Effective Corporate Investigations

The number of U.S. companies facing regulatory proceedings continues to increase. In 2014 alone, more than two-thirds of companies in the insurance, energy, financial services, and health care industries reported retaining outside counsel to assist with regulatory and government investigative activity.¹ This increasing regulatory scrutiny, along with a renewed focus on ethical behavior and protecting (and in some cases incentivizing) whistleblowing activity, has created an environment where corporate lawyers are increasingly called upon to conduct or supervise internal investigations into suspected wrongdoing.

An effective internal investigation may provide management or the board with the information it needs to make an informed decision on how to proceed in the face of alleged misconduct. In many cases, the investigation will provide the information needed to ensure that no future violations occur. Unlike many forms of traditional litigation, however, there is often no roadmap to follow. Internal investigations may cover various topics such as suspected accounting fraud, violations of antitrust and environmental laws, violations of the Foreign Corrupt Practices Act, violations of government contracting regulations, violations of trade sanctions and export controls, insider trading, employee theft, kickbacks, violations of a company’s specific policies and procedures, and so on. There are usually no mandatory procedural rules or court-imposed deadlines; there are no local rules or forms to follow. More importantly, how an investigation is conducted and the scope of that investigation are necessarily informed by the context and the potential impact on a particular company. As a result, there is a seemingly limitless variety of procedures and protocols to choose from.

The purpose of this article is to discuss factors to consider in determining whether and how to conduct an internal investigation, to highlight potential pitfalls that may occur along the way, and to provide pointers to help avoid these pitfalls.

Whether to Initiate an Internal Investigation

Internal investigations often start with an allegation of wrongdoing, which may come from an employee, a shareholder, a director, the media, the company’s outside auditors, the government, or someone else. At the outset, the company must decide whether the allegation warrants investigation and, if so, who should conduct the investigation.

In some cases, the decision to commence an internal investigation is determined by statute. Section 10A of the Securities Exchange Act of 1934, for example, requires a registered public accounting firm to take certain actions when, during the course of an audit, the auditor becomes aware of information that indicates that an “illegal act” may have occurred (regardless of whether that illegal act is perceived to have a material effect on the issuer’s financial statements).² In these circumstances, auditors generally require the company to investigate the potential illegal act, and then the auditors evaluate, pursuant to Section 10A, whether the company has taken appropriate remedial action.³

In many situations, however, companies will exercise discretion in deciding whether an allegation warrants a formal internal investigation. Investigations can be disruptive and expensive, and resources are limited. While the need to investigate in some situations is obvious, in some situations determining whether to conduct an investigation, and how that investigation should be conducted, are judgment calls. Some factors to consider in making these determinations include:

• the seriousness of the allegations, including whether the alleged misconduct violates federal or state criminal law or company policy;
• whether the alleged misconduct involves senior management or board members;
• the company’s potential exposure if the allegations are true;
• the possibility for additional, future violations, or the possibility that the violations are continuing;
• whether the alleged misconduct implicates a potential health and safety risk to employees or others;
• whether the alleged misconduct calls into question any prior internal control or financial certifications provided by executive officers, and whether the alleged misconduct prevents such officers from truthfully executing future certifications;
• the likely response of the company’s auditors to the alleged misconduct;
• whether there is a parallel government investigation, or whether such an investigation is likely to occur;
• whether the company’s audit committee charter, code of conduct, or other policies mandate or encourage an investigation;
• whether the issue must be reported to regulatory officials;
• the extent to which the company may receive credit from enforcement officials for conducting its own investigation; and
• the possible impact on any pending or potential civil litigation.

Consideration should also be given to whether the company has a history of similar violations, because such history raises the likelihood of regulator intervention.⁴ If a complaint cannot be objectively dismissed as frivolous, the following scenarios often warrant some type of formal internal investigation:

• a subpoena from a government agency or regulatory authority, such as the Department of Justice (DOJ) or the Securities and Exchange Commission (SEC), which suggests that the company is the focus of an inquiry;
• a shareholder demand letter;
• issues raised by an external auditor; and
• an internal report, such as through an ethics hotline, raising serious allegations involving senior management.

The likelihood of litigation or a separate government investigation usually weighs in favor of initiating an internal investigation. A prompt and thorough investigation gives the company the opportunity to get ahead of a separate investigation and, in some circumstances, convince the government or regulator that additional investigation is not necessary. Further, a thorough investigation of the individuals involved in the potential misconduct may be required to receive cooperation credit from the DOJ. On September 9, 2015, the DOJ issued a memo outlining six steps that prosecutors should take in all investigations of corporate misconduct. The first step states: “To be eligible for any cooperation credit, corporations must provide to the Department all relevant facts about the individuals involved in corporate misconduct.”⁵ Once the threshold requirement of “all relevant facts with respect to individuals” is met, the extent of the cooperation credit will depend on factors that have historically been applied, including “the diligence, thoroughness, and speed of the internal investigation.”⁶

Determining Who Supervises the Investigation

The decision of who should supervise the investigation, like the decision of whether to conduct an investigation, is highly contextual. Many investigations may be and are properly handled by a company’s own employees. Many larger companies, for example, have highly skilled legal and other staff dedicated solely to conducting such investigations.

