Challenges in Conducting Internal Investigations from a Chief Legal Officer’s Perspective

Crises often involve the need to conduct internal investigations regarding some aspects of the crisis, and in these circumstances, fast, careful and effective administration of internal investigations is often critical for avoiding or mitigating risk for the organisation. From the perspective of general counsel, especially those who also have compliance responsibilities, there are a number of factors a chief legal officer must consider during the investigation process, including how and when to start an internal investigation, manage the budget, determine who will be in charge of the investigation, prepare a plan, define the scope and execution, and address privacy and attorney–client privilege issues. In this short article, I will address some practical issues from the perspective of a compliance officer, covering some controversial topics, tips and best practices to make internal investigations effective.

When and how to initiate an internal investigation

Internal investigations often start with an allegation of policy violation, fraud or crime, and the allegation may arise from anywhere and affect anyone. At the outset, a company must decide whether the allegation requires investigation and, if so, who should conduct the investigation. Investigations are usually expensive and resources limited; while the need to investigate in certain instances is obvious, some factors to consider include:

  • the seriousness of the allegation, including whether the alleged misconduct violates criminal law or company policy;
  • existence of a history of similar violations;
  • whether the alleged misconduct involves senior management or board members;
  • the company's potential exposure if the allegations are true;
  • the possibility of future violations or that the violations are continuing;
  • whether the alleged misconduct implicates a potential health and safety risk;
  • whether the alleged misconduct calls into question any prior internal control or financial certifications provided by executive officers, and whether the alleged misconduct prevents such officers from truthfully executing future certifications;
  • the anticipated response of the company's auditors to the alleged misconduct;
  • whether there is a parallel government investigation, or whether such an investigation is likely to occur;
  • whether a company's audit committee charter, code of conduct or other policies mandate or encourage an investigation where the issue must be reported to regulatory officials;
  • the extent to which the company may receive credit from enforcement officials for conducting its own investigation; and
  • the possible impact on any pending or potential civil litigation.

On receipt of the allegation, the legal department often plays a very important role as many complaints historically arise from the analysis of business scenarios, and a legal practitioner is usually the first to come in contact with risk situations and possible violations.

Many cases assigned to the compliance department lack substantive aspects and just contain generic allegations. In these cases, initiating an investigative process may not be effective or even possible.

Managing the budget

Managing the budget during an internal investigation is one of the great challenges for the legal department, as an investigation usually requires extensive reviews of emails and documents, forensic imaging of devices, audits, and costs for external consultants and audits.

Initiating an internal investigation is not a fiduciary responsibility of the companies but of the legal or compliance officer, and the most costly investigations are those in which it is necessary to make a report to the authorities. In this kind of investigation, it is essential that the legal or compliance officer can provide all the relevant documentation to the authorities while demonstrating that research has been conducted according to best practice, the resources needed to obtain the necessary information have been used sparingly and the necessary measures have been taken to repair credibility, even if this comes at a high cost to the business.

Given this scenario, the credibility of the investigation must be balanced with its costs. Here are some tips on how to effectively conduct research using internal and technological resources.

Identify the correct scope of the investigation

Identifying and accurately assessing the scope of the investigation will greatly help reduce costs because, instead of professionals initiating a review of documents, audits or even the collection of devices, it is necessary to understand first if there is information available to conduct an effective investigation or available means to obtain this information.

A good example of this is when we receive generalised allegations, such as, 'The managing director is involved in a corruption case.' Even if an allegation like this is quite alarming, if there is no more information about a specific date, third parties that would have interacted with the managing director, a specific business or other information, the investigation will be greatly impaired. If it is not possible to follow up with the reporter for additional information, the investment in an investigation will not be effective.

Develop intelligent research planning

Setting priorities, custodians and evidence to be obtained can be crucial for budgeting. Building a phased investigation can help the investigator to oversee the entire process and work individually on each part of the investigation. If one can add the necessary investigations into the planning memo, including all initial custodians, document reviews and necessary interviews, it will be possible to minimise travel costs, audit hiring and ineffective expenses on lawyers. Videoconference and other communication apps can also be a reliable resource for investigations.

