Beryl Markham was a 20th Century female adventurer and one of the first pilots to fly solo and non-stop across the Atlantic (she did it from east to west against prevailing winds). Markham also knew how to turn a phrase. “The way to find a needle in a haystack,” she once said, “is to sit down.”
When it comes to conducting corruption investigations, we would do well to heed her advice—as a warning.
The investigation of a report of bribery or another alleged corrupt act resembles a search for a needle in the corporate haystack. However, investigators who sit down on the job can be certain that their organizations will endure consequences far more painful, costly and disruptive than a little jab.
If the investigation team simply starts rooting around in the hay without this knowledge, the investigation is going to drag on; worse, it may fail to uncover the full scope of the problem. Violations are rarely isolated. If the investigation team fails to unearth other, related ethical violations (or even a major root cause), disruptive follow-up efforts are necessary and the U.S. Department of Justice may take a keen interest.
“Billions of dollars in fines, penalties, disgorgement of profits, and professional fees signal that we are in a world that has bribery and corruption firmly in the center of any international company's radar,” asserts a new eBook “Bribery and Corruption: Navigating the Global Risks” from Ernst &Young's Fraud Investigation & Dispute Services practice.
“The individuals conducting the investigation have to know what the needle looks like before they search,” notes Littler Shareholder Katherine Franklin, who has trained companies on how to conduct effective investigations for more than 20 years. “You need to know what corruption looks like. You need to know what tools and processes to use to make your search as effective and efficient as possible. And you need to know where to look.”
Finding the needle in the haystack marks a difficult-to-develop but crucial capability. When a hotline or a manager receives a report of a violation, a swift and comprehensive investigation is an absolutely necessary response. Anything less can ultimately expose the company to major compliance risks and criminal liability. Yet, conducting a quick, rigorous, and methodical investigation is difficult due to several obstacles including the following:
Translation Obstacles: Recent research indicates that less than 5 percent of all reports of ethical violations are captured by ethics hotlines. The vast majority of these issues are reported to managers and supervisors—but rarely is the reporting done in a crystal-clear (“I witnessed a $50,000 bribe”) manner. Managers need to understand how to spot certain indicators of problems (“I felt uncomfortable when …”) and then ask more questions to flesh them out.
“You need to know what corruption looks like. You need to know what tools and processes to use to make your search as effective and efficient as possible. And you need to know where to look.”
Selection Obstacles: Once an investigation is deemed necessary, the question of who should lead the effort arises. Too often, companies get this answer wrong: HR managers are left to investigate fraud and in-house attorneys take the lead in instances where outside counsel would bring much-needed objectivity to the process.
Breadth and Depth Obstacles: Slow starts can cripple an investigation, but zipping through without looking broadly and deeply enough can blind the investigative team to patterns of unethical behavior or root causes.
By following pre-established steps to triage issues and manage investigations to resolution, your organization, can dig the needle out of the haystack before it pricks you in the …
Investigating Corruption: An OCEG Roundtable
Switzer: Let's start at the beginning, when there is a report or suspicion of corrupt activity what are the very first steps you need to take?
Thomas: First, you have to assess the credibility and seriousness of the event to ensure that the level of response is appropriate and proportionate. Evaluate the qualitative aspects of the allegation rather than focusing on the quantitative aspects, because the notion of “materiality” should not affect the decision to investigate further. Then develop an investigative workplan tailored to the specific facts and circumstances, and revise it as new facts come to light.
Martin: You need a good intake and case management system overseen by an experienced attorney; and you have to preserve all potentially relevant evidence. Cycle times should be monitored so that remedial actions are prompt and followed up to ensure any harm has been stopped.
Siciliano: The initial risk analysis considers the matter's scope, urgency, complexity, and severity. Ask if the issue involves a single individual or multiple people, business units, and physical locations. Are there obligations to disclose to the government or key stakeholders? Is it urgent to intervene quickly to limit exposure? Does the matter involve complex areas of law or technical facts? Do the allegations relate to the reliability of the company's financial reporting? Do they involve high-level employees? Is there a potential public relations consequence? Will regulators and your auditors care?
Switzer: In the United States, immediately establishing attorney client privilege for an investigation into alleged corruption is considered essential, but is that the case—and is it even possible—when the investigation involves activity in other countries?
Siciliano: Privilege typically is not as strong outside the United States. In some jurisdictions, privilege exists for outside counsel, but not for in-house counsel. When conducting a cross-border investigation, I always try to protect the privilege here in the United States by making sure there is a licensed U.S. attorney present during interviews and limiting non-lawyer involvement. But in a country like Japan, in-house legal departments often have no licensed lawyers. This fact, combined with cultural inclinations to report everything through set communication channels to a broad range of parties, can create tension in trying to preserve the privilege.
Martin: Preservation of privilege in a multi-jurisdiction investigation is very challenging because of widely varying rules. Nevertheless, it is very important because now there is an unprecedented level of cooperation and sharing of information among prosecutors across borders. There is no protection for a company against double jeopardy for the same offense in different jurisdictions, and if the attorney-client privilege is non-existent or waived in one jurisdiction, it may be waived in others.