In some situations, however, management should not be in charge of the internal investigation. If the alleged misconduct involves senior management, for example, or if the corporate entity itself is the focal point of a government investigation, the board should consider delegating the task of overseeing the investigation to a committee of board members who are not implicated in the alleged wrongdoing (such as the audit committee or a committee formed specifically for the investigation). If management is perceived as conducting or influencing the investigation, the investigation may not be afforded credibility by regulators. Further, if the investigation involves public company accounting or other disclosure issues, the company’s outside auditors may insist that the investigation be conducted by independent board members and independent outside counsel.

Assembling the Right Team

Internal investigations are often handled with the assistance of outside counsel, who may have expertise concerning the laws at issue and experience with the interested government agency or agencies. Where an internal investigation is significant, a company should consider whether to hire a firm other than its regular outside counsel. In the view of some regulators, longstanding outside counsel may be incentivized to avoid passing judgment on management.⁷ Also, the company’s regular outside counsel may have been involved, directly or tangentially, with the subject matter of the investigation.

There are, however, significant costs that come with hiring a separate outside law firm to conduct an investigation. In some circumstances, the company’s regular outside counsel may have special expertise that would assist in the investigation, and such counsel may be particularly qualified to work with any interested regulators. In some cases, the government agency and/or the company’s auditor may consent to (or even suggest) the use of regular outside counsel. Absent such circumstances, however, an investigation conducted by independent outside counsel is more likely to be credited by prosecutors, regulators, private litigants, and the courts.

In addition to outside counsel, consideration should be given at the outset to potential experts needed to assist counsel. These experts usually should be retained by counsel, not the company, to ensure the privilege is protected, and such experts should sign retention agreements that make clear their engagement is intended to facilitate the provision of legal advice.⁸

Preparing an Investigative Plan and Defining the Scope of the Investigation

Once the company determines who will supervise and conduct the investigation, the investigative team should prepare an investigative plan that defines the scope of the investigation. Preparing an investigative plan helps keep the investigation on schedule and on budget and may help identify potential pitfalls along the way. If a government agency is involved or is likely to become involved, a thorough plan may assist the company in showing that the company treated the allegations seriously and responded appropriately.

The scope of the investigative plan will often track the principal allegations of wrongdoing. The investigative team, however, should be mindful of related conduct that is likely to be of interest to government investigators. For example, although the allegations of wrongdoing may involve a specific company segment or region, many government agencies will demand specific investigation into whether senior employees with broader responsibilities or board members knew of the misconduct or should have known of the misconduct. One example of this often occurs in accounting investigations conducted by the SEC. In the wake of an accounting restatement that stems from one specific company segment or one geographical region, the SEC may probe the bases for prior Sarbanes-Oxley certifications by the CEO and CFO, which normally state, among other things, that the company maintained sufficient internal controls over financial reporting, that the company had evaluated the effectiveness of those internal controls, and that the company had disclosed significant deficiencies and material weaknesses in its internal controls.

The investigative plan should generally include an assessment of which company operations and employees are potentially involved and what jurisdictions will be the focus of the investigation. It may also be useful to provide an overview of what documents and data will be reviewed, who will be interviewed, and which financial records will be targeted in any forensic audit component of the investigation. A plan also helps to identify data privacy issues in countries that prohibit the collection of certain types of data, such as personal employee e-mail, or impose restrictions on transferring data across borders. Short preliminary interviews are often useful to identify the universe of relevant documents, reporting structures, roles and responsibilities, and IT practices and infrastructure.

If counsel retains experts, rules should be established to ensure that communications to the client will involve counsel. In addition, experts should not interview any witnesses separately without counsel. Counsel should be present at witness interviews to explain who counsel represents, whether the attorney-client privilege applies, whether that privilege may be waived, and who has the authority to waive that privilege. Although these so-called “Upjohn warnings” are well understood by most lawyers,⁹ there is always the risk that officers and employees will assume that company counsel is acting on their behalf. If the company is already cooperating with government authorities and there is an agreement in place that the company will share the substance of interviews, counsel should advise interviewees that waiver of the privilege is likely, probable, or certain—whatever the case may be.

