South Africa: A Guide To Conducting An Internal Corporate Investigation

THE TERMS "FRAUD", "BRIBERY", AND "CORRUPTION" HAVE SADLY BECOME ALL TOO FAMILIAR FOR MANY SOUTH AFRICANS. IT'S HARD TO GO A DAY WITHOUT HEARING OF YET ANOTHER FRAUDULENT OR CORRUPT SCHEME.

INTRODUCTION

Since the release of the findings from the Commission of Inquiry into State Capture (colloquially known as the Zondo Commission) and South Africa's recent "greylisting" by the Financial Action Task Force ("FATF"), scouring fraud and corruption-related media reports has become something of a national pastime.

However, these problems are not confined to South Africa or any particular industry or sector. They are, in fact, global concerns. International regulators are becoming more visible and taking an active role in combatting fraud, bribery and corruption. In 2021, Goldman Sachs Group Inc. topped the list of the largest sanctions ever under the Foreign Corrupt Practices Act (FCPA), following a $USD.3-billion settlement with the U.S. Department of Justice and Securities and Exchange Commission. Former senior employees accused Goldman Sachs of paying more than USD1.6-billion in bribes to thirdparty intermediaries and highranking government officials in Malaysia and the UAE.

Regulators such as the U.S. Department of Justice, Securities and Exchange Commission, the U.K. Serious Fraud Office and the French National Financial Prosecutor's Office are imposing significant sanctions on persons and companies found guilty of fraud, bribery and corruption. These international regulators are also collaborating with each other more closely than ever before. For instance, collaborative efforts of the US, UK and French regulators culminated in the USD4-billion corruption settlement with Airbus.

Importantly, the ripple effects of fraud, bribery, and corruption are not restricted to large corporations or multinational enterprises. Small businesses, too, can become embroiled in these issues, suffering potentially devastating consequences.

This guide aims to provide a comprehensive overview of how to conduct internal corporate investigations, helping you safeguard your company— regardless of its size—against the risks and repercussions of unethical conduct.

1 PART ONE

INTERNAL INVESTIGATIONS 101

WHAT IS AN INTERNAL INVESTIGATION ?

An internal investigation refers to the process adopted by a company or entity to probe and uncover potential misconduct committed by management, employees, or third parties. The following are some examples of events that may necessitate an internal investigation:

• Stock theft / IP theft
• Conflicts of interest / misuse of company assets
• Procurement fraud / payment of bribes or kickbacks
• Employee misconduct, including sexual harassment, bullying, nepotism, etc
• Fraud / embezzlement
• A data breach

Essentially, an internal investigation is an inquiry into allegations of misconduct, unethical behaviour, policy violations, fraud, or any other matter that may pose a risk to the organization's integrity or reputation. Typically, internal investigations are carried out by a designated team within the organisation but often, independent, external persons may be involved.

WHEN IS AN INTERNAL INVESTIGATION TRIGGERED?

An internal investigation is often triggered by a specific event, such as:

• The belief that company data has been stolen by a current or former employee. This is more common than one may realise because intellectual property is a desirable and valuable commodity. It could take the form of a client list, a contract template, or the formulae to your most popular (and lucrative) product. There are many red flags to look out for, including:
  • An employee's abrupt departure from the company,
  • A former employee's new employment with a competitor, or
  • A data leak or unauthorised access to company records.
• Receipt of a tip-off / whistle-blower allegation. Whistle-blowing plays a vital role in encouraging accountability, transparency, and good governance. However, it's important to navigate potential challenges associated with whistle-blowers, ensuring disclosures are made in good faith and not for personal gain. In South Africa, whistle-blowers are protected by the Protected Disclosures Act 26 of 2000 (the "Protected Disclosures Act"), which aims to encourage whistleblowing in the workplace and makes it easier to disclose information about criminal and other irregular conduct. Although whistleblower complaints can be a valuable source of information, companies need to be mindful of the potential challenges when dealing with such complaints. 
• External data breaches. Data breaches are becoming more and more common in today's digital environment. An internal investigation may be needed to investigate the source of the breach and identify control weaknesses.
• Being the subject of adverse media. When adverse information is published about a company in the media, irrespective of whether there is any merit to the published article or allegations, a company must be seen to take complaints and allegations seriously. As with managing a whistle-blower complaint, it is good practise to launch an internal investigation to help the company understand whether there is any truth to the allegations and how best to manage the situation.
• Increased regulatory scrutiny within the industry or jurisdiction in which a company operates. Regulators often conduct periodic reviews of different industries. As a result, companies that operate within those industries or jurisdictions come under increased scrutiny. Changes in legislation may also bring about heightened regulatory scrutiny. Companies may be required to investigate to ensure they are operating in compliance with updated legislative frameworks.
• Red flags or malfeasance identified through audit checks. Often auditors or routine checks may reveal red flags or possible malfeasance which may warrant a more comprehensive internal investigation.

WHY DO YOU NEED TO CONDUCT AN INTERNAL INVESTIGATION?

Internal investigations serve numerous purposes, including mitigating and recovering financial losses, safeguarding a company's credibility and reputation, and maintaining consumer trust and investor relations.

Internal investigations also play a significant role in minimising ongoing risks. Allowing a culture of overlooking misconduct creates opportunities, justifications, and motivation for others within the company to engage in fraud or violate company policies. By conducting an investigation into alleged wrongdoing, you reduce the risk associated with two of the three pillars of the Fraud Triangle, a framework commonly used to explain why individuals choose to commit fraud. Namely, opportunity and rationalisation.

WHO NEEDS TO BE INVOLVED IN AN INTERNAL INVESTIGATION?

In the past, it was commonly believed that internal investigations were the sole responsibility of "compliance" or "internal audit" functions. However, the reality is that leadership, middle management, human resources, finance, procurement, IT, legal, compliance and internal audit functions all have a part to play

Whilst it is true that the investigation may be driven by a compliance or corporate investigation function (and they will be the ones doing the 'heavy lifting'), an effective investigation requires buy-in at all levels and more often than not, across departments.

The involvement of external stakeholders such as lawyers, auditors or even regulators themselves may also be necessary. Additionally, the nature or complexity of the investigation may require the expertise of subject matter experts such as:

• Legal experts for advising on legal obligations,
• Data privacy experts for handling data across different jurisdictions,
• Digital forensic and eDiscovery experts for evidence analysis and data analytics and
• Chartered accountant experts for financial statement analysis.

Effective stakeholder management is crucial for achieving meaningful outcomes in an investigation.

WHERE TO BEGIN?

The initial planning of any investigation is a critical step to its success. Proper planning ensures alignment with internal and external stakeholders, and raises awareness of the investigation's potential impact on the business. The investigation plan should set out the investigation's scope and establish anticipated timelines for key milestones, such as data preservation, interviews, and interim reporting. It should also consider any business deadlines that may influence the investigation's time sensitivity, such as year-end financial reporting or contractual periods.

The investigation plan should also set out clear reporting lines and ensure that any persons who may be implicated or conflicted in the matter are removed to avoid any potential conflicts or interference.

Addressing the desired outcome of the investigation early on is also important. Is the objective to stop/ prevent misconduct, build a case for disciplinary, criminal, or civil action, or is it in response to a regulatory request? By preparing an initial investigation plan, you can better assess and justify the required budget and resources, which are often determined by the severity of the allegations and their financial and regulatory impact on the business.

To view the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.