This chapter provides a framework on the main aspects of how to conduct an internal investigation into any situation in which the code of conduct, the internal policies of a company, or the applicable laws or regulations might have been breached. Although we focus on practice in Mexico, we believe the ideas we develop can be applied more broadly in whichever jurisdiction an investigation is being carried out.
Internal investigations, when properly conducted, allow companies to prevent and properly respond to any adverse situation that arises from possible wrongdoing; to avoid or mitigate risks and potential responsibility; and to take appropriate measures to sanction the conduct and avoid repetition of improper conduct.
Before starting an investigation, the investigator must review the legislation that is applicable to the conduct being investigated and the scope of permissible investigations. Different legal areas might require review. Criminal, data protection and labour law can be relevant to each step of the investigation.
Internal investigations help companies to identify, prevent, measure and avoid or mitigate risks of potential liability and to determine the validity and seriousness of the concerns that have triggered the need for an investigation.
However, different laws foresee a duty to investigate internally, and regulators take into account the implementation and application of internal policies before imposing any sanctions for improper conduct. Recent implementations of certain Mexican administrative and criminal laws are a notable example of this. Argentina has followed a similar path by incorporating corporate criminal liability in its legal system.
Pursuant to Article 422 of the Mexican National Code of Criminal Proceedings, when determining a corporation’s liability, law enforcement authorities shall consider, among other aspects of corporate culture, the existence of proper controls within the company, such as adequate investigative methods.
In addition, Article 11 of the Federal Criminal Code allows for a reduction in criminal liability of up to one-quarter of the corporation’s liability, as long as the corporation proves that, before the commission of the unlawful conduct, it had a compliance department in charge of preventing that conduct and that it sought to mitigate the potential harm before or after being accused.
Furthermore, the Mexican General Administrative Responsibilities Law provides that law enforcement authorities must consider a company’s ‘integrity policy’ before determining the applicable sanctions. Article 25 of this Law provides that an integrity policy must contain, among other things:
a code of conduct duly published and socialized among all members of the organization, with systems and mechanisms of real application, and adequate reporting systems both within the organization and to the competent authorities, as well as disciplinary systems and specific consequences regarding those who act against internal policies or Mexican legislation.
Moreover, under Article 222 of the Mexican Criminal Procedures National Code, any person who is aware of an act that may constitute a crime is compelled to report it to the Mexican authorities. However, the Code lacks a clear sanction for the breach of this duty.
In certain cases, criminal laws may also foresee sanctions for a lack of investigative steps or failure to report certain conduct to the authorities. In these cases, individuals could be considered as contributing, being an accessory or enabling parties to a crime.
In enforcing the US Foreign Corrupt Practices Act (FCPA), the US Department of Justice (US DOJ) and the US Securities and Exchange Commission (US SEC) also consider the investigative steps taken by a company before imposing sanctions. The ‘Resource Guide to the US Foreign Corrupt Practices Act’ (the FCPA Resource Guide) provides that:
once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the Company’s response, including any disciplinary or remediation measures taken. Companies will want to consider taking “lessons learned” from any reported violations and the outcome of any resulting investigation to update their internal controls and compliance program and focus future training on such issues, as appropriate.
In some cases, external auditors are obliged to investigate and evaluate certain potentially illegal types of conduct when analysing a company’s financial statements.
Well-done internal investigations not only decrease the risk of potential corporate liability but also foster employees’ commitment to internal policies and applicable laws.
A well-structured compliance programme and internal auditing systems are essential for any company to prevent and manage any potential liability. Data from self-reported cases of foreign bribery show that companies are most likely to become aware of bribery by internal audits (31 per cent), M&A due diligence (28 per cent) and whistle-blower complaints (17 per cent). Another report by an international accounting firm found that 25 per cent of the fraud cases discovered in surveyed companies came to light through whistle-blower complaints, which was the main source for detection of fraudulent acts.
