Internal investigations may be initiated by routine internal audit activities, external tips, or complaints reported through an anonymous facility. They demand the attention of the board, and typically the audit committee, to ensure the investigation will appropriately identify and resolve any underlying issues. A properly conducted internal investigation can help preserve a company’s reputation when an adverse event occurs: if evidence is gathered efficiently and thoroughly, results can be presented to the board and a solution for remediation can be developed in a timely manner. However, mishandled internal investigations can put the reputation of both the company and its executives in jeopardy.
In March, the SEC announced it was charging the former audit committee chair, Vasant Raval, of infoGroup Inc. and three former executives with securities fraud and securities law violations. The SEC stated Raval had improperly conducted an internal investigation at infoGroup and, as a result, infoGroup had filed financial statements with the Commission that were materially misstated.
Raval’s travails contain numerous lessons for boards and audit committee chairs. Though Raval may have been an extremely qualified individual in other ways, his actions demonstrate that he did not properly oversee an internal investigation. Moreover, while the issues surrounding infoGroup and its board relate specifically to an internal investigation of fraudulent transactions, the lessons learned from infoGroup’s troubles are applicable to a diverse array of internal investigations, and can provide practical guidance for board members regarding internal investigations.
On March 15, 2010, the SEC announced it had charged the former CEO, CFOs, and audit committee chair of infoGroup, a publicly-traded $500 million marketing company, with securities fraud and other securities law violations. According to the SEC, former infoGroup CEO Vinod Gupta, “directed [infoGroup] to pay him approximately $9.5 million of unauthorized and undisclosed perquisites” from 2003 through 2007, including “personal use of corporate jets; costs associated with a yacht, homes, automobiles, and life insurance policies; personal credit card expenses; and club memberships and related costs.” Gupta also “entered into related party transactions totaling approximately $9.3 million with two entities which Gupta controlled, and one entity with which he was affiliated, without disclosing the transactions in infoGroup’s public filings with the Commission.”
Gupta’s actions were brought to Info’s board, who then tasked Info’s audit committee chair, Vasant Raval, with leading an internal investigation in late January 2005. The board asked Raval to report back “before the company filed its 2004 Form 10-K and proxy statement in March 2005.” Raval, however, made numerous missteps in the conduct of his investigation. According to the SEC:
- Raval found insufficient documentation and explanations related to some of Gupta’s expenses.
In spite of this lack of documentation, Raval failed to further investigate Gupta’s expenses.
- Raval received communications from Info’s director of internal audit questioning the nature of related party transactions pertaining to Gupta. Raval assured the director of internal audit that he would discuss her concerns with Gupta, though he subsequently had no such discussions.
- Raval’s report to the board, issued on February 8, 2005, did not discuss that Raval himself was aware of insufficient documentation pertaining to Gupta’s expenses.
- In the summer of 2005, a new director of internal audit at infoGroup raised concerns about Gupta’s expenses. However, Raval did not bring these concerns to the board.
Because of these actions (or, in some cases, inactions), the SEC charged Raval with numerous securities law violations. In connection with these charges, Raval agreed to pay a $50,000 penalty and “consented to an order barring him from serving as an officer or director of a public company for five years.” InfoGroup’s CEO was also required to pay a total of $7 million in fines and penalties and consented to an order forbidding him from serving as a director or officer of a public company.
Lessons for Boards and Directors
The charges and penalties faced by Raval highlight an overarching lesson for directors and the boards on which they serve: financial and accounting expertise do not necessarily portend an ability to conduct an internal investigation. While Raval may have been an extremely qualified director in many areas, his actions evidence that he was not an expert in internal investigations. They also provide numerous additional lessons for directors related to internal investigations.
First and foremost, the situation at infoGroup highlights the need for boards to develop a preliminary action plan for internal investigations—even before the requirement for an investigation arises. While the investigation conducted by Raval was related to the fraudulent nature of transactions, a preliminary action plan can be valuable in many different types of investigatory settings, including those related to environmental, operational, and fraud-related liabilities. As such, directors should formulate preliminary plans for these types of events and/or other prominent liabilities that pose a reputational risk to the company.
By possessing a preliminary plan, directors can move swiftly in commencing the internal investigation and also help it move along efficiently. Key elements of a preliminary plan might include:
- A list of trusted external firms and counsel whose services might be useful in the investigation. This list might include potential external counsel as well as forensic experts. These firms and their personnel should be vetted by board members so that they can be quickly engaged in the event of an internal investigation.
- A general procedure describing the manner in which an internal investigation will be conducted along with the personnel involved.
- This plan would describe whether a special committee of the board would be formed as well as identify potential individuals who could lead the investigation.
- It might also specify the frequency with which board meetings will be held in the event of an investigation and the manner in which these meetings would be conducted.
When the need for an internal investigation arises at the board level, this preliminary action plan can be quickly developed into a complete document outlining the manner in which the investigation will be conducted. Key internal and external persons will have already been identified and vetted; they can be quickly assembled to devise a more complete action plan. For example, in the case of an operational liability, such as a product recall, a preliminary plan might include a list of external engineering and validation firms that the company could call upon; a list of potential outside counsels that could be used; key contacts from each external firm; a list of internal personnel who could lead and participate in the investigation; and a procedural outline of how the investigation should be conducted. Once the need for an investigation arises, the preliminary plan would be modified to include specific details of both internal and external individuals and firms selected to participate in the investigation as well as chair the investigation.
Second, no matter the thoughts regarding the size and scope of an internal investigation, board members should ensure that in-house or external counsel is involved. Counsel can appropriately advise the board on the proper manner to inform corporate insurers; review the company’s charter, bylaws and state employment regulations to develop an understanding of the company’s obligations for indemnification; and, help conduct a confidential investigation that is governed by the attorney-client privilege.
