event that is the basis for an allegation, such as bribery or corruption. Trigger events can include a negative audit report, reports from a whistle-blower hotline, or a subpoena from the Securities and Exchange Commission (SEC). There can also be other trigger events that do not happen all of the sudden, but instead occur over time, such as an increase in submitted expenses during bid submissions. What's more, trigger events can be discovered through internal controls.
Other trigger events might be:
- Multiple payments to the same vendor on the same day.
- Results of an exit interview for an employee. An employee may quit due to feeling pressure to pay a bribe.
- A contract review.
- A risk assessment.
- Due diligence.
Triage is a process in which the allegation is reviewed and a response plan is created. Companies need to take into consideration the seriousness of the allegation. It needs to be determined if the allegation is serious enough that it needs to be escalated to an audit committee or if the company has more time to review the allegation. The company should also determine if they need to involve inside or outside counsel as a response to an allegation.
Responding to Allegations
In order to determine the credibility of an allegation, the company needs to gather what it knows about the allegation and compare that information to the known facts. The company should go to the source of the allegation to get additional information or get clarification. It should be kept in mind that the more details of the allegation that exist, the more likely it is that the allegation is credible. However, the reverse is not always true. A whistle-blower may not have a lot of details, but that does not mean the allegation is not credible.
Determining the Seriousness of an Allegation
Once an allegation is proven credible, the company must then take necessary steps to preserve the data and information tied to the allegation, then begin an investigation. If an allegation cannot be proven completely credible, the company should still preserve the data and information, then take steps to understand it. For example, the company might interview employees about the allegation, review transactions, review correspondence with vendors, etc. to make a final determination if the allegation is credible. Allegations should be proven false. There should never be any remaining doubt as to whether an allegation is true or not.
Keep this in mind: if there is fraudulent or corrupt activity discovered as the result of an allegation, that activity will typically be incorrectly recorded in the company's books and will be a violation of the FCPA. A forensic accountant and outside counsel might be beneficial in the early stages of an investigation in helping to determine if FCPA regulations were violated.
Once an allegation has been deemed credible, the company should launch an investigation. The company also needs to make sure that evidence is preserved and reviewed, conduct interviews with key employees, report to key stakeholders, and conduct a forensic accounting review.
Launching the Investigation
As stated above, once an allegation is deemed to be credible, an investigation should be launched. Planning for the investigation is as important as the investigation itself, because it will be the basis for the entire investigation.
Planning the investigation should include:
1. Putting together the investigation team. This may be internal, external, or both.
2. Determining the scope of the investigation.
3. Defining the work plan for the investigation. The areas that are usually covered are data preservation, data collection, data processing, email and document analysis, forensic accounting, interviews, reporting, and remediation.
When assembling an investigation team, a company must ask itself a few questions. Who should lead the investigation? Who will the team report to? What key people need to be part of the investigation team?
Best practice is for the investigation committee to hire independent counsel and let the independent counsel lead the investigation. However, if the company decides against independent counsel, then the internal counsel or the chief internal auditor might be appointed to lead the investigation. The role of whoever leads the investigation will be to protect independence between management, the audit team, and the investigations team.
The investigation should also include personnel from other departments within the company. These people might be from:
- Executive management
- Internal audit
- Department management
- Human Resources
- Information Technology
- Corporate security
The investigation team might include external parties as well, such as outside counsel and forensic accountants. External parties do not have conflicts of interest, such as being friends or working closely with those who are alleged to have committed illegal acts.
About Data Preservation
In the beginning of an investigation, the investigation team should take steps to identify and protect sources that may be relevant. This includes protecting and preserving all related data. Counsel should issue legal hold notices to preserve all forms of data needed for the investigation so it cannot be spoiled. The custodians of the records - or data - should be informed of their responsibility to preserve the information. Once a legal hold has been issued, there should then be controls put into place and compliance by custodians should be monitored.
Discovering Sources of Relevant Information
Data sources that contain possibly relevant information should be identified by conducting interviews with the IT department. The investigation team should develop a custodian list for each source of information. As the team learns more, other custodians can be added to that list. At this point, the investigation team should have a general understanding of the allegation, the date range of the investigation, employment dates for custodians, how custodian computers were handled if they were terminated, etc.
Email can be the most critical data source during an investigation. Email can exist on a custodian's computer, on the email server, and on portable storage devices. Other electronic documents such as PDF's are also important. That said, let's discuss the different types of data sources.
File Servers and Email
Data servers can be a valuable source of information. The investigation team will need to identify all data storage servers, as well as which custodians had access to the servers. Email servers, group or public file shares, and private file shares all need to be identified. The servers for a company are usually housed in a single location. Different regional locations may have their own servers, as well. The investigation team may not need information from all file servers, but they should still have an understanding of all servers. Emails stored on servers is easy to collect. It can also be collected without the custodian being aware. Companies can also collect information for multiple custodians.
Backup Tapes and Archives
There are archiving systems for emails stored on servers. These archiving systems save space, but also maintain some access to the emails and attachments. It is usually easier to restore emails from an archival system than a backup tape. However, restoring emails from archives can take some time. The amount of time it takes is based on the number of custodians and how long the email has been archived from the source.
Backup tapes can fill in any gaps found in the data. The investigation team should understand the company's backup procedures so the appropriate backup tapes are preserved. Most companies record over a backup tape after a specific period of time. If the investigation team does not preserve the necessary backup tapes early on in the investigation, there is a chance the data will be recorded over in a future backup.
A custodian's computer can be an excellent source of information. Getting information from these computers can be tricky, however, because the custodian will be made aware that the PC is going to be searched. There are applications on the market that allow the collection of information without the custodian being made aware, but the effectiveness of these applications can be limited. When searching a custodian's PC for information, forensic software such as EnCase can be used with forensic images to recover files that been deleted and perform a more in-depth analysis.
The investigation team will also need to review the company's accounting records in the course of the investigation. Important sources of information during the accounting review are:
- Annual reports
- Trial balances
- General ledger
- Journal entries
- Accounting database information
- Accounting transactions
- Chart of accounts
- Organizational charts
- Approval levels (accounting)
Books and Record Review
The investigation team also reviews books and records to find problematic activities, then understand how they are manifested in the company's accounting system.
Areas the investigation team will want to focus on include:
- Third parties
- Government interactions
- Charitable donations
- Marketing expenses
- Facilitation payments
Remediation is defined as the correcting or remedying of a problem, especially as to stop further damage. Remediation can be needed immediately while an investigation is ongoing depending on the issue. It is okay to start remediation during an investigation, but the areas that require it may not always be apparent until after the investigation is complete. In addition, sometimes it is best to wait until an investigation is complete before remediation. For example, if there are any possible FCPA violations, it is always best to inform the government before implementing any remediation plan.
The findings of the investigation may make it necessary to take disciplinary actions against some individuals. The disciplinary measure might simply be training on corruption, bribery, policies, procedures, etc. It could also be termination. Decisions on disciplinary measures should be made with the assistance of outside counsel. If the government is involved, they will expect to be made aware of these actions.
Anti-corruption training that is provided as part of a remediation plan can be training for specific individuals or for everyone in the company. The training can be created and given by the compliance department of a company, outside counsel, or a third party. The training should reinforce the company's compliance program, such as the policies and procedures. It should also reinforce FCPA regulations and laws. The names of the attendees should be documented for each training session. Training should be repeated every quarter or year, whichever the company decides is most effective.
Remediation of controls might also be needed based on the outcome of the investigation. This might mean new controls, strengthened controls, or more monitoring of controls that are already in place. The government usually expects to be notified of changes to the internal control structure.