A well-structured and properly publicised hotline is essential for any compliance programme and for an eventual investigation, given that it allows employees to denounce any potentially improper conduct anonymously and without fear of retaliation. This is also helpful for investigators, given that it provides additional data about allegedly improper conduct and whistle-blowers can function as collaborative parties.
However, companies must be aware of the applicable laws, particularly in respect of data protection in relation to the extent to which a hotline might be used. For instance, in some countries, labour issues might be excluded from the scope of an internal hotline.
Besides whistle-blower complaints, internal investigations might also be triggered by direct complaints, lawsuits, threatened litigation, government inquiries, suspicion of misconduct within the company, media reports or accidents in the workplace, among others.
On some occasions, investigations might be a result of government investigations. In these cases, the nature and certain aspects of an investigation might change, or an investigation and cooperation with authorities might be necessary to obtain reduced sanctions and other benefits.
Once a report is received from any internal or external source, it must be redirected to the proper authorities within the company to (1) make a preliminary assessment of the report, (2) determine the nature of the reported conduct, and (3) evaluate whether external counsel is needed.
It is usually advisable for companies to assign the responsibility of receiving, following up and preparing reports of potential improper conduct to internal legal and compliance authorities, given their knowledge and understanding of the applicable regulations and relevant areas within the company, particularly their sensitivity to topics such as legal privilege or preservation of evidence.
Before starting any internal investigation, a company should make a preliminary assessment of the reported conduct to determine whether an investigation is appropriate. A correct preliminary evaluation of the proper type and extent of investigation will save a company both time and costs.
Frequently, reported conduct, even if assumed to be true, might not constitute a breach of the applicable laws or regulations and can be dismissed at the outset. Furthermore, certain issues might imply an easy and quick solution without needing a full investigation. In these situations, depending on the nature of the allegation, the receiving department might solve the problem directly or forward it to the proper area to take any necessary action.
However, when there is reasonable evidence of potential improper conduct, the best course of action will be for the company to trigger an internal investigation.
The situation becomes more complicated when there are indications of potentially improper conduct but only limited information is available in the first instance. In these cases, before initiating a full investigation, investigators should seek other methods of obtaining preliminary information. One effective way to do this is to seek further assistance from the whistle-blower or to conduct preliminary interviews with potentially collaborative parties, while always seeking to preserve the confidentiality of the investigation. Otherwise, the evidence could be hidden or destroyed by the alleged perpetrators.
Once a company determines that a full internal investigation is necessary, it will need to unravel the nature of the reported conduct, to establish a preliminary scope of the investigation, foresee the potential implications of the conduct and determine which department would be the most suitable to carry out the investigation.
Departments that may handle these types of investigations include compliance (in respect of anti-corruption and anti-money laundering), audit (e.g., fraud and improper use of assets), legal (e.g., public bids, intellectual property and anti-trust), human resources (e.g., labour, health and workplace security) and IT (e.g., cybersecurity), among others.
However, this could greatly vary from one company to another. Some aspects to take into consideration are the resources available, the experience and authority of the investigators within the company, and the perception of independence. In any event, the investigators must be perceived as independent and must avoid any conflict of interests.
For specific types of investigations, different departments should cooperate and interact (e.g., anti-corruption, human rights, fraud and sexual harassment). When suspected misconduct involves senior management, serious misconduct or there is a potential conflict of interests, the company should take all necessary steps to maintain independence and impartiality. In these cases, it might be advisable to create a special committee of the board or to retain external counsel.
Depending on the nature of the reported conduct, it might be advisable to retain external counsel to perform the investigation or to serve as an aid. External counsel may offer substantive expertise, relevant experience, scale and other benefits not available from internal resources. Additionally, other external experts may be needed to assist with an internal investigation, such as forensic accountants or e-discovery vendors.
When assessing whether to retain external counsel, another consideration is the potential applicability of the attorney-client privilege and work-product doctrines. The work of external counsel is usually protected by legal privilege, whereas that of in-house counsel may not be protected. In the United States, attorney-client privilege typically applies to the work of both external and in-house counsel. Relatedly, the work of accountants and other third parties may qualify as privileged when work is under the direction of external counsel to enable counsel to provide legal advice.
