Internal investigations: The basics

Internal investigations must uncover the truth about misconduct or fraud without damaging innocent employees. Here are the basics of how to plan and conduct a successful internal investigation.


Internal investigations are a vital part of a security program. It's a serious matter when an employee is alleged to be violating company rules. So-called 'insider threats' can cause as much damage as thieves outside. These threats come in many different forms, including:

  • Accounting fraud
  • Outright theft of physical assets
  • Unauthorized access, to manipulate data or to sell it
  • Threats, sexual harassment or other inappropriate forms of behavior or communication

Internal investigations aim to uncover the truth about alleged misconduct within the organization. But a good internal investigation must do so without compromising the relationship with innocent employees or unnecessarily damaging anyone's reputation. That calls for good planning, consistent execution, analytical skill, sensitivity and a solid grasp of the legalities involved.

Typical elements of an investigation include collection and examination of written or recorded evidence, interviews with suspects and witnesses, and computer and network forensics. It may also require consultation with managers, human resources and legal personnel, and potentially also law enforcement. The exact players and actions will be ONLY those dictated as necessary by the particular case at hand.

Here is a primer covering the basics of internal investigations, compiled from expert advice in CSO Online articles. You will find links throughout pointing to more detailed information.

[Last updated 7/6/2012]

What planning steps should be undertaken at the outset of an internal investigation?

Have clear policies. A policy is helpful in several regards. It should dictate the appropriate personnel and procedures for internal investigations at your organization. A clearly written policy will help you arrive at a successful and correct outcome, avoid common blunders, ensure that proper documentation is kept (see next point), and keep your company out of legal hot water.

Document your work. This includes documenting your compliance with your own policies. In the event that, for example, the subject of the investigation files a lawsuit against your company, you will need to demonstrate to a judge's satisfaction that you behaved responsibly and legally throughout.

Another key document is a confirmatory memorandum. You may determine this is necessary, frequently the case when a verbal complaint or accusation is made. A confirmatory memorandum clarifies the scope of the investigation for all parties involved, including the complainant.

Minimize witness intimidation. "Certain witnesses to the investigation might feel intimidated by the alleged wrongdoer, even by the simple fact that the alleged wrongdoer is in the workplace. Even worse, the alleged wrongdoer (and even the complainant) might intimidate, harass, or retaliate against witnesses in an attempt to influence the outcome of the investigation," Thompson writes in "How to plan an investigation". Keeping the investigation confidential is one step. Extreme circumstances might require removing the suspect from the workplace via paid suspension.

Form an interview team and divide duties. Interviewing suspects one-on-one, unless recorded, can create an opportunity for a plaintiff to challenge the interviewer's notes or recollection. In a team interview, one person may ask questions while the other takes notes and records observations.

Establish the time frame for the investigation. Quick and appropriate action can help head off future legal challenges and also minimize negative impact on morale.

Collect documents and evidence. Thompson's list of things to consider obtaining includes: personnel files, telephone records, expense account records, computerized personnel information, appointment calendars, time cards, building entrance/exit records, computer/word processing disks and hard drive, e-mail records and voice mail records.

Consider the need for special investigative techniques. These techniques almost always carry high legal risk and should never be discussed or implemented without legal counsel. In fact, many of them should require high-level approval before they may be utilized, including the following: internal audit, physical investigation (fingerprint, handwriting, voice analysis), physical surveillance, polygraphs, searches of organization or private property, and electronic monitoring or surveillance.

For each interview, you should prepare opening and closing remarks and a set of questions. This does not preclude asking followup questions during the interview. However, it will increase the precision of your communication to the interviewee and improve the quality of information you are able to obtain. These question lists should be retained with your case documentation after the interviews are completed, along with the notes or recordings of the interviews themselves.

Written statements. "Written statements minimize the opportunity for interviewees to dispute the investigator's recollection of the interview or change their story. Statements also are a highly persuasive form of evidence," writes Thompson.

Who should be kept informed about an investigation at each stage?

The general rule is: As few people as necessary. Human resources is a likely candidate and should have a great understanding of the level of confidentiality required. After that, judgement calls are in order. Factors include the severity of the incident(s) under investigation, the place within the organization of any suspects, and the tasks that will be required in gathering evidence.

You may need to interview other employees in the course of the investigation. Depending on the nature of the incident, that does not necessarily require that you divulge to those interviewees which individuals are under investigation. However, you may choose to let them know if they are NOT under investigation as that may help them relax and provide more information.

All documentation needs to be locked up tight with a strict protocol governing access. And if you are using case management software, ensure that access to that data is controlled as strictly as it is for paper documentation.

What departments or skill sets are likely to be required?

The answer depends on the nature of the suspected misconduct. Necessary skills may include any or all of the following, and more:

  • face-to-face interviews
  • forensic accounting
  • e-mail discovery and review
  • computer and network forensics
  • cell phone records analysis
  • video surveillance analytics
  • access-card log review
  • inventory audits

This means the investigation team may include representatives from:

  • physical security
  • IT or information security
  • finance
  • audit
  • facilities
  • human resources
  • legal
  • suspects' departmental management
  • outside investigation or forensics firms

Details of each individual case must dictate the selections. Each investigation should include the necessary personnel and no others. See Security investigations: Merge ahead for more on this question.

What about detecting and investigating financial fraud specifically?

Clearly, suspected financial crimes will require the involvement of someone with expertise in fraud.

Software can help detect fraud. Packages with that specific intent typically run more than 100 tests per transaction, looking for common issues such as a vendor address that is the same as an employee address, duplicate invoice numbers, and multiple changes in a vendor identity field. Such scans can be run on a daily basis or in-line during transaction processing in order to prevent fraudulent transactions, or on historical data to help in a fraud investigation.
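As an added illustration (not code from the article or from any vendor package), here is a minimal version of three of the per-transaction screens just described, run over constructed sample data: a vendor address matching an employee address, a duplicate invoice number, and too many changes to a vendor's identity fields. The record layouts, field names and the `max_changes` threshold are assumptions.

```python
# Added example, not from the article: three fraud screens over constructed data.
from collections import Counter, defaultdict

def norm(addr):
    """Normalise an address so punctuation/spacing differences don't hide a match."""
    return " ".join(addr.lower().replace(",", " ").replace(".", " ").split())

def screen_transactions(invoices, vendors, employees, vendor_changes, max_changes=2):
    """Return (invoice_id, rule, detail) flags for every screen a transaction trips.

    invoices: list of {"id", "invoice_no", "vendor_id", "amount"}
    vendors / employees: id -> {"name", "address"}
    vendor_changes: vendor-master change log, list of {"vendor_id", "field", "date"}
    """
    flags = []
    emp_by_addr = {norm(e["address"]): eid for eid, e in employees.items()}
    inv_counts = Counter(i["invoice_no"] for i in invoices)
    changes = defaultdict(int)          # identity-field edits per vendor
    for c in vendor_changes:
        if c["field"] in ("name", "bank_account", "address"):
            changes[c["vendor_id"]] += 1
    for inv in invoices:
        vid = inv["vendor_id"]
        emp = emp_by_addr.get(norm(vendors[vid]["address"]))
        if emp:
            flags.append((inv["id"], "vendor_address_matches_employee", emp))
        if inv_counts[inv["invoice_no"]] > 1:
            flags.append((inv["id"], "duplicate_invoice_number", inv["invoice_no"]))
        if changes[vid] > max_changes:
            flags.append((inv["id"], "excessive_vendor_identity_changes", changes[vid]))
    return flags

# Constructed sample data (assumed layout; "Acme" follows the article's placeholder name).
VENDORS = {"V1": {"name": "Acme Supplies", "address": "12 High St., Springfield"},
           "V2": {"name": "Bolt Co", "address": "9 Mill Road, Shelbyville"}}
EMPLOYEES = {"E7": {"name": "J. Doe", "address": "12 High St, Springfield"}}
INVOICES = [{"id": "I1", "invoice_no": "A-100", "vendor_id": "V1", "amount": 4800.0},
            {"id": "I2", "invoice_no": "A-100", "vendor_id": "V2", "amount": 120.0},
            {"id": "I3", "invoice_no": "A-101", "vendor_id": "V2", "amount": 310.0}]
VENDOR_CHANGES = [{"vendor_id": "V2", "field": "bank_account", "date": "2012-05-01"},
                  {"vendor_id": "V2", "field": "name", "date": "2012-05-03"},
                  {"vendor_id": "V2", "field": "bank_account", "date": "2012-05-20"},
                  {"vendor_id": "V1", "field": "contact", "date": "2012-06-01"}]

if __name__ == "__main__":
    for flag in screen_transactions(INVOICES, VENDORS, EMPLOYEES, VENDOR_CHANGES):
        print(flag)
```

Each flag is a lead for the investigator to follow up, not a finding on its own; the same function can be run over a day's batch or over historical data exported for a case.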

Employee training to recognize fraud is equally important.

See more expert advice about fraud detection from a security professional and also in this Q&A with the former head of the Association of Certified Fraud Examiners.

Also see this list for certifications relevant to fraud, investigations and forensics.

Is it typically worthwhile to set up an employee hotline, allowing anonymous accusations?

A 2006 study of employee hotline calls found that 65 percent of the calls yielded information that warranted investigation, and that roughly half (46 percent) of the ensuing investigations resulted in corrective action of some kind.

What tools can help with the computer aspect of evidence-gathering?

There are a number of different types of software that can be helpful.

Digital forensics tools are intended to help security staff, law enforcement and legal investigators identify, collect, preserve and examine data on computer hard drives related to inappropriate and illegal activity, such as cybercrime, e-mail and Internet abuse, fraud, financial mismanagement, unauthorized disclosure of corporate information, intellectual property theft, and so on. Increasingly, these tools are also being applied to e-discovery efforts related to civil litigation and regulatory compliance.

Off-the-shelf enterprise forensics software packages include:

  • Guidance Software's EnCase
  • AccessData's Forensics Toolkit
  • Paraben Corp. P2
  • Technology Pathways' ProDiscover Technology

Others include New Technologies' suite of tools, X-Ways Software Technology's WinHex utility, StepaNet Communications' DataLifte and ASR Data's Smart utility. On the open-source side are Sleuth Kit and E-fense's Helix.

These forensic tools cover a range of capabilities (and cost).

In addition to forensics tools geared toward hard-drive contents, two other types of tools are often used in conjunction with forensics (or e-discovery) work, according to Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference. For instance, there are "survey tools" that report on exceptions to preconfigured thresholds, including intrusion detection tools, e-mail and log analyzers, Web proxy reporters and network traffic analyzers, he says. In addition, "sliding-window" systems observe the behavior of a system over time, including network monitoring tools such as those from NetWitness, Niksun, and Sandstorm Enterprises.

Other tools can come in handy specifically when someone within the company is believed to be leaking proprietary information to the outside.

So-called data loss prevention (DLP) software can attempt to block or record such data leaks. Over the past several years most DLP providers have been acquired by larger security suite vendors: Symantec bought Vontu. CA bought Orchestria. WebSense bought Port Authority. EMC bought Tablus. And so on. Verdasys and Code Green Networks remain examples of independent DLP companies—as of this writing, of course. (Find advice on how to choose and use DLP software here.)

Depending on the particular case in question, there are other tools and techniques which may supplement or replace these off-the-shelf packages. Corporate Investigations Manager Brandon Gregg recommends several free methods for identifying the source of information leaks, which may be intentional or accidental: allows you to customize Twitter searches by keyword and location and save your searches as RSS feeds to have the data emailed or texted to you instantly. Start off slowly with searches for your company name or a new product and monitor Twitter for threats, disgruntled employees and internal leaks.

Limewire is a popular peer-to-peer file sharing program; unfortunately, during a quick install of the program, most users overlook the details and approve the program to share the entire contents of their My Documents folder. Install this program on your computer—make sure to disable all file sharing—and routinely search for your company's name. Documents with "Acme" in the metadata or title will be flagged, and you can actually see the user's IP address and download the file. provides a quick and easy way to search for your company or keywords across a wide selection of sites including news, blogs, YouTube, and even the popular photo-sharing site Flickr. Countless unapproved videos and photos by employees can quickly be discovered.

Google's proprietary collection of websites and vast arsenal of tools give it the fourth and fifth place on the list. Using a recipe of basic and advanced search features can greatly narrow the number of results returned and give you better data. Instead of searching for Acme Company, use "Acme Company" in quotations or narrow your results with more details like "Acme Company" "Confidential Handling" to find any leaked company documents with "confidential handling" in the metadata or headers. Check out Google advanced search or search for "Google Hack Lists" for more tricks like finding your company's IP CCTV cameras and password lists.

Google Alerts. Once you have narrowed your search and tested it out, use Google Alerts to make Google work for you. In this example I have set up two searches in Google Alerts.

The first is a simple search to specifically search Myspace users postings about ACME:

"Acme Company"

and a second more complex search looking for any Acme file on free file sharing websites:
