Investigations & Audits - Eeny, Meeny, Miny Moe?

For many people the difference between an investigation and an audit is more a matter of degree than of substance as both involve a measure of scrutiny of the workplace environment that is almost always unwelcome and seen as vaguely threatening. For this reason many will use the words interchangeably. While understandable, this is to misunderstand the very considerable differences between an investigation and an audit. In turn this will often lead to crucial errors being made at the most important stage of an issue arising, i.e. the beginning.

In the United Kingdom the police, when investigating a major incident, will always speak of the "Golden Hour," the first hour when the whole mood and direction of an investigation is set. While an exaggeration, it is used to instil in officers the crucial importance of making good decisions right at the outset of the process. This is because virtually every major criminal investigation that goes awry does so because of a failure to take the correct initial decisions.

You may be forgiven for thinking that hindsight is a wonderful and somewhat privileged position from which to judge what happened at a highly stressful time. You may even think that such judgements are often unfair and do not appreciate the very real pressures that pertain in such circumstances.

The reality is somewhat more prosaic. More often than not bad decisions are made, precisely because the situation is very stressful or pressured, unless you are experienced in dealing with such situations. The fact is that the initial steps in such cases are relatively straightforward and obvious when you think about them, but in the heat of the moment they are regularly forgotten.

Can anyone suggest that the decision to shred documents at Arthur Andersen was a wise move? Had the documents not been shredded, would the outcome have been any worse for the firm, given the fact that as a consequence of the shredding Andersen doesn't exist as a firm anymore?

A very good friend of mine was the senior police officer present at the scene of a major rail crash. On arrival he saw many officers wandering around, not aimlessly, but to no particular purpose beyond trying to help injured people, a perfectly understandable approach you might think. No one had thought to put into operation the emergency plan created for just such an incident, a fact he remedied immediately bringing everything under control and prioritising activity where it was most needed and, crucially, most effective.

You may well be thinking, that's all well and good for a major police incident, but I don't have such matters to deal with. It is equally true that incidents which initially appear to be straightforward and simple often develop into much more significant issues.

A colleague, David Young, wrote an article in the July 2007 edition dealing with "Crisis Management." I do not propose to cover similar ground but it is vital that thought is given to how we will handle the unexpected bombshells that periodically go off in our working lives.

Make the right moves and the company's position will be as well protected as it can be; make the wrong moves and the company could easily be in a significantly worse position.

Choosing the right people to work with is always key, hence the need to understand the real difference between audit and investigation. Audit involves a much lower level of review than an investigation; it does not involve the application of the same skills or experience and it does not deliver the same level of assurance.

These days audit, in the true sense, is more a review of systems than an analysis of the contents of those systems. The size and scope of multinational companies today has changed the way audits are conducted. It is, frankly, impossible to undertake a full audit of a company's records as was done in the past. Accordingly, audits now substantially consist of a review of a company's systems so that the auditors can say that the systems are effective in securing control over company business and records. An audit will identify whether the system is being operated in accordance with the company's stated policies. While unfair to regard them as "box ticking" exercises, it is hardly surprising that it is rare for an auditor to identify fraudulent activity, though interestingly it is far more common where an auditor is in the first year of a relationship with a company.

An investigation is a much stranger beast, mainly because, unlike audit, there are few fixed rules about it and how it should be conducted. Even these rules will vary depending upon the approach to and view you take of the issue in question. As a result, many will feel that much greater thought is required before setting up an investigation as opposed to bringing in the auditors, especially as you have a relationship with your auditors and so the process may be less threatening or stressful.

These factors may account for the fact that often when an issue arises, the immediate first thought is to bring in the auditors, they are independent and show the company is taking matters seriously. While this is a valid option, is it the best option?

That will depend upon the type of problem that has arisen and the assessment of the risks that it brings. This is the "Golden Hour" point. If you truly understand the problem and the risks attendant to the problem, decisions become much easier. The difficulty is that when the problem first arises, information will be scarce and probably sketchy, possibly even unreliable. Often conflicting reports of the issue will exist, from the nature of the problem to the potential scale of the problem.

Not wishing to overreact and be seen as a scaremonger, the temptation will be to downplay the issue. As usual, so will everyone else, though the existence of a whistleblower complicates matters considerably, in part because of the legal protections afforded such persons but because their motivations may well be wholly different from everyone else's for good or ill.

In such circumstances, bringing in the auditors seems like an appropriate and proportionate response. The fundamental question is: Do they have the requisite skills, experience and attributes?

As important, is sufficient thought given to the instructions given to those selected to ensure that issues are properly addressed and not subject to "mission creep" because the initial instructions were insufficiently clear or the scope not properly defined? Equally, once appointed there is the risk that the process will not be properly controlled, especially if the appointees are external and cloaked with the tag of "independence" as there is a natural reluctance against seeking to limit matters and being seen to curb that independent review process.

In addition, there is a question regarding the status of the work product that is produced by whoever is conducting the enquiry into the issue that has arisen. While it may not be top of many people's thought processes when a major problem arises, the issue of legal professional privilege is one that should be considered at an early stage in respect of any matter that may have significant consequences for a business.

The work product of auditors appointed by the company is not protected by legal professional privilege, and, as such, anything told to them or discussed in front of them is not subject to that privilege. The same will apply to the work product of internal staff, such as internal audit or any other internal investigatory resource.

Using appropriately experienced external counsel may provide that protection, even if only for a limited time due to the requirements of Sarbanes-Oxley and international money laundering regulations. This provides the company with a measure of control over the way and timing of the information that needs to be disclosed to people outside of the company. This permits the company a greater degree of control over the initial process and the time to consider actions before submitting to the urgency of the need to act.

Whatever approach is followed, there are several key issues that must be addressed in deciding who to task with the exercise and what the scope of the exercise should be:

1. Is this potentially an enterprise threatening event or issue?

- this will help to determine who should be informed, when and why

2. What is the appropriate level of control for the event or issue?

- clear lines of authority and responsibility are required for effective decision making

3. What are the range of issues that the event or issue gives rise to?

- external civil liability,

- internal civil liability,

- employment issues,

- business level regulatory liability,

- individual regulatory liability,

- business level criminal liability,

- individual criminal liability, and

- reputational damage

4. Do the requisite skills exist internally?

5. Would it, nevertheless, be better to source this externally for reputational or other reasons?

Another common failing is that the full range of potential issues are not properly identified when considering action in a particular situation, which can seriously affect how the company may wish to proceed when they arise later. Often, potential employment issues are forgotten, equally potential criminal issues are put to one side as people do not wish to consider them as possible within their organisations.

Equally important is an honest assessment as to whether you have the requisite knowledge and experience internally to properly answer these questions. Immediate recourse to an appropriately experienced and trusted external advisor can often save a considerable amount of time and wasted effort, not to mention money.

It is unfortunately true that many businesses will only resort to bringing in expert external counsel when they realise things are going badly wrong, this makes protecting the company that much harder and usually involves the company spending more money fixing early bad decisions than dealing with the original problem.

This is particularly true in the area of fraud and matters of a similar nature, including alleged bribery and corruption. A close colleague of mine likens us and our work to that of doctors in a clap clinic, an unfortunate if apposite analogy. Understandably, nobody likes to acknowledge they have a problem in this area, especially because no one wants to expose himself to adverse market commentary and provide competitors with an opportunity to differentiate themselves at their expense.

While as a rule I prefer not to use cliches to make a point, it is a truism to say, "a stitch in time saves nine."

Published .