In Mexico, rather than a specific attorney–client privilege, there is a general obligation for all professionals, including attorneys, to maintain professional secrecy. However, attorney–client privilege may be claimed over communications exchanged between counsel and client. This criterion has been developed only recently in Mexican law: in an antitrust investigation, tribunals have held that the privilege covers communications between a client and its external counsel. According to the courts’ interpretation, ‘communication’ is understood to refer to all information exchanged and thus refers to both spoken or written communications (e.g., verbal conversations and emails) or work-product (such as written notes or memoranda). Some of these precedents also suggest that legal privilege in Mexico shall not be applicable to in-house counsel.
Hence, companies should give careful consideration to the question of retaining external counsel at the outset of an investigation. If a company decides not to, the work-product obtained from the investigation and from third parties hired by the company might not be protected under privilege. As a consequence, regulators and enforcement authorities (and civil litigants) could demand full access to those potentially adverse and incriminating documents.
Confirming the preliminary assessment regarding the scope and nature of an investigation and drafting an investigation plan will provide a clear road map. As a minimum, such a plan should consider the following aspects:
Self-reporting or revealing that a company is conducting an investigation is always fact-specific. A company might want to reveal its investigation plan to the authorities early in the process, with the aim of receiving cooperation credit and avoiding more severe sanctions at a later stage.
Depending on the nature and the facts of the investigation, it might be advisable to conduct certain interviews and request cooperation from any whistle-blower and potentially collaborating parties before moving to the next steps of the investigation. At all times, it is critical to protect the confidentiality, integrity and potential evidence related to the investigation.
Furthermore, investigators should consider whether it is convenient to notify the implicated parties or the whole company and to what extent, always considering the measures necessary to preserve evidence and avoid retaliation.
Investigators must always be mindful of the company’s best interests and that all documents created, facts uncovered and witness statements in relation to the investigation might be shared with or requested by authorities in the future.
An essential step at the outset of an internal investigation is preserving potentially relevant evidence. Measures to preserve evidence include:
Investigators must always be aware of the applicable data privacy laws when securing, transferring and sharing information, and of guaranteeing appropriate protection of personal data. This is particularly relevant in transnational investigations in which information might be transferred to different countries, or shared between counsel in different jurisdictions, offering often inconsistent regulations.
Before securing information from emails or cellphones that are owned by the company, it is advisable to have a prior policy or consent regarding the company’s authority to access information that belongs to the company or is related to employees’ work. The company must properly inform employees that the information created and shared within the company network and systems belongs to the company and shall be subject to scrutiny, without any expectation of privacy.
Depending on the jurisdiction, it may be advisable to have a prior signed consent from employees (e.g., as a condition of employment), given that some jurisdictions require express consent to use and have access to communications from third parties. In Mexico, a prior policy without express consent could be considered insufficient to obtain and process an employee’s data.
If a company does not have a proper policy or seeks to obtain communications from personal devices, to the extent permissible, it should obtain consent from the owner of the device. The interception of personal communications is usually prohibited and considered as a criminal offence in a number of jurisdictions.
Ownership of the documents and the chain of custody will also be relevant if the documents have to be produced in litigation, administrative or criminal proceedings, or to regulators. If the documents belong to the company, in principle, the company will be able to directly produce them before any authority. However, if the documents belong to an individual, the company will usually need that person’s consent or to request judicial assistance to lawfully obtain them.
The chain of custody is relevant in criminal and some administrative and civil proceedings to assure that the documents have not been tampered with or contaminated. Each measure and step related to gathering, handling, storing, securing, transferring and managing evidence must be properly documented to guarantee that evidence is authentic and legal. A chain of custody is a sine qua non requirement for the validity of evidence in many criminal and some civil proceedings.