Privilege Considerations

Potential waivers of the attorney-client privilege may arise from sharing information with the individuals whose conduct is being investigated, with auditors, and with the government. Credit for cooperation with the government, however, does not require waiver of the privilege. In 2008, the DOJ changed its Principles of Federal Prosecution of Business Organizations, marking a notable change from the policies in the January 2003 Thompson memo.¹⁰ The principles now state: “Eligibility for cooperation credit is not predicated upon the waiver of attorney-client privilege or work product protection. Instead, the sort of cooperation that is most valuable to resolving allegations of misconduct by a corporation and its officers, directors, employees, or agents is disclosure of the relevant facts concerning such misconduct.”¹¹ The SEC has similarly articulated that legitimate privilege assertions should not preclude cooperation credit.¹²

A recent case suggests that the investigative team may be well served to expressly inform any interviewees that one of the purposes of the interview is to obtain information to provide the company with legal advice. In United States ex rel. Barko v. Halliburton Co., a company started an internal investigation based on allegations that it had overbilled the federal government for work by Iraqi subcontractors.¹³ After the company received allegations of the overbilling, nonlawyers in the compliance department conducted interviews and sent reports to the legal department pursuant to the company’s code of business conduct.¹⁴ In subsequent civil litigation, a court held that 89 documents from the investigation were not privileged because the investigation was “undertaken pursuant to regulatory law and corporate policy rather than for the purpose of obtaining legal advice.”¹⁵ The district court noted that the interviewed employees were not notified that the purpose of the interview was to assist the business in obtaining legal advice, and concluded that this fact further supported that the “purpose of the investigation was for business rather than legal advice.”¹⁶

The D.C. Circuit Court of Appeals granted mandamus relief, vacated the district court ruling, and remanded, holding that the documents were protected by the attorney-client privilege because a “substantial purpose” of the investigation was to obtain legal advice.¹⁷ The court found that the company’s claim of privilege was “materially indistinguishable” from the claim sustained in Upjohn Co. v. United States,¹⁸ the landmark Supreme Court case holding that the attorney-client privilege protects confidential employee communications made during a company’s internal investigation led by company lawyers. Although the company obtained relief at the appellate level, it is noteworthy that the district court had already revealed the substance of some of the privileged documents in its earlier opinion. The decision serves as a reminder that if a company intends for its investigation to be covered by the attorney-client privilege, care should be taken to show that the investigation is being conducted under the supervision of lawyers for the purpose of providing legal advice and is not a routine compliance function.¹⁹

Pointers to Avoid Potential Missteps

Internal investigations involve a number of judgment calls, and the reaction to those judgment calls by interested constituencies such as government agencies, auditors, and shareholders are not always predictable. Nevertheless, the following are a few pointers to address issues that, in the authors’ experience, often arise during the course of internal investigations:

Identify, preserve, and collect relevant information early and document this process. Relevant information often includes data other than e-mail and hard copy documents, including items such as telephone records, text messages, instant messages, shared network files, backup data, Internet search histories, databases, voicemails, and other data that may only be accessible through a forensic examination of a device.

Adhere to the agreed upon investigative structure unless a formal decision is made to change it. If, for example, investigative counsel is reporting to the audit committee, the general counsel should not direct the activities of investigative counsel.

Act on allegations of wrongdoing promptly. A company is usually well served by gathering the facts and determining an appropriate response quickly. It may, for example, be in the company’s interest to self-report a potential violation before the government learns about it through other means. In the accounting context, there is usually limited time to resolve any issues before the next 10-Q or 10-K is due, and a missed filing deadline can have serious market and other repercussions (including a share price decline, shareholder class actions, and an SEC investigation).

Set a realistic time frame for completion. While companies should move swiftly to investigate allegations of misconduct, they should also set realistic timelines to completion. In the accounting context, for example, there is often a rush to complete an investigation before an SEC filing deadline, which is unsurprising given the consequences of a missed filing noted above. Once the company completes that filing, however, government agencies may ask detailed questions about the conclusions reached during the investigation and the bases for the financial information included in the filing.

Develop a clear plan prior to embarking on a substantial data review project. Even in situations where timing is critical, the investigative team is often better served by spending time up front planning any data review. Launching into a data review without a clear plan may cause the reviewers to miss relevant information, review irrelevant information, and create more issues (and expense) in the long run.

Carefully plan the interview process. Interviews are stressful for employees, and multiple interviews of multiple employees will damage employee morale. Where feasible, review all relevant information prior to conducting interviews to reduce the chance of multiple sessions. Avoid conducting interviews alone, and carefully document the information provided. It is important to get answers to all relevant questions, but it is also important to be polite. Keep in mind that it is not uncommon for whistleblowers to claim that a confrontational interview itself is retaliatory conduct in violation of a whistleblower statute.

Do not unintentionally waive the attorney-client privilege, and obtain board consent for intentional waivers. In some circumstances, privilege waivers are appropriate but usually should be approved by the board in advance. Efforts should be made to avoid unintentional waivers.