While internal investigations are almost always conducted, in part, by in-house personnel, it is generally important for directors to hear an independent voice on the matter from a third party. Using in-house personnel can help the company control costs of the investigation and allow personnel intimately connected with the company to work on the investigation; however, employees’ familiarity with in-house personnel can also work to the detriment of an internal investigation. Employees may be uncomfortable sharing information with people they know. In some instances, members of the in-house investigation team may have been former co-workers of potential employee witnesses. This familiarity may preclude witnesses from speaking openly and candidly. They may also have reservations about the confidentiality of information they might potentially share with an in-house investigator.
In contrast, third-party experts can provide a company with an independent view of the internal investigation. These experts may specialize in internal investigations and, as such, may have more intimate knowledge of the laws and regulations surrounding investigations than in-house personnel. Furthermore, use of third-party experts may be viewed more favorably with prosecutors and regulators due to their independence and appearance of propriety. However, in using third-party experts, companies must ensure confidentiality is maintained throughout the course of the investigation and after its conclusion.
Third, developing a formal investigation plan requires input from counsel and as well as a thorough understanding of all available facts by numerous individuals. The development of an investigation plan and oversight of the investigation should involve multiple board members as well as legal counsel; one board member should not be given this task alone, as was the case with infoGroup.
Work plans should clearly articulate the scope of the internal investigation, the personnel (both internal and external) involved in its execution, the methods investigators plan to use in conducting the investigation, the form of the deliverable that will be presented upon the investigation’s completion, and a list of individuals who will present the results of the investigation to the board. Work plans should be flexible in order to allow investigators sufficient time to investigate new leads and tie up loose ends. If the investigation is forced to conclude before sufficient evidence is collected and analyzed, the company’s reputation may still hang in the balance.
In the case of infoGroup, the timetable and tasks presented by the board to Raval were aggressive. One could argue that the board did not provide Raval enough time to conduct an “in depth” investigation: he was charged with leading an investigation on January 27, 2005 that was supposed to conclude in March 2005. In less than one month of time, Raval was required by the board to uncover all the facts surrounding Gupta’s expenses, examine these facts, opine on them, and generate a report to the board.
Moreover, it appears the board did not assist Raval in obtaining internal or external personnel to assist him with the investigation; he was left to his own devices in carrying out the investigation, a nearly insurmountable task for even the most experienced audit committee chair. Securities laws compel public companies to provide funding for advisors retained by the audit committee in instances such as internal investigations. However, while funding apparently existed to assist Raval in his investigation, it appears he did not ask for the support necessary to carry out his investigation.
Despite the fact that Raval stated his report was the result of an “in-depth investigation,” Info’s board should have known that a report issued just 12 days (8 business days) after a launched investigation would more than likely not contain detailed or substantive findings—especially when the investigation was conducted by a single person. Nonetheless, the board apparently accepted Raval’s report as evidence that a detailed investigation had taken place, and that it had been presented with a complete inventory of facts uncovered in the investigation. Additionally, by tasking Raval with overseeing the investigation on his own, his interpretation of the facts was left unchecked by other individuals. He acted as the lone filter to the board, able to select information for presentation at his own discretion.
In general, while one individual may lead an internal investigation, its results should be presented to the board by no less than two individuals who do not work side-by-side on a daily basis. For instance, an audit committee chair could present the results of an investigation in conjunction with an in-house or external counsel. Or, because they do not work together on a daily basis, the results of an investigation could be presented by a special committee of the board to the board as a whole. In some instances, it may be beneficial to have the results of an internal investigation presented by personnel who are both internal and external to the company. This practice can help board members gain confidence that evidence was collected and reviewed in an unbiased manner.
Lastly, Raval’s actions highlight the importance of internal audit reporting best practices documented by the AICPA. By reporting to a single person, as in the case of infoGroup, an internal auditor’s findings can be inappropriately filtered, leaving the board potentially uninformed on crucial issues. Best practices, however, including those contained in the AICPA’s book The Audit Committee Toolkit, state that chief audit executives should report to the entire audit committee. Audit committee members are required by securities laws to be “independent.” While the board itself may contain non-independent directors, such as the CEO and CFO, the audit committee must be comprised entirely of independent directors and led by an individual with financial expertise. By reporting to the audit committee and not the board as a whole, opinions expressed by the chief audit executive will be heard by a committee of individuals who are entirely independent from the company itself.
The recent SEC actions against executives and the audit committee chair of infoGroup highlight numerous lessons learned for directors: 1) boards should develop a preliminary plan for internal investigations prior to the need for such an investigation; 2) internal or external counsel should always be involved in an internal investigation; 3) development of an investigation plan should include oversight from at least two independent board members in conjunction with counsel; and, 4) the chief audit executive should report to the entire audit committee.
The actions of infoGroup’s audit committee chair not only harmed the company’s reputation, but also prevented the company from effectively containing the problem in an efficient manner. Raval’s actions did not afford the board a chance to understand the full extent of CEO Gupta’s actions, and potentially subjected infoGroup to repeated harm when such harm could have been prevented. However, directors can learn many lessons from Raval’s mistakes, including that internal investigations require experienced personnel oversight for proper execution.
Harry Cendrowski is a founding member of Cendrowski Selecky, Cendrowski Corporate Advisors and The Prosperitas Group. Contact him at firstname.lastname@example.org.
Jim Martin specializes in providing comprehensive risk assessments at Cendrowski Selecky, focusing on the evaluation of operating effectiveness of business processes and the internal control structure, and the development of recommendations for improvement. Contact him at email@example.com.