Investigators shall also promptly take all necessary measures to avoid any retaliation against whistle-blowers, cooperating parties, stakeholders or even the implicated parties. This helps preserve the integrity of an investigation and anyone implicated.
Examples of appropriate measures to avoid retaliation are:
Not being able to take appropriate measures to avoid retaliation will be viewed negatively by regulators and authorities. Furthermore, these measures strengthen a culture of compliance within the company, guaranteeing that employees will not be punished in any way for denouncing, in good faith, any improper conduct or cooperating with an investigation. By failing to take these measures, a company might give a contradictory message to its employees.
A key step in any investigation is obtaining the proper evidence regarding the potentially improper conduct. Thorough email searches are standard for virtually any significant internal investigation and have proven to be very revealing in investigations of improper conducts. Additionally, cellphone searches are becoming increasingly relevant, given that informal channels of communications such as Whatsapp or Telegram are being used more often as working tools, that improper conduct is now documented in emails less often and that people are more wary about what they write in emails. Other relevant evidentiary sources include working documents held in computers or databases, such as Word or Excel documents, as well as physical documents and material.
Documents and information should be collected and reviewed in light of the scope of the investigation, the implicated parties and any other evidence that suggests that the documents might be relevant for the investigation.
There are numerous e-discovery platforms that enable counsel or other investigators to apply search criteria to reduce the amount of information that needs to be analysed. Artificial intelligence that uses predictive coding is also a powerful tool that can reduce time and costs.
The people in charge of reviewing documents must have sufficient knowledge of the nature and scope of the investigation, the relevant facts and the information that they should be seeking, so as to properly identify relevant documents. This is often one of the most labour-intensive parts of an investigation and is essential for proper fact-finding.
Once documents have been reviewed, it is useful to have a chronology of all relevant documents and information to track and analyse key events, conduct, stakeholders and documentation. Again, investigators must be mindful of the company’s best interests and that all documents created, facts uncovered and witness statements in relation to the investigation might be shared with or requested by authorities in the future.
As well as a document review, it is sometimes advisable to seek additional sources of information and, depending on the case, to engage an accounting firm to conduct forensic transaction testing. Often, the sources of concern lie in how a company keeps its books and records. Forensic experts will analyse whether a company’s books accurately, reasonably and in a timely manner reflect the transactions represented therein. They also might look into revenue recognition in books and in reality, and search for discrepancies with a company’s policies. Moreover, they will frequently analyse third-party vendor accounts and whether their services and bills are well supported and conform to market standards.
Interviews are also essential to any corporate internal investigation, ideally once a thorough document review has been performed and the key issues have been outlined in a working chronology. Interviews should be conducted with relevant stakeholders, witnesses and implicated individuals. In general, all those materially involved in the underlying facts should be interviewed.
For this, investigators must (1) determine which parties to interview according to the evidence previously obtained, (2) draft an interview protocol with reference to the relevant evidence and facts, and (3) conduct interviews in accordance with the foregoing.
The interview protocol should serve as a guideline for the interviews, by making express reference to the relevant documents by topic or chronological order and the proposed questions for interviewees. Other relevant topics that might be useful are the factual background, knowledge of the regulation applicable to the conduct and proposals for how to remediate certain types of conduct.
Depending on the case, it might be advisable to first interview witnesses and then the implicated parties, starting with lower-level employees and working up to the most senior employees. Investigators must also pay close attention to who will perform and be present during the interviews. In all cases, investigators must make sure to be perceived as independent and to try to avoid creating an overly formal environment that could affect the outcome of the interviews.
Depending on the jurisdiction, investigators typically inform interviewees (1) that they only represent the company (or whoever they represent) and do not represent the interviewees or their interests and that they may wish to seek separate counsel, (2) of the purpose of the interview, (3) that the interview is privileged and confidential and shall not be shared or disclosed by the employee with third parties, and (4) that the privilege and confidentiality of the interview belongs to the company, and that only the company controls such privilege and might decide to waive and disclose it to third parties, including authorities. This is known as the Upjohn warning, which originates from the case Upjohn Co v. United States.
