Internal investigations: There is no escaping anymore!
Thursday 1 September 2022
Payel Chatterjee
Adani Enterprises Ltd, India; Asia Pacific Regional Forum Liaison Officer, IBA Business Crime Committee
payelc@gmail.com
Sahil Kanuga
Co-Head, International Disputes & Investigation Practice, Nishith Desai Associates, India
sahilkanuga@gmail.com
Condemnation without investigation is the height of ignorance!
Albert Einstein
Whistleblowing complaints on financial, ethical and legal issues are on the rise in India. With the law not having evolved at the same pace, it has created even more uncertainties in the regulatory environment. However, consciously, many Indian corporates have adapted and changed gears, ushering in a new mindset, and incorporating policies to achieve the broader objective of ‘no fraud-no corruption’. Robust policies focusing on various jurisdictions play a critical role in addressing these concerns and bringing about the much-desired change for an evolved India Inc. to ensure compliance with laws and global best practices.
India is no stranger to corporate frauds. The rise in internal investigations is a step forward to send a strong message and keep such issues in check. Internal investigations, once considered a ‘once-in-a-while’ phenomenon and only for multi-nationals, has slowly evolved as the norm in today’s corporate world. Internal investigations effectively assist in detecting erring officials and improper conduct in case of complaints by third parties including whistleblowers. Investigations are critical both from a process as well as an end-result perspective. There is no straight jacket formula available to formalise the process for all investigations; it is ever evolving, and each investigation differs based on the complexity of the allegations involved.
While initiating investigations in India, the starting point is usually identifying the nature of complaint, scope of the enquiry and kind of entity involved, whether a listed or unlisted company. This may trigger procedural compliances and requirement of disclosure. With the increased use of technology, the job has been made much easier with forensic experts aiding the whole process. Multi-jurisdictional issues also arise when it involves multinational companies with presence in various countries which involves a delicate interplay of various laws and regulators. In such cases, compliance with only Indian laws may not be sufficient. Keeping such issues in mind and planning the investigation well goes a long way in obtaining effective results.
CARO 2020 and other legal updates
Internal investigations largely cater to a multitude of potential issues. Investigations upon a whistle-blower’s complaint are a litmus test on the compliance of tenets of corporate governance. A holistic investigation going to the roots of the complaint reflects the smooth functioning of the corporate wheel.
During the pandemic, the Companies (Auditor’s Report) Order 2020 (the ‘CARO 2020/Order’) was introduced and made applicable for audits of financial year 2020/21 and onwards. The requirements of the Order are supplemental to the existing provisions of the Companies Act 2013 and envisage an enhanced mechanism for disclosures and reporting to be done by the auditors which, among other things, obligates the auditors to include details in the auditor’s report as to whether the auditor has considered whistleblower complaints, if any, received during the year by the company. CARO 2020 envisages building a system of checks and balances to ensure that whistleblower complaints are appropriately dealt with and not merely swept under the carpet, as was previously being done by many.
While it may be too soon to comment on the overall efficacy of the new regime in the face of a clear scope of frivolous and speculative complaints intended to malign the goodwill of the company, over time, such a change is likely to push the company management to adopt and comply with a robust mechanism of corporate governance.
Further, the Securities Exchange Board of India through amendments to the Listing Obligations and Disclosure Requirements) (Third Amendment) Regulations 2020 introduced certain changes mandating the listed entities to disclose initiation of forensic audit along with reasons, name of entity conducting the audit, followed by disclosure of final forensic audit report along with comments from the management to the stock exchange. The intent, whilst clearly in the face of attorney-client privilege, appears to stem from the regulator attempting to ensure maximum possible disclosure to market participants and enabling accurate price discovery.
Role of data in investigations
Data has taken centre stage. Correctly identifying and preserving the data at the earliest can make or break the investigation. The first step is identifying the source, nature and credibility of the data by analysing the alleged misconduct, involvement of criminality, if any, errors in financial controls and internal management controls, whether it involves bribery/corruption, data theft and financial frauds, etc. Depending on the kind of investigation, the sources of data are analysed – servers, mobiles, laptops, tablets, WhatsApp chats, cloud-based storage, and data leakage prevention systems used by corporations. Data analytics goes a long way in conducting a fruitful investigation. Collation of data and its analysis forms the backbone of an investigation.
While company-owned devices can be asked for at any time, the tricky part is always the issue of whether custodians will consent and hand over their personal devices, when used for business purposes. While consent is key, there are no specific compliances under the Indian data protection rules for collection, handling or storage of an individual’s personal data; compliances are applicable to entities that collect, handle or store sensitive personal data of individuals and strict adherence needs to be ensured, balancing concerns of employees, statutory requirements and law across jurisdictions.
The integrity of procedure and secure handling of data, its filtration and review based on keyword searches are extremely critical to ensure complete analysis of available data. With data-heavy investigations, it has become a norm to make use of e-discovery platforms. These have additional benefits such as automatic email linkages and avoiding duplication. Deployment of these technologies ensures a faster, more effective, and thorough investigation.
Significance of maintaining privilege
Information accessed and gathered during the process of investigation is usually extremely confidential and/or sensitive and preserving it securely is of utmost significance. This includes raw data collected from custodians, interview notes, memorandum issued during the process, legal advice and reports issued post investigation. With several conflicting rulings across the globe deciphering ‘privilege’ and its applicability to investigations, the issue is evolving and high time for companies to wake up and understand the purpose of the creation of documents, its end usage, and the concern of privilege.
The rule of thumb remains that engaging outside counsel to conduct an investigation gives a better attempt at protecting privilege. Drafting of engagement letters with appropriate facts also impacts the treatment and attraction of applicable laws. There is dire need to appreciate that privilege is still unsettled territory; precedents are not the last word but would differ with every fact, circumstances, and applicable jurisdiction. Privilege, still being a grey area in India, continues to haunt the investigation procedure fuelling the need for having external counsels to ensure investigations have the best chance of ensuring the benefit of attorney-client privilege.
Conclusion
The role of forensic investigators, lawyers and auditors have evolved over the years. With more wrongdoing coming to light in recent times and overall awareness of the whistleblowing mechanism increasing, the demand for investigations has also increased manifold. There is increased awareness about data privacy and privilege issues and their significance while conducting investigations to ensure there are no procedural lapses.
Organisations need to ensure sufficient and proportionate steps are taken to prevent such allegations from re-surfacing by adopting remedial measures. It could involve comprehensive review of existing policies, stricter compliances and disclosure norms.
Disclosure of such investigation is jurisdiction specific and depends on the nature of entities involved. Reporting requirements to regulatory authorities, sectoral regulators also differ across jurisdictions; however, as regards India, reporting to the Board and the statutory auditors is essential. Whistleblowing allegations have raised more reputational risks for organisations in case of failure to take appropriate steps. Therefore, each step needs to be well documented, and a proper plan should be put in place. A one-size-fits-all approach cannot be adopted.