The hiring of external lawyers is fundamental for giving credibility and independence to the investigation. However, this resource must be used intelligently, requesting legal opinions and analyses only in the situations previously mapped, avoiding generic requests and eschewing defined timelines.

It is also common to want to conduct audits on all deals entered into with dealer 'X'; however, if there is no cut-off date or slightly more objective information, such as a certain customer or values, searches will rarely be effective.

Use internal resources

Internal resources can be of great value in lowering the costs of an investigation. Some companies have artificial intelligence capabilities to pursue deals and audit processes, and this can be more effective than hiring an outside firm. Conducting the review of emails and documents internally is also important, since, in addition to internal professionals already being experts in most commercial issues, there would be no additional cost. For contractual reviews and even legal memoranda, the use of the legal department can be effective.

Request regular reports and prior proposals

One of the most effective ways to control the costs of an investigation is to request an estimate of fees in advance and to require regular reports – weekly, if possible. With these reports, it will be easier to understand where the investigation stands, the steps to be taken, some operational details and, most importantly, the amount spent in each phase.

Another important factor is to be able to quickly update the legal or compliance managers of your company with the information relevant to the administration of ongoing investigations and also the department's operations.

Consider verbal reports and PowerPoint presentations

Using verbal or summarised reports by email can be an important tool for saving time and money. In less complex cases, such as violation of policies without great impact and legal risk, their use may be effective, provided that the case is updated in the internal records of the company.

Replacing large reports with PowerPoint models, for example, also allows for substantial savings, even for complex investigations, as it can help authorities understand the complexity of business and research actors.

Who should conduct an internal investigation?

After the initial assessment that an investigation should be conducted, important questions will arise about who should conduct it. Typically, the legal, compliance or audit department itself will be assigned to conduct the review; however, if board members or senior executives are involved, it is recommended that the investigation be assigned to someone independent. Another question to be considered in this case is interaction between senior executives and the compliance department. Although there is mutual respect between the departments, a compliance officer often looks to senior management for support for the implementation of the programme, especially in its initial phase. In the case of an ongoing investigation conducted by compliance in which this officer is being investigated, the decision to give effective support could be compromised.

Another factor to consider is the equation between the expected time for conclusion of the case and the resources available. It should be considered whether assigning the case to an in-house team with skills and knowledge of investigations or to external counsel would be the most effective solution. Resources are limited, so understanding how to use them effectively will make a difference. 

An important tip for legal officers to be able to balance budget constraints with a shorter investigation time is to develop a shared internal investigation plan for potentially less harmful investigations, where a third party reviews documents and emails and the legal or compliance department conducts interviews and prepares the report. It will certainly be more cost-effective.

Planning, defining scope and execution

From the perspective of a chief legal officer in charge of an investigation, it is extremely important to assess and constantly reassess the scope of an investigation. A common pitfall is tackling too much, often based on diffuse information or multiple violations, and lacking focus. For example, if you have an alleged violation in the sales department, it would not be necessary or effective to review your entire pricing structure or entire distribution chain. In the case of a report made via the helpline, for example, a preliminary interview and a brief meeting of the ethics committee may help define the scope more precisely. Note that hotline reports are often made with a high emotional load, and being able to discern what needs to be used in the investigation plan is critical.

As for custodians, in order to stay focused on the scope of investigation, it is important to identify the key players and prioritise them. When new facts or custodians arise, the scope may be reviewed. This does not mean discarding the others, but rather paying special attention to those who can more effectively contribute to the investigation.

As for evidence, documents (including emails and messages from messaging and texting apps) are often the best form of evidence. Today, an impressive number of cases are supported by evidence from messaging apps. To render this evidence valid for use in court, in many jurisdictions, it is critical for the company to have a clear investigation policy and electronic devices policy communicated to its employees. It is also wise to send a retention notice to custodians in order to preserve all potential evidence and avoid destruction of documents. Ensure procedures are in place to link documents to their authors and recipients and file evidence properly.

With regard to document review, it is vital that investigators have sufficient time to complete a meaningful review, familiarise themselves with the main documents related to each witness and decide on how to confront each witness with these documents during the interview.

