December 09, 2019 Articles

Internal Investigations: An Introduction (Part 1 of 3)

What kind of concerns lead to internal investigations, how a business identifies such concerns, and whether an internal investigation is appropriate.

By Elizabeth S. Fenton, John Levitske, Michelle N. Lipkowitz, and Mark A. McGrath

Internal business investigations may become necessary for a variety of reasons. This article is the first in a series of three in which we will address what new in-house lawyers should know about internal investigations. This article will discuss what kind of concerns lead to internal investigations, how a business identifies such concerns, and whether an internal investigation is appropriate. The second in the series will describe the pros and cons of outsourcing an internal investigation. The third in the series will outline how to conduct an investigation.

Employee misconduct, data breaches, accounting discrepancies, and regulatory issues are common business challenges that give rise to internal business investigations. White-collar enforcement activities at the U.S. Securities and Exchange Commission (SEC), the U.S. Department of Justice (DOJ), and other federal and state agencies continue to be a focus of government resources. See SEC, Litigation Releases (modified Nov. 21, 2019); Assistant Attorney General Brian A. Benczkowski Delivers Remarks at the 33rd Annual ABA National Institute on White Collar Crime Conference, U.S. Dep’t of Justice (Mar. 8, 2019) (describing 2018 enforcement statistics). Accordingly, for the in-house lawyer, a sound understanding of when to initiate and how to conduct an internal investigation, including related responsibilities and pitfalls, is necessary. Increased regulatory focus and pursuit of individual wrongdoers, including by attorney “gatekeepers,” has become a key deterrent feature of enforcement programs that in-house lawyers must consider when faced with both civil and criminal investigations. If criminal liability is a possibility, the stakes are, of course, very high indeed.

Internal Investigations: Subject Matters

General counsel may need to initiate internal investigations concerning a variety of subjects. Various areas remain ripe for enforcement and litigation, and these may require internal investigations and potential self-disclosure as issues arise.

Employment. Many issues where internal investigations may be warranted start off as employment disputes. What may appear to be a personality conflict between a manager and an employee can turn into individual litigation over employment discrimination on the basis of race, gender, or other protected class. More infrequently, potential criminal issues involving fraud or theft may be unearthed. If a problem appears to be exclusively employment related, the internal investigators should nonetheless keep their eyes and ears open for other issues that may be involved.

Cybersecurity and theft of intellectual property. Data privacy has become a hot-button issue across all business sectors. Commodity hacking and malware are the modern version of highway robbery. In some cases, a disgruntled employee, former employee, or customer is behind a hack. Data breaches from within cause disruption, morale issues, and financial loss. Other data breaches involve outsiders, some from foreign countries. Even if the wrongdoer is an external actor, the corporation may still face criminal or civil exposure if its safeguards are found to be inadequate.

In the face of a data breach, an internal investigation is an effective way not only to confirm that the issue was truly external, that the business’s controls are adequate, and that the point of data exposure was contained or mitigated but also to troubleshoot and avoid future issues. An internal investigation may lead to additional training of employees, enhanced security measures, and identification of vulnerabilities that could be problematic in future hacks.

If, of course, the corporation did not have adequate controls in place, a remediation plan will be critical, especially if the possibility of criminal liability exists. Data breaches involving customers often require additional disclosures, many of which are regulated by federal and state law. While those laws are beyond the scope of this article, in-house counsel should be aware of them so that the disclosures are timely and accurate.

In addition to these kinds of incidents, theft or misuse of company-issued equipment and intellectual property is also a potential source of criminal liability. An internal investigation may be necessary to determine whether the company’s systems for protecting laptops, thumb drives, smartphones, and other devices are adequate. Insurers, regulators, customers, and shareholders will want to know what the corporation’s policies are (and, in the event of a problem, what the remedial plan is). Customer notice may also be required in certain incidents of this nature.

Securities. The SEC, charged with enforcing the federal securities laws, historically has maintained a vigorous enforcement program to combat wrongdoing, compensate harmed investors, and maintain confidence in the integrity and fairness of the capital markets. Enforcement inquiries are a common occurrence even when organizations and individuals act with pure intentions.

In-house counsel should respond promptly to enforcement inquiries. Retaining experienced counsel, calling the SEC immediately to understand the nature of the inquiry, preserving relevant records, looking at potential insurance coverage, and determining whether the SEC inquiry itself should be disclosed are all critical first steps.

