Major Considerations for Conducting a Compliance Investigation
Conducting a compliance investigation can sometimes feel like you’re looking for a needle in a haystack. Frustrating, time-consuming, and seemingly impossible to resolve. The quick and easy solution, of course, is to burn the haystack and sift through the ashes. But, not when that haystack is your company. Bear in mind that the purpose of your investigation is to strengthen your organization, not torch it. Thus, there are parameters investigators must observe and lines they must not cross. Anyone conducting a compliance investigation must act in accordance with legal and ethical protocols, and proceed in a way that is minimally intrusive on the organization’s operations.
Let’s suppose, for instance, that your company has received a customer complaint about a privacy breach. Your last compliance audit did not raise any red flags about your handling of sensitive data, but you can’t be sure whether you’re dealing with an isolated incident or part of a larger pattern, which could erupt into a substantial problem. You need to conduct a thorough investigation, but you must proceed in a way that doesn’t make matters worse. As a primer on how to proceed, we offer a brief summary of the leading considerations.
Legal and regulatory compliance
If your investigation might potentially reveal violations of regulatory requirements, it is critical to understand the specific regulations involved. You must be up to speed on the subject matter (e.g., employment law, privacy regulations, food safety or other industry-specific rules). So, if you are not an attorney practicing in that area, you should act in close consultation with someone who is.
If a whistleblower report prompted your investigation, your processes must comply with myriad protections for whistleblowers codified in pertinent state and federal law. Most importantly, your processes must be free from any taint of retaliation.
As regards data privacy and security, you must adhere to all relevant data protection regulations (e.g., GDPR, HIPAA, CCPA or other state privacy laws) when handling personal information.
Also be aware that whatever has triggered your investigation might fall under the self-reporting requirements of the pertinent statute. These requirements usually have specific timeline obligations which you must meet to avoid an enforcement action by a regulatory agency.
Scope and objectives of your investigation
Generally speaking, you want to use the least intrusive means to achieve the goals of your investigation. You should start by defining clear objectives. For example, you might want to determine if anyone in your company is committing fraud against the organization, is acting in a discriminatory fashion, or is violating particular aspects of your company policies.
Setting clear goals at the outset can help you avoid the “scope creep” of an uncontrolled investigation. When you define clear boundaries and focus on the key, relevant issues, you prevent your investigation from “growing tentacles” which can fan out quickly and elevate the risk of a violation.
Adherence to the investigative process
Discipline is essential for a successful investigation. This means maintaining three key components:
- Confidentiality — Investigators must exercise discretion to protect reputations and prevent retaliation. Those in charge must limit the knowledge and involvement of others (such as data analysts) to the minimum amount necessary to their specific role.
- Neutrality and objectivity — Investigators must scrutinize conflicts of interest to ensure that everyone participating in the investigation is unbiased and independent.
- Proper and thorough documentation — Investigators must keep thorough, accurate records of all tasks and findings. In many cases, regulatory requirements dictate how long the organization must keep such information secure, but the possibility of litigation is an additional consideration.
It cannot be stressed enough that the manner in which you conduct your investigation will either reinforce and strengthen your organization’s core values or violate and erode them.
Evidence collection and employee rights
Inevitably, an investigation must examine employee conduct to ascertain whether certain actions conform to the law and/or company policies. This inquiry must proceed within legal and ethical boundaries.
Of paramount concern are employee privacy rights. Many companies have internal employee privacy policies that outline the privacy expectations for employees. State and federal laws also enshrine employee privacy rights. Before gathering evidence, such as employee emails or text messages, investigators must familiarize themselves with pertinent employee privacy regulations, as well as the company’s written policies.
Evidence that might implicate privacy law requires special handling. When preserving such evidence, companies must secure and protect all materials. Investigators must limit access to those directly involved in the investigation.
Remedial actions and follow-ups
The results of the investigation should be used to strengthen the organization. Three positive applications of the results are:
- Disciplinary actions — Misconduct must carry consequences, but penalties must be fair and consistent. By allowing due process for accused employees and imposing just sanctions upon proof of wrongdoing, your process contributes to the building of an ethical organizational culture.
- Process improvements — Your findings can indicate ways to improve controls and policies to prevent similar violations in the future.
- Monitoring and compliance audits — You now have a basis to conduct regular reviews to ensure continued compliance.
Investigations should do more than “catch the bad guys.” They should disclose lapses where your organization needs improvement, enabling you to strengthen all areas of compliance.
When to consider hiring outside legal or forensic accounting support
It’s been said that the first rule of lifesaving is “The rescuer must survive.” Just so, the first rule for compliance investigations is “The investigator must comply.” Compliance investigations can be complex, and how you handle an investigation has serious implications for your organization. First, there’s the matter at hand, which challenges you to obtain the answers you need, so you can understand what has taken place and how to remedy the situation. Are you up to that task? The second consideration is a point of lasting importance: how might the investigation impact your corporate culture? You must ask whether you can conduct your inquiry in a manner that upholds and reinforces your organization’s values. If there is any doubt, you should consider hiring experienced outside professionals who can help your company avoid some of the pitfalls referenced above.