The investigation’s design and planning. After the decision is made to conduct an investigation and the purpose and scope have been determined, the auditor will need to develop an investigation plan. Such a plan may include any of the following:
Investigation’s Design And Planning
Identifying witnesses and others who need to be interviewed
Interviews should be limited to those individuals with a presumed knowledge of the issue. To maintain confidentiality to the greatest possible extent, auditors should not interview individuals without knowledge or involvement whatsoever in the issue.
Determining types of relevant documentation available
Documentation could include phone records, expense reports, e-mail history, Internet activity, desktop computer files, purchasing records, correspondence, prior investigation reports, personnel records, financial transaction history, and performance appraisals, just to name a few.
Considering legal ramifications of the issue
Some issues require special handling and consultation with the legal and human resources departments, such as sexual harassment cases and violations of state, local, or federal laws.
Identifying any specialists that may be needed to assist
Certain elements of an investigation can benefit from assistance from an expert. Examples include subject surveillance, interpretation of technical engineering data, guidance on the nuances of labor laws, forensic examination of computer files, and other situations where the auditors do not possess the experience or expertise to perform the task competently.
Identifying applicable company policies and procedures
The internal auditor needs to be aware of company policy as it applies to the issue under investigation. By making this determination, the auditor can avoid a situation where perceived misconduct turns out not to be prohibited by company policy.
Although authorship of policies and procedures is generally not the responsibility of internal audit, the internal audit department should review policies and procedures before issuance and make recommendations, where necessary, to avoid any gaps or gray areas that leave too much open to individual interpretation. Policies and procedures should be concise and not open to multiple interpretations.
Requesting access to computer resources
Some investigations may require the auditor to monitor an employee’s e-mail traffic and Internet activity. The chief audit executive should ensure that appropriate access is granted. Generally, this will require the notification and involvement of representatives from human resources, information security, and the legal department.
Coordinating with other organizations
As noted earlier, depending on the type of issue, human resources, security, legal, operations, or other functions may need to be aware of the investigation activity. Senior management and the board of directors should be informed of major investigations with significant financial or legal impact or where the potential for adverse publicity is high.
After the investigation plan is prepared, audit management should review and approve the approach. The plan should remain flexible enough to allow for new developments that could change the scope of the investigation.
When it comes to an investigation plan, everyone has the same goal in mind: to find out the truth. In the context of a disciplinary investigation, for example, this could be useful in determining the facts surrounding an allegation of bullying or harassment.
An investigation plan is a critical tool for any investigator. It specifies the investigation’s goals, as well as the processes, procedures, and policies that will be used to assess the alleged misconduct. It will also include the people who will be interviewed, the expected timeframes, and, in some cases, the financial costs as well as the risks involved.