Establishing the parameters of an investigation is one of the most critical responsibilities facing compliance officers. Define an investigation too narrowly and the company risks missing important pieces of evidence or possibly additional violations. Define it too broadly and the investigation can drag on for long time periods and burn through cash.

An extremely limited scope can also give the impression that the investigation is being undertaken for the sake of appearance, and not to uncover wrongdoing, say investigation specialists. Rather than simply accept the conclusion of an overly narrow investigation, compliance officers need to “peek around the corners,” says Brian Miller, inspector general at the General Services Administration, which manages property and some back-office services and purchasing for the federal government. If an allegation claims that a vendor mischarged on a set of invoices, for example, the investigation should include not only the invoices in question, but other contracts involving the vendor, he says.

Join the Compliance Week community

Receive the latest in corporate governance, risk, and compliance news from Compliance Week. Become a new member and get a one-year print & digital subscription for just $8/week.

Learn more

Casting too wide a net during an investigation also has consequences beyond wasted time and resources. It also can cause compliance to lose credibility if it appears that the investigation has become a fishing expedition.

An overly expansive investigation also can become a distraction to others. Just by showing up, an investigator can prompt questions and anxiety, says Kevin Sisemore, director of internal audit at the University of Colorado. “There’s a lot of lost productivity due to speculation and concern,” when an investigation is underway, he says.

Rightsizing the scope of an investigation, however, can be daunting. For starters, a number of departments often need to be involved, including internal audit, compliance, legal, finance, HR, and others. And the investigation could often involve employees at local and regional levels. As the number of individuals involved increases, “it can be an absolute mess to manage and coordinate,” says Scott Lane, executive chairman at compliance consulting firm The Red Flag Group. 

Moreover, many of the individuals likely will find suspicious activities—say, unexplained reimbursement requests—that are unrelated to the investigation at hand. “When you bring in experts, they’re going to find other things,” says attorney Michael Volkov, an expert in corporate compliance. Of course, this information shouldn’t be ignored. However, it may need to be set aside for another investigation. Otherwise, the primary investigation will continually become sidetracked. 

Moreover, while most outside experts brought in to aid an investigation will act ethically and honestly, they also have a financial incentive to push for a broader and longer, rather than a more targeted, shorter investigation. To minimize the chance that this occurs, “you have to manage the process knowledgeably,” says Volkov. That means focusing on the elements of the case at hand.

Changing scope

“Scoping is something that doesn’t go away. It guides the investigation. The scope can expand, contract or morph.”

Brian Miller, Inspector General, General Services Administration

To be sure, it’s rarely feasible to set firm parameters at the very outset of an investigation and then never deviate from them. More typically, the initial scope is set based on the information available, and then refined as more data is gathered. “Scoping is something that doesn’t go away. It guides the investigation,” says Miller. “The scope can expand, contract, or morph.”

That being said, a few guidelines can help to ensure that the initial parameters are intelligently set and that any modifications to the scope are necessary and reasonable.

An initial step is determining whether the allegation actually is a compliance issue that merits an investigation, Sisemore says. A straightforward theft of a computer, for example, typically is a matter for the local police. That same action, however, could become a matter for compliance or internal audit if someone tries to hide the theft by doctoring records. Making such determinations often hinges on having clear, well-written policies that identify the lead investigators—say, internal audit, HR, or the local police—for different situations, Sisemore adds.