Thomas: Given the risks, you really need to make sure the investigation team knows how to identify and address local privilege and data privacy issues when determining how to collect, store, and analyze the relevant documents and data for the investigation.
OCEG ROUNDTABLE PANELISTS
Vice President, Chief Compliance Officer,
Senior Deputy General Counsel
Fraud Investigation and Dispute Services,
Ernst & Young
Switzer: Corruption can range from an individual salesperson's decision to bribe a government official to a concerted conspiracy that establishes an ongoing kickback scheme. What steps do you take to determine if this is a single bad act versus an ongoing scheme with multiple participants?
Thomas: Determining whether a transaction is an isolated act or part of pervasive or systemic issue is essential. Indicators from e-mails, interviews, or other sources should be investigated further, and it is important to focus on the attributes of the problematic transactions and how they are recorded in the company's books. For example if an employee admits to paying a bribe through an excess commission to an agent, analysis of payments to that agent may identify numerous similar transactions. There may be other indicators in the general ledger meta data that could identify problematic transactions and experienced investigative teams can apply data analytics to identify other non-standard transactions.
Siciliano: That really is the purpose of the investigation. You may have allegations about a discrete event, but your investigation is going to assess whether there was similar wrongdoing by that individual over a period of time. With data mining tools this process has become much simpler and more efficient. Even if you don't find evidence of additional misconduct, the fact that the wrongful conduct did occur is reflective of a potential weakness in your control process and you should evaluate whether others in the organization have exploited that weakness. If you have an internal audit function that is regularly checking control processes, point them in the direction of the potential weakness and have them test it for you. When these discrete incidents of misconduct arise, an organization needs to use them as an opportunity to see if they are part of a larger problem.
Switzer: What sort of policies, procedures, and controls around information management and document retention are necessary to ensure that evidence remains available to the investigators?
Siciliano: While most investigators would prefer that evidence stay around forever, that's neither practical nor advisable in today's business world. Instead, a business should implement document retention policies and procedures that are tailored to how the company is structured and goes to market. Rather than use generic descriptions, the policy should clearly explain how to handle and retain specific types of documents, identified by the terms used by the business. Companies have gotten into trouble recently for what courts have found to be unreasonably short e-mail retention policies, so at a minimum companies need to make sure that their policies are reasonably related to business needs and don't appear to be designed to hide information. It's also helpful to have an IT infrastructure which makes ESI accessible and gives you the ability to segregate relevant users' content from the rest of the population. Companies also need to have strict controls in place that establish who has authority to delete data. The worst scenario is inadvertent deletion because a court may treat it as deliberate destruction of evidence. A key element of maintaining the necessary controls is a cooperative working relationship between the legal, HR, and IT departments and a process in place for securing approval for the destruction of data.
Thomas: Most companies perform regular backups of important data and have established formal document retention policies that allow the company to comply with its legal and local tax requirements. It is important to understand these different policies and procedures to ensure that data is not inadvertently lost or destroyed. This is often addressed by issuing a document preservation notice or legal hold notice that is provided in local languages, is broadly distributed, and clearly defines what is to be retained. The investigative team should immediately consider acquiring forensically sound images of the data on employees' laptops and of the company's servers in order to preserve what may turn out to be very relevant metadata. The preservation of other electronic data, such as information on smartphones and thumb drives or other external media, should also be considered. The decision of what data to review and how to review it can often be taken at a later time, but it will at least remain available to the investigative team if it is preserved. The investigative team should also contact IT to ensure that relevant backup tapes are not being overwritten and contact any off-site storage facility to ensure that hard copy documents are not being routinely destroyed.
Switzer: How do you decide if, and when, to inform external stakeholders, including legal authorities, about an ongoing internal investigation?
Martin: First take into account whether reporting is mandated by law such as required disclosures for public companies in U.S. Then you have to consider how significant the discovered violation is; whether disclosure is required by an agreement such as a DPA; how likely it is that disclosure will be made by someone else such as a whistleblower or disgruntled employee; the impact of the Dodd-Frank Act's whistleblower rules; what the rules are for disclosure in various jurisdictions; whether the rewards of disclosure outweigh the risks; and who needs to be involved in the disclosure decision. Remember, once you disclose you lose control of the matter.
Siciliano: After considering legal reporting obligations and the seriousness of the event, I consider what I have actually learned in my investigation. External stakeholders such as auditors typically take the view that your first duty is to report to them no matter what. I think, however, you first need to know what you're reporting. I've experienced too many situations where a stunning allegation turns out to be a simple misunderstanding. Also, you don't want to report on something that you don't fully understand because, when your report contains mistakes, you potentially lose credibility with the third-party stakeholder.
Thomas: You don't always get to decide. In some cases, the investigation has been triggered by an inquiry from the government and discussions with the regulators are ongoing throughout the investigation. And, whether disclosed to regulators or not, companies are still subject to audit and have reporting obligations in respect of their public filings. In other cases, once the investigative team has developed enough facts to corroborate bribery or corruption issues, the company may seek to self-disclose issues in return for leniency, in which case what you disclose may be as important as when. For example, you may include a summary of progress to date, highlighting the remediation steps that the company is taking to punish those involved and prevent future recurrences.