Internal investigations around enforcement inquiries are common, and organizations often benefit from the advice of accounting experts, in addition to experienced counsel, who have expertise handling such matters. Familiarity with the SEC enforcement process, knowledge of the applicable law and investigative best practices, and credibility of both lawyers and accounting experts with the SEC are vital to obtaining the most effective outcome. Internal investigations often prove to be integral components of successful representation of organizations being investigated by the SEC. They provide facts and information regarding potential legal exposure, financial reporting or disclosure issues, and whether action (or inaction) of employees necessitates personnel changes. Internal investigations also often identify deficiencies in the organization’s internal controls and procedures. Addressing such deficiencies in a timely and proactive way may positively influence future potential monetary penalties should the SEC decide to bring (and win) civil enforcement proceedings against the organization.

Corruption. High-stakes government enforcement matters in the areas of bribery and corruption represent another common subject of internal investigations. Organizations that run afoul of the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and other similar laws in foreign jurisdictions may present unique challenges to in-house attorneys attempting to get their arms around the potential violations of laws, concerns around books and records or internal controls, and related risks and potentially costly impacts on their businesses. The dual elements of the FCPA in particular, dealing with bribery of foreign officials and accounting transparency requirements, were designed to facilitate parallel criminal and civil enforcement. The in-house lawyer must be mindful of the two different standards involved.

Consumer protection. Allegations from regulators or individuals regarding unfair, deceptive, and fraudulent business practices represent additional subject matter that in-house lawyers often encounter. “Do Not Call” lists, fair debt collection, home lending, product safety, and labeling issues are just a few of the subjects that arise in this realm. In addition to the Federal Trade Commission (FTC), and particularly the Bureau of Consumer Protection, many states also have agencies devoted to consumer protection. These agencies investigate fraud and unfair business practices and enforce the laws and regulations relating to those issues.

On learning of a potential consumer protection issue, a corporation should evaluate whether an internal investigation is warranted. The analysis will depend on how widespread the issue is, how serious it is, and what potential fines or statutory penalties may be involved. In addition, the FTC, the DOJ Antitrust Division, and state agencies enforce antitrust laws intended to protect consumers. Internal investigations are especially warranted in these kinds of matters because many antitrust laws provide for treble damages, making violations an expensive prospect.

Environment. Environmental and worker-safety issues also may be the subject of internal investigations. The Occupational Safety and Health Act (OSHA), the Clean Water Act, the Clean Air Act, and state regulations governing the environment and safety are a few of the laws that may be implicated. Whistleblowers, inspectors, and private citizens all are sources of reporting. Retention of scientific experts at an early stage to assist with the investigation often makes sense once a company learns of an environmental or safety issue.

Sources of Information

There are numerous ways for issues warranting investigation to arrive at the doorstep of the legal department. In addition to whistleblowers, regulatory oversight, management reviews, internal and external audits, employee tips, and law enforcement, many businesses now have compliance hotlines where employees or third parties may report suspected wrongdoing or noncompliance with laws. The results of regular internal compliance or information technology reviews are other ways that the legal department may learn about potential issues that introduce potential risk to the organization, and thus necessitate further examination.

Whistleblowers. The use of internal investigations has become much more commonplace since the adoption of the Sarbanes-Oxley Act of 2002 (SOX) and the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank). Rules promulgated under SOX and Dodd-Frank laid the groundwork to more meaningfully incentivize individuals, including employees, former employees, and third parties, to proactively provide information to regulators relating to violations of law and to afford them related protections. Bounty programs awarding millions of dollars to whistleblowers who provide original information that leads to successful enforcement by the SEC encourage these individuals to share information that may result in an award worth many times their current earning potential.

The SEC’s 2018 Annual Report to Congress: Whistleblower Program identified approximately 5,200 tips received and more than $168 million awarded to whistleblowers in 2018. Similar bounty programs exist at, among others, the Commodity Futures Trading Commission (CFTC), DOJ, OSHA, and the Department of Health and Human Services. Whistleblowers have proven to be one of the government’s strongest weapons in the fight against fraud, so in-house lawyers should continue to expect whistleblower activity. Regardless of whether the whistleblower has any basis for the claim, an internal investigation of appropriate scope and scale should be conducted promptly upon learning of the allegation(s) to ascertain the facts. This type of investigation can be especially sensitive if the whistleblower is still employed and may become emboldened by the perception that the corporation is retaliating.

