Manager in office discussing strategy with employees while wearing face mask during the covid-19 pandemic

What boards must watch for in corporate investigations

Photographic portrait of Ramesh Moosa
Ramesh Moosa

EY Asean and Singapore Forensic & Integrity Services Leader

5 minute read 20 Oct 2021
Related topics
Board governance and oversight
Assurance
Forensics

Boards must be able to navigate complex corporate investigations as part of a robust crisis management framework when adverse events occur.

In brief

  • A sound crisis management framework is crucial to mitigate the impact of adverse events and strengthen stakeholders’ trust.
  • As this often involves complex corporate investigations, boards must understand how these work and the common pitfalls.
  • Quick and decisive mitigation or remediation actions before investigations are completed can help restore stakeholders’ confidence in the business.

The board’s ability to manage crises has become more critical than ever during this time of COVID-19 disruption. According to the EY Global Integrity Report 2020, 90% of respondents believe that the pandemic poses a risk to ethical business conduct at their organization. Similarly, a recent survey by the Association of Certified Fraud Examiners found that as of August 2020, 77% of respondents had seen an increase in fraud cases since the start of the pandemic and they expect this trend to continue.1  

While it is imperative that a strong integrity culture is established within the organization to reduce the likelihood of adverse events, crises may still occur despite best efforts. Boards should see that a sound crisis management framework is in place to guide themselves and the organization in handling significant incidents, with the aim of minimizing impact and securing stakeholders’ trust.

Overseeing a corporate investigation — such as a short-seller attack, a whistle-blower complaint that calls into question the integrity of senior leaders or a sophisticated cyber attack — is often complex and time-consuming. Failure in oversight can carry personal risks for directors. Board members are personally liable for failure to exercise reasonable diligence in the discharge of their duties as company directors. The board should therefore understand the key steps involved in the investigative process, including the common pitfalls at each stage.

Triggering crisis management

At the onset of the incident, a dedicated crisis management team comprising cross-functional business unit leaders that reports to the board should be assembled. A preliminary assessment should be conducted on the allegations or issues to determine the response strategy, including the use of appropriate incident response playbooks that the management team prepared. At this point, the board should also identify key intervention actions, which may include the suspension of senior executives named in the allegations as well as mitigation and contingency plans.

Robust communication strategies, both internal and external, are key to protecting confidential and sensitive information. Legal professional privilege protocols may be adopted to protect attorney and client privilege over confidential information, such as situation analyses, mitigation plans and strategies.

Conducting the investigation

To convene an investigation, the board must clearly establish the objective, scope, investigative actions and timelines. Where the allegations are directed at the senior management’s integrity over matters like financial reporting irregularities or other fraud-related matters, such personnel must not be in the chain of command in the investigation. 

The board must also assess the need to engage external forensic investigators and legal counsels to conduct the investigation independently without undue influence. For serious allegations, it is worthwhile engaging independent forensic investigators who report directly to a committee comprising independent non-executive directors. Engaging external counsels may also be useful, particularly for matters involving multiple jurisdictions.

Once the board has convened the investigation, steps must be taken quickly to preserve all potentially relevant documents. A document preservation notice must be issued to all relevant employees to preserve both electronic and paper records. Equally important is preventing the overwriting and deletion of electronic data that occur as part of business-as-usual activities, such as system audit logs, recycling of data backups or purging of emails as part of regular housekeeping when mail size quotas are exceeded. Failure to preserve documentary evidence could impede a thorough investigation and seriously compromise the company’s legal position with regulators or in any ensuing litigation.

The board must also decide how and when to disclose the investigation findings to stakeholders, statutory auditors, regulators and other impacted third parties. Although there are no hard-and-fast rules governing the timing for reporting the preliminary or final findings of an investigation, the board must consider the potential impact of the disclosures on the company’s financial statements as well as criminal and civil liabilities that may arise from the investigation results. Communications regarding the investigation must therefore be conducted on a careful and “need to know” basis.

Communications on the investigation should be carefully conducted and only when
necessary due to the potential impact of disclosures on financial statements as well as
resulting criminal and civil liabilities that may arise.

How EY can Help

Taking decisive mitigation and remediation actions

Companies need not wait until the investigation is completed before taking decisive mitigation or remediation actions. When an incident happens, regulators will often question whether other risks may be present in the organization or whether similar issues may occur in other territories where the organization operates.

 

Regulators are increasingly sharing information with their counterparts in other jurisdictions. An example is the payment of bribes to government officials. Many anti-bribery and corruption regulations are extraterritorial, including Singapore’s Prevention of Corruption Act, the Malaysian Anti-Corruption Commission Act, the US Foreign Corrupt Practices Act and the UK Bribery Act. An incident impacting an organization in one territory can quickly escalate and impact its operations in other key markets.

 

The board should conduct risk and controls assessments as soon as practicable and in parallel with the investigation, but without impeding it. Acting swiftly to identify and remediate risks and control weaknesses, as opposed to waiting for the investigations to complete, will go a long way in restoring the confidence of regulators and other stakeholders. 

 

Importantly, as part of remediation measures, companies need to establish an effective fraud risk management framework to strengthen proactive fraud prevention, detection and monitoring controls. Having a whistle-blowing hotline may not be sufficient — the program needs to be tested for effectiveness. The adoption of fraud detection systems, case management and workflow solutions to enable the compliance function to anticipate and detect risks more effectively isalso crucial. This will provide greater assurance to regulators and other key stakeholders that adequate measures are implemented to prevent similar issues from reoccurring.

 

By staying vigilant and proactively directing the management to establish a crisis management framework, the board will enhance its effectiveness in overseeing adverse events and safeguarding stakeholders’ trust. The board should consider the following questions: 

  • What are the crisis management plans or playbooks in place to help the board and management deal with adverse events?
  • How will the board directors discharge their fiduciary duties in the conduct of a complex corporate investigation where the ethics and integrity of the senior management have been called into question?
  • Does the board have the ability to quickly draw upon the experience of independent forensic and legal experts at its disposal to avoid common pitfalls, address issues swiftly and secure stakeholders’ trust?
  • Has the board implemented effective monitoring of financial transactions using technology and data to identify and investigate fraud indicators?
  • How often is the fraud risk management program, including the whistle-blowing program, tested to confirm that it is effective?
  • Is the board able to justify that the management has established adequate controls and procedures to prevent and detect fraud?

Download the full issue

PDF (2 MB)

Summary

Boards play a critical role in creating a sound crisis management framework to help minimize the impact of adverse events and strengthen stakeholders’ trust. They must prepare to oversee complex corporate investigations and navigate the potential pitfalls. By establishing an effective fraud risk management framework, companies can prevent, detect and monitor fraud more proactively.

About this article

Photographic portrait of Ramesh Moosa
Ramesh Moosa
EY Asean and Singapore Forensic & Integrity Services Leader
Forensic and cyber professional. Leads highly talented teams serving multinational organizations. Agile and adaptable in any environment. Aspiring chef. Bike and car enthusiast.
Related topics
Board governance and oversight
Assurance
Forensics

Related articles

How boards can drive compliance transformation

A technology-enabled ethics and compliance function underpinned by a culture of integrity can lead to greater business value. Learn more

Ramesh Moosa

Why third-party risks are a threat to consumer supply chain integrity

Consumer products and retail (CPR) organizations must manage third-party risks to strengthen supply chain integrity. Learn more

Ramesh Moosa

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.