Pay attention to various interested constituencies during the investigation. In the authors’ experience, it is often important to communicate with various constituencies other than the client through the course of an investigation. Outside auditors, for example, should normally be kept in the loop on procedural steps the company is taking to investigate any accounting issues, because the auditors will need to be comfortable with the findings prior to consenting to a quarterly or annual SEC filing. Similarly, if the investigation starts with an internal complaint, consider communicating with the complainant. If the complainant is aware that the company is conducting a thorough and independent investigation, the complainant may forgo reporting externally.

Be sensitive to data protection laws in other jurisdictions. Countries other than the United States often have data privacy laws intended to protect company employees and others. Consult with a local practitioner prior to collecting or reviewing data located outside the United States.

Know your regulator. Different government agencies have differing views on what constitutes an effective investigation and what constitutes appropriate remedial action. Consider which government agencies are likely to be involved, and consider retaining professionals with direct experience working with these agencies. n

Notes

1. Norton Rose Fulbright, 2015 Litigation Trends Annual Survey (2015), available at www. nortonrosefulbright.com/files/ 20150514-2015-litigation-trends-survey_v24-128746.pdf. The survey contains data through 2014. The 12th annual survey, which contains data through 2015, will be released in May 2016.

2. 15 U.S.C. § 78j-1(b).

3. See id.

4. The Principles of Federal Prosecution of Business Organizations provide that “[p]rosecutors may consider a corporation’s history of similar conduct, including prior criminal, civil, and regulatory enforcement actions against it, in determining whether to bring criminal charges and how best to resolve cases.” U.S. Dep’t of Justice, U.S. Attorneys’ Manual § 9-28.600 (2008) [hereinafter USAM].

5. Memorandum from Sally Quillian Yates, Deputy Attorney Gen., Individual Accountability for Corporate Wrongdoing (Sept. 9, 2015), available at www.justice.gov/dag/file/769036/download.

6. Id. at 3.

7. See Speech by Former SEC Commissioner Roel C. Campos: How to Be an Effective Board Member (Aug. 15, 2006), available at www.sec.gov/news/speech/2006/spch081506rcc.htm (“In fact, when circumstances indicate possible wrongdoing, the audit committee and the board should have their own independent advisors, investigators, and lawyers. As guided by Sarbanes-Oxley, the board and its committees should ‘engage independent counsel and other advisors, as it determines necessary to carry out its duties’ and should not rely exclusively on the corporation’s advisors and lawyers.”).

8. See, e.g., United States v. Kovel, 296 F.2d 918 (2d Cir. 1961) (holding that when an attorney retains an accountant so that the lawyer may better give legal advice, communications related to that purpose are privileged).

9. See infra note 18 and accompanying text.

10. See Memorandum from Mark Filip, Deputy Attorney Gen., Principles of Federal Prosecution of Business Organizations (Aug. 28, 2008), available at www.justice.gov/sites/default/files/dag/legacy/2008/11/03/dag-memo-08282008.pdf; cf. Memorandum from Larry D. Thompson, Deputy Attorney Gen., Principles of Federal Prosecution of Business Organizations (Jan. 20, 2003), available at www.americanbar.org/ content/dam/aba/migrated/poladv/priorities/privilegewaiver/2003jan20_privwaiv_dojthomp.authcheckdam.pdf.

11. USAM, supra note 4, § 9-28.720.

12. SeeSec. & Exch. Comm’n, Enforcement Manual § 4.3 (2015) (“The staff should not ask a party to waive the attorney-client privilege or work product protection without prior approval of the Director or Deputy Director. . . . Both entities and individuals may provide significant cooperation in investigations by voluntarily disclosing relevant information. Voluntary disclosure of information need not include a waiver of privilege to be an effective form of cooperation and a party’s decision to assert a legitimate claim of privilege will not negatively affect their claim to credit for cooperation.” (emphasis omitted)).

13. 37 F. Supp. 3d 1, 3 (D.D.C. 2014).

14. Id. at 4.

15. Id. at 5.

16. Id. at 5–6.

17. In re Kellogg Brown & Root, Inc., 756 F.3d 754, 760 (D.C. Cir. 2014).

18. 449 U.S. 383 (1981).

19. On remand, the district court ordered disclosure of the internal investigation documents a second time, finding that the company had waived the privilege when a witness reviewed the documents in preparation for a 30(b)(6) deposition and when the company put the content of the documents “at issue” in a summary judgment brief. Although this decision was also reversed by the D.C. Circuit, it serves as a reminder that companies should exercise caution when using privileged investigative materials to aid in future litigation. See In re Kellogg Brown & Root, Inc., 796 F.3d 137 (D.C. Cir. 2015).