Compliance investigation checklist

The Society for Corporate Compliance & Ethics suggests using the following checklist when conducting an internal investigation:

  1. List all the allegations of misconduct or concerns reported.
  2. Segregate facts from opinions, feelings and hearsay.
  3. Determine if an investigation will be necessary.
  4. Identify who will manage the investigation.
  5. Identify who will conduct the investigation.
  6. Identify who may be required to support the investigation.
  7. Identify any documentation needed to support the investigation.
  8. Identify the individuals to be interviewed (consider order in which you plan to interview).
  9. Prepare standard questions in advance of the interviews.
  10. Schedule interviews in a location that offers privacy and confidentiality.
  11. Explain to interviewee the purpose of the interview, need for confidentiality, any related company policy, and if necessary, attorney-client privilege.
  12. Include names of investigator(s), interviewee, date, time on investigation record.
  13. Keep notes clear, concise and objective (to the extent practical, document exactly what the interviewee states).
  14. Identify and obtain additional documentation or the names of others who could corroborate the information obtained from the interviewee.
  15. Document observed behaviors, body language, lack of cooperation, nervousness, fear, etc …
  16. Review all documents and interview notes to your investigation plan.
  17. Prepare report based on facts and supporting documentation.
  18. If possible, obtain objective and independent review from an E&C colleague.
  19. Issue report to Management based on “need to know.”
  20. Follow-up with Human Resources to assure corrective or disciplinary actions were taken, if applicable.
  21. Determine with legal if external reporting (mandatory or voluntary) to customer of government agencies will be made.
  22. Maintain investigation file in accordance with your company’s record retention policy.
  23. Summarize investigations at a high level for periodic reports.

Some leading companies have developed protocols for investigations and can use them when an allegation arises, Lane says. Typical steps might include identifying key stakeholders, explaining to the business units how an investigation is conducted, and outlining the procedures under which information is released more broadly.

Having an established protocol helps to not only set the scope for an investigation, but can aid in setting reasonable expectations among those involved, Lane adds. Executives who haven’t been through an investigation in the past may be surprised at the time required to, for instance, dig through old e-mails and transaction records and interview employees, and often concern events that occurred several years earlier.

What’s the damage potential?

An important factor in determining the level of resources to dedicate to an investigation is the magnitude of the risks to the organization, should the allegation prove true, Lane notes. Along with financial and legal risks, the potential damage to the company’s reputation or brands should factor into the calculation.

It also helps to consider whether the allegation concerns one-off bad behavior by a single employee or a more systemic pattern of illegal or unethical actions, Miller says. Of course, a more systemic series of violations generally means a broader investigation.

If the alleged activity and the harm it’s causing appear to be ongoing, it probably will make sense to dedicate more resources to the investigation and to begin it sooner, rather than later, Sisemore says. The goal is to go and stop the activity before it causes further damage.

Scope creep

While the reasons to expand an investigation often are compelling, the result can be scope creep, and an investigation that spins out of control. One way to keep things on track is to create an investigation time line and identify the role each team member will play, says Joseph Spinelli, managing director and lead of the anti-bribery and corruption services team at advisory firm Navigant. “Make sure everyone is cognizant of the facts, allegation, and scope.”

Those involved also need to concentrate on the legal elements of an alleged offense or violation. Questions should include: “What is the provision allegedly violated and what do you have to establish to show the violation?” Volkov says. Addressing these questions can help identify the individuals and documents most likely to be able to provide information relevant to the search. “First focus, then determine where to go from there,” he says.

Without this discipline, it can be easy for an investigation to wander into allegations from decades ago or even get into conspiracy theories, Volkov adds. The result often is a waste of time and resources, he says. “Your job is to find information on the current allegation.” 

Some trial and error often is inevitable when setting the scope of an investigation. It can be difficult, for example, to identify at the outset the precise documents and interviews that will be needed to prove or disprove an allegation, Sisemore says.  Investigators often need to examine the sets of documents that seem most relevant, try to assess whether they’re getting closer to the information that’s truly needed, and if not, shift focus. “If something changes, you have to react,” Sisemore adds. 

At the same time, compliance officers have to continually assess whether the investigation has reached a point at which the cost of additional work will outweigh the potential benefits to the organization. Then, they have to be ready to say, “This is worth only so much, and we’re not going to spend another $1 million,” Lane says.

Making this call is difficult and requires a mix of solid legal, risk, and business expertise. “It requires leadership,” Lane says.