ISO 370008:2023 – Internal Investigation in organizations, recommendations

This article discusses the internal investigation process in organizations. The concept of internal investigation is not new and refers to all audit and verification activities carried out within an organization, either by auditors and employees of the organization dedicated to this task, or by experts specializing in this field. These investigators are always appointed by senior management or even by an audit committee. Internal investigation is a process aimed at confirming facts through objective findings. It is carried out independently by specialized auditors who are competent in the relevant field of verification (detection of corrupt practices, qualification of possible internal fraud such as theft of raw materials from a warehouse, vehicle theft, or misappropriation of financial or information assets). Internal investigations may focus on practices deemed negligent (significant operational errors, repeated errors, serious negligence in failing to comply with safety instructions). If the internal investigation identifies process malfunctions, it differs from a traditional internal audit (which aims to provide reasonable assurance about the degree of control over a process or activity) in that it primarily concerns the behavior and practices of an individual or group of individuals within the organization. Whereas an internal audit identifies areas for improvement and makes recommendations, an internal investigation can also make such findings and recommendations. An internal investigation goes beyond a process audit by qualifying the facts and seeking to establish the material and intentional elements and the accountability associated with those facts. Internal investigations are therefore particularly sensitive in nature and involve a methodical search for evidence and qualification of the facts, both to deal with an incident through an objective diagnosis and to establish the root causes, which may involve determining liability with regard to third parties outside the organization or internal employees.

Numerous regulatory and jurisprudential developments now govern internal investigation practices. This point is particularly significant and highlights the need to structure a truly organized internal investigation process in order to avoid any abuses in the process (non-compliance, manipulation of investigation results), or even errors during the investigation (omission of certain findings, lack of traceability and documentation of evidence, failure to comply with the adversarial principle, insufficient material evidence).

The article discusses the theoretical foundations of the internal investigation system and how it is structured around ISO 37008, the standard relating to the organization of internal investigations. Various sector-specific examples are...