The paper analyses the stages of investigation of corruption violations in public and private companies.
The publication stresses that, to conduct investigations of this kind effectively, it is necessary to properly gather and store evidence, ensure the confidentiality of information, including the data of whistleblowers, respect the rights of employees to protection, privacy and integrity of personal data, optimize the duration of investigations, and define and formalize the procedure for internal investigations in advance, including:
- grounds for initiating an internal investigation;
- main stages of the investigative process and their duration;
- persons responsible for deciding on initiating the investigation and conducting it, their functions, and requirements on disclosure and management of possible conflicts of interest of these persons; for example, the decision to initiate an investigation can be entrusted to the manager, a person appointed by him/her or a dedicated or ad hoc committee, while the conduct of the investigation can rest with an internal investigative team or be outsourced in the event that the responsible employees have conflicts of interest;
- objectives of the investigation;
- methods and instruments used throughout the investigation;
- provisions aimed at protecting whistleblowers and alleged perpetrators under investigation from retaliation, as well as ensuring the confidentiality of information, including personal data, gathered throughout the investigation;
- criteria for selecting the corrective action based on the outcome of internal investigations.
The procedure for internal investigation can be described in a separate document (for example, in the Rules of internal investigation), in local corporate acts defining the functioning of internal reporting channels, or in other documents, and must be brought to the attention of all employees of the company.
1. Initiation of investigation.
The paper highlights that an internal investigation can be initiated:
1) following tips received inside the organisation:
- through the reporting channels, concerning violations committed by employees, including former ones, shareholders, members of the administrative, governing, supervisory or monitoring body of the company, including the non-executive members, and other persons associated with the organisation,
- based on the outcome of the internal control and/or audit procedures; in this case it is recommended that organisations immediately contact the judicial authorities;
2) based on external information, in particular:
- reports made by third parties, including counterparties of the company, its contractors and/or subcontractors, and applicants for positions in the organisation or persons who have other kinds of pre-contractual relations with the organisation;
- initiation of court proceedings against the organisation: the latter can express its intent to cooperate with the investigation, including by conducting an internal investigation;
- requests for information from foreign authorities: upon receipt of such a request, the organisation can initiate an internal investigation of the facts set out in the request;
- violations detected in the course of external audit procedures, including those conducted in the framework of mergers and acquisitions, audit of a partner or annual audit procedures.
2. Conduct of investigation.
The paper states that companies should follow a set of principles throughout the investigation, in particular:
- gather evidence by using only legal and fair methods;
- follow the principle of loyalty (faithful compliance with the employment contract) enshrined in the law, which means that an employee should cooperate with the investigation conducted by the employer, while the employer should respect the procedural safeguards in the interest of the employee and, where the means of investigation can damage the interests/rights of employees, use means proportionate to the goal pursued;
- respect the principle of precaution, i.e. not to cause unreasonable harm to the employee;
- conduct the investigation impartially;
- ensure the confidentiality of the data of the employees involved in the investigation and the information gathered throughout the investigation;
- inform the employees involved about the developments in the investigation;
- seek to control the volume of data gathered in order not to violate the right to privacy of the employees: for example, search for data gradually, starting by collecting documents stored in the office of the employee and analysing the files on his/her work computer, and then expanding this list gradually, etc.
Upon the conclusion of the investigation it is recommended that companies make an annual report containing the description of the elements proving the violation (violations), the list of investigative techniques, the list of actions undertaken in the framework of the investigation etc. In the event that an internal investigation is conducted in parallel with a preliminary investigation by law enforcement authorities or a judicial investigation, the submission of the report to the authorities can demonstrate that the company cooperates with them and, as a consequence, can be considered a mitigating factor if the company is held liable.
3. Follow-up to investigation.
The guidance provides for the following response measures in the event that it is proved that corruption offences were committed:
- hold the natural persons involved in the commission of the offence disciplinarily liable;
- in the event of legal recourse: hold the legal person criminally and/or administratively liable and the natural person criminally liable;
- detect the shortcomings in the corporate compliance programme. Taking into account the flaws, the company can subsequently: 1) reconsider the map of corruption risks, 2) assess the need to update the code of conduct, 3) organise anti-corruption training, including repeat training, 4) implement due diligence procedures, 5) analyse the efficiency of internal reporting channels, 6) reconsider the procedures for financial reporting control, 7) reconsider the set of disciplinary sanctions;
- conduct further internal monitoring and audit of the processes in which violations and/or vulnerabilities were detected in the course of the investigation, including by developing and implementing new means of monitoring, planning internal audit etc. The monitoring and audit should be conducted not only in the company where a violation was detected, but also in the subsidiary/parent and other associated organisations of a similar risk profile.