Interviews should seek to establish the facts by presenting relevant documentation and allowing interviewees to accurately recollect the facts and express their opinion with the aim of obtaining information that is as accurate and reliable as possible. Interviewees might request before or during the interview to have their own counsel present or to have an opportunity to be advised by their own counsel. One issue that may arise is whether the company should pay for an employee’s personal counsel.
In general, interviewers should avoid recording or transcribing interviews verbatim.
Among other considerations, recordings and transcripts are also usually not protected by legal privilege and they add an air of unnecessary formality to an interview, which can be counterproductive in some cases and can affect the quality and content of the interviewee’s responses. Consistent with legal privilege, it is usually advisable to take notes on personal perspectives, opinions about the interview and to address legal theories.
Third parties are in no way obliged to agree to these interviews and careful consideration must be given before interviewing third parties or former employees over which the company has no authority. Anti-corruption contractual clauses can in some cases be useful for the purpose of compelling a third party to cooperate. In these cases, investigators must weigh the potential benefits and costs, and act in the best interests of the company.
After the interview, employees should be reminded of the confidentiality of the information and that the information must not be shared with other employees or any third party. Once the information has been analysed, investigators must determine whether additional fact-finding in the form of document review or interviews is necessary or if they should proceed with the final report and suggested remediation measures.
Once an investigation has been concluded, investigators should analyse all the information gathered in the investigation and report the findings and suggested remediation measures to the appropriate officers and directors within the company (and, potentially, outside the company). The final report should address the factual issues and conclusions and provide a legal analysis of the subject matter and the potential remediation measures that the company might adopt. However, this sequence of events needs to be flexible. Investigations frequently offer insights into other aspects of the business that require greater scrutiny. Thus, one line of analysis often sets the stage for a new or deeper investigation.
Depending on the case, careful consideration must be given to whether the report will be in written form or oral.
Besides a final report, companies must always take appropriate remediation measures to make sure that the risk of repetition of improper conduct is mitigated and to properly sanction those employees who may have acted improperly. This is essential to mitigate any risk for the company and, in fact, without this step, an investigation ultimately may become meaningless.
Some typical remediation measures include:
When taking remedial action, parties should seek to be consistent in imposing and applying measures and also should always seek to reduce the risk of repetition and to implement measures to identify future risks. In particular, companies must heed the lessons learned and incorporate them into their policies and procedures to avoid or mitigate the risk of recurrence.
Local applicable labour laws must be analysed before taking any action against employees. For instance, Mexican legislation does not allow a salary reduction and grounds for dismissal follow strict scrutiny and will always be interpreted in favour of the employee.
Finally, the appropriate department within the company must decide whether the investigation and its findings should be notified or voluntarily disclosed to regulators or other authorities, to the extent not already self-reported or otherwise known. This is a decision that should not be taken lightly and requires consultation with external counsel with proper knowledge of the jurisdiction and applicable laws.
Companies may engage in a dialogue with the authorities and opt to cooperate in their investigation to try to seek a reduction of sanctions. Some of the criteria taken into account by authorities when considering whether to reduce sanctions are whether the cooperating party:
Once an authority brings charges against a company, as a general rule, the company may enter into a dialogue to address the authority’s concerns.
Some of the factors that should be considered before deciding whether voluntary disclosure is appropriate are:
As has been discussed, internal investigations are an invaluable tool for companies to mitigate risks of potential liability in respect of misconduct within the company, and are essential for any well-structured compliance programme. In some cases, internal investigations are also necessary or helpful in obtaining a reduction in criminal, civil or administrative penalties. Having a working compliance programme within the company, properly investigating improper conduct and sometimes self-disclosing improper conduct has proven to be helpful when dealing with authorities.
While all investigations and companies are different, a well-conducted, successful and effective investigation must be performed under a general framework and a basic set of rules. A well-structured investigation will help to prevent any undesirable surprises and to maintain proper control of relevant conduct and facts being investigated. In contrast, an improper investigation could have disastrous outcomes for a company, even increasing significantly its risk of liability.
