Beginning with the Department of Justice’s (DOJ’s) Yates Memo, its Foreign Corrupt Practices Act (FCPA) Pilot Program and then the release of the Evaluation of Corporate Compliance Programs (Evaluation), I believe the DOJ has put even more pressure on every Chief Compliance Officer (CCO), and indeed every company, to get an investigation done quickly, efficiently and most importantly done right is even greater.

I am continuing my series on internal investigations with Jonathan Marks, a partner at Marcum LLP and a well-known internal investigation expert, to get some of his thoughts around what goes into a well-run investigation. His perspective is from someone who performs investigations outside your organization, either because the matter was so serious an outside expert was required; specific subject matter expertise (SME) was not available in your organization or due to the objectivity of the investigation. Today I want to consider who should be on your investigation team.

As discussed previously data collection, retention and preservation are critical elements of any significant internal investigation so you will need to have the involvement of your IT function. IT can help put a litigation hold on email that can help with the preservation of data in other areas of the organization. Further, they can assist with certain other aspects as more facts and circumstances are known.

HR is often an underutilized function for an internal investigator. HR can be very useful to provide context about employees’ work history. There may be notes in HR areas as diverse as training and exit interviews. HR can also be useful to give the investigator “some insight regarding the credibility of the individual that might be making the allegation. For example, are they a good and trusted employee? How long have they been there? What’s their general demeanor? What’s been the feedback on that particular individual?”

Both the Board and senior management can provide different types of support for an investigation. Marks noted the Board has oversight responsibility and senior management is responsible for the day-to-day, tactical operations of the organization, including the internal controls. This means from the Board’s perspective, “we would want to make sure that our governance processes were in place and operating effectively when it comes to an investigation. So, my concern, or concern from a board member’s perspective, from an investigation, early on, is what’s the financial impact; what’s the legal impact, for a publicly traded organization? Are there potential issues here which we as a Board need to be concerned with going forward?”

From the senior management’s perspective, Marks believes “the key thing there is if there is an issue and there was the ability to either override controls or controls weren’t in place or there was something that basically caused this, what do we need to do to assess that? What do we need to do to fix that? What was the root cause for this potential bad behavior? Like I said, how do we fix that or how do we put a plan together in order to fix that or shore that up?” He emphasized this is not the Board’s responsibility but that of senior management. Marks also pointed out that while an investigator would probably assume that the Board of Directors had been notified at this point about the issues being investigated, the investigators may want to make certain the Board has been made aware of the incident and investigation.

Marks suggested outside consultants in the form of forensic accountants should be a part of your investigation team. Such a skilled set team member can bring an investigative mind that drives them to answer questions about what occurred, when and how it happened, and who was involved. However, most lawyers do not understand how forensic accounting is performed and how they can assist your compliance investigation going forward.

Forensic auditing works to collect and analyze accounting and internal-controls evidence. They use this information to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of internal audit’s work can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Inquiries into accounting and internal controls raise a host of technical issues requiring specialized knowledge that forensic accountants are uniquely positioned to provide. This is a qualitative difference from internal audit, which more often looks at process to determine if it has been adhered to in a procedure.

The objective of a forensic audit investigation team member is to collect, analyze and report on the evidence or facts surrounding an act that often has litigious, fraudulent or criminal implications. Auditors also collect and analyze evidence, but an independent auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. However, a key role of the forensic accountant is to identify a concern and to notify company management about the issue or issues discovered.

As with a decision on bringing in outside counsel to perform a compliance investigation, you will need to consider whether a forensic accountant should be retained as an outside consultant or hired as an employee. One critical reason to bring in an outside professional is so they will be not be governed by management or influenced by potential biases within a company. Lastly is the issue of privilege. If a forensic accountant is not assigned through your legal department or through outside counsel, you can kiss away even the chance of claiming privilege.

Obviously, the GC would be involved to help protect the attorney client privilege if for no other reason. Further, an investigation needs to have the corporate compliance function involved, to understand what compliance program was in place at the time of the incident in question, what procedures the compliance function had and understand if this truly was a gap in the compliance function or “maybe there was an area within the compliance function that wasn’t operating as prescribed, or maybe it was a little bit weak.”

Tomorrow, I conclude this three-part series with Marks thoughts on some of the top investigative challenges he has observed in his 25-year practice.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017