After defining the scope, planning and document review, it is time to conduct the interviews. Investigators should be guided by the documents and allegations to identify their witnesses. When interviewing, stay mindful of both the employees' and the company's rights and obligations and act with kindness and focus. Custodians will often make every attempt possible to prevent the interview from going smoothly, lie, or even try to disqualify the investigator. It is critical for an investigator to act naturally and firmly to complete the process.

In short, a good interview is fundamentally one that enables: discovery of as many relevant facts (or sources of such facts) from the witness as possible; and an accurate assessment of the witness's credibility.

Preparing the report after following all the above steps is a natural consequence of a fact-finding investigation process. The final report should contain the scope of the investigation, a summary of the steps taken during the review (including a description of the custodians), a description of all facts found, the most relevant points and a factual conclusion about the allegations.

The next step, as a result of the report, is to implement the improvements and disciplinary action, as necessary. Corrective action should be adapted to the situation. Appropriate action may include training of employees, business partners and third parties; creation and review of policies; and application of disciplinary action, such as a warning letter, suspension or even dismissal of employees.

A key tip for legal managers is focusing on timely implementation of action items, as delay in taking this action may make the internal investigation ineffective.

Data privacy

During internal investigations and the collection of devices from employees, it is crucial that the legal manager checks the applicable local laws. In several countries in Latin America, for example, it is recommended that the employee's formal consent is obtained to avoid legal exposure and alleged violation of personal data. When in doubt, it is always recommended to seek external counsel's opinion.

Other specific situations should be considered, such as the existence of an investigation policy that is communicated to employees, the existence of a bring-your-own-device policy and local restrictions, whether based on legislation or case law.

Another very relevant point is the enactment of the General Data Protection Regulation (GDPR). It will require a significant change in internal processes as companies planning to conduct internal investigations into the conduct of their employees or agents will likely need to first conduct data protection impact assessments (DPIAs); DPIAs are now mandatory in some cases under the GDPR.

In practical terms, the DPIA process will require companies to consider and document the nature and scope of proposed investigations, the reasons for which they are sought, and their assessment of the need and proportionality of the measures and impact on the individuals' privacy. In addition, it requires companies to describe the steps they plan to adopt to deal with privacy risks.

Attorney–client privilege

Although the context of attorney–client protection may vary depending on the country where the review is conducted, the concept of attorney–client privilege is an essential tool for conducting internal investigations involving relevant issues and major exposure. Making sure investigations are privileged is important because it allows clients and their lawyers to discuss problems, reach conclusions or other findings, discuss alternative solutions and make decisions based on the findings without fear of disclosure to outside parties. This helps protect the accuracy and integrity of the review. This protection is especially important in the context of FCPA investigations, given the potential that third parties, including the US government, company shareholders or other stakeholders, could seek access to highly sensitive information produced in a review.

If the privilege is going to be applied, then the investigation should make this clear at the inception, with documented guidance from the company's chief legal officer that the specific investigation is being conducted under a claim of privilege. Thereafter, and at every step, counsel and investigators have to state unequivocally before any interview that the investigation is being conducted under the privilege, and that it is the company's privilege, so that waiver or any claim belongs to the company and not to any individual. The company should document carefully the legal basis for the investigation, the specific assertion of the privilege, and provide basic guidance on how the privilege should be preserved.

Even if local laws apply, when it comes to an FCPA investigation under attorney–client privilege, there are many relevant details regarding the application of the concept and, as a general guide, I recommend consulting with a US lawyer, who will be very familiar with its details and application.


With the exponential growth of internal investigations, especially in Latin America, it is critical that the legal or compliance officer is given the legitimacy and independence necessary to conduct a review. The cost, as mentioned above, may impact the investigation, but should not be a barrier to carrying it out. Some smart ways of maximising efforts and lowering the costs that can be applied to most existing investigations, regardless of company size, have been mentioned in this chapter.

Conducting internal investigations requires a series of decisions by the chief legal officer that vary according to the seriousness of the investigation, as well as the expected response from the regulatory agencies. Unfortunately, these responses are not always predictable, so it will always be best to conduct a review based on best compliance practices. 


1 Daniel Sibille is a compliance director at Oracle do Brasil.