Government inquiry or investigation. In-house lawyers may learn of potential issues directly from governmental agencies. Such notices may or may not involve information obtained from a whistleblower. The foregoing examples assume that the corporation has not received notice that an outside investigation is already underway. In the unfortunate event that a governmental agency issues an information request before the business initiates an internal investigation, an internal investigation may still be necessary and appropriate. A search warrant, a grand jury subpoena, an administrative audit, an informal inquiry, or another type of agency request often serves as the reason for initiating an internal investigation.

Independent auditors. Independent auditors sometimes identify issues during an audit to be further researched by the organization. When an auditor raises concerns, an internal investigation may be appropriate depending on the nature and materiality of the potential issue. Congress has enacted several comprehensive laws to address financial reporting problems—that is, SOX and Dodd-Frank. These kinds of internal investigations can also be very sensitive as they frequently involve members of the C-suite.

Necessity of an Internal Investigation

The decision about whether to conduct an internal investigation has potentially wide-ranging ramifications. In-house lawyers should dedicate sufficient time and critical thought to this decision, including considerations such as the following:

  • Does the company have some duty to investigate (e.g., federal regulation or statute; material connection to the financial statements)?
  • Are regulators aware of the issue (or are they likely to become involved), and how will they view the company’s decision?
  • Is there reason to believe that a significant problem exists?
  • Are potential misconduct and violations attributable to the actions of senior management, or was senior management aware of such conduct?
  • Is the issue expected to have wide-ranging impacts?
  • What kind of message will investigating (or not investigating) send to employees and other stakeholders?

Additional factors to consider may include potential criminal or civil liability, customer relations, reputational issues, and shareholder concerns. If the corporation trades publicly, a litmus test is often whether the issue will have a material effect on the consolidated financial statements. If the concern potentially rises to the level of criminal liability, serious thought must be given to conducting an internal investigation.

Corporations may also use an internal investigation as a way to control the facts around an issue, protect attorney-client privilege and work-product protection, set a tone internally and externally, evaluate potential defenses and preserve them, or position themselves for a more lenient sentence or monetary penalties if criminal conduct is discovered. Additional benefits to conducting an investigation include the limitation of civil claims, deterrence of future misconduct, improved morale and productivity, and demonstration that senior management takes such matters seriously and has fulfilled fiduciary duties of care.

Despite the foregoing, a full-blown internal investigation is not always necessary. If, on learning of an issue, the in-house lawyer is able to quickly determine that the complaint or report lacks merit (for example, a disgruntled employee is overreacting), no further action may be required.

In other cases, an issue may appear to be valid, but once an investigation is begun, the investigator may learn early on that the problem can be isolated and contained without further probing. Examples may include allegations that can quickly be determined to have no basis, or asset-misappropriation schemes—such as theft of company assets, payments to nonapproved vendors, or expense-reimbursement fraud—that have no material impact on the financial statements. Oftentimes, in such cases, isolated procedures applied by company personnel will suffice, assuming that the company has confidence in its overall internal control and reporting structure.


Internal investigations increasingly have become an important aspect of the work of many legal departments. The outcomes can be meaningful and far-reaching, potentially impacting the reputation and financial well-being of companies and their employees. The stakes are even higher where criminal liability may be involved. Creating a defensible process and being thorough in the accumulation of evidence, review of documents, and interviewing of witnesses will assist companies greatly in dealing with government authorities, consumers, vendors, and employees—and in putting the issues at the core of an investigation behind them.

Elizabeth S. Fenton is a partner with Saul Ewing Arnstein & Lehr LLP in Wilmington, Delaware. Michelle N. Lipkowitz is a partner with Saul Ewing Arnstein & Lehr LLP in Baltimore, Maryland. John Levitske and Mark A. McGrath are senior managing directors of Ankura in Chicago, Illinois.


Ankura is the Litigation Advisory Services Sponsor of the ABA Section of Litigation. This article should be not construed as an endorsement by the ABA or ABA Entities.


Copyright © 2019 American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).