From the outset of an investigation, the people in charge must clearly outline the nature and scope of the conduct under review, the potential implications and who should investigate. It is also essential to consider other issues that could have serious implications, which range from the need to retain external counsel, to preserve attorney–client privilege over the investigation, and to determine which specific measures to take to preserve evidence and avoid retaliation.
While this chapter is not an exhaustive analysis of every issue and situation to take into consideration when performing an internal investigation, it should serve as a useful guide for any internal investigation a company carries out to review potential improper conduct.
Lastly, the remediation measures a company adopts after finishing an investigation are essential to mitigate the risk of repetition, including the recurrence of potential liability. This step helps companies to remediate any improper conduct and to learn from its mistakes. An investigation is incomplete without taking this critical step.
For these reasons, and many others, a proper policy addressing improper conduct and ensuring well-conducted investigations is imperative for mitigating potential liability. It is also vital to take appropriate measures to sanction individuals who engage in improper conduct and to enhance relevant controls to prevent improper conduct in the future.
 Adrián Magallanes Pérez and Diego Sierra Laris are partners at Von Wobeser y Sierra, SC.
 US Department of Justice, Criminal Division, and US Securities and Exchange Commission, Enforcement Division, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (2012), p. 61.
 See OECD Foreign Bribery Report, ‘An analysis of the crime of bribery of foreign public officials’, OECD (2014) < https://read.oecd-ilibrary.org/governance/oecd-foreign-bribery-report_9789264226616-en#page18pp. 16-17>.
 KPMG Forensic, ‘Profile of a Fraudster’, Survey, 2007, p. 26.
 Tarun, Robert W, and Tomczak, Peter P, The Foreign Corrupt Practices Act Handbook: A Practical Guide for Multinational Counsel, Transactional Lawyers and White Collar Criminal Practitioners, Third Edition, American Bar Association (2013), p. 196, quoting In re John Doe Corp., 675 F.2d 482 (2d Cir. 1983) (investigation by accounting firm as part of its audit is not privileged) and In re Grand Jury Subpoena, 599 F. 2d 504, 510 (2d Cir. 1979) (investigation by management is not privileged).
 See ‘Non-binding precedents No I.1o.A.E.193 A (10a.) and I.1o.A.E.194 A (10a.) by the First Collegiate Court on Antitrust, Broadcasting and Telecommunications Matters for the First Circuit (Mexico City)’ in Federal Judicial Weekly Report and its Gazette, Volume XXXVIII (January 2017), pp. 2475, 2721.
 See Non-binding precedent, ‘Prueba electrónica o digital en el proceso penal. Las evidencias provenientes de una comunicación privada llevada a cabo en una red social, vía mensajería sincrónica (chat), para que tengan eficacia probatoria deben satisfacer como estándar mínimo, haber sido obtenidas lícitamente y que su recolección conste en una cadena de custodia’ [Electronic or digital evidence in a criminal proceeding. Evidence regarding private communications in a social network via chat, to be legal must satisfy a minimum standard by having been legally obtained and properly documented in a chain of custody’], First Collegiate Tribunal in Civil Matters for the First Circuit, 2013524. I.2o.P.49 P (10a.), Federal Judicial Weekly Report and its Gazette, Volume XXXVIII (January 2017), p. 2609 (MEX).
 See Non-binding precedent ‘Cadena de custodia. Debe respetarse para que los indicios recabados en la escena del crimen generen convicción en el juzgador’ [Chain of custody. It must be guaranteed in the crime scene for indicia to generate conviction in the judge], First Chamber of the Supreme Court of Justice, 2004653, 1a. CCXCV/2013 (10a.), Federal Judicial Weekly Report and its Gazette, Volume XXV (October 2013), p. 1043 (MEX).
 Upjohn Co. v. United States, 449 U.S. 383 (1981).
 Mexico’s Federal Labour Law, Articles 51(IV), 82 and 84.