Inside Internal Controls

News and discussion on implementing risk management

Allegations and investigations


It is difficult today to avoid news about allegations and subsequent investigations.

First it was a slew of high-profile allegations about sexual misconduct. Now it’s about abuse of power – and the sex-related allegations continue.

In my time, I have conducted many investigations, had my team perform others, and been a target in an allegation that was investigated by outside counsel hired by the audit committee. So I think I have some relevant experience!

What we should all note from the news is that a failure to perform an appropriate investigation is a serious source of risk to any organization.

This is what I believe:

1. It is critical for any individual within the organization to be able to report suspected inappropriate behavior without fear of retaliation.

The apparent effort by members of the US government to identify a whistleblower and then paint him or her as a political operative is unforgivable and probably illegal (these federal employees are protected by law).

Unfortunately, many people do not come forward because there is a credible fear – justified by real life examples – of retaliation.

I advised (through her attorney) one lady who reported suspected wrongdoing by her manager to her company’s ombudsman, as required by company policy. However, her manager had started a disciplinary process against the whistleblower, triggered by that person’s refusal to perform what she believed to be corrupt acts demanded by the manager. The ombudsman was a senior member of the legal department who was advising the manager on the disciplinary process; he refused to open, let alone act on, the whistleblower’s complaint. Unfortunately, the whistleblower was fired, her allegations were never investigated, and her personal attorney failed to advise her properly on how to sue for damages. (Sadly, the only protection under federal law is when the whistleblower reports the suspected activity to the SEC. No protection against retaliation is provided when allegations are reported to the company’s ombudsman or hotline following company policy.)

At one company, an individual told one of my team that she had been subject to inappropriate sexual harassment. He came to me and I advised that the lady should report the allegation to HR or the hotline. Our team did not investigate personnel-related incidents. Later, I asked the VP of HR whether the allegation had been received, without naming the person. He said that it had been received but he had decided it had no merit and would not investigate. He had recognized the name of the complainant and that was enough for him. He said the lady had disciplinary problems and was complaining to protect her job, not because anything had happened. I tried to persuade him that the allegation needed to be investigated, to no avail. I reported this to the General Counsel and let him handle the issue, which he did.

Failing to investigate an allegation by an employee who is being disciplined exposes the company to a claim that the company’s actions against the employee are retaliation.

I also think about the ladies who have alleged inappropriate sexual activities by Supreme Court judges during the confirmation proceedings. They were not only identified by name but were publicly ridiculed.

These allegations should, if there was to be a fair process, have been investigated quietly by professional investigators with an open mind, not in public. Frankly, as I look at the current impeachment inquiry, I have to wonder whether the process is appropriate. It should be much quieter and performed by objective professionals.

2. It is also critical that individuals outside the organization be able to report suspected wrongdoing by our employees.

I can recall a number of cases where vendors and customers gave us information that we investigated and determined there had been fraudulent acts. (The assessment of fraud is a legal determination, based on facts that we provide counsel.)

Few organizations, in my experience, have processes where vendors, customers, and others can report suspected inappropriate behavior by an employee of the company. When complaints are made, they generally end up in the wrong hands because the third party doesn’t know whom to tell.

3. Every allegation should be considered. Before launching a formal investigation by my team, we look to see if there is predication.

  • If the allegation is true, would the actions represent a violation of law, company policy, or desired behaviors?

    If not, we still consider whether it would be appropriate to conduct further inquiries; sometimes, the whistleblower did not explain the situation adequately and we have our suspicions.

    If yes, then we determine who is responsible for the preliminary investigation: a process to see if a formal investigation should be opened. Sometimes, it is internal audit, sometimes HR, and sometimes it could be another function like physical security or legal.
  • Is there sufficient information and evidence that the allegation might be true?

    Sometimes, we can fairly quickly determine that it is without foundation, in which case we document that and close the case. (We will consider contacting the complainant if we know who that is to make sure a mistake has not been made in the details they provided. On rare occasions, we might consider investigating whether this was a deliberate smear that represents a violation itself.)

    There have been times where the allegation was too vague to investigate. If we can contact the complainant, we will try to elicit more information. If not, we flag the complainant, keeping it open and waiting to see if we receive more at a later date.
  • If there is predication, we will open a formal investigation. But we try very hard to keep it quiet. The fewer people who know about it the better, even (and especially) management. I am proud to have completed investigations of suspected inappropriate employee behavior and closed them as without foundation without the ‘targets’ even knowing there had been either allegation or investigation.

4. All investigations should be conducted by trained (and certified, where possible) objective professionals.

My investigators (including myself) were either certified fraud examiners or had received appropriate formal training in investigations, interviewing, and interrogations.

The investigation is to uncover related facts. Interpretation of those facts is a management decision with advice from legal counsel. It is very easy, too easy, for investigators to form opinions that bias and taint the investigation.

Every ‘target’ must be treated with respect and dignity throughout the investigation.

I suffered through an investigation by HR of a personnel-related complaint against some of my employees. The investigator did not know what she was doing and alienated everybody – and then failed to uncover the truth.

When a complaint was lodged against me (together with the CFO), the audit committee engaged outside counsel. She was professional and handled herself well. It was an awful experience but turned out well – although the individual who invented the complaint was paid to leave the company, which upsets me even today.

5. Internal audit should consider a periodic review to ensure all of the above and provide assurance to top management and the board that the allegation and investigation processes are appropriate.

Where internal audit itself is responsible for the hot line or related processes, and/or investigating allegations, they should consider engaging a third party to perform a review and report the results to the board.

What do you think?

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.