New Guidance on Best Practices for Internal Investigations

Many resources are available that outline best practices for internal corporate investigations. Following tested methods can be helpful in shaping defensible investigations that generate useful results. Misguided or mismanaged investigations can do more harm than good.

In many instances, suspected or reported wrongdoing can have serious consequences. A few examples of situations that may warrant internal investigations include:

  • workplace/HR issues
  • financial reporting and fraud
  • insider trading
  • bribery and FCPA violations
  • antitrust matters
  • product testing and certification
  • environmental compliance and events
  • safety incidents and OSHA matters

Independent investigations, when warranted, are often a key component of an integrated compliance management system to address these areas.

Key Considerations for an Internal Investigation

Internal investigations enable an organization to:

  • make informed decisions about whether potential violations of applicable laws, regulations, industry codes, internal policies, procedures, processes, corporate compliance, values, and ethics policies have occurred
  • identify the root cause(s) of such violations
  • determine if allegations of violations are substantiated or unsubstantiated
  • assess the occurrence and materiality of any financial loss to the entity
  • mitigate liability of the organization and/or its management, as appropriate
  • implement necessary mitigation measures to prevent future violations
  • strengthen the organization’s compliance and ethics culture
  • consider and manage external reporting to relevant legal and regulatory authorities or relevant interested commercial parties when necessary
  • make disciplinary decisions regarding the management and/or employees involved, and debar third parties involved in unethical conduct

Civil actions, whistleblower reports, and external investigations by regulators can also lead organizations to conduct internal investigations to find out what triggered the actions and to help shape responsive strategies.

Key considerations include whether to conduct an investigation at all, defining its objectives and scope, determining whether the investigation is going to be independently or internally driven, determining how to maintain confidentiality and attorney-client privilege (to the extent possible), controlling relevant evidence (particularly electronically stored information), and deciding whether any anticipated report generated will be provided to government authorities.

In the end, there is no magic formula. Experienced counsel and investigators are crucial to providing an entity with appropriate legal guidance to protect its interests. Further, it is not uncommon for the credibility of the investigation to be critical to decision-making and persuading government authorities that the entity has acted responsibly in the face of the challenge. (See our previous blog post, “Cooperation with the Justice Department: The Rules are Changing.”) This can be shown by evidence that the investigators followed best practices, thoroughly and carefully pursued the facts, and developed advice on responsive actions dispassionately.

New ISO Standard for Internal Investigations

How Do You Demonstrate the Effectiveness of an Investigation?

A new means exists to establish credibility and compliance with best practices. On July 28, the International Organization for Standardization (ISO) issued ISO TS 37008, its standard on internal investigations. The development of the standard followed almost two years of work by leading experts worldwide.

ISO TS 37008 reflects internal investigation best practices to be used by any organization, large or small, in any country. The guidelines are adaptable to the organization’s size, industry segment, organizational structure, governance structure, and subject matter under investigation. Companies can take advantage of the objective criteria established by ISO TS 37008 to conduct their internal investigations and create or enhance related policies and procedures.

ISO TS 37008 is primarily based on five key principles and a developed process.

The Standard’s Key Principles

The five principles are:

  1. independence
  2. confidentiality
  3. competency
  4. objectivity and impartiality
  5. legality

Each principle must be observed in all phases and by all those involved in the investigation. According to such principles, internal investigations must be conducted independently and in an objective and impartial manner. Further, the activities must be carried out by competent and professional investigators, with attention to confidentiality and in accordance with the applicable laws.

Key Steps to be Taken

The ISO TS 37008 process defines the key steps of internal investigations, including:

  • appointing the investigation team, designing the reporting process, and defining individual roles
  • planning the scope of the investigation, considering the nature of the allegations, the available information, and the appropriate sequence of investigation activities
  • establishing safety and protection measures to be taken regarding the investigation team, witnesses, and the subjects and targets of the investigation
  • collecting and preserving evidence, including ESI, litigation hold, document review, and witness interviews
  • determining how interactions with internal and external stakeholders will be handled, including potential cooperation with regulators and other authorities, with an eye toward possible voluntary disclosure situations (see our previous blog post, “Cooperation with the Justice Department: The Rules are Changing”)
  • outlining the proceedings to close the investigation, including the form and preparation of the investigation’s report and implementing the recommendations, including remedial measures and disciplinary actions


The ISO standard reinforces the necessity of support from senior management and leadership during an internal investigation. The standard also provides guidance on thorny challenges that may arise in keeping management informed while still ensuring an independent and objective internal investigation. In addition, the standard addresses other common concerns such as confidentiality protection, anti-retaliation measures, and elements of a robust investigation policy or procedure.

This useful graphic summarizes the standard’s key elements:

[Figure: chart illustrating key elements of ISO standard for Internal Investigations]

HeplerBroom’s attorneys have conducted numerous internal investigations across a wide range of industries on a variety of issues, so this new ISO/TS 37008:2023 standard is not a foreign language to us.

If you need an attorney who is conversant with the delicate issues that internal investigations can raise, please contact Glenn Davis in St. Louis or Thomas Wilson in Springfield.

  • Glenn E. Davis

    Glenn E. Davis handles complex litigation and business counseling issues in a broad range of contexts:

    • Antitrust, distribution & franchise litigation
    • Antitrust business counseling & compliance
    • Business, corporate, and ...
