Once the internal investigation is concluded, we need to document our findings. There is no single correct way of documenting the findings, but I would like to recommend the format I have been using for over 20 years of reporting outcomes of internal investigations. The format is also very similar to the ACFE reporting standard, which adds a bit of credibility to it 🙂
Why do we need to document our findings in the report? Well, there are many reasons. But first and foremost, it enables us to provide evidence of due diligence in responding to a known allegation of misconduct. Without it we might face corporate liability charges for negligence in supervision or organisation, or even wilful blindness, which is close to knowingly accepting the wrongdoing, akin to criminal aiding and abetting.
Let’s move to the format of the report. In my opinion a good format would include:
- Background
- Executive summary (for C-suite readers)
- Scope of work (what did we probe)
- Approach (work done)
- Findings (evidence collected)
- Conclusions (what is the meaning of it) & Impact (should we be bothered and why)
- Recommendations (what to do next)
Background
This section briefly introduces the purpose of our action. For instance, it may be a short passage introducing the fact that Company X invited us to investigate the concerns around its procurement process following an anonymous report from a whistleblower.
Executive summary (for C-suite readers)
In this section we briefly summarize the outcome of our investigation. The most common approach is to refer to the allegations brought for investigation and the conclusions on whether the evidence gathered confirms or denies them. This section needs to be no longer than two pages, preferably a one-pager, as this is the section read by the management and supervisory boards when accepting the work done.
Scope of work (what did we probe)
In this section we need to list all the allegations / charges subject to our verification. As noted in the Investigation planning section, it is worthwhile to build alternative hypotheses for each allegation in order to avoid the cognitive bias of focusing only on evidence supporting the allegations and not looking into the facts that prove otherwise. We need to remember the “beyond reasonable doubt” rules or fair play.
Approach (work done)
In this section we simply outline all the actions that have been taken to verify the hypotheses, i.e. the validating tests designed and executed according to the audit plan in order to conclude whether the alleged wrongdoing took place and who the perpetrator(s) were. In this section we may also need to list all the caveats and limitations of the work that might be relevant to the investigation. The caveats and limitations often prove helpful in substantiating our diligent action and the limits of the diligence applied in a given case, should doubts arise.
Findings (evidence collected)
In this section we provide all the facts gathered during our investigation and the sources of evidence substantiating these facts. We need to bear in mind that a forensic investigation report is a stand-alone document: it needs to provide all the information necessary to support the conclusions of the investigation without the need to refer to any other documents or sources.
Conclusions (what is the meaning of it) & Impact (should we be bothered and why)
This section is often very similar to the Executive summary section of the report, and draws conclusions from the facts collected during the evidence gathering phase. The impact of the conclusions is not always provided by the internal investigators; often this work is done by a legal counsel / legal attorney, who presents the facts in the context of surrounding regulations and procedures and provides insight into the legal impact of the factual findings.
Recommendations (what to do next)
Recommendations are the actionable items that both provide advice on how to mitigate the impact of the wrongdoing in case the allegations have been confirmed and provide insight into the actions that should be taken in order to prevent misconduct or wrongdoing in the future. This section is not obligatory in every investigation report; sometimes it is even advised not to include it, as it could be used against the organization in case of established gross negligence in its organization leading to the wrongdoing. The recommendations section, if included, opens the door to the last chapter of this “Subjective manual for reactive forensic auditing in corporate environment”, i.e. its “Constant learning and improvement” section.